From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: "Luis R. Rodriguez" <mcgrof@suse.com>
Cc: "Kees Cook" <keescook@chromium.org>,
"David Woodhouse" <dwmw2@infradead.org>,
"David Howells" <dhowells@redhat.com>,
"Andy Lutomirski" <luto@amacapital.net>,
"Roberts, William C" <william.c.roberts@intel.com>,
"linux-security-module@vger.kernel.org"
<linux-security-module@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>,
linux-wireless <linux-wireless@vger.kernel.org>,
"james.l.morris@oracle.com" <james.l.morris@oracle.com>,
"serge@hallyn.com" <serge@hallyn.com>,
"Vitaly Kuznetsov" <vkuznets@redhat.com>,
"Paul Moore" <paul@paul-moore.com>,
"Eric Paris" <eparis@parisplace.org>,
"SE Linux" <selinux@tycho.nsa.gov>,
"Stephen Smalley" <sds@tycho.nsa.gov>,
"Schaufler, Casey" <casey.schaufler@intel.com>,
"Luis R. Rodriguez" <mcgrof@do-not-panic.com>,
"Dmitry Kasatkin" <dmitry.kasatkin@gmail.com>,
"Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
"Peter Jones" <pjones@redhat.com>, "Takashi Iwai" <tiwai@suse.de>,
"Ming Lei" <ming.lei@canonical.com>, "Joey Lee" <jlee@suse.de>,
"Vojtěch Pavlík" <vojtech@suse.com>,
"Kyle McMartin" <kyle@kernel.org>,
"Seth Forshee" <seth.forshee@canonical.com>,
"Matthew Garrett" <mjg59@srcf.ucam.org>,
"Johannes Berg" <johannes@sipsolutions.net>,
"Jay Schulist" <jschlst@samba.org>,
"Daniel Borkmann" <dborkman@redhat.com>,
"Alexei Starovoitov" <ast@plumgrid.com>
Subject: Re: Linux Firmware Signing
Date: Wed, 02 Sep 2015 23:00:30 -0400 [thread overview]
Message-ID: <1441249230.4172.75.camel@linux.vnet.ibm.com> (raw)
In-Reply-To: <20150903002914.GM8051@wotan.suse.de>
On Thu, 2015-09-03 at 02:29 +0200, Luis R. Rodriguez wrote:
> On Wed, Sep 02, 2015 at 08:05:36PM -0400, Mimi Zohar wrote:
> > On Wed, 2015-09-02 at 20:46 +0200, Luis R. Rodriguez wrote:
> > > On Tue, Sep 01, 2015 at 11:35:05PM -0400, Mimi Zohar wrote:
> > > We want something that is not only useful for IMA but any other LSM,
> > > and FILE_CHECK seems very broad, not sure what BPRM_CHECK is even upon
> > > inspecting kernel code. Likewise for POST_SETATTR. POLICY_CHECK might
> > > be broad, perhaps its best we define then a generic set of enums to
> > > which IMA can map them to then and let it decide. This would ensure
> > > that the kernel defines each use caes for file inspection carefully,
> > > documents and defines them and if an LSM wants to bunch a set together
> > > it can do so easily with a switch statement to map set of generic
> > > file checks in kernel to a group it already handles.
> >
> > The names are based on the calling security hook. For a description of
> > each of these security hooks refer to include/linux/lsm_hooks.h.
>
> I see, thanks, ok so BPRM_CHECK = for binary loading, are you folks
> really wanting to unify LSM hooks for firmware, modules, and binary
> data ?
You're asking me?! From my point of view that it is already unified.
The same mechanism used for appraising files in general could be used
for appraising those mentioned. :)
The main issue is having the file data and metadata (eg. signatures)
distributed together. Thanks to Fionnula and Florian support for
including file signatures in rpm packages was released today -
http://lists.rpm.org/pipermail/rpm-maint/2015-September/003962.html.
> POST_SETATTR seems to be for inode_post_setxattr, so that as well?
No. The IMA policy rules can be defined in terms of file metadata (eg.
uid). Changing the file metadata might result in files that previously
weren't appraised, now need to be appraised. The EVM security xattr is
an hmac of the file metadata. So that needs to be updated to reflect
the change.
> POLICY_CHECK seems broad, not sure what to relate that to exactly.
> Is this just SELinux polify files? Or is this something more broad?
This hook is currently limited to verifying the IMA policy signature,
but could be the basis for a more generalized hook.
Mimi
next prev parent reply other threads:[~2015-09-03 3:01 UTC|newest]
Thread overview: 43+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20150824210234.GI8051@wotan.suse.de>
[not found] ` <476DC76E7D1DF2438D32BFADF679FC5601057D32@ORSMSX103.amr.corp.intel.com>
[not found] ` <20150824225713.GJ8051@wotan.suse.de>
[not found] ` <CAGXu5jLDHCgygaVNHpuvszN6SXNKAjRW83q3-D2ZfRpO4uAmdw@mail.gmail.com>
[not found] ` <476DC76E7D1DF2438D32BFADF679FC5601058E78@ORSMSX103.amr.corp.intel.com>
[not found] ` <CAGXu5jJuwPfnQhu9u4-90UkmjWTBF_GLpJ7J1VaaT2D0d_-Mhg@mail.gmail.com>
[not found] ` <1440462367.2737.4.camel@linux.vnet.ibm.com>
[not found] ` <CALCETrXWBBdOKz-fSdM7YVu_sWQbA3YsHPeZAkRmtj+eawqZGQ@mail.gmail.com>
[not found] ` <1440464705.2737.36.camel@linux.vnet.ibm.com>
[not found] ` <14540.1440599584@warthog.procyon.org.uk>
2015-08-26 23:26 ` Linux Firmware Signing Luis R. Rodriguez
2015-08-27 2:35 ` Paul Moore
2015-08-27 19:36 ` Luis R. Rodriguez
2015-08-27 23:46 ` Paul Moore
2015-08-27 10:38 ` David Howells
2015-08-27 10:57 ` David Woodhouse
2015-08-27 21:29 ` Luis R. Rodriguez
2015-08-27 23:54 ` Mimi Zohar
2015-08-29 2:16 ` Luis R. Rodriguez
2015-08-31 14:18 ` Mimi Zohar
2015-08-31 16:05 ` David Woodhouse
2015-08-31 16:45 ` Mimi Zohar
2015-09-02 0:00 ` Luis R. Rodriguez
2015-09-01 23:43 ` Luis R. Rodriguez
2015-09-02 3:08 ` Kees Cook
2015-09-02 3:44 ` Mimi Zohar
2015-09-02 15:28 ` Kees Cook
2015-09-02 16:45 ` Mimi Zohar
2015-09-02 17:36 ` Austin S Hemmelgarn
2015-09-02 23:54 ` Mimi Zohar
2015-09-03 0:18 ` Luis R. Rodriguez
2015-08-27 23:56 ` Paul Moore
2015-08-28 11:20 ` Roberts, William C
2015-08-28 22:26 ` Paul Moore
2015-08-29 2:03 ` Luis R. Rodriguez
2015-09-01 2:52 ` Paul Moore
2015-09-01 14:12 ` Joshua Brindle
2015-09-01 20:08 ` Roberts, William C
2015-09-01 20:46 ` Joshua Brindle
2015-09-01 22:21 ` Eric Paris
2015-08-29 1:56 ` Luis R. Rodriguez
2015-09-01 20:20 ` Kees Cook
2015-09-02 0:09 ` Luis R. Rodriguez
2015-09-02 3:35 ` Mimi Zohar
2015-09-02 18:46 ` Luis R. Rodriguez
2015-09-02 20:54 ` Kees Cook
2015-09-02 21:37 ` Luis R. Rodriguez
2015-09-03 21:14 ` Kees Cook
2015-09-30 20:34 ` Luis R. Rodriguez
2015-09-03 0:05 ` Mimi Zohar
2015-09-03 0:29 ` Luis R. Rodriguez
2015-09-03 3:00 ` Mimi Zohar [this message]
2015-08-27 19:37 ` Luis R. Rodriguez
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1441249230.4172.75.camel@linux.vnet.ibm.com \
--to=zohar@linux.vnet.ibm.com \
--cc=ast@plumgrid.com \
--cc=casey.schaufler@intel.com \
--cc=dborkman@redhat.com \
--cc=dhowells@redhat.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=dwmw2@infradead.org \
--cc=eparis@parisplace.org \
--cc=gregkh@linuxfoundation.org \
--cc=james.l.morris@oracle.com \
--cc=jlee@suse.de \
--cc=johannes@sipsolutions.net \
--cc=jschlst@samba.org \
--cc=keescook@chromium.org \
--cc=kyle@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=linux-wireless@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=mcgrof@do-not-panic.com \
--cc=mcgrof@suse.com \
--cc=ming.lei@canonical.com \
--cc=mjg59@srcf.ucam.org \
--cc=paul@paul-moore.com \
--cc=pjones@redhat.com \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
--cc=serge@hallyn.com \
--cc=seth.forshee@canonical.com \
--cc=tiwai@suse.de \
--cc=vkuznets@redhat.com \
--cc=vojtech@suse.com \
--cc=william.c.roberts@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).