Re: [PATCH 1/2] module: add syscall to load module from fd

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: Rusty Russell <rusty@rustcorp.com.au>
Cc: Kees Cook <keescook@chromium.org>,
	linux-kernel@vger.kernel.org,
	Serge Hallyn <serge.hallyn@canonical.com>,
	James Morris <james.l.morris@oracle.com>,
	Al Viro <viro@zeniv.linux.org.uk>, Eric Paris <eparis@redhat.com>,
	Jiri Kosina <jkosina@suse.cz>,
	linux-security-module@vger.kernel.org
Subject: Re: [PATCH 1/2] module: add syscall to load module from fd
Date: Fri, 07 Sep 2012 13:12:44 -0400	[thread overview]
Message-ID: <1347037964.31197.100.camel@falcor> (raw)
In-Reply-To: <87ipbqhenn.fsf@rustcorp.com.au>

On Fri, 2012-09-07 at 09:45 +0930, Rusty Russell wrote:
> Kees Cook <keescook@chromium.org> writes:
> > Instead of (or in addition to) kernel module signing, being able to reason
> > about the origin of a kernel module would be valuable in situations
> > where an OS already trusts a specific file system, file, etc, due to
> > things like security labels or an existing root of trust to a partition
> > through things like dm-verity.
> >
> > This introduces a new syscall (currently only on x86), similar to
> > init_module, that has only two arguments. The first argument is used as
> > a file descriptor to the module and the second argument is a pointer to
> > the NULL terminated string of module arguments.
> 
> Thanks.  Minor comments follow:

Rusty, sorry for bringing this up again, but with Kees' new syscall,
which passes in the file descriptor, appraising the integrity of kernel
modules could be like appraising the integrity of any other file on the
filesystem.  All that would be needed is a new security hook, which is
needed in anycase for IMA measurement.

The concerns with this approach, expressed in the past by David Howells,
are that it requires IMA-appraisal to be enabled, extended attribute
support, and changes to userspace tools.  Normally I wouldn't be too
concerned about filesystems that don't support extended attributes, but
the initramfs is currently cpio.  Perhaps this isn't an issue in
anycase, as the initramfs would be appraised in the secure boot
environment.

The first two concerns could be addressed by passing in a digital
signature, which the new syscall supports. The signature could be stored
as an extended attribute, appended to the kernel module or, as
originally described by Dmitry, in a .sig file. Where/how the signature
is stored would be left up to the distro's and userspace tool's
discretion.

When EVM/IMA-appraisal is enabled, it would either appraise the kernel
module based on the xattr, if available, or the supplied signature.
Otherwise, without EVM/IMA-appraisal enabled, the stub hook would
appraise the kernel module based on the supplied signature, calling
integrity_digsig_verify() directly.

This method is a consistent and extensible approach to verifying the
integrity of file data/metadata, including kernel modules. The only
downside to this approach, I think, is that it requires changes to the
userspace tool.

thanks,

Mimi

next prev parent reply	other threads:[~2012-09-07 17:14 UTC|newest]

Thread overview: 18+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2012-09-06 18:13 [PATCH 1/2] module: add syscall to load module from fd Kees Cook
2012-09-06 18:13 ` [PATCH 2/2] security: introduce kernel_module_from_file hook Kees Cook
2012-09-07  0:15 ` [PATCH 1/2] module: add syscall to load module from fd Rusty Russell
2012-09-07 16:19   ` Kees Cook
2012-09-07 17:12   ` Mimi Zohar [this message]
2012-09-07 17:19     ` Kees Cook
2012-09-07 19:04       ` Mimi Zohar
2012-09-10  1:46       ` Rusty Russell
2012-09-10 15:07         ` Kees Cook
2012-09-12  2:57         ` James Morris
2012-09-12  4:15 ` H. Peter Anvin
2012-09-12  7:34   ` Rusty Russell
2012-09-12 14:38     ` Kees Cook
2012-09-13 19:22     ` Mimi Zohar
2012-09-19  3:38       ` Rusty Russell
2012-09-19 14:41         ` Mimi Zohar
2012-09-19 16:15           ` Kees Cook
  -- strict thread matches above, loose matches on Subject: below --
2012-09-07 18:38 Kees Cook

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1347037964.31197.100.camel@falcor \
    --to=zohar@linux.vnet.ibm.com \
    --cc=eparis@redhat.com \
    --cc=james.l.morris@oracle.com \
    --cc=jkosina@suse.cz \
    --cc=keescook@chromium.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=rusty@rustcorp.com.au \
    --cc=serge.hallyn@canonical.com \
    --cc=viro@zeniv.linux.org.uk \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox