Re: [PATCH 2/3] binfmt_elf: Verify signature of signed elf binary

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Vivek Goyal <vgoyal@redhat.com>,
	linux-kernel@vger.kernel.org, pjones@redhat.com, hpa@zytor.com,
	dhowells@redhat.com, jwboyer@redhat.com,
	Dmitry Kasatkin <dmitry.kasatkin@intel.com>
Subject: Re: [PATCH 2/3] binfmt_elf: Verify signature of signed elf binary
Date: Wed, 16 Jan 2013 09:00:59 -0500	[thread overview]
Message-ID: <1358344859.4593.66.camel@falcor1> (raw)
In-Reply-To: <87wqvdli1o.fsf@xmission.com>

On Tue, 2013-01-15 at 23:10 -0800, Eric W. Biederman wrote:
> Mimi Zohar <zohar@linux.vnet.ibm.com> writes:
> 
> > Please remind me why you can't use IMA-appraisal, which was upstreamed
> > in Linux 3.7?  Why another method is needed?
> 
> Good question Vivek?  
> 
> I remeber there was a slight mismatch in the desired attributes.  In
> particular we want signatures that are not generated on the local
> machine.

Right, IMA-appraisal supports different methods of verification.  The
initial methods are hash and digital signature stored in the extended
attribute.  With the queued patches, we can force signature verification
to be of a specific type. It defines a new IMA policy option called
'appraise_type='.

> > With IMA-appraisal, there are a couple of issues that would still need
> > to be addressed:
> > - missing the ability to specify the validation method required.
> > - modify the ima_appraise_tcb policy policy to require elf executables
> > to be digitally signed.
> > - security_bprm_check() is called before the binary handler is known.
> >
> > The first issue is addressed by a set of patches queued to be upstreamed
> > in linux-integrity/next-ima-appraise-status.
> >
> > To address the last issue would either require moving the existing
> > bprm_check or defining a new hook after the binary handler is known.
> 
> Even if there is a small mismatch it certainly sounds like something to
> investigate.  There are a lot of pieces flying around with IMA so an
> appropriate model of what needs to happen isn't in my head.  As opposed
> to a signature in an ELF executable and a key in the kernel.

The original IMA was about measurement and attestation.  IMA-appraisal 
adds local integrity validation and enforcement of the measurement
against a "good" value stored as an extended attribute 'security.ima'.
The initial methods for validating 'security.ima' are hash and digital
signature based.

> Hooks aside in an IMA world where does the signing key live?  Where does
> the signature live?

Initially, the public key used to verify the signature is loaded onto an
IMA specific keyring.  We've discussed embedding public keys inside the
kernel, but haven't done so yet.

The next steps are to ensure the secure boot signature chain of trust
has not been broken.

(I've cc'ed Dmitry Kasatkin on this discussion.  It would also be
appropriate to cc the LSM mailing list.)

thanks,

Mimi

next prev parent reply	other threads:[~2013-01-16 14:06 UTC|newest]

Thread overview: 62+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2013-01-15 21:34 [PATCH 0/3] ELF executable signing and verification Vivek Goyal
2013-01-15 21:34 ` [PATCH 1/3] module: export couple of functions for use in process signature verification Vivek Goyal
2013-01-15 21:34 ` [PATCH 2/3] binfmt_elf: Verify signature of signed elf binary Vivek Goyal
2013-01-16  4:30   ` Eric W. Biederman
2013-01-16  4:55     ` Mimi Zohar
2013-01-16  7:10       ` Eric W. Biederman
2013-01-16 14:00         ` Mimi Zohar [this message]
2013-01-16 14:48           ` Vivek Goyal
2013-01-16 15:33             ` Mimi Zohar
2013-01-16 15:54               ` Vivek Goyal
2013-01-16 17:24                 ` Mimi Zohar
2013-01-16 18:21                   ` Vivek Goyal
2013-01-16 18:45                     ` Mimi Zohar
2013-01-16 18:57                       ` Vivek Goyal
2013-01-16 19:37                         ` Mimi Zohar
2013-01-16 19:47                           ` Vivek Goyal
2013-01-16 20:25                             ` Mimi Zohar
2013-01-16 21:55                               ` Vivek Goyal
2013-01-17  8:37                             ` Elena Reshetova
2013-01-17 14:39                     ` Kasatkin, Dmitry
2013-01-17 14:35                 ` Kasatkin, Dmitry
2013-01-16 16:34               ` Vivek Goyal
2013-01-16 18:08                 ` Mimi Zohar
2013-01-16 18:28                   ` Vivek Goyal
2013-01-16 19:24                     ` Mimi Zohar
2013-01-16 21:53                       ` Vivek Goyal
2013-01-17 14:58                         ` Kasatkin, Dmitry
2013-01-17 15:06                           ` Kasatkin, Dmitry
2013-01-17 15:21                             ` Vivek Goyal
2013-01-17 15:18                           ` Vivek Goyal
2013-01-17 16:27                             ` Kasatkin, Dmitry
2013-01-17 20:33                             ` Frank Ch. Eigler
2013-01-17 20:55                               ` Vivek Goyal
2013-01-17 21:46                                 ` Kasatkin, Dmitry
2013-01-17 21:52                                   ` Vivek Goyal
2013-01-20 16:36                                     ` Mimi Zohar
2013-01-21 16:42       ` Vivek Goyal
2013-01-21 18:30         ` Mimi Zohar
2013-01-16 22:35   ` Mimi Zohar
2013-01-16 22:51     ` Vivek Goyal
2013-01-16 23:16       ` Eric W. Biederman
2013-01-17 15:37   ` Mimi Zohar
2013-01-17 15:51     ` Vivek Goyal
2013-01-17 16:32       ` Mimi Zohar
2013-01-17 17:01         ` Kasatkin, Dmitry
2013-01-17 17:03           ` Kasatkin, Dmitry
2013-01-17 17:42           ` Vivek Goyal
2013-01-17 17:36         ` Vivek Goyal
2013-01-20 17:20           ` Mimi Zohar
2013-01-21 15:45             ` Vivek Goyal
2013-01-21 18:44               ` Mimi Zohar
2013-01-20 16:17         ` H. Peter Anvin
2013-01-20 16:55           ` Mimi Zohar
2013-01-20 17:00             ` H. Peter Anvin
2013-01-15 21:34 ` [PATCH 3/3] binfmt_elf: Do not allow exec() if signed binary has intepreter Vivek Goyal
2013-01-15 21:37 ` [PATCH 4/3] User space utility "signelf" to sign elf executable Vivek Goyal
2013-01-15 22:27 ` [PATCH 0/3] ELF executable signing and verification richard -rw- weinberger
2013-01-15 23:15   ` Vivek Goyal
2013-01-15 23:17     ` richard -rw- weinberger
2013-01-17 16:22 ` Kasatkin, Dmitry
2013-01-17 17:25   ` Vivek Goyal
2013-01-22  4:22 ` Rusty Russell

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1358344859.4593.66.camel@falcor1 \
    --to=zohar@linux.vnet.ibm.com \
    --cc=dhowells@redhat.com \
    --cc=dmitry.kasatkin@intel.com \
    --cc=ebiederm@xmission.com \
    --cc=hpa@zytor.com \
    --cc=jwboyer@redhat.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=pjones@redhat.com \
    --cc=vgoyal@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox