From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-0.8 required=3.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_PASS autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id E576FC6778C for ; Tue, 3 Jul 2018 13:08:14 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 9C106245D6 for ; Tue, 3 Jul 2018 13:08:14 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 9C106245D6 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=linux.vnet.ibm.com Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753349AbeGCNIL (ORCPT ); Tue, 3 Jul 2018 09:08:11 -0400 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:60408 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1753163AbeGCNIK (ORCPT ); Tue, 3 Jul 2018 09:08:10 -0400 Received: from pps.filterd (m0098421.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id w63D53H9023754 for ; Tue, 3 Jul 2018 09:08:09 -0400 Received: from e06smtp03.uk.ibm.com (e06smtp03.uk.ibm.com [195.75.94.99]) by mx0a-001b2d01.pphosted.com with ESMTP id 2k07bgxp9f-1 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT) for ; Tue, 03 Jul 2018 09:08:05 -0400 Received: from localhost by e06smtp03.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Tue, 3 Jul 2018 14:07:57 +0100 Received: from b06cxnps4074.portsmouth.uk.ibm.com (9.149.109.196) by e06smtp03.uk.ibm.com (192.168.101.133) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; (version=TLSv1/SSLv3 cipher=AES256-GCM-SHA384 bits=256/256) Tue, 3 Jul 2018 14:07:52 +0100 Received: from d06av25.portsmouth.uk.ibm.com (d06av25.portsmouth.uk.ibm.com [9.149.105.61]) by b06cxnps4074.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id w63D7pXe32178218 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Tue, 3 Jul 2018 13:07:51 GMT Received: from d06av25.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 45D3B11C04A; Tue, 3 Jul 2018 16:08:17 +0100 (BST) Received: from d06av25.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id CDA6211C054; Tue, 3 Jul 2018 16:08:15 +0100 (BST) Received: from localhost.localdomain (unknown [9.80.97.127]) by d06av25.portsmouth.uk.ibm.com (Postfix) with ESMTP; Tue, 3 Jul 2018 16:08:15 +0100 (BST) Subject: Re: [PATCH v5 3/8] ima: based on policy require signed kexec kernel images From: Mimi Zohar To: J Freyensee , linux-integrity@vger.kernel.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, David Howells , "Luis R . Rodriguez" , Eric Biederman , kexec@lists.infradead.org, Andres Rodriguez , Greg Kroah-Hartman , Ard Biesheuvel , Kees Cook Date: Tue, 03 Jul 2018 09:07:39 -0400 In-Reply-To: <840dae63-5a90-1327-437e-1ed92e165754@gmail.com> References: <1530542283-26145-1-git-send-email-zohar@linux.vnet.ibm.com> <1530542283-26145-4-git-send-email-zohar@linux.vnet.ibm.com> <840dae63-5a90-1327-437e-1ed92e165754@gmail.com> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.20.5 (3.20.5-1.fc24) Mime-Version: 1.0 Content-Transfer-Encoding: 8bit X-TM-AS-GCONF: 00 x-cbid: 18070313-0012-0000-0000-000002864C02 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 18070313-0013-0000-0000-000020B7C868 Message-Id: <1530623259.3452.28.camel@linux.vnet.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2018-07-03_05:,, signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=876 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1806210000 definitions=main-1807030150 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, 2018-07-02 at 11:31 -0700, J Freyensee wrote: > > On 7/2/18 7:37 AM, Mimi Zohar wrote: > > The original kexec_load syscall can not verify file signatures, nor can > > the kexec image be measured. Based on policy, deny the kexec_load > > syscall. > > > Curiosity question: I thought kexec_load() syscall was used to load a > crashdump? kexec is used to collect the memory used to analyze the crash dump. > If this is true, how would this work if kexec_load() is > being denied?  I don't think I'd want to be hindered in cases where I'm > trying to diagnose a crash. For trusted & secure boot, we need a full measurement list and signature chain of trust rooted in HW.  Permitting kexec_load would break these chains of trust. Permitting/denying kexec_load is based on a runtime IMA policy.  Patch 6/8 "ima: add build time policy", in this patch set, introduces the concept of a build time policy.  With these patches, you could configure your kernel and/or load an IMA policy permitting kexec_load. Mimi