From: Seth Forshee <seth.forshee@canonical.com>
To: Eric Richter <erichte@linux.vnet.ibm.com>
Cc: linux-integrity <linux-integrity@vger.kernel.org>,
linux-security-module <linux-security-module@vger.kernel.org>,
linux-efi <linux-efi@vger.kernel.org>,
linux-kernel <linux-kernel@vger.kernel.org>,
David Howells <dhowells@redhat.com>,
Justin Forbes <jforbes@redhat.com>
Subject: Re: [PATCH 3/4] ima: add support for KEXEC_ORIG_KERNEL_CHECK
Date: Fri, 3 Aug 2018 08:11:29 -0500 [thread overview]
Message-ID: <20180803131129.GS3001@ubuntu-xps13> (raw)
In-Reply-To: <20180725233200.761-4-erichte@linux.vnet.ibm.com>
On Wed, Jul 25, 2018 at 06:31:59PM -0500, Eric Richter wrote:
> IMA can verify the signature of kernel images loaded with kexec_file_load,
> but can not verify images loaded with the regular kexec_load syscall.
> Therefore, the appraisal will automatically fail during kexec_load when an
> appraise policy rule is set for func=KEXEC_KERNEL_CHECK. This can be used
> to effectively disable the kexec_load syscall, while still allowing the
> kexec_file_load to operate so long as the target kernel image is signed.
>
> However, this conflicts with CONFIG_KEXEC_VERIFY_SIG. If that option is
> enabled and there is an appraise rule set, then the target kernel would
> have to be verifiable by both IMA and the architecture specific kernel
> verification procedure.
>
> This patch adds a new func= for IMA appraisal specifically for the original
> kexec_load syscall. Therefore, the kexec_load syscall can be effectively
> disabled via IMA policy, leaving the kexec_file_load syscall able to do its
> own signature verification, and not require it to be signed via IMA. To
> retain compatibility, the existing func=KEXEC_KERNEL_CHECK flag is
> unchanged, and thus enables appraisal for both kexec syscalls.
This seems like a roundabout way to disallow the kexec_load syscall.
Wouldn't it make more sense to simply disallow kexec_load any time
CONFIG_KEXEC_VERIFY_SIG is enabled, since it effectively renders that
option impotent? Or has that idea already been rejected?
Thanks,
Seth
next prev parent reply other threads:[~2018-08-03 13:11 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-07-25 23:31 [PATCH 0/4] Add support for architecture-specific IMA policies Eric Richter
2018-07-25 23:31 ` [PATCH 1/4] ima: add support for arch specific policies Eric Richter
2018-07-28 2:24 ` kbuild test robot
2018-08-03 10:08 ` Nayna Jain
2018-07-28 2:24 ` [RFC PATCH] ima: arch_policy_rules can be static kbuild test robot
2018-07-25 23:31 ` [PATCH 2/4] ima: add support for external setting of ima_appraise Eric Richter
2018-07-25 23:31 ` [PATCH 3/4] ima: add support for KEXEC_ORIG_KERNEL_CHECK Eric Richter
2018-08-03 13:11 ` Seth Forshee [this message]
2018-08-03 14:54 ` Mimi Zohar
2018-08-03 16:16 ` Seth Forshee
2018-08-03 19:47 ` Mimi Zohar
2018-07-25 23:32 ` [PATCH 4/4] x86/ima: define arch_get_ima_policy() for x86 Eric Richter
2018-07-28 12:22 ` kbuild test robot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180803131129.GS3001@ubuntu-xps13 \
--to=seth.forshee@canonical.com \
--cc=dhowells@redhat.com \
--cc=erichte@linux.vnet.ibm.com \
--cc=jforbes@redhat.com \
--cc=linux-efi@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox