From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Eric Snowberg <eric.snowberg@oracle.com>,
Mimi Zohar <zohar@linux.ibm.com>,
John Haxby <john.haxby@oracle.com>,
Linus Torvalds <torvalds@linux-foundation.org>
Subject: [PATCH 5.4 04/87] lockdown: Fix kexec lockdown bypass with ima policy
Date: Wed, 27 Jul 2022 18:09:57 +0200 [thread overview]
Message-ID: <20220727161009.182304198@linuxfoundation.org> (raw)
In-Reply-To: <20220727161008.993711844@linuxfoundation.org>
From: Eric Snowberg <eric.snowberg@oracle.com>
commit 543ce63b664e2c2f9533d089a4664b559c3e6b5b upstream.
The lockdown LSM is primarily used in conjunction with UEFI Secure Boot.
This LSM may also be used on machines without UEFI. It can also be
enabled when UEFI Secure Boot is disabled. One of lockdown's features
is to prevent kexec from loading untrusted kernels. Lockdown can be
enabled through a bootparam or after the kernel has booted through
securityfs.
If IMA appraisal is used with the "ima_appraise=log" boot param,
lockdown can be defeated with kexec on any machine when Secure Boot is
disabled or unavailable. IMA prevents setting "ima_appraise=log" from
the boot param when Secure Boot is enabled, but this does not cover
cases where lockdown is used without Secure Boot.
To defeat lockdown, boot without Secure Boot and add ima_appraise=log to
the kernel command line; then:
$ echo "integrity" > /sys/kernel/security/lockdown
$ echo "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig" > \
/sys/kernel/security/ima/policy
$ kexec -ls unsigned-kernel
Add a call to verify ima appraisal is set to "enforce" whenever lockdown
is enabled. This fixes CVE-2022-21505.
Cc: stable@vger.kernel.org
Fixes: 29d3c1c8dfe7 ("kexec: Allow kexec_file() with appropriate IMA policy when locked down")
Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
Acked-by: Mimi Zohar <zohar@linux.ibm.com>
Reviewed-by: John Haxby <john.haxby@oracle.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
security/integrity/ima/ima_policy.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -1542,6 +1542,10 @@ bool ima_appraise_signature(enum kernel_
if (id >= READING_MAX_ID)
return false;
+ if (id == READING_KEXEC_IMAGE && !(ima_appraise & IMA_APPRAISE_ENFORCE)
+ && security_locked_down(LOCKDOWN_KEXEC))
+ return false;
+
func = read_idmap[id] ?: FILE_CHECK;
rcu_read_lock();
next prev parent reply other threads:[~2022-07-27 16:38 UTC|newest]
Thread overview: 93+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-07-27 16:09 [PATCH 5.4 00/87] 5.4.208-rc1 review Greg Kroah-Hartman
2022-07-27 16:09 ` [PATCH 5.4 01/87] pinctrl: stm32: fix optional IRQ support to gpios Greg Kroah-Hartman
2022-07-27 16:09 ` [PATCH 5.4 02/87] riscv: add as-options for modules with assembly compontents Greg Kroah-Hartman
2022-07-27 16:09 ` [PATCH 5.4 03/87] mlxsw: spectrum_router: Fix IPv4 nexthop gateway indication Greg Kroah-Hartman
2022-07-27 16:09 ` Greg Kroah-Hartman [this message]
2022-07-27 16:09 ` [PATCH 5.4 05/87] xen/gntdev: Ignore failure to unmap INVALID_GRANT_HANDLE Greg Kroah-Hartman
2022-07-27 16:09 ` [PATCH 5.4 06/87] PCI: hv: Fix multi-MSI to allow more than one MSI vector Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 07/87] PCI: hv: Fix hv_arch_irq_unmask() for multi-MSI Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 08/87] PCI: hv: Reuse existing IRTE allocation in compose_msi_msg() Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 09/87] PCI: hv: Fix interrupt mapping for multi-MSI Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 10/87] serial: mvebu-uart: correctly report configured baudrate value Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 11/87] xfrm: xfrm_policy: fix a possible double xfrm_pols_put() in xfrm_bundle_lookup() Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 12/87] power/reset: arm-versatile: Fix refcount leak in versatile_reboot_probe Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 13/87] pinctrl: ralink: Check for null return of devm_kcalloc Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 14/87] perf/core: Fix data race between perf_event_set_output() and perf_mmap_close() Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 15/87] igc: Reinstate IGC_REMOVED logic and implement it properly Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 16/87] ip: Fix data-races around sysctl_ip_no_pmtu_disc Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 17/87] ip: Fix data-races around sysctl_ip_fwd_use_pmtu Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 18/87] ip: Fix data-races around sysctl_ip_nonlocal_bind Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 19/87] ip: Fix a data-race around sysctl_fwmark_reflect Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 20/87] tcp/dccp: Fix a data-race around sysctl_tcp_fwmark_accept Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 21/87] tcp: Fix data-races around sysctl_tcp_mtu_probing Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 22/87] tcp: Fix data-races around sysctl_tcp_base_mss Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 23/87] tcp: Fix data-races around sysctl_tcp_min_snd_mss Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 24/87] tcp: Fix a data-race around sysctl_tcp_mtu_probe_floor Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 25/87] tcp: Fix a data-race around sysctl_tcp_probe_threshold Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 26/87] tcp: Fix a data-race around sysctl_tcp_probe_interval Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 27/87] i2c: cadence: Change large transfer count reset logic to be unconditional Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 28/87] net: stmmac: fix dma queue left shift overflow issue Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 29/87] net/tls: Fix race in TLS device down flow Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 30/87] igmp: Fix data-races around sysctl_igmp_llm_reports Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 31/87] igmp: Fix a data-race around sysctl_igmp_max_memberships Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 32/87] tcp: Fix data-races around sysctl_tcp_syncookies Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 33/87] tcp: Fix data-races around sysctl_tcp_reordering Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 34/87] tcp: Fix data-races around some timeout sysctl knobs Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 35/87] tcp: Fix a data-race around sysctl_tcp_notsent_lowat Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 36/87] tcp: Fix a data-race around sysctl_tcp_tw_reuse Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 37/87] tcp: Fix data-races around sysctl_max_syn_backlog Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 38/87] tcp: Fix data-races around sysctl_tcp_fastopen Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 39/87] iavf: Fix handling of dummy receive descriptors Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 40/87] i40e: Fix erroneous adapter reinitialization during recovery process Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 41/87] ixgbe: Add locking to prevent panic when setting sriov_numvfs to zero Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 42/87] gpio: pca953x: only use single read/write for No AI mode Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 43/87] be2net: Fix buffer overflow in be_get_module_eeprom Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 44/87] ipv4: Fix a data-race around sysctl_fib_multipath_use_neigh Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 45/87] udp: Fix a data-race around sysctl_udp_l3mdev_accept Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 46/87] tcp: Fix data-races around sysctl knobs related to SYN option Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 47/87] tcp: Fix a data-race around sysctl_tcp_early_retrans Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 48/87] tcp: Fix data-races around sysctl_tcp_recovery Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 49/87] tcp: Fix a data-race around sysctl_tcp_thin_linear_timeouts Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 50/87] tcp: Fix data-races around sysctl_tcp_slow_start_after_idle Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 51/87] tcp: Fix a data-race around sysctl_tcp_retrans_collapse Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 52/87] tcp: Fix a data-race around sysctl_tcp_stdurg Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 53/87] tcp: Fix a data-race around sysctl_tcp_rfc1337 Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 54/87] tcp: Fix data-races around sysctl_tcp_max_reordering Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 55/87] spi: bcm2835: bcm2835_spi_handle_err(): fix NULL pointer deref for non DMA transfers Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 56/87] mm/mempolicy: fix uninit-value in mpol_rebind_policy() Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 57/87] bpf: Make sure mac_header was set before using it Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 58/87] dlm: fix pending remove if msg allocation fails Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 59/87] ima: remove the IMA_TEMPLATE Kconfig option Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 60/87] locking/refcount: Define constants for saturation and max refcount values Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 61/87] locking/refcount: Ensure integer operands are treated as signed Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 62/87] locking/refcount: Remove unused refcount_*_checked() variants Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 63/87] locking/refcount: Move the bulk of the REFCOUNT_FULL implementation into the <linux/refcount.h> header Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 64/87] locking/refcount: Improve performance of generic REFCOUNT_FULL code Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 65/87] locking/refcount: Move saturation warnings out of line Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 66/87] locking/refcount: Consolidate REFCOUNT_{MAX,SATURATED} definitions Greg Kroah-Hartman
2022-07-27 16:11 ` [PATCH 5.4 67/87] locking/refcount: Consolidate implementations of refcount_t Greg Kroah-Hartman
2022-07-27 16:11 ` [PATCH 5.4 68/87] x86: get rid of small constant size cases in raw_copy_{to,from}_user() Greg Kroah-Hartman
2022-07-27 16:11 ` [PATCH 5.4 69/87] x86/uaccess: Implement macros for CMPXCHG on user addresses Greg Kroah-Hartman
2022-07-27 16:11 ` [PATCH 5.4 70/87] mmap locking API: initial implementation as rwsem wrappers Greg Kroah-Hartman
2022-07-27 16:11 ` [PATCH 5.4 71/87] x86/mce: Deduplicate exception handling Greg Kroah-Hartman
2022-07-27 16:11 ` [PATCH 5.4 72/87] bitfield.h: Fix "type of reg too small for mask" test Greg Kroah-Hartman
2022-07-27 16:11 ` [PATCH 5.4 73/87] ALSA: memalloc: Align buffer allocations in page size Greg Kroah-Hartman
2022-07-27 16:11 ` [PATCH 5.4 74/87] Bluetooth: Add bt_skb_sendmsg helper Greg Kroah-Hartman
2022-07-27 16:11 ` [PATCH 5.4 75/87] Bluetooth: Add bt_skb_sendmmsg helper Greg Kroah-Hartman
2022-07-27 16:11 ` [PATCH 5.4 76/87] Bluetooth: SCO: Replace use of memcpy_from_msg with bt_skb_sendmsg Greg Kroah-Hartman
2022-07-27 16:11 ` [PATCH 5.4 77/87] Bluetooth: RFCOMM: Replace use of memcpy_from_msg with bt_skb_sendmmsg Greg Kroah-Hartman
2022-07-27 16:11 ` [PATCH 5.4 78/87] Bluetooth: Fix passing NULL to PTR_ERR Greg Kroah-Hartman
2022-07-27 16:11 ` [PATCH 5.4 79/87] Bluetooth: SCO: Fix sco_send_frame returning skb->len Greg Kroah-Hartman
2022-07-27 16:11 ` [PATCH 5.4 80/87] Bluetooth: Fix bt_skb_sendmmsg not allocating partial chunks Greg Kroah-Hartman
2022-07-27 16:11 ` [PATCH 5.4 81/87] tty: drivers/tty/, stop using tty_schedule_flip() Greg Kroah-Hartman
2022-07-27 16:11 ` [PATCH 5.4 82/87] tty: the rest, " Greg Kroah-Hartman
2022-07-27 16:11 ` [PATCH 5.4 83/87] tty: drop tty_schedule_flip() Greg Kroah-Hartman
2022-07-27 16:11 ` [PATCH 5.4 84/87] tty: extract tty_flip_buffer_commit() from tty_flip_buffer_push() Greg Kroah-Hartman
2022-07-27 16:11 ` [PATCH 5.4 85/87] tty: use new tty_insert_flip_string_and_push_buffer() in pty_write() Greg Kroah-Hartman
2022-07-27 16:11 ` [PATCH 5.4 86/87] net: usb: ax88179_178a needs FLAG_SEND_ZLP Greg Kroah-Hartman
2022-07-27 16:11 ` [PATCH 5.4 87/87] x86: drop bogus "cc" clobber from __try_cmpxchg_user_asm() Greg Kroah-Hartman
2022-07-27 22:32 ` [PATCH 5.4 00/87] 5.4.208-rc1 review Florian Fainelli
2022-07-28 9:40 ` Naresh Kamboju
2022-07-28 14:41 ` Sudip Mukherjee (Codethink)
2022-07-28 14:45 ` Shuah Khan
2022-07-28 22:58 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220727161009.182304198@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=eric.snowberg@oracle.com \
--cc=john.haxby@oracle.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox