From: Mimi Zohar <zohar@linux.ibm.com>
To: joeyli <jlee@suse.com>, Takashi Iwai <tiwai@suse.de>
Cc: Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org,
Eric Snowberg <eric.snowberg@oracle.com>,
Jarkko Sakkinen <jarkko@kernel.org>
Subject: Re: [PATCH] ima: Fix undefined arch_ima_get_secureboot() and co
Date: Wed, 15 Dec 2021 13:16:48 -0500 [thread overview]
Message-ID: <a54f7de463853f9c3b7404739793d2f690aa317e.camel@linux.ibm.com> (raw)
In-Reply-To: <20211215160345.GF3786@linux-l9pv.suse>
[Cc'ing Eric Snowberg, Jarkko]
Hi Joey,
On Thu, 2021-12-16 at 00:03 +0800, joeyli wrote:
> Hi Takashi, Mimi,
>
> On Tue, Dec 14, 2021 at 04:58:47PM +0100, Takashi Iwai wrote:
> > On Tue, 14 Dec 2021 16:31:21 +0100,
> > Mimi Zohar wrote:
> > >
> > > Hi Takashi,
> > >
> > > On Mon, 2021-12-13 at 17:11 +0100, Takashi Iwai wrote:
> > > > Currently arch_ima_get_secureboot() and arch_get_ima_policy() are
> > > > defined only when CONFIG_IMA is set, and this makes the code calling
> > > > those functions without CONFIG_IMA failing. Although there is no such
> > > > in-tree users, but the out-of-tree users already hit it.
> > > >
> > > > Move the declaration and the dummy definition of those functions
> > > > outside ifdef-CONFIG_IMA block for fixing the undefined symbols.
> > > >
> > > > Signed-off-by: Takashi Iwai <tiwai@suse.de>
> > >
> > > Before lockdown was upstreamed, we made sure that IMA and lockdown
> > > could co-exist. This patch makes the stub functions available even
> > > when IMA is not configured. Do the remaining downstream patches
> > > require IMA to be disabled or can IMA co-exist?
> >
> > I guess Joey (Cc'ed) can explain this better. AFAIK, currently it's
> > used in a part of MODSIGN stuff in SUSE kernels, and it's calling
> > unconditionally this function for checking whether the system is with
> > the Secure Boot or not.
> >
>
> Actually in downstream code, I used arch_ima_get_secureboot() in
> load_uefi_certs() to prevent the mok be loaded when secure boot is
> disabled. Because the security of MOK relies on secure boot.
>
> The downstream code likes this:
>
> /* the MOK and MOKx can not be trusted when secure boot is disabled */
> - if (!efi_enabled(EFI_SECURE_BOOT))
> + if (!arch_ima_get_secureboot())
> return 0;
>
> The old EFI_SECURE_BOOT bit can only be available on x86_64, so I switch
> the code to to arch_ima_get_secureboot() for cross-architectures and sync
> with upstream api.
>
> The load_uefi.c depends on CONFIG_INTEGRITY but not CONFIG_IMA. So
> load_uefi.c still be built when CONFIG_INTEGRITY=y and CONFIG_IMA=n.
> Then "implicit declaration of function 'arch_ima_get_secureboot'" is
> happened.
The existing upstream code doesn't require secureboot to load the
MOK/MOKx keys. Why is your change being made downstream?
Are you aware of Eric Snowberg's "Enroll kernel keys thru MOK" patch
set? When INTEGRITY_MACHINE_KEYRING is enabled and new UEFI variables
are enabled, instead of loading the MOK keys onto the .platform
keyring, they're loaded onto a new keyring name ".machine", which is
linked to the secondary keyring.
Eric's patchset doesn't add a new check either to make sure secure boot
is enabled before loading the MOK/MOKx keys.
thanks,
Mimi
next prev parent reply other threads:[~2021-12-15 18:18 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-12-13 16:11 [PATCH] ima: Fix undefined arch_ima_get_secureboot() and co Takashi Iwai
2021-12-14 15:31 ` Mimi Zohar
2021-12-14 15:58 ` Takashi Iwai
2021-12-15 16:03 ` joeyli
2021-12-15 18:16 ` Mimi Zohar [this message]
2021-12-16 4:32 ` joeyli
2021-12-16 13:22 ` Mimi Zohar
2021-12-18 2:27 ` joeyli
2021-12-22 17:10 ` Mimi Zohar
2021-12-22 19:15 ` Takashi Iwai
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=a54f7de463853f9c3b7404739793d2f690aa317e.camel@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=eric.snowberg@oracle.com \
--cc=jarkko@kernel.org \
--cc=jlee@suse.com \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=tiwai@suse.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).