lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Mon, 30 Oct 2017 12:43:58 -0400
From:   Mimi Zohar <zohar@...ux.vnet.ibm.com>
To:     David Howells <dhowells@...hat.com>
Cc:     joeyli <jlee@...e.com>, linux-security-module@...r.kernel.org,
        gnomes@...rguk.ukuu.org.uk, linux-efi@...r.kernel.org,
        gregkh@...uxfoundation.org, linux-kernel@...r.kernel.org,
        jforbes@...hat.com, Matthew Garrett <mjg59@...gle.com>
Subject: Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has
 been set

On Mon, 2017-10-30 at 15:49 +0000, David Howells wrote:
> Mimi Zohar <zohar@...ux.vnet.ibm.com> wrote:
> 
> > Huh?!  With the "secure_boot" policy enabled on the boot command line,
> > IMA-appraisal would verify the kexec kernel image, firmware, kernel
> > modules, and custom IMA policy signatures.
> 
> What happens if the "secure_boot" policy isn't enabled on the boot command
> line?  Can you sum up both cases in a paragraph I can add to the patch
> description?

The other patch automatically enables "secure_boot" for lockdown mode.
So there is no need to specify "secure_boot" on the boot command line.
 Reordering the patches so that the other patch comes before any call
to is_ima_appraise_enabled() will simplify this patch description.

> > Other patches in this patch series need to be updated as well to check
> > if IMA-appraisal is enabled.
> 
> Which exactly?  I've added your "!is_ima_appraise_enabled() &&" line to
> kexec_file() and module_sig_check().  Anything else?

load_module(), which calls module_sig_check(), is called by both the
old and new kernel module syscalls.  IMA is only on the new syscall.
 Did you differentiate between the kernel module syscalls?

There doesn't seem to be any other patches affected.  That said, the
IMA "secure_boot" policy is more stringent than what you have without
it.  For example, with the "secure_boot" policy enabled, firwmware
needs to be signed as well.  At some point, we'll want to also require
the initramfs be signed as well.

Both methods work independently of each other, but there needs to be
better coordination for when both methods are enabled at the same time
(eg. are both signatures required?).

For testing purposes, you can use the same certs/signing_key to sign
the kexec image, kernel modules and firmware, by loading the
signing_key on the .ima keyring.  Using evmctl, sign the files
(eg. evmctl ima_sign -a sha256 -k certs/signing_key.pem  --imasig
/boot/<vmlinuz>).

Mimi

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ