Message-Id: <1530623259.3452.28.camel@linux.vnet.ibm.com>
Date: Tue, 03 Jul 2018 09:07:39 -0400
From: Mimi Zohar <zohar@...ux.vnet.ibm.com>
To: J Freyensee <why2jjj.linux@...il.com>,
linux-integrity@...r.kernel.org
Cc: linux-security-module@...r.kernel.org,
linux-kernel@...r.kernel.org, David Howells <dhowells@...hat.com>,
"Luis R . Rodriguez" <mcgrof@...nel.org>,
Eric Biederman <ebiederm@...ssion.com>,
kexec@...ts.infradead.org, Andres Rodriguez <andresx7@...il.com>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Ard Biesheuvel <ard.biesheuvel@...aro.org>,
Kees Cook <keescook@...omium.org>
Subject: Re: [PATCH v5 3/8] ima: based on policy require signed kexec kernel images
On Mon, 2018-07-02 at 11:31 -0700, J Freyensee wrote:
>
> On 7/2/18 7:37 AM, Mimi Zohar wrote:
> > The original kexec_load syscall can not verify file signatures, nor can
> > the kexec image be measured. Based on policy, deny the kexec_load
> > syscall.
>
>
> Curiosity question: I thought kexec_load() syscall was used to load a
> crashdump?
kexec is used to collect the memory used to analyze the crash dump.
> If this is true, how would this work if kexec_load() is
> being denied? I don't think I'd want to be hindered in cases where I'm
> trying to diagnose a crash.
For trusted & secure boot, we need a full measurement list and
signature chain of trust rooted in HW. Permitting kexec_load would
break these chains of trust.
Permitting/denying kexec_load is based on a runtime IMA policy. Patch
6/8 "ima: add build time policy", in this patch set, introduces the
concept of a build time policy. With these patches, you could
configure your kernel and/or load an IMA policy permitting kexec_load.
Mimi
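Two runtime IMA policy fragments illustrating the choice described above, added here as a constructed example (not part of the patch set or this thread). The rule syntax is the kernel's documented IMA policy language; the kexec_load behaviour noted in the comments is the one this series introduces.

```text
# Policy A (constructed example): require a valid IMA signature on every
# kexec kernel image. With this series applied, kexec_load passes a memory
# buffer rather than a file descriptor, so its image can be neither
# measured nor appraised and the syscall is denied; kexec_file_load is
# the only remaining path and its image is signature-checked.
appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig

# Policy B (constructed example): measurement only. Images loaded via
# kexec_file_load are recorded in the measurement list for attestation,
# no signature is enforced, and kexec_load is not denied by this rule,
# at the cost of the signature chain of trust described above.
measure func=KEXEC_KERNEL_CHECK

# Either policy is loaded at runtime with, for example:
#   cat policy > /sys/kernel/security/ima/policy
```

Only one of the two policies would be loaded on a given system; they are shown side by side to contrast the enforcing and measurement-only configurations.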