lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Mon, 08 Oct 2018 07:20:25 -0400
From:   Mimi Zohar <zohar@...ux.ibm.com>
To:     Nayna Jain <nayna@...ux.vnet.ibm.com>,
        linux-integrity@...r.kernel.org
Cc:     linux-security-module@...r.kernel.org, linux-efi@...r.kernel.org,
        linux-kernel@...r.kernel.org, dhowells@...hat.com,
        jforbes@...hat.com, seth.forshee@...onical.com,
        kexec@...ts.infradead.org, Nayna Jain <nayna@...ux.ibm.com>
Subject: Re: [PATCH v5 0/6] Add support for architecture specific IMA
 policies

On Fri, 2018-10-05 at 23:10 +0530, Nayna Jain wrote:
> From: Nayna Jain <nayna@...ux.ibm.com>
> 
> The architecture specific policy, introduced in this patch set, permits
> different architectures to define IMA policy rules based on kernel
> configuration and system runtime information.
> 
> For example, on x86, there are two methods of verifying the kexec'ed kernel
> image signature - CONFIG_KEXEC_VERIFY_SIG and IMA appraisal policy
> KEXEC_KERNEL_CHECK. CONFIG_KEXEC_VERIFY_SIG enforces the kexec_file_load
> syscall to verify file signatures, but does not prevent the kexec_load
> syscall. The IMA KEXEC_KERNEL_CHECK policy rule verifies the kexec'ed
> kernel image, loaded via the kexec_file_load syscall, is validly signed and
> prevents loading a kernel image via the kexec_load syscall. When secure
> boot is enabled, the kexec'ed kernel image needs to be signed and the
> signature verified. In this environment, either method of verifying the
> kexec'ed kernel image is acceptable, as long as the kexec_load syscall is
> disabled.
> 
> The previous version of this patchset introduced a new IMA policy rule to
> disable the kexec_load syscall, when CONFIG_KEXEC_VERIFY_SIG was enabled,
> however that is removed from this version by introducing a different
> mechanism, as described below.
> 
> The patchset defines an arch_ima_get_secureboot() function to retrieve the
> secureboot state of the system. If secureboot is enabled and
> CONFIG_KEXEC_VERIFY_SIG is configured, it denies permission to kexec_load
> syscall.
> 
> To support architecture specific policies, a new function
> arch_get_ima_policy() is defined. This patch set defines IMA
> KERNEL_KEXEC_POLICY rules for x86 *only* if CONFIG_KEXEC_VERIFY_SIG is
> disabled and secure boot is enabled.
> 
> This patch set includes a patch, which refactors ima_init_policy() to
> remove code duplication.

Other than a couple of #ifdef's in .c files, which should be converted
to use IS_ENABLED(<config-option>), the patch set is looking really
good.

thanks!

Mimi

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ