lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <a54f7de463853f9c3b7404739793d2f690aa317e.camel@linux.ibm.com>
Date:   Wed, 15 Dec 2021 13:16:48 -0500
From:   Mimi Zohar <zohar@...ux.ibm.com>
To:     joeyli <jlee@...e.com>, Takashi Iwai <tiwai@...e.de>
Cc:     Dmitry Kasatkin <dmitry.kasatkin@...il.com>,
        linux-integrity@...r.kernel.org, linux-kernel@...r.kernel.org,
        Eric Snowberg <eric.snowberg@...cle.com>,
        Jarkko Sakkinen <jarkko@...nel.org>
Subject: Re: [PATCH] ima: Fix undefined arch_ima_get_secureboot() and co

[Cc'ing Eric Snowberg, Jarkko]

Hi Joey,

On Thu, 2021-12-16 at 00:03 +0800, joeyli wrote:
> Hi Takashi, Mimi,
> 
> On Tue, Dec 14, 2021 at 04:58:47PM +0100, Takashi Iwai wrote:
> > On Tue, 14 Dec 2021 16:31:21 +0100,
> > Mimi Zohar wrote:
> > > 
> > > Hi Takashi,
> > > 
> > > On Mon, 2021-12-13 at 17:11 +0100, Takashi Iwai wrote:
> > > > Currently arch_ima_get_secureboot() and arch_get_ima_policy() are
> > > > defined only when CONFIG_IMA is set, and this makes the code calling
> > > > those functions without CONFIG_IMA failing.  Although there is no such
> > > > in-tree users, but the out-of-tree users already hit it.
> > > > 
> > > > Move the declaration and the dummy definition of those functions
> > > > outside ifdef-CONFIG_IMA block for fixing the undefined symbols.
> > > > 
> > > > Signed-off-by: Takashi Iwai <tiwai@...e.de>
> > > 
> > > Before lockdown was upstreamed, we made sure that IMA and lockdown
> > > could co-exist.  This patch makes the stub functions available even
> > > when IMA is not configured.  Do the remaining downstream patches
> > > require IMA to be disabled or can IMA co-exist?
> > 
> > I guess Joey (Cc'ed) can explain this better.  AFAIK, currently it's
> > used in a part of MODSIGN stuff in SUSE kernels, and it's calling
> > unconditionally this function for checking whether the system is with
> > the Secure Boot or not.
> >
> 
> Actually in downstream code, I used arch_ima_get_secureboot() in
> load_uefi_certs() to prevent the mok be loaded when secure boot is
> disabled. Because the security of MOK relies on secure boot.
> 
> The downstream code likes this:
> 
> /* the MOK and MOKx can not be trusted when secure boot is disabled */
> -      if (!efi_enabled(EFI_SECURE_BOOT))
> +      if (!arch_ima_get_secureboot())
> 		return 0;
> 
> The old EFI_SECURE_BOOT bit can only be available on x86_64, so I switch
> the code to to arch_ima_get_secureboot() for cross-architectures and sync
> with upstream api.
> 
> The load_uefi.c depends on CONFIG_INTEGRITY but not CONFIG_IMA. So
> load_uefi.c still be built when CONFIG_INTEGRITY=y and CONFIG_IMA=n.
> Then "implicit declaration of function 'arch_ima_get_secureboot'" is
> happened.

The existing upstream code doesn't require secureboot to load the
MOK/MOKx keys.  Why is your change being made downstream?

Are you aware of Eric Snowberg's "Enroll kernel keys thru MOK" patch
set?  When INTEGRITY_MACHINE_KEYRING is enabled and new UEFI variables
are enabled,  instead of loading the MOK keys onto the .platform
keyring, they're loaded onto a new keyring name ".machine", which is
linked to the secondary keyring.

Eric's patchset doesn't add a new check either to make sure secure boot
is enabled before loading the MOK/MOKx keys.

thanks,

Mimi

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ