lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <0e794fc984c8f37a6d3eb5acdb6cc094f14df940.camel@linux.ibm.com>
Date: Tue, 27 May 2025 10:17:54 -0400
From: Mimi Zohar <zohar@...ux.ibm.com>
To: Pingfan Liu <piliu@...hat.com>, Baoquan He <bhe@...hat.com>
Cc: prudo@...hat.com, linux-integrity@...r.kernel.org,
        kexec@...ts.infradead.org, linux-kernel@...r.kernel.org,
        pmenzel@...gen.mpg.de, coxu@...hat.com, ruyang@...hat.com,
        chenste@...ux.microsoft.com
Subject: Re: [PATCH] ima: add a knob ima= to make IMA be able to be disabled

On Tue, 2025-05-27 at 11:25 +0800, Pingfan Liu wrote

When responding to kernel mailing lists, please use plain text not Mime encoded.

> On Thu, May 22, 2025 at 10:52 PM Baoquan He <bhe@...hat.com> wrote:
> > On 05/22/25 at 07:08am, Mimi Zohar wrote:
> > > On Thu, 2025-05-22 at 11:24 +0800, Baoquan He wrote:
> > > > On 05/21/25 at 08:54am, Mimi Zohar wrote:
> > > > > On Fri, 2025-05-16 at 08:22 +0800, Baoquan He wrote:
> > > > > > CC kexec list.
> > > > > > 
> > > > > > On 05/16/25 at 07:39am, Baoquan He wrote:
> > > > > > > Kdump kernel doesn't need IMA functionality, and enabling IMA will
> > > > > > > cost
> > > > > > > extra memory. It would be very helpful to allow IMA to be disabled
> > > > > > > for
> > > > > > > kdump kernel.
> > > > 
> > > > Thanks a lot for careufl reviewing and great suggestions.
> > > > 
> > > > > 
> > > > > The real question is not whether kdump needs "IMA", but whether not
> > > > > enabling
> > > > > IMA in the kdump kernel could be abused.  The comments below don't
> > > > > address
> > > > > that question but limit/emphasize, as much as possible, turning IMA
> > > > > off is
> > > > > limited to the kdump kernel.
> > > > 
> > > > Are you suggesting removing below paragraph from patch log because they
> > > > are redundant? I can remove it in v2 if yes.
> > > 
> > > "The comments below" was referring to my comments on the patch, not the
> > > next
> > > paragraph.  "don't address that question" refers to whether the kdump
> > > kernel
> > > could be abused.
> > > 
> > > We're trying to close integrity gaps, not add new ones.  Verifying the
> > > UKI's
> > > signature addresses the integrity of the initramfs.  What about the
> > > integrity of
> > > the kdump initramfs (or for that matter the kexec initramfs)?  If the
> > > kdump
> > > initramfs was signed, IMA would be able to verify it before the kexec.
> 
> IMHO, from the higher level, if there is a requirement on the integrity of the
> initramfs, it should take a similar approach as UKI. And the system admin can
> choose whether to disable the unsafe format loader or not.

Yes, that is a possibility, probably a good aim, but in the case of kexec/kdump
that isn't really necessary.  As filesystem(s) support xattrs, IMA policies
could be written in terms of "func=KEXEC_INITRAMFS_CHECK" to include the
initramfs.

> 
> This other thing is how to make a handy signature on initramfs? It is neither
> PE nor ELF.

IMA supports signatures stored in the security.ima xattr or as an appended
signatures.

Mimi

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ