Hi Mimi,
I've adjusted the patch as below.
David
---
commit bf33218ad2bf04f1b92f5c32499ab906f107864c
Author: Chun-Yi Lee
Date: Wed May 24 14:56:03 2017 +0100
kexec_file: Restrict at runtime if the kernel is locked down
When KEXEC_VERIFY_SIG is not enabled, kernel should not load
Mimi Zohar wrote:
> At some point, we'll want to also require the initramfs be signed as well.
That could be tricky. In Fedora, at least, that's assembled on the fly to
include just the drivers you need to be able to mount your root fs and find
the rest of your modules. (Unless you mean just f
On Mon, 2017-10-30 at 15:49 +, David Howells wrote:
> Mimi Zohar wrote:
>
> > Huh?! With the "secure_boot" policy enabled on the boot command line,
> > IMA-appraisal would verify the kexec kernel image, firmware, kernel
> > modules, and custom IMA policy signatures.
>
> What happens if the
Mimi Zohar wrote:
> Huh?! With the "secure_boot" policy enabled on the boot command line,
> IMA-appraisal would verify the kexec kernel image, firmware, kernel
> modules, and custom IMA policy signatures.
What happens if the "secure_boot" policy isn't enabled on the boot command
line? Can you
On Mon, 2017-10-30 at 09:00 +, David Howells wrote:
> Mimi Zohar wrote:
>
> > Yes, that works. Thanks! Remember is_ima_appraise_enabled() is
> > dependent on the "ima: require secure_boot rules in lockdown mode"
> > patch - http://kernsec.org/pipermail/linux-security-module-archive/201
> >
Mimi Zohar wrote:
> Yes, that works. Thanks! Remember is_ima_appraise_enabled() is
> dependent on the "ima: require secure_boot rules in lockdown mode"
> patch - http://kernsec.org/pipermail/linux-security-module-archive/201
> 7-October/003910.html.
What happens if the file in question is bein
On Sat, 2017-10-28 at 16:34 +0800, joeyli wrote:
> On Fri, Oct 27, 2017 at 03:32:26PM -0400, Mimi Zohar wrote:
> > On Thu, 2017-10-26 at 10:17 -0400, Mimi Zohar wrote:
> > > On Thu, 2017-10-26 at 15:42 +0800, joeyli wrote:
> > > > Hi Mimi,
> > > >
> > > > Thank you for reviewing.
> > > >
> > > >
On Thu, 2017-10-26 at 10:17 -0400, Mimi Zohar wrote:
> On Thu, 2017-10-26 at 15:42 +0800, joeyli wrote:
> > Hi Mimi,
> >
> > Thank you for reviewing.
> >
> > On Mon, Oct 23, 2017 at 11:54:43AM -0400, Mimi Zohar wrote:
> > > On Thu, 2017-10-19 at 15:51 +0100, David Howells wrote:
> > > > From: Chu
On Fri, Oct 27, 2017 at 03:32:26PM -0400, Mimi Zohar wrote:
> On Thu, 2017-10-26 at 10:17 -0400, Mimi Zohar wrote:
> > On Thu, 2017-10-26 at 15:42 +0800, joeyli wrote:
> > > Hi Mimi,
> > >
> > > Thank you for reviewing.
> > >
> > > On Mon, Oct 23, 2017 at 11:54:43AM -0400, Mimi Zohar wrote:
> > >
On Thu, 2017-10-26 at 10:17 -0400, Mimi Zohar wrote:
> On Thu, 2017-10-26 at 15:42 +0800, joeyli wrote:
> > Hi Mimi,
> >
> > Thank you for reviewing.
> >
> > On Mon, Oct 23, 2017 at 11:54:43AM -0400, Mimi Zohar wrote:
> > > On Thu, 2017-10-19 at 15:51 +0100, David Howells wrote:
> > > > From: Chu
[Cc'ing Matthew Garrett]
On Thu, 2017-10-26 at 16:02 +0100, David Howells wrote:
> joeyli wrote:
>
> > + if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) &&
> > + !is_ima_appraise_enabled() &&
> > + kernel_is_locked_down("kexec of unsigned images"))
>
> This doesn't seem right. It seems
joeyli wrote:
> + if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) &&
> + !is_ima_appraise_enabled() &&
> + kernel_is_locked_down("kexec of unsigned images"))
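Review bot: the `!is_ima_appraise_enabled()` term in this condition skips the lockdown refusal whenever IMA appraisal is enabled, but nothing in these lines checks that the loaded IMA policy contains a rule appraising the kexec kernel image. Appraisal can be enabled while the policy leaves that image unverified. Consider gating on a check that the active policy actually covers the kexec image, or add a comment above the `if` stating the policy it depends on.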
This doesn't seem right. It seems that you can then kexec unsigned images
into a locked-down kernel if IMA appraise is enabl
Mimi Zohar wrote:
> The patch title and description need to be updated to refer to
> lockdown, not securelevel.
Fixed, thanks.
> An additional patch could force these rules to be added to the custom
> policy, if lockdown is enabled.
I'll have a look at your patch, though at this point I'm lea
On Thu, 2017-10-26 at 15:42 +0800, joeyli wrote:
> Hi Mimi,
>
> Thank you for reviewing.
>
> On Mon, Oct 23, 2017 at 11:54:43AM -0400, Mimi Zohar wrote:
> > On Thu, 2017-10-19 at 15:51 +0100, David Howells wrote:
> > > From: Chun-Yi Lee
> > >
> > > When KEXEC_VERIFY_SIG is not enabled, kernel s
Hi Mimi,
Thank you for reviewing.
On Mon, Oct 23, 2017 at 11:54:43AM -0400, Mimi Zohar wrote:
> On Thu, 2017-10-19 at 15:51 +0100, David Howells wrote:
> > From: Chun-Yi Lee
> >
> > When KEXEC_VERIFY_SIG is not enabled, kernel should not load image
> > through kexec_file system call if securele
On Thu, 2017-10-19 at 15:51 +0100, David Howells wrote:
> From: Chun-Yi Lee
>
> When KEXEC_VERIFY_SIG is not enabled, kernel should not load image
> through kexec_file system call if securelevel has been set.
The patch title and description need to be updated to refer to
lockdown, not securelev
On Thu, 19 Oct 2017, David Howells wrote:
> From: Chun-Yi Lee
>
> When KEXEC_VERIFY_SIG is not enabled, kernel should not load image
> through kexec_file system call if securelevel has been set.
>
> This code was shown in Matthew's patch but not in git:
> https://lkml.org/lkml/2015/3/13/778
>
From: Chun-Yi Lee
When KEXEC_VERIFY_SIG is not enabled, kernel should not load image
through kexec_file system call if securelevel has been set.
This code was shown in Matthew's patch but not in git:
https://lkml.org/lkml/2015/3/13/778
Cc: Matthew Garrett
Signed-off-by: Chun-Yi Lee
Signed-of