Re: [PATCH 03/27] Enforce module signatures if the kernel is locked down

2019-03-08 Thread James Morris
On Fri, 8 Mar 2019, Matthew Garrett wrote: > On Fri, Mar 8, 2019 at 3:00 PM James Morris wrote: > > > > On Wed, 6 Mar 2019, Matthew Garrett wrote: > > > > > From: David Howells > > > > > > If the kernel is locked down, require that all modules have valid > > > signatures that we can verify. > >

Re: [PATCH 03/27] Enforce module signatures if the kernel is locked down

2019-03-08 Thread Matthew Garrett
On Fri, Mar 8, 2019 at 3:00 PM James Morris wrote: > > On Wed, 6 Mar 2019, Matthew Garrett wrote: > > > From: David Howells > > > > If the kernel is locked down, require that all modules have valid > > signatures that we can verify. > > Perhaps note that this won't cover the case where folk are

Re: [PATCH 03/27] Enforce module signatures if the kernel is locked down

2019-03-08 Thread James Morris
On Wed, 6 Mar 2019, Matthew Garrett wrote: > From: David Howells > > If the kernel is locked down, require that all modules have valid > signatures that we can verify. Perhaps note that this won't cover the case where folk are using DM-Verity with a signed root hash for verifying kernel

[PATCH 03/27] Enforce module signatures if the kernel is locked down

2019-03-06 Thread Matthew Garrett
From: David Howells If the kernel is locked down, require that all modules have valid signatures that we can verify. I have adjusted the errors generated: (1) If there's no signature (ENODATA) or we can't check it (ENOPKG, ENOKEY), then: (a) If signatures are enforced then

[PATCH 03/27] Enforce module signatures if the kernel is locked down

2019-02-28 Thread Matthew Garrett
From: David Howells If the kernel is locked down, require that all modules have valid signatures that we can verify or that IMA can validate the file. I have adjusted the errors generated: (1) If there's no signature (ENODATA) or we can't check it (ENOPKG, ENOKEY), then: (a) If

Re: [PATCH 03/27] Enforce module signatures if the kernel is locked down

2017-11-02 Thread Mimi Zohar
On Thu, 2017-11-02 at 22:01 +, David Howells wrote: > Mimi Zohar wrote: > > > Right, it would never get here if the IMA signature verification > > fails.  If sig_enforce is not enabled, then it will also work.  So the > > only case is if sig_enforced is enabled and

Re: [PATCH 03/27] Enforce module signatures if the kernel is locked down

2017-11-02 Thread Mimi Zohar
On Thu, 2017-11-02 at 22:01 +, David Howells wrote: > Mimi Zohar wrote: > > > Right, it would never get here if the IMA signature verification > > fails.  If sig_enforce is not enabled, then it will also work.  So the > > only case is if sig_enforced is enabled and there is no key. > > > >

Re: [PATCH 03/27] Enforce module signatures if the kernel is locked down

2017-11-02 Thread David Howells
Mimi Zohar wrote: > Right, it would never get here if the IMA signature verification > fails.  If sig_enforce is not enabled, then it will also work.  So the > only case is if sig_enforced is enabled and there is no key. > > eg. >          else if (can_do_ima_check &&

Re: [PATCH 03/27] Enforce module signatures if the kernel is locked down

2017-11-02 Thread David Howells
Mimi Zohar wrote: > Right, it would never get here if the IMA signature verification > fails.  If sig_enforce is not enabled, then it will also work.  So the > only case is if sig_enforced is enabled and there is no key. > > eg. >          else if (can_do_ima_check && is_ima_appraise_enabled())

Re: [PATCH 03/27] Enforce module signatures if the kernel is locked down

2017-11-02 Thread Mimi Zohar
On Thu, 2017-11-02 at 21:30 +, David Howells wrote: > Mimi Zohar wrote: > > > By this point, IMA-appraisal has already verified the kernel module > > signature back in kernel_read_file_from_fd(), if it was required. > >  Having a key with which to verify the

Re: [PATCH 03/27] Enforce module signatures if the kernel is locked down

2017-11-02 Thread Mimi Zohar
On Thu, 2017-11-02 at 21:30 +, David Howells wrote: > Mimi Zohar wrote: > > > By this point, IMA-appraisal has already verified the kernel module > > signature back in kernel_read_file_from_fd(), if it was required. > >  Having a key with which to verify the appended signature or requiring >

Re: [PATCH 03/27] Enforce module signatures if the kernel is locked down

2017-11-02 Thread David Howells
Mimi Zohar wrote: > By this point, IMA-appraisal has already verified the kernel module > signature back in kernel_read_file_from_fd(), if it was required. >  Having a key with which to verify the appended signature or requiring > an appended signature, should not be

Re: [PATCH 03/27] Enforce module signatures if the kernel is locked down

2017-11-02 Thread David Howells
Mimi Zohar wrote: > By this point, IMA-appraisal has already verified the kernel module > signature back in kernel_read_file_from_fd(), if it was required. >  Having a key with which to verify the appended signature or requiring > an appended signature, should not be required as well. I guess I

Re: [PATCH 03/27] Enforce module signatures if the kernel is locked down

2017-11-02 Thread Mimi Zohar
On Thu, 2017-11-02 at 17:22 +, David Howells wrote: > #ifdef CONFIG_MODULE_SIG > -static int module_sig_check(struct load_info *info, int flags) > +static int module_sig_check(struct load_info *info, int flags, > + bool can_do_ima_check) > { > int err =
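Review bot: the new `bool can_do_ima_check` argument to module_sig_check() has no comment in the visible lines saying what the caller must have established before passing true. A bare bool on a signature-checking function is easy to misuse at a call site, so a one-line comment above the function stating when it may be set would help. The quoted hunk is cut off at `int err =`, so how the flag is consumed cannot be assessed from here.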

Re: [PATCH 03/27] Enforce module signatures if the kernel is locked down

2017-11-02 Thread David Howells
Hi Mimi, I've altered this patch to allow for IMA appraisal on finit_module(). See the attached. David --- commit c0d5336356004e7543314e388755a00e725521da Author: David Howells Date: Wed May 24 14:56:01 2017 +0100 Enforce module signatures if the kernel is locked

Re: [PATCH 03/27] Enforce module signatures if the kernel is locked down

2017-11-02 Thread David Howells
Hi Mimi, I've altered this patch to allow for IMA appraisal on finit_module(). See the attached. David --- commit c0d5336356004e7543314e388755a00e725521da Author: David Howells Date: Wed May 24 14:56:01 2017 +0100 Enforce module signatures if the kernel is locked down If the

Re: [PATCH 03/27] Enforce module signatures if the kernel is locked down

2017-10-30 Thread Mimi Zohar
[Corrected Matthew Garrett's email address.  Cc'ed Bruno Meneguele] On Mon, 2017-10-30 at 17:00 +, David Howells wrote: > Mimi Zohar wrote: > > > This kernel_is_locked_down() check is being called for both the > > original and new module_load syscalls.  We need to

Re: [PATCH 03/27] Enforce module signatures if the kernel is locked down

2017-10-30 Thread Mimi Zohar
[Corrected Matthew Garrett's email address.  Cc'ed Bruno Meneguele] On Mon, 2017-10-30 at 17:00 +, David Howells wrote: > Mimi Zohar wrote: > > > This kernel_is_locked_down() check is being called for both the > > original and new module_load syscalls.  We need to be able > > to differentiate

Re: [PATCH 03/27] Enforce module signatures if the kernel is locked down

2017-10-30 Thread David Howells
Mimi Zohar wrote: > This kernel_is_locked_down() check is being called for both the > original and new module_load syscalls.  We need to be able > to differentiate them.  This is fine for the original syscall, but for > the new syscall we would need an additional IMA check

Re: [PATCH 03/27] Enforce module signatures if the kernel is locked down

2017-10-30 Thread David Howells
Mimi Zohar wrote: > This kernel_is_locked_down() check is being called for both the > original and new module_load syscalls.  We need to be able > to differentiate them.  This is fine for the original syscall, but for > the new syscall we would need an additional IMA check - >

Re: [PATCH 03/27] Enforce module signatures if the kernel is locked down

2017-10-27 Thread Mimi Zohar
On Thu, 2017-10-19 at 15:50 +0100, David Howells wrote: > If the kernel is locked down, require that all modules have valid > signatures that we can verify. > > Signed-off-by: David Howells > --- > > kernel/module.c |3 ++- > 1 file changed, 2 insertions(+), 1

Re: [PATCH 03/27] Enforce module signatures if the kernel is locked down

2017-10-27 Thread Mimi Zohar
On Thu, 2017-10-19 at 15:50 +0100, David Howells wrote: > If the kernel is locked down, require that all modules have valid > signatures that we can verify. > > Signed-off-by: David Howells > --- > > kernel/module.c |3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git

Re: [PATCH 03/27] Enforce module signatures if the kernel is locked down

2017-10-20 Thread James Morris
On Thu, 19 Oct 2017, David Howells wrote: > If the kernel is locked down, require that all modules have valid > signatures that we can verify. > > Signed-off-by: David Howells Reviewed-by: James Morris -- James Morris

Re: [PATCH 03/27] Enforce module signatures if the kernel is locked down

2017-10-20 Thread joeyli
Hi David, Thanks for sending out this series. On Thu, Oct 19, 2017 at 03:50:55PM +0100, David Howells wrote: > If the kernel is locked down, require that all modules have valid > signatures that we can verify. > > Signed-off-by: David Howells I have reviewed and tested

Re: [PATCH 03/27] Enforce module signatures if the kernel is locked down

2017-10-20 Thread joeyli
Hi David, Thanks for sending out this series. On Thu, Oct 19, 2017 at 03:50:55PM +0100, David Howells wrote: > If the kernel is locked down, require that all modules have valid > signatures that we can verify. > > Signed-off-by: David Howells I have reviewed and tested this patch. Please

[PATCH 03/27] Enforce module signatures if the kernel is locked down

2017-10-19 Thread David Howells
If the kernel is locked down, require that all modules have valid signatures that we can verify. Signed-off-by: David Howells --- kernel/module.c |3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/kernel/module.c b/kernel/module.c index

[PATCH 03/27] Enforce module signatures if the kernel is locked down

2017-10-19 Thread David Howells
If the kernel is locked down, require that all modules have valid signatures that we can verify. Signed-off-by: David Howells --- kernel/module.c |3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/kernel/module.c b/kernel/module.c index de66ec825992..3d9a3270c179 100644