Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

Hi David,

On Mon, 2017-04-10 at 14:19 +0100, David Howells wrote:
> Mimi Zohar wrote:
>
> > From an IMA perspective, either a file hash or signature are valid,
> > but for this usage it must be a signature.
>
> Not necessarily.  If IMA can guarantee that a module is the same based on its
> hash rather than on a key, I would've thought that should be fine.

File hashes can be modified on the running system, so they're normally
used, in conjunction with EVM, to detect off line modification of
mutable files and prevent their usage.  These patches
https://lkml.org/lkml/2017/5/2/465 should provide some of the missing
functionality.

Mimi
Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

Mimi Zohar wrote:

> From an IMA perspective, either a file hash or signature are valid,
> but for this usage it must be a signature.

Not necessarily.  If IMA can guarantee that a module is the same based on its
hash rather than on a key, I would've thought that should be fine.

David
Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

On Fri, 2017-04-07 at 10:17 +0100, David Howells wrote:
> Mimi Zohar wrote:
>
> > > Okay, fair enough.  I can stick in an OR with an IS_ENABLED on some IMA
> > > symbol.  CONFIG_IMA_KEXEC maybe?  And also require IMA be enabled?
> >
> > Not quite, since as Dave pointed out, IMA is policy driven.  As a
> > policy is installed, we could set a flag.
>
> Does such a flag exist as yet?

Not exactly what is needed.  There's a flag named ima_appraise, which
is used internally in IMA.  A temporary flag is created, while
validating the rules.

	if (default_appraise_rules[i].func == POLICY_CHECK)
		temp_ima_appraise |= IMA_APPRAISE_POLICY;

	if (!result && (entry->action == UNKNOWN))
		result = -EINVAL;
	else if (entry->func == MODULE_CHECK)
		temp_ima_appraise |= IMA_APPRAISE_MODULES;
	else if (entry->func == FIRMWARE_CHECK)
		temp_ima_appraise |= IMA_APPRAISE_FIRMWARE;
	else if (entry->func == POLICY_CHECK)
		temp_ima_appraise |= IMA_APPRAISE_POLICY;

If the entire policy is valid, ima_update_policy_flag() sets the
ima_appraise flag.

	ima_appraise |= temp_ima_appraise;

From an IMA perspective, either a file hash or signature are valid,
but for this usage it must be a signature.  So in addition to testing
entry->func, above, entry->flags would need to be tested as well to
detect if IMA_DIGSIG_REQUIRED is set.

Mimi
Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

Mimi Zohar wrote:

> > Okay, fair enough.  I can stick in an OR with an IS_ENABLED on some IMA
> > symbol.  CONFIG_IMA_KEXEC maybe?  And also require IMA be enabled?
>
> Not quite, since as Dave pointed out, IMA is policy driven.  As a
> policy is installed, we could set a flag.

Does such a flag exist as yet?

David
Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

On 04/07/17 at 04:28am, Mimi Zohar wrote:
> On Fri, 2017-04-07 at 15:41 +0800, Dave Young wrote:
> > On 04/07/17 at 08:07am, David Howells wrote:
> > > Dave Young wrote:
> > >
> > > > > > > > +	/* Don't permit images to be loaded into trusted kernels if we're not
> > > > > > > > +	 * going to verify the signature on them
> > > > > > > > +	 */
> > > > > > > > +	if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && kernel_is_locked_down())
> > > > > > > > +		return -EPERM;
> > > > > > > > +
> > > > > > > >
> > > > > >
> > > > > > IMA can be used to verify file signatures too, based on the LSM hooks
> > > > > > in kernel_read_file_from_fd().  CONFIG_KEXEC_VERIFY_SIG should not be
> > > > > > required.
> > > > >
> > > > > Mimi, I remember we talked something before about the two signature
> > > > > verification. One can change IMA policy in initramfs userspace,
> > > > > also there are kernel cmdline param to disable IMA, so it can break the
> > > > > lockdown? Suppose kexec boot with ima disabled cmdline param and then
> > > > > kexec reboot again..
> > > >
> > > > I guess I should lock down the parameter to disable IMA too.
> > >
> > > That is one thing, user can change IMA policy in initramfs userspace,
> > > I'm not sure if IMA enforce the signed policy now, if no it will be also
> > > a problem.
> >
> > I'm not sure how this relates to the question of whether IMA verifies
> > the kexec kernel image signature, as the test would not be based on a
> > Kconfig option, but on a runtime variable.

I assumed one can change the policy to avoid the kexec and initramfs
check, and we use a global IMA status in the -EPERM check for the
lockdown checking.  But if there is some fine grained checking to
ensure kernel signature verification it should be fine.

> > To answer your question, the rule for requiring the policy to be
> > signed is: appraise func=POLICY_CHECK appraise_type=imasig
> >
> > When the ability to append rules is Kconfig enabled, the builtin
> > policy requires the new policy or additional rules to be signed.
> > Unfortunately, always requiring the policy to be signed, would have
> > broken userspace.
> >
> > Mimi
>

Thanks
Dave
Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

On Fri, 2017-04-07 at 15:41 +0800, Dave Young wrote:
> On 04/07/17 at 08:07am, David Howells wrote:
> > Dave Young wrote:
> >
> > > > > > > +	/* Don't permit images to be loaded into trusted kernels if we're not
> > > > > > > +	 * going to verify the signature on them
> > > > > > > +	 */
> > > > > > > +	if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && kernel_is_locked_down())
> > > > > > > +		return -EPERM;
> > > > > > > +
> > > > > > >
> > > > >
> > > > > IMA can be used to verify file signatures too, based on the LSM hooks
> > > > > in kernel_read_file_from_fd().  CONFIG_KEXEC_VERIFY_SIG should not be
> > > > > required.
> > > >
> > > > Mimi, I remember we talked something before about the two signature
> > > > verification. One can change IMA policy in initramfs userspace,
> > > > also there are kernel cmdline param to disable IMA, so it can break the
> > > > lockdown? Suppose kexec boot with ima disabled cmdline param and then
> > > > kexec reboot again..
> > >
> > > I guess I should lock down the parameter to disable IMA too.
> >
> > That is one thing, user can change IMA policy in initramfs userspace,
> > I'm not sure if IMA enforce the signed policy now, if no it will be also
> > a problem.

I'm not sure how this relates to the question of whether IMA verifies
the kexec kernel image signature, as the test would not be based on a
Kconfig option, but on a runtime variable.

To answer your question, the rule for requiring the policy to be
signed is: appraise func=POLICY_CHECK appraise_type=imasig

When the ability to append rules is Kconfig enabled, the builtin
policy requires the new policy or additional rules to be signed.
Unfortunately, always requiring the policy to be signed, would have
broken userspace.

Mimi
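The runtime flag Mimi describes (a bit gathered from entry->func and entry->flags while the policy rules are validated and folded into ima_appraise by ima_update_policy_flag(), from her reply to David's question about the flag elsewhere on this page) together with the appraise func=POLICY_CHECK appraise_type=imasig rule syntax above, worked through as an added user-space C model. This is example code written for this page, not kernel code from the thread or from the IMA tree: the rule parser, the load_policy() and kexec_file_load_allowed() helpers, the IMA_APPRAISE_KEXEC_KERNEL_SIG bit, the bit values and the use of a KEXEC_KERNEL_CHECK hook name are all assumptions made for the illustration. It shows the distinction the thread turns on: only a rule carrying IMA_DIGSIG_REQUIRED (appraise_type=imasig) sets the bit that lets a locked-down kernel accept a kexec_file_load without CONFIG_KEXEC_VERIFY_SIG; a hash-only appraise rule does not.

```c
/* Added example (not kernel code): a user-space model of the runtime IMA
 * flag discussed in this thread.  The KEXEC_KERNEL_CHECK hook name, the
 * IMA_APPRAISE_KEXEC_KERNEL_SIG bit, the bit values and the helpers are
 * constructed for the illustration. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum ima_hooks { MODULE_CHECK, FIRMWARE_CHECK, POLICY_CHECK, KEXEC_KERNEL_CHECK, NR_HOOKS };
static const char *const hook_names[NR_HOOKS] = {
	"MODULE_CHECK", "FIRMWARE_CHECK", "POLICY_CHECK", "KEXEC_KERNEL_CHECK" };

#define IMA_DIGSIG_REQUIRED            0x01  /* rule carries appraise_type=imasig */

/* Bits gathered while validating the rules (modelled on temp_ima_appraise). */
#define IMA_APPRAISE_MODULES           0x01
#define IMA_APPRAISE_FIRMWARE          0x02
#define IMA_APPRAISE_POLICY            0x04
#define IMA_APPRAISE_KEXEC_KERNEL_SIG  0x08  /* kexec image must carry a signature */

struct ima_rule_entry { enum ima_hooks func; unsigned int flags; };

/* Parse one "appraise func=X [appraise_type=imasig]" rule; false on anything
 * unknown, the case the kernel's parser turns into -EINVAL. */
static bool parse_rule(const char *line, struct ima_rule_entry *e)
{
	char buf[128], *save = NULL, *tok;
	bool have_func = false;

	if (strlen(line) >= sizeof(buf))
		return false;
	strcpy(buf, line);
	e->func = NR_HOOKS;
	e->flags = 0;

	tok = strtok_r(buf, " \t", &save);
	if (!tok || strcmp(tok, "appraise") != 0)
		return false;                       /* only appraise rules modelled */

	while ((tok = strtok_r(NULL, " \t", &save)) != NULL) {
		if (strncmp(tok, "func=", 5) == 0) {
			int h;
			for (h = 0; h < NR_HOOKS; h++)
				if (strcmp(tok + 5, hook_names[h]) == 0)
					break;
			if (h == NR_HOOKS)
				return false;
			e->func = (enum ima_hooks)h;
			have_func = true;
		} else if (strcmp(tok, "appraise_type=imasig") == 0) {
			e->flags |= IMA_DIGSIG_REQUIRED;
		} else {
			return false;
		}
	}
	return have_func;
}

/* Fold validated rules into one flag word.  For the kexec hook entry->flags
 * is tested as well as entry->func: a hash-only rule does not bind the image
 * to a key, so it must not set the signature bit. */
static unsigned int compute_appraise_flags(const struct ima_rule_entry *r, size_t n)
{
	unsigned int temp = 0;

	for (size_t i = 0; i < n; i++) {
		if (r[i].func == MODULE_CHECK)
			temp |= IMA_APPRAISE_MODULES;
		else if (r[i].func == FIRMWARE_CHECK)
			temp |= IMA_APPRAISE_FIRMWARE;
		else if (r[i].func == POLICY_CHECK)
			temp |= IMA_APPRAISE_POLICY;
		else if (r[i].func == KEXEC_KERNEL_CHECK && (r[i].flags & IMA_DIGSIG_REQUIRED))
			temp |= IMA_APPRAISE_KEXEC_KERNEL_SIG;
	}
	return temp;
}

/* Validate a whole policy; any malformed rule rejects all of it (returns 0),
 * mirroring ima_update_policy_flag() committing only a fully valid policy. */
unsigned int load_policy(const char *const *lines, size_t n)
{
	struct ima_rule_entry rules[16];

	if (n > 16)
		return 0;
	for (size_t i = 0; i < n; i++)
		if (!parse_rule(lines[i], &rules[i]))
			return 0;
	return compute_appraise_flags(rules, n);
}

/* The lockdown gate with the runtime IMA state OR-ed in: refuse only when
 * neither CONFIG_KEXEC_VERIFY_SIG nor a signed-kexec IMA rule will verify. */
int kexec_file_load_allowed(bool kexec_verify_sig, unsigned int ima_appraise, bool locked_down)
{
	bool will_verify = kexec_verify_sig || (ima_appraise & IMA_APPRAISE_KEXEC_KERNEL_SIG);

	return (!will_verify && locked_down) ? -EPERM : 0;
}

/* Constructed sample policies. */
static const char *const signed_kexec_policy[] = {
	"appraise func=POLICY_CHECK appraise_type=imasig",
	"appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig",
};
static const char *const hash_only_kexec_policy[] = { "appraise func=KEXEC_KERNEL_CHECK" };

unsigned int signed_policy_flags(void)    { return load_policy(signed_kexec_policy, 2); }
unsigned int hash_only_policy_flags(void) { return load_policy(hash_only_kexec_policy, 1); }

int main(void)
{
	unsigned int f = signed_policy_flags();
	printf("signed rule:    flags=0x%x, locked-down load -> %d\n", f, kexec_file_load_allowed(false, f, true));
	f = hash_only_policy_flags();
	printf("hash-only rule: flags=0x%x, locked-down load -> %d\n", f, kexec_file_load_allowed(false, f, true));
	return 0;
}
```

With the signed policy the model returns 0 (load allowed) even without CONFIG_KEXEC_VERIFY_SIG, because the policy guarantees the image will be appraised against a signature; with the hash-only policy it returns -EPERM on a locked-down kernel, since the hash alone can be rewritten on the running system, the point Mimi makes in her later reply to David.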
Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

On 04/07/17 at 03:45am, Mimi Zohar wrote:
> On Fri, 2017-04-07 at 14:19 +0800, Dave Young wrote:
> > On 04/06/17 at 11:49pm, Mimi Zohar wrote:
> > > On Fri, 2017-04-07 at 11:05 +0800, Dave Young wrote:
> > > > On 04/05/17 at 09:15pm, David Howells wrote:
> > > > > From: Chun-Yi Lee
> > > > >
> > > > > When KEXEC_VERIFY_SIG is not enabled, kernel should not load an image
> > > > > through the kexec_file system call if securelevel has been set.
> > > > >
> > > > > This code was shown in Matthew's patch but not in git:
> > > > > https://lkml.org/lkml/2015/3/13/778
>
> I specifically checked to make sure that either kexec_file() signature
> verification was acceptable and would have commented then, if it had
> not been included.
>
> > > > > Cc: Matthew Garrett
> > > > > Signed-off-by: Chun-Yi Lee
> > > > > Signed-off-by: David Howells
> > > > > cc: ke...@lists.infradead.org
> > > > > ---
> > > > >
> > > > >  kernel/kexec_file.c |    6 ++
> > > > >  1 file changed, 6 insertions(+)
> > > > >
> > > > > diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
> > > > > index b118735fea9d..f6937eecd1eb 100644
> > > > > --- a/kernel/kexec_file.c
> > > > > +++ b/kernel/kexec_file.c
> > > > > @@ -268,6 +268,12 @@ SYSCALL_DEFINE5(kexec_file_load, int, kernel_fd, int, initrd_fd,
> > > > >  	if (!capable(CAP_SYS_BOOT) || kexec_load_disabled)
> > > > >  		return -EPERM;
> > > > >
> > > > > +	/* Don't permit images to be loaded into trusted kernels if we're not
> > > > > +	 * going to verify the signature on them
> > > > > +	 */
> > > > > +	if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && kernel_is_locked_down())
> > > > > +		return -EPERM;
> > > > > +
> > > > >
> > >
> > > IMA can be used to verify file signatures too, based on the LSM hooks
> > > in kernel_read_file_from_fd().  CONFIG_KEXEC_VERIFY_SIG should not be
> > > required.
> >
> > Mimi, I remember we talked something before about the two signature
> > verification. One can change IMA policy in initramfs userspace,
> > also there are kernel cmdline param to disable IMA, so it can break the
> > lockdown? Suppose kexec boot with ima disabled cmdline param and then
> > kexec reboot again..
>
> Right, we discussed that the same method of measuring the kexec image
> and initramfs, for extending trusted boot to the OS, could also be
> used for verifying the kexec image and initramfs signatures, for
> extending secure boot to the OS.  The file hash would be calculated
> once for both.
>
> All of your concerns could be addressed with very minor changes to
> IMA.  (Continued in response to David.)

Thanks! As long as IMA can ensure not breaking the lockdown it should
be fine to add a check for either !CONFIG_KEXEC_VERIFY_SIG or !IMA
enforced.

> > > > >  	/* Make sure we have a legal set of flags */
> > > > >  	if (flags != (flags & KEXEC_FILE_FLAGS))
> > > > >  		return -EINVAL;
> > > > >
> > > > >
> > > > > ___
> > > > > kexec mailing list
> > > > > ke...@lists.infradead.org
> > > > > http://lists.infradead.org/mailman/listinfo/kexec
> > > >
> > > > Acked-by: Dave Young
> > > >
> > > > Thanks
> > > > Dave
> > > > --
> > > > To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
> > > > the body of a message to majord...@vger.kernel.org
> > > > More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

On Fri, 2017-04-07 at 08:09 +0100, David Howells wrote:
> Mimi Zohar wrote:
>
> > > > +	if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && kernel_is_locked_down())
> > > > +		return -EPERM;
> > > > +
> > > >
> >
> > IMA can be used to verify file signatures too, based on the LSM hooks
> > in kernel_read_file_from_fd().  CONFIG_KEXEC_VERIFY_SIG should not be
> > required.
>
> Okay, fair enough.  I can stick in an OR with an IS_ENABLED on some IMA
> symbol.  CONFIG_IMA_KEXEC maybe?  And also require IMA be enabled?

Not quite, since as Dave pointed out, IMA is policy driven.  As a
policy is installed, we could set a flag.

Mimi
Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

On Fri, 2017-04-07 at 14:19 +0800, Dave Young wrote:
> On 04/06/17 at 11:49pm, Mimi Zohar wrote:
> > On Fri, 2017-04-07 at 11:05 +0800, Dave Young wrote:
> > > On 04/05/17 at 09:15pm, David Howells wrote:
> > > > From: Chun-Yi Lee
> > > >
> > > > When KEXEC_VERIFY_SIG is not enabled, kernel should not load an image
> > > > through the kexec_file system call if securelevel has been set.
> > > >
> > > > This code was shown in Matthew's patch but not in git:
> > > > https://lkml.org/lkml/2015/3/13/778

I specifically checked to make sure that either kexec_file() signature
verification was acceptable and would have commented then, if it had
not been included.

> > > > Cc: Matthew Garrett
> > > > Signed-off-by: Chun-Yi Lee
> > > > Signed-off-by: David Howells
> > > > cc: ke...@lists.infradead.org
> > > > ---
> > > >
> > > >  kernel/kexec_file.c |    6 ++
> > > >  1 file changed, 6 insertions(+)
> > > >
> > > > diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
> > > > index b118735fea9d..f6937eecd1eb 100644
> > > > --- a/kernel/kexec_file.c
> > > > +++ b/kernel/kexec_file.c
> > > > @@ -268,6 +268,12 @@ SYSCALL_DEFINE5(kexec_file_load, int, kernel_fd, int, initrd_fd,
> > > >  	if (!capable(CAP_SYS_BOOT) || kexec_load_disabled)
> > > >  		return -EPERM;
> > > >
> > > > +	/* Don't permit images to be loaded into trusted kernels if we're not
> > > > +	 * going to verify the signature on them
> > > > +	 */
> > > > +	if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && kernel_is_locked_down())
> > > > +		return -EPERM;
> > > > +
> > > >
> >
> > IMA can be used to verify file signatures too, based on the LSM hooks
> > in kernel_read_file_from_fd().  CONFIG_KEXEC_VERIFY_SIG should not be
> > required.
>
> Mimi, I remember we talked something before about the two signature
> verification. One can change IMA policy in initramfs userspace,
> also there are kernel cmdline param to disable IMA, so it can break the
> lockdown? Suppose kexec boot with ima disabled cmdline param and then
> kexec reboot again..

Right, we discussed that the same method of measuring the kexec image
and initramfs, for extending trusted boot to the OS, could also be
used for verifying the kexec image and initramfs signatures, for
extending secure boot to the OS.  The file hash would be calculated
once for both.

All of your concerns could be addressed with very minor changes to
IMA.  (Continued in response to David.)

> > > >  	/* Make sure we have a legal set of flags */
> > > >  	if (flags != (flags & KEXEC_FILE_FLAGS))
> > > >  		return -EINVAL;
> > >
> > > Acked-by: Dave Young
> > >
> > > Thanks
> > > Dave
Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

On 04/07/17 at 08:07am, David Howells wrote:
> Dave Young wrote:
>
> > > > > +	/* Don't permit images to be loaded into trusted kernels if we're not
> > > > > +	 * going to verify the signature on them
> > > > > +	 */
> > > > > +	if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && kernel_is_locked_down())
> > > > > +		return -EPERM;
> > > > > +
> > > > >
> > >
> > > IMA can be used to verify file signatures too, based on the LSM hooks
> > > in kernel_read_file_from_fd().  CONFIG_KEXEC_VERIFY_SIG should not be
> > > required.
> >
> > Mimi, I remember we talked something before about the two signature
> > verification. One can change IMA policy in initramfs userspace,
> > also there are kernel cmdline param to disable IMA, so it can break the
> > lockdown? Suppose kexec boot with ima disabled cmdline param and then
> > kexec reboot again..
>
> I guess I should lock down the parameter to disable IMA too.

That is one thing, user can change IMA policy in initramfs userspace,
I'm not sure if IMA enforce the signed policy now, if no it will be also
a problem.

Thanks
Dave
Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

Mimi Zohar wrote:

> > > +	if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && kernel_is_locked_down())
> > > +		return -EPERM;
> > > +
> > >
>
> IMA can be used to verify file signatures too, based on the LSM hooks
> in kernel_read_file_from_fd().  CONFIG_KEXEC_VERIFY_SIG should not be
> required.

Okay, fair enough.  I can stick in an OR with an IS_ENABLED on some IMA
symbol.  CONFIG_IMA_KEXEC maybe?  And also require IMA be enabled?

David
Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

Dave Young wrote:

> > > > +	/* Don't permit images to be loaded into trusted kernels if we're not
> > > > +	 * going to verify the signature on them
> > > > +	 */
> > > > +	if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && kernel_is_locked_down())
> > > > +		return -EPERM;
> > > > +
> > > >
> >
> > IMA can be used to verify file signatures too, based on the LSM hooks
> > in kernel_read_file_from_fd().  CONFIG_KEXEC_VERIFY_SIG should not be
> > required.
>
> Mimi, I remember we talked something before about the two signature
> verification. One can change IMA policy in initramfs userspace,
> also there are kernel cmdline param to disable IMA, so it can break the
> lockdown? Suppose kexec boot with ima disabled cmdline param and then
> kexec reboot again..

I guess I should lock down the parameter to disable IMA too.

David
Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set
On 04/06/17 at 11:49pm, Mimi Zohar wrote:
> On Fri, 2017-04-07 at 11:05 +0800, Dave Young wrote:
> > On 04/05/17 at 09:15pm, David Howells wrote:
> > > From: Chun-Yi Lee
> > > 
> > > When KEXEC_VERIFY_SIG is not enabled, the kernel should not load images
> > > through the kexec_file system call if securelevel has been set.
> > > 
> > > This code was shown in Matthew's patch but not in git:
> > > https://lkml.org/lkml/2015/3/13/778
> > > 
> > > Cc: Matthew Garrett
> > > Signed-off-by: Chun-Yi Lee
> > > Signed-off-by: David Howells
> > > cc: ke...@lists.infradead.org
> > > ---
> > > 
> > >  kernel/kexec_file.c | 6 ++
> > >  1 file changed, 6 insertions(+)
> > > 
> > > diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
> > > index b118735fea9d..f6937eecd1eb 100644
> > > --- a/kernel/kexec_file.c
> > > +++ b/kernel/kexec_file.c
> > > @@ -268,6 +268,12 @@ SYSCALL_DEFINE5(kexec_file_load, int, kernel_fd,
> > > int, initrd_fd,
> > >  	if (!capable(CAP_SYS_BOOT) || kexec_load_disabled)
> > >  		return -EPERM;
> > > 
> > > +	/* Don't permit images to be loaded into trusted kernels if we're not
> > > +	 * going to verify the signature on them
> > > +	 */
> > > +	if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && kernel_is_locked_down())
> > > +		return -EPERM;
> > > +
> > 
> IMA can be used to verify file signatures too, based on the LSM hooks
> in kernel_read_file_from_fd(). CONFIG_KEXEC_VERIFY_SIG should not be
> required.

Mimi, I remember we talked about something before regarding the two
signature verifications. One can change the IMA policy in initramfs
userspace; also there is a kernel cmdline param to disable IMA, so can
it break the lockdown? Suppose kexec boots with the IMA-disabled cmdline
param and then kexec reboots again..

> 
> Mimi
> 
> > >  	/* Make sure we have a legal set of flags */
> > >  	if (flags != (flags & KEXEC_FILE_FLAGS))
> > >  		return -EINVAL;
> > > 
> > > 
> > > ___
> > > kexec mailing list
> > > ke...@lists.infradead.org
> > > http://lists.infradead.org/mailman/listinfo/kexec
> > 
> > Acked-by: Dave Young
> > 
> > Thanks
> > Dave
> > --
> > To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
> > the body of a message to majord...@vger.kernel.org
> > More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set
On Fri, 2017-04-07 at 11:05 +0800, Dave Young wrote:
> On 04/05/17 at 09:15pm, David Howells wrote:
> > From: Chun-Yi Lee
> > 
> > When KEXEC_VERIFY_SIG is not enabled, the kernel should not load images
> > through the kexec_file system call if securelevel has been set.
> > 
> > This code was shown in Matthew's patch but not in git:
> > https://lkml.org/lkml/2015/3/13/778
> > 
> > Cc: Matthew Garrett
> > Signed-off-by: Chun-Yi Lee
> > Signed-off-by: David Howells
> > cc: ke...@lists.infradead.org
> > ---
> > 
> >  kernel/kexec_file.c | 6 ++
> >  1 file changed, 6 insertions(+)
> > 
> > diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
> > index b118735fea9d..f6937eecd1eb 100644
> > --- a/kernel/kexec_file.c
> > +++ b/kernel/kexec_file.c
> > @@ -268,6 +268,12 @@ SYSCALL_DEFINE5(kexec_file_load, int, kernel_fd, int,
> > initrd_fd,
> >  	if (!capable(CAP_SYS_BOOT) || kexec_load_disabled)
> >  		return -EPERM;
> > 
> > +	/* Don't permit images to be loaded into trusted kernels if we're not
> > +	 * going to verify the signature on them
> > +	 */
> > +	if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && kernel_is_locked_down())
> > +		return -EPERM;
> > +

IMA can be used to verify file signatures too, based on the LSM hooks in
kernel_read_file_from_fd(). CONFIG_KEXEC_VERIFY_SIG should not be
required.

Mimi

> >  	/* Make sure we have a legal set of flags */
> >  	if (flags != (flags & KEXEC_FILE_FLAGS))
> >  		return -EINVAL;
> 
> Acked-by: Dave Young
> 
> Thanks
> Dave
Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set
On 04/05/17 at 09:15pm, David Howells wrote:
> From: Chun-Yi Lee
> 
> When KEXEC_VERIFY_SIG is not enabled, the kernel should not load images
> through the kexec_file system call if securelevel has been set.
> 
> This code was shown in Matthew's patch but not in git:
> https://lkml.org/lkml/2015/3/13/778
> 
> Cc: Matthew Garrett
> Signed-off-by: Chun-Yi Lee
> Signed-off-by: David Howells
> cc: ke...@lists.infradead.org
> ---
> 
>  kernel/kexec_file.c | 6 ++
>  1 file changed, 6 insertions(+)
> 
> diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
> index b118735fea9d..f6937eecd1eb 100644
> --- a/kernel/kexec_file.c
> +++ b/kernel/kexec_file.c
> @@ -268,6 +268,12 @@ SYSCALL_DEFINE5(kexec_file_load, int, kernel_fd, int,
> initrd_fd,
>  	if (!capable(CAP_SYS_BOOT) || kexec_load_disabled)
>  		return -EPERM;
> 
> +	/* Don't permit images to be loaded into trusted kernels if we're not
> +	 * going to verify the signature on them
> +	 */
> +	if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && kernel_is_locked_down())
> +		return -EPERM;
> +
>  	/* Make sure we have a legal set of flags */
>  	if (flags != (flags & KEXEC_FILE_FLAGS))
>  		return -EINVAL;

Acked-by: Dave Young

Thanks
Dave
[PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set
From: Chun-Yi Lee

When KEXEC_VERIFY_SIG is not enabled, the kernel should not load images
through the kexec_file system call if securelevel has been set.

This code was shown in Matthew's patch but not in git:
https://lkml.org/lkml/2015/3/13/778

Cc: Matthew Garrett
Signed-off-by: Chun-Yi Lee
Signed-off-by: David Howells
cc: ke...@lists.infradead.org
---

 kernel/kexec_file.c | 6 ++
 1 file changed, 6 insertions(+)

diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
index b118735fea9d..f6937eecd1eb 100644
--- a/kernel/kexec_file.c
+++ b/kernel/kexec_file.c
@@ -268,6 +268,12 @@ SYSCALL_DEFINE5(kexec_file_load, int, kernel_fd, int, initrd_fd,
 	if (!capable(CAP_SYS_BOOT) || kexec_load_disabled)
 		return -EPERM;
 
+	/* Don't permit images to be loaded into trusted kernels if we're not
+	 * going to verify the signature on them
+	 */
+	if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && kernel_is_locked_down())
+		return -EPERM;
+
 	/* Make sure we have a legal set of flags */
 	if (flags != (flags & KEXEC_FILE_FLAGS))
 		return -EINVAL;
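Review bot: the subject and commit message say "securelevel" but the hunk tests kernel_is_locked_down(), so the description should name the lockdown state that the code actually checks. The new condition is purely a build-time test of CONFIG_KEXEC_VERIFY_SIG: a locked-down kernel built without that option rejects every kexec_file_load() with -EPERM, even where IMA appraisal would verify the image signature through the LSM hooks in kernel_read_file_from_fd(), as the review discussion points out. If an IMA-based path is accepted here (for instance an OR with IS_ENABLED() on an IMA config symbol plus a runtime check that IMA is actually enforcing), the kernel command-line parameters that disable IMA and the ability to replace the IMA policy from the initramfs need to be covered by the lockdown as well, otherwise the next kexec can boot a kernel with neither check in force; the comment above the check should also say which verification mechanism is being relied on rather than only "trusted kernels".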