subject:"\[PATCH 09\/24\] kexec_file\: Disable at runtime if securelevel has been set"

Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

2017-05-02 Thread Mimi Zohar

Hi David,

On Mon, 2017-04-10 at 14:19 +0100, David Howells wrote:
> Mimi Zohar  wrote:
> 
> > From an IMA perspective, either a file hash or signature are valid,
> > but for this usage it must be a signature.
> 
> Not necessarily.  If IMA can guarantee that a module is the same based on its
> hash rather than on a key, I would've thought that should be fine.

File hashes can be modified on the running system, so they're normally
used, in conjunction with EVM, to detect off line modification of
mutable files and prevent their usage.

These patches https://lkml.org/lkml/2017/5/2/465 should provide some
of the missing functionality.

Mimi

Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

2017-05-02 Thread Mimi Zohar

Hi David,

On Mon, 2017-04-10 at 14:19 +0100, David Howells wrote:
> Mimi Zohar  wrote:
> 
> > From an IMA perspective, either a file hash or signature are valid,
> > but for this usage it must be a signature.
> 
> Not necessarily.  If IMA can guarantee that a module is the same based on its
> hash rather than on a key, I would've thought that should be fine.

File hashes can be modified on the running system, so they're normally
used, in conjunction with EVM, to detect off line modification of
mutable files and prevent their usage.

These patches https://lkml.org/lkml/2017/5/2/465 should provide some
of the missing functionality.

Mimi

Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

2017-04-10 Thread David Howells

Mimi Zohar  wrote:

> From an IMA perspective, either a file hash or signature are valid,
> but for this usage it must be a signature.

Not necessarily.  If IMA can guarantee that a module is the same based on its
hash rather than on a key, I would've thought that should be fine.

David

Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

2017-04-10 Thread David Howells

Mimi Zohar  wrote:

> From an IMA perspective, either a file hash or signature are valid,
> but for this usage it must be a signature.

Not necessarily.  If IMA can guarantee that a module is the same based on its
hash rather than on a key, I would've thought that should be fine.

David

Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

2017-04-07 Thread Mimi Zohar

On Fri, 2017-04-07 at 10:17 +0100, David Howells wrote:
> Mimi Zohar  wrote:
> 
> > > Okay, fair enough.  I can stick in an OR with an IS_ENABLED on some IMA
> > > symbol.  CONFIG_IMA_KEXEC maybe?  And also require IMA be enabled?
> > 
> > Not quite, since as Dave pointed out, IMA is policy driven.  As a
> > policy is installed, we could set a flag.
> 
> Does such a flag exist as yet?

Not exactly what is needed.  There's a flag named ima_appraise, which
is used internally in IMA. A temporary flag is created, while
validating the rules.

if (default_appraise_rules[i].func == POLICY_CHECK)
temp_ima_appraise |= IMA_APPRAISE_POLICY;

if (!result && (entry->action == UNKNOWN))
result = -EINVAL;
else if (entry->func == MODULE_CHECK)
temp_ima_appraise |= IMA_APPRAISE_MODULES;
else if (entry->func == FIRMWARE_CHECK)
temp_ima_appraise |= IMA_APPRAISE_FIRMWARE;
else if (entry->func == POLICY_CHECK)
temp_ima_appraise |= IMA_APPRAISE_POLICY;

If the entire policy is valid,   ima_update_policy_flag() sets the ima_appraise 
flag.

ima_appraise |= temp_ima_appraise;

>From an IMA perspective, either a file hash or signature are valid,
but for this usage it must be a signature.  So in addition to testing
entry->func, above, entry->flags would need to be tested as well to
detect if IMA_DIGSIG_REQUIRED is set.

Mimi

Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

2017-04-07 Thread Mimi Zohar

On Fri, 2017-04-07 at 10:17 +0100, David Howells wrote:
> Mimi Zohar  wrote:
> 
> > > Okay, fair enough.  I can stick in an OR with an IS_ENABLED on some IMA
> > > symbol.  CONFIG_IMA_KEXEC maybe?  And also require IMA be enabled?
> > 
> > Not quite, since as Dave pointed out, IMA is policy driven.  As a
> > policy is installed, we could set a flag.
> 
> Does such a flag exist as yet?

Not exactly what is needed.  There's a flag named ima_appraise, which
is used internally in IMA. A temporary flag is created, while
validating the rules.

if (default_appraise_rules[i].func == POLICY_CHECK)
temp_ima_appraise |= IMA_APPRAISE_POLICY;

if (!result && (entry->action == UNKNOWN))
result = -EINVAL;
else if (entry->func == MODULE_CHECK)
temp_ima_appraise |= IMA_APPRAISE_MODULES;
else if (entry->func == FIRMWARE_CHECK)
temp_ima_appraise |= IMA_APPRAISE_FIRMWARE;
else if (entry->func == POLICY_CHECK)
temp_ima_appraise |= IMA_APPRAISE_POLICY;

If the entire policy is valid,   ima_update_policy_flag() sets the ima_appraise 
flag.

ima_appraise |= temp_ima_appraise;

>From an IMA perspective, either a file hash or signature are valid,
but for this usage it must be a signature.  So in addition to testing
entry->func, above, entry->flags would need to be tested as well to
detect if IMA_DIGSIG_REQUIRED is set.

Mimi

Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

2017-04-07 Thread David Howells

Mimi Zohar  wrote:

> > Okay, fair enough.  I can stick in an OR with an IS_ENABLED on some IMA
> > symbol.  CONFIG_IMA_KEXEC maybe?  And also require IMA be enabled?
> 
> Not quite, since as Dave pointed out, IMA is policy driven.  As a
> policy is installed, we could set a flag.

Does such a flag exist as yet?

David

Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

2017-04-07 Thread David Howells

Mimi Zohar  wrote:

> > Okay, fair enough.  I can stick in an OR with an IS_ENABLED on some IMA
> > symbol.  CONFIG_IMA_KEXEC maybe?  And also require IMA be enabled?
> 
> Not quite, since as Dave pointed out, IMA is policy driven.  As a
> policy is installed, we could set a flag.

Does such a flag exist as yet?

David

Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

2017-04-07 Thread Dave Young

On 04/07/17 at 04:28am, Mimi Zohar wrote:
> On Fri, 2017-04-07 at 15:41 +0800, Dave Young wrote:
> > On 04/07/17 at 08:07am, David Howells wrote:
> > > Dave Young  wrote:
> > > 
> > > > > > > + /* Don't permit images to be loaded into trusted kernels if 
> > > > > > > we're not
> > > > > > > +  * going to verify the signature on them
> > > > > > > +  */
> > > > > > > + if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && 
> > > > > > > kernel_is_locked_down())
> > > > > > > + return -EPERM;
> > > > > > > +
> > > > > > >  
> > > > > 
> > > > > IMA can be used to verify file signatures too, based on the LSM hooks
> > > > > in  kernel_read_file_from_fd().  CONFIG_KEXEC_VERIFY_SIG should not be
> > > > > required.
> > > > 
> > > > Mimi, I remember we talked somthing before about the two signature 
> > > > verification. One can change IMA policy in initramfs userspace,
> > > > also there are kernel cmdline param to disable IMA, so it can break the
> > > > lockdown? Suppose kexec boot with ima disabled cmdline param and then
> > > > kexec reboot again..
> > > 
> > > I guess I should lock down the parameter to disable IMA too.
> > 
> > That is one thing, user can change IMA policy in initramfs userspace,
> > I'm not sure if IMA enforce the signed policy now, if no it will be also
> > a problem.
> 
> I'm not sure how this relates to the question of whether IMA verifies
> the kexec kernel image signature, as the test would not be based on a
> Kconfig option, but on a runtime variable.

I assumed one can change the policy to avoid kexec and initramfs check
And we use a global IMA status in the -EPERM check for the lockdown
checking.  But if there is some fine grained checking to ensure kernel
signature verification it should be fine.
> 
> To answer your question, the rule for requiring the policy to be
> signed is:  appraise func=POLICY_CHECK appraise_type=imasig
> 
> When the ability to append rules is Kconfig enabled, the builtin
> policy requires the new policy or additional rules to be signed.
>  Unfortunately, always requiring the policy to be signed, would have
> broken userspace.
> 
> Mimi
> 

Thanks
Dave

Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

2017-04-07 Thread Dave Young

On 04/07/17 at 04:28am, Mimi Zohar wrote:
> On Fri, 2017-04-07 at 15:41 +0800, Dave Young wrote:
> > On 04/07/17 at 08:07am, David Howells wrote:
> > > Dave Young  wrote:
> > > 
> > > > > > > + /* Don't permit images to be loaded into trusted kernels if 
> > > > > > > we're not
> > > > > > > +  * going to verify the signature on them
> > > > > > > +  */
> > > > > > > + if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && 
> > > > > > > kernel_is_locked_down())
> > > > > > > + return -EPERM;
> > > > > > > +
> > > > > > >  
> > > > > 
> > > > > IMA can be used to verify file signatures too, based on the LSM hooks
> > > > > in  kernel_read_file_from_fd().  CONFIG_KEXEC_VERIFY_SIG should not be
> > > > > required.
> > > > 
> > > > Mimi, I remember we talked somthing before about the two signature 
> > > > verification. One can change IMA policy in initramfs userspace,
> > > > also there are kernel cmdline param to disable IMA, so it can break the
> > > > lockdown? Suppose kexec boot with ima disabled cmdline param and then
> > > > kexec reboot again..
> > > 
> > > I guess I should lock down the parameter to disable IMA too.
> > 
> > That is one thing, user can change IMA policy in initramfs userspace,
> > I'm not sure if IMA enforce the signed policy now, if no it will be also
> > a problem.
> 
> I'm not sure how this relates to the question of whether IMA verifies
> the kexec kernel image signature, as the test would not be based on a
> Kconfig option, but on a runtime variable.

I assumed one can change the policy to avoid kexec and initramfs check
And we use a global IMA status in the -EPERM check for the lockdown
checking.  But if there is some fine grained checking to ensure kernel
signature verification it should be fine.
> 
> To answer your question, the rule for requiring the policy to be
> signed is:  appraise func=POLICY_CHECK appraise_type=imasig
> 
> When the ability to append rules is Kconfig enabled, the builtin
> policy requires the new policy or additional rules to be signed.
>  Unfortunately, always requiring the policy to be signed, would have
> broken userspace.
> 
> Mimi
> 

Thanks
Dave

Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

2017-04-07 Thread Mimi Zohar

On Fri, 2017-04-07 at 15:41 +0800, Dave Young wrote:
> On 04/07/17 at 08:07am, David Howells wrote:
> > Dave Young  wrote:
> > 
> > > > > > +   /* Don't permit images to be loaded into trusted kernels if 
> > > > > > we're not
> > > > > > +* going to verify the signature on them
> > > > > > +*/
> > > > > > +   if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && 
> > > > > > kernel_is_locked_down())
> > > > > > +   return -EPERM;
> > > > > > +
> > > > > >  
> > > > 
> > > > IMA can be used to verify file signatures too, based on the LSM hooks
> > > > in  kernel_read_file_from_fd().  CONFIG_KEXEC_VERIFY_SIG should not be
> > > > required.
> > > 
> > > Mimi, I remember we talked somthing before about the two signature 
> > > verification. One can change IMA policy in initramfs userspace,
> > > also there are kernel cmdline param to disable IMA, so it can break the
> > > lockdown? Suppose kexec boot with ima disabled cmdline param and then
> > > kexec reboot again..
> > 
> > I guess I should lock down the parameter to disable IMA too.
> 
> That is one thing, user can change IMA policy in initramfs userspace,
> I'm not sure if IMA enforce the signed policy now, if no it will be also
> a problem.

I'm not sure how this relates to the question of whether IMA verifies
the kexec kernel image signature, as the test would not be based on a
Kconfig option, but on a runtime variable.

To answer your question, the rule for requiring the policy to be
signed is:  appraise func=POLICY_CHECK appraise_type=imasig

When the ability to append rules is Kconfig enabled, the builtin
policy requires the new policy or additional rules to be signed.
 Unfortunately, always requiring the policy to be signed, would have
broken userspace.

Mimi

Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

2017-04-07 Thread Mimi Zohar

On Fri, 2017-04-07 at 15:41 +0800, Dave Young wrote:
> On 04/07/17 at 08:07am, David Howells wrote:
> > Dave Young  wrote:
> > 
> > > > > > +   /* Don't permit images to be loaded into trusted kernels if 
> > > > > > we're not
> > > > > > +* going to verify the signature on them
> > > > > > +*/
> > > > > > +   if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && 
> > > > > > kernel_is_locked_down())
> > > > > > +   return -EPERM;
> > > > > > +
> > > > > >  
> > > > 
> > > > IMA can be used to verify file signatures too, based on the LSM hooks
> > > > in  kernel_read_file_from_fd().  CONFIG_KEXEC_VERIFY_SIG should not be
> > > > required.
> > > 
> > > Mimi, I remember we talked somthing before about the two signature 
> > > verification. One can change IMA policy in initramfs userspace,
> > > also there are kernel cmdline param to disable IMA, so it can break the
> > > lockdown? Suppose kexec boot with ima disabled cmdline param and then
> > > kexec reboot again..
> > 
> > I guess I should lock down the parameter to disable IMA too.
> 
> That is one thing, user can change IMA policy in initramfs userspace,
> I'm not sure if IMA enforce the signed policy now, if no it will be also
> a problem.

I'm not sure how this relates to the question of whether IMA verifies
the kexec kernel image signature, as the test would not be based on a
Kconfig option, but on a runtime variable.

To answer your question, the rule for requiring the policy to be
signed is:  appraise func=POLICY_CHECK appraise_type=imasig

When the ability to append rules is Kconfig enabled, the builtin
policy requires the new policy or additional rules to be signed.
 Unfortunately, always requiring the policy to be signed, would have
broken userspace.

Mimi

Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

2017-04-07 Thread Dave Young

On 04/07/17 at 03:45am, Mimi Zohar wrote:
> On Fri, 2017-04-07 at 14:19 +0800, Dave Young wrote:
> > On 04/06/17 at 11:49pm, Mimi Zohar wrote:
> > > On Fri, 2017-04-07 at 11:05 +0800, Dave Young wrote:
> > > > On 04/05/17 at 09:15pm, David Howells wrote:
> > > > > From: Chun-Yi Lee 
> > > > > 
> > > > > When KEXEC_VERIFY_SIG is not enabled, kernel should not loads image
> > > > > through kexec_file systemcall if securelevel has been set.
> > > > > 
> > > > > This code was showed in Matthew's patch but not in git:
> > > > > https://lkml.org/lkml/2015/3/13/778
> 
> I specifically checked to make sure that either kexec_file() signature
> verification was acceptable and would have commented then, if it had
> not been included.
> 
> > > > > Cc: Matthew Garrett 
> > > > > Signed-off-by: Chun-Yi Lee 
> > > > > Signed-off-by: David Howells 
> > > > > cc: ke...@lists.infradead.org
> > > > > ---
> > > > > 
> > > > >  kernel/kexec_file.c |6 ++
> > > > >  1 file changed, 6 insertions(+)
> > > > > 
> > > > > diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
> > > > > index b118735fea9d..f6937eecd1eb 100644
> > > > > --- a/kernel/kexec_file.c
> > > > > +++ b/kernel/kexec_file.c
> > > > > @@ -268,6 +268,12 @@ SYSCALL_DEFINE5(kexec_file_load, int, kernel_fd, 
> > > > > int, initrd_fd,
> > > > >   if (!capable(CAP_SYS_BOOT) || kexec_load_disabled)
> > > > >   return -EPERM;
> > > > >  
> > > > > + /* Don't permit images to be loaded into trusted kernels if 
> > > > > we're not
> > > > > +  * going to verify the signature on them
> > > > > +  */
> > > > > + if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && 
> > > > > kernel_is_locked_down())
> > > > > + return -EPERM;
> > > > > +
> > > > >  
> > > 
> > > IMA can be used to verify file signatures too, based on the LSM hooks
> > > in  kernel_read_file_from_fd().  CONFIG_KEXEC_VERIFY_SIG should not be
> > > required.
> > 
> > Mimi, I remember we talked somthing before about the two signature 
> > verification. One can change IMA policy in initramfs userspace,
> > also there are kernel cmdline param to disable IMA, so it can break the
> > lockdown? Suppose kexec boot with ima disabled cmdline param and then
> > kexec reboot again..
> 
> Right, we discussed that the same method of measuring the kexec image
> and initramfs, for extending trusted boot to the OS, could also be
> used for verifying the kexec image and initramfs signatures, for
> extending secure boot to the OS.  The file hash would be calculated
> once for both.
> 
> All of your concerns could be addressed with very minor changes to
> IMA.  (Continued in response to David.)

Thanks! As long as IMA can ensure not breaking the lockdown it should be
fine to add an check for either !CONFIG_KEXEC_VERIFY_SIG or !IMA
enforced.

> 
> > > 
> > > > /* Make sure we have a legal set of flags */
> > > > >   if (flags != (flags & KEXEC_FILE_FLAGS))
> > > > >   return -EINVAL;
> > > > > 
> > > > > 
> > > > > ___
> > > > > kexec mailing list
> > > > > ke...@lists.infradead.org
> > > > > http://lists.infradead.org/mailman/listinfo/kexec
> > > > 
> > > > Acked-by: Dave Young 
> > > > 
> > > > Thanks
> > > > Dave
> > > > --
> > > > To unsubscribe from this list: send the line "unsubscribe 
> > > > linux-security-module" in
> > > > the body of a message to majord...@vger.kernel.org
> > > > More majordomo info at  http://vger.kernel.org/majordomo-info.html
> > > > 
> > > 
> > 
>

Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

2017-04-07 Thread Dave Young

On 04/07/17 at 03:45am, Mimi Zohar wrote:
> On Fri, 2017-04-07 at 14:19 +0800, Dave Young wrote:
> > On 04/06/17 at 11:49pm, Mimi Zohar wrote:
> > > On Fri, 2017-04-07 at 11:05 +0800, Dave Young wrote:
> > > > On 04/05/17 at 09:15pm, David Howells wrote:
> > > > > From: Chun-Yi Lee 
> > > > > 
> > > > > When KEXEC_VERIFY_SIG is not enabled, kernel should not loads image
> > > > > through kexec_file systemcall if securelevel has been set.
> > > > > 
> > > > > This code was showed in Matthew's patch but not in git:
> > > > > https://lkml.org/lkml/2015/3/13/778
> 
> I specifically checked to make sure that either kexec_file() signature
> verification was acceptable and would have commented then, if it had
> not been included.
> 
> > > > > Cc: Matthew Garrett 
> > > > > Signed-off-by: Chun-Yi Lee 
> > > > > Signed-off-by: David Howells 
> > > > > cc: ke...@lists.infradead.org
> > > > > ---
> > > > > 
> > > > >  kernel/kexec_file.c |6 ++
> > > > >  1 file changed, 6 insertions(+)
> > > > > 
> > > > > diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
> > > > > index b118735fea9d..f6937eecd1eb 100644
> > > > > --- a/kernel/kexec_file.c
> > > > > +++ b/kernel/kexec_file.c
> > > > > @@ -268,6 +268,12 @@ SYSCALL_DEFINE5(kexec_file_load, int, kernel_fd, 
> > > > > int, initrd_fd,
> > > > >   if (!capable(CAP_SYS_BOOT) || kexec_load_disabled)
> > > > >   return -EPERM;
> > > > >  
> > > > > + /* Don't permit images to be loaded into trusted kernels if 
> > > > > we're not
> > > > > +  * going to verify the signature on them
> > > > > +  */
> > > > > + if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && 
> > > > > kernel_is_locked_down())
> > > > > + return -EPERM;
> > > > > +
> > > > >  
> > > 
> > > IMA can be used to verify file signatures too, based on the LSM hooks
> > > in  kernel_read_file_from_fd().  CONFIG_KEXEC_VERIFY_SIG should not be
> > > required.
> > 
> > Mimi, I remember we talked somthing before about the two signature 
> > verification. One can change IMA policy in initramfs userspace,
> > also there are kernel cmdline param to disable IMA, so it can break the
> > lockdown? Suppose kexec boot with ima disabled cmdline param and then
> > kexec reboot again..
> 
> Right, we discussed that the same method of measuring the kexec image
> and initramfs, for extending trusted boot to the OS, could also be
> used for verifying the kexec image and initramfs signatures, for
> extending secure boot to the OS.  The file hash would be calculated
> once for both.
> 
> All of your concerns could be addressed with very minor changes to
> IMA.  (Continued in response to David.)

Thanks! As long as IMA can ensure not breaking the lockdown it should be
fine to add an check for either !CONFIG_KEXEC_VERIFY_SIG or !IMA
enforced.

> 
> > > 
> > > > /* Make sure we have a legal set of flags */
> > > > >   if (flags != (flags & KEXEC_FILE_FLAGS))
> > > > >   return -EINVAL;
> > > > > 
> > > > > 
> > > > > ___
> > > > > kexec mailing list
> > > > > ke...@lists.infradead.org
> > > > > http://lists.infradead.org/mailman/listinfo/kexec
> > > > 
> > > > Acked-by: Dave Young 
> > > > 
> > > > Thanks
> > > > Dave
> > > > --
> > > > To unsubscribe from this list: send the line "unsubscribe 
> > > > linux-security-module" in
> > > > the body of a message to majord...@vger.kernel.org
> > > > More majordomo info at  http://vger.kernel.org/majordomo-info.html
> > > > 
> > > 
> > 
>

Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

2017-04-07 Thread Mimi Zohar

On Fri, 2017-04-07 at 08:09 +0100, David Howells wrote:
> Mimi Zohar  wrote:
> 
> > > > +   if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && 
> > > > kernel_is_locked_down())
> > > > +   return -EPERM;
> > > > +
> > > >  
> > 
> > IMA can be used to verify file signatures too, based on the LSM hooks
> > in  kernel_read_file_from_fd().  CONFIG_KEXEC_VERIFY_SIG should not be
> > required.
> 
> Okay, fair enough.  I can stick in an OR with an IS_ENABLED on some IMA
> symbol.  CONFIG_IMA_KEXEC maybe?  And also require IMA be enabled?

Not quite, since as Dave pointed out, IMA is policy driven.  As a
policy is installed, we could set a flag.

Mimi

Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

2017-04-07 Thread Mimi Zohar

On Fri, 2017-04-07 at 08:09 +0100, David Howells wrote:
> Mimi Zohar  wrote:
> 
> > > > +   if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && 
> > > > kernel_is_locked_down())
> > > > +   return -EPERM;
> > > > +
> > > >  
> > 
> > IMA can be used to verify file signatures too, based on the LSM hooks
> > in  kernel_read_file_from_fd().  CONFIG_KEXEC_VERIFY_SIG should not be
> > required.
> 
> Okay, fair enough.  I can stick in an OR with an IS_ENABLED on some IMA
> symbol.  CONFIG_IMA_KEXEC maybe?  And also require IMA be enabled?

Not quite, since as Dave pointed out, IMA is policy driven.  As a
policy is installed, we could set a flag.

Mimi

Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

2017-04-07 Thread Mimi Zohar

On Fri, 2017-04-07 at 14:19 +0800, Dave Young wrote:
> On 04/06/17 at 11:49pm, Mimi Zohar wrote:
> > On Fri, 2017-04-07 at 11:05 +0800, Dave Young wrote:
> > > On 04/05/17 at 09:15pm, David Howells wrote:
> > > > From: Chun-Yi Lee 
> > > > 
> > > > When KEXEC_VERIFY_SIG is not enabled, kernel should not loads image
> > > > through kexec_file systemcall if securelevel has been set.
> > > > 
> > > > This code was showed in Matthew's patch but not in git:
> > > > https://lkml.org/lkml/2015/3/13/778

I specifically checked to make sure that either kexec_file() signature
verification was acceptable and would have commented then, if it had
not been included.

> > > > Cc: Matthew Garrett 
> > > > Signed-off-by: Chun-Yi Lee 
> > > > Signed-off-by: David Howells 
> > > > cc: ke...@lists.infradead.org
> > > > ---
> > > > 
> > > >  kernel/kexec_file.c |6 ++
> > > >  1 file changed, 6 insertions(+)
> > > > 
> > > > diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
> > > > index b118735fea9d..f6937eecd1eb 100644
> > > > --- a/kernel/kexec_file.c
> > > > +++ b/kernel/kexec_file.c
> > > > @@ -268,6 +268,12 @@ SYSCALL_DEFINE5(kexec_file_load, int, kernel_fd, 
> > > > int, initrd_fd,
> > > > if (!capable(CAP_SYS_BOOT) || kexec_load_disabled)
> > > > return -EPERM;
> > > >  
> > > > +   /* Don't permit images to be loaded into trusted kernels if 
> > > > we're not
> > > > +* going to verify the signature on them
> > > > +*/
> > > > +   if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && 
> > > > kernel_is_locked_down())
> > > > +   return -EPERM;
> > > > +
> > > >  
> > 
> > IMA can be used to verify file signatures too, based on the LSM hooks
> > in  kernel_read_file_from_fd().  CONFIG_KEXEC_VERIFY_SIG should not be
> > required.
> 
> Mimi, I remember we talked somthing before about the two signature 
> verification. One can change IMA policy in initramfs userspace,
> also there are kernel cmdline param to disable IMA, so it can break the
> lockdown? Suppose kexec boot with ima disabled cmdline param and then
> kexec reboot again..

Right, we discussed that the same method of measuring the kexec image
and initramfs, for extending trusted boot to the OS, could also be
used for verifying the kexec image and initramfs signatures, for
extending secure boot to the OS.  The file hash would be calculated
once for both.

All of your concerns could be addressed with very minor changes to
IMA.  (Continued in response to David.)

> > 
> > >   /* Make sure we have a legal set of flags */
> > > > if (flags != (flags & KEXEC_FILE_FLAGS))
> > > > return -EINVAL;
> > > > 
> > > > 
> > > > ___
> > > > kexec mailing list
> > > > ke...@lists.infradead.org
> > > > http://lists.infradead.org/mailman/listinfo/kexec
> > > 
> > > Acked-by: Dave Young 
> > > 
> > > Thanks
> > > Dave
> > > --
> > > To unsubscribe from this list: send the line "unsubscribe 
> > > linux-security-module" in
> > > the body of a message to majord...@vger.kernel.org
> > > More majordomo info at  http://vger.kernel.org/majordomo-info.html
> > > 
> > 
>

Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

2017-04-07 Thread Mimi Zohar

On Fri, 2017-04-07 at 14:19 +0800, Dave Young wrote:
> On 04/06/17 at 11:49pm, Mimi Zohar wrote:
> > On Fri, 2017-04-07 at 11:05 +0800, Dave Young wrote:
> > > On 04/05/17 at 09:15pm, David Howells wrote:
> > > > From: Chun-Yi Lee 
> > > > 
> > > > When KEXEC_VERIFY_SIG is not enabled, kernel should not loads image
> > > > through kexec_file systemcall if securelevel has been set.
> > > > 
> > > > This code was showed in Matthew's patch but not in git:
> > > > https://lkml.org/lkml/2015/3/13/778

I specifically checked to make sure that either kexec_file() signature
verification was acceptable and would have commented then, if it had
not been included.

> > > > Cc: Matthew Garrett 
> > > > Signed-off-by: Chun-Yi Lee 
> > > > Signed-off-by: David Howells 
> > > > cc: ke...@lists.infradead.org
> > > > ---
> > > > 
> > > >  kernel/kexec_file.c |6 ++
> > > >  1 file changed, 6 insertions(+)
> > > > 
> > > > diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
> > > > index b118735fea9d..f6937eecd1eb 100644
> > > > --- a/kernel/kexec_file.c
> > > > +++ b/kernel/kexec_file.c
> > > > @@ -268,6 +268,12 @@ SYSCALL_DEFINE5(kexec_file_load, int, kernel_fd, 
> > > > int, initrd_fd,
> > > > if (!capable(CAP_SYS_BOOT) || kexec_load_disabled)
> > > > return -EPERM;
> > > >  
> > > > +   /* Don't permit images to be loaded into trusted kernels if 
> > > > we're not
> > > > +* going to verify the signature on them
> > > > +*/
> > > > +   if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && 
> > > > kernel_is_locked_down())
> > > > +   return -EPERM;
> > > > +
> > > >  
> > 
> > IMA can be used to verify file signatures too, based on the LSM hooks
> > in  kernel_read_file_from_fd().  CONFIG_KEXEC_VERIFY_SIG should not be
> > required.
> 
> Mimi, I remember we talked somthing before about the two signature 
> verification. One can change IMA policy in initramfs userspace,
> also there are kernel cmdline param to disable IMA, so it can break the
> lockdown? Suppose kexec boot with ima disabled cmdline param and then
> kexec reboot again..

Right, we discussed that the same method of measuring the kexec image
and initramfs, for extending trusted boot to the OS, could also be
used for verifying the kexec image and initramfs signatures, for
extending secure boot to the OS.  The file hash would be calculated
once for both.

All of your concerns could be addressed with very minor changes to
IMA.  (Continued in response to David.)

> > 
> > >   /* Make sure we have a legal set of flags */
> > > > if (flags != (flags & KEXEC_FILE_FLAGS))
> > > > return -EINVAL;
> > > > 
> > > > 
> > > > ___
> > > > kexec mailing list
> > > > ke...@lists.infradead.org
> > > > http://lists.infradead.org/mailman/listinfo/kexec
> > > 
> > > Acked-by: Dave Young 
> > > 
> > > Thanks
> > > Dave
> > > --
> > > To unsubscribe from this list: send the line "unsubscribe 
> > > linux-security-module" in
> > > the body of a message to majord...@vger.kernel.org
> > > More majordomo info at  http://vger.kernel.org/majordomo-info.html
> > > 
> > 
>

Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

2017-04-07 Thread Dave Young

On 04/07/17 at 08:07am, David Howells wrote:
> Dave Young  wrote:
> 
> > > > > + /* Don't permit images to be loaded into trusted kernels if 
> > > > > we're not
> > > > > +  * going to verify the signature on them
> > > > > +  */
> > > > > + if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && 
> > > > > kernel_is_locked_down())
> > > > > + return -EPERM;
> > > > > +
> > > > >  
> > > 
> > > IMA can be used to verify file signatures too, based on the LSM hooks
> > > in  kernel_read_file_from_fd().  CONFIG_KEXEC_VERIFY_SIG should not be
> > > required.
> > 
> > Mimi, I remember we talked somthing before about the two signature 
> > verification. One can change IMA policy in initramfs userspace,
> > also there are kernel cmdline param to disable IMA, so it can break the
> > lockdown? Suppose kexec boot with ima disabled cmdline param and then
> > kexec reboot again..
> 
> I guess I should lock down the parameter to disable IMA too.

That is one thing, user can change IMA policy in initramfs userspace,
I'm not sure if IMA enforce the signed policy now, if no it will be also
a problem.

Thanks
Dave

Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

2017-04-07 Thread Dave Young

On 04/07/17 at 08:07am, David Howells wrote:
> Dave Young  wrote:
> 
> > > > > + /* Don't permit images to be loaded into trusted kernels if 
> > > > > we're not
> > > > > +  * going to verify the signature on them
> > > > > +  */
> > > > > + if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && 
> > > > > kernel_is_locked_down())
> > > > > + return -EPERM;
> > > > > +
> > > > >  
> > > 
> > > IMA can be used to verify file signatures too, based on the LSM hooks
> > > in  kernel_read_file_from_fd().  CONFIG_KEXEC_VERIFY_SIG should not be
> > > required.
> > 
> > Mimi, I remember we talked somthing before about the two signature 
> > verification. One can change IMA policy in initramfs userspace,
> > also there are kernel cmdline param to disable IMA, so it can break the
> > lockdown? Suppose kexec boot with ima disabled cmdline param and then
> > kexec reboot again..
> 
> I guess I should lock down the parameter to disable IMA too.

That is one thing, user can change IMA policy in initramfs userspace,
I'm not sure if IMA enforce the signed policy now, if no it will be also
a problem.

Thanks
Dave

Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

2017-04-07 Thread David Howells

Mimi Zohar  wrote:

> > > + if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && kernel_is_locked_down())
> > > + return -EPERM;
> > > +
> > >  
> 
> IMA can be used to verify file signatures too, based on the LSM hooks
> in  kernel_read_file_from_fd().  CONFIG_KEXEC_VERIFY_SIG should not be
> required.

Okay, fair enough.  I can stick in an OR with an IS_ENABLED on some IMA
symbol.  CONFIG_IMA_KEXEC maybe?  And also require IMA be enabled?

David

Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

2017-04-07 Thread David Howells

Mimi Zohar  wrote:

> > > + if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && kernel_is_locked_down())
> > > + return -EPERM;
> > > +
> > >  
> 
> IMA can be used to verify file signatures too, based on the LSM hooks
> in  kernel_read_file_from_fd().  CONFIG_KEXEC_VERIFY_SIG should not be
> required.

Okay, fair enough.  I can stick in an OR with an IS_ENABLED on some IMA
symbol.  CONFIG_IMA_KEXEC maybe?  And also require IMA be enabled?

David

Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

2017-04-07 Thread David Howells

Dave Young  wrote:

> > > > +   /* Don't permit images to be loaded into trusted kernels if 
> > > > we're not
> > > > +* going to verify the signature on them
> > > > +*/
> > > > +   if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && 
> > > > kernel_is_locked_down())
> > > > +   return -EPERM;
> > > > +
> > > >  
> > 
> > IMA can be used to verify file signatures too, based on the LSM hooks
> > in  kernel_read_file_from_fd().  CONFIG_KEXEC_VERIFY_SIG should not be
> > required.
> 
> Mimi, I remember we talked somthing before about the two signature 
> verification. One can change IMA policy in initramfs userspace,
> also there are kernel cmdline param to disable IMA, so it can break the
> lockdown? Suppose kexec boot with ima disabled cmdline param and then
> kexec reboot again..

I guess I should lock down the parameter to disable IMA too.

David

Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

2017-04-07 Thread David Howells

Dave Young  wrote:

> > > > +   /* Don't permit images to be loaded into trusted kernels if 
> > > > we're not
> > > > +* going to verify the signature on them
> > > > +*/
> > > > +   if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && 
> > > > kernel_is_locked_down())
> > > > +   return -EPERM;
> > > > +
> > > >  
> > 
> > IMA can be used to verify file signatures too, based on the LSM hooks
> > in  kernel_read_file_from_fd().  CONFIG_KEXEC_VERIFY_SIG should not be
> > required.
> 
> Mimi, I remember we talked somthing before about the two signature 
> verification. One can change IMA policy in initramfs userspace,
> also there are kernel cmdline param to disable IMA, so it can break the
> lockdown? Suppose kexec boot with ima disabled cmdline param and then
> kexec reboot again..

I guess I should lock down the parameter to disable IMA too.

David

Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

2017-04-07 Thread Dave Young

On 04/06/17 at 11:49pm, Mimi Zohar wrote:
> On Fri, 2017-04-07 at 11:05 +0800, Dave Young wrote:
> > On 04/05/17 at 09:15pm, David Howells wrote:
> > > From: Chun-Yi Lee 
> > > 
> > > When KEXEC_VERIFY_SIG is not enabled, kernel should not loads image
> > > through kexec_file systemcall if securelevel has been set.
> > > 
> > > This code was showed in Matthew's patch but not in git:
> > > https://lkml.org/lkml/2015/3/13/778
> > > 
> > > Cc: Matthew Garrett 
> > > Signed-off-by: Chun-Yi Lee 
> > > Signed-off-by: David Howells 
> > > cc: ke...@lists.infradead.org
> > > ---
> > > 
> > >  kernel/kexec_file.c |6 ++
> > >  1 file changed, 6 insertions(+)
> > > 
> > > diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
> > > index b118735fea9d..f6937eecd1eb 100644
> > > --- a/kernel/kexec_file.c
> > > +++ b/kernel/kexec_file.c
> > > @@ -268,6 +268,12 @@ SYSCALL_DEFINE5(kexec_file_load, int, kernel_fd, 
> > > int, initrd_fd,
> > >   if (!capable(CAP_SYS_BOOT) || kexec_load_disabled)
> > >   return -EPERM;
> > >  
> > > + /* Don't permit images to be loaded into trusted kernels if we're not
> > > +  * going to verify the signature on them
> > > +  */
> > > + if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && kernel_is_locked_down())
> > > + return -EPERM;
> > > +
> > >  
> 
> IMA can be used to verify file signatures too, based on the LSM hooks
> in  kernel_read_file_from_fd().  CONFIG_KEXEC_VERIFY_SIG should not be
> required.

Mimi, I remember we talked somthing before about the two signature 
verification. One can change IMA policy in initramfs userspace,
also there are kernel cmdline param to disable IMA, so it can break the
lockdown? Suppose kexec boot with ima disabled cmdline param and then
kexec reboot again..

> 
> Mimi
> 
> 
> > /* Make sure we have a legal set of flags */
> > >   if (flags != (flags & KEXEC_FILE_FLAGS))
> > >   return -EINVAL;
> > > 
> > > 
> > > ___
> > > kexec mailing list
> > > ke...@lists.infradead.org
> > > http://lists.infradead.org/mailman/listinfo/kexec
> > 
> > Acked-by: Dave Young 
> > 
> > Thanks
> > Dave
> > --
> > To unsubscribe from this list: send the line "unsubscribe 
> > linux-security-module" in
> > the body of a message to majord...@vger.kernel.org
> > More majordomo info at  http://vger.kernel.org/majordomo-info.html
> > 
>

Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

2017-04-07 Thread Dave Young

On 04/06/17 at 11:49pm, Mimi Zohar wrote:
> On Fri, 2017-04-07 at 11:05 +0800, Dave Young wrote:
> > On 04/05/17 at 09:15pm, David Howells wrote:
> > > From: Chun-Yi Lee 
> > > 
> > > When KEXEC_VERIFY_SIG is not enabled, kernel should not loads image
> > > through kexec_file systemcall if securelevel has been set.
> > > 
> > > This code was showed in Matthew's patch but not in git:
> > > https://lkml.org/lkml/2015/3/13/778
> > > 
> > > Cc: Matthew Garrett 
> > > Signed-off-by: Chun-Yi Lee 
> > > Signed-off-by: David Howells 
> > > cc: ke...@lists.infradead.org
> > > ---
> > > 
> > >  kernel/kexec_file.c |6 ++
> > >  1 file changed, 6 insertions(+)
> > > 
> > > diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
> > > index b118735fea9d..f6937eecd1eb 100644
> > > --- a/kernel/kexec_file.c
> > > +++ b/kernel/kexec_file.c
> > > @@ -268,6 +268,12 @@ SYSCALL_DEFINE5(kexec_file_load, int, kernel_fd, 
> > > int, initrd_fd,
> > >   if (!capable(CAP_SYS_BOOT) || kexec_load_disabled)
> > >   return -EPERM;
> > >  
> > > + /* Don't permit images to be loaded into trusted kernels if we're not
> > > +  * going to verify the signature on them
> > > +  */
> > > + if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && kernel_is_locked_down())
> > > + return -EPERM;
> > > +
> > >  
> 
> IMA can be used to verify file signatures too, based on the LSM hooks
> in  kernel_read_file_from_fd().  CONFIG_KEXEC_VERIFY_SIG should not be
> required.

Mimi, I remember we talked somthing before about the two signature 
verification. One can change IMA policy in initramfs userspace,
also there are kernel cmdline param to disable IMA, so it can break the
lockdown? Suppose kexec boot with ima disabled cmdline param and then
kexec reboot again..

> 
> Mimi
> 
> 
> > /* Make sure we have a legal set of flags */
> > >   if (flags != (flags & KEXEC_FILE_FLAGS))
> > >   return -EINVAL;
> > > 
> > > 
> > > ___
> > > kexec mailing list
> > > ke...@lists.infradead.org
> > > http://lists.infradead.org/mailman/listinfo/kexec
> > 
> > Acked-by: Dave Young 
> > 
> > Thanks
> > Dave
> > --
> > To unsubscribe from this list: send the line "unsubscribe 
> > linux-security-module" in
> > the body of a message to majord...@vger.kernel.org
> > More majordomo info at  http://vger.kernel.org/majordomo-info.html
> > 
>

Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

2017-04-06 Thread Mimi Zohar

On Fri, 2017-04-07 at 11:05 +0800, Dave Young wrote:
> On 04/05/17 at 09:15pm, David Howells wrote:
> > From: Chun-Yi Lee 
> > 
> > When KEXEC_VERIFY_SIG is not enabled, kernel should not loads image
> > through kexec_file systemcall if securelevel has been set.
> > 
> > This code was showed in Matthew's patch but not in git:
> > https://lkml.org/lkml/2015/3/13/778
> > 
> > Cc: Matthew Garrett 
> > Signed-off-by: Chun-Yi Lee 
> > Signed-off-by: David Howells 
> > cc: ke...@lists.infradead.org
> > ---
> > 
> >  kernel/kexec_file.c |6 ++
> >  1 file changed, 6 insertions(+)
> > 
> > diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
> > index b118735fea9d..f6937eecd1eb 100644
> > --- a/kernel/kexec_file.c
> > +++ b/kernel/kexec_file.c
> > @@ -268,6 +268,12 @@ SYSCALL_DEFINE5(kexec_file_load, int, kernel_fd, int, 
> > initrd_fd,
> > if (!capable(CAP_SYS_BOOT) || kexec_load_disabled)
> > return -EPERM;
> >  
> > +   /* Don't permit images to be loaded into trusted kernels if we're not
> > +* going to verify the signature on them
> > +*/
> > +   if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && kernel_is_locked_down())
> > +   return -EPERM;
> > +
> >  

IMA can be used to verify file signatures too, based on the LSM hooks
in  kernel_read_file_from_fd().  CONFIG_KEXEC_VERIFY_SIG should not be
required.

Mimi


>   /* Make sure we have a legal set of flags */
> > if (flags != (flags & KEXEC_FILE_FLAGS))
> > return -EINVAL;
> > 
> > 
> > ___
> > kexec mailing list
> > ke...@lists.infradead.org
> > http://lists.infradead.org/mailman/listinfo/kexec
> 
> Acked-by: Dave Young 
> 
> Thanks
> Dave
> --
> To unsubscribe from this list: send the line "unsubscribe 
> linux-security-module" in
> the body of a message to majord...@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>

Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

2017-04-06 Thread Mimi Zohar

On Fri, 2017-04-07 at 11:05 +0800, Dave Young wrote:
> On 04/05/17 at 09:15pm, David Howells wrote:
> > From: Chun-Yi Lee 
> > 
> > When KEXEC_VERIFY_SIG is not enabled, kernel should not loads image
> > through kexec_file systemcall if securelevel has been set.
> > 
> > This code was showed in Matthew's patch but not in git:
> > https://lkml.org/lkml/2015/3/13/778
> > 
> > Cc: Matthew Garrett 
> > Signed-off-by: Chun-Yi Lee 
> > Signed-off-by: David Howells 
> > cc: ke...@lists.infradead.org
> > ---
> > 
> >  kernel/kexec_file.c |6 ++
> >  1 file changed, 6 insertions(+)
> > 
> > diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
> > index b118735fea9d..f6937eecd1eb 100644
> > --- a/kernel/kexec_file.c
> > +++ b/kernel/kexec_file.c
> > @@ -268,6 +268,12 @@ SYSCALL_DEFINE5(kexec_file_load, int, kernel_fd, int, 
> > initrd_fd,
> > if (!capable(CAP_SYS_BOOT) || kexec_load_disabled)
> > return -EPERM;
> >  
> > +   /* Don't permit images to be loaded into trusted kernels if we're not
> > +* going to verify the signature on them
> > +*/
> > +   if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && kernel_is_locked_down())
> > +   return -EPERM;
> > +
> >  

IMA can be used to verify file signatures too, based on the LSM hooks
in  kernel_read_file_from_fd().  CONFIG_KEXEC_VERIFY_SIG should not be
required.

Mimi


>   /* Make sure we have a legal set of flags */
> > if (flags != (flags & KEXEC_FILE_FLAGS))
> > return -EINVAL;
> > 
> > 
> > ___
> > kexec mailing list
> > ke...@lists.infradead.org
> > http://lists.infradead.org/mailman/listinfo/kexec
> 
> Acked-by: Dave Young 
> 
> Thanks
> Dave
> --
> To unsubscribe from this list: send the line "unsubscribe 
> linux-security-module" in
> the body of a message to majord...@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>

Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

2017-04-06 Thread Dave Young

On 04/05/17 at 09:15pm, David Howells wrote:
> From: Chun-Yi Lee 
> 
> When KEXEC_VERIFY_SIG is not enabled, kernel should not loads image
> through kexec_file systemcall if securelevel has been set.
> 
> This code was showed in Matthew's patch but not in git:
> https://lkml.org/lkml/2015/3/13/778
> 
> Cc: Matthew Garrett 
> Signed-off-by: Chun-Yi Lee 
> Signed-off-by: David Howells 
> cc: ke...@lists.infradead.org
> ---
> 
>  kernel/kexec_file.c |6 ++
>  1 file changed, 6 insertions(+)
> 
> diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
> index b118735fea9d..f6937eecd1eb 100644
> --- a/kernel/kexec_file.c
> +++ b/kernel/kexec_file.c
> @@ -268,6 +268,12 @@ SYSCALL_DEFINE5(kexec_file_load, int, kernel_fd, int, 
> initrd_fd,
>   if (!capable(CAP_SYS_BOOT) || kexec_load_disabled)
>   return -EPERM;
>  
> + /* Don't permit images to be loaded into trusted kernels if we're not
> +  * going to verify the signature on them
> +  */
> + if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && kernel_is_locked_down())
> + return -EPERM;
> +
>   /* Make sure we have a legal set of flags */
>   if (flags != (flags & KEXEC_FILE_FLAGS))
>   return -EINVAL;
> 
> 
> ___
> kexec mailing list
> ke...@lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/kexec

Acked-by: Dave Young 

Thanks
Dave

Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

2017-04-06 Thread Dave Young

On 04/05/17 at 09:15pm, David Howells wrote:
> From: Chun-Yi Lee 
> 
> When KEXEC_VERIFY_SIG is not enabled, kernel should not loads image
> through kexec_file systemcall if securelevel has been set.
> 
> This code was showed in Matthew's patch but not in git:
> https://lkml.org/lkml/2015/3/13/778
> 
> Cc: Matthew Garrett 
> Signed-off-by: Chun-Yi Lee 
> Signed-off-by: David Howells 
> cc: ke...@lists.infradead.org
> ---
> 
>  kernel/kexec_file.c |6 ++
>  1 file changed, 6 insertions(+)
> 
> diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
> index b118735fea9d..f6937eecd1eb 100644
> --- a/kernel/kexec_file.c
> +++ b/kernel/kexec_file.c
> @@ -268,6 +268,12 @@ SYSCALL_DEFINE5(kexec_file_load, int, kernel_fd, int, 
> initrd_fd,
>   if (!capable(CAP_SYS_BOOT) || kexec_load_disabled)
>   return -EPERM;
>  
> + /* Don't permit images to be loaded into trusted kernels if we're not
> +  * going to verify the signature on them
> +  */
> + if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && kernel_is_locked_down())
> + return -EPERM;
> +
>   /* Make sure we have a legal set of flags */
>   if (flags != (flags & KEXEC_FILE_FLAGS))
>   return -EINVAL;
> 
> 
> ___
> kexec mailing list
> ke...@lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/kexec

Acked-by: Dave Young 

Thanks
Dave

[PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

2017-04-05 Thread David Howells

From: Chun-Yi Lee 

When KEXEC_VERIFY_SIG is not enabled, kernel should not loads image
through kexec_file systemcall if securelevel has been set.

This code was showed in Matthew's patch but not in git:
https://lkml.org/lkml/2015/3/13/778

Cc: Matthew Garrett 
Signed-off-by: Chun-Yi Lee 
Signed-off-by: David Howells 
cc: ke...@lists.infradead.org
---

 kernel/kexec_file.c |6 ++
 1 file changed, 6 insertions(+)

diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
index b118735fea9d..f6937eecd1eb 100644
--- a/kernel/kexec_file.c
+++ b/kernel/kexec_file.c
@@ -268,6 +268,12 @@ SYSCALL_DEFINE5(kexec_file_load, int, kernel_fd, int, 
initrd_fd,
if (!capable(CAP_SYS_BOOT) || kexec_load_disabled)
return -EPERM;
 
+   /* Don't permit images to be loaded into trusted kernels if we're not
+* going to verify the signature on them
+*/
+   if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && kernel_is_locked_down())
+   return -EPERM;
+
/* Make sure we have a legal set of flags */
if (flags != (flags & KEXEC_FILE_FLAGS))
return -EINVAL;

[PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

2017-04-05 Thread David Howells

From: Chun-Yi Lee 

When KEXEC_VERIFY_SIG is not enabled, kernel should not loads image
through kexec_file systemcall if securelevel has been set.

This code was showed in Matthew's patch but not in git:
https://lkml.org/lkml/2015/3/13/778

Cc: Matthew Garrett 
Signed-off-by: Chun-Yi Lee 
Signed-off-by: David Howells 
cc: ke...@lists.infradead.org
---

 kernel/kexec_file.c |6 ++
 1 file changed, 6 insertions(+)

diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
index b118735fea9d..f6937eecd1eb 100644
--- a/kernel/kexec_file.c
+++ b/kernel/kexec_file.c
@@ -268,6 +268,12 @@ SYSCALL_DEFINE5(kexec_file_load, int, kernel_fd, int, 
initrd_fd,
if (!capable(CAP_SYS_BOOT) || kexec_load_disabled)
return -EPERM;
 
+   /* Don't permit images to be loaded into trusted kernels if we're not
+* going to verify the signature on them
+*/
+   if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && kernel_is_locked_down())
+   return -EPERM;
+
/* Make sure we have a legal set of flags */
if (flags != (flags & KEXEC_FILE_FLAGS))
return -EINVAL;

[PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

2017-04-05 Thread David Howells

From: Chun-Yi Lee 

When KEXEC_VERIFY_SIG is not enabled, kernel should not loads image
through kexec_file systemcall if securelevel has been set.

This code was showed in Matthew's patch but not in git:
https://lkml.org/lkml/2015/3/13/778

Cc: Matthew Garrett 
Signed-off-by: Chun-Yi Lee 
Signed-off-by: David Howells 
---

 kernel/kexec_file.c |6 ++
 1 file changed, 6 insertions(+)

diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
index b118735fea9d..f6937eecd1eb 100644
--- a/kernel/kexec_file.c
+++ b/kernel/kexec_file.c
@@ -268,6 +268,12 @@ SYSCALL_DEFINE5(kexec_file_load, int, kernel_fd, int, 
initrd_fd,
if (!capable(CAP_SYS_BOOT) || kexec_load_disabled)
return -EPERM;
 
+   /* Don't permit images to be loaded into trusted kernels if we're not
+* going to verify the signature on them
+*/
+   if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && kernel_is_locked_down())
+   return -EPERM;
+
/* Make sure we have a legal set of flags */
if (flags != (flags & KEXEC_FILE_FLAGS))
return -EINVAL;

[PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

2017-04-05 Thread David Howells

From: Chun-Yi Lee 

When KEXEC_VERIFY_SIG is not enabled, kernel should not loads image
through kexec_file systemcall if securelevel has been set.

This code was showed in Matthew's patch but not in git:
https://lkml.org/lkml/2015/3/13/778

Cc: Matthew Garrett 
Signed-off-by: Chun-Yi Lee 
Signed-off-by: David Howells 
---

 kernel/kexec_file.c |6 ++
 1 file changed, 6 insertions(+)

diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
index b118735fea9d..f6937eecd1eb 100644
--- a/kernel/kexec_file.c
+++ b/kernel/kexec_file.c
@@ -268,6 +268,12 @@ SYSCALL_DEFINE5(kexec_file_load, int, kernel_fd, int, 
initrd_fd,
if (!capable(CAP_SYS_BOOT) || kexec_load_disabled)
return -EPERM;
 
+   /* Don't permit images to be loaded into trusted kernels if we're not
+* going to verify the signature on them
+*/
+   if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && kernel_is_locked_down())
+   return -EPERM;
+
/* Make sure we have a legal set of flags */
if (flags != (flags & KEXEC_FILE_FLAGS))
return -EINVAL;

Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

[PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

[PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

[PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

[PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

34 matches

Site Navigation

Mail list logo

Footer information