Re: Linux Firmware Signing

From: Mimi Zohar
Date: Wed Sep 02 2015 - 23:01:44 EST

On Thu, 2015-09-03 at 02:29 +0200, Luis R. Rodriguez wrote:
> On Wed, Sep 02, 2015 at 08:05:36PM -0400, Mimi Zohar wrote:
> > On Wed, 2015-09-02 at 20:46 +0200, Luis R. Rodriguez wrote:
> > > On Tue, Sep 01, 2015 at 11:35:05PM -0400, Mimi Zohar wrote:

> > > We want something that is not only useful for IMA but any other LSM,
> > > and FILE_CHECK seems very broad, not sure what BPRM_CHECK is even upon
> > > inspecting kernel code. Likewise for POST_SETATTR. POLICY_CHECK might
> > > be broad, perhaps it's best we define then a generic set of enums to
> > > which IMA can map them to then and let it decide. This would ensure
> > > that the kernel defines each use case for file inspection carefully,
> > > documents and defines them and if an LSM wants to bunch a set together
> > > it can do so easily with a switch statement to map set of generic
> > > file checks in kernel to a group it already handles.
> >
> > The names are based on the calling security hook. For a description of
> > each of these security hooks refer to include/linux/lsm_hooks.h.
> I see, thanks, ok so BPRM_CHECK = for binary loading, are you folks
> really wanting to unify LSM hooks for firmware, modules, and binary
> data ?

You're asking me?! From my point of view it is already unified.
The same mechanism used for appraising files in general could be used
for appraising those mentioned. :)

The main issue is having the file data and metadata (eg. signatures)
distributed together. Thanks to Fionnula and Florian, support for
including file signatures in rpm packages was released today -

> POST_SETATTR seems to be for inode_post_setxattr, so that as well?

No. The IMA policy rules can be defined in terms of file metadata (eg.
uid). Changing the file metadata might result in files that previously
weren't appraised now needing to be appraised. The EVM security xattr is
an hmac of the file metadata. So that needs to be updated to reflect
the change.

> POLICY_CHECK seems broad, not sure what to relate that to exactly.
> Is this just SELinux policy files? Or is this something more broad?

This hook is currently limited to verifying the IMA policy signature,
but could be the basis for a more generalized hook.
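
Added example, not part of the original message or of the kernel sources: a simplified Python model of the POST_SETATTR point above, where a metadata change moves a file into the scope of a uid-based policy rule and invalidates the stored metadata HMAC. The `Meta` fields, the single uid rule, the key and the HMAC-SHA256 field encoding are all assumptions for illustration and do not reproduce the kernel's EVM format.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace

KEY = b"constructed-demo-key"  # constructed; stands in for the EVM key


@dataclass(frozen=True)
class Meta:
    """Constructed stand-in for the file metadata a policy rule can match on."""
    ino: int
    uid: int
    gid: int
    mode: int


SAMPLE = Meta(ino=1234, uid=1000, gid=1000, mode=0o100644)  # constructed sample


def evm_hmac(key: bytes, m: Meta) -> bytes:
    """HMAC over the metadata fields (simplified encoding, not the real layout)."""
    msg = b"|".join(str(v).encode() for v in (m.ino, m.uid, m.gid, m.mode))
    return hmac.new(key, msg, hashlib.sha256).digest()


def verify(key: bytes, m: Meta, stored: bytes) -> bool:
    """Constant-time check of the stored HMAC against the current metadata."""
    return hmac.compare_digest(evm_hmac(key, m), stored)


def needs_appraisal(m: Meta, rule_uid: int) -> bool:
    """Toy policy with one rule: appraise files owned by rule_uid."""
    return m.uid == rule_uid


def post_setattr(key: bytes, m: Meta, new_uid: int):
    """Model of the post-setattr step: apply the change, then refresh the HMAC."""
    changed = replace(m, uid=new_uid)
    return changed, evm_hmac(key, changed)


def demo():
    stored = evm_hmac(KEY, SAMPLE)
    before = needs_appraisal(SAMPLE, rule_uid=0)       # uid 1000: rule does not match
    changed, refreshed = post_setattr(KEY, SAMPLE, 0)  # chown to uid 0
    after = needs_appraisal(changed, rule_uid=0)       # rule now matches
    stale_ok = verify(KEY, changed, stored)            # old HMAC no longer verifies
    fresh_ok = verify(KEY, changed, refreshed)         # refreshed HMAC verifies
    return before, after, stale_ok, fresh_ok


if __name__ == "__main__":
    print(demo())
```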

