Re: [PATHC v2 0/9] ima: carry the measurement list across kexec
From: Eric W. Biederman
Date: Fri Sep 16 2016 - 17:18:01 EST
ebiederm@xxxxxxxxxxxx (Eric W. Biederman) writes:
> Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> writes:
>
>> Hi Andrew,
>>
>> On Wed, 2016-08-31 at 18:38 -0400, Mimi Zohar wrote:
>>> On Wed, 2016-08-31 at 13:50 -0700, Andrew Morton wrote:
>>> > On Tue, 30 Aug 2016 18:40:02 -0400 Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> wrote:
>>> >
>>> > > The TPM PCRs are only reset on a hard reboot. In order to validate a
>>> > > TPM's quote after a soft reboot (eg. kexec -e), the IMA measurement list
>>> > > of the running kernel must be saved and then restored on the subsequent
>>> > > boot, possibly of a different architecture.
>>> > >
>>> > > The existing securityfs binary_runtime_measurements file conveniently
>>> > > provides a serialized format of the IMA measurement list. This patch
>>> > > set serializes the measurement list in this format and restores it.
>>> > >
>>> > > Up to now, the binary_runtime_measurements was defined as architecture
>>> > > native format. The assumption being that userspace could and would
>>> > > handle any architecture conversions. With the ability of carrying the
>>> > > measurement list across kexec, possibly from one architecture to a
>>> > > different one, the per boot architecture information is lost and with it
>>> > > the ability of recalculating the template digest hash. To resolve this
>>> > > problem, without breaking the existing ABI, this patch set introduces
>>> > > the boot command line option "ima_canonical_fmt", which is arbitrarily
>>> > > defined as little endian.
>>> > >
>>> > > The need for this boot command line option will be limited to the
>>> > > existing version 1 format of the binary_runtime_measurements.
>>> > > Subsequent formats will be defined as canonical format (eg. TPM 2.0
>>> > > support for larger digests).
>>> > >
>>> > > This patch set pre-req's Thiago Bauermann's "kexec_file: Add buffer
>>> > > hand-over for the next kernel" patch set.
>>> > >
>>> > > These patches can also be found in the next-kexec-restore branch of:
>>> > > git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git
>>> >
>>> > I'll merge these into -mm to get some linux-next exposure. I don't
>>> > know what your upstream merge plans will be?
>>>
>>> Sounds good. I'm hoping to get some review/comments on this patch set
>>> as well. At the moment, I'm chasing down a kernel test robot report
>>> from this afternoon.
>>
>> My concern about changing the canonical format as originally defined in
>> patch 9/9 from big endian to little endian never materialized. Andreas
>> Steffan, the patch author, is happy either way.
>>
>> We proposed two methods of addressing Eric Biederman's concerns of not
>> including the IMA measurement list segment in the kexec hash as
>> described in https://lkml.org/lkml/2016/9/9/355.
>>
>> - defer calculating and verifying the serialized IMA measurement list
>> buffer hash to IMA
>> - calculate the kexec hash on load, verify it on the kexec execute,
>> before re-calculating and updating it.
>
> I need to ask: How this is anticipated to interact with kexec on panic?
> Because honestly I can't see this ever working in that case. The
> assumption is that the original kernel has gone crazy. So from a
> practical standpoint any trusted path should have been invalided.
>
> This entire idea of updating the kexec image makes me extremely
> extremely nervious. It feels like sticking a screw driver through the
> spokes of your bicicle tires while ridding down the road.
>
> I can see tracking to see if the list has changed at some
> point and causing a reboot(LINUX_REBOOT_CMD_KEXEC) to fail.
>
> At least the common bootloader cases that I know of using kexec are very
> minimal distributions that live in a ramdisk and as such it should be
> very straight forward to measure what is needed at or before
> sys_kexec_load. But that was completely dismissed as unrealistic so I
> don't have a clue what actual problem you are trying to solve.
>
> If there is anyway we can start small and not with this big scary
> infrastructure change I would very much prefer it.
I have thought about this a little more and the entire reason for
updating things on the fly really really disturbs me. To prove you are
trusted the new kernel is going to have to present that whole trusted
list of files to someone. Which means in my naive understanding of the
situation that any change in that list of files is going to have to be
tracked and audited.
So the idea that we have to be super flexible in the kernel (when we are
inflexible in userspace) does not make a bit of sense to me.
So no. I am not in favor of adding a mechanism to kexec that gives me
the screaming heebie jeebies and that appears to be complete at odds
with what that mechanism is trying to do.
AKA if you are going to trust any old thing, or any old change on the
reboot path than it doesn't make sense to track them. If you are
tracking them it doesn't make sense to have a mechanism where anything
goes.
Eric