Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set

From: Mimi Zohar
Date: Mon Oct 30 2017 - 12:44:14 EST


On Mon, 2017-10-30 at 15:49 +0000, David Howells wrote:
> Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> wrote:
>
> > Huh?! With the "secure_boot" policy enabled on the boot command line,
> > IMA-appraisal would verify the kexec kernel image, firmware, kernel
> > modules, and custom IMA policy signatures.
>
> What happens if the "secure_boot" policy isn't enabled on the boot command
> line? Can you sum up both cases in a paragraph I can add to the patch
> description?

The other patch automatically enables "secure_boot" for lockdown mode.
So there is no need to specify "secure_boot" on the boot command line.
Reordering the patches so that the other patch comes before any call
to is_ima_appraise_enabled() will simplify this patch description.

> > Other patches in this patch series need to be updated as well to check
> > if IMA-appraisal is enabled.
>
> Which exactly? I've added your "!is_ima_appraise_enabled() &&" line to
> kexec_file() and module_sig_check(). Anything else?

load_module(), which calls module_sig_check(), is called by both the
old and new kernel module syscalls. IMA is only on the new syscall.
Did you differentiate between the kernel module syscalls?

There doesn't seem to be any other patches affected. That said, the
IMA "secure_boot" policy is more stringent than what you have without
it. For example, with the "secure_boot" policy enabled, firmware
needs to be signed as well. At some point, we'll want to also require
the initramfs be signed as well.

Both methods work independently of each other, but there needs to be
better coordination for when both methods are enabled at the same time
(e.g. are both signatures required?).

For testing purposes, you can use the same certs/signing_key to sign
the kexec image, kernel modules and firmware, by loading the
signing_key on the .ima keyring. Using evmctl, sign the files
(e.g. evmctl ima_sign -a sha256 -k certs/signing_key.pem --imasig
/boot/<vmlinuz>).

Mimi
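The message above describes signing the kexec image, modules and firmware with evmctl so that IMA-appraisal under the "secure_boot" policy (which requires a signature, not just a hash) accepts them. The following is an added example, not code from this thread, the kernel, or ima-evm-utils: a small auditor that decodes the security.ima extended attribute that `evmctl ima_sign` / `evmctl ima_hash` write and reports whether a file carries an asymmetric signature, a plain hash, or nothing, which is the distinction a signature-required appraisal rule makes. The xattr type values and the signature_v2_hdr layout are taken from the kernel's integrity headers; the sample xattr values at the bottom are constructed for offline testing, and the `audit_file()` helper that reads a real file's xattr is this example's own name.

```python
import os
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# Type byte values from the kernel's enum evm_ima_xattr_type
# (security/integrity/integrity.h).
IMA_XATTR_DIGEST = 1       # legacy hash, implicitly sha1, no algorithm byte
EVM_XATTR_HMAC = 2         # EVM HMAC (security.evm), not an IMA value
EVM_IMA_XATTR_DIGSIG = 3   # asymmetric signature: what "evmctl ima_sign" writes
IMA_XATTR_DIGEST_NG = 4    # hash with explicit algorithm byte: "evmctl ima_hash"

# Subset of enum hash_algo from include/uapi/linux/hash_info.h.
HASH_ALGOS = {1: "md5", 2: "sha1", 4: "sha256", 5: "sha384", 6: "sha512"}


@dataclass
class ImaXattr:
    kind: str             # "digsig", "digest", "digest_ng", "hmac" or "unknown"
    algo: Optional[str]   # hash algorithm name when one is encoded
    keyid: Optional[str]  # hex key id for signatures (matches "keyctl" output)
    payload: bytes        # raw hash or signature bytes


def parse_security_ima(raw: bytes) -> ImaXattr:
    """Decode a security.ima xattr value into its type, hash algorithm and payload."""
    if not raw:
        raise ValueError("empty security.ima value")
    xtype = raw[0]
    if xtype == EVM_IMA_XATTR_DIGSIG:
        # struct signature_v2_hdr: u8 type, u8 version, u8 hash_algo,
        # __be32 keyid, __be16 sig_size, u8 sig[sig_size]
        if len(raw) < 9:
            raise ValueError("truncated signature header")
        version, hash_algo, keyid, sig_size = struct.unpack(">BBIH", raw[1:9])
        if version != 2:
            raise ValueError(f"unsupported signature header version {version}")
        sig = raw[9:9 + sig_size]
        if len(sig) != sig_size:
            raise ValueError("truncated signature body")
        return ImaXattr("digsig", HASH_ALGOS.get(hash_algo, f"algo{hash_algo}"),
                        f"{keyid:08x}", sig)
    if xtype == IMA_XATTR_DIGEST_NG:
        if len(raw) < 2:
            raise ValueError("truncated digest_ng value")
        return ImaXattr("digest_ng", HASH_ALGOS.get(raw[1], f"algo{raw[1]}"),
                        None, raw[2:])
    if xtype == IMA_XATTR_DIGEST:
        return ImaXattr("digest", "sha1", None, raw[1:])
    if xtype == EVM_XATTR_HMAC:
        return ImaXattr("hmac", None, None, raw[1:])
    return ImaXattr("unknown", None, None, raw[1:])


def appraise_would_accept(x: ImaXattr, require_signature: bool) -> bool:
    """Policy-level check only (no crypto): a rule with appraise_type=imasig,
    as the secure_boot policy uses, is satisfied only by a digsig xattr;
    a plain appraise rule also accepts a stored hash."""
    if require_signature:
        return x.kind == "digsig"
    return x.kind in ("digsig", "digest", "digest_ng")


def audit_file(path: str, require_signature: bool = True) -> Tuple[str, bool]:
    """Read security.ima from a real file (Linux only; needs read access to the
    xattr) and report (kind, acceptable-under-policy). Hypothetical helper."""
    try:
        raw = os.getxattr(path, "security.ima")
    except OSError:
        return ("missing", False)
    x = parse_security_ima(raw)
    return (x.kind, appraise_would_accept(x, require_signature))


# Constructed sample values (not captured from a real system):
# a sha256 signature header with key id 0xdeadbeef and a 5-byte fake signature body,
# and a sha256 hash-only xattr with an all-zero digest.
SAMPLE_DIGSIG = (bytes([EVM_IMA_XATTR_DIGSIG, 2, 4]) + bytes.fromhex("deadbeef")
                 + struct.pack(">H", 5) + b"\x01\x02\x03\x04\x05")
SAMPLE_DIGEST_NG = bytes([IMA_XATTR_DIGEST_NG, 4]) + bytes(32)


if __name__ == "__main__":
    import sys
    # e.g. python3 ima_audit.py /boot/vmlinuz /lib/modules/.../foo.ko /lib/firmware/...
    for p in sys.argv[1:]:
        kind, ok = audit_file(p)
        print(f"{p}: {kind} {'OK' if ok else 'REJECTED by signature-required rule'}")
```

Running it over the kexec image, a module and a firmware blob after `evmctl ima_sign` shows all three as `digsig` with the same key id, which is the state the thread's "same signing_key for everything" test setup produces; a file that was only `ima_hash`ed shows up as `digest_ng` and would be rejected under the secure_boot policy. The check is deliberately structural: it confirms what kind of integrity metadata is present, not that the signature verifies against the .ima keyring.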