| Message ID | 20230711031604.717124-1-coxu@redhat.com |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a59:a6b2:0:b0:3e4:2afc:c1 with SMTP id c18csp224155vqm;
Mon, 10 Jul 2023 20:50:03 -0700 (PDT)
X-Google-Smtp-Source:
APBJJlGCu79JPduiWjPy9Ry3h5d2Rj/ds7FM14IY+J0/OlWce16XvDJSNeg5p9PiHLQF2319Vl+y
X-Received: by 2002:adf:dbc4:0:b0:314:43c7:2597 with SMTP id
e4-20020adfdbc4000000b0031443c72597mr13561497wrj.57.1689047403184;
Mon, 10 Jul 2023 20:50:03 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1689047403; cv=none;
d=google.com; s=arc-20160816;
b=UPLM23OShJSqc6pQ4ezpTRF3WG0Wozn+Z7iy/NrhaLeb1YsAIX1sPG9Flk4ysSues5
Pvs6vk7ZCScZtwZggB/GUfK7JsCLkC1wqyN2NVtmTttswH26u1Qoi1W1gVhjGpAPMaoV
ZmEgevTLXs6WaQJk8E5RbN+ESrui9T8D/uXjlngpyn7sYWvCjYXWkxxrDCNz/0h+0ovB
HqGnGGOCfZg9MDUnk6ik7g//5+VbjEOGpQxpzFzW4aN3anY++ZfCOdFERZiQTVtyzrgL
ZPzso0OOio6o5JEIni3NAezSeuG3YuvQkl4gRNvsK7nGJqvcCa2K8Yx0sSgW7Yqawwxc
ps1A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:content-transfer-encoding:mime-version
:message-id:date:subject:cc:to:from:dkim-signature;
bh=fXhj7EzANXxG2zR22cPkd+LCDvsMw/4Z29S4c6txddw=;
fh=kv6sZweKA6/rmn5uskgyc+9y8flCPKthtA3rkmpZbzA=;
b=m321Y2sYoewEHSuc+K57JEKnA1nA1oJQgVWShPvet31ewR9R7UHBnak1nAY3eb4ny9
nDn1N7YZILrS9incrz2WvbEDXmcg2Xo1d80hVMVFYCTZSyFUGmoK0r9JSkphIduw/4r1
XanB+q3t819FUK9qkxfhUfjxAKByj5+yDePwA5dqhAiURghaZqw3vEiBJWOAq7XRrnm7
B+t7joFOajsC4FiIWG0dTUlSJ/giR/nY0T9cImd1pAL/b1LUMhiTwH1lyKh/05W5Pael
25JDlif3ZntWCCD4Ol/4/BlC8FVrvieds0nFneh3jyL32gc+jJ0iSG5TN8zUfyEO27DO
l8sA==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@redhat.com header.s=mimecast20190719
header.b=GbbFDT9p;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
by mx.google.com with ESMTP id
jj4-20020a170907984400b00992bbb918dfsi1108358ejc.173.2023.07.10.20.49.39;
Mon, 10 Jul 2023 20:50:03 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
dkim=pass header.i=@redhat.com header.s=mimecast20190719
header.b=GbbFDT9p;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S230302AbjGKDRG (ORCPT <rfc822;gnulinuxfreebsd@gmail.com>
+ 99 others); Mon, 10 Jul 2023 23:17:06 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53904 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S229774AbjGKDRE (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Mon, 10 Jul 2023 23:17:04 -0400
Received: from us-smtp-delivery-124.mimecast.com
(us-smtp-delivery-124.mimecast.com [170.10.133.124])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 8A790F9
for <linux-kernel@vger.kernel.org>;
Mon, 10 Jul 2023 20:16:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
s=mimecast20190719; t=1689045376;
h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
to:to:cc:cc:mime-version:mime-version:
content-transfer-encoding:content-transfer-encoding;
bh=fXhj7EzANXxG2zR22cPkd+LCDvsMw/4Z29S4c6txddw=;
b=GbbFDT9pMIGhkhP/CKNTCvEA52857SvX5YaW5PnYE1kbhMtYE/HVSPzY1a5R1SYJVfCTrt
OieZzDJ4C7dZSbLQhjr7s8SfdAtwAeT9p43UDUOO52lrfOtVOj5XvZJBPMqzx/YE02GRwN
VVPMp3UsMrhSbP5v7340cfMAMoH1JBM=
Received: from mail-oi1-f200.google.com (mail-oi1-f200.google.com
[209.85.167.200]) by relay.mimecast.com with ESMTP with STARTTLS
(version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id
us-mta-52-WyDR3BM8NDWyxCJVnoIbcw-1; Mon, 10 Jul 2023 23:16:15 -0400
X-MC-Unique: WyDR3BM8NDWyxCJVnoIbcw-1
Received: by mail-oi1-f200.google.com with SMTP id
5614622812f47-3a3df1e1f38so4768842b6e.2
for <linux-kernel@vger.kernel.org>;
Mon, 10 Jul 2023 20:16:15 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20221208; t=1689045374; x=1691637374;
h=content-transfer-encoding:mime-version:message-id:date:subject:cc
:to:from:x-gm-message-state:from:to:cc:subject:date:message-id
:reply-to;
bh=fXhj7EzANXxG2zR22cPkd+LCDvsMw/4Z29S4c6txddw=;
b=LGSYOKJvvAzPKUj6uNr9g6/tQ6WTHnHNY2ZTGyBh6rKd0vh7BmOOL71dVzmIdyQYNj
0bEnmerPF/3oVrjEutIwKY9OBcG0zZMKmlgJsSLhF3NuLDePcJ/YoQ4jPTdh7XXHRceU
ZCUbDwVPCN+XoLqVm/lYAPVCPGEAItucPjrH2WiwXyDWcbKtxOKaYIQ1YYiHuG1mmwzz
/A9PTn7nH1SmIxChcf+oseB9N7729TaDvR8edc0JKV+G2i7deXeTP9jghPYZP4T4uAnS
cvtmk8dLpAx9TuNGL7Ufy943qtg5dDxJGn5tqLBZbH1xeFOLn5t7h63yX4jJMxrb41k/
u/VQ==
X-Gm-Message-State: ABy/qLYh0SqjOWfWtaVhvYTZTvzJqq21a3qScyBijIxpli/QW0FPQAV+
HpUQRm/OLX9FPejAK3/9usu0bDC3edN25gx4lLKWgmzSK17eTjhfumpY6WRq61JkLgGVtFgS4/q
xyfHDK4RCctehrqkXO1IBBJ+r
X-Received: by 2002:a05:6808:190b:b0:3a3:aedd:6b21 with SMTP id
bf11-20020a056808190b00b003a3aedd6b21mr18778774oib.39.1689045374372;
Mon, 10 Jul 2023 20:16:14 -0700 (PDT)
X-Received: by 2002:a05:6808:190b:b0:3a3:aedd:6b21 with SMTP id
bf11-20020a056808190b00b003a3aedd6b21mr18778752oib.39.1689045373985;
Mon, 10 Jul 2023 20:16:13 -0700 (PDT)
Received: from localhost ([43.228.180.230])
by smtp.gmail.com with ESMTPSA id
s4-20020aa78284000000b0066883d75932sm488806pfm.204.2023.07.10.20.16.11
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Mon, 10 Jul 2023 20:16:13 -0700 (PDT)
From: Coiby Xu <coxu@redhat.com>
To: linux-integrity@vger.kernel.org
Cc: Eric Biederman <ebiederm@xmission.com>,
Mimi Zohar <zohar@linux.ibm.com>,
kexec@lists.infradead.org (open list:KEXEC),
linux-kernel@vger.kernel.org (open list)
Subject: [PATCH] kexec_file: ima: allow loading a kernel with its IMA
signature verified
Date: Tue, 11 Jul 2023 11:16:03 +0800
Message-ID: <20230711031604.717124-1-coxu@redhat.com>
X-Mailer: git-send-email 2.41.0
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE,
RCVD_IN_MSPIKE_H4,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,SPF_NONE,
T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: INBOX
X-GMAIL-THRID: 1771094570053443820
X-GMAIL-MSGID: 1771094570053443820
|
| Series |
kexec_file: ima: allow loading a kernel with its IMA signature verified
|
|
Commit Message
Coiby Xu
July 11, 2023, 3:16 a.m. UTC
When IMA has verified the signature of the kernel image, kexec'ing this
kernel should be allowed.
Fixes: af16df54b89d ("ima: force signature verification when CONFIG_KEXEC_SIG is configured")
Signed-off-by: Coiby Xu <coxu@redhat.com>
---
kernel/kexec_file.c | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)
Comments
[Cc'ing the LSM mailing list.] On Tue, 2023-07-11 at 11:16 +0800, Coiby Xu wrote: > When IMA has verified the signature of the kernel image, kexec'ing this > kernel should be allowed. > > Fixes: af16df54b89d ("ima: force signature verification when CONFIG_KEXEC_SIG is configured") > Signed-off-by: Coiby Xu <coxu@redhat.com> The original commit 29d3c1c8dfe7 ("kexec: Allow kexec_file() with appropriate IMA policy when locked down") was not in lieu of the PE- COFF signature, but allowed using the IMA signature on other architectures. Currently on systems with both PE-COFF and IMA signatures, both signatures are verified, assuming the file is in the IMA policy. If either signature verification fails, the kexec fails. With this patch, only the IMA signature would be verified. > --- > kernel/kexec_file.c | 14 +++++++++----- > 1 file changed, 9 insertions(+), 5 deletions(-) > > diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c > index 881ba0d1714c..96fce001fbc0 100644 > --- a/kernel/kexec_file.c > +++ b/kernel/kexec_file.c > @@ -162,6 +162,13 @@ kimage_validate_signature(struct kimage *image) > ret = kexec_image_verify_sig(image, image->kernel_buf, > image->kernel_buf_len); > if (ret) { > + /* > + * If the kernel image already has its IMA signature verified, permit it. > + */ > + if (ima_appraise_signature(READING_KEXEC_IMAGE)) { > + pr_notice("The kernel image already has its IMA signature verified.\n"); > + return 0; > + } > > if (sig_enforce) { > pr_notice("Enforced kernel signature verification failed (%d).\n", ret); > @@ -169,12 +176,9 @@ kimage_validate_signature(struct kimage *image) > } > > /* > - * If IMA is guaranteed to appraise a signature on the kexec > - * image, permit it even if the kernel is otherwise locked > - * down. > + * When both IMA and KEXEC_SIG fail in lockdown mode, reject it. > */ > - if (!ima_appraise_signature(READING_KEXEC_IMAGE) && > - security_locked_down(LOCKDOWN_KEXEC)) > + if (security_locked_down(LOCKDOWN_KEXEC)) > return -EPERM; > > pr_debug("kernel signature verification failed (%d).\n", ret);
> On Jul 12, 2023, at 12:31 PM, Mimi Zohar <zohar@linux.ibm.com> wrote: > > [Cc'ing the LSM mailing list.] > > On Tue, 2023-07-11 at 11:16 +0800, Coiby Xu wrote: >> When IMA has verified the signature of the kernel image, kexec'ing this >> kernel should be allowed. >> >> Fixes: af16df54b89d ("ima: force signature verification when CONFIG_KEXEC_SIG is configured") >> Signed-off-by: Coiby Xu <coxu@redhat.com> > > The original commit 29d3c1c8dfe7 ("kexec: Allow kexec_file() with > appropriate IMA policy when locked down") was not in lieu of the PE- > COFF signature, but allowed using the IMA signature on other > architectures. > > Currently on systems with both PE-COFF and IMA signatures, both > signatures are verified, assuming the file is in the IMA policy. If > either signature verification fails, the kexec fails. > > With this patch, only the IMA signature would be verified. > >> --- >> kernel/kexec_file.c | 14 +++++++++----- >> 1 file changed, 9 insertions(+), 5 deletions(-) >> >> diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c >> index 881ba0d1714c..96fce001fbc0 100644 >> --- a/kernel/kexec_file.c >> +++ b/kernel/kexec_file.c >> @@ -162,6 +162,13 @@ kimage_validate_signature(struct kimage *image) >> ret = kexec_image_verify_sig(image, image->kernel_buf, >> image->kernel_buf_len); >> if (ret) { >> + /* >> + * If the kernel image already has its IMA signature verified, permit it. >> + */ >> + if (ima_appraise_signature(READING_KEXEC_IMAGE)) { >> + pr_notice("The kernel image already has its IMA signature verified.\n"); >> + return 0; >> + } The issue I see here is ret could be many things, for example it could be -EKEYREJECTED, meaning it was contained on a revocation list. With this patch the revocation could be overruled if the image was IMA signed with a different key. Do we really want to add the ability to overrule a revocation? >> >> if (sig_enforce) { >> pr_notice("Enforced kernel signature verification failed (%d).\n", ret); >> @@ -169,12 +176,9 @@ kimage_validate_signature(struct kimage *image) >> } >> >> /* >> - * If IMA is guaranteed to appraise a signature on the kexec >> - * image, permit it even if the kernel is otherwise locked >> - * down. >> + * When both IMA and KEXEC_SIG fail in lockdown mode, reject it. >> */ >> - if (!ima_appraise_signature(READING_KEXEC_IMAGE) && >> - security_locked_down(LOCKDOWN_KEXEC)) >> + if (security_locked_down(LOCKDOWN_KEXEC)) >> return -EPERM; >> >> pr_debug("kernel signature verification failed (%d).\n", ret); > >
On Wed, Jul 12, 2023 at 02:31:43PM -0400, Mimi Zohar wrote: >[Cc'ing the LSM mailing list.] > >On Tue, 2023-07-11 at 11:16 +0800, Coiby Xu wrote: >> When IMA has verified the signature of the kernel image, kexec'ing this >> kernel should be allowed. >> >> Fixes: af16df54b89d ("ima: force signature verification when CONFIG_KEXEC_SIG is configured") >> Signed-off-by: Coiby Xu <coxu@redhat.com> > >The original commit 29d3c1c8dfe7 ("kexec: Allow kexec_file() with >appropriate IMA policy when locked down") was not in lieu of the PE- >COFF signature, but allowed using the IMA signature on other >architectures. > >Currently on systems with both PE-COFF and IMA signatures, both >signatures are verified, assuming the file is in the IMA policy. If >either signature verification fails, the kexec fails. > >With this patch, only the IMA signature would be verified. Thanks for correcting me! I thought it's already a consensus that we could use either signature to verify a kernel image because that's what the code of commit 29d3c1c8dfe7 has done and the code comment seems to confirm it. But if we just read the commit message, it indeed didn't give an answer on whether x86 and ARM are only allowed to use PE-COFF signature. > >> --- >> kernel/kexec_file.c | 14 +++++++++----- >> 1 file changed, 9 insertions(+), 5 deletions(-) >> >> diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c >> index 881ba0d1714c..96fce001fbc0 100644 >> --- a/kernel/kexec_file.c >> +++ b/kernel/kexec_file.c >> @@ -162,6 +162,13 @@ kimage_validate_signature(struct kimage *image) >> ret = kexec_image_verify_sig(image, image->kernel_buf, >> image->kernel_buf_len); >> if (ret) { >> + /* >> + * If the kernel image already has its IMA signature verified, permit it. >> + */ >> + if (ima_appraise_signature(READING_KEXEC_IMAGE)) { >> + pr_notice("The kernel image already has its IMA signature verified.\n"); >> + return 0; >> + } >> >> if (sig_enforce) { >> pr_notice("Enforced kernel signature verification failed (%d).\n", ret); >> @@ -169,12 +176,9 @@ kimage_validate_signature(struct kimage *image) >> } >> >> /* >> - * If IMA is guaranteed to appraise a signature on the kexec >> - * image, permit it even if the kernel is otherwise locked >> - * down. >> + * When both IMA and KEXEC_SIG fail in lockdown mode, reject it. >> */ >> - if (!ima_appraise_signature(READING_KEXEC_IMAGE) && >> - security_locked_down(LOCKDOWN_KEXEC)) >> + if (security_locked_down(LOCKDOWN_KEXEC)) >> return -EPERM; >> >> pr_debug("kernel signature verification failed (%d).\n", ret); > >
On Thu, Jul 13, 2023 at 05:59:38PM +0000, Eric Snowberg wrote: > > >> On Jul 12, 2023, at 12:31 PM, Mimi Zohar <zohar@linux.ibm.com> wrote: >> >> [Cc'ing the LSM mailing list.] >> >> On Tue, 2023-07-11 at 11:16 +0800, Coiby Xu wrote: >>> When IMA has verified the signature of the kernel image, kexec'ing this >>> kernel should be allowed. >>> >>> Fixes: af16df54b89d ("ima: force signature verification when CONFIG_KEXEC_SIG is configured") >>> Signed-off-by: Coiby Xu <coxu@redhat.com> >> >> The original commit 29d3c1c8dfe7 ("kexec: Allow kexec_file() with >> appropriate IMA policy when locked down") was not in lieu of the PE- >> COFF signature, but allowed using the IMA signature on other >> architectures. >> >> Currently on systems with both PE-COFF and IMA signatures, both >> signatures are verified, assuming the file is in the IMA policy. If >> either signature verification fails, the kexec fails. >> >> With this patch, only the IMA signature would be verified. >> >>> --- >>> kernel/kexec_file.c | 14 +++++++++----- >>> 1 file changed, 9 insertions(+), 5 deletions(-) >>> >>> diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c >>> index 881ba0d1714c..96fce001fbc0 100644 >>> --- a/kernel/kexec_file.c >>> +++ b/kernel/kexec_file.c >>> @@ -162,6 +162,13 @@ kimage_validate_signature(struct kimage *image) >>> ret = kexec_image_verify_sig(image, image->kernel_buf, >>> image->kernel_buf_len); >>> if (ret) { >>> + /* >>> + * If the kernel image already has its IMA signature verified, permit it. >>> + */ >>> + if (ima_appraise_signature(READING_KEXEC_IMAGE)) { >>> + pr_notice("The kernel image already has its IMA signature verified.\n"); >>> + return 0; >>> + } > >The issue I see here is ret could be many things, for example it could be >-EKEYREJECTED, meaning it was contained on a revocation list. With this patch >the revocation could be overruled if the image was IMA signed with a different >key. Do we really want to add the ability to overrule a revocation? Thanks for raising the concern! I haven't thought about this case of the key being in a revocation list. If the IMA signature comes from a distribution, the distribution should also blocklist the IMA key when the PE-COFF signature key is added to the revocation list. If the IMA signature is from an end-user, I think the user wants to pass the verification in this case. Or how about only allowing IMA signature when EFI runtime services are disabled? Another reason I am yet to add to the commit message is a real-time kernel currently disables EFI runtime services for latency issues so it can't access the MOK keys to verify the PECOFF signature.
[CC'ing Paul Moore] On Fri, 2023-07-14 at 09:46 +0800, Coiby Xu wrote: > On Wed, Jul 12, 2023 at 02:31:43PM -0400, Mimi Zohar wrote: > >[Cc'ing the LSM mailing list.] > > > >On Tue, 2023-07-11 at 11:16 +0800, Coiby Xu wrote: > >> When IMA has verified the signature of the kernel image, kexec'ing this > >> kernel should be allowed. > >> > >> Fixes: af16df54b89d ("ima: force signature verification when CONFIG_KEXEC_SIG is configured") > >> Signed-off-by: Coiby Xu <coxu@redhat.com> > > > >The original commit 29d3c1c8dfe7 ("kexec: Allow kexec_file() with > >appropriate IMA policy when locked down") was not in lieu of the PE- > >COFF signature, but allowed using the IMA signature on other > >architectures. > > > >Currently on systems with both PE-COFF and IMA signatures, both > >signatures are verified, assuming the file is in the IMA policy. If > >either signature verification fails, the kexec fails. > > > >With this patch, only the IMA signature would be verified. > > Thanks for correcting me! I thought it's already a consensus that we could use > either signature to verify a kernel image because that's what the code of > commit 29d3c1c8dfe7 has done and the code comment seems to confirm it. But if > we just read the commit message, it indeed didn't give an answer on whether x86 > and ARM are only allowed to use PE-COFF signature. I'm not aware of any consensus one way or the other. Commit 29d3c1c8dfe7 continued to fail the kexec on failure, when CONFIG_KEXEC_SIG_FORCE was enabled. As there isn't a lockdown maintainer, Paul are you ok with this change? > > > > >> --- > >> kernel/kexec_file.c | 14 +++++++++----- > >> 1 file changed, 9 insertions(+), 5 deletions(-) > >> > >> diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c > >> index 881ba0d1714c..96fce001fbc0 100644 > >> --- a/kernel/kexec_file.c > >> +++ b/kernel/kexec_file.c > >> @@ -162,6 +162,13 @@ kimage_validate_signature(struct kimage *image) > >> ret = kexec_image_verify_sig(image, image->kernel_buf, > >> image->kernel_buf_len); > >> if (ret) { > >> + /* > >> + * If the kernel image already has its IMA signature verified, permit it. > >> + */ > >> + if (ima_appraise_signature(READING_KEXEC_IMAGE)) { > >> + pr_notice("The kernel image already has its IMA signature verified.\n"); > >> + return 0; > >> + } > >> > >> if (sig_enforce) { > >> pr_notice("Enforced kernel signature verification failed (%d).\n", ret); > >> @@ -169,12 +176,9 @@ kimage_validate_signature(struct kimage *image) > >> } > >> > >> /* > >> - * If IMA is guaranteed to appraise a signature on the kexec > >> - * image, permit it even if the kernel is otherwise locked > >> - * down. > >> + * When both IMA and KEXEC_SIG fail in lockdown mode, reject it. > >> */ > >> - if (!ima_appraise_signature(READING_KEXEC_IMAGE) && > >> - security_locked_down(LOCKDOWN_KEXEC)) > >> + if (security_locked_down(LOCKDOWN_KEXEC)) > >> return -EPERM; > >> > >> pr_debug("kernel signature verification failed (%d).\n", ret); > > > > >
> On Jul 13, 2023, at 8:29 PM, Coiby Xu <coxu@redhat.com> wrote: > > On Thu, Jul 13, 2023 at 05:59:38PM +0000, Eric Snowberg wrote: >> >> >>> On Jul 12, 2023, at 12:31 PM, Mimi Zohar <zohar@linux.ibm.com> wrote: >>> >>> [Cc'ing the LSM mailing list.] >>> >>> On Tue, 2023-07-11 at 11:16 +0800, Coiby Xu wrote: >>>> When IMA has verified the signature of the kernel image, kexec'ing this >>>> kernel should be allowed. >>>> >>>> Fixes: af16df54b89d ("ima: force signature verification when CONFIG_KEXEC_SIG is configured") >>>> Signed-off-by: Coiby Xu <coxu@redhat.com> >>> >>> The original commit 29d3c1c8dfe7 ("kexec: Allow kexec_file() with >>> appropriate IMA policy when locked down") was not in lieu of the PE- >>> COFF signature, but allowed using the IMA signature on other >>> architectures. >>> >>> Currently on systems with both PE-COFF and IMA signatures, both >>> signatures are verified, assuming the file is in the IMA policy. If >>> either signature verification fails, the kexec fails. >>> >>> With this patch, only the IMA signature would be verified. >>> >>>> --- >>>> kernel/kexec_file.c | 14 +++++++++----- >>>> 1 file changed, 9 insertions(+), 5 deletions(-) >>>> >>>> diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c >>>> index 881ba0d1714c..96fce001fbc0 100644 >>>> --- a/kernel/kexec_file.c >>>> +++ b/kernel/kexec_file.c >>>> @@ -162,6 +162,13 @@ kimage_validate_signature(struct kimage *image) >>>> ret = kexec_image_verify_sig(image, image->kernel_buf, >>>> image->kernel_buf_len); >>>> if (ret) { >>>> + /* >>>> + * If the kernel image already has its IMA signature verified, permit it. >>>> + */ >>>> + if (ima_appraise_signature(READING_KEXEC_IMAGE)) { >>>> + pr_notice("The kernel image already has its IMA signature verified.\n"); >>>> + return 0; >>>> + } >> >> The issue I see here is ret could be many things, for example it could be >> -EKEYREJECTED, meaning it was contained on a revocation list. With this patch >> the revocation could be overruled if the image was IMA signed with a different >> key. Do we really want to add the ability to overrule a revocation? > > Thanks for raising the concern! I haven't thought about this case of the > key being in a revocation list. If the IMA signature comes from a > distribution, the distribution should also blocklist the IMA key when > the PE-COFF signature key is added to the revocation list. If the IMA > signature is from an end-user, I think the user wants to pass the > verification in this case. Correct, the IMA signature should be on the revocation list in this case. However, the embedded signature in the kernel doesn’t have to be the same as the IMA signature in the extended attribute. If they don’t match up, IMA could be used as a bypass mechanism to kexec a kernel that shouldn’t load. > Or how about only allowing IMA signature when EFI runtime services are > disabled? Another reason I am yet to add to the commit message is a > real-time kernel currently disables EFI runtime services for latency > issues so it can't access the MOK keys to verify the PECOFF signature. Possibly? On a UEFI system, the IMA signature on a kernel is ignored during boot, GRUB2 doesn’t have a way to validate it. If GRUB2 is booting a kernel on a system with EFI runtime services disabled, not only will you be missing the MOK keys, but you will be missing the MOKX and DBX too.
diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c index 881ba0d1714c..96fce001fbc0 100644 --- a/kernel/kexec_file.c +++ b/kernel/kexec_file.c @@ -162,6 +162,13 @@ kimage_validate_signature(struct kimage *image) ret = kexec_image_verify_sig(image, image->kernel_buf, image->kernel_buf_len); if (ret) { + /* + * If the kernel image already has its IMA signature verified, permit it. + */ + if (ima_appraise_signature(READING_KEXEC_IMAGE)) { + pr_notice("The kernel image already has its IMA signature verified.\n"); + return 0; + } if (sig_enforce) { pr_notice("Enforced kernel signature verification failed (%d).\n", ret); @@ -169,12 +176,9 @@ kimage_validate_signature(struct kimage *image) } /* - * If IMA is guaranteed to appraise a signature on the kexec - * image, permit it even if the kernel is otherwise locked - * down. + * When both IMA and KEXEC_SIG fail in lockdown mode, reject it. */ - if (!ima_appraise_signature(READING_KEXEC_IMAGE) && - security_locked_down(LOCKDOWN_KEXEC)) + if (security_locked_down(LOCKDOWN_KEXEC)) return -EPERM; pr_debug("kernel signature verification failed (%d).\n", ret);