Re: F20 System Wide Change: Enable kdump on secureboot machines

On 07/11/2013 01:40 PM, Jaroslav Reznik wrote:
=== Build and ship ima-evm-utils package ===
/sbin/kexec will be signed by evmctl. This utility will put a security.ima
xattr on the /sbin/kexec file, and the kernel will leverage its IMA
infrastructure to verify the signature of /sbin/kexec upon execution.

* There has been a bz (807476) open for inclusion of this package for a long
time. Not sure what it is stuck on, though.

* There are some patches which are not upstream yet (like locking down the
executable in memory) which we need to carry in this package until the patches
get upstream.

Is there a chance this (and the other patches mentioned below) actually makes it in the kernel? Are at least the VM changes part of upstream already?

I don't think it would make sense to add more and more Fedora-specific patches which implement security functionality. I don't want Fedora to become the next Android.

=== Kernel Changes ===
The kernel needs to carry additional patches to verify the ELF binary signature.
* There are patches to extend keyctl() so that user space can use it to verify
the signature of a user buffer (vmlinuz in this case).
* These patches are not upstream, so they need to be carried in Fedora until
the patches get upstream.
* The kernel needs to be signed using evmctl, and a detached signature needs to
be generated. These signatures need to be installed in the security.ima xattr
of vmlinuz upon kernel RPM installation.

Does this mean your implementation of signature checking will be completely independent of UEFI Secure Boot (unless you decide to use that to obtain the trust root)?

=== Signing Key Management ===
Yet to be figured out. There are a couple of ideas on the table.

* Embed a few keys in the kernel; one of these keys will be used to sign
/sbin/kexec. In case a key is revoked, use a new key from the set of embedded
keys.

How do you intend to handle revocation?

* Ship a PE/COFF wrapped key in the kexec-tools package. This PE/COFF binary
should be signed by an appropriate authority so it can be loaded into the
system keyring.

Who is the appropriate authority?

--
Florian Weimer / Red Hat Product Security Team
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
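An added example, not part of this thread or of ima-evm-utils: a Python parser for the security.ima xattr value that `evmctl ima_sign` writes (the v2 signature header: type byte, version, hash algorithm, 32-bit key id, 16-bit signature length, then the signature) and for the hash-only forms, so an installed /sbin/kexec or vmlinuz can be audited for a well-formed signature before IMA appraisal is switched to enforcing. It assumes the header layout and the type/algorithm numbering from the kernel's integrity.h and hash_info.h; the sample blob is constructed and carries a placeholder signature.

```python
import struct

# xattr type byte: kernel enum evm_ima_xattr_type (security/integrity/integrity.h)
IMA_XATTR_DIGEST = 1      # legacy bare SHA1 digest
EVM_IMA_XATTR_DIGSIG = 3  # asymmetric signature, as written by `evmctl ima_sign`
IMA_XATTR_DIGEST_NG = 4   # algorithm byte followed by the digest
# (name, digest size); index matches the kernel's enum hash_algo
HASH_ALGOS = [("md4", 16), ("md5", 16), ("sha1", 20), ("rmd160", 20),
              ("sha256", 32), ("sha384", 48), ("sha512", 64), ("sha224", 28)]

def parse_security_ima(blob):
    """Return the fields of a security.ima value; raise ValueError if malformed."""
    if not blob:
        raise ValueError("empty security.ima xattr")
    xtype, body = blob[0], blob[1:]
    if xtype == EVM_IMA_XATTR_DIGSIG:
        # struct signature_v2_hdr: u8 type, u8 version, u8 hash_algo,
        # __be32 keyid, __be16 sig_size, then sig_size bytes of signature
        if len(body) < 8:
            raise ValueError("signature header truncated")
        version, algo, keyid, sig_size = struct.unpack(">BBIH", body[:8])
        if version != 2 or algo >= len(HASH_ALGOS):
            raise ValueError(f"unsupported version {version} / hash id {algo}")
        if len(body) - 8 != sig_size:
            raise ValueError(f"sig_size {sig_size} but {len(body) - 8} bytes present")
        return {"type": "digsig", "hash_algo": HASH_ALGOS[algo][0],
                "keyid": f"{keyid:08x}", "sig_size": sig_size}
    if xtype == IMA_XATTR_DIGEST:
        (name, size), digest = HASH_ALGOS[2], body
    elif xtype == IMA_XATTR_DIGEST_NG and body and body[0] < len(HASH_ALGOS):
        (name, size), digest = HASH_ALGOS[body[0]], body[1:]
    else:
        raise ValueError(f"unknown or truncated xattr (type byte {xtype})")
    if len(digest) != size:
        raise ValueError(f"{name} digest must be {size} bytes, got {len(digest)}")
    # A bare digest is not a signature: an appraise_type=imasig rule rejects it.
    return {"type": "hash", "hash_algo": name, "digest": digest.hex()}

def is_well_formed(blob):
    """Structural check only; it does not verify the signature against a key."""
    try:
        parse_security_ima(blob)
        return True
    except ValueError:
        return False

# Constructed sample, not a real signature: v2 header, sha256, keyid 0x0a1b2c3d,
# sig_size 8 with placeholder bytes (a real RSA-2048 signature is 256 bytes).
SAMPLE_DIGSIG = bytes([3, 2, 4]) + bytes.fromhex("0a1b2c3d0008") + b"\xde\xad\xbe\xef" * 2
```

Feed it the value shown by `getfattr -n security.ima -e hex FILE` with the leading `0x` stripped, via `bytes.fromhex`.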
