On 04/07/17 at 04:28am, Mimi Zohar wrote: > On Fri, 2017-04-07 at 15:41 +0800, Dave Young wrote: > > On 04/07/17 at 08:07am, David Howells wrote: > > > Dave Young <dyoung at redhat.com> wrote: > > > > > > > > > > + /* Don't permit images to be loaded into trusted kernels if we're not > > > > > > > + * going to verify the signature on them > > > > > > > + */ > > > > > > > + if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && kernel_is_locked_down()) > > > > > > > + return -EPERM; > > > > > > > + > > > > > > > > > > > > > > > > > IMA can be used to verify file signatures too, based on the LSM hooks > > > > > in ?kernel_read_file_from_fd(). ?CONFIG_KEXEC_VERIFY_SIG should not be > > > > > required. > > > > > > > > Mimi, I remember we talked somthing before about the two signature > > > > verification. One can change IMA policy in initramfs userspace, > > > > also there are kernel cmdline param to disable IMA, so it can break the > > > > lockdown? Suppose kexec boot with ima disabled cmdline param and then > > > > kexec reboot again.. > > > > > > I guess I should lock down the parameter to disable IMA too. > > > > That is one thing, user can change IMA policy in initramfs userspace, > > I'm not sure if IMA enforce the signed policy now, if no it will be also > > a problem. > > I'm not sure how this relates to the question of whether IMA verifies > the kexec kernel image signature, as the test would not be based on a > Kconfig option, but on a runtime variable. I assumed one can change the policy to avoid kexec and initramfs check And we use a global IMA status in the -EPERM check for the lockdown checking. But if there is some fine grained checking to ensure kernel signature verification it should be fine. > > To answer your question, the rule for requiring the policy to be > signed is: ?appraise func=POLICY_CHECK appraise_type=imasig > > When the ability to append rules is Kconfig enabled, the builtin > policy requires the new policy or additional rules to be signed. > ?Unfortunately, always requiring the policy to be signed, would have > broken userspace. > > Mimi > Thanks Dave
