On Thu, 2018-04-05 at 10:16 +0800, joeyli wrote: > Hi David, > > On Wed, Apr 04, 2018 at 05:17:24PM +0100, David Howells wrote: > > Andy Lutomirski <luto@xxxxxxxxxx> wrote: > > > > > Since this thread has devolved horribly, I'm going to propose a solution. > > > > > > 1. Split the "lockdown" state into three levels: (please don't > > > bikeshed about the names right now.) > > > > > > LOCKDOWN_NONE: normal behavior > > > > > > LOCKDOWN_PROTECT_INTEGREITY: kernel tries to keep root from writing to > > > kernel memory > > > > > > LOCKDOWN_PROTECT_INTEGRITY_AND_SECRECY: kernel tries to keep root from > > > reading or writing kernel memory. > > > > In theory, it's good idea, but in practice it's not as easy to implement as I > > think you think. > > > > Let me list here the things that currently get restricted by lockdown: > > > [...snip] > > (5) Kexec. > > > > About IMA with kernel module signing and kexec(not on x86_64 yet)... Only carrying the measurement list across kexec is architecture specific, but everything else should work. > Because IMA can be used to verify the integrity of kernel module or even > the image for kexec. I think that the > IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY must be enabled at runtime > when kernel is locked-down. I think we need to understand the problem a bit better. Is the problem that you're using the secondary keyring and loading the UEFI keys onto the secondary keyring? > Because the root can enroll master key to keyring then IMA trusts the ima key > derived from master key. It causes that the arbitrary signed module can be loaded > when the root compromised. With only the builtin keyring, only keys signed by a builtin key can be added to the IMA keyring. Mimi -- To unsubscribe from this list: send the line "unsubscribe linux-api" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html