On Tue, 2018-05-01 at 21:02 +0000, Matthew Garrett wrote:
> On Tue, May 1, 2018 at 1:15 PM Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> wrote:
> > a) Requiring two signatures was addressed by a patch titled "lockdown:
> > fix coordination of kernel module signature verification" [1]
>
> Ah, I'd missed that - thanks!
>
> > There's been further discussions as to what should remain in the
> > "lockdown" patch set. Based on the discussion here [2], it seems like
> > "[PATCH 06/24] kexec_load: Disable at runtime if the kernel is locked
> > down" will be removed.
>
> > Instead of preventing the loading of a kernel image (kexec_load
> > syscall) being dependent on the lockdown flag, it could be dependent
> > on the kernel_read_file_id READING_KEXEC_IMAGE. A version of these
> > patches was posted [3].
>
> Hm. My concern is that distributions are going to ship IMA in a
> configuration that allows users to add their own keys at boot time (it's
> difficult to use it in a generic way otherwise), and that's going to allow
> kexecing of arbitrary images without requiring physical access. I think
> kexec_file_load() needs to be relying on non-IMA signatures.

I don't see how. Unless the kernel was built with extra room for a local
CA public key (CONFIG_SYSTEM_EXTRA_CERTIFICATE), which would be loaded
onto the builtin keyring, there is no way of adding keys to the IMA
keyring. Adding the extra public key would require the kernel to be
resigned.

Mimi