On Tue, May 1, 2018 at 2:50 PM Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> wrote:
> On Tue, 2018-05-01 at 21:02 +0000, Matthew Garrett wrote:
> > Hm. My concern is that distributions are going to ship IMA in a
> > configuration that allows users to add their own keys at boot time (it's
> > difficult to use it in a generic way otherwise), and that's going to allow
> > kexecing of arbitrary images without requiring physical access. I think
> > kexec_file_load() needs to be relying on non-IMA signatures.
>
> I don't see how. Unless the kernel was built with extra room for a
> local CA public key (CONFIG_SYSTEM_EXTRA_CERTIFICATE), which would be
> loaded onto the builtin keyring, there is no way of adding keys to the
> IMA keyring. Adding the extra public key would require the kernel to
> be re-signed.

Oh, is kexec verified off the _module keyring? We still end up with the
problem that distributions don't have a mechanism to ship IMA signatures
yet, but that avoids the user modification problem. I've just posted a
patchset to debian-dpkg, we'll see how that goes.