On Tue, 2018-05-01 at 21:59 +0000, Matthew Garrett wrote: > On Tue, May 1, 2018 at 2:50 PM Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> wrote: > > > On Tue, 2018-05-01 at 21:02 +0000, Matthew Garrett wrote: > > > Hm. My concern is that distributions are going to ship IMA in a > > > configuration that allows users to add their own keys at boot time (it's > > > difficult to use it in a generic way otherwise), and that's going to > allow > > > kexecing of arbitrary images without requiring physical access. I think > > > kexec_file_load() needs to be relying on non-IMA signatures. > > > I don't see how. Unless the kernel was built with extra room for a > > local CA public key (CONFIG_SYSTEM_EXTRA_CERTIFICATE), which would be > > loaded onto the builtin keyring, there is no way of adding keys to the > > IMA keyring. Adding the extra public key would require the kernel to > > be resigned. > > Oh, is kexec verified off the _module keyring? We still end up with the > problem that distributions don't have a mechanism to ship IMA signatures > yet, but that avoids the user modification problem. I've just posted a > patchset to debian-dpkg, we'll see how that goes. I'm not aware of a _module keyring. With IMA-appraisal, the signature verification of the kernel image (kexec_file_load) uses the trusted IMA keyring. Nayna Jain posted a patch that defines a new platform keyring[1], which would only be used to validate the kernel image and initramfs signatures. Your review would be much appreciated! I really do hope that some version of including file signatures in Debian packages will be upstreamed soon. Good luck! [1] https://lkml.org/lkml/2018/2/28/1089 Mimi
