On Tue, May 1, 2018 at 3:21 PM Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> wrote: > On Tue, 2018-05-01 at 21:59 +0000, Matthew Garrett wrote: > > Oh, is kexec verified off the _module keyring? We still end up with the > > problem that distributions don't have a mechanism to ship IMA signatures > > yet, but that avoids the user modification problem. I've just posted a > > patchset to debian-dpkg, we'll see how that goes. > I'm not aware of a _module keyring. With IMA-appraisal, the signature > verification of the kernel image (kexec_file_load) uses the trusted > IMA keyring. Nayna Jain posted a patch that defines a new platform > keyring[1], which would only be used to validate the kernel image and > initramfs signatures. INTEGRITY_KEYRING_MODULE is defined, but doesn't appear to be used anywhere. Odd. Anyway, distributions are unlikely to ship with CONFIG_INTEGRITY_TRUSTED_KEYRING since it makes it impossible for users to determine which set of IMA or EVM signatures they want to trust. So if validation is against the IMA keyring rather than builtin_trusted_keys, it's going to be possible for users to extend the set of trusted keys. If CONFIG_KEXEC_BZIMAGE_VERIFY_SIG is set then the kernel seems to do the right thing here, but it's not clear to me how that's supposed to interact with IMA?
