On Wed, Mar 13, 2019 at 4:58 AM Mimi Zohar <zohar@xxxxxxxxxxxxx> wrote:
>
> On Tue, 2019-03-12 at 12:57 -0700, Matthew Garrett wrote:
> > Systems in lockdown mode should block the kexec of untrusted kernels.
> > For x86 and ARM we can ensure that a kernel is trustworthy by validating
> > a PE signature, but this isn't possible on other architectures. On those
> > platforms we can use IMA instead, either with native IMA digital
> > signatures or EVM-protected IMA hashes. Add a function to determine
> > whether IMA will verify signatures on kexec files, and if so permit
> > kexec_file() even if the kernel is otherwise locked down. This is
> > restricted to cases where CONFIG_INTEGRITY_TRUSTED_KEYRING is set in
> > order to prevent an attacker from loading additional keys at runtime.
>
> Thank you for working on this! With the changes suggested below, it
> might work. :)
Ok, I'll incorporate them - just one question:
> > +bool evm_key_loaded(void)
> > {
> > return (bool)(evm_initialized & EVM_KEY_MASK);
> > }
>
> This might be sufficient for your environment, but in general it
> isn't.
Oh hm. The only case I can see where this isn't sufficient is if the
filesystem returns EOPNOTSUPP for the EVM xattr, but in that case we
should already have failed to get the IMA xattr and will fail
appraisal as a result?
> > +#if defined(CONFIG_IMA_APPRAISE) && defined(CONFIG_INTEGRITY_TRUSTED_KEYRING)
>
> With these defines, the function isn't limited to just "lockdown".
> Either fix the defines or the patch description.
The function will be called even when lockdown isn't enabled, but it
won't have any impact on the logic flow.
