Re: [PATCH v5 3/8] ima: based on policy require signed kexec kernel images

From: Mimi Zohar
Date: Tue Jul 03 2018 - 09:08:14 EST

Next message: Robin Murphy: "[PATCH] dma-mapping: Relax warnings for per-device areas"
Previous message: Sudeep Holla: "Re: [RFC PATCH] ACPI: bus: match of_device_id using acpi device"
In reply to: J Freyensee: "Re: [PATCH v5 3/8] ima: based on policy require signed kexec kernel images"
Next in thread: Mimi Zohar: "[PATCH v5 6/8] ima: add build time policy"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, 2018-07-02 at 11:31 -0700, J Freyensee wrote:
>
> On 7/2/18 7:37 AM, Mimi Zohar wrote:
> > The original kexec_load syscall can not verify file signatures, nor can
> > the kexec image be measured. Based on policy, deny the kexec_load
> > syscall.
>
>
> Curiosity question: I thought kexec_load() syscall was used to load a
> crashdump?

kexec is used to collect the memory used to analyze the crash dump.

> If this is true, how would this work if kexec_load() is
> being denied?Â I don't think I'd want to be hindered in cases where I'm
> trying to diagnose a crash.

For trusted & secure boot, we need a full measurement list and
signature chain of trust rooted in HW. ÂPermitting kexec_load would
break these chains of trust.

Permitting/denying kexec_load is based on a runtime IMA policy. ÂPatch
6/8 "ima: add build time policy", in this patch set, introduces the
concept of a build time policy. ÂWith these patches, you could
configure your kernel and/or load an IMA policy permitting kexec_load.

Mimi

Next message: Robin Murphy: "[PATCH] dma-mapping: Relax warnings for per-device areas"
Previous message: Sudeep Holla: "Re: [RFC PATCH] ACPI: bus: match of_device_id using acpi device"
In reply to: J Freyensee: "Re: [PATCH v5 3/8] ima: based on policy require signed kexec kernel images"
Next in thread: Mimi Zohar: "[PATCH v5 6/8] ima: add build time policy"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]