Re: [PATCH] kexec_file: ima: allow loading a kernel with its IMA signature verified

From: Mimi Zohar
Date: Wed Jul 12 2023 - 14:31:59 EST

Next message: Takahiro Itazuri: "[PATCH] KVM: pass through CPUID 0x80000005"
Previous message: Ricardo Neri: "Re: [PATCH] sched/topology: remove unneeded do while loop in cpu_attach_domain()"
In reply to: Coiby Xu: "[PATCH] kexec_file: ima: allow loading a kernel with its IMA signature verified"
Next in thread: Eric Snowberg: "Re: [PATCH] kexec_file: ima: allow loading a kernel with its IMA signature verified"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[Cc'ing the LSM mailing list.]

On Tue, 2023-07-11 at 11:16 +0800, Coiby Xu wrote:
> When IMA has verified the signature of the kernel image, kexec'ing this
> kernel should be allowed.
>
> Fixes: af16df54b89d ("ima: force signature verification when CONFIG_KEXEC_SIG is configured")
> Signed-off-by: Coiby Xu <coxu@xxxxxxxxxx>

The original commit 29d3c1c8dfe7 ("kexec: Allow kexec_file() with
appropriate IMA policy when locked down") was not in lieu of the PE-
COFF signature, but allowed using the IMA signature on other
architectures.

Currently on systems with both PE-COFF and IMA signatures, both
signatures are verified, assuming the file is in the IMA policy. If
either signature verification fails, the kexec fails.

With this patch, only the IMA signature would be verified.

> ---
> kernel/kexec_file.c | 14 +++++++++-----
> 1 file changed, 9 insertions(+), 5 deletions(-)
>
> diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
> index 881ba0d1714c..96fce001fbc0 100644
> --- a/kernel/kexec_file.c
> +++ b/kernel/kexec_file.c
> @@ -162,6 +162,13 @@ kimage_validate_signature(struct kimage *image)
> ret = kexec_image_verify_sig(image, image->kernel_buf,
> image->kernel_buf_len);
> if (ret) {
> + /*
> + * If the kernel image already has its IMA signature verified, permit it.
> + */
> + if (ima_appraise_signature(READING_KEXEC_IMAGE)) {
> + pr_notice("The kernel image already has its IMA signature verified.\n");
> + return 0;
> + }
>
> if (sig_enforce) {
> pr_notice("Enforced kernel signature verification failed (%d).\n", ret);
> @@ -169,12 +176,9 @@ kimage_validate_signature(struct kimage *image)
> }
>
> /*
> - * If IMA is guaranteed to appraise a signature on the kexec
> - * image, permit it even if the kernel is otherwise locked
> - * down.
> + * When both IMA and KEXEC_SIG fail in lockdown mode, reject it.
> */
> - if (!ima_appraise_signature(READING_KEXEC_IMAGE) &&
> - security_locked_down(LOCKDOWN_KEXEC))
> + if (security_locked_down(LOCKDOWN_KEXEC))
> return -EPERM;
>
> pr_debug("kernel signature verification failed (%d).\n", ret);

Next message: Takahiro Itazuri: "[PATCH] KVM: pass through CPUID 0x80000005"
Previous message: Ricardo Neri: "Re: [PATCH] sched/topology: remove unneeded do while loop in cpu_attach_domain()"
In reply to: Coiby Xu: "[PATCH] kexec_file: ima: allow loading a kernel with its IMA signature verified"
Next in thread: Eric Snowberg: "Re: [PATCH] kexec_file: ima: allow loading a kernel with its IMA signature verified"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]