Re: [PATCH] kexec_file: ima: allow loading a kernel with its IMA signature verified

From: Eric Snowberg
Date: Thu Jul 13 2023 - 14:00:24 EST




> On Jul 12, 2023, at 12:31 PM, Mimi Zohar <zohar@xxxxxxxxxxxxx> wrote:
>
> [Cc'ing the LSM mailing list.]
>
> On Tue, 2023-07-11 at 11:16 +0800, Coiby Xu wrote:
>> When IMA has verified the signature of the kernel image, kexec'ing this
>> kernel should be allowed.
>>
>> Fixes: af16df54b89d ("ima: force signature verification when CONFIG_KEXEC_SIG is configured")
>> Signed-off-by: Coiby Xu <coxu@xxxxxxxxxx>
>
> The original commit 29d3c1c8dfe7 ("kexec: Allow kexec_file() with
> appropriate IMA policy when locked down") was not in lieu of the PE-
> COFF signature, but allowed using the IMA signature on other
> architectures.
>
> Currently on systems with both PE-COFF and IMA signatures, both
> signatures are verified, assuming the file is in the IMA policy. If
> either signature verification fails, the kexec fails.
>
> With this patch, only the IMA signature would be verified.
>
>> ---
>> kernel/kexec_file.c | 14 +++++++++-----
>> 1 file changed, 9 insertions(+), 5 deletions(-)
>>
>> diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
>> index 881ba0d1714c..96fce001fbc0 100644
>> --- a/kernel/kexec_file.c
>> +++ b/kernel/kexec_file.c
>> @@ -162,6 +162,13 @@ kimage_validate_signature(struct kimage *image)
>> ret = kexec_image_verify_sig(image, image->kernel_buf,
>> image->kernel_buf_len);
>> if (ret) {
>> + /*
>> + * If the kernel image already has its IMA signature verified, permit it.
>> + */
>> + if (ima_appraise_signature(READING_KEXEC_IMAGE)) {
>> + pr_notice("The kernel image already has its IMA signature verified.\n");
>> + return 0;
>> + }

The issue I see here is ret could be many things, for example it could be
-EKEYREJECTED, meaning it was contained on a revocation list. With this patch
the revocation could be overruled if the image was IMA signed with a different
key. Do we really want to add the ability to overrule a revocation?

>>
>> if (sig_enforce) {
>> pr_notice("Enforced kernel signature verification failed (%d).\n", ret);
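Review bot: The new fallback in this hunk ignores the value of `ret`, so every PE-COFF verification failure, including a rejected or revoked key, is turned into success whenever `ima_appraise_signature(READING_KEXEC_IMAGE)` is true; the -EKEYREJECTED case raised above is exactly this. If the intent is only to cover images that carry no PE-COFF signature on architectures that rely on the IMA signature, the check should be limited to that failure mode rather than applied after any error. The `pr_notice()` text is also misleading: judging by the comment this series removes further down ("If IMA is guaranteed to appraise a signature on the kexec image"), `ima_appraise_signature()` reports that IMA will appraise the image under the current policy, not that a signature has already been verified, so the message should say so.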
>> @@ -169,12 +176,9 @@ kimage_validate_signature(struct kimage *image)
>> }
>>
>> /*
>> - * If IMA is guaranteed to appraise a signature on the kexec
>> - * image, permit it even if the kernel is otherwise locked
>> - * down.
>> + * When both IMA and KEXEC_SIG fail in lockdown mode, reject it.
>> */
>> - if (!ima_appraise_signature(READING_KEXEC_IMAGE) &&
>> - security_locked_down(LOCKDOWN_KEXEC))
>> + if (security_locked_down(LOCKDOWN_KEXEC))
>> return -EPERM;
>>
>> pr_debug("kernel signature verification failed (%d).\n", ret);
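Review bot: The replacement comment "When both IMA and KEXEC_SIG fail in lockdown mode, reject it" no longer matches the condition beneath it, which now tests only `security_locked_down(LOCKDOWN_KEXEC)` and makes no reference to IMA. The IMA condition is only satisfied by the early `return 0` added in the previous hunk, which this comment does not mention, so a reader of this hunk alone sees a comment that claims a two-sided check while the code performs a one-sided one. Please reword the comment to say that the IMA case was handled above and that a locked-down kernel rejects any image whose signature verification failed, so the comment stands on its own.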
>
>