Thread (146 messages, 15 authors), 2017-12-07

[PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set

From: Mimi Zohar <hidden>
Date: 2017-10-29 22:26:16
Also in: linux-efi, lkml

On Sat, 2017-10-28 at 16:34 +0800, joeyli wrote:
On Fri, Oct 27, 2017 at 03:32:26PM -0400, Mimi Zohar wrote:
On Thu, 2017-10-26 at 10:17 -0400, Mimi Zohar wrote:
On Thu, 2017-10-26 at 15:42 +0800, joeyli wrote:
Hi Mimi,

Thank you for reviewing.

On Mon, Oct 23, 2017 at 11:54:43AM -0400, Mimi Zohar wrote:
On Thu, 2017-10-19 at 15:51 +0100, David Howells wrote:
From: Chun-Yi Lee <redacted>

When KEXEC_VERIFY_SIG is not enabled, the kernel should not load an image
through the kexec_file system call if securelevel has been set.
The patch title and description need to be updated to refer to
lockdown, not securelevel.

As previously mentioned the last time these patches were posted, this
leaves out testing to see if the integrity subsystem is enabled.

Commit 503ceaef8e2e "ima: define a set of appraisal rules requiring
file signatures" was upstreamed. An additional patch could force
these rules to be added to the custom policy, if lockdown is enabled.
This and other patches in this series could then check to see if
is_ima_appraise_enabled() is true.

Mimi
I have updated the patch title and description, and I also added
is_ima_appraise_enabled() as follows. Is it good for you?
Yes, that works. Thanks! Remember is_ima_appraise_enabled() is
dependent on the "ima: require secure_boot rules in lockdown mode"
patch - http://kernsec.org/pipermail/linux-security-module-archive/2017-October/003910.html.

The IMA "secure_boot" policy can be specified on the boot command line
as ima_policy="secure_boot". It requires kernel modules, firmware,
kexec kernel image and the IMA custom policy to be signed. In
lockdown mode, these rules are enabled by default and added to the
custom policy.
On the other hand, I am not good at IMA. I have traced the code path
in kimage_file_prepare_segments(). It looks like READING_KEXEC_IMAGE
doesn't show up in selinux_kernel_read_file(). Where is the exact code
in IMA for checking the signature when loading the crash kernel file?
kernel_read_file_from_fd() calls the security_kernel_read_file() and
security_kernel_post_read_file() hooks, which call ima_read_file() and
ima_post_read_file() respectively.
Hm, with "lockdown" enabled on the boot command line, I'm now able to
do the kexec load, but not the unload.  :/  After the kexec load with
I have tried on Qemu with OVMF, I can load and unload the second kernel with
the kexec tool (on openSUSE it is in the kexec-tools RPM):

# kexec -u -s
Thanks, I left off the "-s" option, causing it to fail. This is the
correct behavior. So both with/without the "-s" option are working
properly.
I added -s to use kexec-load-file, and I signed the kernel with pesign.
the "--reuse-cmdline" option, the system reboots, but isn't in
"lockdown" mode.
By either enabling secure boot in the EFI firmware or using the _lockdown_ kernel
parameter, the second kernel can be locked down on my OVMF VM.

I used following commands:

# kexec -s -l /boot/vmlinuz-4.14.0-rc2-default+ --append="$(cat /proc/cmdline)" --initrd=/boot/initrd-4.14.0-rc2-default+
# umount -a; mount -o remount,ro /I'
# kexec -e

The kernel source is from David's linux-fs git with the lockdown-20171026 tag.
The kernel is also signed with pesign.
Yes, based on the patches in David's tree, "lockdown" is being carried
to the target OS properly.

Mimi
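An added helper script (not from the thread, kexec-tools or the kernel tree) that applies the checks discussed above to a kernel command line: it looks for the lockdown parameter and the IMA secure_boot policy, and emits the kexec invocation that uses -s (the kexec_file syscall) when the system is locked down, so the loaded image goes through the signature-checking path. The function names and the sample command lines are assumptions of this example.

```shell
#!/bin/sh
# Added example: inspect a kernel command line (e.g. the contents of
# /proc/cmdline) and pick the kexec load form matching the lockdown state.

# Return 0 if the command line carries the lockdown parameter, either as a
# bare "lockdown" word or in "lockdown=<mode>" form.
cmdline_has_lockdown() {
    for word in $1; do
        case "$word" in
            lockdown|lockdown=*) return 0 ;;
        esac
    done
    return 1
}

# Return 0 if ima_policy= selects the secure_boot policy; ima_policy accepts
# several "|"-separated policies, so check each entry rather than the whole value.
cmdline_has_secure_boot_policy() {
    for word in $1; do
        case "$word" in
            ima_policy=*)
                policies=${word#ima_policy=}
                case "|$policies|" in
                    *"|secure_boot|"*) return 0 ;;
                esac
                ;;
        esac
    done
    return 1
}

# Print the kexec load command for the given command line, kernel and initrd.
# Under lockdown only the file-based syscall (-s) is acceptable, because the
# image must be signature-checked (KEXEC_VERIFY_SIG or IMA appraisal); the
# command line is passed through unchanged so lockdown carries to the target.
kexec_load_cmd() {
    cmdline=$1; kernel=$2; initrd=$3
    if cmdline_has_lockdown "$cmdline"; then
        printf 'kexec -s -l %s --initrd=%s --append=%s\n' "$kernel" "$initrd" "'$cmdline'"
    else
        printf 'kexec -l %s --initrd=%s --append=%s\n' "$kernel" "$initrd" "'$cmdline'"
    fi
}

# Usage with a constructed command line (a real run would use "$(cat /proc/cmdline)"):
kexec_load_cmd "root=/dev/sda2 lockdown ima_policy=tcb|secure_boot quiet" \
    /boot/vmlinuz /boot/initrd
```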
