Re: [PATCH V34 09/29] kexec_file: Restrict at runtime if the kernel is locked down

[PATCH V34 00/29] Lockdown as an LSM · Matthew Garrett <hidden> · 2019-06-22
[PATCH V34 01/29] security: Support early LSMs · Matthew Garrett <hidden> · 2019-06-22
Re: [PATCH V34 01/29] security: Support early LSMs · Kees Cook <hidden> · 2019-06-22
[PATCH V34 02/29] security: Add a "locked down" LSM hook · Matthew Garrett <hidden> · 2019-06-22
Re: [PATCH V34 02/29] security: Add a "locked down" LSM hook · Kees Cook <hidden> · 2019-06-22
[PATCH V34 03/29] security: Add a static lockdown policy LSM · Matthew Garrett <hidden> · 2019-06-22
Re: [PATCH V34 03/29] security: Add a static lockdown policy LSM · Kees Cook <hidden> · 2019-06-22
[PATCH V34 04/29] Enforce module signatures if the kernel is locked down · Matthew Garrett <hidden> · 2019-06-22
Re: [PATCH V34 04/29] Enforce module signatures if the kernel is locked down · Kees Cook <hidden> · 2019-06-22
[PATCH V34 05/29] Restrict /dev/{mem,kmem,port} when the kernel is locked down · Matthew Garrett <hidden> · 2019-06-22
Re: [PATCH V34 05/29] Restrict /dev/{mem,kmem,port} when the kernel is locked down · Kees Cook <hidden> · 2019-06-22
[PATCH V34 06/29] kexec_load: Disable at runtime if the kernel is locked down · Matthew Garrett <hidden> · 2019-06-22
Re: [PATCH V34 06/29] kexec_load: Disable at runtime if the kernel is locked down · Kees Cook <hidden> · 2019-06-22
[PATCH V34 07/29] Copy secure_boot flag in boot params across kexec reboot · Matthew Garrett <hidden> · 2019-06-22
Re: [PATCH V34 07/29] Copy secure_boot flag in boot params across kexec reboot · Kees Cook <hidden> · 2019-06-22
[PATCH V34 08/29] kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE · Matthew Garrett <hidden> · 2019-06-22
Re: [PATCH V34 08/29] kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE · Dave Young <hidden> · 2019-06-24
Re: [PATCH V34 08/29] kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE · Dave Young <hidden> · 2019-06-25
[PATCH V34 10/29] hibernate: Disable when the kernel is locked down · Matthew Garrett <hidden> · 2019-06-22
Re: [PATCH V34 10/29] hibernate: Disable when the kernel is locked down · Pavel Machek <hidden> · 2019-06-22
Re: [PATCH V34 10/29] hibernate: Disable when the kernel is locked down · Jiri Kosina <jikos@kernel.org> · 2019-06-24
Re: [PATCH V34 10/29] hibernate: Disable when the kernel is locked down · Joey Lee <JLee@suse.com> · 2019-07-10
Re: [PATCH V34 10/29] hibernate: Disable when the kernel is locked down · joeyli <hidden> · 2019-07-11
Re: [PATCH V34 10/29] hibernate: Disable when the kernel is locked down · Kees Cook <hidden> · 2019-06-22
[PATCH V34 11/29] PCI: Lock down BAR access when the kernel is locked down · Matthew Garrett <hidden> · 2019-06-22
Re: [PATCH V34 11/29] PCI: Lock down BAR access when the kernel is locked down · Kees Cook <hidden> · 2019-06-22
[PATCH V34 12/29] x86: Lock down IO port access when the kernel is locked down · Matthew Garrett <hidden> · 2019-06-22
Re: [PATCH V34 12/29] x86: Lock down IO port access when the kernel is locked down · Kees Cook <hidden> · 2019-06-22
[PATCH V34 15/29] acpi: Ignore acpi_rsdp kernel param when the kernel has been locked down · Matthew Garrett <hidden> · 2019-06-22
Re: [PATCH V34 15/29] acpi: Ignore acpi_rsdp kernel param when the kernel has been locked down · Kees Cook <hidden> · 2019-06-22
[PATCH V34 17/29] Prohibit PCMCIA CIS storage when the kernel is locked down · Matthew Garrett <hidden> · 2019-06-22
Re: [PATCH V34 17/29] Prohibit PCMCIA CIS storage when the kernel is locked down · Kees Cook <hidden> · 2019-06-23
[PATCH V34 18/29] Lock down TIOCSSERIAL · Matthew Garrett <hidden> · 2019-06-22
Re: [PATCH V34 18/29] Lock down TIOCSSERIAL · Kees Cook <hidden> · 2019-06-23
[PATCH V34 20/29] x86/mmiotrace: Lock down the testmmiotrace module · Matthew Garrett <hidden> · 2019-06-22
Re: [PATCH V34 20/29] x86/mmiotrace: Lock down the testmmiotrace module · Kees Cook <hidden> · 2019-06-23
Re: [PATCH V34 20/29] x86/mmiotrace: Lock down the testmmiotrace module · Thomas Gleixner <hidden> · 2019-06-23
[PATCH V34 21/29] Lock down /proc/kcore · Matthew Garrett <hidden> · 2019-06-22
Re: [PATCH V34 21/29] Lock down /proc/kcore · Kees Cook <hidden> · 2019-06-23
[PATCH V34 24/29] Lock down perf when in confidentiality mode · Matthew Garrett <hidden> · 2019-06-22
Re: [PATCH V34 24/29] Lock down perf when in confidentiality mode · Kees Cook <hidden> · 2019-06-23
[PATCH V34 27/29] tracefs: Restrict tracefs when the kernel is locked down · Matthew Garrett <hidden> · 2019-06-22
[PATCH V34 28/29] efi: Restrict efivar_ssdt_load when the kernel is locked down · Matthew Garrett <hidden> · 2019-06-22
Re: [PATCH V34 28/29] efi: Restrict efivar_ssdt_load when the kernel is locked down · Kees Cook <hidden> · 2019-06-23
Re: [PATCH V34 28/29] efi: Restrict efivar_ssdt_load when the kernel is locked down · Ard Biesheuvel <hidden> · 2019-06-25
[PATCH V34 29/29] lockdown: Print current->comm in restriction messages · Matthew Garrett <hidden> · 2019-06-22
Re: [PATCH V34 29/29] lockdown: Print current->comm in restriction messages · Kees Cook <hidden> · 2019-06-23
[PATCH V34 26/29] debugfs: Restrict debugfs when the kernel is locked down · Matthew Garrett <hidden> · 2019-06-22
[PATCH V34 25/29] kexec: Allow kexec_file() with appropriate IMA policy when locked down · Matthew Garrett <hidden> · 2019-06-22
[PATCH V34 23/29] bpf: Restrict bpf when kernel lockdown is in confidentiality mode · Matthew Garrett <hidden> · 2019-06-22
Re: [PATCH V34 23/29] bpf: Restrict bpf when kernel lockdown is in confidentiality mode · Kees Cook <hidden> · 2019-06-23
Re: [PATCH V34 23/29] bpf: Restrict bpf when kernel lockdown is in confidentiality mode · Daniel Borkmann <daniel@iogearbox.net> · 2019-06-24
Re: [PATCH V34 23/29] bpf: Restrict bpf when kernel lockdown is in confidentiality mode · Matthew Garrett <hidden> · 2019-06-24
Re: [PATCH V34 23/29] bpf: Restrict bpf when kernel lockdown is in confidentiality mode · Andy Lutomirski <luto@kernel.org> · 2019-06-24
Re: [PATCH V34 23/29] bpf: Restrict bpf when kernel lockdown is in confidentiality mode · Matthew Garrett <hidden> · 2019-06-24
Re: [PATCH V34 23/29] bpf: Restrict bpf when kernel lockdown is in confidentiality mode · Daniel Borkmann <daniel@iogearbox.net> · 2019-06-24
Re: [PATCH V34 23/29] bpf: Restrict bpf when kernel lockdown is in confidentiality mode · Matthew Garrett <hidden> · 2019-06-24
[PATCH V34 22/29] Lock down tracing and perf kprobes when in confidentiality mode · Matthew Garrett <hidden> · 2019-06-22
Re: [PATCH V34 22/29] Lock down tracing and perf kprobes when in confidentiality mode · Kees Cook <hidden> · 2019-06-23
Re: [PATCH V34 22/29] Lock down tracing and perf kprobes when in confidentiality mode · Masami Hiramatsu <mhiramat@kernel.org> · 2019-06-23
[PATCH V34 19/29] Lock down module params that specify hardware parameters (eg. ioport) · Matthew Garrett <hidden> · 2019-06-22
Re: [PATCH V34 19/29] Lock down module params that specify hardware parameters (eg. ioport) · Kees Cook <hidden> · 2019-06-23
Re: [PATCH V34 19/29] Lock down module params that specify hardware parameters (eg. ioport) · Daniel Axtens <hidden> · 2019-06-27
Re: [PATCH V34 19/29] Lock down module params that specify hardware parameters (eg. ioport) · Matthew Garrett <hidden> · 2019-06-27
[PATCH V34 16/29] acpi: Disable ACPI table override if the kernel is locked down · Matthew Garrett <hidden> · 2019-06-22
Re: [PATCH V34 16/29] acpi: Disable ACPI table override if the kernel is locked down · Kees Cook <hidden> · 2019-06-23
[PATCH V34 13/29] x86/msr: Restrict MSR access when the kernel is locked down · Matthew Garrett <hidden> · 2019-06-22
[PATCH V34 14/29] ACPI: Limit access to custom_method when the kernel is locked down · Matthew Garrett <hidden> · 2019-06-22
Re: [PATCH V34 14/29] ACPI: Limit access to custom_method when the kernel is locked down · Kees Cook <hidden> · 2019-06-22
[PATCH V34 09/29] kexec_file: Restrict at runtime if the kernel is locked down · Matthew Garrett <hidden> · 2019-06-22
Re: [PATCH V34 09/29] kexec_file: Restrict at runtime if the kernel is locked down · Kees Cook <hidden> · 2019-06-22
Re: [PATCH V34 09/29] kexec_file: Restrict at runtime if the kernel is locked down · James Morris <jmorris@namei.org> · 2019-06-27
Re: [PATCH V34 09/29] kexec_file: Restrict at runtime if the kernel is locked down · Matthew Garrett <hidden> · 2019-06-27
Re: [PATCH V34 09/29] kexec_file: Restrict at runtime if the kernel is locked down · James Morris <jmorris@namei.org> · 2019-06-27
Re: [PATCH V34 09/29] kexec_file: Restrict at runtime if the kernel is locked down · Matthew Garrett <hidden> · 2019-06-27
Re: [PATCH V34 00/29] Lockdown as an LSM · James Morris <jmorris@namei.org> · 2019-06-24
Re: [PATCH V34 00/29] Lockdown as an LSM · Casey Schaufler <casey@schaufler-ca.com> · 2019-06-24
Re: [PATCH V34 00/29] Lockdown as an LSM · Matthew Garrett <hidden> · 2019-06-24
Re: [PATCH V34 00/29] Lockdown as an LSM · James Morris <jmorris@namei.org> · 2019-06-25
Re: [PATCH V34 00/29] Lockdown as an LSM · John Johansen <john.johansen@canonical.com> · 2019-06-25

From: Matthew Garrett <hidden>
Date: 2019-06-27 15:28:23
Also in: kexec, linux-api, lkml

On Wed, Jun 26, 2019 at 9:59 PM James Morris [off-list ref] wrote:

This is not a criticism of the patch but a related issue which I haven't
seen discussed (apologies if it has).

If signed code is loaded into ring 0, verified by the kernel, then
executed, you still lose your secure/trusted/verified boot state. If the
currently running kernel has been runtime-compromised, any signature
verification performed by the kernel cannot be trusted.

This problem is out of scope for the lockdown threat model (which
naturally cannot include a compromised kernel), but folk should be aware
that signature-verified kexec does not provide equivalent assurance to a
full reboot on a secure-boot system.

By that metric, on a secure boot system how do we determine that code
running in the firmware environment wasn't compromised before it
launched the initial signed kernel?

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help