Re: [RFC PATCH 0/2] ima: uncompressed module appraisal support
From: Eric Snowberg <eric.snowberg@oracle.com>
Date: 2020-02-07 21:38:55
Also in:
linux-integrity, lkml
On Feb 7, 2020, at 11:54 AM, Mimi Zohar [off-list ref] wrote: On Fri, 2020-02-07 at 11:45 -0700, Eric Snowberg wrote:quoted
quoted
On Feb 7, 2020, at 11:28 AM, Mimi Zohar [off-list ref] wrote: On Fri, 2020-02-07 at 10:49 -0700, Eric Snowberg wrote:quoted
quoted
On Feb 7, 2020, at 10:40 AM, Mimi Zohar [off-list ref] wrote:quoted
$ insmod ./foo.ko insmod: ERROR: could not insert module ./foo.ko: Permission denied last entry from audit log: type=INTEGRITY_DATA msg=audit(1581089373.076:83): pid=2874 uid=0 auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0- s0:c0.c1023 op=appraise_data cause=invalid-signature comm="insmod" name="/root/keys/modules/foo.ko" dev="dm-0" ino=10918365 res=0^]UID="root" AUID=“root" This is because modsig_verify() will be called from within ima_appraise_measurement(), since try_modsig is true. Then modsig_verify() will return INTEGRITY_FAIL.Why is it an "invalid signature"? For that you need to look at the kernel messages. Most likely it can't find the public key on the .ima keyring to verify the signature.It is invalid because the module has not been ima signed.With the IMA policy rule "appraise func=MODULE_CHECK appraise_type=imasig|modsig", IMA first tries to verify the IMA signature stored as an xattr and on failure then attempts to verify the appended signatures. The audit message above indicates that there was a signature, but the signature validation failed.I do have CONFIG_IMA_APPRAISE_MODSIG enabled. I believe the audit message above is coming from modsig_verify in security/integrity/ima/ima_appraise.c.Right, and it's calling: rc = integrity_modsig_verify(INTEGRITY_KEYRING_IMA, modsig); It's failing because it is trying to find the public key on the .ima keyring. Make sure that the public needed to validate the kernel module is on the IMA keyring (eg. keyctl show %keyring:.ima).
I know that will validate the module properly, but that is not what I’m trying to solve here. I thought the point of adding “|modsig” to the ima policy was to tell ima it can either validate against an ima keyring OR default back to the kernel keyring. This is what happens with the compressed module. There isn’t anything in the ima keyring to validate the compressed modules and it loads when I add “|modsig”. The use case I’m trying to solve is when someone boots with ima_policy=secure_boot. If their initramfs contains compressed modules with appended signatures the system boots. If they use the same ima policy with an initramfs that contains uncompressed modules, it doesn't boot. I thought the point of adding “|modsig” was to help with the initramfs problem, since it is difficult to ima sign things within it.