[RFC] Kdump with UEFI secure boot (Re: [PATCH v2] kdump: pass acpi_rsdp= to 2nd kernel for efi booting)

Vivek Goyal vgoyal at redhat.com
Tue Oct 23 10:59:20 EDT 2012


On Tue, Oct 23, 2012 at 09:18:54AM -0400, Vivek Goyal wrote:

[..]
> > >> There are 3 options for trusting /sbin/kexec.  There are IMA and EMA,
> > >> and it is conceivable to have ELF note sections with signatures for
> > >> executables.
> > >
> > > Can you please tell more about what is EMA and IMA. I did quick google
> > > and could not find much.
> > 
> > That should have been EVM and IMA.  Look under security/integrity/.  I
> > don't know much about them but they appear to be security modules with a
> > focus on verifying checksum or perhaps encrypted hashes of executables
> > are consistent.
> 
> I will do some quick search there and I see if I can understand something.
> 

Ok, I quickly went through following paper.

http://mirror.transact.net.au/sourceforge/l/project/li/linux-ima/linux-ima/Integrity_overview.pdf

So it looks like that IMA can store the hashes of files and at execute
time ensure those hashes are unchanged to protect against the possibility
of modification of files.

But what about creation of a new program which can call kexec_load()
and execute an unsigned kernel. Doesn't look like that will be
prevented using IMA.

Whole idea behind UEFI secure boot seems to be that all signing happens
outside the running system and now only signed code can run with higher
priviliges. IMA seems to be only protecting against only making sure
existing binaries are not modifed but it does not seem to prevent against
installation of new binaries and these binaries take advantage of kexec
system call to load an unsigned kernel. 

Thanks
Vivek



More information about the kexec mailing list