[Linux-ima-devel] [PATCH v2 4/7] ima: measure and appraise kexec image and initramfs
Dave Young
dyoung at redhat.com
Sun Dec 27 18:08:29 PST 2015
Hi, Mimi
On 12/25/15 at 09:45am, Mimi Zohar wrote:
> On Fri, 2015-12-25 at 13:33 +0800, Dave Young wrote:
> > Hi, Mimi
> >
> > CCing kexec list, not all kexec people subscribed to IMA list.
> > I just subscribed to it since Vivek CCed me last time about the V1 of this
> > series.
>
> Thanks!
>
> > On 12/23/15 at 06:55pm, Mimi Zohar wrote:
> > > This patch defines a new IMA hook ima_hash_and_process_file() for
> > > measuring and appraising files read by the kernel. The caller loads
> > > the file into memory before calling this function, which calculates
> > > the hash followed by the normal IMA policy based processing.
> > >
> > > Two new IMA policy functions named KEXEC_CHECK and INITRAMFS_CHECK
> > > are defined for measuring, appraising or auditing the kexec image
> > > and initramfs.
> >
> > Could you help us understand why we need it first?
>
> IMA can be viewed as extending secure and trusted boot to the running
> system in a uniform and consistent manner. As files are accessed,
> based on policy, IMA measures them, appends the file measurements to the
> running measurement list (<securityfs>/ima/ascii_runtime_measurements)
> and appraises the file's integrity, based on either the file's hash or
> signature, which are stored as extended attributes in "security.ima".
>
> There are still a couple of file measurement and appraisal gaps that
> need to be closed.
>
> > I think I do not really understand the purpose of the IMA handling
> > about kexec kernel and initramfs.
>
> One of those measurement and appraisal gaps is files that are read by
> the kernel, like the kexec image and initramfs.
>
> [There is a lot of code duplication in the kernel for reading a file and
> verifying its signature. Each place does it just a bit differently
> than the other. I'm working with Luis Rodriguez on defining a single,
> common function - https://lkml.org/lkml/2015/12/21/478.]
>
> > * Do the files in disk space already contain some hash values,
> > and when the kernel loads them IMA functions will do some checking? But it seems I do not
> > see such handling..
>
> IMA sits on a number of the LSM hooks, where they exist, and in other
> places defines its own hook. This patch set defines a new IMA hook for
> measuring and appraising files being read by the kernel.
>
> > * Does it try to calculate the hash of the file buffer after copying,
>
> IMA calculates the file hash, in this case, based on the buffer
> contents. The hash is calculated once and used for both measurement
> and appraisal. If the file integrity appraisal fails (eg. hash
> comparison or signature failure), IMA prevents the kexec files from
> being used.
>
Ok, thanks for the explanation. But I have another question, why do we
need a special hook for KEXEC? Shouldn't all files use the same way to do the
measurement and appraisal?
Thanks
Dave
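
The flow described in the quoted explanation above (the caller has already read the file into memory, the hash is calculated once over that buffer, then policy decides measurement and appraisal), as a user-space model added here for illustration; it is not code from the patch set or the kernel. The names `hash_and_process`, `POLICY`, `stored_hash` and the file paths are hypothetical, only the function names KEXEC_CHECK and INITRAMFS_CHECK come from the thread, and only hash comparison is modelled, not signature verification.

```python
import hashlib
import hmac

# Constructed policy: actions applied per hook function named in the thread.
POLICY = {
    "KEXEC_CHECK": {"measure", "appraise"},
    "INITRAMFS_CHECK": {"measure"},
}

measurement_list = []  # stand-in for the running measurement list


def hash_and_process(buf, func, path, stored_hash):
    """Model of the described flow; returns True if the buffer may be used.

    stored_hash stands in for the reference value kept in "security.ima"
    (assumption: plain hex SHA-256, no signature).
    """
    actions = POLICY.get(func, set())
    if not actions:
        return True  # function not covered by the policy
    # Hash the bytes that will actually be used, once, for both purposes.
    digest = hashlib.sha256(buf).hexdigest()
    if "measure" in actions:
        measurement_list.append((func, "sha256:" + digest, path))
    if "appraise" in actions:
        if stored_hash is None or not hmac.compare_digest(digest, stored_hash):
            return False  # appraisal failed: caller must not use the buffer
    return True


def demo():
    measurement_list.clear()
    kernel = b"constructed kexec image bytes"      # constructed sample input
    initrd = b"constructed initramfs bytes"        # constructed sample input
    good = hashlib.sha256(kernel).hexdigest()
    results = [
        hash_and_process(kernel, "KEXEC_CHECK", "/boot/vmlinuz-test", good),
        hash_and_process(kernel + b"\x00", "KEXEC_CHECK", "/boot/vmlinuz-test", good),
        hash_and_process(initrd, "INITRAMFS_CHECK", "/boot/initrd-test", None),
    ]
    return results, len(measurement_list)


if __name__ == "__main__":
    print(demo())
```

In this model the modified image is still recorded in the measurement list even though its appraisal fails, so the rejected load remains visible to anyone reviewing the measurements.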