[RFC PATCH v2 06/11] kexec: replace call to copy_file_from_fd() with kernel version

Mon Jan 25 17:20:31 PST 2016

Hi, Mimi

On 01/25/16 at 10:04am, Mimi Zohar wrote:
> On Mon, 2016-01-25 at 14:37 +0800, Dave Young wrote:
> > Hi, Mimi
> > 
> > Besides of code issues, I have several thing to be understand:
> > 
> > What is the effect to kexec behavior with this patchset?
> >   - without IMA enabled (kconfig or kernel cmdline) it will be same as before?
> 
> Yes, without IMA configured or an IMA policy, it is the same as before.
> 
> >   - with IMA enabled for kernel bzImage, kexec_file_load will check both ima
> >     signature and original pe file signature, those two mechanisms are
> >     somehow duplicated. I'm not sure if we need both for bzImage.
> 
> IMA provides a uniform method of measuring and appraising all files on
> the system, based on policy.  The IMA policy could prevent the original
> kexec syscall.  On systems without MODULE_SIG_FORCE, the IMA policy
> would require an IMA signature as well.  (The current patch would
> require both, even when MODULE_SIG_FORCE is enabled.)

Hmm, enabling policy is in userspace (initramfs?) so it may not be good
enough for secure boot case. IMA can be used as a uniform method for kexec
kernel signature verification for !UEFI or !secure-boot case. 

> 
> The pe format is supported on x86.  Why require the pe file signature
> format on all platforms?

For secure boot purpose, an uefi bootable kernel (as an uefi applicatioin)
require it to be a pe file.

But for !secure-boot it is not mandatory.

> 
> > Do you have a simple usage documentation about how to test it?
> 
> The wiki[1] and ima-evm-ctl package[2] have directions for enabling
> IMA/IMA-appraisal.
> 
> To include just the kexec image and initramfs file hashes in the IMA
> measurement list, create a file containing the following IMA policy
> rules.  "cat" the policy and redirect the output
> to /sys/kernel/security/ima/policy.   After loading the kexec image and
> initramfs, the IMA measurements will be included in the measurement list
> (/sys/kernel/security/ima/ascii_runtime_measurements)
> 
> IMA policy: 
> measure func=KEXEC_CHECK
> measure func=INITRAMFS_CHECK
> 
> Appraising the kexec image and initramfs is a bit more complicated as it
> requires creating a key, which is signed by a key on the system keyring,
> and loading the key onto the trusted IMA keyring.  To simplify testing,
> without CONFIG_IMA_TRUSTED_KEYRING enabled, the key being loaded onto
> the IMA keyring does not need to be signed.  The evmctl man page[2]
> contains directions for creating and loading the key onto the IMA
> keyring. 
> 
> To appraise just the kexec image and initramfs files, add the following
> two rules to the IMA policy and load the policy as before.  (The policy
> can only be loaded once per boot, unless IMA_WRITE_POLICY is configured.
> With the default appraisal policy, the policy would need to signed.)
> Sign the kexec image and initramfs with evmctl before loading them.
> 
> # evmctl ima_sign -k <private key> -a sha256 <VM image>
> # evmctl ima_sign -k <private key> -a sha256 <initramfs>
> 
> IMA appraise policy:
> appraise func=KEXEC_CHECK appraise_type=imasig
> appraise func=INITRAMFS_CHECK appraise_type=imasig
> 
> [1] http://sourceforge.net/p/linux-ima/wiki/Home
> [2] http://linux-ima.sourceforge.net/evmctl.1.html

Thank you, will try

> 
> > > +{
> > > +	struct fd f = fdget(fd);
> > > +	int ret = -ENOEXEC;
> > 
> > -EBADF looks better?
> 
> Sure.
> 

Seems you missed another comment about the policy id name?
can the name be like below?
KEXEC_KERNEL_CHECK
KEXEC_INITRAMFS_CHECK

Thanks
Dave