[PATCH] kexec_file: ima: allow loading a kernel with its IMA signature verified

Eric Snowberg eric.snowberg at oracle.com
Thu Jul 13 10:59:38 PDT 2023 


> On Jul 12, 2023, at 12:31 PM, Mimi Zohar <zohar at linux.ibm.com> wrote:
> 
> [Cc'ing the LSM mailing list.]
> 
> On Tue, 2023-07-11 at 11:16 +0800, Coiby Xu wrote:
>> When IMA has verified the signature of the kernel image, kexec'ing this
>> kernel should be allowed.
>> 
>> Fixes: af16df54b89d ("ima: force signature verification when CONFIG_KEXEC_SIG is configured")
>> Signed-off-by: Coiby Xu <coxu at redhat.com>
> 
> The original commit  29d3c1c8dfe7 ("kexec: Allow kexec_file() with
> appropriate IMA policy when locked down") was not in lieu of the PE-
> COFF signature, but allowed using the IMA signature on other
> architectures.
> 
> Currently on systems with both PE-COFF and IMA signatures, both
> signatures are verified, assuming the file is in the IMA policy.  If
> either signature verification fails, the kexec fails.
> 
> With this patch, only the IMA signature would be verified.
> 
>> ---
>> kernel/kexec_file.c | 14 +++++++++-----
>> 1 file changed, 9 insertions(+), 5 deletions(-)
>> 
>> diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
>> index 881ba0d1714c..96fce001fbc0 100644
>> --- a/kernel/kexec_file.c
>> +++ b/kernel/kexec_file.c
>> @@ -162,6 +162,13 @@ kimage_validate_signature(struct kimage *image)
>> 	ret = kexec_image_verify_sig(image, image->kernel_buf,
>> 				     image->kernel_buf_len);
>> 	if (ret) {
>> +		/*
>> +		 * If the kernel image already has its IMA signature verified, permit it.
>> +		 */
>> +		if (ima_appraise_signature(READING_KEXEC_IMAGE)) {
>> +			pr_notice("The kernel image already has its IMA signature verified.\n");
>> +			return 0;
>> +		}

The issue I see here is ret could be many things, for example it could be
-EKEYREJECTED, meaning it was contained on a revocation list.  With this patch
the revocation could be overruled if the image was IMA signed with a different
key.  Do we really want to add the ability to overrule a revocation?

>> 
>> 		if (sig_enforce) {
>> 			pr_notice("Enforced kernel signature verification failed (%d).\n", ret);
>> @@ -169,12 +176,9 @@ kimage_validate_signature(struct kimage *image)
>> 		}
>> 
>> 		/*
>> -		 * If IMA is guaranteed to appraise a signature on the kexec
>> -		 * image, permit it even if the kernel is otherwise locked
>> -		 * down.
>> +		 * When both IMA and KEXEC_SIG fail in lockdown mode, reject it.
>> 		 */
>> -		if (!ima_appraise_signature(READING_KEXEC_IMAGE) &&
>> -		    security_locked_down(LOCKDOWN_KEXEC))
>> +		if (security_locked_down(LOCKDOWN_KEXEC))
>> 			return -EPERM;
>> 
>> 		pr_debug("kernel signature verification failed (%d).\n", ret);
> 
>

More information about the kexec mailing list