On Wed, 2020-07-29 at 12:29 -0400, Mimi Zohar wrote:
On Tue, 2020-07-28 at 12:43 -0700, Kees Cook wrote:
On Mon, Jul 27, 2020 at 06:57:45AM -0400, Mimi Zohar wrote:
On Fri, 2020-07-24 at 14:36 -0700, Kees Cook wrote:
Now that security_post_load_data() is wired up, use it instead of the NULL file argument style of security_post_read_file(), and update the security_kernel_load_data() call to indicate that a security_kernel_post_load_data() call is expected.
Wire up the IMA check to match earlier logic. Perhaps a generalized change to ima_post_load_data() might look something like this:
return process_buffer_measurement(buf, size, kernel_load_data_id_str(load_id), read_idmap[load_id] ?: FILE_CHECK, 0, NULL);
Signed-off-by: Kees Cook <keescook@chromium.org>
process_measurement() measures, verifies a file signature - both signatures stored as an xattr and as an appended buffer signature - and augments audit records with the file hash. (Support for measuring, augmenting audit records, and/or verifying fs-verity signatures has yet to be added.)
As explained in my response to 11/19, the file descriptor provides the file pathname associated with the buffer data. In addition, IMA policy rules may be defined in terms of other file descriptor info - uid, euid, uuid, etc.
Recently support was added for measuring the kexec boot command line, certificates being loaded onto a keyring, and blacklisted file hashes (limited to appended signatures). None of these buffers are signed. process_buffer_measurement() was added for this reason and as a result is limited to just measuring the buffer data.
Whether process_measurement() or process_buffer_measurement() should be modified needs to be determined. In either case, supporting the init_module syscall would at minimum require the associated file pathname.
Right -- I don't intend to make changes to the init_module() syscall since it's deprecated, so this hook is more of a "fuller LSM coverage for old syscalls" addition.
IMA can happily continue to ignore it, which is what I have here, but I thought I'd at least show what it *might* look like. Perhaps BPF LSM is a better example.
Does anything need to change for this patch?
I wasn't aware that the init_module syscall was deprecated. From your original comments, it sounded like you wanted a new LSM hook for verifying kernel module signatures, as they're currently supported via init_module().
I was mistaken. Without a file descriptor, security_post_load_data() will measure the firmware, as Scott confirmed, but won't be able to verify the signature, whether he signed it using evmctl or not,
Actually, the partial firmware read should be calling security_kernel_read_file(). The sysfs firmware fallback is calling security_kernel_load_data(). Which firmware is calling security_kernel_post_load_data()?
thanks,
Mimi