On Thu, Feb 14, 2013 at 03:54:45PM -0500, Vivek Goyal wrote: > On Thu, Feb 14, 2013 at 02:49:16PM -0500, Mimi Zohar wrote: > > [..] > > > > I think you're making this more complicated than it needs to be. Allow > > > > the execution unless the file failed signature verification. The > > > > additional capability is given only if the signature verification > > > > succeeds. > > > > > > I am just trying to bring it inline with module signature verification. > > > There also module loading fails if signatures are present but kernel > > > can't verify it. > > > > A specific hook is defined for kernel module signature verification, > > which is enabled/disabled in Kconfig. When enabled, only signed modules > > are loaded. The kernel module hook does not verify the integrity of the > > userspace application (eg. insmod, modprobe), but of the kernel module > > being loaded. > > > > Your original patches verified the integrity of the userspace > > application kexec, not the image being loaded. ima_bprm_check() > > verifies the integrity of executables. To permit both signed and > > unsigned files to execute, we defined the 'optional' IMA policy flag, > > with the intention of giving more capability to signed executables. > > > > Unless we define a kexec specific hook for verifying kernel images, it's > > not the same. > > I think we are talking of two different things here. > > I am referring to kernel module signing where signatures are appended > to module (not IMA hook). > > Also I am just referring to behavior about what happens if some error > happens while signature verification. > > - If signature verification fails, it is clear what to do. > - If signature verification passes, it is clear what to do. > - Grey area is, what happens if some error is encountered during signature > verification. Should the module loading be allowed/disallowed. Looking > at the module loading code, once it is determined that module has > signature appended to it, module loading fails if some error occurs > during signature verification. > > So I am just referring to that fact and trying to draw parallels between > error handling during module signature verification and error handling > when file appraisal happens in IMA. > > There can be two options. > > - Disallow execution only if signature verification fails. If some error > happens during verification, ignore it, let the executable continue. > Just that it does not get extra capability. > > - Disallow execution only if executable is not signed or it has valid > signature. If executable is signed and some error happens during the > process of verifying signature, execution is denied. >
Little typo in second option. I meant "Allow execution only if executable is not signed or it has valid signatures". Thanks Vivek -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
