Message ID | 20220719171647.3574253-1-eric.snowberg@oracle.com (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
Series | lockdown: Fix kexec lockdown bypass with ima policy | expand |
> On 19 Jul 2022, at 18:16, Eric Snowberg <eric.snowberg@oracle.com> wrote: > > The lockdown LSM is primarily used in conjunction with UEFI Secure Boot. > This LSM may also be used on machines without UEFI. It can also be enabled > when UEFI Secure Boot is disabled. One of lockdown's features is to prevent > kexec from loading untrusted kernels. Lockdown can be enabled through a > bootparam or after the kernel has booted through securityfs. > > If IMA appraisal is used with the "ima_appraise=log" boot param, > lockdown can be defeated with kexec on any machine when Secure Boot is > disabled or unavailable. IMA prevents setting "ima_appraise=log" > from the boot param when Secure Boot is enabled, but this does not cover > cases where lockdown is used without Secure Boot. > > To defeat lockdown, boot without Secure Boot and add ima_appraise=log > to the kernel command line; then: > > $ echo "integrity" > /sys/kernel/security/lockdown > $ echo "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig" > \ > /sys/kernel/security/ima/policy > $ kexec -ls unsigned-kernel > > Add a call to verify ima appraisal is set to "enforce" whenever lockdown > is enabled. This fixes CVE-2022-21505. > > Fixes: 29d3c1c8dfe7 ("kexec: Allow kexec_file() with appropriate IMA policy when locked down") > Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com> > Acked-by: Mimi Zohar <zohar@linux.ibm.com> Reviewed-by: John Haxby <john.haxby@oracle.com> > --- > security/integrity/ima/ima_policy.c | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c > index 73917413365b..a8802b8da946 100644 > --- a/security/integrity/ima/ima_policy.c > +++ b/security/integrity/ima/ima_policy.c > @@ -2247,6 +2247,10 @@ bool ima_appraise_signature(enum kernel_read_file_id id) > if (id >= READING_MAX_ID) > return false; > > + if (id == READING_KEXEC_IMAGE && !(ima_appraise & IMA_APPRAISE_ENFORCE) > + && security_locked_down(LOCKDOWN_KEXEC)) > + return false; > + > func = read_idmap[id] ?: FILE_CHECK; > > rcu_read_lock(); > -- > 2.27.0 > >
On Tue, Jul 19, 2022 at 01:16:47PM -0400, Eric Snowberg wrote: > The lockdown LSM is primarily used in conjunction with UEFI Secure Boot. > This LSM may also be used on machines without UEFI. It can also be enabled > when UEFI Secure Boot is disabled. One of lockdown's features is to prevent > kexec from loading untrusted kernels. Lockdown can be enabled through a > bootparam or after the kernel has booted through securityfs. > > If IMA appraisal is used with the "ima_appraise=log" boot param, > lockdown can be defeated with kexec on any machine when Secure Boot is > disabled or unavailable. IMA prevents setting "ima_appraise=log" > from the boot param when Secure Boot is enabled, but this does not cover > cases where lockdown is used without Secure Boot. > > To defeat lockdown, boot without Secure Boot and add ima_appraise=log > to the kernel command line; then: > > $ echo "integrity" > /sys/kernel/security/lockdown > $ echo "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig" > \ > /sys/kernel/security/ima/policy > $ kexec -ls unsigned-kernel > > Add a call to verify ima appraisal is set to "enforce" whenever lockdown > is enabled. This fixes CVE-2022-21505. > > Fixes: 29d3c1c8dfe7 ("kexec: Allow kexec_file() with appropriate IMA policy when locked down") > Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com> > Acked-by: Mimi Zohar <zohar@linux.ibm.com> > --- > security/integrity/ima/ima_policy.c | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c > index 73917413365b..a8802b8da946 100644 > --- a/security/integrity/ima/ima_policy.c > +++ b/security/integrity/ima/ima_policy.c > @@ -2247,6 +2247,10 @@ bool ima_appraise_signature(enum kernel_read_file_id id) > if (id >= READING_MAX_ID) > return false; > > + if (id == READING_KEXEC_IMAGE && !(ima_appraise & IMA_APPRAISE_ENFORCE) > + && security_locked_down(LOCKDOWN_KEXEC)) > + return false; > + > func = read_idmap[id] ?: FILE_CHECK; > > rcu_read_lock(); > -- > 2.27.0 > <formletter> This is not the correct way to submit patches for inclusion in the stable kernel tree. Please read: https://www.kernel.org/doc/html/latest/process/stable-kernel-rules.html for how to do this properly. </formletter>
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 73917413365b..a8802b8da946 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -2247,6 +2247,10 @@ bool ima_appraise_signature(enum kernel_read_file_id id) if (id >= READING_MAX_ID) return false; + if (id == READING_KEXEC_IMAGE && !(ima_appraise & IMA_APPRAISE_ENFORCE) + && security_locked_down(LOCKDOWN_KEXEC)) + return false; + func = read_idmap[id] ?: FILE_CHECK; rcu_read_lock();