F20 System Wide Change: Enable kdump on secureboot machines

Florian Weimer fweimer at redhat.com
Thu Jul 11 13:57:38 UTC 2013


On 07/11/2013 01:40 PM, Jaroslav Reznik wrote:
> === Build and ship ima-evm-utils package ===
> /sbin/kexec will be signed by evmctl. This utility will put an xattr
> security.ima on the /sbin/kexec file, and the kernel will leverage the IMA
> infrastructure in the kernel to verify the signature of /sbin/kexec upon
> execution.
>
> * There has been a bz open (807476) for inclusion of this package for a long
> time. Not sure what it is stuck on though.
>
> * There are some patches which are not upstream yet (like lock down executable
> in memory) which we need to carry in this package till the patches get
> upstream.

Is there a chance this (and the other patches mentioned below) actually 
makes it in the kernel?  Are at least the VM changes part of upstream 
already?

I don't think it would make sense to add more and more Fedora-specific 
patches which implement security functionality.  I don't want Fedora to 
become the next Android.

> === Kernel Changes ===
> The kernel needs to carry additional patches to verify the ELF binary signature.
> * There are patches to extend keyctl() so that user space can use it to verify
> the signature of a user buffer (vmlinuz in this case).
> * These patches are not upstream, so these need to be carried in Fedora till
> the patches get upstream.
> * The kernel needs to be signed using evmctl and a detached signature needs to
> be generated. These signatures need to be installed on vmlinuz in the
> security.ima xattr upon kernel rpm installation.

Does this mean your implementation of signature checking will be 
completely independent of UEFI Secure Boot (unless you decide to use 
that to obtain the trust root)?

> === Signing Key Management ===
> Yet to be figured out. There are a couple of ideas on the table.
>
> * Embed a few keys in the kernel, and one of these keys will be used to sign
> /sbin/kexec. In case a key is revoked, use a new key from the set of embedded
> keys.

How do you intend to handle revocation?

> * Ship a PE/COFF wrapped key in kexec-tools package. This PE/COFF binary
> should be signed by appropriate authority so it can be loaded in system
> keyring.

Who is the appropriate authority?

-- 
Florian Weimer / Red Hat Product Security Team
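The proposal above hinges on a security.ima xattr carrying an evmctl signature that IMA appraises at exec time. As an added example that is not code from this thread, from ima-evm-utils, or from the kernel, here is a small Python inspector that classifies what a security.ima value actually contains (a signature, a bare digest, or something malformed) and reports which key id signed it. It assumes the kernel's signature_v2_hdr layout (type, version, hash_algo, big-endian keyid, big-endian sig_size, signature bytes) and the hash_algo numbering from the kernel's hash_info.h; the sample blobs are constructed, not taken from a real file. Parsing tells you whether a binary is signed and by which key id, which is the first thing an auditor wants to know; it does not verify the signature, which needs the public key loaded in the kernel keyring.

```python
"""Inspect an IMA security.ima xattr value (added example, not from the thread).

Assumptions (labelled): the xattr follows the kernel's signature_v2_hdr layout
and hash_info.h hash_algo numbering; SAMPLE_* blobs below are constructed.
"""
import hashlib
import os
import struct

# evm_ima_xattr_type values (kernel security/integrity/integrity.h)
IMA_XATTR_DIGEST = 0x01      # bare SHA-1 digest, no algorithm byte
EVM_IMA_XATTR_DIGSIG = 0x03  # signature, what "evmctl ima_sign" writes
IMA_XATTR_DIGEST_NG = 0x04   # digest preceded by a hash_algo byte

# enum hash_algo from include/uapi/linux/hash_info.h (subset)
HASH_ALGO = {0: "md4", 1: "md5", 2: "sha1", 3: "rmd160", 4: "sha256",
             5: "sha384", 6: "sha512", 7: "sha224"}
DIGEST_LEN = {"md5": 16, "sha1": 20, "sha224": 28, "sha256": 32,
              "sha384": 48, "sha512": 64}

# signature_v2_hdr: type(u8) version(u8) hash_algo(u8) keyid(be32) sig_size(be16)
_V2_HDR = struct.Struct(">BBBIH")


def parse_security_ima(blob: bytes) -> dict:
    """Classify a security.ima value without verifying it."""
    if not blob:
        return {"kind": "missing"}
    xtype = blob[0]
    if xtype == EVM_IMA_XATTR_DIGSIG:
        if len(blob) < _V2_HDR.size:
            return {"kind": "malformed", "reason": "short signature header"}
        _, version, algo, keyid, sig_size = _V2_HDR.unpack_from(blob)
        if version != 2:
            return {"kind": "malformed",
                    "reason": f"unsupported signature version {version}"}
        sig = blob[_V2_HDR.size:]
        if len(sig) != sig_size:
            return {"kind": "malformed",
                    "reason": f"sig_size {sig_size} but {len(sig)} bytes present"}
        return {"kind": "signature",
                "hash_algo": HASH_ALGO.get(algo, f"unknown({algo})"),
                "keyid": f"{keyid:08x}", "sig_len": sig_size}
    if xtype == IMA_XATTR_DIGEST_NG:
        if len(blob) < 2:
            return {"kind": "malformed", "reason": "short digest header"}
        name = HASH_ALGO.get(blob[1], f"unknown({blob[1]})")
        digest = blob[2:]
        if DIGEST_LEN.get(name) not in (None, len(digest)):
            return {"kind": "malformed",
                    "reason": f"{name} digest should be {DIGEST_LEN[name]} bytes"}
        # A digest proves local integrity only; it says nothing about origin.
        return {"kind": "digest", "hash_algo": name, "digest": digest.hex()}
    if xtype == IMA_XATTR_DIGEST:
        return {"kind": "digest", "hash_algo": "sha1", "digest": blob[1:].hex()}
    return {"kind": "malformed", "reason": f"unknown xattr type {xtype:#x}"}


def inspect_file(path: str) -> dict:
    """Read security.ima from a file (Linux only; reading may need privilege)."""
    getxattr = getattr(os, "getxattr", None)
    if getxattr is None:
        return {"kind": "missing", "reason": "no xattr support on this platform"}
    try:
        blob = getxattr(path, "security.ima")
    except OSError as exc:  # ENODATA when absent, EPERM/EACCES when denied
        return {"kind": "missing", "reason": str(exc)}
    return parse_security_ima(blob)


# Constructed samples: a v2 RSA-2048-sized signature with a made-up key id,
# and a sha256 digest-ng entry over a constructed input.
SAMPLE_SIGNATURE = (bytes([EVM_IMA_XATTR_DIGSIG, 2, 4])
                    + (0x0A1B2C3D).to_bytes(4, "big")
                    + (256).to_bytes(2, "big") + bytes(256))
SAMPLE_DIGEST_NG = (bytes([IMA_XATTR_DIGEST_NG, 4])
                    + hashlib.sha256(b"constructed sample").digest())

if __name__ == "__main__":
    for label, blob in (("signature", SAMPLE_SIGNATURE),
                        ("digest", SAMPLE_DIGEST_NG),
                        ("truncated", SAMPLE_SIGNATURE[:-1])):
        print(label, parse_security_ima(blob))
    print("/sbin/kexec", inspect_file("/sbin/kexec"))
```

Run as root on a system with IMA enabled to see what /sbin/kexec actually carries; a result of kind "digest" or "missing" means appraisal in enforce mode would refuse to execute it once a signature-requiring policy is loaded, which is the behaviour the proposal relies on.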

