F20 System Wide Change: Enable kdump on secureboot machines

Vivek Goyal vgoyal at redhat.com
Fri Jul 19 15:52:49 UTC 2013 

On Thu, Jul 18, 2013 at 08:51:36PM +0200, Miloslav Trmač wrote:
> On Thu, Jul 11, 2013 at 1:40 PM, Jaroslav Reznik <jreznik at redhat.com> wrote:
> > = Proposed System Wide Change: Enable kdump on secureboot machines =
> > https://fedoraproject.org/wiki/Changes/Kdump_with_secureboot
> 
> > == Detailed description ==
> > /sbin/kexec prepares a binary blob, called purgatory. This code runs at
> > priviliged level between kernel transition. With secureboot enabled, no
> > unsigned code should run at privilige level 0, hence kexec/kdump is currently
> > disabled if secureboot is enabled.
> >
> > One proposed way to solve the problem is that sign /sbin/kexec utility. And
> > upon successful signature verification, allow it to load kernel, initramfs, and
> > binary blob. /sbin/kexec will verify signatures of kernel being loaded before
> > it asks running kernel to load it.
> 
> For someone like me unfamiliar with kdump architecture, wouldn't it be
> possible to generate all relevant blobs (kdump kernel/initrd, ...) at
> kernel build time and sign them using essentially the existing module
> signing mechanism, and let the _kernel_ do all signature verification?
>  Then /sbin/kexec wouldn't have to be trusted at all.
> 
> > === Build and ship ima-evm-utils package ===
> > /sbin/kexec will be signed by evmctl. This utility will put an xattr
> > security.ima on /sbin/kexec file and kernel will leverage IMA infrastructure in
> > kernel to verify signature of /sbin/kexec upon execution.
> 
> (My motivation for the above question is that I view IMA (and any
> approach based on verifying only a pre-specified subset of files) as
> rather suspect, and that dm-verity makes much more sense to me for
> enforcing a "trusted base OS".

IIUC, dm-verity will just ensure that what was loaded from disk matches
signature. It does not enforce any restrictions after that. That is make
sure once signatures are verified, nothing unsgined can change the 
address space.

So disable ptrace() from unsigned process, run executable run locked in
from memory etc.

IMA does not enforce this too. But it can possibly be enhanced to put
some metadata in signature which says file needs to be executed locked
in memory.

And IMA will allow me to do it per file and we don't have to sign
everything which is on disk.

So for this use case where we want to sign only one thing, there is
no need to make everything signed.

Thanks
Vivek

More information about the devel mailing list