• Eric Snowberg's avatar
    lockdown: Fix kexec lockdown bypass with ima policy · 543ce63b
    Eric Snowberg authored
    The lockdown LSM is primarily used in conjunction with UEFI Secure Boot.
    This LSM may also be used on machines without UEFI.  It can also be
    enabled when UEFI Secure Boot is disabled.  One of lockdown's features
    is to prevent kexec from loading untrusted kernels.  Lockdown can be
    enabled through a bootparam or after the kernel has booted through
    securityfs.
    
    If IMA appraisal is used with the "ima_appraise=log" boot param,
    lockdown can be defeated with kexec on any machine when Secure Boot is
    disabled or unavailable.  IMA prevents setting "ima_appraise=log" from
    the boot param when Secure Boot is enabled, but this does not cover
    cases where lockdown is used without Secure Boot.
    
    To defeat lockdown, boot without Secure Boot and add ima_appraise=log to
    the kernel command line; then:
    
      $ echo "integrity" > /sys/kernel/security/lockdown
      $ echo "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig" > \
        /sys/kernel/security/ima/policy
      $ kexec -ls unsigned-kernel
    
    Add a call to verify ima appraisal is set to "enforce" whenever lockdown
    is enabled.  This fixes CVE-2022-21505.
    
    Cc: stable@vger.kernel.org
    Fixes: 29d3c1c8 ("kexec: Allow kexec_file() with appropriate IMA policy when locked down")
    Signed-off-by: default avatarEric Snowberg <eric.snowberg@oracle.com>
    Acked-by: default avatarMimi Zohar <zohar@linux.ibm.com>
    Reviewed-by: default avatarJohn Haxby <john.haxby@oracle.com>
    Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    543ce63b
ima_policy.c 60.9 KB