| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <fbd8ca54-19ff-b77b-9e15-d900168bbdb3@linux.vnet.ibm.com>
Date: Thu, 17 Oct 2019 08:58:50 -0400
From: Nayna <nayna@...ux.vnet.ibm.com>
To: Michael Ellerman <mpe@...erman.id.au>,
Nayna Jain <nayna@...ux.ibm.com>, linuxppc-dev@...abs.org,
linux-efi@...r.kernel.org, linux-integrity@...r.kernel.org
Cc: Ard Biesheuvel <ard.biesheuvel@...aro.org>,
Eric Ricther <erichte@...ux.ibm.com>,
linux-kernel@...r.kernel.org, Mimi Zohar <zohar@...ux.ibm.com>,
Claudio Carvalho <cclaudio@...ux.ibm.com>,
Matthew Garret <matthew.garret@...ula.com>,
Paul Mackerras <paulus@...ba.org>, Jeremy Kerr <jk@...abs.org>,
Elaine Palmer <erpalmer@...ibm.com>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
"Oliver O'Halloran" <oohall@...il.com>,
George Wilson <gcwilson@...ux.ibm.com>
Subject: Re: [PATCH v7 2/8] powerpc: add support to initialize ima policy
rules
On 10/15/2019 07:29 AM, Michael Ellerman wrote:
> Nayna Jain <nayna@...ux.ibm.com> writes:
>> PowerNV systems uses kernel based bootloader, thus its secure boot
>> implementation uses kernel IMA security subsystem to verify the kernel
>> before kexec. Since the verification policy might differ based on the
>> secure boot mode of the system, the policies are defined at runtime.
>>
>> This patch implements the arch-specific support to define the IMA policy
>> rules based on the runtime secure boot mode of the system.
>>
>> This patch provides arch-specific IMA policies if PPC_SECURE_BOOT
>> config is enabled.
> ...
>> diff --git a/arch/powerpc/kernel/ima_arch.c b/arch/powerpc/kernel/ima_arch.c
>> new file mode 100644
>> index 000000000000..c22d82965eb4
>> --- /dev/null
>> +++ b/arch/powerpc/kernel/ima_arch.c
>> @@ -0,0 +1,33 @@
>> +// SPDX-License-Identifier: GPL-2.0
>> +/*
>> + * Copyright (C) 2019 IBM Corporation
>> + * Author: Nayna Jain
>> + */
>> +
>> +#include <linux/ima.h>
>> +#include <asm/secure_boot.h>
>> +
>> +bool arch_ima_get_secureboot(void)
>> +{
>> + return is_powerpc_os_secureboot_enabled();
>> +}
>> +
>> +/* Defines IMA appraise rules for secureboot */
>> +static const char *const arch_rules[] = {
>> + "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig",
>> +#if !IS_ENABLED(CONFIG_MODULE_SIG_FORCE)
>> + "appraise func=MODULE_CHECK appraise_type=imasig|modsig",
>> +#endif
> This confuses me.
>
> If I spell it out we get:
>
> #if IS_ENABLED(CONFIG_MODULE_SIG_FORCE)
> // nothing
> #else
> "appraise func=MODULE_CHECK appraise_type=imasig|modsig",
> #endif
>
> Which is just:
>
> #ifdef CONFIG_MODULE_SIG_FORCE
> // nothing
> #else
> "appraise func=MODULE_CHECK appraise_type=imasig|modsig",
> #endif
>
> But CONFIG_MODULE_SIG_FORCE enabled says that we *do* require modules to
> have a valid signature. Isn't that the inverse of what the rules say?
>
> Presumably I'm misunderstanding something :)
To avoid duplicate signature verification as much as possible, the IMA
policy rule is added only if CONFIG_MODULE_SIG_FORCE is not enabled.
CONFIG_MODULE_SIG_FORCE is part of modules support. IMA signature
verification is based on policy.
Thanks & Regards,
- Nayna
Powered by blists - more mailing lists