lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <043e52d4-6835-c2c4-bc9d-d36ddb3db0e9@linux.vnet.ibm.com>
Date:   Mon, 22 Jun 2020 15:01:27 -0400
From:   Nayna <nayna@...ux.vnet.ibm.com>
To:     Bruno Meneguele <bmeneg@...hat.com>
Cc:     linux-integrity@...r.kernel.org, linux-kernel@...r.kernel.org,
        zohar@...ux.ibm.com, erichte@...ux.ibm.com, nayna@...ux.ibm.com,
        stable@...r.kernel.org
Subject: Re: [PATCH v2] ima: move APPRAISE_BOOTPARAM dependency on ARCH_POLICY
 to runtime


On 6/22/20 1:27 PM, Bruno Meneguele wrote:
> IMA_APPRAISE_BOOTPARAM has been marked as dependent on !IMA_ARCH_POLICY in
> compile time, enforcing the appraisal whenever the kernel had the arch
> policy option enabled.
>
> However it breaks systems where the option is actually set but the system
> wasn't booted in a "secure boot" platform. In this scenario, anytime the
> an appraisal policy (i.e. ima_policy=appraisal_tcb) is used it will be
> forced, giving no chance to the user set the 'fix' state (ima_appraise=fix)
> to actually measure system's files.
>
> This patch remove this compile time dependency and move it to a runtime
> decision, based on the arch policy loading failure/success.

Thanks for looking at this.

For arch specific policies, kernel signature verification is enabled 
based on the secure boot state of the system. Perhaps, enforce the 
appraisal as well based on if secure boot is enabled.

Thanks & Regards,

     - Nayna

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ