lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20200623202640.4936-1-bmeneg@redhat.com>
Date:   Tue, 23 Jun 2020 17:26:38 -0300
From:   Bruno Meneguele <bmeneg@...hat.com>
To:     linux-integrity@...r.kernel.org, linux-kernel@...r.kernel.org
Cc:     zohar@...ux.ibm.com, erichte@...ux.ibm.com, nayna@...ux.ibm.com,
        Bruno Meneguele <bmeneg@...hat.com>
Subject: [PATCH v3 0/2] ima: make appraisal state runtime dependent on secure boot

To switch APPRAISE_BOOTPARAM and ARCH_POLICY dependency from compile time to
run time the secure boot checking code (specific to each arch) had to be
slightly modified to include, in the PowerPC arch, the Trusted Boot state,
which is also relevant to the arch policy choice and also required the
ima_appraise to be enforced. 

With that I changed the checking order: instead of first check the
arch_policy and then the secure/trusted boot state, now we first check the
boot state, set ima_appraise to be enforced and then the existence of arch
policy. In other words, whenever secure/trusted boot is enabled,
(ima_appraise & IMA_APPRAISE_ENFORCE) == true.

I've tested these patches in a x86_64 platform with and without secure boot
enabled and in a PowerPC without secure boot enabled:

1) with secure boot enabled (x86_64) and ima_policy=appraise_tcb, the
ima_appraise= options were completly ignored and the boot always failed with
"missing-hash" for /sbin/init, which is the expected result;

2) with secure boot enabled (x86_64), but no ima_policy:

[    1.396111] ima: Allocated hash algorithm: sha256
[    1.424025] ima: setting IMA appraisal to enforced
[    1.424039] audit: type=1807 audit(1592927955.557:2): action=measure func=KEXEC_KERNEL_CHECK res=1
[    1.424040] audit: type=1807 audit(1592927955.557:3): action=measure func=MODULE_CHECK res=1

3) with secure boot disabled (PowerPC and x86_64) and
"ima_policy=appraise_tcb ima_appraise=fix", audit messages were triggered
with "op=appraisal_data cause=missing-hash" but the system worked fine due
to "fix".

Bruno Meneguele (2):
  arch/ima: extend secure boot check to include trusted boot
  ima: move APPRAISE_BOOTPARAM dependency on ARCH_POLICY to runtime

 arch/powerpc/kernel/ima_arch.c      |  5 +++--
 arch/s390/kernel/ima_arch.c         |  2 +-
 arch/x86/kernel/ima_arch.c          |  4 ++--
 include/linux/ima.h                 |  4 ++--
 security/integrity/ima/Kconfig      |  2 +-
 security/integrity/ima/ima_main.c   |  2 +-
 security/integrity/ima/ima_policy.c | 20 ++++++++++++++------
 7 files changed, 24 insertions(+), 15 deletions(-)

-- 
2.26.2

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ