[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20200626144631.GC2702@glitch>
Date: Fri, 26 Jun 2020 11:46:31 -0300
From: Bruno Meneguele <bmeneg@...hat.com>
To: linux-integrity@...r.kernel.org, linux-kernel@...r.kernel.org
Cc: zohar@...ux.ibm.com, erichte@...ux.ibm.com, nayna@...ux.ibm.com
Subject: Re: [PATCH v3 0/2] ima: make appraisal state runtime dependent on
secure boot
Gentle ping for review.
I also forgot to add the changelog for the patch, please see below.
On Tue, Jun 23, 2020 at 05:26:38PM -0300, Bruno Meneguele wrote:
> To switch APPRAISE_BOOTPARAM and ARCH_POLICY dependency from compile time to
> run time the secure boot checking code (specific to each arch) had to be
> slightly modified to include, in the PowerPC arch, the Trusted Boot state,
> which is also relevant to the arch policy choice and also required the
> ima_appraise to be enforced.
>
> With that I changed the checking order: instead of first check the
> arch_policy and then the secure/trusted boot state, now we first check the
> boot state, set ima_appraise to be enforced and then the existence of arch
> policy. In other words, whenever secure/trusted boot is enabled,
> (ima_appraise & IMA_APPRAISE_ENFORCE) == true.
>
> I've tested these patches in a x86_64 platform with and without secure boot
> enabled and in a PowerPC without secure boot enabled:
>
> 1) with secure boot enabled (x86_64) and ima_policy=appraise_tcb, the
> ima_appraise= options were completly ignored and the boot always failed with
> "missing-hash" for /sbin/init, which is the expected result;
>
> 2) with secure boot enabled (x86_64), but no ima_policy:
>
> [ 1.396111] ima: Allocated hash algorithm: sha256
> [ 1.424025] ima: setting IMA appraisal to enforced
> [ 1.424039] audit: type=1807 audit(1592927955.557:2): action=measure func=KEXEC_KERNEL_CHECK res=1
> [ 1.424040] audit: type=1807 audit(1592927955.557:3): action=measure func=MODULE_CHECK res=1
>
> 3) with secure boot disabled (PowerPC and x86_64) and
> "ima_policy=appraise_tcb ima_appraise=fix", audit messages were triggered
> with "op=appraisal_data cause=missing-hash" but the system worked fine due
> to "fix".
Changelog:
v2:
- pr_info() message prefix correction
v3:
- extend secure boot arch checker to also consider trusted boot
- enforce IMA appraisal when secure boot is effectively enabled (Nayna)
- fix ima_appraise flag assignment by or'ing it (Mimi)
>
> Bruno Meneguele (2):
> arch/ima: extend secure boot check to include trusted boot
> ima: move APPRAISE_BOOTPARAM dependency on ARCH_POLICY to runtime
>
> arch/powerpc/kernel/ima_arch.c | 5 +++--
> arch/s390/kernel/ima_arch.c | 2 +-
> arch/x86/kernel/ima_arch.c | 4 ++--
> include/linux/ima.h | 4 ++--
> security/integrity/ima/Kconfig | 2 +-
> security/integrity/ima/ima_main.c | 2 +-
> security/integrity/ima/ima_policy.c | 20 ++++++++++++++------
> 7 files changed, 24 insertions(+), 15 deletions(-)
>
> --
> 2.26.2
>
--
bmeneg
PGP Key: http://bmeneg.com/pubkey.txt
Download attachment "signature.asc" of type "application/pgp-signature" (489 bytes)
Powered by blists - more mailing lists