lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date:   Wed, 8 Jul 2020 10:39:41 -0300
From:   Bruno Meneguele <bmeneg@...hat.com>
To:     Nayna <nayna@...ux.vnet.ibm.com>
Cc:     linux-integrity@...r.kernel.org, linux-kernel@...r.kernel.org,
        zohar@...ux.ibm.com, erichte@...ux.ibm.com, nayna@...ux.ibm.com,
        stable@...r.kernel.org
Subject: Re: [PATCH v4] ima: move APPRAISE_BOOTPARAM dependency on
 ARCH_POLICY to runtime

On Tue, Jul 07, 2020 at 07:56:37PM -0400, Nayna wrote:
> 
> On 7/3/20 2:00 PM, Bruno Meneguele wrote:
> > APPRAISE_BOOTPARAM has been marked as dependent on !ARCH_POLICY in compile
> > time, enforcing the appraisal whenever the kernel had the arch policy option
> > enabled.
> > 
> > However it breaks systems where the option is set but the system wasn't
> > booted in a "secure boot" platform. In this scenario, anytime an appraisal
> > policy (i.e. ima_policy=appraisal_tcb) is used it will be forced, giving no
> > chance to the user set the 'fix' state (ima_appraise=fix) to actually
> > measure system's files.
> 
> "measure" is incorrect. It is appraisal.
> 

Yes, of course, sorry.

> How about changing the statement to "without giving the user the opportunity
> to label the filesystem, before enforcing integrity." ?
> 

Ack.
That's better :)

> > diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
> > index a9649b04b9f1..4fc83b3fbd5c 100644
> > --- a/security/integrity/ima/ima_appraise.c
> > +++ b/security/integrity/ima/ima_appraise.c
> > @@ -18,14 +18,16 @@
> >   static int __init default_appraise_setup(char *str)
> >   {
> > -#ifdef CONFIG_IMA_APPRAISE_BOOTPARAM
> > -	if (strncmp(str, "off", 3) == 0)
> > -		ima_appraise = 0;
> > -	else if (strncmp(str, "log", 3) == 0)
> > -		ima_appraise = IMA_APPRAISE_LOG;
> > -	else if (strncmp(str, "fix", 3) == 0)
> > -		ima_appraise = IMA_APPRAISE_FIX;
> > -#endif
> > +	if (IS_ENABLED(CONFIG_IMA_APPRAISE_BOOTPARAM) &&
> > +	    !arch_ima_get_secureboot()) {
> > +		if (strncmp(str, "off", 3) == 0)
> > +			ima_appraise = 0;
> > +		else if (strncmp(str, "log", 3) == 0)
> > +			ima_appraise = IMA_APPRAISE_LOG;
> > +		else if (strncmp(str, "fix", 3) == 0)
> > +			ima_appraise = IMA_APPRAISE_FIX;
> > +	}
> > +
> >   	return 1;
> >   }
> 
> If secureboot is enabled, it is silently ignoring the boot parameters. It
> would be helpful if there is a log message notifying user about that.
> 
> Can you please Cc powerpc, s390, and x86 mailing list and maintainers, when
> you post the next version ?
> 
> I would try to test it sometime in this week.
> 

Sure. I'm preparing a new version and will post soon.

> Thanks & Regards,
> 

Thank you.

-- 
bmeneg 
PGP Key: http://bmeneg.com/pubkey.txt

Download attachment "signature.asc" of type "application/pgp-signature" (489 bytes)

Powered by blists - more mailing lists