| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20200710180338.GA10547@glitch>
Date: Fri, 10 Jul 2020 15:03:38 -0300
From: Bruno Meneguele <bmeneg@...hat.com>
To: Mimi Zohar <zohar@...ux.ibm.com>
Cc: linux-kernel@...r.kernel.org, x86@...nel.org,
linuxppc-dev@...ts.ozlabs.org, linux-s390@...r.kernel.org,
linux-integrity@...r.kernel.org, erichte@...ux.ibm.com,
nayna@...ux.ibm.com, stable@...r.kernel.org
Subject: Re: [PATCH v5] ima: move APPRAISE_BOOTPARAM dependency on
ARCH_POLICY to runtime
On Fri, Jul 10, 2020 at 01:23:24PM -0400, Mimi Zohar wrote:
> On Thu, 2020-07-09 at 13:46 -0300, Bruno Meneguele wrote:
> > APPRAISE_BOOTPARAM has been marked as dependent on !ARCH_POLICY in compile
> > time, enforcing the appraisal whenever the kernel had the arch policy option
> > enabled.
>
> > However it breaks systems where the option is set but the system didn't
> > boot in a "secure boot" platform. In this scenario, anytime an appraisal
> > policy (i.e. ima_policy=appraisal_tcb) is used it will be forced, without
> > giving the user the opportunity to label the filesystem, before enforcing
> > integrity.
> >
> > Considering the ARCH_POLICY is only effective when secure boot is actually
> > enabled this patch remove the compile time dependency and move it to a
> > runtime decision, based on the secure boot state of that platform.
>
> Perhaps we could simplify this patch description a bit?
>
> The IMA_APPRAISE_BOOTPARAM config allows enabling different
> "ima_appraise=" modes - log, fix, enforce - at run time, but not when
> IMA architecture specific policies are enabled. This prevents
> properly labeling the filesystem on systems where secure boot is
> supported, but not enabled on the platform. Only when secure boot is
> enabled, should these IMA appraise modes be disabled.
>
> This patch removes the compile time dependency and makes it a runtime
> decision, based on the secure boot state of that platform.
>
Sounds good to me.
> <snip>
>
> > diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
> > index a9649b04b9f1..884de471b38a 100644
> > --- a/security/integrity/ima/ima_appraise.c
> > +++ b/security/integrity/ima/ima_appraise.c
> > @@ -19,6 +19,11 @@
> > static int __init default_appraise_setup(c
>
> > har *str)
> > {
> > #ifdef CONFIG_IMA_APPRAISE_BOOTPARAM
> > + if (arch_ima_get_secureboot()) {
> > + pr_info("appraise boot param ignored: secure boot enabled");
>
> Instead of a generic statement, is it possible to include the actual
> option being denied? Perhaps something like: "Secure boot enabled,
> ignoring %s boot command line option"
>
> Mimi
>
Yes, sure.
Thanks!
> > + return 1;
> > + }
> > +
> > if (strncmp(str, "off", 3) == 0)
> > ima_appraise = 0;
> > else if (strncmp(str, "log", 3) == 0)
>
--
bmeneg
PGP Key: http://bmeneg.com/pubkey.txt
Download attachment "signature.asc" of type "application/pgp-signature" (489 bytes)
Powered by blists - more mailing lists