lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <20220425222120.1998888-1-eric.snowberg@oracle.com>
Date:   Mon, 25 Apr 2022 18:21:20 -0400
From:   Eric Snowberg <eric.snowberg@...cle.com>
To:     zohar@...ux.ibm.com
Cc:     dmitry.kasatkin@...il.com, jmorris@...ei.org, serge@...lyn.com,
        eric.snowberg@...cle.com, linux-integrity@...r.kernel.org,
        linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: [PATCH] integrity: Allow ima_appraise bootparam to be set when SB is enabled

The IMA_APPRAISE_BOOTPARM config allows enabling different "ima_appraise="
modes (log, fix, enforce) to be configured at boot time.  When booting
with Secure Boot enabled, all modes are ignored except enforce.  To use
log or fix, Secure Boot must be disabled.

With a policy such as:

appraise func=BPRM_CHECK appraise_type=imasig

A user may just want to audit signature validation. Not all users
are interested in full enforcement and find the audit log appropriate
for their use case.

Add a new IMA_APPRAISE_SB_BOOTPARAM config allowing "ima_appraise="
to work when Secure Boot is enabled.

Signed-off-by: Eric Snowberg <eric.snowberg@...cle.com>
---
 security/integrity/ima/Kconfig        | 9 +++++++++
 security/integrity/ima/ima_appraise.c | 2 +-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
index f3a9cc201c8c..66d25345e478 100644
--- a/security/integrity/ima/Kconfig
+++ b/security/integrity/ima/Kconfig
@@ -237,6 +237,15 @@ config IMA_APPRAISE_BOOTPARAM
 	  This option enables the different "ima_appraise=" modes
 	  (eg. fix, log) from the boot command line.
 
+config IMA_APPRAISE_SB_BOOTPARAM
+	bool "ima_appraise secure boot parameter"
+	depends on IMA_APPRAISE_BOOTPARAM
+	default n
+	help
+	  This option enables the different "ima_appraise=" modes
+	  (eg. fix, log) from the boot command line when booting
+	  with Secure Boot enabled.
+
 config IMA_APPRAISE_MODSIG
 	bool "Support module-style signatures for appraisal"
 	depends on IMA_APPRAISE
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index 17232bbfb9f9..a66b1e271806 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -43,7 +43,7 @@ void __init ima_appraise_parse_cmdline(void)
 
 	/* If appraisal state was changed, but secure boot is enabled,
 	 * keep its default */
-	if (sb_state) {
+	if (sb_state && !IS_ENABLED(CONFIG_IMA_APPRAISE_SB_BOOTPARAM)) {
 		if (!(appraisal_state & IMA_APPRAISE_ENFORCE))
 			pr_info("Secure boot enabled: ignoring ima_appraise=%s option",
 				str);
-- 
2.27.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ