| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 25 Apr 2022 18:21:20 -0400
From: Eric Snowberg <eric.snowberg@...cle.com>
To: zohar@...ux.ibm.com
Cc: dmitry.kasatkin@...il.com, jmorris@...ei.org, serge@...lyn.com,
eric.snowberg@...cle.com, linux-integrity@...r.kernel.org,
linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: [PATCH] integrity: Allow ima_appraise bootparam to be set when SB is enabled
The IMA_APPRAISE_BOOTPARM config allows enabling different "ima_appraise="
modes (log, fix, enforce) to be configured at boot time. When booting
with Secure Boot enabled, all modes are ignored except enforce. To use
log or fix, Secure Boot must be disabled.
With a policy such as:
appraise func=BPRM_CHECK appraise_type=imasig
A user may just want to audit signature validation. Not all users
are interested in full enforcement and find the audit log appropriate
for their use case.
Add a new IMA_APPRAISE_SB_BOOTPARAM config allowing "ima_appraise="
to work when Secure Boot is enabled.
Signed-off-by: Eric Snowberg <eric.snowberg@...cle.com>
---
security/integrity/ima/Kconfig | 9 +++++++++
security/integrity/ima/ima_appraise.c | 2 +-
2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
index f3a9cc201c8c..66d25345e478 100644
--- a/security/integrity/ima/Kconfig
+++ b/security/integrity/ima/Kconfig
@@ -237,6 +237,15 @@ config IMA_APPRAISE_BOOTPARAM
This option enables the different "ima_appraise=" modes
(eg. fix, log) from the boot command line.
+config IMA_APPRAISE_SB_BOOTPARAM
+ bool "ima_appraise secure boot parameter"
+ depends on IMA_APPRAISE_BOOTPARAM
+ default n
+ help
+ This option enables the different "ima_appraise=" modes
+ (eg. fix, log) from the boot command line when booting
+ with Secure Boot enabled.
+
config IMA_APPRAISE_MODSIG
bool "Support module-style signatures for appraisal"
depends on IMA_APPRAISE
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index 17232bbfb9f9..a66b1e271806 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -43,7 +43,7 @@ void __init ima_appraise_parse_cmdline(void)
/* If appraisal state was changed, but secure boot is enabled,
* keep its default */
- if (sb_state) {
+ if (sb_state && !IS_ENABLED(CONFIG_IMA_APPRAISE_SB_BOOTPARAM)) {
if (!(appraisal_state & IMA_APPRAISE_ENFORCE))
pr_info("Secure boot enabled: ignoring ima_appraise=%s option",
str);
--
2.27.0
Powered by blists - more mailing lists