| Message ID | 20200623202640.4936-2-bmeneg@redhat.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | ima: make appraisal state runtime dependent on secure boot | expand |
On Tue, 2020-06-23 at 17:26 -0300, Bruno Meneguele wrote: <snip> > diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c > index c1583d98c5e5..a760094e8f8d 100644 > --- a/security/integrity/ima/ima_main.c > +++ b/security/integrity/ima/ima_main.c > @@ -694,7 +694,7 @@ int ima_load_data(enum kernel_load_data_id id) > switch (id) { > case LOADING_KEXEC_IMAGE: > if (IS_ENABLED(CONFIG_KEXEC_SIG) > - && arch_ima_get_secureboot()) { > + && arch_ima_secure_or_trusted_boot()) { > pr_err("impossible to appraise a kernel image without a file descriptor; try using kexec_file_load syscall.\n"); > return -EACCES; > } Only IMA-appraisal enforces file integrity based on policy. Mimi
On Fri, Jun 26, 2020 at 04:23:12PM -0400, Mimi Zohar wrote: > On Tue, 2020-06-23 at 17:26 -0300, Bruno Meneguele wrote: > <snip> > > > diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c > > index c1583d98c5e5..a760094e8f8d 100644 > > --- a/security/integrity/ima/ima_main.c > > +++ b/security/integrity/ima/ima_main.c > > @@ -694,7 +694,7 @@ int ima_load_data(enum kernel_load_data_id id) > > switch (id) { > > case LOADING_KEXEC_IMAGE: > > if (IS_ENABLED(CONFIG_KEXEC_SIG) > > - && arch_ima_get_secureboot()) { > > + && arch_ima_secure_or_trusted_boot()) { > > pr_err("impossible to appraise a kernel image without a file descriptor; try using kexec_file_load syscall.\n"); > > return -EACCES; > > } > > Only IMA-appraisal enforces file integrity based on policy. > Right, but I didn't get the relation to the code above: I basically renamed the function: "arch_ima_get_secureboot" -> "arch_ima_secure_or_trusted_boot". Which doesn't change the ima_load_data logic.
diff --git a/arch/powerpc/kernel/ima_arch.c b/arch/powerpc/kernel/ima_arch.c index 957abd592075..32b26b491c07 100644 --- a/arch/powerpc/kernel/ima_arch.c +++ b/arch/powerpc/kernel/ima_arch.c @@ -7,9 +7,10 @@ #include <linux/ima.h> #include <asm/secure_boot.h> -bool arch_ima_get_secureboot(void) +bool arch_ima_secure_or_trusted_boot(void) { - return is_ppc_secureboot_enabled(); + return (is_ppc_secureboot_enabled() || + is_ppc_trustedboot_enabled()); } /* diff --git a/arch/s390/kernel/ima_arch.c b/arch/s390/kernel/ima_arch.c index f3c3e6e1c5d3..9cf823cf2b79 100644 --- a/arch/s390/kernel/ima_arch.c +++ b/arch/s390/kernel/ima_arch.c @@ -3,7 +3,7 @@ #include <linux/ima.h> #include <asm/boot_data.h> -bool arch_ima_get_secureboot(void) +bool arch_ima_secure_or_trusted_boot(void) { return ipl_secure_flag; } diff --git a/arch/x86/kernel/ima_arch.c b/arch/x86/kernel/ima_arch.c index 7dfb1e808928..168393d399ba 100644 --- a/arch/x86/kernel/ima_arch.c +++ b/arch/x86/kernel/ima_arch.c @@ -51,7 +51,7 @@ static enum efi_secureboot_mode get_sb_mode(void) return efi_secureboot_mode_enabled; } -bool arch_ima_get_secureboot(void) +bool arch_ima_secure_or_trusted_boot(void) { static enum efi_secureboot_mode sb_mode; static bool initialized; @@ -85,7 +85,8 @@ static const char * const sb_arch_rules[] = { const char * const *arch_get_ima_policy(void) { - if (IS_ENABLED(CONFIG_IMA_ARCH_POLICY) && arch_ima_get_secureboot()) { + if (IS_ENABLED(CONFIG_IMA_ARCH_POLICY) && + arch_ima_secure_or_tusted_boot()) { if (IS_ENABLED(CONFIG_MODULE_SIG)) set_module_sig_enforced(); return sb_arch_rules; diff --git a/include/linux/ima.h b/include/linux/ima.h index 9164e1534ec9..839b5c376ed6 100644 --- a/include/linux/ima.h +++ b/include/linux/ima.h @@ -32,10 +32,10 @@ extern void ima_add_kexec_buffer(struct kimage *image); #endif #ifdef CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT -extern bool arch_ima_get_secureboot(void); +extern bool arch_ima_secure_or_trusted_boot(void); extern const char * const *arch_get_ima_policy(void); #else -static inline bool arch_ima_get_secureboot(void) +static inline bool arch_ima_secure_or_trusted_boot(void) { return false; } diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index c1583d98c5e5..a760094e8f8d 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -694,7 +694,7 @@ int ima_load_data(enum kernel_load_data_id id) switch (id) { case LOADING_KEXEC_IMAGE: if (IS_ENABLED(CONFIG_KEXEC_SIG) - && arch_ima_get_secureboot()) { + && arch_ima_secure_or_trusted_boot()) { pr_err("impossible to appraise a kernel image without a file descriptor; try using kexec_file_load syscall.\n"); return -EACCES; }
ima_get_secureboot() has been used for checking platform's secure boot state for enabling different arch specific IMA policies where available. However, for powerpc there also is the concept of Trusted Boot, which is also relevant to the check code. This patch extend the code or'ing the Trusted Boot state in PowerPC arch while leaving the other arches (x86 and s390) unchanged. The only changes performed in the other arches is related to the function name change. Signed-off-by: Bruno Meneguele <bmeneg@redhat.com> --- arch/powerpc/kernel/ima_arch.c | 5 +++-- arch/s390/kernel/ima_arch.c | 2 +- arch/x86/kernel/ima_arch.c | 5 +++-- include/linux/ima.h | 4 ++-- security/integrity/ima/ima_main.c | 2 +- 5 files changed, 10 insertions(+), 8 deletions(-)