| Message ID | 20200623202640.4936-1-bmeneg@redhat.com (mailing list archive) |
|---|---|
| Headers | show |
| Series | ima: make appraisal state runtime dependent on secure boot | expand |
Gentle ping for review. I also forgot to add the changelog for the patch, please see below. On Tue, Jun 23, 2020 at 05:26:38PM -0300, Bruno Meneguele wrote: > To switch APPRAISE_BOOTPARAM and ARCH_POLICY dependency from compile time to > run time the secure boot checking code (specific to each arch) had to be > slightly modified to include, in the PowerPC arch, the Trusted Boot state, > which is also relevant to the arch policy choice and also required the > ima_appraise to be enforced. > > With that I changed the checking order: instead of first check the > arch_policy and then the secure/trusted boot state, now we first check the > boot state, set ima_appraise to be enforced and then the existence of arch > policy. In other words, whenever secure/trusted boot is enabled, > (ima_appraise & IMA_APPRAISE_ENFORCE) == true. > > I've tested these patches in a x86_64 platform with and without secure boot > enabled and in a PowerPC without secure boot enabled: > > 1) with secure boot enabled (x86_64) and ima_policy=appraise_tcb, the > ima_appraise= options were completly ignored and the boot always failed with > "missing-hash" for /sbin/init, which is the expected result; > > 2) with secure boot enabled (x86_64), but no ima_policy: > > [ 1.396111] ima: Allocated hash algorithm: sha256 > [ 1.424025] ima: setting IMA appraisal to enforced > [ 1.424039] audit: type=1807 audit(1592927955.557:2): action=measure func=KEXEC_KERNEL_CHECK res=1 > [ 1.424040] audit: type=1807 audit(1592927955.557:3): action=measure func=MODULE_CHECK res=1 > > 3) with secure boot disabled (PowerPC and x86_64) and > "ima_policy=appraise_tcb ima_appraise=fix", audit messages were triggered > with "op=appraisal_data cause=missing-hash" but the system worked fine due > to "fix". Changelog: v2: - pr_info() message prefix correction v3: - extend secure boot arch checker to also consider trusted boot - enforce IMA appraisal when secure boot is effectively enabled (Nayna) - fix ima_appraise flag assignment by or'ing it (Mimi) > > Bruno Meneguele (2): > arch/ima: extend secure boot check to include trusted boot > ima: move APPRAISE_BOOTPARAM dependency on ARCH_POLICY to runtime > > arch/powerpc/kernel/ima_arch.c | 5 +++-- > arch/s390/kernel/ima_arch.c | 2 +- > arch/x86/kernel/ima_arch.c | 4 ++-- > include/linux/ima.h | 4 ++-- > security/integrity/ima/Kconfig | 2 +- > security/integrity/ima/ima_main.c | 2 +- > security/integrity/ima/ima_policy.c | 20 ++++++++++++++------ > 7 files changed, 24 insertions(+), 15 deletions(-) > > -- > 2.26.2 >