[PATCH 0/4] integrity: improve user feedback for invalid bootparams

[PATCH 0/4] integrity: improve user feedback for invalid bootparams

[Bruno Meneguele]

Some boot paramenters under integrity/ don't report any feedback to the user
in case an invalid/unknown option is passed. With this patch, try to be more
informative about what went wrong, including a more strict secure boot
feedback.

Bruno Meneguele (4):
  ima: add check for enforced appraise option
  integrity: invalid kernel parameters feedback
  ima: limit secure boot feedback scope on appraise bootparam
  integrity: prompt keyring name for unknown key request

 security/integrity/digsig_asymmetric.c | 10 ++++++++--
 security/integrity/evm/evm_main.c      |  3 +++
 security/integrity/ima/ima_appraise.c  | 20 +++++++++++++++-----
 security/integrity/ima/ima_main.c      | 13 +++++++++----
 security/integrity/ima/ima_policy.c    |  2 ++
 5 files changed, 37 insertions(+), 11 deletions(-)

-- 
2.26.2

[PATCH 1/4] ima: add check for enforced appraise option

[Bruno Meneguele]

The "enforce" string is allowed as an option for ima_appraise= kernel
paramenter per kernel-paramenters.txt and should be considered on the
parameter setup checking as a matter of completeness. Also it allows futher
checking on the options being passed by the user.

Signed-off-by: Bruno Meneguele <bmeneg@redhat.com>
---
 security/integrity/ima/ima_appraise.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index 372d16382960..580b771e3458 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -31,6 +31,8 @@ static int __init default_appraise_setup(char *str)
 		ima_appraise = IMA_APPRAISE_LOG;
 	else if (strncmp(str, "fix", 3) == 0)
 		ima_appraise = IMA_APPRAISE_FIX;
+	else if (strncmp(str, "enforce", 7) == 0)
+		ima_appraise = IMA_APPRAISE_ENFORCE;
 #endif
 	return 1;
 }
-- 
2.26.2

[PATCH 2/4] integrity: invalid kernel parameters feedback

[Bruno Meneguele]

Prompt a message to kmsg in case the user entered any invalid option to some
of the ima_{policy,appraise,hash} and evm kernel parameters. It's already
done for ima_template.

Signed-off-by: Bruno Meneguele <bmeneg@redhat.com>
---
 security/integrity/evm/evm_main.c     |  3 +++
 security/integrity/ima/ima_appraise.c |  2 ++
 security/integrity/ima/ima_main.c     | 13 +++++++++----
 security/integrity/ima/ima_policy.c   |  2 ++
 4 files changed, 16 insertions(+), 4 deletions(-)

diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
index 0d36259b690d..6ae00fee1d34 100644
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -59,6 +59,9 @@ static int __init evm_set_fixmode(char *str)
 {
 	if (strncmp(str, "fix", 3) == 0)
 		evm_fixmode = 1;
+	else
+		pr_err("invalid \"%s\" mode", str);
+
 	return 0;
 }
 __setup("evm=", evm_set_fixmode);
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index 580b771e3458..2193b51c2743 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -33,6 +33,8 @@ static int __init default_appraise_setup(char *str)
 		ima_appraise = IMA_APPRAISE_FIX;
 	else if (strncmp(str, "enforce", 7) == 0)
 		ima_appraise = IMA_APPRAISE_ENFORCE;
+	else
+		pr_err("invalid \"%s\" appraise option", str);
 #endif
 	return 1;
 }
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 8a91711ca79b..2b22932b140d 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -50,18 +50,23 @@ static int __init hash_setup(char *str)
 		return 1;
 
 	if (strcmp(template_desc->name, IMA_TEMPLATE_IMA_NAME) == 0) {
-		if (strncmp(str, "sha1", 4) == 0)
+		if (strncmp(str, "sha1", 4) == 0) {
 			ima_hash_algo = HASH_ALGO_SHA1;
-		else if (strncmp(str, "md5", 3) == 0)
+		} else if (strncmp(str, "md5", 3) == 0) {
 			ima_hash_algo = HASH_ALGO_MD5;
-		else
+		} else {
+			pr_err("invalid hash algorithm \"%s\" for template \"%s\"",
+				str, IMA_TEMPLATE_IMA_NAME);
 			return 1;
+		}
 		goto out;
 	}
 
 	i = match_string(hash_algo_name, HASH_ALGO__LAST, str);
-	if (i < 0)
+	if (i < 0) {
+		pr_err("invalid hash algorithm \"%s\"", str);
 		return 1;
+	}
 
 	ima_hash_algo = i;
 out:
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 07f033634b27..880d10887de8 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -240,6 +240,8 @@ static int __init policy_setup(char *str)
 			ima_use_secure_boot = true;
 		else if (strcmp(p, "fail_securely") == 0)
 			ima_fail_unverifiable_sigs = true;
+		else
+			pr_err("policy \"%s\" not found", p);
 	}
 
 	return 1;
-- 
2.26.2

[PATCH 3/4] ima: limit secure boot feedback scope for appraise

[Bruno Meneguele]

Instead of print to kmsg any ima_appraise= option passed by the user in case
of secure boot being enabled, first check if the state was really changed
from its original "enforce" state, otherwise don't print anything.

Signed-off-by: Bruno Meneguele <bmeneg@redhat.com>
---
 security/integrity/ima/ima_appraise.c | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index 2193b51c2743..000df14f198a 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -19,11 +19,7 @@
 static int __init default_appraise_setup(char *str)
 {
 #ifdef CONFIG_IMA_APPRAISE_BOOTPARAM
-	if (arch_ima_get_secureboot()) {
-		pr_info("Secure boot enabled: ignoring ima_appraise=%s boot parameter option",
-			str);
-		return 1;
-	}
+	bool sb_state = arch_ima_get_secureboot();
 
 	if (strncmp(str, "off", 3) == 0)
 		ima_appraise = 0;
@@ -35,6 +31,16 @@ static int __init default_appraise_setup(char *str)
 		ima_appraise = IMA_APPRAISE_ENFORCE;
 	else
 		pr_err("invalid \"%s\" appraise option", str);
+
+	/* If appraisal state was changed, but secure boot is enabled,
+	 * reset it to enforced */
+	if (sb_state) {
+		if (!is_ima_appraise_enabled()) {
+			pr_info("Secure boot enabled: ignoring ima_appraise=%s option",
+				str);
+			ima_appraise = IMA_APPRAISE_ENFORCE;
+		}
+	}
 #endif
 	return 1;
 }
-- 
2.26.2

[PATCH 4/4] integrity: prompt keyring name for unknown key request

[Bruno Meneguele]

Depending on the IMA policy a key can be searched in multiple keyrings (e.g.
.ima and .platform) and possibly failing for both. However, for the user not
aware of the searching order it's not clear what's the keyring the kernel
didn't find the key. With this patch we improve this feedback by printing
the keyring "description" (name).

Signed-off-by: Bruno Meneguele <bmeneg@redhat.com>
---
 security/integrity/digsig_asymmetric.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/security/integrity/digsig_asymmetric.c b/security/integrity/digsig_asymmetric.c
index cfa4127d0518..14de98ef67f6 100644
--- a/security/integrity/digsig_asymmetric.c
+++ b/security/integrity/digsig_asymmetric.c
@@ -55,8 +55,14 @@ static struct key *request_asymmetric_key(struct key *keyring, uint32_t keyid)
 	}
 
 	if (IS_ERR(key)) {
-		pr_err_ratelimited("Request for unknown key '%s' err %ld\n",
-				   name, PTR_ERR(key));
+		if (keyring)
+			pr_err_ratelimited("Request for unknown key '%s' in '%s' keyring. err %ld\n",
+					   name, keyring->description,
+					   PTR_ERR(key));
+		else
+			pr_err_ratelimited("Request for unknown key '%s' err %ld\n",
+					   name, PTR_ERR(key));
+
 		switch (PTR_ERR(key)) {
 			/* Hide some search errors */
 		case -EACCES:
-- 
2.26.2

Re: [PATCH 3/4] ima: limit secure boot feedback scope for appraise

[Mimi Zohar]

On Mon, 2020-08-17 at 18:52 -0300, Bruno Meneguele wrote:
> Instead of print to kmsg any ima_appraise= option passed by the user in case
> of secure boot being enabled, first check if the state was really changed
> from its original "enforce" state, otherwise don't print anything.

Please reword this patch description, removing "Instead of print to
kmsg".

> 
> Signed-off-by: Bruno Meneguele <bmeneg@redhat.com>
> ---
>  security/integrity/ima/ima_appraise.c | 16 +++++++++++-----
>  1 file changed, 11 insertions(+), 5 deletions(-)
> 
> diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
> index 2193b51c2743..000df14f198a 100644
> --- a/security/integrity/ima/ima_appraise.c
> +++ b/security/integrity/ima/ima_appraise.c
> @@ -19,11 +19,7 @@
>  static int __init default_appraise_setup(char *str)
>  {
>  #ifdef CONFIG_IMA_APPRAISE_BOOTPARAM
> -	if (arch_ima_get_secureboot()) {
> -		pr_info("Secure boot enabled: ignoring ima_appraise=%s boot parameter option",
> -			str);
> -		return 1;
> -	}
> +	bool sb_state = arch_ima_get_secureboot();
>  
>  	if (strncmp(str, "off", 3) == 0)
>  		ima_appraise = 0;
> @@ -35,6 +31,16 @@ static int __init default_appraise_setup(char *str)
>  		ima_appraise = IMA_APPRAISE_ENFORCE;
>  	else
>  		pr_err("invalid \"%s\" appraise option", str);
> +
> +	/* If appraisal state was changed, but secure boot is enabled,
> +	 * reset it to enforced */
> +	if (sb_state) {
> +		if (!is_ima_appraise_enabled()) {
> +			pr_info("Secure boot enabled: ignoring ima_appraise=%s option",
> +				str);
> +			ima_appraise = IMA_APPRAISE_ENFORCE;
> +		}
> +	}

Instead of changing ima_appraise and then resetting it back to
enforcing, how about using a temporary variable instead?  Maybe
something like:

if (!is_ima_appraise_enabled())
	pr_info( ...)
else
   ima_appraise = temporary value

>  #endif
>  	return 1;
>  }

Re: [PATCH 2/4] integrity: invalid kernel parameters feedback

[Mimi Zohar]

On Mon, 2020-08-17 at 18:52 -0300, Bruno Meneguele wrote:
> Prompt a message to kmsg in case the user entered any invalid option to some
> of the ima_{policy,appraise,hash} and evm kernel parameters. It's already
> done for ima_template.

I think what you are trying to say is don't silently ignore unknown or
invalid  ima_{policy,appraise,hash} and evm kernel boot command line
options.

Mimi

Re: [PATCH 4/4] integrity: prompt keyring name for unknown key request

[Mimi Zohar]

On Mon, 2020-08-17 at 18:52 -0300, Bruno Meneguele wrote:
> Depending on the IMA policy a key can be searched in multiple keyrings (e.g.
> .ima and .platform) and possibly failing for both. However, for the user not
> aware of the searching order it's not clear what's the keyring the kernel
> didn't find the key. With this patch we improve this feedback by printing
> the keyring "description" (name).
> 
> Signed-off-by: Bruno Meneguele <bmeneg@redhat.com>

Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>

Re: [PATCH 3/4] ima: limit secure boot feedback scope for appraise

[Bruno Meneguele]

[-- Attachment #1: Type: text/plain, Size: 2494 bytes --]

On Mon, Aug 24, 2020 at 04:11:22PM -0400, Mimi Zohar wrote:
> On Mon, 2020-08-17 at 18:52 -0300, Bruno Meneguele wrote:
> > Instead of print to kmsg any ima_appraise= option passed by the user in case
> > of secure boot being enabled, first check if the state was really changed
> > from its original "enforce" state, otherwise don't print anything.
> 
> Please reword this patch description, removing "Instead of print to
> kmsg".
> 

ack

> > 
> > Signed-off-by: Bruno Meneguele <bmeneg@redhat.com>
> > ---
> >  security/integrity/ima/ima_appraise.c | 16 +++++++++++-----
> >  1 file changed, 11 insertions(+), 5 deletions(-)
> > 
> > diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
> > index 2193b51c2743..000df14f198a 100644
> > --- a/security/integrity/ima/ima_appraise.c
> > +++ b/security/integrity/ima/ima_appraise.c
> > @@ -19,11 +19,7 @@
> >  static int __init default_appraise_setup(char *str)
> >  {
> >  #ifdef CONFIG_IMA_APPRAISE_BOOTPARAM
> > -	if (arch_ima_get_secureboot()) {
> > -		pr_info("Secure boot enabled: ignoring ima_appraise=%s boot parameter option",
> > -			str);
> > -		return 1;
> > -	}
> > +	bool sb_state = arch_ima_get_secureboot();
> >  
> >  	if (strncmp(str, "off", 3) == 0)
> >  		ima_appraise = 0;
> > @@ -35,6 +31,16 @@ static int __init default_appraise_setup(char *str)
> >  		ima_appraise = IMA_APPRAISE_ENFORCE;
> >  	else
> >  		pr_err("invalid \"%s\" appraise option", str);
> > +
> > +	/* If appraisal state was changed, but secure boot is enabled,
> > +	 * reset it to enforced */
> > +	if (sb_state) {
> > +		if (!is_ima_appraise_enabled()) {
> > +			pr_info("Secure boot enabled: ignoring ima_appraise=%s option",
> > +				str);
> > +			ima_appraise = IMA_APPRAISE_ENFORCE;
> > +		}
> > +	}
> 
> Instead of changing ima_appraise and then resetting it back to
> enforcing, how about using a temporary variable instead?  Maybe
> something like:
> 
> if (!is_ima_appraise_enabled())
> 	pr_info( ...)
> else
>    ima_appraise = temporary value
> 

Yes, indeed it would be nice to keep the default state unchanged. Only
thing is that 'is_ima_appraise_enabled()' directly checks 'ima_appraise &
IMA_APPRAISE_ENFORCE', changing to a temp var would require the if() to
check it directly.

I'm going to send a v2 with it changed.

Thanks.

> >  #endif
> >  	return 1;
> >  }
> 
> 

-- 
bmeneg 
PGP Key: http://bmeneg.com/pubkey.txt

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]