* [meta-security] [dunfell] [PATCH 0/3] Backport several IMA fixes to LTS dunfell
@ 2021-04-19 6:41 Ming Liu
2021-04-19 6:41 ` [meta-security] [dunfell] [PATCH 1/3] ima-evm-keys: add file-checksums to IMA_EVM_X509 Ming Liu
` (4 more replies)
0 siblings, 5 replies; 6+ messages in thread
From: Ming Liu @ 2021-04-19 6:41 UTC (permalink / raw)
To: yocto; +Cc: akuster808, sergio.prado, Ming Liu
From: Ming Liu <ming.liu@toradex.com>
Ming Liu (3):
ima-evm-keys: add file-checksums to IMA_EVM_X509
meta: drop IMA_POLICY from policy recipes
initramfs-framework-ima: introduce IMA_FORCE
.../initrdscripts/initramfs-framework-ima.bb | 5 +++++
.../initrdscripts/initramfs-framework-ima/ima | 9 +++++++--
.../recipes-security/ima-evm-keys/ima-evm-keys_1.0.bb | 1 +
.../ima-policy-appraise-all_1.0.bb | 9 ++-------
.../ima_policy_hashed/ima-policy-hashed_1.0.bb | 9 ++-------
.../ima_policy_simple/ima-policy-simple_1.0.bb | 9 ++-------
6 files changed, 19 insertions(+), 23 deletions(-)
--
2.29.0
^ permalink raw reply [flat|nested] 6+ messages in thread
* [meta-security] [dunfell] [PATCH 1/3] ima-evm-keys: add file-checksums to IMA_EVM_X509
2021-04-19 6:41 [meta-security] [dunfell] [PATCH 0/3] Backport several IMA fixes to LTS dunfell Ming Liu
@ 2021-04-19 6:41 ` Ming Liu
2021-04-19 6:41 ` [meta-security] [dunfell] [PATCH 2/3] meta: drop IMA_POLICY from policy recipes Ming Liu
` (3 subsequent siblings)
4 siblings, 0 replies; 6+ messages in thread
From: Ming Liu @ 2021-04-19 6:41 UTC (permalink / raw)
To: yocto; +Cc: akuster808, sergio.prado, Ming Liu
From: Ming Liu <liu.ming50@gmail.com>
This ensures when a end user change the IMA_EVM_X509 key file,
ima-evm-keys recipe will be rebuilt.
Signed-off-by: Ming Liu <liu.ming50@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
meta-integrity/recipes-security/ima-evm-keys/ima-evm-keys_1.0.bb | 1 +
1 file changed, 1 insertion(+)
diff --git a/meta-integrity/recipes-security/ima-evm-keys/ima-evm-keys_1.0.bb b/meta-integrity/recipes-security/ima-evm-keys/ima-evm-keys_1.0.bb
index 62685bb..7708aef 100644
--- a/meta-integrity/recipes-security/ima-evm-keys/ima-evm-keys_1.0.bb
+++ b/meta-integrity/recipes-security/ima-evm-keys/ima-evm-keys_1.0.bb
@@ -14,3 +14,4 @@ do_install () {
lnr ${D}${sysconfdir}/keys/x509_evm.der ${D}${sysconfdir}/keys/x509_ima.der
fi
}
+do_install[file-checksums] += "${@'${IMA_EVM_X509}:%s' % os.path.exists('${IMA_EVM_X509}')}"
--
2.29.0
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [meta-security] [dunfell] [PATCH 2/3] meta: drop IMA_POLICY from policy recipes
2021-04-19 6:41 [meta-security] [dunfell] [PATCH 0/3] Backport several IMA fixes to LTS dunfell Ming Liu
2021-04-19 6:41 ` [meta-security] [dunfell] [PATCH 1/3] ima-evm-keys: add file-checksums to IMA_EVM_X509 Ming Liu
@ 2021-04-19 6:41 ` Ming Liu
2021-04-19 6:41 ` [meta-security] [dunfell] [PATCH 3/3] initramfs-framework-ima: introduce IMA_FORCE Ming Liu
` (2 subsequent siblings)
4 siblings, 0 replies; 6+ messages in thread
From: Ming Liu @ 2021-04-19 6:41 UTC (permalink / raw)
To: yocto; +Cc: akuster808, sergio.prado, Ming Liu
From: Ming Liu <liu.ming50@gmail.com>
IMA_POLICY is being referred as policy recipe name in some places and it
is also being referred as policy file in other places, they are
conflicting with each other which make it impossible to set a IMA_POLICY
global variable in config file.
Fix it by dropping IMA_POLICY definitions from policy recipes
Signed-off-by: Ming Liu <liu.ming50@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../ima-policy-appraise-all_1.0.bb | 9 ++-------
.../ima_policy_hashed/ima-policy-hashed_1.0.bb | 9 ++-------
.../ima_policy_simple/ima-policy-simple_1.0.bb | 9 ++-------
3 files changed, 6 insertions(+), 21 deletions(-)
diff --git a/meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb b/meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb
index da62a4c..84ea161 100644
--- a/meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb
+++ b/meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb
@@ -2,19 +2,14 @@ SUMMARY = "IMA sample simple appraise policy "
LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
-# This policy file will get installed as /etc/ima/ima-policy.
-# It is located via the normal file search path, so a .bbappend
-# to this recipe can just point towards one of its own files.
-IMA_POLICY ?= "ima_policy_appraise_all"
-
-SRC_URI = " file://${IMA_POLICY}"
+SRC_URI = " file://ima_policy_appraise_all"
inherit features_check
REQUIRED_DISTRO_FEATURES = "ima"
do_install () {
install -d ${D}/${sysconfdir}/ima
- install ${WORKDIR}/${IMA_POLICY} ${D}/${sysconfdir}/ima/ima-policy
+ install ${WORKDIR}/ima_policy_appraise_all ${D}/${sysconfdir}/ima/ima-policy
}
FILES_${PN} = "${sysconfdir}/ima"
diff --git a/meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb b/meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb
index ebb0426..ff7169e 100644
--- a/meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb
+++ b/meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb
@@ -2,13 +2,8 @@ SUMMARY = "IMA sample hash policy"
LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
-# This policy file will get installed as /etc/ima/ima-policy.
-# It is located via the normal file search path, so a .bbappend
-# to this recipe can just point towards one of its own files.
-IMA_POLICY ?= "ima_policy_hashed"
-
SRC_URI = " \
- file://${IMA_POLICY} \
+ file://ima_policy_hashed \
"
inherit features_check
@@ -16,7 +11,7 @@ REQUIRED_DISTRO_FEATURES = "ima"
do_install () {
install -d ${D}/${sysconfdir}/ima
- install ${WORKDIR}/${IMA_POLICY} ${D}/${sysconfdir}/ima/ima-policy
+ install ${WORKDIR}/ima_policy_hashed ${D}/${sysconfdir}/ima/ima-policy
}
FILES_${PN} = "${sysconfdir}/ima"
diff --git a/meta-integrity/recipes-security/ima_policy_simple/ima-policy-simple_1.0.bb b/meta-integrity/recipes-security/ima_policy_simple/ima-policy-simple_1.0.bb
index cb4b6b8..0e56aec 100644
--- a/meta-integrity/recipes-security/ima_policy_simple/ima-policy-simple_1.0.bb
+++ b/meta-integrity/recipes-security/ima_policy_simple/ima-policy-simple_1.0.bb
@@ -2,19 +2,14 @@ SUMMARY = "IMA sample simple policy"
LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
-# This policy file will get installed as /etc/ima/ima-policy.
-# It is located via the normal file search path, so a .bbappend
-# to this recipe can just point towards one of its own files.
-IMA_POLICY ?= "ima_policy_simple"
-
-SRC_URI = " file://${IMA_POLICY}"
+SRC_URI = " file://ima_policy_simple"
inherit features_check
REQUIRED_DISTRO_FEATURES = "ima"
do_install () {
install -d ${D}/${sysconfdir}/ima
- install ${WORKDIR}/${IMA_POLICY} ${D}/${sysconfdir}/ima/ima-policy
+ install ${WORKDIR}/ima_policy_simple ${D}/${sysconfdir}/ima/ima-policy
}
FILES_${PN} = "${sysconfdir}/ima"
--
2.29.0
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [meta-security] [dunfell] [PATCH 3/3] initramfs-framework-ima: introduce IMA_FORCE
2021-04-19 6:41 [meta-security] [dunfell] [PATCH 0/3] Backport several IMA fixes to LTS dunfell Ming Liu
2021-04-19 6:41 ` [meta-security] [dunfell] [PATCH 1/3] ima-evm-keys: add file-checksums to IMA_EVM_X509 Ming Liu
2021-04-19 6:41 ` [meta-security] [dunfell] [PATCH 2/3] meta: drop IMA_POLICY from policy recipes Ming Liu
@ 2021-04-19 6:41 ` Ming Liu
2021-04-26 18:04 ` [meta-security] [dunfell] [PATCH 0/3] Backport several IMA fixes to LTS dunfell Armin Kuster
2021-04-28 23:01 ` Armin Kuster
4 siblings, 0 replies; 6+ messages in thread
From: Ming Liu @ 2021-04-19 6:41 UTC (permalink / raw)
To: yocto; +Cc: akuster808, sergio.prado, Ming Liu
From: Ming Liu <liu.ming50@gmail.com>
Introduce IMA_FORCE to allow the IMA policy be applied forcely even
'no_ima' boot parameter is available.
This ensures the end users have a way to disable 'no_ima' support if
they want to, because it may expose a security risk if an attacker can
find a way to change kernel arguments, it will easily bypass rootfs
authenticity checks.
Signed-off-by: Sergio Prado <sergio.prado@toradex.com>
Signed-off-by: Ming Liu <liu.ming50@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../initrdscripts/initramfs-framework-ima.bb | 5 +++++
.../initrdscripts/initramfs-framework-ima/ima | 9 +++++++--
2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb b/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb
index 77f6f7c..6471c53 100644
--- a/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb
+++ b/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb
@@ -14,6 +14,9 @@ LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384
# to this recipe can just point towards one of its own files.
IMA_POLICY ?= "ima-policy-hashed"
+# Force proceed IMA procedure even 'no_ima' boot parameter is available.
+IMA_FORCE ?= "false"
+
SRC_URI = " file://ima"
inherit features_check
@@ -23,6 +26,8 @@ do_install () {
install -d ${D}/${sysconfdir}/ima
install -d ${D}/init.d
install ${WORKDIR}/ima ${D}/init.d/20-ima
+
+ sed -i "s/@@FORCE_IMA@@/${IMA_FORCE}/g" ${D}/init.d/20-ima
}
FILES_${PN} = "/init.d ${sysconfdir}"
diff --git a/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima b/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima
index cff26a3..8971494 100644
--- a/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima
+++ b/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima
@@ -2,11 +2,16 @@
#
# Loads IMA policy into the kernel.
+force_ima=@@FORCE_IMA@@
+
ima_enabled() {
- if [ "$bootparam_no_ima" = "true" ]; then
+ if [ "$force_ima" = "true" ]; then
+ return 0
+ elif [ "$bootparam_no_ima" = "true" ]; then
return 1
+ else
+ return 0
fi
- return 0
}
ima_run() {
--
2.29.0
^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [meta-security] [dunfell] [PATCH 0/3] Backport several IMA fixes to LTS dunfell
2021-04-19 6:41 [meta-security] [dunfell] [PATCH 0/3] Backport several IMA fixes to LTS dunfell Ming Liu
` (2 preceding siblings ...)
2021-04-19 6:41 ` [meta-security] [dunfell] [PATCH 3/3] initramfs-framework-ima: introduce IMA_FORCE Ming Liu
@ 2021-04-26 18:04 ` Armin Kuster
2021-04-28 23:01 ` Armin Kuster
4 siblings, 0 replies; 6+ messages in thread
From: Armin Kuster @ 2021-04-26 18:04 UTC (permalink / raw)
To: liu.ming50, yocto; +Cc: sergio.prado, Ming Liu
On 4/18/21 11:41 PM, liu.ming50@gmail.com wrote:
> From: Ming Liu <ming.liu@toradex.com>
I have not forgotten about these. My build system is backlogged.
I hope to process these by this weekend.
-armin
>
> Ming Liu (3):
> ima-evm-keys: add file-checksums to IMA_EVM_X509
> meta: drop IMA_POLICY from policy recipes
> initramfs-framework-ima: introduce IMA_FORCE
>
> .../initrdscripts/initramfs-framework-ima.bb | 5 +++++
> .../initrdscripts/initramfs-framework-ima/ima | 9 +++++++--
> .../recipes-security/ima-evm-keys/ima-evm-keys_1.0.bb | 1 +
> .../ima-policy-appraise-all_1.0.bb | 9 ++-------
> .../ima_policy_hashed/ima-policy-hashed_1.0.bb | 9 ++-------
> .../ima_policy_simple/ima-policy-simple_1.0.bb | 9 ++-------
> 6 files changed, 19 insertions(+), 23 deletions(-)
>
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [meta-security] [dunfell] [PATCH 0/3] Backport several IMA fixes to LTS dunfell
2021-04-19 6:41 [meta-security] [dunfell] [PATCH 0/3] Backport several IMA fixes to LTS dunfell Ming Liu
` (3 preceding siblings ...)
2021-04-26 18:04 ` [meta-security] [dunfell] [PATCH 0/3] Backport several IMA fixes to LTS dunfell Armin Kuster
@ 2021-04-28 23:01 ` Armin Kuster
4 siblings, 0 replies; 6+ messages in thread
From: Armin Kuster @ 2021-04-28 23:01 UTC (permalink / raw)
To: liu.ming50, yocto; +Cc: sergio.prado, Ming Liu
merged.
thanks
On 4/18/21 11:41 PM, liu.ming50@gmail.com wrote:
> From: Ming Liu <ming.liu@toradex.com>
>
> Ming Liu (3):
> ima-evm-keys: add file-checksums to IMA_EVM_X509
> meta: drop IMA_POLICY from policy recipes
> initramfs-framework-ima: introduce IMA_FORCE
>
> .../initrdscripts/initramfs-framework-ima.bb | 5 +++++
> .../initrdscripts/initramfs-framework-ima/ima | 9 +++++++--
> .../recipes-security/ima-evm-keys/ima-evm-keys_1.0.bb | 1 +
> .../ima-policy-appraise-all_1.0.bb | 9 ++-------
> .../ima_policy_hashed/ima-policy-hashed_1.0.bb | 9 ++-------
> .../ima_policy_simple/ima-policy-simple_1.0.bb | 9 ++-------
> 6 files changed, 19 insertions(+), 23 deletions(-)
>
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2021-04-28 23:01 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-04-19 6:41 [meta-security] [dunfell] [PATCH 0/3] Backport several IMA fixes to LTS dunfell Ming Liu
2021-04-19 6:41 ` [meta-security] [dunfell] [PATCH 1/3] ima-evm-keys: add file-checksums to IMA_EVM_X509 Ming Liu
2021-04-19 6:41 ` [meta-security] [dunfell] [PATCH 2/3] meta: drop IMA_POLICY from policy recipes Ming Liu
2021-04-19 6:41 ` [meta-security] [dunfell] [PATCH 3/3] initramfs-framework-ima: introduce IMA_FORCE Ming Liu
2021-04-26 18:04 ` [meta-security] [dunfell] [PATCH 0/3] Backport several IMA fixes to LTS dunfell Armin Kuster
2021-04-28 23:01 ` Armin Kuster
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.