From: Bruno Meneguele <bmeneg@redhat.com>
To: Mimi Zohar <zohar@linux.ibm.com>
Cc: Nayna <nayna@linux.vnet.ibm.com>,
linux-kernel@vger.kernel.org, x86@kernel.org,
linuxppc-dev@lists.ozlabs.org, linux-s390@vger.kernel.org,
linux-integrity@vger.kernel.org, erichte@linux.ibm.com,
nayna@linux.ibm.com, stable@vger.kernel.org
Subject: Re: [PATCH v6] ima: move APPRAISE_BOOTPARAM dependency on ARCH_POLICY to runtime
Date: Mon, 20 Jul 2020 12:38:41 -0300 [thread overview]
Message-ID: <20200720153841.GG10323@glitch> (raw)
In-Reply-To: <1595257015.5055.8.camel@linux.ibm.com>
[-- Attachment #1: Type: text/plain, Size: 2792 bytes --]
On Mon, Jul 20, 2020 at 10:56:55AM -0400, Mimi Zohar wrote:
> On Mon, 2020-07-20 at 10:40 -0400, Nayna wrote:
> > On 7/13/20 12:48 PM, Bruno Meneguele wrote:
> > > The IMA_APPRAISE_BOOTPARAM config allows enabling different "ima_appraise="
> > > modes - log, fix, enforce - at run time, but not when IMA architecture
> > > specific policies are enabled. This prevents properly labeling the
> > > filesystem on systems where secure boot is supported, but not enabled on the
> > > platform. Only when secure boot is actually enabled should these IMA
> > > appraise modes be disabled.
> > >
> > > This patch removes the compile time dependency and makes it a runtime
> > > decision, based on the secure boot state of that platform.
> > >
> > > Test results as follows:
> > >
> > > -> x86-64 with secure boot enabled
> > >
> > > [ 0.015637] Kernel command line: <...> ima_policy=appraise_tcb ima_appraise=fix
> > > [ 0.015668] ima: Secure boot enabled: ignoring ima_appraise=fix boot parameter option
> > >
>
> Is it common to have two colons in the same line? Is the colon being
> used as a delimiter when parsing the kernel logs? Should the second
> colon be replaced with a hyphen? (No need to repost. I'll fix it
> up.)
>
AFAICS it has been used without any limitations, e.g:
PM: hibernation: Registered nosave memory: [mem 0x00000000-0x00000fff]
clocksource: hpet: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 133484873504 ns
microcode: CPU0: patch_level=0x08701013
Lockdown: modprobe: unsigned module loading is restricted; see man kernel_lockdown.7
...
I'd say we're fine using it.
>
> > > -> powerpc with secure boot disabled
> > >
> > > [ 0.000000] Kernel command line: <...> ima_policy=appraise_tcb ima_appraise=fix
> > > [ 0.000000] Secure boot mode disabled
> > >
> > > -> Running the system without secure boot and with both options set:
> > >
> > > CONFIG_IMA_APPRAISE_BOOTPARAM=y
> > > CONFIG_IMA_ARCH_POLICY=y
> > >
> > > Audit prompts "missing-hash" but still allow execution and, consequently,
> > > filesystem labeling:
> > >
> > > type=INTEGRITY_DATA msg=audit(07/09/2020 12:30:27.778:1691) : pid=4976
> > > uid=root auid=root ses=2
> > > subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op=appraise_data
> > > cause=missing-hash comm=bash name=/usr/bin/evmctl dev="dm-0" ino=493150
> > > res=no
> > >
> > > Cc: stable@vger.kernel.org
> > > Fixes: d958083a8f64 ("x86/ima: define arch_get_ima_policy() for x86")
> > > Signed-off-by: Bruno Meneguele <bmeneg@redhat.com>
> >
> >
> > Reviewed-by: Nayna Jain<nayna@linux.ibm.com>
> > Tested-by: Nayna Jain<nayna@linux.ibm.com>
>
> Thanks, Nayna.
>
> Mimi
>
--
bmeneg
PGP Key: http://bmeneg.com/pubkey.txt
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
WARNING: multiple messages have this Message-ID (diff)
From: Bruno Meneguele <bmeneg@redhat.com>
To: Mimi Zohar <zohar@linux.ibm.com>
Cc: linux-s390@vger.kernel.org, Nayna <nayna@linux.vnet.ibm.com>,
erichte@linux.ibm.com, nayna@linux.ibm.com, x86@kernel.org,
linux-kernel@vger.kernel.org, stable@vger.kernel.org,
linux-integrity@vger.kernel.org, linuxppc-dev@lists.ozlabs.org
Subject: Re: [PATCH v6] ima: move APPRAISE_BOOTPARAM dependency on ARCH_POLICY to runtime
Date: Mon, 20 Jul 2020 12:38:41 -0300 [thread overview]
Message-ID: <20200720153841.GG10323@glitch> (raw)
In-Reply-To: <1595257015.5055.8.camel@linux.ibm.com>
[-- Attachment #1: Type: text/plain, Size: 2792 bytes --]
On Mon, Jul 20, 2020 at 10:56:55AM -0400, Mimi Zohar wrote:
> On Mon, 2020-07-20 at 10:40 -0400, Nayna wrote:
> > On 7/13/20 12:48 PM, Bruno Meneguele wrote:
> > > The IMA_APPRAISE_BOOTPARAM config allows enabling different "ima_appraise="
> > > modes - log, fix, enforce - at run time, but not when IMA architecture
> > > specific policies are enabled. This prevents properly labeling the
> > > filesystem on systems where secure boot is supported, but not enabled on the
> > > platform. Only when secure boot is actually enabled should these IMA
> > > appraise modes be disabled.
> > >
> > > This patch removes the compile time dependency and makes it a runtime
> > > decision, based on the secure boot state of that platform.
> > >
> > > Test results as follows:
> > >
> > > -> x86-64 with secure boot enabled
> > >
> > > [ 0.015637] Kernel command line: <...> ima_policy=appraise_tcb ima_appraise=fix
> > > [ 0.015668] ima: Secure boot enabled: ignoring ima_appraise=fix boot parameter option
> > >
>
> Is it common to have two colons in the same line? Is the colon being
> used as a delimiter when parsing the kernel logs? Should the second
> colon be replaced with a hyphen? (No need to repost. I'll fix it
> up.)
>
AFAICS it has been used without any limitations, e.g:
PM: hibernation: Registered nosave memory: [mem 0x00000000-0x00000fff]
clocksource: hpet: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 133484873504 ns
microcode: CPU0: patch_level=0x08701013
Lockdown: modprobe: unsigned module loading is restricted; see man kernel_lockdown.7
...
I'd say we're fine using it.
>
> > > -> powerpc with secure boot disabled
> > >
> > > [ 0.000000] Kernel command line: <...> ima_policy=appraise_tcb ima_appraise=fix
> > > [ 0.000000] Secure boot mode disabled
> > >
> > > -> Running the system without secure boot and with both options set:
> > >
> > > CONFIG_IMA_APPRAISE_BOOTPARAM=y
> > > CONFIG_IMA_ARCH_POLICY=y
> > >
> > > Audit prompts "missing-hash" but still allow execution and, consequently,
> > > filesystem labeling:
> > >
> > > type=INTEGRITY_DATA msg=audit(07/09/2020 12:30:27.778:1691) : pid=4976
> > > uid=root auid=root ses=2
> > > subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op=appraise_data
> > > cause=missing-hash comm=bash name=/usr/bin/evmctl dev="dm-0" ino=493150
> > > res=no
> > >
> > > Cc: stable@vger.kernel.org
> > > Fixes: d958083a8f64 ("x86/ima: define arch_get_ima_policy() for x86")
> > > Signed-off-by: Bruno Meneguele <bmeneg@redhat.com>
> >
> >
> > Reviewed-by: Nayna Jain<nayna@linux.ibm.com>
> > Tested-by: Nayna Jain<nayna@linux.ibm.com>
>
> Thanks, Nayna.
>
> Mimi
>
--
bmeneg
PGP Key: http://bmeneg.com/pubkey.txt
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
next prev parent reply other threads:[~2020-07-20 16:48 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-07-13 16:48 [PATCH v6] ima: move APPRAISE_BOOTPARAM dependency on ARCH_POLICY to runtime Bruno Meneguele
2020-07-13 16:48 ` Bruno Meneguele
2020-07-17 18:40 ` Bruno Meneguele
2020-07-17 18:40 ` Bruno Meneguele
2020-07-20 14:40 ` Nayna
2020-07-20 14:56 ` Mimi Zohar
2020-07-20 15:38 ` Bruno Meneguele [this message]
2020-07-20 15:38 ` Bruno Meneguele
2020-07-21 17:26 ` Mimi Zohar
2020-07-21 17:26 ` Mimi Zohar
2020-07-21 19:38 ` Bruno Meneguele
2020-07-21 19:38 ` Bruno Meneguele
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200720153841.GG10323@glitch \
--to=bmeneg@redhat.com \
--cc=erichte@linux.ibm.com \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-s390@vger.kernel.org \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=nayna@linux.ibm.com \
--cc=nayna@linux.vnet.ibm.com \
--cc=stable@vger.kernel.org \
--cc=x86@kernel.org \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.