Linux-Integrity Archive on
 help / color / Atom feed
From: Bruno Meneguele <>
	Bruno Meneguele <>
Subject: [PATCH v3 0/2] ima: make appraisal state runtime dependent on secure boot
Date: Tue, 23 Jun 2020 17:26:38 -0300
Message-ID: <> (raw)

To switch APPRAISE_BOOTPARAM and ARCH_POLICY dependency from compile time to
run time the secure boot checking code (specific to each arch) had to be
slightly modified to include, in the PowerPC arch, the Trusted Boot state,
which is also relevant to the arch policy choice and also required the
ima_appraise to be enforced. 

With that I changed the checking order: instead of first check the
arch_policy and then the secure/trusted boot state, now we first check the
boot state, set ima_appraise to be enforced and then the existence of arch
policy. In other words, whenever secure/trusted boot is enabled,
(ima_appraise & IMA_APPRAISE_ENFORCE) == true.

I've tested these patches in a x86_64 platform with and without secure boot
enabled and in a PowerPC without secure boot enabled:

1) with secure boot enabled (x86_64) and ima_policy=appraise_tcb, the
ima_appraise= options were completly ignored and the boot always failed with
"missing-hash" for /sbin/init, which is the expected result;

2) with secure boot enabled (x86_64), but no ima_policy:

[    1.396111] ima: Allocated hash algorithm: sha256
[    1.424025] ima: setting IMA appraisal to enforced
[    1.424039] audit: type=1807 audit(1592927955.557:2): action=measure func=KEXEC_KERNEL_CHECK res=1
[    1.424040] audit: type=1807 audit(1592927955.557:3): action=measure func=MODULE_CHECK res=1

3) with secure boot disabled (PowerPC and x86_64) and
"ima_policy=appraise_tcb ima_appraise=fix", audit messages were triggered
with "op=appraisal_data cause=missing-hash" but the system worked fine due
to "fix".

Bruno Meneguele (2):
  arch/ima: extend secure boot check to include trusted boot
  ima: move APPRAISE_BOOTPARAM dependency on ARCH_POLICY to runtime

 arch/powerpc/kernel/ima_arch.c      |  5 +++--
 arch/s390/kernel/ima_arch.c         |  2 +-
 arch/x86/kernel/ima_arch.c          |  4 ++--
 include/linux/ima.h                 |  4 ++--
 security/integrity/ima/Kconfig      |  2 +-
 security/integrity/ima/ima_main.c   |  2 +-
 security/integrity/ima/ima_policy.c | 20 ++++++++++++++------
 7 files changed, 24 insertions(+), 15 deletions(-)


             reply index

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-06-23 20:26 Bruno Meneguele [this message]
2020-06-23 20:26 ` [PATCH v3 1/2] arch/ima: extend secure boot check to include trusted boot Bruno Meneguele
2020-06-26 20:23   ` Mimi Zohar
2020-06-29 23:52     ` Bruno Meneguele
2020-06-23 20:26 ` [PATCH v3 2/2] ima: move APPRAISE_BOOTPARAM dependency on ARCH_POLICY to runtime Bruno Meneguele
2020-06-26 20:40   ` Mimi Zohar
2020-06-29 23:47     ` Bruno Meneguele
2020-06-30 11:00       ` Mimi Zohar
2020-06-30 17:00         ` Bruno Meneguele
2020-07-02 19:12           ` Bruno Meneguele
2020-06-26 14:46 ` [PATCH v3 0/2] ima: make appraisal state runtime dependent on secure boot Bruno Meneguele

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \ \ \ \ \ \ \ \

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Linux-Integrity Archive on

Archives are clonable:
	git clone --mirror linux-integrity/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-integrity linux-integrity/ \
	public-inbox-index linux-integrity

Example config snippet for mirrors

Newsgroup available over NNTP:

AGPL code for this site: git clone