[PATCH v3 0/2] ima: make appraisal state runtime dependent on secure boot

From: Bruno Meneguele <bmeneg@redhat.com>
To: linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: zohar@linux.ibm.com, erichte@linux.ibm.com, nayna@linux.ibm.com,
	Bruno Meneguele <bmeneg@redhat.com>
Subject: [PATCH v3 0/2] ima: make appraisal state runtime dependent on secure boot
Date: Tue, 23 Jun 2020 17:26:38 -0300	[thread overview]
Message-ID: <20200623202640.4936-1-bmeneg@redhat.com> (raw)

To switch APPRAISE_BOOTPARAM and ARCH_POLICY dependency from compile time to
run time the secure boot checking code (specific to each arch) had to be
slightly modified to include, in the PowerPC arch, the Trusted Boot state,
which is also relevant to the arch policy choice and also required the
ima_appraise to be enforced. 

With that I changed the checking order: instead of first check the
arch_policy and then the secure/trusted boot state, now we first check the
boot state, set ima_appraise to be enforced and then the existence of arch
policy. In other words, whenever secure/trusted boot is enabled,
(ima_appraise & IMA_APPRAISE_ENFORCE) == true.

I've tested these patches in a x86_64 platform with and without secure boot
enabled and in a PowerPC without secure boot enabled:

1) with secure boot enabled (x86_64) and ima_policy=appraise_tcb, the
ima_appraise= options were completly ignored and the boot always failed with
"missing-hash" for /sbin/init, which is the expected result;

2) with secure boot enabled (x86_64), but no ima_policy:

[    1.396111] ima: Allocated hash algorithm: sha256
[    1.424025] ima: setting IMA appraisal to enforced
[    1.424039] audit: type=1807 audit(1592927955.557:2): action=measure func=KEXEC_KERNEL_CHECK res=1
[    1.424040] audit: type=1807 audit(1592927955.557:3): action=measure func=MODULE_CHECK res=1

3) with secure boot disabled (PowerPC and x86_64) and
"ima_policy=appraise_tcb ima_appraise=fix", audit messages were triggered
with "op=appraisal_data cause=missing-hash" but the system worked fine due
to "fix".

Bruno Meneguele (2):
  arch/ima: extend secure boot check to include trusted boot
  ima: move APPRAISE_BOOTPARAM dependency on ARCH_POLICY to runtime

 arch/powerpc/kernel/ima_arch.c      |  5 +++--
 arch/s390/kernel/ima_arch.c         |  2 +-
 arch/x86/kernel/ima_arch.c          |  4 ++--
 include/linux/ima.h                 |  4 ++--
 security/integrity/ima/Kconfig      |  2 +-
 security/integrity/ima/ima_main.c   |  2 +-
 security/integrity/ima/ima_policy.c | 20 ++++++++++++++------
 7 files changed, 24 insertions(+), 15 deletions(-)

-- 
2.26.2