Linux-Integrity Archive on lore.kernel.org
 help / color / Atom feed
From: Bruno Meneguele <bmeneg@redhat.com>
To: linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: zohar@linux.ibm.com, erichte@linux.ibm.com, nayna@linux.ibm.com,
	Bruno Meneguele <bmeneg@redhat.com>
Subject: [PATCH v3 2/2] ima: move APPRAISE_BOOTPARAM dependency on ARCH_POLICY to runtime
Date: Tue, 23 Jun 2020 17:26:40 -0300
Message-ID: <20200623202640.4936-3-bmeneg@redhat.com> (raw)
In-Reply-To: <20200623202640.4936-1-bmeneg@redhat.com>

IMA_APPRAISE_BOOTPARAM has been marked as dependent on !IMA_ARCH_POLICY in
compile time, enforcing the appraisal whenever the kernel had the arch
policy option enabled.

However it breaks systems where the option is actually set but the system
wasn't booted in a "secure boot" platform. In this scenario, anytime an
appraisal policy (i.e. ima_policy=appraisal_tcb) is used it will be forced,
giving no chance to the user set the 'fix' state (ima_appraise=fix) to
actually measure system's files.

This patch remove this compile time dependency and move it to a runtime
decision: all architecture that supports it so far (powerpc, x86 and s390)
only enable such specific policies if the secure/trusted boot is actually
enabled in the platform, thus the IMA_APPRAISE_ENFORCE flag is set whenever
the secure/trusted boot state is met, otherwise the kernel paramenter value
passed is used.

Signed-off-by: Bruno Meneguele <bmeneg@redhat.com>
---
 arch/x86/kernel/ima_arch.c          |  3 +--
 security/integrity/ima/Kconfig      |  2 +-
 security/integrity/ima/ima_policy.c | 20 ++++++++++++++------
 3 files changed, 16 insertions(+), 9 deletions(-)

diff --git a/arch/x86/kernel/ima_arch.c b/arch/x86/kernel/ima_arch.c
index 168393d399ba..78fb61b2e480 100644
--- a/arch/x86/kernel/ima_arch.c
+++ b/arch/x86/kernel/ima_arch.c
@@ -85,8 +85,7 @@ static const char * const sb_arch_rules[] = {
 
 const char * const *arch_get_ima_policy(void)
 {
-	if (IS_ENABLED(CONFIG_IMA_ARCH_POLICY) &&
-	    arch_ima_secure_or_tusted_boot()) {
+	if (IS_ENABLED(CONFIG_IMA_ARCH_POLICY)) {
 		if (IS_ENABLED(CONFIG_MODULE_SIG))
 			set_module_sig_enforced();
 		return sb_arch_rules;
diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
index edde88dbe576..62dc11a5af01 100644
--- a/security/integrity/ima/Kconfig
+++ b/security/integrity/ima/Kconfig
@@ -232,7 +232,7 @@ config IMA_APPRAISE_REQUIRE_POLICY_SIGS
 
 config IMA_APPRAISE_BOOTPARAM
 	bool "ima_appraise boot parameter"
-	depends on IMA_APPRAISE && !IMA_ARCH_POLICY
+	depends on IMA_APPRAISE
 	default y
 	help
 	  This option enables the different "ima_appraise=" modes
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index e493063a3c34..6742f86b6c60 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -732,12 +732,20 @@ void __init ima_init_policy(void)
 	 * and custom policies, prior to other appraise rules.
 	 * (Highest priority)
 	 */
-	arch_entries = ima_init_arch_policy();
-	if (!arch_entries)
-		pr_info("No architecture policies found\n");
-	else
-		add_rules(arch_policy_entry, arch_entries,
-			  IMA_DEFAULT_POLICY | IMA_CUSTOM_POLICY);
+	if (arch_ima_secure_or_trusted_boot()) {
+		/* In secure and/or trusted boot the appraisal must be
+		 * enforced, regardless kernel parameters, preventing
+		 * runtime changes */
+		pr_info("setting IMA appraisal to enforced\n");
+		ima_appraise |= IMA_APPRAISE_ENFORCE;
+
+		arch_entries = ima_init_arch_policy();
+		if (!arch_entries)
+			pr_info("No architecture policies found\n");
+		else
+			add_rules(arch_policy_entry, arch_entries,
+				  IMA_DEFAULT_POLICY | IMA_CUSTOM_POLICY);
+	}
 
 	/*
 	 * Insert the builtin "secure_boot" policy rules requiring file
-- 
2.26.2


  parent reply index

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-06-23 20:26 [PATCH v3 0/2] ima: make appraisal state runtime dependent on secure boot Bruno Meneguele
2020-06-23 20:26 ` [PATCH v3 1/2] arch/ima: extend secure boot check to include trusted boot Bruno Meneguele
2020-06-26 20:23   ` Mimi Zohar
2020-06-29 23:52     ` Bruno Meneguele
2020-06-23 20:26 ` Bruno Meneguele [this message]
2020-06-26 20:40   ` [PATCH v3 2/2] ima: move APPRAISE_BOOTPARAM dependency on ARCH_POLICY to runtime Mimi Zohar
2020-06-29 23:47     ` Bruno Meneguele
2020-06-30 11:00       ` Mimi Zohar
2020-06-30 17:00         ` Bruno Meneguele
2020-07-02 19:12           ` Bruno Meneguele
2020-06-26 14:46 ` [PATCH v3 0/2] ima: make appraisal state runtime dependent on secure boot Bruno Meneguele

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20200623202640.4936-3-bmeneg@redhat.com \
    --to=bmeneg@redhat.com \
    --cc=erichte@linux.ibm.com \
    --cc=linux-integrity@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=nayna@linux.ibm.com \
    --cc=zohar@linux.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Linux-Integrity Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-integrity/0 linux-integrity/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-integrity linux-integrity/ https://lore.kernel.org/linux-integrity \
		linux-integrity@vger.kernel.org
	public-inbox-index linux-integrity

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-integrity


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git