[PATCH v3 2/2] ima: move APPRAISE_BOOTPARAM dependency on ARCH_POLICY to runtime

From: Bruno Meneguele <bmeneg@redhat.com>
To: linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: zohar@linux.ibm.com, erichte@linux.ibm.com, nayna@linux.ibm.com,
	Bruno Meneguele <bmeneg@redhat.com>
Subject: [PATCH v3 2/2] ima: move APPRAISE_BOOTPARAM dependency on ARCH_POLICY to runtime
Date: Tue, 23 Jun 2020 17:26:40 -0300	[thread overview]
Message-ID: <20200623202640.4936-3-bmeneg@redhat.com> (raw)
In-Reply-To: <20200623202640.4936-1-bmeneg@redhat.com>

IMA_APPRAISE_BOOTPARAM has been marked as dependent on !IMA_ARCH_POLICY in
compile time, enforcing the appraisal whenever the kernel had the arch
policy option enabled.

However it breaks systems where the option is actually set but the system
wasn't booted in a "secure boot" platform. In this scenario, anytime an
appraisal policy (i.e. ima_policy=appraisal_tcb) is used it will be forced,
giving no chance to the user set the 'fix' state (ima_appraise=fix) to
actually measure system's files.

This patch remove this compile time dependency and move it to a runtime
decision: all architecture that supports it so far (powerpc, x86 and s390)
only enable such specific policies if the secure/trusted boot is actually
enabled in the platform, thus the IMA_APPRAISE_ENFORCE flag is set whenever
the secure/trusted boot state is met, otherwise the kernel paramenter value
passed is used.

Signed-off-by: Bruno Meneguele <bmeneg@redhat.com>
---
 arch/x86/kernel/ima_arch.c          |  3 +--
 security/integrity/ima/Kconfig      |  2 +-
 security/integrity/ima/ima_policy.c | 20 ++++++++++++++------
 3 files changed, 16 insertions(+), 9 deletions(-)

diff --git a/arch/x86/kernel/ima_arch.c b/arch/x86/kernel/ima_arch.c
index 168393d399ba..78fb61b2e480 100644
--- a/arch/x86/kernel/ima_arch.c
+++ b/arch/x86/kernel/ima_arch.c
@@ -85,8 +85,7 @@ static const char * const sb_arch_rules[] = {
 
 const char * const *arch_get_ima_policy(void)
 {
-	if (IS_ENABLED(CONFIG_IMA_ARCH_POLICY) &&
-	    arch_ima_secure_or_tusted_boot()) {
+	if (IS_ENABLED(CONFIG_IMA_ARCH_POLICY)) {
 		if (IS_ENABLED(CONFIG_MODULE_SIG))
 			set_module_sig_enforced();
 		return sb_arch_rules;
diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
index edde88dbe576..62dc11a5af01 100644
--- a/security/integrity/ima/Kconfig
+++ b/security/integrity/ima/Kconfig
@@ -232,7 +232,7 @@ config IMA_APPRAISE_REQUIRE_POLICY_SIGS
 
 config IMA_APPRAISE_BOOTPARAM
 	bool "ima_appraise boot parameter"
-	depends on IMA_APPRAISE && !IMA_ARCH_POLICY
+	depends on IMA_APPRAISE
 	default y
 	help
 	  This option enables the different "ima_appraise=" modes
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index e493063a3c34..6742f86b6c60 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -732,12 +732,20 @@ void __init ima_init_policy(void)
 	 * and custom policies, prior to other appraise rules.
 	 * (Highest priority)
 	 */
-	arch_entries = ima_init_arch_policy();
-	if (!arch_entries)
-		pr_info("No architecture policies found\n");
-	else
-		add_rules(arch_policy_entry, arch_entries,
-			  IMA_DEFAULT_POLICY | IMA_CUSTOM_POLICY);
+	if (arch_ima_secure_or_trusted_boot()) {
+		/* In secure and/or trusted boot the appraisal must be
+		 * enforced, regardless kernel parameters, preventing
+		 * runtime changes */
+		pr_info("setting IMA appraisal to enforced\n");
+		ima_appraise |= IMA_APPRAISE_ENFORCE;
+
+		arch_entries = ima_init_arch_policy();
+		if (!arch_entries)
+			pr_info("No architecture policies found\n");
+		else
+			add_rules(arch_policy_entry, arch_entries,
+				  IMA_DEFAULT_POLICY | IMA_CUSTOM_POLICY);
+	}
 
 	/*
 	 * Insert the builtin "secure_boot" policy rules requiring file
-- 
2.26.2

