Linux-Integrity Archive on lore.kernel.org
 help / color / Atom feed
From: Bruno Meneguele <bmeneg@redhat.com>
To: linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: zohar@linux.ibm.com, erichte@linux.ibm.com, nayna@linux.ibm.com
Subject: Re: [PATCH v3 0/2] ima: make appraisal state runtime dependent on secure boot
Date: Fri, 26 Jun 2020 11:46:31 -0300
Message-ID: <20200626144631.GC2702@glitch> (raw)
In-Reply-To: <20200623202640.4936-1-bmeneg@redhat.com>


[-- Attachment #1: Type: text/plain, Size: 2760 bytes --]

Gentle ping for review.

I also forgot to add the changelog for the patch, please see below.

On Tue, Jun 23, 2020 at 05:26:38PM -0300, Bruno Meneguele wrote:
> To switch APPRAISE_BOOTPARAM and ARCH_POLICY dependency from compile time to
> run time the secure boot checking code (specific to each arch) had to be
> slightly modified to include, in the PowerPC arch, the Trusted Boot state,
> which is also relevant to the arch policy choice and also required the
> ima_appraise to be enforced. 
> 
> With that I changed the checking order: instead of first check the
> arch_policy and then the secure/trusted boot state, now we first check the
> boot state, set ima_appraise to be enforced and then the existence of arch
> policy. In other words, whenever secure/trusted boot is enabled,
> (ima_appraise & IMA_APPRAISE_ENFORCE) == true.
> 
> I've tested these patches in a x86_64 platform with and without secure boot
> enabled and in a PowerPC without secure boot enabled:
> 
> 1) with secure boot enabled (x86_64) and ima_policy=appraise_tcb, the
> ima_appraise= options were completly ignored and the boot always failed with
> "missing-hash" for /sbin/init, which is the expected result;
> 
> 2) with secure boot enabled (x86_64), but no ima_policy:
> 
> [    1.396111] ima: Allocated hash algorithm: sha256
> [    1.424025] ima: setting IMA appraisal to enforced
> [    1.424039] audit: type=1807 audit(1592927955.557:2): action=measure func=KEXEC_KERNEL_CHECK res=1
> [    1.424040] audit: type=1807 audit(1592927955.557:3): action=measure func=MODULE_CHECK res=1
> 
> 3) with secure boot disabled (PowerPC and x86_64) and
> "ima_policy=appraise_tcb ima_appraise=fix", audit messages were triggered
> with "op=appraisal_data cause=missing-hash" but the system worked fine due
> to "fix".

Changelog:

v2:
  - pr_info() message prefix correction
v3:
  - extend secure boot arch checker to also consider trusted boot
  - enforce IMA appraisal when secure boot is effectively enabled (Nayna)
  - fix ima_appraise flag assignment by or'ing it (Mimi)

> 
> Bruno Meneguele (2):
>   arch/ima: extend secure boot check to include trusted boot
>   ima: move APPRAISE_BOOTPARAM dependency on ARCH_POLICY to runtime
> 
>  arch/powerpc/kernel/ima_arch.c      |  5 +++--
>  arch/s390/kernel/ima_arch.c         |  2 +-
>  arch/x86/kernel/ima_arch.c          |  4 ++--
>  include/linux/ima.h                 |  4 ++--
>  security/integrity/ima/Kconfig      |  2 +-
>  security/integrity/ima/ima_main.c   |  2 +-
>  security/integrity/ima/ima_policy.c | 20 ++++++++++++++------
>  7 files changed, 24 insertions(+), 15 deletions(-)
> 
> -- 
> 2.26.2
> 

-- 
bmeneg 
PGP Key: http://bmeneg.com/pubkey.txt

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

      parent reply index

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-06-23 20:26 Bruno Meneguele
2020-06-23 20:26 ` [PATCH v3 1/2] arch/ima: extend secure boot check to include trusted boot Bruno Meneguele
2020-06-26 20:23   ` Mimi Zohar
2020-06-29 23:52     ` Bruno Meneguele
2020-06-23 20:26 ` [PATCH v3 2/2] ima: move APPRAISE_BOOTPARAM dependency on ARCH_POLICY to runtime Bruno Meneguele
2020-06-26 20:40   ` Mimi Zohar
2020-06-29 23:47     ` Bruno Meneguele
2020-06-30 11:00       ` Mimi Zohar
2020-06-30 17:00         ` Bruno Meneguele
2020-07-02 19:12           ` Bruno Meneguele
2020-06-26 14:46 ` Bruno Meneguele [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20200626144631.GC2702@glitch \
    --to=bmeneg@redhat.com \
    --cc=erichte@linux.ibm.com \
    --cc=linux-integrity@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=nayna@linux.ibm.com \
    --cc=zohar@linux.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Linux-Integrity Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-integrity/0 linux-integrity/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-integrity linux-integrity/ https://lore.kernel.org/linux-integrity \
		linux-integrity@vger.kernel.org
	public-inbox-index linux-integrity

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-integrity


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git