Linux-Integrity Archive on lore.kernel.org
 help / color / Atom feed
From: Bruno Meneguele <bmeneg@redhat.com>
To: Mimi Zohar <zohar@linux.ibm.com>
Cc: linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org,
	erichte@linux.ibm.com, nayna@linux.ibm.com
Subject: Re: [PATCH v3 2/2] ima: move APPRAISE_BOOTPARAM dependency on ARCH_POLICY to runtime
Date: Mon, 29 Jun 2020 20:47:44 -0300
Message-ID: <20200629234744.GA2756@glitch> (raw)
In-Reply-To: <1593204023.27152.476.camel@linux.ibm.com>


[-- Attachment #1: Type: text/plain, Size: 2931 bytes --]

On Fri, Jun 26, 2020 at 04:40:23PM -0400, Mimi Zohar wrote:
> On Tue, 2020-06-23 at 17:26 -0300, Bruno Meneguele wrote:
> <snip>
> 
> > diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
> > index edde88dbe576..62dc11a5af01 100644
> > --- a/security/integrity/ima/Kconfig
> > +++ b/security/integrity/ima/Kconfig
> > @@ -232,7 +232,7 @@ config IMA_APPRAISE_REQUIRE_POLICY_SIGS
> >  
> >  config IMA_APPRAISE_BOOTPARAM
> >  	bool "ima_appraise boot parameter"
> > -	depends on IMA_APPRAISE && !IMA_ARCH_POLICY
> > +	depends on IMA_APPRAISE
> 
> Ok
> 
> >  	default y
> >  	help
> >  	  This option enables the different "ima_appraise=" modes
> > diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> > index e493063a3c34..6742f86b6c60 100644
> > --- a/security/integrity/ima/ima_policy.c
> > +++ b/security/integrity/ima/ima_policy.c
> > @@ -732,12 +732,20 @@ void __init ima_init_policy(void)
> >  	 * and custom policies, prior to other appraise rules.
> >  	 * (Highest priority)
> >  	 */
> > -	arch_entries = ima_init_arch_policy();
> > -	if (!arch_entries)
> > -		pr_info("No architecture policies found\n");
> > -	else
> > -		add_rules(arch_policy_entry, arch_entries,
> > -			  IMA_DEFAULT_POLICY | IMA_CUSTOM_POLICY);
> > +	if (arch_ima_secure_or_trusted_boot()) {
> 
> Today only "measure" and "appraise" rules are included in the arch
> specific policy, but someone might decide they want to include "audit"
> rules as well.
> 

Right, but both arches (powerpc and x86) using specific arch policies
only add it in case secure and/or trusted boot are enabled. That's why I
considered enclosing the whole arch_policy loading in the secure/trusted
boot checking there. I would say that a fine-grained check for which
action the rules have can be added later, in a separate patchset.

> I'm not if the "secure_boot" flag is available prior to calling
> default_appraise_setup(), but if it is, you could modify the test
> there to also check if the system is booted in secure boot mode (eg.
> IS_ENABLED(CONFIG_IMA_APPRAISE_BOOTPARAM) &&
> !arch_ima_get_secureboot())
> 

Well pointed. I built a custom x86 kernel with some workaround to get
this flag status within default_appraise_setup() and as a result the
flag is was correctly available. 

Considering the nature of this flag (platform's firmware (in all
arches?)) can we trust that every arch supporting secure/trusted boot
will have it available in the __setup() call time?

> > +		/* In secure and/or trusted boot the appraisal must be
> > +		 * enforced, regardless kernel parameters, preventing
> > +		 * runtime changes */
> 
> Only "appraise" rules are enforced.
> 

Hmm.. do you mean the comment wording is wrong/"could be better",
pointing the "appraise" action explicitly?

-- 
bmeneg 
PGP Key: http://bmeneg.com/pubkey.txt

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

  reply index

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-06-23 20:26 [PATCH v3 0/2] ima: make appraisal state runtime dependent on secure boot Bruno Meneguele
2020-06-23 20:26 ` [PATCH v3 1/2] arch/ima: extend secure boot check to include trusted boot Bruno Meneguele
2020-06-26 20:23   ` Mimi Zohar
2020-06-29 23:52     ` Bruno Meneguele
2020-06-23 20:26 ` [PATCH v3 2/2] ima: move APPRAISE_BOOTPARAM dependency on ARCH_POLICY to runtime Bruno Meneguele
2020-06-26 20:40   ` Mimi Zohar
2020-06-29 23:47     ` Bruno Meneguele [this message]
2020-06-30 11:00       ` Mimi Zohar
2020-06-30 17:00         ` Bruno Meneguele
2020-07-02 19:12           ` Bruno Meneguele
2020-06-26 14:46 ` [PATCH v3 0/2] ima: make appraisal state runtime dependent on secure boot Bruno Meneguele

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20200629234744.GA2756@glitch \
    --to=bmeneg@redhat.com \
    --cc=erichte@linux.ibm.com \
    --cc=linux-integrity@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=nayna@linux.ibm.com \
    --cc=zohar@linux.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Linux-Integrity Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-integrity/0 linux-integrity/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-integrity linux-integrity/ https://lore.kernel.org/linux-integrity \
		linux-integrity@vger.kernel.org
	public-inbox-index linux-integrity

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-integrity


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git