Linux-Integrity Archive on lore.kernel.org
 help / color / Atom feed
From: Bruno Meneguele <bmeneg@redhat.com>
To: Mimi Zohar <zohar@linux.ibm.com>
Cc: linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org,
	erichte@linux.ibm.com, nayna@linux.ibm.com
Subject: Re: [PATCH v3 2/2] ima: move APPRAISE_BOOTPARAM dependency on ARCH_POLICY to runtime
Date: Thu, 2 Jul 2020 16:12:50 -0300
Message-ID: <20200702191250.GB3669@glitch> (raw)
In-Reply-To: <20200630170043.GE2944@glitch>


[-- Attachment #1: Type: text/plain, Size: 1829 bytes --]

On Tue, Jun 30, 2020 at 02:00:43PM -0300, Bruno Meneguele wrote:
> On Tue, Jun 30, 2020 at 07:00:48AM -0400, Mimi Zohar wrote:
> > On Mon, 2020-06-29 at 20:47 -0300, Bruno Meneguele wrote:
> > 
> > > 
> > > > I'm not if the "secure_boot" flag is available prior to calling
> > > > default_appraise_setup(), but if it is, you could modify the test
> > > > there to also check if the system is booted in secure boot mode (eg.
> > > > IS_ENABLED(CONFIG_IMA_APPRAISE_BOOTPARAM) &&
> > > > !arch_ima_get_secureboot())
> > > > 
> > > 
> > > Well pointed. I built a custom x86 kernel with some workaround to get
> > > this flag status within default_appraise_setup() and as a result the
> > > flag is was correctly available. 
> > > 
> > > Considering the nature of this flag (platform's firmware (in all
> > > arches?)) can we trust that every arch supporting secure/trusted boot
> > > will have it available in the __setup() call time?
> > 
> > Calling default_appraise_setup() could be deferred.
> > 
> 
> Hmmm.. ok, I'm going to investigate it further.
> Didn't really know that.
> 

After some research on powerpc, x86 and s390 (the only users of arch
policies) codes it's clear that, no matter what, the secure boot flag
will be available even before the kernel cmdline is actually
copied/saved in kernel's memory.

Both powerpc and x86 populate it through setup_arch() call in
init/main.c:kernel_start(), where some early_params are handled, but
nothing about normal (non-early) __setup() params. s390 is a bit deeper
where it gets the flag, right down its boot code, even before
start_kernel().

With that said, it's safe checking it directly from
default_appraise_setup(). I'm going to prepare a v4, test it and post it
tomorrow. 

-- 
bmeneg 
PGP Key: http://bmeneg.com/pubkey.txt

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

  reply index

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-06-23 20:26 [PATCH v3 0/2] ima: make appraisal state runtime dependent on secure boot Bruno Meneguele
2020-06-23 20:26 ` [PATCH v3 1/2] arch/ima: extend secure boot check to include trusted boot Bruno Meneguele
2020-06-26 20:23   ` Mimi Zohar
2020-06-29 23:52     ` Bruno Meneguele
2020-06-23 20:26 ` [PATCH v3 2/2] ima: move APPRAISE_BOOTPARAM dependency on ARCH_POLICY to runtime Bruno Meneguele
2020-06-26 20:40   ` Mimi Zohar
2020-06-29 23:47     ` Bruno Meneguele
2020-06-30 11:00       ` Mimi Zohar
2020-06-30 17:00         ` Bruno Meneguele
2020-07-02 19:12           ` Bruno Meneguele [this message]
2020-06-26 14:46 ` [PATCH v3 0/2] ima: make appraisal state runtime dependent on secure boot Bruno Meneguele

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20200702191250.GB3669@glitch \
    --to=bmeneg@redhat.com \
    --cc=erichte@linux.ibm.com \
    --cc=linux-integrity@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=nayna@linux.ibm.com \
    --cc=zohar@linux.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Linux-Integrity Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-integrity/0 linux-integrity/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-integrity linux-integrity/ https://lore.kernel.org/linux-integrity \
		linux-integrity@vger.kernel.org
	public-inbox-index linux-integrity

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-integrity


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git