On Mon, Jul 20, 2020 at 10:56:55AM -0400, Mimi Zohar wrote: > On Mon, 2020-07-20 at 10:40 -0400, Nayna wrote: > > On 7/13/20 12:48 PM, Bruno Meneguele wrote: > > > The IMA_APPRAISE_BOOTPARAM config allows enabling different "ima_appraise=" > > > modes - log, fix, enforce - at run time, but not when IMA architecture > > > specific policies are enabled.  This prevents properly labeling the > > > filesystem on systems where secure boot is supported, but not enabled on the > > > platform.  Only when secure boot is actually enabled should these IMA > > > appraise modes be disabled. > > > > > > This patch removes the compile time dependency and makes it a runtime > > > decision, based on the secure boot state of that platform. > > > > > > Test results as follows: > > > > > > -> x86-64 with secure boot enabled > > > > > > [ 0.015637] Kernel command line: <...> ima_policy=appraise_tcb ima_appraise=fix > > > [ 0.015668] ima: Secure boot enabled: ignoring ima_appraise=fix boot parameter option > > > > > Is it common to have two colons in the same line?  Is the colon being > used as a delimiter when parsing the kernel logs?  Should the second > colon be replaced with a hyphen?  (No need to repost.  I'll fix it > up.) >   AFAICS it has been used without any limitations, e.g: PM: hibernation: Registered nosave memory: [mem 0x00000000-0x00000fff] clocksource: hpet: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 133484873504 ns microcode: CPU0: patch_level=0x08701013 Lockdown: modprobe: unsigned module loading is restricted; see man kernel_lockdown.7 ... I'd say we're fine using it. > > > > -> powerpc with secure boot disabled > > > > > > [ 0.000000] Kernel command line: <...> ima_policy=appraise_tcb ima_appraise=fix > > > [ 0.000000] Secure boot mode disabled > > > > > > -> Running the system without secure boot and with both options set: > > > > > > CONFIG_IMA_APPRAISE_BOOTPARAM=y > > > CONFIG_IMA_ARCH_POLICY=y > > > > > > Audit prompts "missing-hash" but still allow execution and, consequently, > > > filesystem labeling: > > > > > > type=INTEGRITY_DATA msg=audit(07/09/2020 12:30:27.778:1691) : pid=4976 > > > uid=root auid=root ses=2 > > > subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op=appraise_data > > > cause=missing-hash comm=bash name=/usr/bin/evmctl dev="dm-0" ino=493150 > > > res=no > > > > > > Cc: stable@vger.kernel.org > > > Fixes: d958083a8f64 ("x86/ima: define arch_get_ima_policy() for x86") > > > Signed-off-by: Bruno Meneguele > > > > > > Reviewed-by: Nayna Jain > > Tested-by: Nayna Jain > > Thanks, Nayna. > > Mimi > -- bmeneg PGP Key: http://bmeneg.com/pubkey.txt