From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.8 required=3.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_PATCH,MAILING_LIST_MULTI,SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id DBCCCC3A59E for ; Mon, 2 Sep 2019 11:56:32 +0000 (UTC) Received: from lists.ozlabs.org (lists.ozlabs.org [203.11.71.2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 664BC217D7 for ; Mon, 2 Sep 2019 11:56:32 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 664BC217D7 Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=ellerman.id.au Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=linuxppc-dev-bounces+linuxppc-dev=archiver.kernel.org@lists.ozlabs.org Received: from bilbo.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) by lists.ozlabs.org (Postfix) with ESMTP id 46MT7y1kPczDqgd for ; Mon, 2 Sep 2019 21:56:30 +1000 (AEST) Received: from ozlabs.org (bilbo.ozlabs.org [203.11.71.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 46MT3j1VJFzDqbh for ; Mon, 2 Sep 2019 21:52:49 +1000 (AEST) Authentication-Results: lists.ozlabs.org; dmarc=none (p=none dis=none) header.from=ellerman.id.au Received: by ozlabs.org (Postfix) id 46MT3f2jkGz9sNx; Mon, 2 Sep 2019 21:52:46 +1000 (AEST) Received: from authenticated.ozlabs.org (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mail.ozlabs.org (Postfix) with ESMTPSA id 46MT3f0ptxz9sNk; Mon, 2 Sep 2019 21:52:46 +1000 (AEST) From: Michael Ellerman To: Nayna Jain , linuxppc-dev@ozlabs.org, linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH v5 2/2] powerpc: Add support to initialize ima policy rules In-Reply-To: <1566218108-12705-3-git-send-email-nayna@linux.ibm.com> References: <1566218108-12705-1-git-send-email-nayna@linux.ibm.com> <1566218108-12705-3-git-send-email-nayna@linux.ibm.com> Date: Mon, 02 Sep 2019 21:52:46 +1000 Message-ID: <87sgpesynl.fsf@mpe.ellerman.id.au> MIME-Version: 1.0 Content-Type: text/plain X-BeenThere: linuxppc-dev@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Linux on PowerPC Developers Mail List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Ard Biesheuvel , Eric Ricther , Nayna Jain , Claudio Carvalho , Mimi Zohar , Matthew Garret , Paul Mackerras , Jeremy Kerr , Elaine Palmer , George Wilson Errors-To: linuxppc-dev-bounces+linuxppc-dev=archiver.kernel.org@lists.ozlabs.org Sender: "Linuxppc-dev" Hi Nayna, Some more comments below. Nayna Jain writes: > POWER secure boot relies on the kernel IMA security subsystem to > perform the OS kernel image signature verification. Again this is just a design choice we've made, it's not specified anywhere or anything like that. And it only applies to bare metal secure boot, at least so far. AIUI. > Since each secure > boot mode has different IMA policy requirements, dynamic definition of > the policy rules based on the runtime secure boot mode of the system is > required. On systems that support secure boot, but have it disabled, > only measurement policy rules of the kernel image and modules are > defined. It's probably worth mentioning that we intend to use this in our Linux-based boot loader, which uses kexec, and that's one of the reasons why we're particularly interested in defining the rules for kexec? > This patch defines the arch-specific implementation to retrieve the > secure boot mode of the system and accordingly configures the IMA policy > rules. > > This patch provides arch-specific IMA policies if PPC_SECURE_BOOT > config is enabled. > > Signed-off-by: Nayna Jain > --- > arch/powerpc/Kconfig | 2 ++ > arch/powerpc/kernel/Makefile | 2 +- > arch/powerpc/kernel/ima_arch.c | 50 ++++++++++++++++++++++++++++++++++ > include/linux/ima.h | 3 +- > 4 files changed, 55 insertions(+), 2 deletions(-) > create mode 100644 arch/powerpc/kernel/ima_arch.c > > diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig > index c902a39124dc..42109682b727 100644 > --- a/arch/powerpc/Kconfig > +++ b/arch/powerpc/Kconfig > @@ -917,6 +917,8 @@ config PPC_SECURE_BOOT > bool > default n > depends on PPC64 > + depends on IMA > + depends on IMA_ARCH_POLICY > help > Linux on POWER with firmware secure boot enabled needs to define > security policies to extend secure boot to the OS.This config > diff --git a/arch/powerpc/kernel/Makefile b/arch/powerpc/kernel/Makefile > index d310ebb4e526..520b1c814197 100644 > --- a/arch/powerpc/kernel/Makefile > +++ b/arch/powerpc/kernel/Makefile > @@ -157,7 +157,7 @@ endif > obj-$(CONFIG_EPAPR_PARAVIRT) += epapr_paravirt.o epapr_hcalls.o > obj-$(CONFIG_KVM_GUEST) += kvm.o kvm_emul.o > > -obj-$(CONFIG_PPC_SECURE_BOOT) += secboot.o > +obj-$(CONFIG_PPC_SECURE_BOOT) += secboot.o ima_arch.o > > # Disable GCOV, KCOV & sanitizers in odd or sensitive code > GCOV_PROFILE_prom_init.o := n > diff --git a/arch/powerpc/kernel/ima_arch.c b/arch/powerpc/kernel/ima_arch.c > new file mode 100644 > index 000000000000..ac90fac83338 > --- /dev/null > +++ b/arch/powerpc/kernel/ima_arch.c > @@ -0,0 +1,50 @@ > +// SPDX-License-Identifier: GPL-2.0 > +/* > + * Copyright (C) 2019 IBM Corporation > + * Author: Nayna Jain > + * > + * ima_arch.c > + * - initialize ima policies for PowerPC Secure Boot > + */ > + > +#include > +#include > + > +bool arch_ima_get_secureboot(void) > +{ > + return get_powerpc_secureboot(); > +} > + > +/* > + * File signature verification is not needed, include only measurements > + */ > +static const char *const default_arch_rules[] = { > + "measure func=KEXEC_KERNEL_CHECK", > + "measure func=MODULE_CHECK", > + NULL > +}; The rules above seem fairly self explanatory. > + > +/* Both file signature verification and measurements are needed */ > +static const char *const sb_arch_rules[] = { > + "measure func=KEXEC_KERNEL_CHECK template=ima-modsig", > + "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig", > +#if IS_ENABLED(CONFIG_MODULE_SIG) > + "measure func=MODULE_CHECK", > +#else > + "measure func=MODULE_CHECK template=ima-modsig", > + "appraise func=MODULE_CHECK appraise_type=imasig|modsig", > +#endif But these ones are not so obvious, at least to me who knows very little about IMA. Can you add a one line comment to each of the ones in here saying what it does and why we want it? > + NULL > +}; > + > +/* > + * On PowerPC, file measurements are to be added to the IMA measurement list > + * irrespective of the secure boot state of the system. Why? Just because we think it's useful? Would be good to provide some further justification. * Signature verification > + * is conditionally enabled based on the secure boot state. > + */ > +const char *const *arch_get_ima_policy(void) > +{ > + if (IS_ENABLED(CONFIG_IMA_ARCH_POLICY) && arch_ima_get_secureboot()) > + return sb_arch_rules; > + return default_arch_rules; > +} > diff --git a/include/linux/ima.h b/include/linux/ima.h > index a20ad398d260..10af09b5b478 100644 > --- a/include/linux/ima.h > +++ b/include/linux/ima.h > @@ -29,7 +29,8 @@ extern void ima_kexec_cmdline(const void *buf, int size); > extern void ima_add_kexec_buffer(struct kimage *image); > #endif > > -#if (defined(CONFIG_X86) && defined(CONFIG_EFI)) || defined(CONFIG_S390) > +#if (defined(CONFIG_X86) && defined(CONFIG_EFI)) || defined(CONFIG_S390) \ > + || defined(CONFIG_PPC_SECURE_BOOT) > extern bool arch_ima_get_secureboot(void); > extern const char * const *arch_get_ima_policy(void); > #else cheers