* [PATCH v2] ima: move APPRAISE_BOOTPARAM dependency on ARCH_POLICY to runtime
@ 2020-06-22 17:27 Bruno Meneguele
2020-06-22 19:01 ` Nayna
2020-06-22 19:28 ` Mimi Zohar
0 siblings, 2 replies; 5+ messages in thread
From: Bruno Meneguele @ 2020-06-22 17:27 UTC (permalink / raw)
To: linux-integrity, linux-kernel
Cc: zohar, erichte, nayna, Bruno Meneguele, stable
IMA_APPRAISE_BOOTPARAM has been marked as dependent on !IMA_ARCH_POLICY in
compile time, enforcing the appraisal whenever the kernel had the arch
policy option enabled.
However it breaks systems where the option is actually set but the system
wasn't booted in a "secure boot" platform. In this scenario, anytime the
an appraisal policy (i.e. ima_policy=appraisal_tcb) is used it will be
forced, giving no chance to the user set the 'fix' state (ima_appraise=fix)
to actually measure system's files.
This patch remove this compile time dependency and move it to a runtime
decision, based on the arch policy loading failure/success.
Cc: stable@vger.kernel.org
Fixes: d958083a8f64 ("x86/ima: define arch_get_ima_policy() for x86")
Signed-off-by: Bruno Meneguele <bmeneg@redhat.com>
---
changes from v1:
- removed "ima:" prefix from pr_info() message
security/integrity/ima/Kconfig | 2 +-
security/integrity/ima/ima_policy.c | 8 ++++++--
2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
index edde88dbe576..62dc11a5af01 100644
--- a/security/integrity/ima/Kconfig
+++ b/security/integrity/ima/Kconfig
@@ -232,7 +232,7 @@ config IMA_APPRAISE_REQUIRE_POLICY_SIGS
config IMA_APPRAISE_BOOTPARAM
bool "ima_appraise boot parameter"
- depends on IMA_APPRAISE && !IMA_ARCH_POLICY
+ depends on IMA_APPRAISE
default y
help
This option enables the different "ima_appraise=" modes
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index e493063a3c34..c876617d4210 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -733,11 +733,15 @@ void __init ima_init_policy(void)
* (Highest priority)
*/
arch_entries = ima_init_arch_policy();
- if (!arch_entries)
+ if (!arch_entries) {
pr_info("No architecture policies found\n");
- else
+ } else {
+ /* Force appraisal, preventing runtime xattr changes */
+ pr_info("setting IMA appraisal to enforced\n");
+ ima_appraise = IMA_APPRAISE_ENFORCE;
add_rules(arch_policy_entry, arch_entries,
IMA_DEFAULT_POLICY | IMA_CUSTOM_POLICY);
+ }
/*
* Insert the builtin "secure_boot" policy rules requiring file
--
2.26.2
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH v2] ima: move APPRAISE_BOOTPARAM dependency on ARCH_POLICY to runtime
2020-06-22 17:27 [PATCH v2] ima: move APPRAISE_BOOTPARAM dependency on ARCH_POLICY to runtime Bruno Meneguele
@ 2020-06-22 19:01 ` Nayna
2020-06-22 19:21 ` Bruno Meneguele
2020-06-22 19:28 ` Mimi Zohar
1 sibling, 1 reply; 5+ messages in thread
From: Nayna @ 2020-06-22 19:01 UTC (permalink / raw)
To: Bruno Meneguele
Cc: linux-integrity, linux-kernel, zohar, erichte, nayna, stable
On 6/22/20 1:27 PM, Bruno Meneguele wrote:
> IMA_APPRAISE_BOOTPARAM has been marked as dependent on !IMA_ARCH_POLICY in
> compile time, enforcing the appraisal whenever the kernel had the arch
> policy option enabled.
>
> However it breaks systems where the option is actually set but the system
> wasn't booted in a "secure boot" platform. In this scenario, anytime the
> an appraisal policy (i.e. ima_policy=appraisal_tcb) is used it will be
> forced, giving no chance to the user set the 'fix' state (ima_appraise=fix)
> to actually measure system's files.
>
> This patch remove this compile time dependency and move it to a runtime
> decision, based on the arch policy loading failure/success.
Thanks for looking at this.
For arch specific policies, kernel signature verification is enabled
based on the secure boot state of the system. Perhaps, enforce the
appraisal as well based on if secure boot is enabled.
Thanks & Regards,
- Nayna
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH v2] ima: move APPRAISE_BOOTPARAM dependency on ARCH_POLICY to runtime
2020-06-22 19:01 ` Nayna
@ 2020-06-22 19:21 ` Bruno Meneguele
0 siblings, 0 replies; 5+ messages in thread
From: Bruno Meneguele @ 2020-06-22 19:21 UTC (permalink / raw)
To: Nayna; +Cc: linux-integrity, linux-kernel, zohar, erichte, nayna, stable
[-- Attachment #1: Type: text/plain, Size: 1266 bytes --]
On Mon, Jun 22, 2020 at 03:01:27PM -0400, Nayna wrote:
>
> On 6/22/20 1:27 PM, Bruno Meneguele wrote:
> > IMA_APPRAISE_BOOTPARAM has been marked as dependent on !IMA_ARCH_POLICY in
> > compile time, enforcing the appraisal whenever the kernel had the arch
> > policy option enabled.
> >
> > However it breaks systems where the option is actually set but the system
> > wasn't booted in a "secure boot" platform. In this scenario, anytime the
> > an appraisal policy (i.e. ima_policy=appraisal_tcb) is used it will be
> > forced, giving no chance to the user set the 'fix' state (ima_appraise=fix)
> > to actually measure system's files.
> >
> > This patch remove this compile time dependency and move it to a runtime
> > decision, based on the arch policy loading failure/success.
>
> Thanks for looking at this.
>
> For arch specific policies, kernel signature verification is enabled based
> on the secure boot state of the system. Perhaps, enforce the appraisal as
> well based on if secure boot is enabled.
>
> Thanks & Regards,
That's a good point.
I'm going to take another look and see where the check fits better and
come back with a new patch(set).
Thanks Nayna.
--
bmeneg
PGP Key: http://bmeneg.com/pubkey.txt
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH v2] ima: move APPRAISE_BOOTPARAM dependency on ARCH_POLICY to runtime
2020-06-22 17:27 [PATCH v2] ima: move APPRAISE_BOOTPARAM dependency on ARCH_POLICY to runtime Bruno Meneguele
2020-06-22 19:01 ` Nayna
@ 2020-06-22 19:28 ` Mimi Zohar
2020-06-22 20:16 ` Bruno Meneguele
1 sibling, 1 reply; 5+ messages in thread
From: Mimi Zohar @ 2020-06-22 19:28 UTC (permalink / raw)
To: Bruno Meneguele, linux-integrity, linux-kernel; +Cc: erichte, nayna, stable
On Mon, 2020-06-22 at 14:27 -0300, Bruno Meneguele wrote:
> IMA_APPRAISE_BOOTPARAM has been marked as dependent on !IMA_ARCH_POLICY in
> compile time, enforcing the appraisal whenever the kernel had the arch
> policy option enabled.
>
> However it breaks systems where the option is actually set but the system
> wasn't booted in a "secure boot" platform. In this scenario, anytime the
> an appraisal policy (i.e. ima_policy=appraisal_tcb) is used it will be
> forced, giving no chance to the user set the 'fix' state (ima_appraise=fix)
> to actually measure system's files.
>
> This patch remove this compile time dependency and move it to a runtime
> decision, based on the arch policy loading failure/success.
>
> Cc: stable@vger.kernel.org
> Fixes: d958083a8f64 ("x86/ima: define arch_get_ima_policy() for x86")
> Signed-off-by: Bruno Meneguele <bmeneg@redhat.com>
> ---
> changes from v1:
> - removed "ima:" prefix from pr_info() message
>
> security/integrity/ima/Kconfig | 2 +-
> security/integrity/ima/ima_policy.c | 8 ++++++--
> 2 files changed, 7 insertions(+), 3 deletions(-)
>
> diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
> index edde88dbe576..62dc11a5af01 100644
> --- a/security/integrity/ima/Kconfig
> +++ b/security/integrity/ima/Kconfig
> @@ -232,7 +232,7 @@ config IMA_APPRAISE_REQUIRE_POLICY_SIGS
>
> config IMA_APPRAISE_BOOTPARAM
> bool "ima_appraise boot parameter"
> - depends on IMA_APPRAISE && !IMA_ARCH_POLICY
> + depends on IMA_APPRAISE
> default y
> help
> This option enables the different "ima_appraise=" modes
> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index e493063a3c34..c876617d4210 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -733,11 +733,15 @@ void __init ima_init_policy(void)
> * (Highest priority)
> */
> arch_entries = ima_init_arch_policy();
> - if (!arch_entries)
> + if (!arch_entries) {
> pr_info("No architecture policies found\n");
> - else
> + } else {
> + /* Force appraisal, preventing runtime xattr changes */
> + pr_info("setting IMA appraisal to enforced\n");
> + ima_appraise = IMA_APPRAISE_ENFORCE;
> add_rules(arch_policy_entry, arch_entries,
> IMA_DEFAULT_POLICY | IMA_CUSTOM_POLICY);
> + }
>
> /*
> * Insert the builtin "secure_boot" policy rules requiring file
CONFIG_IMA_APPRAISE_BOOTPARAM controls the "ima_appraise" mode bits.
The mode bits are or'ed with the MODULES, FIRMWARE, POLICY, and KEXEC
bits, which have already been set in ima_init_arch_policy().
From ima.h:
/* Appraise integrity measurements */
#define IMA_APPRAISE_ENFORCE 0x01
#define IMA_APPRAISE_FIX 0x02
#define IMA_APPRAISE_LOG 0x04
#define IMA_APPRAISE_MODULES 0x08
#define IMA_APPRAISE_FIRMWARE 0x10
#define IMA_APPRAISE_POLICY 0x20
#define IMA_APPRAISE_KEXEC 0x40
As Nayna pointed out, only when an architecture specific "secure boot"
policy is loaded, is this applicable.
Mimi
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH v2] ima: move APPRAISE_BOOTPARAM dependency on ARCH_POLICY to runtime
2020-06-22 19:28 ` Mimi Zohar
@ 2020-06-22 20:16 ` Bruno Meneguele
0 siblings, 0 replies; 5+ messages in thread
From: Bruno Meneguele @ 2020-06-22 20:16 UTC (permalink / raw)
To: Mimi Zohar; +Cc: linux-integrity, linux-kernel, erichte, nayna, stable
[-- Attachment #1: Type: text/plain, Size: 3572 bytes --]
On Mon, Jun 22, 2020 at 03:28:13PM -0400, Mimi Zohar wrote:
> On Mon, 2020-06-22 at 14:27 -0300, Bruno Meneguele wrote:
> > IMA_APPRAISE_BOOTPARAM has been marked as dependent on !IMA_ARCH_POLICY in
> > compile time, enforcing the appraisal whenever the kernel had the arch
> > policy option enabled.
> >
> > However it breaks systems where the option is actually set but the system
> > wasn't booted in a "secure boot" platform. In this scenario, anytime the
> > an appraisal policy (i.e. ima_policy=appraisal_tcb) is used it will be
> > forced, giving no chance to the user set the 'fix' state (ima_appraise=fix)
> > to actually measure system's files.
> >
> > This patch remove this compile time dependency and move it to a runtime
> > decision, based on the arch policy loading failure/success.
> >
> > Cc: stable@vger.kernel.org
> > Fixes: d958083a8f64 ("x86/ima: define arch_get_ima_policy() for x86")
> > Signed-off-by: Bruno Meneguele <bmeneg@redhat.com>
> > ---
> > changes from v1:
> > - removed "ima:" prefix from pr_info() message
> >
> > security/integrity/ima/Kconfig | 2 +-
> > security/integrity/ima/ima_policy.c | 8 ++++++--
> > 2 files changed, 7 insertions(+), 3 deletions(-)
> >
> > diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
> > index edde88dbe576..62dc11a5af01 100644
> > --- a/security/integrity/ima/Kconfig
> > +++ b/security/integrity/ima/Kconfig
> > @@ -232,7 +232,7 @@ config IMA_APPRAISE_REQUIRE_POLICY_SIGS
> >
> > config IMA_APPRAISE_BOOTPARAM
> > bool "ima_appraise boot parameter"
> > - depends on IMA_APPRAISE && !IMA_ARCH_POLICY
> > + depends on IMA_APPRAISE
> > default y
> > help
> > This option enables the different "ima_appraise=" modes
> > diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> > index e493063a3c34..c876617d4210 100644
> > --- a/security/integrity/ima/ima_policy.c
> > +++ b/security/integrity/ima/ima_policy.c
> > @@ -733,11 +733,15 @@ void __init ima_init_policy(void)
> > * (Highest priority)
> > */
> > arch_entries = ima_init_arch_policy();
> > - if (!arch_entries)
> > + if (!arch_entries) {
> > pr_info("No architecture policies found\n");
> > - else
> > + } else {
> > + /* Force appraisal, preventing runtime xattr changes */
> > + pr_info("setting IMA appraisal to enforced\n");
> > + ima_appraise = IMA_APPRAISE_ENFORCE;
> > add_rules(arch_policy_entry, arch_entries,
> > IMA_DEFAULT_POLICY | IMA_CUSTOM_POLICY);
> > + }
> >
> > /*
> > * Insert the builtin "secure_boot" policy rules requiring file
>
> CONFIG_IMA_APPRAISE_BOOTPARAM controls the "ima_appraise" mode bits.
> The mode bits are or'ed with the MODULES, FIRMWARE, POLICY, and KEXEC
> bits, which have already been set in ima_init_arch_policy().
>
Sorry for missing this part! Of course I should've spoted that just my
following ima_appraise down the code.
> From ima.h:
> /* Appraise integrity measurements */
> #define IMA_APPRAISE_ENFORCE 0x01
> #define IMA_APPRAISE_FIX 0x02
> #define IMA_APPRAISE_LOG 0x04
> #define IMA_APPRAISE_MODULES 0x08
> #define IMA_APPRAISE_FIRMWARE 0x10
> #define IMA_APPRAISE_POLICY 0x20
> #define IMA_APPRAISE_KEXEC 0x40
>
> As Nayna pointed out, only when an architecture specific "secure boot"
> policy is loaded, is this applicable.
Yes, will come up with patch covering only this case.
Thanks Mimi!
--
bmeneg
PGP Key: http://bmeneg.com/pubkey.txt
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2020-06-22 20:16 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-06-22 17:27 [PATCH v2] ima: move APPRAISE_BOOTPARAM dependency on ARCH_POLICY to runtime Bruno Meneguele
2020-06-22 19:01 ` Nayna
2020-06-22 19:21 ` Bruno Meneguele
2020-06-22 19:28 ` Mimi Zohar
2020-06-22 20:16 ` Bruno Meneguele
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).