linux-kernel.vger.kernel.org archive mirror
* [PATCH v3] IMA: Measure kernel version in early boot
@ 2021-01-26  0:50 Raphael Gianotti
  2021-01-26 16:14 ` Mimi Zohar
  0 siblings, 1 reply; 2+ messages in thread
From: Raphael Gianotti @ 2021-01-26  0:50 UTC (permalink / raw)
  To: zohar; +Cc: linux-integrity, linux-kernel, tusharsu, nramas, tyhicks

The integrity of a kernel can be verified by the boot loader on cold
boot, and during kexec, by the current running kernel, before it is
loaded. However, it is still possible that the new kernel being
loaded is older than the current kernel, and/or has known
vulnerabilities. Therefore, it is imperative that an attestation
service be able to verify the version of the kernel being loaded on
the client, from cold boot and subsequent kexec system calls,
ensuring that only kernels with versions known to be good are loaded.

Measure the kernel version using ima_measure_critical_data() early on
in the boot sequence, reducing the chances of known kernel
vulnerabilities being exploited. With IMA being part of the kernel,
this overall approach makes the measurement itself more trustworthy.

To enable measuring the kernel version, "ima_policy=critical_data"
needs to be added to the kernel command line arguments.
For example,
        BOOT_IMAGE=/boot/vmlinuz-5.11.0-rc3+ root=UUID=fd643309-a5d2-4ed3-b10d-3c579a5fab2f ro nomodeset ima_policy=critical_data

If runtime measurement of the kernel version is ever needed, the
following should be added to /etc/ima/ima-policy:

        measure func=CRITICAL_DATA label=kernel_info

To extract the measured data after boot, the following command can be used:

        grep -m 1 "kernel_version" \
        /sys/kernel/security/integrity/ima/ascii_runtime_measurements

Sample output from the command above:

        10 a8297d408e9d5155728b619761d0dd4cedf5ef5f ima-buf
        sha256:5660e19945be0119bc19cbbf8d9c33a09935ab5d30dad48aa11f879c67d70988
        kernel_version 352e31312e302d7263332d31363138372d676564623634666537383234342d6469727479

The above corresponds to the following (decoded) version string:

        5.11.0-rc3-16187-gedb64fe78244-dirty

Signed-off-by: Raphael Gianotti <raphgi@linux.microsoft.com>
---
Change Log v3:
        - Updated critical data label as kernel_info in
          Documentation/ABI/testing/ima_policy
        - Moved the ima_measure_critical_data() call to ima_init()

Change Log v2:
        - Changed the measurement to align with the latest version of
          ima_measure_critical_data(), without the need for queueing
        - Scoped the measurement to only measure the kernel version,
          found in UTS_RELEASE, instead of the entire linux_banner
          string

This patch is based on
commit e58bb688f2e4 "Merge branch 'measure-critical-data' into next-integrity"
in "next-integrity-testing" branch

 Documentation/ABI/testing/ima_policy | 2 +-
 security/integrity/ima/ima_init.c    | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy
index 8365596cb42b..bc8e1cbe5e61 100644
--- a/Documentation/ABI/testing/ima_policy
+++ b/Documentation/ABI/testing/ima_policy
@@ -52,7 +52,7 @@ Description:
 			template:= name of a defined IMA template type
 			(eg, ima-ng). Only valid when action is "measure".
 			pcr:= decimal value
-			label:= [selinux]|[data_label]
+			label:= [selinux]|[kernel_info]|[data_label]
 			data_label:= a unique string used for grouping and limiting critical data.
 			For example, "selinux" to measure critical data for SELinux.
 
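Review bot: the new `label:= [selinux]|[kernel_info]|[data_label]` line adds kernel_info to the grammar, but the explanatory text that follows still describes only data_label and gives "selinux" as its sole example; add a sentence stating what "kernel_info" groups (the kernel version measured from ima_init()), so a reader of the ABI document can tell which events the new label selects in a `measure func=CRITICAL_DATA label=kernel_info` rule.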
diff --git a/security/integrity/ima/ima_init.c b/security/integrity/ima/ima_init.c
index 4902fe7bd570..6e8742916d1d 100644
--- a/security/integrity/ima/ima_init.c
+++ b/security/integrity/ima/ima_init.c
@@ -15,6 +15,8 @@
 #include <linux/scatterlist.h>
 #include <linux/slab.h>
 #include <linux/err.h>
+#include <linux/ima.h>
+#include <generated/utsrelease.h>
 
 #include "ima.h"
 
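Review bot: pulling in `+#include <generated/utsrelease.h>` makes ima_init.o depend on UTS_RELEASE, so the object is rebuilt whenever the release string changes (every commit with CONFIG_LOCALVERSION_AUTO, or a dirty tree as the "-dirty" suffix in the sample output shows); that is acceptable for one small file, but a short comment at the include explaining why the compile-time constant is measured would save the next reader from asking whether a runtime source was considered.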
@@ -147,5 +149,8 @@ int __init ima_init(void)
 
 	ima_init_key_queue();
 
+	ima_measure_critical_data("kernel_info", "kernel_version",
+				  UTS_RELEASE, strlen(UTS_RELEASE), false);
+
 	return rc;
 }
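Review bot: the return value of the call at `+	ima_measure_critical_data("kernel_info", "kernel_version",` is discarded, so a measurement that fails or is skipped leaves no trace in the log or dmesg; consider at least reporting a nonzero return, since an attestation service relying on this event would otherwise see only an absent entry. The trailing `false` argument is also a bare boolean; a one-line comment saying that it measures the raw UTS_RELEASE buffer rather than its hash, which is what the hex-encoded version string in the sample output depends on, would make the call self-explanatory.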
-- 
2.28.0

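The extraction and decoding steps given in the patch description, as an added example that is not part of the patch or the thread: it parses an ima-buf entry from ascii_runtime_measurements, decodes the hex-ASCII kernel_version buffer, checks the d-ng digest over that buffer, and compares the result against an allowlist the way an attestation service would. SAMPLE_LINE is constructed from the quoted sample output; KNOWN_GOOD_VERSIONS, make_entry() and check_kernel_version() are hypothetical names introduced here.

```python
import hashlib

# Constructed from the sample output in the patch description (not a live capture).
SAMPLE_LINE = (
    "10 a8297d408e9d5155728b619761d0dd4cedf5ef5f ima-buf "
    "sha256:5660e19945be0119bc19cbbf8d9c33a09935ab5d30dad48aa11f879c67d70988 "
    "kernel_version 352e31312e302d7263332d31363138372d676564623634666537383234342d6469727479"
)
# Hypothetical allowlist an attestation service would keep; entries are made up.
KNOWN_GOOD_VERSIONS = {"5.11.0-rc3-16187-gedb64fe78244-dirty", "5.10.9-example"}


def parse_ima_buf(line):
    """Split one ascii_runtime_measurements entry using the ima-buf template:
    PCR, template hash, template name, d-ng (algo:digest of the buffer),
    n-ng (event name), buf (hex-encoded buffer)."""
    pcr, template_hash, template, dng, name, buf_hex = line.split()
    if template != "ima-buf":
        raise ValueError("expected an ima-buf entry, got %r" % template)
    algo, digest = dng.split(":", 1)
    buf = bytes.fromhex(buf_hex)
    return {
        "pcr": int(pcr), "template_hash": template_hash, "algo": algo,
        "digest": digest, "name": name, "buf": buf,
        # d-ng is the digest of the buffer itself, so an entry whose buf was
        # edited after the fact no longer matches its own digest.
        "digest_ok": hashlib.new(algo, buf).hexdigest() == digest,
    }


def decode_kernel_version(entry):
    """Return the version string in a kernel_version entry (what `xxd -r -p`
    yields on the buf field)."""
    if entry["name"] != "kernel_version":
        raise ValueError("not a kernel_version event: %r" % entry["name"])
    return entry["buf"].decode("ascii")


def make_entry(version, pcr=10):
    """Build a self-consistent ima-buf line for a version string. The template
    hash is a placeholder: this example recomputes d-ng only."""
    buf = version.encode("ascii")
    return "%d %s ima-buf sha256:%s kernel_version %s" % (
        pcr, "0" * 40, hashlib.sha256(buf).hexdigest(), buf.hex())


def check_kernel_version(line, allowlist=KNOWN_GOOD_VERSIONS):
    """Attestation-style verdict: entry self-consistent and version allowlisted."""
    entry = parse_ima_buf(line)
    return entry["digest_ok"] and decode_kernel_version(entry) in allowlist
```

Running check_kernel_version() over the `grep -m 1 "kernel_version"` output from the description gives the verdict for the booted kernel; make_entry() exists only so the digest check can be exercised on constructed input.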


* Re: [PATCH v3] IMA: Measure kernel version in early boot
  2021-01-26  0:50 [PATCH v3] IMA: Measure kernel version in early boot Raphael Gianotti
@ 2021-01-26 16:14 ` Mimi Zohar
  0 siblings, 0 replies; 2+ messages in thread
From: Mimi Zohar @ 2021-01-26 16:14 UTC (permalink / raw)
  To: Raphael Gianotti; +Cc: linux-integrity, linux-kernel, tusharsu, nramas, tyhicks

On Mon, 2021-01-25 at 16:50 -0800, Raphael Gianotti wrote:
> The integrity of a kernel can be verified by the boot loader on cold
> boot, and during kexec, by the current running kernel, before it is
> loaded. However, it is still possible that the new kernel being
> loaded is older than the current kernel, and/or has known
> vulnerabilities. Therefore, it is imperative that an attestation
> service be able to verify the version of the kernel being loaded on
> the client, from cold boot and subsequent kexec system calls,
> ensuring that only kernels with versions known to be good are loaded.
> 
> Measure the kernel version using ima_measure_critical_data() early on
> in the boot sequence, reducing the chances of known kernel
> vulnerabilities being exploited. With IMA being part of the kernel,
> this overall approach makes the measurement itself more trustworthy.
> 
> To enable measuring the kernel version "ima_policy=critical_data"
> needs to be added to the kernel command line arguments.
> For example,
>         BOOT_IMAGE=/boot/vmlinuz-5.11.0-rc3+ root=UUID=fd643309-a5d2-4ed3-b10d-3c579a5fab2f ro nomodeset ima_policy=critical_data
> 
> If runtime measurement of the kernel version is ever needed, the
> following should be added to /etc/ima/ima-policy:
> 
>         measure func=CRITICAL_DATA label=kernel_info
> 
> To extract the measured data after boot, the following command can be used:
> 
>         grep -m 1 "kernel_version" \
>         /sys/kernel/security/integrity/ima/ascii_runtime_measurements
> 
> Sample output from the command above:
> 
>         10 a8297d408e9d5155728b619761d0dd4cedf5ef5f ima-buf
>         sha256:5660e19945be0119bc19cbbf8d9c33a09935ab5d30dad48aa11f879c67d70988
>         kernel_version 352e31312e302d7263332d31363138372d676564623634666537383234342d6469727479
> 
> The above corresponds to the following (decoded) version string:

Instead of the above, the following is clearer.

    The above hex-ascii string corresponds to the kernel version
    (e.g. xxd -r -p):
> 
>         5.11.0-rc3-16187-gedb64fe78244-dirty

> 
> Signed-off-by: Raphael Gianotti <raphgi@linux.microsoft.com>

Assuming the above or similar change,

Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

