From: Eric Snowberg <eric.snowberg@oracle.com>
To: keyrings@vger.kernel.org, linux-integrity@vger.kernel.org
Cc: dhowells@redhat.com, dwmw2@infradead.org,
dmitry.kasatkin@gmail.com, eric.snowberg@oracle.com,
jmorris@namei.org, jarkko@kernel.org,
linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org, zohar@linux.ibm.com,
torvalds@linux-foundation.org, serge@hallyn.com,
James.Bottomley@HansenPartnership.com, pjones@redhat.com,
glin@suse.com
Subject: [RFC PATCH 3/3] ima: Enable IMA SB Policy if MokIMAPolicy found
Date: Mon, 17 May 2021 18:57:14 -0400 [thread overview]
Message-ID: <20210517225714.498032-4-eric.snowberg@oracle.com> (raw)
In-Reply-To: <20210517225714.498032-1-eric.snowberg@oracle.com>
A new MOK variable called MokIMAPolicy has been introduced in shim.
When this UEFI variable is set, it indicates the end-user has made
the decision that they wish to use the built-in kernel IMA architecture
specific policy base on the run time secure boot flags.
By default, this new MOK variable is not defined. This causes the
IMA architecture specific secure boot policy to be disabled. Since
this changes the current behavior, a new Kconfig option called
IMA_UEFI_ARCH_POLICY has been added.
Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
---
security/integrity/ima/Kconfig | 8 ++++++++
security/integrity/ima/ima_efi.c | 24 ++++++++++++++++++++++++
2 files changed, 32 insertions(+)
diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
index 12e9250c1bec..3773d2d1ddc4 100644
--- a/security/integrity/ima/Kconfig
+++ b/security/integrity/ima/Kconfig
@@ -172,6 +172,14 @@ config IMA_ARCH_POLICY
This option enables loading an IMA architecture specific policy
based on run time secure boot flags.
+config IMA_UEFI_ARCH_POLICY
+ bool "Enable IMA archecture specific policy thru a UEFI variable"
+ depends on IMA_ARCH_POLICY
+ default n
+ help
+ This option allows the IMA archecture specific policy to be
+ enabled or disabled thru a UEFI variable setup thru the shim.
+
config IMA_APPRAISE_BUILD_POLICY
bool "IMA build time configured policy rules"
depends on IMA_APPRAISE && INTEGRITY_ASYMMETRIC_KEYS
diff --git a/security/integrity/ima/ima_efi.c b/security/integrity/ima/ima_efi.c
index 71786d01946f..46873a94c934 100644
--- a/security/integrity/ima/ima_efi.c
+++ b/security/integrity/ima/ima_efi.c
@@ -62,8 +62,32 @@ static const char * const sb_arch_rules[] = {
NULL
};
+static __init int is_uefi_arch_policy_enabled(void)
+{
+ efi_status_t status;
+ unsigned int enabled = 0;
+ unsigned long size = sizeof(enabled);
+ efi_guid_t guid = EFI_SHIM_LOCK_GUID;
+ u32 attr;
+
+ status = efi.get_variable(L"MokIMAPolicy", &guid, &attr, &size, &enabled);
+
+ /*
+ * The EFI_VARIABLE_NON_VOLATILE check is to verify MokIMAPolicy
+ * was set thru the shim mirrioring and not by a user from the host os.
+ * According to the UEFI spec, once EBS is performed, only variables
+ * that have EFI_VARIABLE_RUNTIME_ACCESS & EFI_VARIABLE_NON_VOLATILE
+ * set can be set with SetVariable().
+ */
+ return (status == EFI_SUCCESS && (!(attr & EFI_VARIABLE_NON_VOLATILE)));
+}
+
const char * const *arch_get_ima_policy(void)
{
+ if (IS_ENABLED(CONFIG_IMA_UEFI_ARCH_POLICY))
+ if (!is_uefi_arch_policy_enabled())
+ return NULL;
+
if (IS_ENABLED(CONFIG_IMA_ARCH_POLICY) && arch_ima_get_secureboot()) {
if (IS_ENABLED(CONFIG_MODULE_SIG))
set_module_sig_enforced();
--
2.18.4
next prev parent reply other threads:[~2021-05-17 22:58 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-05-17 22:57 [RFC PATCH 0/3] Add additional MOK vars Eric Snowberg
2021-05-17 22:57 ` [RFC PATCH 1/3] keys: Add ability to trust the platform keyring Eric Snowberg
2021-05-20 15:59 ` Jarkko Sakkinen
2021-05-17 22:57 ` [RFC PATCH 2/3] keys: Trust platform keyring if MokTrustPlatform found Eric Snowberg
2021-05-17 22:57 ` Eric Snowberg [this message]
2021-05-19 7:55 ` [RFC PATCH 0/3] Add additional MOK vars Jarkko Sakkinen
2021-05-19 14:32 ` Mimi Zohar
2021-05-19 22:04 ` Eric Snowberg
2021-05-20 12:22 ` Mimi Zohar
2021-05-20 20:37 ` Eric Snowberg
2021-05-21 11:44 ` Mimi Zohar
2021-05-24 0:57 ` Eric Snowberg
2021-05-24 11:12 ` Mimi Zohar
2021-06-01 15:24 ` Eric Snowberg
2021-05-24 10:09 ` Dr. Greg
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210517225714.498032-4-eric.snowberg@oracle.com \
--to=eric.snowberg@oracle.com \
--cc=James.Bottomley@HansenPartnership.com \
--cc=dhowells@redhat.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=dwmw2@infradead.org \
--cc=glin@suse.com \
--cc=jarkko@kernel.org \
--cc=jmorris@namei.org \
--cc=keyrings@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=pjones@redhat.com \
--cc=serge@hallyn.com \
--cc=torvalds@linux-foundation.org \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.