Re: [PATCH v6 8/8] ima: add FIRMWARE_PARTIAL_READ support

From: Scott Branden
Date: Fri Jun 05 2020 - 19:31:29 EST


Hi Mimi,

On 2020-06-05 4:19 p.m., Mimi Zohar wrote:
Hi Scott,

On Fri, 2020-06-05 at 15:59 -0700, Scott Branden wrote:
@@ -648,6 +667,9 @@ int ima_post_read_file(struct file *file, void *buf, loff_t size,
enum ima_hooks func;
u32 secid;
+ if (!file && read_id == READING_FIRMWARE_PARTIAL_READ)
+ return 0;
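Review bot: the `!file` conjunct in the new check is redundant with the `read_id == READING_FIRMWARE_PARTIAL_READ` test, since, as the reply below points out, whether `file` is set has no bearing on the post-read hook; drop it so the line reads `if (read_id == READING_FIRMWARE_PARTIAL_READ)`. The bare `return 0;` also wants a one-line comment saying where partial reads are measured and appraised instead, because as written it exits before the `READING_FIRMWARE` appraisal branch that follows in this function, and a reader of this hunk alone cannot tell whether that is intentional or an appraisal bypass.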
The file should be measured on the pre security hook, not here on the
post security hook. Here, whether "file" is defined or not, is
irrelevant. The test should just check "read_id".
OK, will remove the !file from here.

Have you tested measuring the firmware by booting a system with
"ima_policy=tcb" specified on the boot command line and compared the
measurement entry in the IMA measurement list with the file hash (eg.
sha1sum, sha256sum)?
Yes, I enabled IMA in my kernel and added ima_policy=tsb to the boot command line.

Here are the entries from /sys/kernel/security/ima/ascii_runtime_measurements of the files I am accessing.
Please let me know if I am doing anything incorrectly.

10 4612bce355b2dbc45ecd95e17001636be8832c7f ima-ng sha1:fddd9a28c2b15acf3b0fc9ec0cf187cb2153d7f2 /lib/firmware/vk-boot1-bcm958401m2.ecdsa.bin
10 4c0eb0fc30eb7ac3a30a27f05c1d2a8d28d6a9ec ima-ng sha1:b16d343dd63352d10309690c71b110762a9444c3 /lib/firmware/vk-boot2-bcm958401m2_a72.ecdsn

The sha1 sum matches:
root@genericx86-64:/sys/kernel/security/ima# sha1sum /lib/firmware/vk-boot1-bcm958401m2.ecdsa.bin
fddd9a28c2b15acf3b0fc9ec0cf187cb2153d7f2 /lib/firmware/vk-boot1-bcm958401m2.ecdsa.bin

root@genericx86-64:/sys/kernel/security/ima# sha1sum /lib/firmware/vk-boot2-bcm958401m2_a72.ecdsa.bin
b16d343dd63352d10309690c71b110762a9444c3 /lib/firmware/vk-boot2-bcm958401m2_a72.ecdsa.bin



Mimi

+
if (!file && read_id == READING_FIRMWARE) {
if ((ima_appraise & IMA_APPRAISE_FIRMWARE) &&
(ima_appraise & IMA_APPRAISE_ENFORCE)) {
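The hash comparison Mimi asked for above (measurement-list entry versus sha1sum of the file) is easy to do by hand for two firmware blobs but tedious for a full list. As an added example, not part of this thread or of the kernel's IMA code, here is a POSIX shell script that parses ascii_runtime_measurements, re-hashes every ima-ng entry's file with the algorithm named in the entry, and reports OK, MISMATCH, MISSING or UNSUPPORTED per path. The firmware blobs and the two measurement lists built by make_demo are constructed sample data (the file names and hashes are made up), not real IMA output.

```shell
#!/bin/sh
# Check IMA measurement-list entries against the files currently on disk.
#
# Input format (one entry per line, ima-ng template, as in
# /sys/kernel/security/ima/ascii_runtime_measurements):
#   <PCR> <template-hash> ima-ng <algo>:<file-hash> <path>
# Each entry's file is re-hashed with "<algo>sum" and compared.
# Return status is 0 only if every ima-ng entry matched.
#
# verify_ima_entries <measurement-list> [root]
#   root is prepended to every path (for example a mounted image);
#   it defaults to "" so paths are taken from the running system.
verify_ima_entries() {
    list="$1"
    root="${2:-}"
    rc=0
    while read -r pcr template_hash template digest path; do
        # Skip non-ima-ng lines (blank lines, other templates) and the
        # boot_aggregate entry, which is a TPM PCR digest, not a file.
        if [ "$template" != "ima-ng" ] || [ "$path" = "boot_aggregate" ]; then
            continue
        fi
        algo="${digest%%:*}"      # e.g. sha1
        want="${digest#*:}"       # hash recorded in the measurement list
        tool="${algo}sum"         # sha1 -> sha1sum, sha256 -> sha256sum, ...
        if ! command -v "$tool" >/dev/null 2>&1; then
            printf 'UNSUPPORTED %s %s\n' "$algo" "$path"; rc=1; continue
        fi
        file="$root$path"
        if [ ! -f "$file" ]; then
            printf 'MISSING %s\n' "$path"; rc=1; continue
        fi
        got=$("$tool" "$file" | cut -d' ' -f1)
        if [ "$got" = "$want" ]; then
            printf 'OK %s\n' "$path"
        else
            printf 'MISMATCH %s expected=%s actual=%s\n' "$path" "$want" "$got"; rc=1
        fi
    done < "$list"
    return "$rc"
}

# Constructed sample data (not real IMA output): two fake firmware blobs,
# a list whose entries all match, and a list with a tampered hash and a
# missing file. Prints the directory it created.
make_demo() {
    dir=$(mktemp -d)
    mkdir -p "$dir/lib/firmware"
    printf 'boot1 firmware payload\n' > "$dir/lib/firmware/vk-boot1.bin"
    printf 'boot2 firmware payload\n' > "$dir/lib/firmware/vk-boot2.bin"
    h1=$(sha1sum "$dir/lib/firmware/vk-boot1.bin" | cut -d' ' -f1)
    h2=$(sha256sum "$dir/lib/firmware/vk-boot2.bin" | cut -d' ' -f1)
    th=0000000000000000000000000000000000000000   # template hash; not used by the check
    bad=ffffffffffffffffffffffffffffffffffffffff  # deliberately wrong file hash
    {
        printf '10 %s ima-ng sha1:%s boot_aggregate\n' "$th" "$th"
        printf '10 %s ima-ng sha1:%s /lib/firmware/vk-boot1.bin\n' "$th" "$h1"
        printf '10 %s ima-ng sha256:%s /lib/firmware/vk-boot2.bin\n' "$th" "$h2"
    } > "$dir/good.list"
    {
        printf '10 %s ima-ng sha1:%s /lib/firmware/vk-boot1.bin\n' "$th" "$bad"
        printf '10 %s ima-ng sha1:%s /lib/firmware/absent.bin\n' "$th" "$bad"
    } > "$dir/bad.list"
    printf '%s\n' "$dir"
}

# On a live IMA-enabled box the call is simply:
#   verify_ima_entries /sys/kernel/security/ima/ascii_runtime_measurements
# Run with --demo to exercise the constructed lists instead.
if [ "${1:-}" = "--demo" ]; then
    d=$(make_demo)
    verify_ima_entries "$d/good.list" "$d"
    verify_ima_entries "$d/bad.list" "$d" || echo "bad.list: problems found (expected)"
    rm -rf "$d"
fi
```

Two caveats for real lists: a MISMATCH only tells you the file on disk now differs from what was measured at load time (a legitimate firmware update after boot looks the same as tampering), and entries recorded with the ima-sig or ima-modsig templates carry an extra signature column that this ima-ng-only parser deliberately skips.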