Re: [PATCH v3 2/2] ima: move APPRAISE_BOOTPARAM dependency on ARCH_POLICY to runtime
From: Bruno Meneguele
Date: Mon Jun 29 2020 - 19:47:55 EST
On Fri, Jun 26, 2020 at 04:40:23PM -0400, Mimi Zohar wrote:
> On Tue, 2020-06-23 at 17:26 -0300, Bruno Meneguele wrote:
> <snip>
>
> > diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
> > index edde88dbe576..62dc11a5af01 100644
> > --- a/security/integrity/ima/Kconfig
> > +++ b/security/integrity/ima/Kconfig
> > @@ -232,7 +232,7 @@ config IMA_APPRAISE_REQUIRE_POLICY_SIGS
> >
> > config IMA_APPRAISE_BOOTPARAM
> > bool "ima_appraise boot parameter"
> > - depends on IMA_APPRAISE && !IMA_ARCH_POLICY
> > + depends on IMA_APPRAISE
>
> Ok
>
> > default y
> > help
> > This option enables the different "ima_appraise=" modes
> > diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> > index e493063a3c34..6742f86b6c60 100644
> > --- a/security/integrity/ima/ima_policy.c
> > +++ b/security/integrity/ima/ima_policy.c
> > @@ -732,12 +732,20 @@ void __init ima_init_policy(void)
> > * and custom policies, prior to other appraise rules.
> > * (Highest priority)
> > */
> > - arch_entries = ima_init_arch_policy();
> > - if (!arch_entries)
> > - pr_info("No architecture policies found\n");
> > - else
> > - add_rules(arch_policy_entry, arch_entries,
> > - IMA_DEFAULT_POLICY | IMA_CUSTOM_POLICY);
> > + if (arch_ima_secure_or_trusted_boot()) {
>
> Today only "measure" and "appraise" rules are included in the arch
> specific policy, but someone might decide they want to include "audit"
> rules as well.
>
Right, but both arches (powerpc and x86) using specific arch policies
only add it in case secure and/or trusted boot are enabled. That's why I
considered enclosing the whole arch_policy loading in the secure/trusted
boot checking there. I would say that a fine-grained check for which
action the rules have can be added later, in a separate patchset.
> I'm not if the "secure_boot" flag is available prior to calling
> default_appraise_setup(), but if it is, you could modify the test
> there to also check if the system is booted in secure boot mode (eg.
> IS_ENABLED(CONFIG_IMA_APPRAISE_BOOTPARAM) &&
> !arch_ima_get_secureboot())
>
Well pointed. I built a custom x86 kernel with some workaround to get
this flag status within default_appraise_setup() and as a result the
flag is was correctly available.
Considering the nature of this flag (platform's firmware (in all
arches?)) can we trust that every arch supporting secure/trusted boot
will have it available in the __setup() call time?
> > + /* In secure and/or trusted boot the appraisal must be
> > + * enforced, regardless kernel parameters, preventing
> > + * runtime changes */
>
> Only "appraise" rules are enforced.
>
Hmm.. do you mean the comment wording is wrong/"could be better",
pointing the "appraise" action explicitly?
--
bmeneg
PGP Key: http://bmeneg.com/pubkey.txt
Attachment:
signature.asc
Description: PGP signature