Re: [PATCH] integrity: Allow ima_appraise bootparam to be set when SB is enabled

From: Eric Snowberg
Date: Wed Apr 27 2022 - 12:14:48 EST

> On Apr 26, 2022, at 12:18 PM, Mimi Zohar <zohar@xxxxxxxxxxxxx> wrote:
> On Mon, 2022-04-25 at 18:21 -0400, Eric Snowberg wrote:
>> The IMA_APPRAISE_BOOTPARM config allows enabling different "ima_appraise="
>> modes (log, fix, enforce) to be configured at boot time. When booting
>> with Secure Boot enabled, all modes are ignored except enforce. To use
>> log or fix, Secure Boot must be disabled.
>> With a policy such as:
>> appraise func=BPRM_CHECK appraise_type=imasig
>> A user may just want to audit signature validation. Not all users
>> are interested in full enforcement and find the audit log appropriate
>> for their use case.
>> Add a new IMA_APPRAISE_SB_BOOTPARAM config allowing "ima_appraise="
>> to work when Secure Boot is enabled.
>> Signed-off-by: Eric Snowberg <eric.snowberg@xxxxxxxxxx>
> Since the IMA architecture specific policy rules were first
> upstreamed, either enabling IMA_APPRAISE_BOOTPARAM or IMA_ARCH_POLICY
> was permitted, but not both.

I don’t see code preventing this and just created a config with both of them
enabled. Is this an assumption everyone is supposed to understand?

> This Kconfig negates the assumptions on
> which the CONFIG_IMA_ARCH_POLICY and the ima_appraise_signature() are
> based without any indication of the ramifications. This impacts the
> kexec file syscall lockdown LSM assumptions as well.

I will fix this in the next round

> A fuller, more complete explanation for needing "log" mode when secure
> boot is enabled is required.

and add a more thorough explanation. Thanks.