Received: by 2002:a25:c593:0:0:0:0:0 with SMTP id v141csp532857ybe; Mon, 2 Sep 2019 05:36:45 -0700 (PDT) X-Google-Smtp-Source: APXvYqwKbaLC5P9x+Xnr0y6cLwUnVDhFDDxx3jrJdAy+odBAJw8itFDkSRTY71LJmjUq2YqEZGrC X-Received: by 2002:a62:f247:: with SMTP id y7mr34089081pfl.236.1567427805229; Mon, 02 Sep 2019 05:36:45 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1567427805; cv=none; d=google.com; s=arc-20160816; b=fRBTFzMliKeQ30GSDj05xusYakXWVtW5FLRfTlz/LtJ6SeE3obTno44k+ZLt2r/Bmp UpmGMYRknFS4VE3Tikth24z64t/hCna/R7tHzrRPgylyUX97ZbiTigQmIdsdt8U3yxao PHUt17zCcFldK9/o9rPUPv50RbYw1yJSVkcMLhW6HYDJ3jtksGw5+wjZdPsT8aLD6k5G BRWHq/ivEpoTJEX4U2RcRN3xhbbNSFT8j4G4z/wkLHc3Q/BvPLQeYIDS6flmgAOeZVBa LW836dWyMqLhgCJ6bNUuCa2dtBxrPjgEd6IWKxKQ93zy/Ai0xeowAhpYDOtX2eshlV3q W+dw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:message-id:date:references :in-reply-to:subject:cc:to:from; bh=v/i+TQQcpPDPV6D6FMsY8z/2WlY8+rZhYFgrr09tqx8=; b=kiBCUeijeaCvj0QntbSfuiE4vqIKTNThPxoyVIJOFTgSU2qVsQq30qGkreMOvz1XQD UizWmjqZNe7C74kiLoG7sRfWsbfquAZ2oogH071BoWTDc2iJ05W8AEKh9IFBdEPgcQxf cx1gWrjngXZfC2je6X4Ifbti0d/wXUID2SWwUhaXJUYG3k3Qs7NoBBfJ9fWouc+M+pMU 3lLuTAd6fzEhygBmXs4WN6xBElCxERiof3YL7N0lJpj5+TzqsXDWTZflfz5aszzbtDWv IbYWgDxzrqqp04d6gT1rl/iOLQL8GUnC+yuIh4lgTdUb4CSoVtTyNEjWjWVzFiLH2bUb 2mXg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id m186si14728147pfb.38.2019.09.02.05.36.29; Mon, 02 Sep 2019 05:36:45 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730730AbfIBLwv (ORCPT + 99 others); Mon, 2 Sep 2019 07:52:51 -0400 Received: from bilbo.ozlabs.org ([203.11.71.1]:46967 "EHLO ozlabs.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731213AbfIBLwt (ORCPT ); Mon, 2 Sep 2019 07:52:49 -0400 Received: from authenticated.ozlabs.org (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mail.ozlabs.org (Postfix) with ESMTPSA id 46MT3f0ptxz9sNk; Mon, 2 Sep 2019 21:52:46 +1000 (AEST) From: Michael Ellerman To: Nayna Jain , linuxppc-dev@ozlabs.org, linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org Cc: Paul Mackerras , Benjamin Herrenschmidt , Ard Biesheuvel , Jeremy Kerr , Matthew Garret , Mimi Zohar , Claudio Carvalho , Elaine Palmer , George Wilson , Eric Ricther , Nayna Jain Subject: Re: [PATCH v5 2/2] powerpc: Add support to initialize ima policy rules In-Reply-To: <1566218108-12705-3-git-send-email-nayna@linux.ibm.com> References: <1566218108-12705-1-git-send-email-nayna@linux.ibm.com> <1566218108-12705-3-git-send-email-nayna@linux.ibm.com> Date: Mon, 02 Sep 2019 21:52:46 +1000 Message-ID: <87sgpesynl.fsf@mpe.ellerman.id.au> MIME-Version: 1.0 Content-Type: text/plain Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi Nayna, Some more comments below. Nayna Jain writes: > POWER secure boot relies on the kernel IMA security subsystem to > perform the OS kernel image signature verification. Again this is just a design choice we've made, it's not specified anywhere or anything like that. And it only applies to bare metal secure boot, at least so far. AIUI. > Since each secure > boot mode has different IMA policy requirements, dynamic definition of > the policy rules based on the runtime secure boot mode of the system is > required. On systems that support secure boot, but have it disabled, > only measurement policy rules of the kernel image and modules are > defined. It's probably worth mentioning that we intend to use this in our Linux-based boot loader, which uses kexec, and that's one of the reasons why we're particularly interested in defining the rules for kexec? > This patch defines the arch-specific implementation to retrieve the > secure boot mode of the system and accordingly configures the IMA policy > rules. > > This patch provides arch-specific IMA policies if PPC_SECURE_BOOT > config is enabled. > > Signed-off-by: Nayna Jain > --- > arch/powerpc/Kconfig | 2 ++ > arch/powerpc/kernel/Makefile | 2 +- > arch/powerpc/kernel/ima_arch.c | 50 ++++++++++++++++++++++++++++++++++ > include/linux/ima.h | 3 +- > 4 files changed, 55 insertions(+), 2 deletions(-) > create mode 100644 arch/powerpc/kernel/ima_arch.c > > diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig > index c902a39124dc..42109682b727 100644 > --- a/arch/powerpc/Kconfig > +++ b/arch/powerpc/Kconfig > @@ -917,6 +917,8 @@ config PPC_SECURE_BOOT > bool > default n > depends on PPC64 > + depends on IMA > + depends on IMA_ARCH_POLICY > help > Linux on POWER with firmware secure boot enabled needs to define > security policies to extend secure boot to the OS.This config > diff --git a/arch/powerpc/kernel/Makefile b/arch/powerpc/kernel/Makefile > index d310ebb4e526..520b1c814197 100644 > --- a/arch/powerpc/kernel/Makefile > +++ b/arch/powerpc/kernel/Makefile > @@ -157,7 +157,7 @@ endif > obj-$(CONFIG_EPAPR_PARAVIRT) += epapr_paravirt.o epapr_hcalls.o > obj-$(CONFIG_KVM_GUEST) += kvm.o kvm_emul.o > > -obj-$(CONFIG_PPC_SECURE_BOOT) += secboot.o > +obj-$(CONFIG_PPC_SECURE_BOOT) += secboot.o ima_arch.o > > # Disable GCOV, KCOV & sanitizers in odd or sensitive code > GCOV_PROFILE_prom_init.o := n > diff --git a/arch/powerpc/kernel/ima_arch.c b/arch/powerpc/kernel/ima_arch.c > new file mode 100644 > index 000000000000..ac90fac83338 > --- /dev/null > +++ b/arch/powerpc/kernel/ima_arch.c > @@ -0,0 +1,50 @@ > +// SPDX-License-Identifier: GPL-2.0 > +/* > + * Copyright (C) 2019 IBM Corporation > + * Author: Nayna Jain > + * > + * ima_arch.c > + * - initialize ima policies for PowerPC Secure Boot > + */ > + > +#include > +#include > + > +bool arch_ima_get_secureboot(void) > +{ > + return get_powerpc_secureboot(); > +} > + > +/* > + * File signature verification is not needed, include only measurements > + */ > +static const char *const default_arch_rules[] = { > + "measure func=KEXEC_KERNEL_CHECK", > + "measure func=MODULE_CHECK", > + NULL > +}; The rules above seem fairly self explanatory. > + > +/* Both file signature verification and measurements are needed */ > +static const char *const sb_arch_rules[] = { > + "measure func=KEXEC_KERNEL_CHECK template=ima-modsig", > + "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig", > +#if IS_ENABLED(CONFIG_MODULE_SIG) > + "measure func=MODULE_CHECK", > +#else > + "measure func=MODULE_CHECK template=ima-modsig", > + "appraise func=MODULE_CHECK appraise_type=imasig|modsig", > +#endif But these ones are not so obvious, at least to me who knows very little about IMA. Can you add a one line comment to each of the ones in here saying what it does and why we want it? > + NULL > +}; > + > +/* > + * On PowerPC, file measurements are to be added to the IMA measurement list > + * irrespective of the secure boot state of the system. Why? Just because we think it's useful? Would be good to provide some further justification. * Signature verification > + * is conditionally enabled based on the secure boot state. > + */ > +const char *const *arch_get_ima_policy(void) > +{ > + if (IS_ENABLED(CONFIG_IMA_ARCH_POLICY) && arch_ima_get_secureboot()) > + return sb_arch_rules; > + return default_arch_rules; > +} > diff --git a/include/linux/ima.h b/include/linux/ima.h > index a20ad398d260..10af09b5b478 100644 > --- a/include/linux/ima.h > +++ b/include/linux/ima.h > @@ -29,7 +29,8 @@ extern void ima_kexec_cmdline(const void *buf, int size); > extern void ima_add_kexec_buffer(struct kimage *image); > #endif > > -#if (defined(CONFIG_X86) && defined(CONFIG_EFI)) || defined(CONFIG_S390) > +#if (defined(CONFIG_X86) && defined(CONFIG_EFI)) || defined(CONFIG_S390) \ > + || defined(CONFIG_PPC_SECURE_BOOT) > extern bool arch_ima_get_secureboot(void); > extern const char * const *arch_get_ima_policy(void); > #else cheers