Received: by 2002:a25:d7c1:0:0:0:0:0 with SMTP id o184csp2264848ybg; Sat, 19 Oct 2019 11:30:48 -0700 (PDT) X-Google-Smtp-Source: APXvYqxlx8/rP5OI6kSwlPxj6yAF9u/wv5rw6Dc5I8WndSEXD60oFQx/uhVN0Vj1us4C8luVvqeh X-Received: by 2002:a17:907:429c:: with SMTP id ny20mr14068728ejb.234.1571509847943; Sat, 19 Oct 2019 11:30:47 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1571509847; cv=none; d=google.com; s=arc-20160816; b=wEA9zuJ72H8jGNh/+53J//axBzTsAfc1wz3B/0W9QQnIQRRO/OoED++DtuIEE+FBEw IKDtVzKEplzLfs8d4COnbdYFDaE+WW53Reyt4E1mRSMVocwjiHvAR0xaa9Nt8cf6DygP HlH9Gh0w53PiQ4KqS5AzDzgdeM8AC4AbdgoOjgYWYqgjEj/eLq27TWnVdtwpjSDYnyW0 OxAP4sSUXYzN5UuTarO20JDLGRvE5aeV4VSaRHla6qWAsRNF6lmkRcAZ4rrOuQu64psC f1gG+Q+yYJeAOPCHc2ujjjfeGhHoWzUeIXxJwi0yk1Olx2GMp69WD6PPJVIqFEITOgU8 he5w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-language :content-transfer-encoding:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject; bh=NuyikXey+FWAjWmAae3FEjh2InZGPCvnytmNl7D3ECw=; b=lEH2agS00Aikn85pmsm12RcXKGVjaaMe9epazvDtvcVQEcZt65mgR/6L5r3a1v3arm KZMXcGp3Hsd8P4RKsrZLmOM+yftvW0xCV8dYQVuSlZmlPo+skqdvDQdvlGRg9cqIcpZ3 0tfJ0mSJuRhg45A/COeLWggQo3YXot2PIMTbTw3cLbpb52C/jkVSZLzHohxp5aQ0cpgz Bi8nHgMCG59Ah9tJIUa8ZhdAdfIH7F/8PDlffx5OBfXtENqAwbM9iyizLVe2sq3Ikw1E P7J5YiZdkhWYFjRfOn9bQMJfBVOx0jcbTOJr/h9IjbtQ9/UV5b0LrTPwI1Vfa8xIM24R MVFw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id g32si6623623eda.330.2019.10.19.11.30.18; Sat, 19 Oct 2019 11:30:47 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726144AbfJSS1i (ORCPT + 99 others); Sat, 19 Oct 2019 14:27:38 -0400 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:7876 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1726078AbfJSS1i (ORCPT ); Sat, 19 Oct 2019 14:27:38 -0400 Received: from pps.filterd (m0098416.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.27/8.16.0.27) with SMTP id x9JI6gdE139327; Sat, 19 Oct 2019 14:27:14 -0400 Received: from pps.reinject (localhost [127.0.0.1]) by mx0b-001b2d01.pphosted.com with ESMTP id 2vqv3tfb2p-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Sat, 19 Oct 2019 14:27:14 -0400 Received: from m0098416.ppops.net (m0098416.ppops.net [127.0.0.1]) by pps.reinject (8.16.0.27/8.16.0.27) with SMTP id x9JI75Hl140249; Sat, 19 Oct 2019 14:27:14 -0400 Received: from ppma04wdc.us.ibm.com (1a.90.2fa9.ip4.static.sl-reverse.com [169.47.144.26]) by mx0b-001b2d01.pphosted.com with ESMTP id 2vqv3tfb2e-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Sat, 19 Oct 2019 14:27:13 -0400 Received: from pps.filterd (ppma04wdc.us.ibm.com [127.0.0.1]) by ppma04wdc.us.ibm.com (8.16.0.27/8.16.0.27) with SMTP id x9JIPMQS000439; Sat, 19 Oct 2019 18:27:13 GMT Received: from b03cxnp08028.gho.boulder.ibm.com (b03cxnp08028.gho.boulder.ibm.com [9.17.130.20]) by ppma04wdc.us.ibm.com with ESMTP id 2vqt46msw1-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Sat, 19 Oct 2019 18:27:13 +0000 Received: from b03ledav002.gho.boulder.ibm.com (b03ledav002.gho.boulder.ibm.com [9.17.130.233]) by b03cxnp08028.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id x9JIRBnc63373698 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Sat, 19 Oct 2019 18:27:11 GMT Received: from b03ledav002.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 13B36136060; Sat, 19 Oct 2019 18:27:11 +0000 (GMT) Received: from b03ledav002.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 79FD3136051; Sat, 19 Oct 2019 18:27:08 +0000 (GMT) Received: from swastik.ibm.com (unknown [9.85.146.216]) by b03ledav002.gho.boulder.ibm.com (Postfix) with ESMTP; Sat, 19 Oct 2019 18:27:08 +0000 (GMT) Subject: Re: [PATCH v7 4/8] powerpc/ima: add measurement rules to ima arch specific policy To: Michael Ellerman , Nayna Jain , linuxppc-dev@ozlabs.org, linux-efi@vger.kernel.org, linux-integrity@vger.kernel.org Cc: linux-kernel@vger.kernel.org, Benjamin Herrenschmidt , Paul Mackerras , Ard Biesheuvel , Jeremy Kerr , Matthew Garret , Mimi Zohar , Greg Kroah-Hartman , Claudio Carvalho , George Wilson , Elaine Palmer , Eric Ricther , "Oliver O'Halloran" References: <1570497267-13672-1-git-send-email-nayna@linux.ibm.com> <1570497267-13672-5-git-send-email-nayna@linux.ibm.com> <8736fuuu0x.fsf@mpe.ellerman.id.au> From: Nayna Message-ID: <6f1d20dc-fb1e-58ed-a060-1537c19beed0@linux.vnet.ibm.com> Date: Sat, 19 Oct 2019 14:27:07 -0400 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1 MIME-Version: 1.0 In-Reply-To: <8736fuuu0x.fsf@mpe.ellerman.id.au> Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 8bit Content-Language: en-US X-TM-AS-GCONF: 00 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2019-10-19_04:,, signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1908290000 definitions=main-1910190171 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi Michael, On 10/15/2019 07:29 AM, Michael Ellerman wrote: > Nayna Jain writes: >> This patch adds the measurement rules to the arch specific policies on >> trusted boot enabled systems. >> >> Signed-off-by: Nayna Jain >> Reviewed-by: Mimi Zohar >> --- >> arch/powerpc/kernel/ima_arch.c | 45 +++++++++++++++++++++++++++++++--- >> 1 file changed, 42 insertions(+), 3 deletions(-) >> >> diff --git a/arch/powerpc/kernel/ima_arch.c b/arch/powerpc/kernel/ima_arch.c >> index c22d82965eb4..88bfe4a1a9a5 100644 >> --- a/arch/powerpc/kernel/ima_arch.c >> +++ b/arch/powerpc/kernel/ima_arch.c >> @@ -12,8 +12,19 @@ bool arch_ima_get_secureboot(void) >> return is_powerpc_os_secureboot_enabled(); >> } >> >> -/* Defines IMA appraise rules for secureboot */ >> +/* >> + * The "arch_rules" contains both the securebot and trustedboot rules for adding >> + * the kexec kernel image and kernel modules file hashes to the IMA measurement >> + * list and verifying the file signatures against known good values. >> + * >> + * The "appraise_type=imasig|modsig" option allows the good signature to be >> + * stored as an xattr or as an appended signature. The "template=ima-modsig" >> + * option includes the appended signature, when available, in the IMA >> + * measurement list. >> + */ >> static const char *const arch_rules[] = { >> + "measure func=KEXEC_KERNEL_CHECK template=ima-modsig", >> + "measure func=MODULE_CHECK template=ima-modsig", >> "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig", >> #if !IS_ENABLED(CONFIG_MODULE_SIG_FORCE) >> "appraise func=MODULE_CHECK appraise_type=imasig|modsig", >> @@ -22,12 +33,40 @@ static const char *const arch_rules[] = { >> }; >> >> /* >> - * Returns the relevant IMA arch policies based on the system secureboot state. >> + * The "measure_rules" are enabled only on "trustedboot" enabled systems. >> + * These rules add the kexec kernel image and kernel modules file hashes to >> + * the IMA measurement list. >> + */ >> +static const char *const measure_rules[] = { >> + "measure func=KEXEC_KERNEL_CHECK", >> + "measure func=MODULE_CHECK", > Why do these ones not have "template=ima-modsig" on the end? ima-modsig template is applicable only when IMA "collects" the appended signatures. IMA can then include it in the measurement list. > >> + NULL >> +}; >> + >> +/* >> + * Returns the relevant IMA arch policies based on the system secureboot >> + * and trustedboot state. >> */ >> const char *const *arch_get_ima_policy(void) >> { >> - if (is_powerpc_os_secureboot_enabled()) >> + const char *const *rules; >> + int offset = 0; >> + >> + for (rules = arch_rules; *rules != NULL; rules++) { >> + if (strncmp(*rules, "appraise", 8) == 0) >> + break; >> + offset++; >> + } > This seems like kind of a hack, doesn't it? :) > > What we really want is three sets of rules isn't it? But some of them > are shared between the different sets. But they just have to be flat > arrays of strings. > > I think it would probably be cleaner to just use a #define for the > shared part of the rules, eg something like: > > #ifdef CONFIG_MODULE_SIG_FORCE > #define APPRAISE_MODULE > #else > #define APPRAISE_MODULE \ > "appraise func=MODULE_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig", > #endif > > #define APPRAISE_KERNEL \ > "appraise func=KEXEC_KERNEL_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig" > > #define MEASURE_KERNEL \ > "measure func=KEXEC_KERNEL_CHECK" > > #define MEASURE_MODULE \ > "measure func=MODULE_CHECK" > > #define APPEND_TEMPLATE_IMA_MODSIG \ > " template=ima-modsig" > > static const char *const secure_and_trusted_rules[] = { > MEASURE_KERNEL APPEND_TEMPLATE_IMA_MODSIG, > MEASURE_MODULE APPEND_TEMPLATE_IMA_MODSIG, > APPRAISE_KERNEL, > APPRAISE_MODULE > NULL > }; > > static const char *const secure_rules[] = { > APPRAISE_KERNEL, > APPRAISE_MODULE > NULL > }; > > static const char *const trusted_rules[] = { > MEASURE_KERNEL, > MEASURE_MODULE, > NULL > }; Yes, I agree it is sort of a hack to walk through the rules to find the start of the appraise policy.  While trying your suggestion, I realized that defining three arrays, with some rule duplication, can fix the hack without #defines. This also improves readability of the rules. I have just now posted the new version with the changes. Please let me know if this looks ok. Thanks & Regards,      - Nayna