Received: by 2002:a05:6902:102b:0:0:0:0 with SMTP id x11csp26505ybt;
        Tue, 23 Jun 2020 14:20:57 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJwZef+fiiKsBJMTlVE/O3rlLl4z0to3DBUhunQHTS11TxjnWM53WM7zRDNh3hHHn+RVBfQ9
X-Received: by 2002:a17:907:4240:: with SMTP id oi24mr3880038ejb.23.1592947257321;
        Tue, 23 Jun 2020 14:20:57 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1592947257; cv=none;
        d=google.com; s=arc-20160816;
        b=X6JAFIeIrW4SFZi56O0CRC+6RCHIqUx4zgqskNDq6epsdjvrx6DAR6ZDk7ItpR/cqv
         UcMwzEwK7LFFkaY0hl3opiwUV1YlBySushSOcxAJNz6xWllK01XF/HLscAziQEoeDp00
         1FwUe6N1UFLn35TtibJgEoUH3nLLu6m8PjIxBxrw00Z/RI04SnLWNEE7tFXSBLkzbUg5
         DCAkVxo3V4k5uQ+1xRQgFl5IE3PJhhjqV6HBhclrxmUJAGxF0T3bZD7R5mxT7CsGzlaz
         5SI/9p0IBg17s3dV6m83CekbhS0u5iBZMugN4seyyS4cHMJh3lwD5+xuamnVvHdA0mza
         pJqg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :message-id:date:subject:cc:to:from:dkim-signature;
        bh=LsRPxMKdg3wg3/L+rwnuc4Avfs5K49uylfJOpJywC20=;
        b=QKzOmivgus+Rk1Vs6ufd5NFjmfXnoUfl/yZocyrMA78FXJsF6SSnIQk14QI5MX14jt
         p1BCVT/cepimkpNEjLL2ZNth2uVZlcGOmqVJFUyoOh2G4/bziBJyv56Ndo4zdAKg1fSu
         WVz+aQ9Wg7Sy+kGSt5heqwXmyuD5PsvBhkaAcGc+BwgDZ7lbrGV9hjuWmkaLULIMxyCC
         UfaWHMLItt8H9fK6eY4VVUkmEbm2WfV3a+QwVCEHV8v5Pnw4jNZN3OY8AddGnGIaPGiL
         AfF7P8wc2BmqKEtvEobeLQPKws2mAOjPVoBJmBghBl55munEGbH+sFZ5fT5t5E+y0F3S
         N9dg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=aqX51ZCY;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id lz22si2300710ejb.742.2020.06.23.14.20.34;
        Tue, 23 Jun 2020 14:20:57 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=aqX51ZCY;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S2392026AbgFWVRJ (ORCPT <rfc822;linux.lists.archive@gmail.com>
        + 99 others); Tue, 23 Jun 2020 17:17:09 -0400
Received: from us-smtp-delivery-1.mimecast.com ([205.139.110.120]:38404 "EHLO
        us-smtp-1.mimecast.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org
        with ESMTP id S2390513AbgFWU1B (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 23 Jun 2020 16:27:01 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
        s=mimecast20190719; t=1592944020;
        h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
         to:to:cc:cc:mime-version:mime-version:
         content-transfer-encoding:content-transfer-encoding;
        bh=LsRPxMKdg3wg3/L+rwnuc4Avfs5K49uylfJOpJywC20=;
        b=aqX51ZCYV3UDvqTsUUgO2awydbpLkONCAlaEZcuMKgl/OnC/RhP6KyWsMdc/WOaDRe1xGa
        48syNEhRB17Eneg6MbCwyd+lM6mW90C4Y7h/tzYSq/OdzhyORf4seUy2E1/sWqGWkbyqKz
        lEL5rmOCv25T27RLDoOLKDOXgRf1eKo=
Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com
 [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id
 us-mta-410-84sBE2vBO8mcm2IjICeKGw-1; Tue, 23 Jun 2020 16:26:58 -0400
X-MC-Unique: 84sBE2vBO8mcm2IjICeKGw-1
Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12])
        (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
        (No client certificate requested)
        by mimecast-mx01.redhat.com (Postfix) with ESMTPS id CDD86363F8;
        Tue, 23 Jun 2020 20:26:46 +0000 (UTC)
Received: from localhost (ovpn-116-10.gru2.redhat.com [10.97.116.10])
        by smtp.corp.redhat.com (Postfix) with ESMTP id 10B7A70C37;
        Tue, 23 Jun 2020 20:26:42 +0000 (UTC)
From:   Bruno Meneguele <bmeneg@redhat.com>
To:     linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org
Cc:     zohar@linux.ibm.com, erichte@linux.ibm.com, nayna@linux.ibm.com,
        Bruno Meneguele <bmeneg@redhat.com>
Subject: [PATCH v3 0/2] ima: make appraisal state runtime dependent on secure boot
Date:   Tue, 23 Jun 2020 17:26:38 -0300
Message-Id: <20200623202640.4936-1-bmeneg@redhat.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.12
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

To switch APPRAISE_BOOTPARAM and ARCH_POLICY dependency from compile time to
run time the secure boot checking code (specific to each arch) had to be
slightly modified to include, in the PowerPC arch, the Trusted Boot state,
which is also relevant to the arch policy choice and also required the
ima_appraise to be enforced. 

With that I changed the checking order: instead of first check the
arch_policy and then the secure/trusted boot state, now we first check the
boot state, set ima_appraise to be enforced and then the existence of arch
policy. In other words, whenever secure/trusted boot is enabled,
(ima_appraise & IMA_APPRAISE_ENFORCE) == true.

I've tested these patches in a x86_64 platform with and without secure boot
enabled and in a PowerPC without secure boot enabled:

1) with secure boot enabled (x86_64) and ima_policy=appraise_tcb, the
ima_appraise= options were completly ignored and the boot always failed with
"missing-hash" for /sbin/init, which is the expected result;

2) with secure boot enabled (x86_64), but no ima_policy:

[    1.396111] ima: Allocated hash algorithm: sha256
[    1.424025] ima: setting IMA appraisal to enforced
[    1.424039] audit: type=1807 audit(1592927955.557:2): action=measure func=KEXEC_KERNEL_CHECK res=1
[    1.424040] audit: type=1807 audit(1592927955.557:3): action=measure func=MODULE_CHECK res=1

3) with secure boot disabled (PowerPC and x86_64) and
"ima_policy=appraise_tcb ima_appraise=fix", audit messages were triggered
with "op=appraisal_data cause=missing-hash" but the system worked fine due
to "fix".

Bruno Meneguele (2):
  arch/ima: extend secure boot check to include trusted boot
  ima: move APPRAISE_BOOTPARAM dependency on ARCH_POLICY to runtime

 arch/powerpc/kernel/ima_arch.c      |  5 +++--
 arch/s390/kernel/ima_arch.c         |  2 +-
 arch/x86/kernel/ima_arch.c          |  4 ++--
 include/linux/ima.h                 |  4 ++--
 security/integrity/ima/Kconfig      |  2 +-
 security/integrity/ima/ima_main.c   |  2 +-
 security/integrity/ima/ima_policy.c | 20 ++++++++++++++------
 7 files changed, 24 insertions(+), 15 deletions(-)

-- 
2.26.2