Received: by 2002:a05:6902:102b:0:0:0:0 with SMTP id x11csp1724565ybt; Thu, 2 Jul 2020 12:13:59 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwap+jk9SPgZGk1koyl4kaVIG/uEqKv3XaKtNatFMxv5g/+x1sMOdzfEYcxses4BViu6OvH X-Received: by 2002:a17:906:3787:: with SMTP id n7mr27824766ejc.551.1593717238947; Thu, 02 Jul 2020 12:13:58 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1593717238; cv=none; d=google.com; s=arc-20160816; b=jPS2O8gUWFHx5g7GkeOpAJEP5flvNMfjnCT64vJkR4UWtRBTZdjz1U/1LTasKaJCkP 4QxY6gcNUF0z1+t4UoUexQwsQlUXpNNWwgmRi7gYSC0/DC5b3oOI1H2lZmRgt2j0T8VE c0DDoX4hx4L5A+Yaz4CwzeRh/zxCpEtaszstFmLXTySeE6ZnDkeGJ60gUK1/HW+Ie10v 7z3tyJ4gt+n1nHuI+Bk/9Oi/P6XqxgUkG9MXsJstfS9mV9vJoOP28aHfmtGCGPvJ44jO fVCclf/8Jzj7MGkYICeie5kmDgiBpCWfjIQf6MEJc+WsG032BqWoj2bBr7DUGyBw/nvo CmTg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-disposition:in-reply-to :mime-version:references:message-id:subject:cc:to:from:date :dkim-signature; bh=FzBxpCXjYpYykVqIIHvJqM6p4BizB/f7pG6TYVbhSrc=; b=yyKibcB5aiQEuxgKycMOmVSzrk64OScJlmqd1i/mSQcMH4lJMMAIP77AUEe/cpa7Al AfICf8ulw411A92kkRNoTMO9QDd/mr22MSb2V2E5PIrrqvxSP0AQD+lSzxmRiL7zENdR 91NFjFLQImBOtYw4Pi3KXau1fXthmlbWrdTDsBNOvDr+phkqcm7NvuJ0Bs/KFKXIcxQw HNxHroMU3rxi4IcYQmPf3BDrAbRKFbxSI73+OlhhQnZZwpzK3ijaESDhldR6iCPDx8MG QEHMOU39EWHP91CSqWSkC+PpeMJDnOKrOO1SiwYzXg7ClFrOFgt3Bjo3BVKHPVR558ZS VkLw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=KvkswkY+; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id g22si6516857edm.294.2020.07.02.12.13.35; Thu, 02 Jul 2020 12:13:58 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=KvkswkY+; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726014AbgGBTNM (ORCPT + 99 others); Thu, 2 Jul 2020 15:13:12 -0400 Received: from us-smtp-2.mimecast.com ([207.211.31.81]:48721 "EHLO us-smtp-delivery-1.mimecast.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1725847AbgGBTNM (ORCPT ); Thu, 2 Jul 2020 15:13:12 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1593717190; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=FzBxpCXjYpYykVqIIHvJqM6p4BizB/f7pG6TYVbhSrc=; b=KvkswkY+IXgiBLS8E4T87/8vw2/nkqiUtP0SydJXr5glJWPAfxSpJ8fiImdhUsuU3Ye59T KhOk484AbacwdlcMaOkHimNgDwlTw1ZHLVyZhojxOtc1rA5CUR4LXJlf2Zo810rfqG+Hjd NIvTPNZw5fwfHbmhkNUDYb0vWpYKek8= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-211-agXmqbaCMZaa2Q3O-dcvyA-1; Thu, 02 Jul 2020 15:12:58 -0400 X-MC-Unique: agXmqbaCMZaa2Q3O-dcvyA-1 Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.13]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 52D8980B70D; Thu, 2 Jul 2020 19:12:52 +0000 (UTC) Received: from localhost (ovpn-116-143.gru2.redhat.com [10.97.116.143]) by smtp.corp.redhat.com (Postfix) with ESMTP id E627A79258; Thu, 2 Jul 2020 19:12:51 +0000 (UTC) Date: Thu, 2 Jul 2020 16:12:50 -0300 From: Bruno Meneguele To: Mimi Zohar Cc: linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org, erichte@linux.ibm.com, nayna@linux.ibm.com Subject: Re: [PATCH v3 2/2] ima: move APPRAISE_BOOTPARAM dependency on ARCH_POLICY to runtime Message-ID: <20200702191250.GB3669@glitch> References: <20200623202640.4936-1-bmeneg@redhat.com> <20200623202640.4936-3-bmeneg@redhat.com> <1593204023.27152.476.camel@linux.ibm.com> <20200629234744.GA2756@glitch> <1593514848.5085.82.camel@linux.ibm.com> <20200630170043.GE2944@glitch> MIME-Version: 1.0 In-Reply-To: <20200630170043.GE2944@glitch> X-PGP-Key: http://keys.gnupg.net/pks/lookup?op=get&search=0x3823031E4660608D X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=bmeneg@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="+g7M9IMkV8truYOl" Content-Disposition: inline Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org --+g7M9IMkV8truYOl Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Tue, Jun 30, 2020 at 02:00:43PM -0300, Bruno Meneguele wrote: > On Tue, Jun 30, 2020 at 07:00:48AM -0400, Mimi Zohar wrote: > > On Mon, 2020-06-29 at 20:47 -0300, Bruno Meneguele wrote: > >=20 > > >=20 > > > > I'm not if the "secure_boot" flag is available prior to calling > > > > default_appraise_setup(), but if it is, you could modify the test > > > > there to also check if the system is booted in secure boot mode (eg= . > > > > IS_ENABLED(CONFIG_IMA_APPRAISE_BOOTPARAM) && > > > > !arch_ima_get_secureboot()) > > > >=20 > > >=20 > > > Well pointed. I built a custom x86 kernel with some workaround to get > > > this flag status within default_appraise_setup() and as a result the > > > flag is was correctly available.=20 > > >=20 > > > Considering the nature of this flag (platform's firmware (in all > > > arches?)) can we trust that every arch supporting secure/trusted boot > > > will have it available in the __setup() call time? > >=20 > > Calling=A0default_appraise_setup() could be deferred. > >=20 >=20 > Hmmm.. ok, I'm going to investigate it further. > Didn't really know that. >=20 After some research on powerpc, x86 and s390 (the only users of arch policies) codes it's clear that, no matter what, the secure boot flag will be available even before the kernel cmdline is actually copied/saved in kernel's memory. Both powerpc and x86 populate it through setup_arch() call in init/main.c:kernel_start(), where some early_params are handled, but nothing about normal (non-early) __setup() params. s390 is a bit deeper where it gets the flag, right down its boot code, even before start_kernel(). With that said, it's safe checking it directly from default_appraise_setup(). I'm going to prepare a v4, test it and post it tomorrow.=20 --=20 bmeneg=20 PGP Key: http://bmeneg.com/pubkey.txt --+g7M9IMkV8truYOl Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQEzBAEBCAAdFiEEdWo6nTbnZdbDmXutYdRkFR+RokMFAl7+MbIACgkQYdRkFR+R okOE9wgAtlCT2xp0XdlQd9PXMOlQZrofYigVUIMXsGtC0ln+HzCr87RDqf6ZGir4 z0TApF2+fb6SvtW654EDJiXQM8WalA++rsuXSzW47jPUuwkrvyHoaykHDKVbwm8h WoYoylK8wMNo/sjO6m+78O3j3qnE0vESewUimHf5PIv8ihFS2FwNY7B6oO0P2ygu YHpIg93bZfkSxUSWe/XA+0OvbMlsC7cS5PVEl/Cf81HR5G6knavZe9jFpGPY7rNi QxhJQAyDfSUmZNnIQWdWn+SBKQSxsILJ9sylvDtprR8fD13fknuERlyRHjMCg83E I04QUaw5LwbE9GhpXn0zSr/13JfuJg== =sFZi -----END PGP SIGNATURE----- --+g7M9IMkV8truYOl--