Received: by 2002:a25:e74b:0:0:0:0:0 with SMTP id e72csp2201438ybh; Fri, 17 Jul 2020 11:43:24 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwqMwV4Pf7HjPonwAkX5Ldz/XV3sENCXIedAje/9Huh4b6ElZlofqvhGQyNRspIfqSkU6MX X-Received: by 2002:aa7:db57:: with SMTP id n23mr10427610edt.235.1595011404145; Fri, 17 Jul 2020 11:43:24 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1595011404; cv=none; d=google.com; s=arc-20160816; b=ROmImli3sIk4/2N2QMOH4B6PaECH3xso/MqlSFN8ZJe0taAI7AVHaIVo0MVvf+Gxr7 uGmyaaspuNenQsMJU+20wvKBpS8J94L9yvwiLwfG0KwZg6DD6PwtzBq6jslhxYF+O60R dha6u1euHj7TE4Ozw22Pjli1Lc1+ykIEzg998P50zZrozFzMg+iihu4yPTXd2YA1aILT lOStpnGftRwzoq51byCsE0zelLVv/jBHPhvt9Bm0yq/kXm7TZIQkz0drJpU1RVZ5bKm3 6dgte66c/Hl11HDBJmSfr8xoGHbTJJYjEzICEGChZGaTuRE4h6zeTy+qubYBo7MVOIfa YFGQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-disposition:in-reply-to :mime-version:references:message-id:subject:cc:to:from:date :dkim-signature; bh=loX3iNxnC34Mh5q85vIpxAcyIoCVZ/OKd+6NErIYBZY=; b=GZHEJy9f9DiNNWD3LBzLtSd2ZHq2gXR5UPjK6h7gmDCNStLIhAAiCKuojpERyOTtA4 VvjXP95Ab15HLIwWJxquuxRvvoUJLikdsWLrDDcHB4qcJ1OS4KJ3aTPdBI0TstaVrMW5 KkRekyvbzbL5IBflsJiM9rzJUhQjJ2HpFymU90FT31jeg9MH7DmhlDTku9mxZh/6LYNv JpDsFgIlaQqHz7CsJiG1gLm7M5ec0RDww/KRHtl9kVHptILPJdGagSPqtmY4cZ5zVdYJ eUhU5PoIIi8enRHjyGvXLhcpibRLzatVdPnAjth5m6i0YsGZShlZMxDmp45LqcP80Pha 9adQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=Hx2jYpob; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id o9si5645871edr.292.2020.07.17.11.43.01; Fri, 17 Jul 2020 11:43:24 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=Hx2jYpob; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728066AbgGQSkn (ORCPT + 99 others); Fri, 17 Jul 2020 14:40:43 -0400 Received: from us-smtp-2.mimecast.com ([205.139.110.61]:49880 "EHLO us-smtp-delivery-1.mimecast.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1726322AbgGQSkm (ORCPT ); Fri, 17 Jul 2020 14:40:42 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1595011241; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=loX3iNxnC34Mh5q85vIpxAcyIoCVZ/OKd+6NErIYBZY=; b=Hx2jYpobPHoxgsywJd0cNh+bbJ1Ma4JIoX/84aHm4zBf19luxtb63tLWOymi37Is1ccOBc qqCOCh+B43nasPOq5D0wjP2SLM0SH3oFlrj0A0GZB+21yTAo0iZxjiHvGb4FgiSW9GOdnf 6FI/Y5850zpFX1MsqVgQnvsc4IQczWM= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-276-9d_YNwHZM0KEqKVjKlTnUQ-1; Fri, 17 Jul 2020 14:40:23 -0400 X-MC-Unique: 9d_YNwHZM0KEqKVjKlTnUQ-1 Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 535D5800468; Fri, 17 Jul 2020 18:40:21 +0000 (UTC) Received: from localhost (ovpn-116-105.gru2.redhat.com [10.97.116.105]) by smtp.corp.redhat.com (Postfix) with ESMTP id 83F0760E3E; Fri, 17 Jul 2020 18:40:20 +0000 (UTC) Date: Fri, 17 Jul 2020 15:40:19 -0300 From: Bruno Meneguele To: linux-kernel@vger.kernel.org, x86@kernel.org, linuxppc-dev@lists.ozlabs.org, linux-s390@vger.kernel.org, linux-integrity@vger.kernel.org Cc: zohar@linux.ibm.com, erichte@linux.ibm.com, nayna@linux.ibm.com, stable@vger.kernel.org Subject: Re: [PATCH v6] ima: move APPRAISE_BOOTPARAM dependency on ARCH_POLICY to runtime Message-ID: <20200717184019.GI2984@glitch> References: <20200713164830.101165-1-bmeneg@redhat.com> MIME-Version: 1.0 In-Reply-To: <20200713164830.101165-1-bmeneg@redhat.com> X-PGP-Key: http://keys.gnupg.net/pks/lookup?op=get&search=0x3823031E4660608D X-Scanned-By: MIMEDefang 2.79 on 10.5.11.12 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="xQR6quUbZ63TTuTU" Content-Disposition: inline Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org --xQR6quUbZ63TTuTU Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Mon, Jul 13, 2020 at 01:48:30PM -0300, Bruno Meneguele wrote: > The IMA_APPRAISE_BOOTPARAM config allows enabling different "ima_appraise= =3D" > modes - log, fix, enforce - at run time, but not when IMA architecture > specific policies are enabled. =A0This prevents properly labeling the > filesystem on systems where secure boot is supported, but not enabled on = the > platform. =A0Only when secure boot is actually enabled should these IMA > appraise modes be disabled. >=20 > This patch removes the compile time dependency and makes it a runtime > decision, based on the secure boot state of that platform. >=20 > Test results as follows: >=20 > -> x86-64 with secure boot enabled >=20 > [ 0.015637] Kernel command line: <...> ima_policy=3Dappraise_tcb ima_a= ppraise=3Dfix > [ 0.015668] ima: Secure boot enabled: ignoring ima_appraise=3Dfix boot= parameter option >=20 > -> powerpc with secure boot disabled >=20 > [ 0.000000] Kernel command line: <...> ima_policy=3Dappraise_tcb ima_a= ppraise=3Dfix > [ 0.000000] Secure boot mode disabled >=20 > -> Running the system without secure boot and with both options set: >=20 > CONFIG_IMA_APPRAISE_BOOTPARAM=3Dy > CONFIG_IMA_ARCH_POLICY=3Dy >=20 > Audit prompts "missing-hash" but still allow execution and, consequently, > filesystem labeling: >=20 > type=3DINTEGRITY_DATA msg=3Daudit(07/09/2020 12:30:27.778:1691) : pid=3D4= 976 > uid=3Droot auid=3Droot ses=3D2 > subj=3Dunconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op=3Dapprais= e_data > cause=3Dmissing-hash comm=3Dbash name=3D/usr/bin/evmctl dev=3D"dm-0" ino= =3D493150 > res=3Dno >=20 > Cc: stable@vger.kernel.org > Fixes: d958083a8f64 ("x86/ima: define arch_get_ima_policy() for x86") > Signed-off-by: Bruno Meneguele > --- > v6: > - explictly print the bootparam being ignored to the user (Mimi) > v5: > - add pr_info() to inform user the ima_appraise=3D boot param is being > =09ignored due to secure boot enabled (Nayna) > - add some testing results to commit log > v4: > - instead of change arch_policy loading code, check secure boot state a= t > =09"ima_appraise=3D" parameter handler (Mimi) > v3: > - extend secure boot arch checker to also consider trusted boot > - enforce IMA appraisal when secure boot is effectively enabled (Nayna) > - fix ima_appraise flag assignment by or'ing it (Mimi) > v2: > - pr_info() message prefix correction > security/integrity/ima/Kconfig | 2 +- > security/integrity/ima/ima_appraise.c | 6 ++++++ > 2 files changed, 7 insertions(+), 1 deletion(-) >=20 > diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kcon= fig > index edde88dbe576..62dc11a5af01 100644 > --- a/security/integrity/ima/Kconfig > +++ b/security/integrity/ima/Kconfig > @@ -232,7 +232,7 @@ config IMA_APPRAISE_REQUIRE_POLICY_SIGS > =20 > config IMA_APPRAISE_BOOTPARAM > =09bool "ima_appraise boot parameter" > -=09depends on IMA_APPRAISE && !IMA_ARCH_POLICY > +=09depends on IMA_APPRAISE > =09default y > =09help > =09 This option enables the different "ima_appraise=3D" modes > diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/i= ma/ima_appraise.c > index a9649b04b9f1..28a59508c6bd 100644 > --- a/security/integrity/ima/ima_appraise.c > +++ b/security/integrity/ima/ima_appraise.c > @@ -19,6 +19,12 @@ > static int __init default_appraise_setup(char *str) > { > #ifdef CONFIG_IMA_APPRAISE_BOOTPARAM > +=09if (arch_ima_get_secureboot()) { > +=09=09pr_info("Secure boot enabled: ignoring ima_appraise=3D%s boot para= meter option", > +=09=09=09str); > +=09=09return 1; > +=09} > + > =09if (strncmp(str, "off", 3) =3D=3D 0) > =09=09ima_appraise =3D 0; > =09else if (strncmp(str, "log", 3) =3D=3D 0) > --=20 > 2.26.2 >=20 Ping for review. Many thanks. --=20 bmeneg=20 PGP Key: http://bmeneg.com/pubkey.txt --xQR6quUbZ63TTuTU Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQEzBAEBCAAdFiEEdWo6nTbnZdbDmXutYdRkFR+RokMFAl8R8JMACgkQYdRkFR+R okMiPAf+Lawa+3mJ/dDC1Np/eBpA/UCMscxAKYRNlkGVChCpXeeXX1JV4M4CKHzu bmfws9NGfx4kw++hn8IeF86ypV3XhdKQyz7zQ6L4Rgmv08a/AE1msMRwwSMky9li n/Mh5HcYsfnLmGrLrSYjR/PTNqmz0WPgRCOSpFaTRcqTVKkUMJ8m83cwTe/5Avm9 SmUyq80QY4AV4bJcedr1U+Ror8it5dHdtgy5bz0TPepRnhk/lE7Ro+mZE0e8N0R+ 3BiyCiYhUMD7E5LODlnMAWvbd/vEf3I0a0rYuQmxcauXs8HVI6j42A9Tmc/7PcDG EGRCFOvOOkQz6WddH1svTgptnLyGsA== =Ggbe -----END PGP SIGNATURE----- --xQR6quUbZ63TTuTU--