Received: by 2002:a05:6a10:9e8c:0:0:0:0 with SMTP id y12csp1205385pxx; Fri, 30 Oct 2020 04:54:49 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwH4bK5du1uJfFIB9uhGajOMsZhhiGyha84sbxPc8NyqepujdY5QlP8emkJTXijMBiD68gq X-Received: by 2002:a17:906:3641:: with SMTP id r1mr1945739ejb.405.1604058889507; Fri, 30 Oct 2020 04:54:49 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1604058889; cv=none; d=google.com; s=arc-20160816; b=ONEbcYWzdOsr8XtLdmq7JhInEbAzUn2C1AGnk9KVaanQeOIT0iM7NmodwrfLEgeK/R rjuQnEY2HKwoovjWbHbTsI6oz8MlLND0RT82339tYOtAJilY9ZCEgPzqZ3ISmvo2HM5o O7QAiu+OJcEWA+ofcHWdE5jExnC376vs3Zo0JHYv19tq3zGHxGr7bYVM9sOlVCQOyXoQ w6BN3V8G+O7mZ6AIhK17XrAn38pkddpaqe4bEvBwFM9e2nFz6H8qzeFkP0heqD91Y3m1 Jy6Tdu/AFd4SWdL1ZuGQyXja0Cf+/VTn38jcY91ONJ4+6Ps5LxQEWPcdnj2bSLrZEFQx O3iw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=KNjrIwqAtzTshKMvgowhfWNvzlpYvFyWmbJHtiZFW6s=; b=yLA6PZ+cvtiHDiUlNEz9lfjeYkZIndBU56KJlSQ9Fi2o4g4KKngbwgMXg36uAateJm 9DrGuQRC663xHP8qSEPXMRfPgbUHN+mt/277PGY3/pjh1p130fWm83AT5yNHVKuPgcX6 MxOW+sz6yGmAvM+1EG5FJSP19Up7MvdUPUjei3XOYNI5ffpyEx4qDhh4W7NoRZGeINzx QafXotEsacWKf4BkUD7Q4zs7i5lMx5GOTd2AZXzOFXDnIhEJBIoV7/DGtQAfrQkUcyIk ivWOj3w34nsPzAvxg8FenDOphreJHWj9N/7vdkpORml4hS4Ad4Vr+QqgGSbvB2j93Y67 k5eA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=t5aHrghm; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id r8si837285edm.62.2020.10.30.04.54.25; Fri, 30 Oct 2020 04:54:49 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=t5aHrghm; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726394AbgJ3Lww (ORCPT + 99 others); Fri, 30 Oct 2020 07:52:52 -0400 Received: from mail.kernel.org ([198.145.29.99]:39194 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726120AbgJ3Lwv (ORCPT ); Fri, 30 Oct 2020 07:52:51 -0400 Received: from mail-oi1-f177.google.com (mail-oi1-f177.google.com [209.85.167.177]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 4DF4B22227; Fri, 30 Oct 2020 11:52:37 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1604058757; bh=a2P2yJXerbf+BStG2FxqbjJ8wAhWTITOLQDhr7Hmh3Y=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=t5aHrghmpzjeM/9/si8n4dGoZIODp982zCoJECUd4xSO0OiO8nS9O2m/Cm0q580h1 AfFLCFBWh2XNVxRMn/XClEUBFzYXhx4xu+pT0WdeE/K2NwJFKMvf09T+E4MG3DFFIS foFIM/WU3nNA4hWIdR4Z8MM2ajQGd8F8qUeS0VXQ= Received: by mail-oi1-f177.google.com with SMTP id x1so6325620oic.13; Fri, 30 Oct 2020 04:52:37 -0700 (PDT) X-Gm-Message-State: AOAM532xzF+KC3v/fdemBq7vSJrvEe5SEw/x3eQOygpIyH72rJHIwbu7 v/a1biZYGgYK8h+icPp02uXOI0jicaK14yW96L8= X-Received: by 2002:aca:5c82:: with SMTP id q124mr1314195oib.33.1604058756433; Fri, 30 Oct 2020 04:52:36 -0700 (PDT) MIME-Version: 1.0 References: <20201030060840.1810-1-clin@suse.com> <20201030060840.1810-3-clin@suse.com> In-Reply-To: <20201030060840.1810-3-clin@suse.com> From: Ard Biesheuvel Date: Fri, 30 Oct 2020 12:52:25 +0100 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH v3 2/3] ima: replace arch-specific get_sb_mode() with a common helper ima_get_efi_secureboot() To: Chester Lin Cc: Mimi Zohar , James Morris , "Serge E. Hallyn" , Dmitry Kasatkin , Catalin Marinas , Will Deacon , Thomas Gleixner , Ingo Molnar , Borislav Petkov , "H. Peter Anvin" , Linux Kernel Mailing List , Linux ARM , linux-efi , linux-integrity , linux-security-module@vger.kernel.org, X86 ML , "Lee, Chun-Yi" Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, 30 Oct 2020 at 07:09, Chester Lin wrote: > > remove the get_sb_mode() from x86/kernel/ima_arch.c and create a common > helper ima_get_efi_secureboot() in IMA so that all EFI-based architectures > can refer to the same procedure. > > Signed-off-by: Chester Lin > --- > arch/x86/kernel/ima_arch.c | 69 +++++++------------------------- > include/linux/ima.h | 10 +++++ > security/integrity/ima/Makefile | 1 + > security/integrity/ima/ima_efi.c | 26 ++++++++++++ > 4 files changed, 51 insertions(+), 55 deletions(-) > create mode 100644 security/integrity/ima/ima_efi.c > > diff --git a/arch/x86/kernel/ima_arch.c b/arch/x86/kernel/ima_arch.c > index 7dfb1e808928..2c773532ff0a 100644 > --- a/arch/x86/kernel/ima_arch.c > +++ b/arch/x86/kernel/ima_arch.c > @@ -8,69 +8,28 @@ > > extern struct boot_params boot_params; > > -static enum efi_secureboot_mode get_sb_mode(void) > -{ > - efi_guid_t efi_variable_guid = EFI_GLOBAL_VARIABLE_GUID; > - efi_status_t status; > - unsigned long size; > - u8 secboot, setupmode; > - > - size = sizeof(secboot); > - > - if (!efi_rt_services_supported(EFI_RT_SUPPORTED_GET_VARIABLE)) { > - pr_info("ima: secureboot mode unknown, no efi\n"); > - return efi_secureboot_mode_unknown; > - } > - > - /* Get variable contents into buffer */ > - status = efi.get_variable(L"SecureBoot", &efi_variable_guid, > - NULL, &size, &secboot); > - if (status == EFI_NOT_FOUND) { > - pr_info("ima: secureboot mode disabled\n"); > - return efi_secureboot_mode_disabled; > - } > - > - if (status != EFI_SUCCESS) { > - pr_info("ima: secureboot mode unknown\n"); > - return efi_secureboot_mode_unknown; > - } > - > - size = sizeof(setupmode); > - status = efi.get_variable(L"SetupMode", &efi_variable_guid, > - NULL, &size, &setupmode); > - > - if (status != EFI_SUCCESS) /* ignore unknown SetupMode */ > - setupmode = 0; > - > - if (secboot == 0 || setupmode == 1) { > - pr_info("ima: secureboot mode disabled\n"); > - return efi_secureboot_mode_disabled; > - } > - > - pr_info("ima: secureboot mode enabled\n"); > - return efi_secureboot_mode_enabled; > -} > - > bool arch_ima_get_secureboot(void) > { > - static enum efi_secureboot_mode sb_mode; > - static bool initialized; > - > - if (!initialized && efi_enabled(EFI_BOOT)) { > - sb_mode = boot_params.secure_boot; > + static bool sb_enabled, initialized; > > - if (sb_mode == efi_secureboot_mode_unset) > - sb_mode = get_sb_mode(); > + if (initialized) { > + return sb_enabled; > + } else if (efi_enabled(EFI_BOOT)) { > initialized = true; > + > + if (boot_params.secure_boot == efi_secureboot_mode_unset) { > + sb_enabled = ima_get_efi_secureboot(); > + return sb_enabled; > + } > } > > - if (sb_mode == efi_secureboot_mode_enabled) > - return true; > - else > - return false; > + if (boot_params.secure_boot == efi_secureboot_mode_enabled) > + sb_enabled = true; > + > + return sb_enabled; > } > > -/* secureboot arch rules */ > +/* secure and trusted boot arch rules */ > static const char * const sb_arch_rules[] = { > #if !IS_ENABLED(CONFIG_KEXEC_SIG) > "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig", > diff --git a/include/linux/ima.h b/include/linux/ima.h > index 8fa7bcfb2da2..9f9699f017be 100644 > --- a/include/linux/ima.h > +++ b/include/linux/ima.h > @@ -50,6 +50,16 @@ static inline const char * const *arch_get_ima_policy(void) > } > #endif > > +#if defined(CONFIG_EFI) && defined(CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT) > +extern bool ima_get_efi_secureboot(void); > +#else > +static inline bool ima_get_efi_secureboot(void) > +{ > + return false; > +} > +#endif > + > + > #else > static inline int ima_bprm_check(struct linux_binprm *bprm) > { > diff --git a/security/integrity/ima/Makefile b/security/integrity/ima/Makefile > index 67dabca670e2..32076b3fd292 100644 > --- a/security/integrity/ima/Makefile > +++ b/security/integrity/ima/Makefile > @@ -14,3 +14,4 @@ ima-$(CONFIG_HAVE_IMA_KEXEC) += ima_kexec.o > ima-$(CONFIG_IMA_BLACKLIST_KEYRING) += ima_mok.o > ima-$(CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS) += ima_asymmetric_keys.o > ima-$(CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS) += ima_queue_keys.o > +ima-$(CONFIG_EFI) += ima_efi.o > diff --git a/security/integrity/ima/ima_efi.c b/security/integrity/ima/ima_efi.c > new file mode 100644 > index 000000000000..a78f66e19689 > --- /dev/null > +++ b/security/integrity/ima/ima_efi.c > @@ -0,0 +1,26 @@ > +// SPDX-License-Identifier: GPL-2.0-only > +/* > + * Copyright (C) 2020 SUSE LLC > + * > + * Author: > + * Chester Lin > + */ > + > +#include > +#include > + > +#ifdef CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT > +bool ima_get_efi_secureboot(void) > +{ > + enum efi_secureboot_mode sb_mode; > + > + if (!efi_rt_services_supported(EFI_RT_SUPPORTED_GET_VARIABLE)) { > + pr_info("ima: secureboot mode unknown, no efi\n"); > + return false; > + } > + > + sb_mode = efi_get_secureboot(efi.get_variable); > + As I mentioned in the other patch, these are not equivalent - you are introducing a MokSbState check which doesn't make sense at runtime (or at all perhaps) > + return (sb_mode == efi_secureboot_mode_enabled) ? true : false; > +} > +#endif > -- > 2.28.0 >