Date: Fri, 14 Jul 2023 09:29:04 +0800
From: Coiby Xu
To: Mimi Zohar
Cc: linux-integrity@vger.kernel.org, Dmitry Kasatkin, Paul Moore, James Morris, "Serge E. Hallyn", "open list:SECURITY SUBSYSTEM", open list
Subject: Re: [PATCH] ima: require signed IMA policy when UEFI secure boot is enabled
References: <20230703115442.129725-1-coxu@redhat.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Jul 04, 2023 at 08:57:10AM -0400, Mimi Zohar wrote:
>On Mon, 2023-07-03 at 19:54 +0800, Coiby Xu wrote:
>> With the introduction of the .machine keyring for UEFI-based systems,
>> users are able to add custom CA keys via MOK. This allows users to sign
>> their own IMA policies. For the sake of security, mandate signed IMA
>> policy when UEFI secure boot is enabled.
>>
>> Suggested-by: Mimi Zohar
>> Signed-off-by: Coiby Xu
>> ---
>> security/integrity/ima/ima_efi.c | 3 +++
>> 1 file changed, 3 insertions(+)
>>
>> diff --git a/security/integrity/ima/ima_efi.c b/security/integrity/ima/ima_efi.c
>> index 9db66fe310d4..bb2881759505 100644
>> --- a/security/integrity/ima/ima_efi.c
>> +++ b/security/integrity/ima/ima_efi.c
>> @@ -58,6 +58,9 @@ static const char * const sb_arch_rules[] = { >> #if !IS_ENABLED(CONFIG_MODULE_SIG) >> "appraise func=MODULE_CHECK appraise_type=imasig", >> #endif >> +#if IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING) && IS_ENABLED(CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY) >> + "appraise func=POLICY_CHECK appraise_type=imasig", >> +#endif /* CONFIG_INTEGRITY_MACHINE_KEYRING && IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY */ >> "measure func=MODULE_CHECK", >> NULL >> }; > >Thanks, Coiby. You are welcome! > >Using IS_ENABLED() is not wrong, but unnecessary. IS_BUILTIN() >suffices. Thanks for the reminding! When I was going to apply this suggestion, I noticed ima_efi.c uses IS_ENABLED for all configuration items i.e. CONFIG_MODULE_SIG and CONFIG_KEXEC_SIG which are all of bool type. Would you like me to switch all IS_ENABLEs to IS_BUILTIN or still use IS_ENABLED? While IS_BUILTIN is exclusively for bool type, it's not as intuitive as IS_ENABLED. So it's not easy for me to make a choice. > >-- >thanks, > >Mimi > -- Best regards, Coiby
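Review bot: the new `#if` guard in the sb_arch_rules hunk is a compile-time check only, so on every kernel built with CONFIG_INTEGRITY_MACHINE_KEYRING and CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY the `"appraise func=POLICY_CHECK appraise_type=imasig"` rule is enforced whenever secure boot is on, whether or not an administrator has actually enrolled a MOK key; the commit message should state plainly that an unsigned custom policy will then be rejected on such systems. Two smaller points on the same hunk: the `#if` line is far over the kernel's usual line length and could be split with a backslash continuation, and the trailing `#endif` comment names `IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY` without the `CONFIG_` prefix it uses for the other symbol.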
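To make the IS_ENABLED() versus IS_BUILTIN() question in this thread concrete, here is an added user-space illustration (not kernel code and not part of this patch) that copies the macro technique from include/linux/kconfig.h and applies it to constructed CONFIG_ symbols; CONFIG_DEMO_TRISTATE and CONFIG_DEMO_UNSET are invented for the demo. For a bool option set to y both forms agree, which is why IS_BUILTIN() suffices in the patch's guard; they only differ for a tristate option built as a module.

```c
/* Added illustration, not the kernel's code: a user-space copy of the
 * IS_ENABLED()/IS_BUILTIN()/IS_MODULE() trick from include/linux/kconfig.h.
 * Kconfig emits "CONFIG_FOO 1" for y and "CONFIG_FOO_MODULE 1" for m. */
#include <stdio.h>

#define __ARG_PLACEHOLDER_1 0,
#define __take_second_arg(__ignored, val, ...) val
/* If val is 1, the placeholder expands to "0," and the second arg is 1;
 * otherwise the junk token stays in place and the second arg is 0. */
#define ___is_defined(val) ____is_defined(__ARG_PLACEHOLDER_##val)
#define ____is_defined(arg1_or_junk) __take_second_arg(arg1_or_junk 1, 0)
#define __is_defined(x) ___is_defined(x)

#define IS_BUILTIN(option) __is_defined(option)
#define IS_MODULE(option)  __is_defined(option##_MODULE)
#define IS_ENABLED(option) (IS_BUILTIN(option) || IS_MODULE(option))

/* Constructed Kconfig state for this demo: the two bool options from the
 * patch set to y, one invented tristate set to m, one invented option unset. */
#define CONFIG_INTEGRITY_MACHINE_KEYRING 1
#define CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY 1
#define CONFIG_DEMO_TRISTATE_MODULE 1
/* CONFIG_DEMO_UNSET intentionally left undefined */

/* Mirror of the patch's guard: for bool symbols the two forms agree. */
int policy_rule_guard_enabled(void)
{
    return IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING) &&
           IS_ENABLED(CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY);
}

int policy_rule_guard_builtin(void)
{
    return IS_BUILTIN(CONFIG_INTEGRITY_MACHINE_KEYRING) &&
           IS_BUILTIN(CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY);
}

/* Where the forms differ: an option built as a module (m). */
int tristate_enabled(void) { return IS_ENABLED(CONFIG_DEMO_TRISTATE); }
int tristate_builtin(void) { return IS_BUILTIN(CONFIG_DEMO_TRISTATE); }
int unset_enabled(void)    { return IS_ENABLED(CONFIG_DEMO_UNSET); }

int main(void)
{
    printf("bool guard: IS_ENABLED=%d IS_BUILTIN=%d\n",
           policy_rule_guard_enabled(), policy_rule_guard_builtin());
    printf("tristate=m: IS_ENABLED=%d IS_BUILTIN=%d unset=%d\n",
           tristate_enabled(), tristate_builtin(), unset_enabled());
    return 0;
}
```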