X-Mailing-List: linux-kernel@vger.kernel.org
Date: Wed, 27 Mar 2024 18:54:16 +0200
To: "Mimi Zohar", "Luis Chamberlain"
Cc: "Roberto Sassu", "Ken Goldman"
Subject: Re: [PATCH] ima: define an
init_module critical data record
From: "Jarkko Sakkinen"
X-Mailer: aerc 0.17.0
References: <20240327150019.81477-1-zohar@linux.ibm.com>
In-Reply-To: <20240327150019.81477-1-zohar@linux.ibm.com>

On Wed Mar 27, 2024 at 5:00 PM EET, Mimi Zohar wrote:
> The init_module syscall loads an ELF image into kernel space without
> measuring the buffer containing the ELF image. To close this kernel
> module integrity gap, define a new critical-data record which includes
> the hash of the ELF image.
>
> Instead of including the buffer data in the IMA measurement list,
> include the hash of the buffer data to avoid large IMA measurement
> list records. The buffer data hash would be the same value as the
> finit_module syscall file hash.
>
> To enable measuring the init_module buffer and other critical data from
> boot, define "ima_policy=critical_data" on the boot command line. Since
> builtin policies are not persistent, a custom IMA policy must include
> the rule as well: measure func=CRITICAL_DATA label=modules
>
> To verify the template data hash value, first convert the buffer data
> hash to binary:
> grep "init_module" \
>   /sys/kernel/security/integrity/ima/ascii_runtime_measurements | \
>   tail -1 | cut -d' ' -f 6 | xxd -r -p | sha256sum
>
> Reported-by: Ken Goldman
> Signed-off-by: Mimi Zohar
> ---
>  security/integrity/ima/ima_main.c | 7 +++++++
>  1 file changed, 7 insertions(+)
>
> diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
> index c84e8c55333d..4b4348d681a6 100644
> --- a/security/integrity/ima/ima_main.c
> +++ b/security/integrity/ima/ima_main.c
> @@ -902,6 +902,13 @@ static int ima_post_load_data(char *buf, loff_t size,
>  		return 0;
>  	}
>  
> +	/*
> +	 * Measure the init_module syscall buffer containing the ELF image.
> +	 */
> +	if (load_id == LOADING_MODULE)
> +		ima_measure_critical_data("modules", "init_module",
> +					  buf, size, true, NULL, 0);

No reason not to ack but could be just as well (passing checkpatch):

	if (load_id == LOADING_MODULE)
		ima_measure_critical_data("modules", "init_module", buf, size, true, NULL, 0);

< 100 characters

> +
>  	return 0;
>  }
>  

Reviewed-by: Jarkko Sakkinen

BR, Jarkko
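Review bot: the in-code comment in the hunk should state that only the hash of the buffer is recorded (the `true` argument passed to ima_measure_critical_data), since that is the design choice the commit message justifies (avoiding large measurement-list records, and matching the finit_module file hash) and a reader of ima_post_load_data cannot see it from the call alone. Something like `/* Measure the hash of the init_module ELF buffer, not the buffer itself. */` would carry that, and would also fit on one line as the reply above suggests. The new event label "modules" and event name "init_module" become user-visible ABI (the policy rule `measure func=CRITICAL_DATA label=modules` and the `grep "init_module"` verification in the commit message depend on them), so they are worth documenting alongside the other critical-data labels rather than only in the changelog.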
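The verification step described in the commit message, as an added example that is not part of the patch or of either author's mail: it builds a constructed ima-buf record shaped like the hash=true init_module measurement (buf field = sha256 of the module buffer, d-ng field = sha256 over those raw digest bytes), checks it the way the `cut | xxd -r -p | sha256sum` pipeline does, and goes a little further by checking every init_module record in a dump and tying one to a module file's own hash. The template hash in field 2 is a placeholder and is not verified.

```python
import hashlib

# Constructed stand-in for the bytes of a kernel module image passed to
# init_module(); not a real ELF module.
SAMPLE_MODULE = b"\x7fELF" + b"constructed module image bytes " * 8


def make_record(module: bytes, pcr: int = 10, name: str = "init_module") -> str:
    """Build one ascii_runtime_measurements line shaped like the hash=true
    critical-data measurement: the buf field carries the sha256 of the module
    buffer, and the d-ng field carries sha256 over those raw digest bytes.
    The template hash (field 2) is a placeholder and is not checked here."""
    buf_digest = hashlib.sha256(module).digest()
    data_hash = hashlib.sha256(buf_digest).hexdigest()
    return f"{pcr} {'0' * 40} ima-buf sha256:{data_hash} {name} {buf_digest.hex()}"


def verify_record(line: str) -> bool:
    """Same check as `cut -d' ' -f 6 | xxd -r -p | sha256sum`: hash the binary
    form of the buf field and compare it with the d-ng field."""
    fields = line.split()
    if len(fields) != 6 or fields[2] != "ima-buf":
        return False
    algo, _, expected = fields[3].partition(":")
    try:
        buf_data = bytes.fromhex(fields[5])
        return hashlib.new(algo, buf_data).hexdigest() == expected.lower()
    except ValueError:  # unsupported hash algorithm or malformed hex
        return False


def matches_module(line: str, module: bytes) -> bool:
    """The buf field should equal the module file's own sha256 (the value
    finit_module would record), so a .ko on disk can be tied to the record."""
    fields = line.split()
    return len(fields) == 6 and fields[5] == hashlib.sha256(module).hexdigest()


def verify_init_module_records(measurements: str) -> list[tuple[str, bool]]:
    """Check every init_module record in an ascii_runtime_measurements dump;
    returns (buffer hash, ok) per record so a malformed entry stands out."""
    results = []
    for line in measurements.splitlines():
        fields = line.split()
        if len(fields) == 6 and fields[4] == "init_module":
            results.append((fields[5], verify_record(line)))
    return results
```

On a live system, pass the contents of /sys/kernel/security/integrity/ima/ascii_runtime_measurements to verify_init_module_records and the bytes of the .ko to matches_module.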