From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: David Howells <dhowells@redhat.com>
Cc: linux-integrity <linux-integrity@vger.kernel.org>
Subject: Re: IMA secure_boot rules and the kernel_lockdown manpage
Date: Fri, 10 Nov 2017 08:10:14 -0500 [thread overview]
Message-ID: <1510319414.3359.27.camel@linux.vnet.ibm.com> (raw)
In-Reply-To: <28799.1510313926@warthog.procyon.org.uk>
On Fri, 2017-11-10 at 11:38 +0000, David Howells wrote:
> Hi Mimi,
>
> I need to add a statement about the IMA secure_boot rules to the
> kernel_lockdown manual page. Is this enough:
>
> IMA requires the addition of the "secure_boot" rules to the policy,
> whether or not they are specified on the command line, for both the
> builtin and custom policies in secure boot lockdown mode.
Please add:
This initially enforces kernel modules, firmware, the kernel kexec
image, and the IMA policy itself are signed.
>
> I don't know what this actually does/achieves.
Like other policies (eg. tcb, appraise_tcb) the "secure_boot" policy
can be specified on the boot command line (eg.
ima_policy="secure_boot|tcb|appraise_tcb").
Currently the builtin "secure_boot" policy is defined as:
static struct ima_rule_entry secure_boot_rules[] __ro_after_init = {
{.action = APPRAISE, .func = MODULE_CHECK,
.flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
{.action = APPRAISE, .func = FIRMWARE_CHECK,
.flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
{.action = APPRAISE, .func = KEXEC_KERNEL_CHECK,
.flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
{.action = APPRAISE, .func = POLICY_CHECK,
.flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
};
These policies can be replaced at runtime with a custom policy.
"lockdown" mode includes these rules in the custom policy, before any
of the custom rules.
On a system with "CONFIG_IMA_READ_POLICY" enabled and commit
2068626d1345 "ima: don't remove the securityfs policy file" in James'
next-testing branch, the current policy can be seen by cat'ing
<securityfs>/ima/policy.
Mimi
next prev parent reply other threads:[~2017-11-10 13:10 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-11-10 11:38 IMA secure_boot rules and the kernel_lockdown manpage David Howells
2017-11-10 13:10 ` Mimi Zohar [this message]
2017-11-10 14:31 ` David Howells
2017-11-10 14:43 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1510319414.3359.27.camel@linux.vnet.ibm.com \
--to=zohar@linux.vnet.ibm.com \
--cc=dhowells@redhat.com \
--cc=linux-integrity@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).