* IMA secure_boot rules and the kernel_lockdown manpage @ 2017-11-10 11:38 David Howells 2017-11-10 13:10 ` Mimi Zohar 2017-11-10 14:31 ` David Howells 0 siblings, 2 replies; 4+ messages in thread From: David Howells @ 2017-11-10 11:38 UTC (permalink / raw) To: Mimi Zohar; +Cc: dhowells, linux-integrity Hi Mimi, I need to add a statement about the IMA secure_boot rules to the kernel_lockdown manual page. Is this enough: IMA requires the addition of the "secure_boot" rules to the policy, whether or not they are specified on the command line, for both the builtin and custom policies in secure boot lockdown mode. I don't know what this actually does/achieves. David ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: IMA secure_boot rules and the kernel_lockdown manpage 2017-11-10 11:38 IMA secure_boot rules and the kernel_lockdown manpage David Howells @ 2017-11-10 13:10 ` Mimi Zohar 2017-11-10 14:31 ` David Howells 1 sibling, 0 replies; 4+ messages in thread From: Mimi Zohar @ 2017-11-10 13:10 UTC (permalink / raw) To: David Howells; +Cc: linux-integrity On Fri, 2017-11-10 at 11:38 +0000, David Howells wrote: > Hi Mimi, > > I need to add a statement about the IMA secure_boot rules to the > kernel_lockdown manual page. Is this enough: > > IMA requires the addition of the "secure_boot" rules to the policy, > whether or not they are specified on the command line, for both the > builtin and custom policies in secure boot lockdown mode. Please add: This initially enforces kernel modules, firmware, the kernel kexec image, and the IMA policy itself are signed. > > I don't know what this actually does/achieves. Like other policies (eg. tcb, appraise_tcb) the "secure_boot" policy can be specified on the boot command line (eg. ima_policy="secure_boot|tcb|appraise_tcb"). Currently the builtin "secure_boot" policy is defined as: static struct ima_rule_entry secure_boot_rules[] __ro_after_init = { {.action = APPRAISE, .func = MODULE_CHECK, .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, {.action = APPRAISE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, {.action = APPRAISE, .func = KEXEC_KERNEL_CHECK, .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, {.action = APPRAISE, .func = POLICY_CHECK, .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, }; These policies can be replaced at runtime with a custom policy. "lockdown" mode includes these rules in the custom policy, before any of the custom rules. On a system with "CONFIG_IMA_READ_POLICY" enabled and commit 2068626d1345 "ima: don't remove the securityfs policy file" in James' next-testing branch, the current policy can be seen by cat'ing <securityfs>/ima/policy. Mimi ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: IMA secure_boot rules and the kernel_lockdown manpage 2017-11-10 11:38 IMA secure_boot rules and the kernel_lockdown manpage David Howells 2017-11-10 13:10 ` Mimi Zohar @ 2017-11-10 14:31 ` David Howells 2017-11-10 14:43 ` Mimi Zohar 1 sibling, 1 reply; 4+ messages in thread From: David Howells @ 2017-11-10 14:31 UTC (permalink / raw) To: Mimi Zohar; +Cc: dhowells, linux-integrity Mimi Zohar <zohar@linux.vnet.ibm.com> wrote: > This initially enforces kernel modules, firmware, the kernel kexec > image, and the IMA policy itself are signed. "Initially" meaning that this can be changed? David ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: IMA secure_boot rules and the kernel_lockdown manpage 2017-11-10 14:31 ` David Howells @ 2017-11-10 14:43 ` Mimi Zohar 0 siblings, 0 replies; 4+ messages in thread From: Mimi Zohar @ 2017-11-10 14:43 UTC (permalink / raw) To: David Howells; +Cc: linux-integrity, Thiago Jung Bauermann On Fri, 2017-11-10 at 14:31 +0000, David Howells wrote: > Mimi Zohar <zohar@linux.vnet.ibm.com> wrote: > > > This initially enforces kernel modules, firmware, the kernel kexec > > image, and the IMA policy itself are signed. > > "Initially" meaning that this can be changed? No, I was intending to allow the meaning of the "secure_boot" policy to change over time. There's already support for the initramfs to be signed. With Thiago Baurmann's "Appended signatures support for IMA appraisal", which is initially meant for the kexec'ed kernel image, the initramfs can be signed with an appended signature as well. Once IMA support for appended signatures is upstreamed, we could extend the "secure_boot" policy to require the initramfs to be signed as well. Mimi ^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2017-11-10 14:43 UTC | newest] Thread overview: 4+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2017-11-10 11:38 IMA secure_boot rules and the kernel_lockdown manpage David Howells 2017-11-10 13:10 ` Mimi Zohar 2017-11-10 14:31 ` David Howells 2017-11-10 14:43 ` Mimi Zohar
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).