Re: [PATCH v3 2/2] ima: move APPRAISE_BOOTPARAM dependency on ARCH_POLICY to runtime

[Mimi Zohar <zohar@linux.ibm.com>]

On Tue, 2020-06-23 at 17:26 -0300, Bruno Meneguele wrote:
<snip>

> diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
> index edde88dbe576..62dc11a5af01 100644
> --- a/security/integrity/ima/Kconfig
> +++ b/security/integrity/ima/Kconfig
> @@ -232,7 +232,7 @@ config IMA_APPRAISE_REQUIRE_POLICY_SIGS
>  
>  config IMA_APPRAISE_BOOTPARAM
>  	bool "ima_appraise boot parameter"
> -	depends on IMA_APPRAISE && !IMA_ARCH_POLICY
> +	depends on IMA_APPRAISE

Ok

>  	default y
>  	help
>  	  This option enables the different "ima_appraise=" modes
> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index e493063a3c34..6742f86b6c60 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -732,12 +732,20 @@ void __init ima_init_policy(void)
>  	 * and custom policies, prior to other appraise rules.
>  	 * (Highest priority)
>  	 */
> -	arch_entries = ima_init_arch_policy();
> -	if (!arch_entries)
> -		pr_info("No architecture policies found\n");
> -	else
> -		add_rules(arch_policy_entry, arch_entries,
> -			  IMA_DEFAULT_POLICY | IMA_CUSTOM_POLICY);
> +	if (arch_ima_secure_or_trusted_boot()) {

Today only "measure" and "appraise" rules are included in the arch
specific policy, but someone might decide they want to include "audit"
rules as well.

I'm not if the "secure_boot" flag is available prior to calling
default_appraise_setup(), but if it is, you could modify the test
there to also check if the system is booted in secure boot mode (eg.
IS_ENABLED(CONFIG_IMA_APPRAISE_BOOTPARAM) &&
!arch_ima_get_secureboot())

> +		/* In secure and/or trusted boot the appraisal must be
> +		 * enforced, regardless kernel parameters, preventing
> +		 * runtime changes */

Only "appraise" rules are enforced.

Mimi