From: Eric Snowberg <eric.snowberg@oracle.com>
To: zohar@linux.ibm.com
Cc: dmitry.kasatkin@gmail.com, jmorris@namei.org, serge@hallyn.com,
eric.snowberg@oracle.com, linux-integrity@vger.kernel.org,
linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: [PATCH] integrity: Allow ima_appraise bootparam to be set when SB is enabled
Date: Mon, 25 Apr 2022 18:21:20 -0400 [thread overview]
Message-ID: <20220425222120.1998888-1-eric.snowberg@oracle.com> (raw)
The IMA_APPRAISE_BOOTPARM config allows enabling different "ima_appraise="
modes (log, fix, enforce) to be configured at boot time. When booting
with Secure Boot enabled, all modes are ignored except enforce. To use
log or fix, Secure Boot must be disabled.
With a policy such as:
appraise func=BPRM_CHECK appraise_type=imasig
A user may just want to audit signature validation. Not all users
are interested in full enforcement and find the audit log appropriate
for their use case.
Add a new IMA_APPRAISE_SB_BOOTPARAM config allowing "ima_appraise="
to work when Secure Boot is enabled.
Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
---
security/integrity/ima/Kconfig | 9 +++++++++
security/integrity/ima/ima_appraise.c | 2 +-
2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
index f3a9cc201c8c..66d25345e478 100644
--- a/security/integrity/ima/Kconfig
+++ b/security/integrity/ima/Kconfig
@@ -237,6 +237,15 @@ config IMA_APPRAISE_BOOTPARAM
This option enables the different "ima_appraise=" modes
(eg. fix, log) from the boot command line.
+config IMA_APPRAISE_SB_BOOTPARAM
+ bool "ima_appraise secure boot parameter"
+ depends on IMA_APPRAISE_BOOTPARAM
+ default n
+ help
+ This option enables the different "ima_appraise=" modes
+ (eg. fix, log) from the boot command line when booting
+ with Secure Boot enabled.
+
config IMA_APPRAISE_MODSIG
bool "Support module-style signatures for appraisal"
depends on IMA_APPRAISE
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index 17232bbfb9f9..a66b1e271806 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -43,7 +43,7 @@ void __init ima_appraise_parse_cmdline(void)
/* If appraisal state was changed, but secure boot is enabled,
* keep its default */
- if (sb_state) {
+ if (sb_state && !IS_ENABLED(CONFIG_IMA_APPRAISE_SB_BOOTPARAM)) {
if (!(appraisal_state & IMA_APPRAISE_ENFORCE))
pr_info("Secure boot enabled: ignoring ima_appraise=%s option",
str);
--
2.27.0
next reply other threads:[~2022-04-25 22:23 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-04-25 22:21 Eric Snowberg [this message]
2022-04-26 18:18 ` [PATCH] integrity: Allow ima_appraise bootparam to be set when SB is enabled Mimi Zohar
2022-04-27 16:12 ` Eric Snowberg
2022-04-27 21:21 ` Mimi Zohar
2022-04-28 22:08 ` Nayna
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220425222120.1998888-1-eric.snowberg@oracle.com \
--to=eric.snowberg@oracle.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=jmorris@namei.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=serge@hallyn.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).