* [PATCH] ima: require signed IMA policy when UEFI secure boot is enabled @ 2023-07-03 11:54 Coiby Xu 2023-07-04 12:57 ` Mimi Zohar 2023-07-26 2:08 ` [PATCH v2] " Coiby Xu 0 siblings, 2 replies; 6+ messages in thread From: Coiby Xu @ 2023-07-03 11:54 UTC (permalink / raw) To: linux-integrity Cc: Mimi Zohar, Dmitry Kasatkin, Paul Moore, James Morris, Serge E. Hallyn, open list:SECURITY SUBSYSTEM, open list With the introduction of the .machine keyring for UEFI-based systems, users are able to add custom CAs keys via MOK. This allow users to sign their own IMA polices. For the sake of security, mandate signed IMA policy when UEFI secure boot is enabled. Suggested-by: Mimi Zohar <zohar@linux.ibm.com> Signed-off-by: Coiby Xu <coxu@redhat.com> --- security/integrity/ima/ima_efi.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/security/integrity/ima/ima_efi.c b/security/integrity/ima/ima_efi.c index 9db66fe310d4..bb2881759505 100644 --- a/security/integrity/ima/ima_efi.c +++ b/security/integrity/ima/ima_efi.c @@ -58,6 +58,9 @@ static const char * const sb_arch_rules[] = { #if !IS_ENABLED(CONFIG_MODULE_SIG) "appraise func=MODULE_CHECK appraise_type=imasig", #endif +#if IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING) && IS_ENABLED(CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY) + "appraise func=POLICY_CHECK appraise_type=imasig", +#endif /* CONFIG_INTEGRITY_MACHINE_KEYRING && IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY */ "measure func=MODULE_CHECK", NULL }; -- 2.41.0 ^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH] ima: require signed IMA policy when UEFI secure boot is enabled 2023-07-03 11:54 [PATCH] ima: require signed IMA policy when UEFI secure boot is enabled Coiby Xu @ 2023-07-04 12:57 ` Mimi Zohar 2023-07-14 1:29 ` Coiby Xu 2023-07-26 2:08 ` [PATCH v2] " Coiby Xu 1 sibling, 1 reply; 6+ messages in thread From: Mimi Zohar @ 2023-07-04 12:57 UTC (permalink / raw) To: Coiby Xu, linux-integrity Cc: Dmitry Kasatkin, Paul Moore, James Morris, Serge E. Hallyn, open list:SECURITY SUBSYSTEM, open list On Mon, 2023-07-03 at 19:54 +0800, Coiby Xu wrote: > With the introduction of the .machine keyring for UEFI-based systems, > users are able to add custom CAs keys via MOK. This allow users to sign > their own IMA polices. For the sake of security, mandate signed IMA > policy when UEFI secure boot is enabled. > > Suggested-by: Mimi Zohar <zohar@linux.ibm.com> > Signed-off-by: Coiby Xu <coxu@redhat.com> > --- > security/integrity/ima/ima_efi.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/security/integrity/ima/ima_efi.c b/security/integrity/ima/ima_efi.c > index 9db66fe310d4..bb2881759505 100644 > --- a/security/integrity/ima/ima_efi.c > +++ b/security/integrity/ima/ima_efi.c > @@ -58,6 +58,9 @@ static const char * const sb_arch_rules[] = { > #if !IS_ENABLED(CONFIG_MODULE_SIG) > "appraise func=MODULE_CHECK appraise_type=imasig", > #endif > +#if IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING) && IS_ENABLED(CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY) > + "appraise func=POLICY_CHECK appraise_type=imasig", > +#endif /* CONFIG_INTEGRITY_MACHINE_KEYRING && IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY */ > "measure func=MODULE_CHECK", > NULL > }; Thanks, Coiby. Using IS_ENABLED() is not wrong, but unnecessary. IS_BUILTIN() suffices. -- thanks, Mimi ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] ima: require signed IMA policy when UEFI secure boot is enabled 2023-07-04 12:57 ` Mimi Zohar @ 2023-07-14 1:29 ` Coiby Xu 2023-07-20 14:12 ` Mimi Zohar 0 siblings, 1 reply; 6+ messages in thread From: Coiby Xu @ 2023-07-14 1:29 UTC (permalink / raw) To: Mimi Zohar Cc: linux-integrity, Dmitry Kasatkin, Paul Moore, James Morris, Serge E. Hallyn, open list:SECURITY SUBSYSTEM, open list On Tue, Jul 04, 2023 at 08:57:10AM -0400, Mimi Zohar wrote: >On Mon, 2023-07-03 at 19:54 +0800, Coiby Xu wrote: >> With the introduction of the .machine keyring for UEFI-based systems, >> users are able to add custom CAs keys via MOK. This allow users to sign >> their own IMA polices. For the sake of security, mandate signed IMA >> policy when UEFI secure boot is enabled. >> >> Suggested-by: Mimi Zohar <zohar@linux.ibm.com> >> Signed-off-by: Coiby Xu <coxu@redhat.com> >> --- >> security/integrity/ima/ima_efi.c | 3 +++ >> 1 file changed, 3 insertions(+) >> >> diff --git a/security/integrity/ima/ima_efi.c b/security/integrity/ima/ima_efi.c >> index 9db66fe310d4..bb2881759505 100644 >> --- a/security/integrity/ima/ima_efi.c >> +++ b/security/integrity/ima/ima_efi.c >> @@ -58,6 +58,9 @@ static const char * const sb_arch_rules[] = { >> #if !IS_ENABLED(CONFIG_MODULE_SIG) >> "appraise func=MODULE_CHECK appraise_type=imasig", >> #endif >> +#if IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING) && IS_ENABLED(CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY) >> + "appraise func=POLICY_CHECK appraise_type=imasig", >> +#endif /* CONFIG_INTEGRITY_MACHINE_KEYRING && IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY */ >> "measure func=MODULE_CHECK", >> NULL >> }; > >Thanks, Coiby. You are welcome! > >Using IS_ENABLED() is not wrong, but unnecessary. IS_BUILTIN() >suffices. Thanks for the reminding! When I was going to apply this suggestion, I noticed ima_efi.c uses IS_ENABLED for all configuration items i.e. CONFIG_MODULE_SIG and CONFIG_KEXEC_SIG which are all of bool type. Would you like me to switch all IS_ENABLEs to IS_BUILTIN or still use IS_ENABLED? While IS_BUILTIN is exclusively for bool type, it's not as intuitive as IS_ENABLED. So it's not easy for me to make a choice. > >-- >thanks, > >Mimi > -- Best regards, Coiby ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] ima: require signed IMA policy when UEFI secure boot is enabled 2023-07-14 1:29 ` Coiby Xu @ 2023-07-20 14:12 ` Mimi Zohar 0 siblings, 0 replies; 6+ messages in thread From: Mimi Zohar @ 2023-07-20 14:12 UTC (permalink / raw) To: Coiby Xu Cc: linux-integrity, Dmitry Kasatkin, Paul Moore, James Morris, Serge E. Hallyn, open list:SECURITY SUBSYSTEM, open list On Fri, 2023-07-14 at 09:29 +0800, Coiby Xu wrote: > On Tue, Jul 04, 2023 at 08:57:10AM -0400, Mimi Zohar wrote: > >On Mon, 2023-07-03 at 19:54 +0800, Coiby Xu wrote: > >> With the introduction of the .machine keyring for UEFI-based systems, > >> users are able to add custom CAs keys via MOK. This allow users to sign > >> their own IMA polices. For the sake of security, mandate signed IMA > >> policy when UEFI secure boot is enabled. > >> > >> Suggested-by: Mimi Zohar <zohar@linux.ibm.com> > >> Signed-off-by: Coiby Xu <coxu@redhat.com> With commit 099f26f22f58 ("integrity: machine keyring CA configuration") it is now possible to require signed IMA policies without having to recompile the kernel. Please note this change might affect existing users/tests. > >> --- > >> security/integrity/ima/ima_efi.c | 3 +++ > >> 1 file changed, 3 insertions(+) > >> > >> diff --git a/security/integrity/ima/ima_efi.c b/security/integrity/ima/ima_efi.c > >> index 9db66fe310d4..bb2881759505 100644 > >> --- a/security/integrity/ima/ima_efi.c > >> +++ b/security/integrity/ima/ima_efi.c > >> @@ -58,6 +58,9 @@ static const char * const sb_arch_rules[] = { > >> #if !IS_ENABLED(CONFIG_MODULE_SIG) > >> "appraise func=MODULE_CHECK appraise_type=imasig", > >> #endif > >> +#if IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING) && IS_ENABLED(CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY) > >> + "appraise func=POLICY_CHECK appraise_type=imasig", > >> +#endif /* CONFIG_INTEGRITY_MACHINE_KEYRING && IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY */ > >> "measure func=MODULE_CHECK", > >> NULL > >> }; > > > >Thanks, Coiby. > > You are welcome! > > > > >Using IS_ENABLED() is not wrong, but unnecessary. IS_BUILTIN() > >suffices. > > Thanks for the reminding! When I was going to apply this suggestion, I > noticed ima_efi.c uses IS_ENABLED for all configuration items i.e. > CONFIG_MODULE_SIG and CONFIG_KEXEC_SIG which are all of bool type. Would > you like me to switch all IS_ENABLEs to IS_BUILTIN or still use > IS_ENABLED? While IS_BUILTIN is exclusively for bool type, it's not as > intuitive as IS_ENABLED. So it's not easy for me to make a choice. Sure, for consistency with the other rules IS_ENABLED is fine. thanks, Mimi ^ permalink raw reply [flat|nested] 6+ messages in thread
* [PATCH v2] ima: require signed IMA policy when UEFI secure boot is enabled 2023-07-03 11:54 [PATCH] ima: require signed IMA policy when UEFI secure boot is enabled Coiby Xu 2023-07-04 12:57 ` Mimi Zohar @ 2023-07-26 2:08 ` Coiby Xu 2023-07-27 17:38 ` Mimi Zohar 1 sibling, 1 reply; 6+ messages in thread From: Coiby Xu @ 2023-07-26 2:08 UTC (permalink / raw) To: linux-integrity Cc: Mimi Zohar, Dmitry Kasatkin, Paul Moore, James Morris, Serge E. Hallyn, open list:SECURITY SUBSYSTEM, open list With commit 099f26f22f58 ("integrity: machine keyring CA configuration"), users are able to add custom IMA CA keys via MOK. This allows users to sign their own IMA polices without recompiling the kernel. For the sake of security, mandate signed IMA policy when UEFI secure boot is enabled. Note this change may affect existing users/tests i.e users won't be able to load an unsigned IMA policy when the IMA architecture specific policy is configured and UEFI secure boot is enabled. Suggested-by: Mimi Zohar <zohar@linux.ibm.com> Signed-off-by: Coiby Xu <coxu@redhat.com> --- v2 - improve commit message [Mimi] - explicitly mention the dependent commit - add a note that the change will affect user space - remove "/* CONFIG_INTEGRITY_MACHINE_KEYRING .. */" to improve code readability --- security/integrity/ima/ima_efi.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/security/integrity/ima/ima_efi.c b/security/integrity/ima/ima_efi.c index 9db66fe310d4..138029bfcce1 100644 --- a/security/integrity/ima/ima_efi.c +++ b/security/integrity/ima/ima_efi.c @@ -57,6 +57,9 @@ static const char * const sb_arch_rules[] = { "measure func=KEXEC_KERNEL_CHECK", #if !IS_ENABLED(CONFIG_MODULE_SIG) "appraise func=MODULE_CHECK appraise_type=imasig", +#endif +#if IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING) && IS_ENABLED(CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY) + "appraise func=POLICY_CHECK appraise_type=imasig", #endif "measure func=MODULE_CHECK", NULL -- 2.41.0 ^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH v2] ima: require signed IMA policy when UEFI secure boot is enabled 2023-07-26 2:08 ` [PATCH v2] " Coiby Xu @ 2023-07-27 17:38 ` Mimi Zohar 0 siblings, 0 replies; 6+ messages in thread From: Mimi Zohar @ 2023-07-27 17:38 UTC (permalink / raw) To: Coiby Xu, linux-integrity Cc: Dmitry Kasatkin, Paul Moore, James Morris, Serge E. Hallyn, open list:SECURITY SUBSYSTEM, open list On Wed, 2023-07-26 at 10:08 +0800, Coiby Xu wrote: > With commit 099f26f22f58 ("integrity: machine keyring CA > configuration"), users are able to add custom IMA CA keys via > MOK. This allows users to sign their own IMA polices without > recompiling the kernel. For the sake of security, mandate signed IMA > policy when UEFI secure boot is enabled. > > Note this change may affect existing users/tests i.e users won't be able > to load an unsigned IMA policy when the IMA architecture specific policy > is configured and UEFI secure boot is enabled. > > Suggested-by: Mimi Zohar <zohar@linux.ibm.com> > Signed-off-by: Coiby Xu <coxu@redhat.com> > --- > v2 > - improve commit message [Mimi] > - explicitly mention the dependent commit > - add a note that the change will affect user space > - remove "/* CONFIG_INTEGRITY_MACHINE_KEYRING .. */" to improve code > readability Thank you for updating the commit message. The patch is now queued in next-integrity-testing. -- thanks, Mimi ^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2023-07-27 18:13 UTC | newest] Thread overview: 6+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2023-07-03 11:54 [PATCH] ima: require signed IMA policy when UEFI secure boot is enabled Coiby Xu 2023-07-04 12:57 ` Mimi Zohar 2023-07-14 1:29 ` Coiby Xu 2023-07-20 14:12 ` Mimi Zohar 2023-07-26 2:08 ` [PATCH v2] " Coiby Xu 2023-07-27 17:38 ` Mimi Zohar
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).