From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-8.2 required=3.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH,MAILING_LIST_MULTI,SPF_HELO_NONE, SPF_PASS,USER_AGENT_SANE_2 autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9C88FC433E1 for ; Fri, 10 Jul 2020 18:57:57 +0000 (UTC) Received: from lists.ozlabs.org (lists.ozlabs.org [203.11.71.2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 181A82076A for ; Fri, 10 Jul 2020 18:57:56 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 181A82076A Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=linux.ibm.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=linuxppc-dev-bounces+linuxppc-dev=archiver.kernel.org@lists.ozlabs.org Received: from bilbo.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) by lists.ozlabs.org (Postfix) with ESMTP id 4B3MkC0x2MzDrNd for ; Sat, 11 Jul 2020 04:57:55 +1000 (AEST) Authentication-Results: lists.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=linux.ibm.com (client-ip=148.163.158.5; helo=mx0a-001b2d01.pphosted.com; envelope-from=zohar@linux.ibm.com; receiver=) Authentication-Results: lists.ozlabs.org; dmarc=pass (p=none dis=none) header.from=linux.ibm.com Received: from mx0a-001b2d01.pphosted.com (mx0b-001b2d01.pphosted.com [148.163.158.5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 4B3MhG1V0rzDrN9 for ; Sat, 11 Jul 2020 04:56:13 +1000 (AEST) Received: from pps.filterd (m0098414.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id 06AIY8de004832; Fri, 10 Jul 2020 14:56:09 -0400 Received: from pps.reinject (localhost [127.0.0.1]) by mx0b-001b2d01.pphosted.com with ESMTP id 326j81bkjn-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 10 Jul 2020 14:56:09 -0400 Received: from m0098414.ppops.net (m0098414.ppops.net [127.0.0.1]) by pps.reinject (8.16.0.36/8.16.0.36) with SMTP id 06AIpWFb056849; Fri, 10 Jul 2020 14:56:09 -0400 Received: from ppma02fra.de.ibm.com (47.49.7a9f.ip4.static.sl-reverse.com [159.122.73.71]) by mx0b-001b2d01.pphosted.com with ESMTP id 326j81bkhu-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 10 Jul 2020 14:56:09 -0400 Received: from pps.filterd (ppma02fra.de.ibm.com [127.0.0.1]) by ppma02fra.de.ibm.com (8.16.0.42/8.16.0.42) with SMTP id 06AIZHcE031343; Fri, 10 Jul 2020 18:56:07 GMT Received: from b06avi18626390.portsmouth.uk.ibm.com (b06avi18626390.portsmouth.uk.ibm.com [9.149.26.192]) by ppma02fra.de.ibm.com with ESMTP id 326bcf0vu8-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 10 Jul 2020 18:56:07 +0000 Received: from d06av24.portsmouth.uk.ibm.com (d06av24.portsmouth.uk.ibm.com [9.149.105.60]) by b06avi18626390.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 06AIrRae459318 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Fri, 10 Jul 2020 18:53:27 GMT Received: from d06av24.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 9F64442045; Fri, 10 Jul 2020 18:54:49 +0000 (GMT) Received: from d06av24.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id A0DB442042; Fri, 10 Jul 2020 18:54:48 +0000 (GMT) Received: from localhost.localdomain (unknown [9.80.206.93]) by d06av24.portsmouth.uk.ibm.com (Postfix) with ESMTP; Fri, 10 Jul 2020 18:54:48 +0000 (GMT) Message-ID: <1594407288.14405.36.camel@linux.ibm.com> Subject: Re: [PATCH v5] ima: move APPRAISE_BOOTPARAM dependency on ARCH_POLICY to runtime From: Mimi Zohar To: Bruno Meneguele Date: Fri, 10 Jul 2020 14:54:48 -0400 In-Reply-To: <20200710183420.GB10547@glitch> References: <20200709164647.45153-1-bmeneg@redhat.com> <1594401804.14405.8.camel@linux.ibm.com> <20200710180338.GA10547@glitch> <20200710183420.GB10547@glitch> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.20.5 (3.20.5-1.fc24) Mime-Version: 1.0 Content-Transfer-Encoding: 8bit X-TM-AS-GCONF: 00 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.235, 18.0.687 definitions=2020-07-10_14:2020-07-10, 2020-07-10 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 mlxlogscore=999 impostorscore=0 suspectscore=0 clxscore=1015 lowpriorityscore=0 malwarescore=0 mlxscore=0 spamscore=0 phishscore=0 adultscore=0 priorityscore=1501 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2006250000 definitions=main-2007100121 X-BeenThere: linuxppc-dev@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Linux on PowerPC Developers Mail List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: linux-s390@vger.kernel.org, nayna@linux.ibm.com, erichte@linux.ibm.com, x86@kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, linux-integrity@vger.kernel.org, linuxppc-dev@lists.ozlabs.org Errors-To: linuxppc-dev-bounces+linuxppc-dev=archiver.kernel.org@lists.ozlabs.org Sender: "Linuxppc-dev" On Fri, 2020-07-10 at 15:34 -0300, Bruno Meneguele wrote: > On Fri, Jul 10, 2020 at 03:03:38PM -0300, Bruno Meneguele wrote: > > On Fri, Jul 10, 2020 at 01:23:24PM -0400, Mimi Zohar wrote: > > > On Thu, 2020-07-09 at 13:46 -0300, Bruno Meneguele wrote: > > > > APPRAISE_BOOTPARAM has been marked as dependent on !ARCH_POLICY in compile > > > > time, enforcing the appraisal whenever the kernel had the arch policy option > > > > enabled. > > > > > > > However it breaks systems where the option is set but the system didn't > > > > boot in a "secure boot" platform. In this scenario, anytime an appraisal > > > > policy (i.e. ima_policy=appraisal_tcb) is used it will be forced, without > > > > giving the user the opportunity to label the filesystem, before enforcing > > > > integrity. > > > > > > > > Considering the ARCH_POLICY is only effective when secure boot is actually > > > > enabled this patch remove the compile time dependency and move it to a > > > > runtime decision, based on the secure boot state of that platform. > > > > > > Perhaps we could simplify this patch description a bit? > > > > > > The IMA_APPRAISE_BOOTPARAM config allows enabling different > > > "ima_appraise=" modes - log, fix, enforce - at run time, but not when > > > IMA architecture specific policies are enabled.  This prevents > > > properly labeling the filesystem on systems where secure boot is > > > supported, but not enabled on the platform.  Only when secure boot is > > > enabled, should these IMA appraise modes be disabled. > > > > > > This patch removes the compile time dependency and makes it a runtime > > > decision, based on the secure boot state of that platform. > > > > > > > Sounds good to me. > > > > > > > > > > > > diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c > > > > index a9649b04b9f1..884de471b38a 100644 > > > > --- a/security/integrity/ima/ima_appraise.c > > > > +++ b/security/integrity/ima/ima_appraise.c > > > > @@ -19,6 +19,11 @@ > > > > static int __init default_appraise_setup(c > > > > > > > har *str) > > > > { > > > > #ifdef CONFIG_IMA_APPRAISE_BOOTPARAM > > > > + if (arch_ima_get_secureboot()) { > > > > + pr_info("appraise boot param ignored: secure boot enabled"); > > > > > > Instead of a generic statement, is it possible to include the actual > > > option being denied?  Perhaps something like: "Secure boot enabled, > > > ignoring %s boot command line option" > > > > > > Mimi > > > > > > > Yes, sure. > > > > Btw, would it make sense to first make sure we have a valid "str" > option and not something random to print? > > diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c > index a9649b04b9f1..1f1175531d3e 100644 > --- a/security/integrity/ima/ima_appraise.c > +++ b/security/integrity/ima/ima_appraise.c > @@ -25,6 +25,16 @@ static int __init default_appraise_setup(char *str) > ima_appraise = IMA_APPRAISE_LOG; > else if (strncmp(str, "fix", 3) == 0) > ima_appraise = IMA_APPRAISE_FIX; > + else > + pr_info("invalid \"%s\" appraise option"); > + > + if (arch_ima_get_secureboot()) { > + if (!is_ima_appraise_enabled()) { > + pr_info("Secure boot enabled: ignoring ima_appraise=%s boot parameter option", > + str); > + ima_appraise = IMA_APPRAISE_ENFORCE; > + } > + } Providing feedback is probably a good idea.  However, the "arch_ima_get_secureboot" test can't come after setting "ima_appraise." Mimi > #endif > return 1; > } > > > The "else" there I think would make sense as well, at least to give the > user some feedback about a possible mispelling of him (as a separate > patch). > > And "if(!is_ima_appraise_enabled())" would avoid to print anything about > "ignoring the option" to the user in case he explicitly set "enforce", > which we know there isn't any real effect but is allowed and shown in > kernel-parameters.txt. > > > Thanks! > > > > > > + return 1; > > > > + } > > > > + > > > > if (strncmp(str, "off", 3) == 0) > > > > ima_appraise = 0; > > > > else if (strncmp(str, "log", 3) == 0) > > > > > > > -- > > bmeneg > > PGP Key: http://bmeneg.com/pubkey.txt > > >