From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: ltp@lists.linux.it
Subject: [LTP] [RFC PATCH 0/2] IMA: Rewrite tests into new API + fixes
Date: Mon, 29 Jan 2018 14:58:23 -0500
Message-ID: <1517255903.29187.560.camel@linux.vnet.ibm.com>
In-Reply-To: <1517100440.29187.120.camel@linux.vnet.ibm.com>
On Sat, 2018-01-27 at 19:47 -0500, Mimi Zohar wrote:
> On Fri, 2018-01-26 at 18:51 +0100, Petr Vorel wrote:
> > > > > Originally IMA allowed a builtin policy to be replaced with a custom
> > > > > policy, by simply cat'ing a file into the securityfs IMA policy file.
> > > > > Currently, if new rules can be added to the custom policy (Kconfig
> > > > > IMA_WRITE_POLICY enabled), the policy file must be signed. Similarly,
> > > > > if the builtin "secure-boot" policy is defined on the boot command
> > > > > line, the custom policy must be signed. Test "ima01 ima_policy.sh"
> > > > > should first detect if the policy must be signed, before running the
> > > > > tests.
> >
> > > > Right, I'll check it. Is there another way to detect it than reading
> > > > /boot/config-$(uname -r) or /proc/config.gz? I'm asking because IMA might be used on
> > > > embedded devices (guessing from [2], [3]), which might not have either of them.
> > This is important. As Cyril agreed with me grepping /boot/config-$(uname -r) or
> > /proc/config.gz isn't good solution. I don't see any ioctl interface and
> > security/integrity/ima/ima_fs.c which handles IMA sysfs doesn't have this functionality.
> > Is it deliberate (security reason), that it's not exported to users?
>
> This isn't really an IMA issue, but a TPM one. The TPM device driver
> would need to export this information.
Sorry, that was an answer to the wrong question. In ima_tpm.sh,
there's the question:
# Would be nice to know where the PCRs are located. Is this safe?".
Commit 313d21e "tpm: device class for tpm" moved the TPM sysfs
location from /sys/class/misc/tpmX/device/ to
/sys/class/tpm/tpmX/device/. The pcrs are
To answer your question, if after writing the custom policy, the
policy file disappears, then you obviously can't extend the policy.
If the policy file doesn't disappear, you might not be able to extend
the policy, just view it. Sorry, there's no method of knowing a priori
whether the policy can be extended.
Mimi
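Added example, not code from this thread or from the LTP tree: two small POSIX sh helpers that turn the two observations above into something a test can act on. The first resolves the TPM pcrs file under both the pre- and post-313d21e sysfs layouts; the second writes a rules file into the IMA policy interface and classifies the result by whether the write was accepted and whether the policy file is still there afterwards. The ROOT and SECURITYFS_DIR arguments are assumptions added so the logic can be exercised against a constructed directory tree; on a live system they are /sys and /sys/kernel/security.

```shell
#!/bin/sh
# Added example (not from the LTP tree or this thread). Helpers for an IMA/TPM
# test: locate the TPM pcrs file and classify the outcome of a policy write.
# ROOT / SECURITYFS_DIR are parameters only so the functions can be tested
# against a constructed tree; real values are /sys and /sys/kernel/security.

# tpm_pcrs_path [ROOT]
# Echo the first pcrs file found under ROOT. The /sys/class/tpm/tpmX/device/
# location (commit 313d21e, "tpm: device class for tpm") is tried first, the
# legacy /sys/class/misc/tpmX/device/ location second. Returns 1 if neither
# exists (no TPM 1.2 driver loaded, or sysfs laid out differently).
tpm_pcrs_path() {
    root="${1:-/sys}"
    for p in "$root"/class/tpm/tpm*/device/pcrs \
             "$root"/class/misc/tpm*/device/pcrs; do
        # an unmatched glob is left as a literal pattern, which -f rejects
        if [ -f "$p" ]; then
            echo "$p"
            return 0
        fi
    done
    return 1
}

# ima_policy_write_outcome SECURITYFS_DIR RULES_FILE
# cat RULES_FILE into SECURITYFS_DIR/ima/policy and print one of:
#   absent   - no policy interface (IMA disabled or securityfs not mounted)
#   rejected - the kernel refused the write (e.g. a signed policy is required
#              and RULES_FILE is unsigned, or the file is a read-only view)
#   replaced - write accepted and the file vanished: the builtin policy was
#              replaced and no further rules can be added
#   kept     - write accepted and the file remains: further rules may be
#              accepted, but only another write can confirm that
ima_policy_write_outcome() {
    policy="$1/ima/policy"
    rules="$2"
    [ -e "$policy" ] || { echo absent; return 0; }
    if ! cat "$rules" > "$policy" 2>/dev/null; then
        echo rejected
        return 0
    fi
    if [ -e "$policy" ]; then
        echo kept
    else
        echo replaced
    fi
}
```

On a real system the call is `ima_policy_write_outcome /sys/kernel/security /path/to/rules` as root; the test driving it should treat "kept" as "maybe appendable" rather than "appendable", which is exactly the limitation described above. A "rejected" result is also what an unsigned custom policy gets when IMA_WRITE_POLICY or the builtin "secure-boot" policy requires a signature, so the helper doubles as the detection step that the thread asked for, without reading the kernel config.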