From 5087fd9e80e539d2163accd045b73da64de7de95 Mon Sep 17 00:00:00 2001 From: Nayna Jain Date: Tue, 11 Jul 2023 12:44:47 -0400 Subject: ima: Remove deprecated IMA_TRUSTED_KEYRING Kconfig Time to remove "IMA_TRUSTED_KEYRING". Fixes: f4dc37785e9b ("integrity: define '.evm' as a builtin 'trusted' keyring") # v4.5+ Signed-off-by: Nayna Jain Signed-off-by: Mimi Zohar --- security/integrity/ima/Kconfig | 12 ------------ 1 file changed, 12 deletions(-) (limited to 'security') diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig index 60a511c6b583..c17660bf5f34 100644 --- a/security/integrity/ima/Kconfig +++ b/security/integrity/ima/Kconfig @@ -248,18 +248,6 @@ config IMA_APPRAISE_MODSIG The modsig keyword can be used in the IMA policy to allow a hook to accept such signatures. -config IMA_TRUSTED_KEYRING - bool "Require all keys on the .ima keyring be signed (deprecated)" - depends on IMA_APPRAISE && SYSTEM_TRUSTED_KEYRING - depends on INTEGRITY_ASYMMETRIC_KEYS - select INTEGRITY_TRUSTED_KEYRING - default y - help - This option requires that all keys added to the .ima - keyring be signed by a key on the system trusted keyring. - - This option is deprecated in favor of INTEGRITY_TRUSTED_KEYRING - config IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY bool "Permit keys validly signed by a built-in or secondary CA cert (EXPERIMENTAL)" depends on SYSTEM_TRUSTED_KEYRING -- cgit v1.2.3-70-g09d2 From f20765fdfdc2c8f47b41cb08489fdad3194a8465 Mon Sep 17 00:00:00 2001 From: Eric Snowberg Date: Wed, 26 Jul 2023 17:17:25 -0400 Subject: integrity: Always reference the blacklist keyring with appraisal Commit 273df864cf746 ("ima: Check against blacklisted hashes for files with modsig") introduced an appraise_flag option for referencing the blacklist keyring. Any matching binary found on this keyring fails signature validation. This flag only works with module appended signatures. An important part of a PKI infrastructure is to have the ability to do revocation at a later time should a vulnerability be found. Expand the revocation flag usage to all appraisal functions. The flag is now enabled by default. Setting the flag with an IMA policy has been deprecated. Without a revocation capability like this in place, only authenticity can be maintained. With this change, integrity can now be achieved with digital signature based IMA appraisal. Signed-off-by: Eric Snowberg Reviewed-by: Nayna Jain Signed-off-by: Mimi Zohar --- Documentation/ABI/testing/ima_policy | 6 +++--- arch/powerpc/kernel/ima_arch.c | 8 ++++---- security/integrity/ima/ima_appraise.c | 12 +++++++----- security/integrity/ima/ima_policy.c | 17 +++++------------ 4 files changed, 19 insertions(+), 24 deletions(-) (limited to 'security') diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy index 49db0ff288e5..c2385183826c 100644 --- a/Documentation/ABI/testing/ima_policy +++ b/Documentation/ABI/testing/ima_policy @@ -57,9 +57,9 @@ Description: stored in security.ima xattr. Requires specifying "digest_type=verity" first.) - appraise_flag:= [check_blacklist] - Currently, blacklist check is only for files signed with appended - signature. + appraise_flag:= [check_blacklist] (deprecated) + Setting the check_blacklist flag is no longer necessary. + All appraisal functions set it by default. digest_type:= verity Require fs-verity's file digest instead of the regular IMA file hash. diff --git a/arch/powerpc/kernel/ima_arch.c b/arch/powerpc/kernel/ima_arch.c index 957abd592075..b7029beed847 100644 --- a/arch/powerpc/kernel/ima_arch.c +++ b/arch/powerpc/kernel/ima_arch.c @@ -23,9 +23,9 @@ bool arch_ima_get_secureboot(void) * is not enabled. */ static const char *const secure_rules[] = { - "appraise func=KEXEC_KERNEL_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig", + "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig", #ifndef CONFIG_MODULE_SIG - "appraise func=MODULE_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig", + "appraise func=MODULE_CHECK appraise_type=imasig|modsig", #endif NULL }; @@ -49,9 +49,9 @@ static const char *const trusted_rules[] = { static const char *const secure_and_trusted_rules[] = { "measure func=KEXEC_KERNEL_CHECK template=ima-modsig", "measure func=MODULE_CHECK template=ima-modsig", - "appraise func=KEXEC_KERNEL_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig", + "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig", #ifndef CONFIG_MODULE_SIG - "appraise func=MODULE_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig", + "appraise func=MODULE_CHECK appraise_type=imasig|modsig", #endif NULL }; diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c index 491c1aca0b1c..870dde67707b 100644 --- a/security/integrity/ima/ima_appraise.c +++ b/security/integrity/ima/ima_appraise.c @@ -458,11 +458,13 @@ int ima_check_blacklist(struct integrity_iint_cache *iint, ima_get_modsig_digest(modsig, &hash_algo, &digest, &digestsize); rc = is_binary_blacklisted(digest, digestsize); - if ((rc == -EPERM) && (iint->flags & IMA_MEASURE)) - process_buffer_measurement(&nop_mnt_idmap, NULL, digest, digestsize, - "blacklisted-hash", NONE, - pcr, NULL, false, NULL, 0); - } + } else if (iint->flags & IMA_DIGSIG_REQUIRED && iint->ima_hash) + rc = is_binary_blacklisted(iint->ima_hash->digest, iint->ima_hash->length); + + if ((rc == -EPERM) && (iint->flags & IMA_MEASURE)) + process_buffer_measurement(&nop_mnt_idmap, NULL, digest, digestsize, + "blacklisted-hash", NONE, + pcr, NULL, false, NULL, 0); return rc; } diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index c9b3bd8f1bb9..69452b79686b 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -1280,7 +1280,7 @@ static bool ima_validate_rule(struct ima_rule_entry *entry) IMA_FSNAME | IMA_GID | IMA_EGID | IMA_FGROUP | IMA_DIGSIG_REQUIRED | IMA_PERMIT_DIRECTIO | IMA_VALIDATE_ALGOS | - IMA_VERITY_REQUIRED)) + IMA_CHECK_BLACKLIST | IMA_VERITY_REQUIRED)) return false; break; @@ -1355,7 +1355,7 @@ static bool ima_validate_rule(struct ima_rule_entry *entry) /* Ensure that combinations of flags are compatible with each other */ if (entry->flags & IMA_CHECK_BLACKLIST && - !(entry->flags & IMA_MODSIG_ALLOWED)) + !(entry->flags & IMA_DIGSIG_REQUIRED)) return false; /* @@ -1803,11 +1803,11 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) if (entry->flags & IMA_VERITY_REQUIRED) result = -EINVAL; else - entry->flags |= IMA_DIGSIG_REQUIRED; + entry->flags |= IMA_DIGSIG_REQUIRED | IMA_CHECK_BLACKLIST; } else if (strcmp(args[0].from, "sigv3") == 0) { /* Only fsverity supports sigv3 for now */ if (entry->flags & IMA_VERITY_REQUIRED) - entry->flags |= IMA_DIGSIG_REQUIRED; + entry->flags |= IMA_DIGSIG_REQUIRED | IMA_CHECK_BLACKLIST; else result = -EINVAL; } else if (IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG) && @@ -1816,18 +1816,13 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) result = -EINVAL; else entry->flags |= IMA_DIGSIG_REQUIRED | - IMA_MODSIG_ALLOWED; + IMA_MODSIG_ALLOWED | IMA_CHECK_BLACKLIST; } else { result = -EINVAL; } break; case Opt_appraise_flag: ima_log_string(ab, "appraise_flag", args[0].from); - if (IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG) && - strstr(args[0].from, "blacklist")) - entry->flags |= IMA_CHECK_BLACKLIST; - else - result = -EINVAL; break; case Opt_appraise_algos: ima_log_string(ab, "appraise_algos", args[0].from); @@ -2271,8 +2266,6 @@ int ima_policy_show(struct seq_file *m, void *v) } if (entry->flags & IMA_VERITY_REQUIRED) seq_puts(m, "digest_type=verity "); - if (entry->flags & IMA_CHECK_BLACKLIST) - seq_puts(m, "appraise_flag=check_blacklist "); if (entry->flags & IMA_PERMIT_DIRECTIO) seq_puts(m, "permit_directio "); rcu_read_unlock(); -- cgit v1.2.3-70-g09d2 From 56dc986a6b20b20aab1b76e0d8bff79954a00333 Mon Sep 17 00:00:00 2001 From: Coiby Xu Date: Wed, 26 Jul 2023 10:08:05 +0800 Subject: ima: require signed IMA policy when UEFI secure boot is enabled With commit 099f26f22f58 ("integrity: machine keyring CA configuration"), users are able to add custom IMA CA keys via MOK. This allows users to sign their own IMA polices without recompiling the kernel. For the sake of security, mandate signed IMA policy when UEFI secure boot is enabled. Note this change may affect existing users/tests i.e users won't be able to load an unsigned IMA policy when the IMA architecture specific policy is configured and UEFI secure boot is enabled. Suggested-by: Mimi Zohar Signed-off-by: Coiby Xu Signed-off-by: Mimi Zohar --- security/integrity/ima/ima_efi.c | 3 +++ 1 file changed, 3 insertions(+) (limited to 'security') diff --git a/security/integrity/ima/ima_efi.c b/security/integrity/ima/ima_efi.c index 9db66fe310d4..138029bfcce1 100644 --- a/security/integrity/ima/ima_efi.c +++ b/security/integrity/ima/ima_efi.c @@ -57,6 +57,9 @@ static const char * const sb_arch_rules[] = { "measure func=KEXEC_KERNEL_CHECK", #if !IS_ENABLED(CONFIG_MODULE_SIG) "appraise func=MODULE_CHECK appraise_type=imasig", +#endif +#if IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING) && IS_ENABLED(CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY) + "appraise func=POLICY_CHECK appraise_type=imasig", #endif "measure func=MODULE_CHECK", NULL -- cgit v1.2.3-70-g09d2 From 55e2b69649be38f1788b38755070875b96111d2f Mon Sep 17 00:00:00 2001 From: Wenyu Liu Date: Mon, 7 Aug 2023 10:52:06 +0800 Subject: kexec_lock: Replace kexec_mutex() by kexec_lock() in two comments kexec_mutex is replaced by an atomic variable in 05c6257433b (panic, kexec: make __crash_kexec() NMI safe). But there are still two comments that referenced kexec_mutex, replace them by kexec_lock. Signed-off-by: Wenyu Liu Acked-by: Baoquan He Acked-by: Paul Menzel Signed-off-by: Mimi Zohar --- kernel/kexec_file.c | 2 +- security/integrity/ima/ima_kexec.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'security') diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c index 881ba0d1714c..b5bbb2fe0668 100644 --- a/kernel/kexec_file.c +++ b/kernel/kexec_file.c @@ -624,7 +624,7 @@ int kexec_locate_mem_hole(struct kexec_buf *kbuf) * kexec_add_buffer - place a buffer in a kexec segment * @kbuf: Buffer contents and memory parameters. * - * This function assumes that kexec_mutex is held. + * This function assumes that kexec_lock is held. * On successful return, @kbuf->mem will have the physical address of * the buffer in memory. * diff --git a/security/integrity/ima/ima_kexec.c b/security/integrity/ima/ima_kexec.c index 419dc405c831..ad133fe120db 100644 --- a/security/integrity/ima/ima_kexec.c +++ b/security/integrity/ima/ima_kexec.c @@ -77,7 +77,7 @@ out: * Called during kexec_file_load so that IMA can add a segment to the kexec * image for the measurement list for the next kernel. * - * This function assumes that kexec_mutex is held. + * This function assumes that kexec_lock is held. */ void ima_add_kexec_buffer(struct kimage *image) { -- cgit v1.2.3-70-g09d2