[RFC PATCH 2/2] ima: Change default secure_boot policy to include appended signatures

[RFC PATCH 0/2] ima: uncompressed module appraisal support · Eric Snowberg <eric.snowberg@oracle.com> · 2020-02-06
[RFC PATCH 2/2] ima: Change default secure_boot policy to include appended signatures · Eric Snowberg <eric.snowberg@oracle.com> · 2020-02-06
[RFC PATCH 1/2] ima: Implement support for uncompressed module appended signatures · Eric Snowberg <eric.snowberg@oracle.com> · 2020-02-06
Re: [RFC PATCH 1/2] ima: Implement support for uncompressed module appended signatures · Lakshmi Ramasubramanian <hidden> · 2020-02-06
Re: [RFC PATCH 1/2] ima: Implement support for uncompressed module appended signatures · Eric Snowberg <eric.snowberg@oracle.com> · 2020-02-06
Re: [RFC PATCH 1/2] ima: Implement support for uncompressed module appended signatures · Mimi Zohar <zohar@linux.ibm.com> · 2020-02-06
Re: [RFC PATCH 1/2] ima: Implement support for uncompressed module appended signatures · Eric Snowberg <eric.snowberg@oracle.com> · 2020-02-06
Re: [RFC PATCH 1/2] ima: Implement support for uncompressed module appended signatures · Mimi Zohar <zohar@linux.ibm.com> · 2020-02-06
Re: [RFC PATCH 0/2] ima: uncompressed module appraisal support · Nayna <hidden> · 2020-02-06
Re: [RFC PATCH 0/2] ima: uncompressed module appraisal support · Eric Snowberg <eric.snowberg@oracle.com> · 2020-02-06
Re: [RFC PATCH 0/2] ima: uncompressed module appraisal support · Mimi Zohar <zohar@linux.ibm.com> · 2020-02-07
Re: [RFC PATCH 0/2] ima: uncompressed module appraisal support · Eric Snowberg <eric.snowberg@oracle.com> · 2020-02-07
Re: [RFC PATCH 0/2] ima: uncompressed module appraisal support · Mimi Zohar <zohar@linux.ibm.com> · 2020-02-07
Re: [RFC PATCH 0/2] ima: uncompressed module appraisal support · Eric Snowberg <eric.snowberg@oracle.com> · 2020-02-07
Re: [RFC PATCH 0/2] ima: uncompressed module appraisal support · Mimi Zohar <zohar@linux.ibm.com> · 2020-02-07
Re: [RFC PATCH 0/2] ima: uncompressed module appraisal support · Eric Snowberg <eric.snowberg@oracle.com> · 2020-02-07
Re: [RFC PATCH 0/2] ima: uncompressed module appraisal support · Mimi Zohar <zohar@linux.ibm.com> · 2020-02-07
Re: [RFC PATCH 0/2] ima: uncompressed module appraisal support · Eric Snowberg <eric.snowberg@oracle.com> · 2020-02-07
Re: [RFC PATCH 0/2] ima: uncompressed module appraisal support · Mimi Zohar <zohar@linux.ibm.com> · 2020-02-08
Re: [RFC PATCH 0/2] ima: uncompressed module appraisal support · Eric Snowberg <eric.snowberg@oracle.com> · 2020-02-10
Re: [RFC PATCH 0/2] ima: uncompressed module appraisal support · Mimi Zohar <zohar@linux.ibm.com> · 2020-02-10
Re: [RFC PATCH 0/2] ima: uncompressed module appraisal support · Eric Snowberg <eric.snowberg@oracle.com> · 2020-02-10
Re: [RFC PATCH 0/2] ima: uncompressed module appraisal support · Mimi Zohar <zohar@linux.ibm.com> · 2020-02-10
Re: [RFC PATCH 0/2] ima: uncompressed module appraisal support · Eric Snowberg <eric.snowberg@oracle.com> · 2020-02-11
Re: [RFC PATCH 0/2] ima: uncompressed module appraisal support · Nayna <hidden> · 2020-02-12
Re: [RFC PATCH 0/2] ima: uncompressed module appraisal support · Eric Snowberg <eric.snowberg@oracle.com> · 2020-02-13

STALE2297d

From: Eric Snowberg <eric.snowberg@oracle.com>
Date: 2020-02-06 16:45:12
Also in: linux-integrity, lkml
Subsystem: extended verification module (evm), integrity measurement architecture (ima), security subsystem, the rest · Maintainers: Mimi Zohar, Roberto Sassu, Dmitry Kasatkin, Paul Moore, James Morris, "Serge E. Hallyn", Linus Torvalds

Change the default secure_boot policy from:

appraise func=MODULE_CHECK appraise_type=imasig
appraise func=FIRMWARE_CHECK appraise_type=imasig
appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig
appraise func=POLICY_CHECK appraise_type=imasig

to

appraise func=MODULE_CHECK appraise_type=imasig|modsig
appraise func=FIRMWARE_CHECK appraise_type=imasig
appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig
appraise func=POLICY_CHECK appraise_type=imasig

This will allow appended signatures to work with the default
secure_boot policy.

Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
---
 security/integrity/ima/ima_policy.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index ef8dfd47c7e3..5d835715b472 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c

@@ -189,11 +189,11 @@ static struct ima_rule_entry build_appraise_rules[] __ro_after_init = {
 
 static struct ima_rule_entry secure_boot_rules[] __ro_after_init = {
 	{.action = APPRAISE, .func = MODULE_CHECK,
-	 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
+	 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED | IMA_MODSIG_ALLOWED},
 	{.action = APPRAISE, .func = FIRMWARE_CHECK,
 	 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
 	{.action = APPRAISE, .func = KEXEC_KERNEL_CHECK,
-	 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
+	 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED | IMA_MODSIG_ALLOWED},
 	{.action = APPRAISE, .func = POLICY_CHECK,
 	 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
 };

-- 
2.18.1

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help