Thread: 51 messages, 7 authors, 2020-07-29

Re: [PATCH v3 00/19] Introduce partial kernel_read_file() support

From: Scott Branden <scott.branden@broadcom.com>
Date: 2020-07-28 19:56:35
Also in: linux-efi, linux-integrity, linux-kselftest, lkml, selinux

Hi Mimi,

On 2020-07-28 11:48 a.m., Mimi Zohar wrote:
On Mon, 2020-07-27 at 12:18 -0700, Scott Branden wrote:
Hi Mimi/Kees,

On 2020-07-27 4:16 a.m., Mimi Zohar wrote:
On Fri, 2020-07-24 at 14:36 -0700, Kees Cook wrote:
v3:
- add reviews/acks
- add "IMA: Add support for file reads without contents" patch
- trim CC list, in case that's why vger ignored v2
v2: [missing from lkml archives! (CC list too long?) repeating changes here]
- fix issues in firmware test suite
- add firmware partial read patches
- various bug fixes/cleanups
v1: https://lore.kernel.org/lkml/20200717174309.1164575-1-keescook@chromium.org/
Hi,

Here's my tree for adding partial read support in kernel_read_file(),
which fixes a number of issues along the way. It's got Scott's firmware
and IMA patches ported and everything tests cleanly for me (even with
CONFIG_IMA_APPRAISE=y).
Thanks, Kees.  Other than my comments on the new
security_kernel_post_load_data() hook, the patch set is really nice.

In addition to compiling with CONFIG_IMA_APPRAISE enabled, have you
booted the kernel with the ima_policy=tcb?  The tcb policy will add
measurements to the IMA measurement list and extend the TPM with the
file or buffer data digest.  Are you seeing the firmware measurements,
in particular the partial read measurement?
I booted the kernel with ima_policy=tcb.

Unfortunately after enabling the following, fw_run_tests.sh does not run.

mkdir /sys/kernel/security
mount -t securityfs securityfs /sys/kernel/security
echo "measure func=FIRMWARE_CHECK" > /sys/kernel/security/ima/policy
echo "appraise func=FIRMWARE_CHECK appraise_type=imasig" > /sys/kernel/security/ima/policy
./fw_run_tests.sh

[ 1296.258052] test_firmware: loading 'test-firmware.bin'
[ 1296.263903] misc test_firmware: loading /lib/firmware/test-firmware.bin failed with error -13
[ 1296.263905] audit: type=1800 audit(1595905754.266:9): pid=5696 uid=0 auid=4294967295 ses=4294967295 subj=kernel op=appraise_data cause=IMA-signature-required comm="fw_namespace" name="/lib/firmware/test-firmware.bin" dev="tmpfs" ino=4592 res=0
[ 1296.297085] misc test_firmware: Direct firmware load for test-firmware.bin failed with error -13
[ 1296.305947] test_firmware: load of 'test-firmware.bin' failed: -13
The "appraise" rule verifies the IMA signature.  Unless you signed the firmware
(evmctl) and load the public key on the IMA keyring, that's to be expected.  I
assume you are seeing firmware measurements in the IMA measurement log.
Yes, I see the firmware measurements in the IMA measurement log.
I have not signed the firmware nor loaded a public key on the IMA keyring.
Therefore everything is working as expected.
Mimi
Thanks,
 Scott
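The audit record in Scott's log (type=1800, op=appraise_data, cause=IMA-signature-required, res=0) is the line that tells you why an appraise rule denied a firmware load. As an added example that is not part of this thread, the following Python script parses IMA audit records of that shape into key/value pairs and lists every appraisal denial with its cause, so an operator can tell "the file is simply unsigned" apart from "a signed file failed verification". The sample log is the output quoted above rejoined onto single lines, plus one constructed record with cause=invalid-signature for a second (hypothetical) firmware file; the field layout is assumed from the one record shown.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the kernel log lines from the thread above, rejoined
# onto single lines, plus one constructed record (other.bin, cause=invalid-signature)
# to show a denial that is NOT the expected "unsigned file" case.
SAMPLE_LOG = """\
[ 1296.258052] test_firmware: loading 'test-firmware.bin'
[ 1296.263903] misc test_firmware: loading /lib/firmware/test-firmware.bin failed with error -13
[ 1296.263905] audit: type=1800 audit(1595905754.266:9): pid=5696 uid=0 auid=4294967295 ses=4294967295 subj=kernel op=appraise_data cause=IMA-signature-required comm="fw_namespace" name="/lib/firmware/test-firmware.bin" dev="tmpfs" ino=4592 res=0
[ 1296.297085] misc test_firmware: Direct firmware load for test-firmware.bin failed with error -13
[ 1296.305947] test_firmware: load of 'test-firmware.bin' failed: -13
[ 1300.000000] audit: type=1800 audit(1595905758.000:10): pid=5700 uid=0 auid=4294967295 ses=4294967295 subj=kernel op=appraise_data cause=invalid-signature comm="fw_namespace" name="/lib/firmware/other.bin" dev="tmpfs" ino=4593 res=0
"""

AUDIT_INTEGRITY_DATA = 1800  # audit type used for IMA data integrity records

# "audit: type=NNNN audit(<timestamp>:<serial>): <key=value fields...>"
AUDIT_RE = re.compile(
    r'audit: type=(?P<type>\d+) audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<fields>.*)$'
)
# key=value where value is either a "quoted string" or a bare token
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


@dataclass
class ImaAuditRecord:
    audit_type: int
    timestamp: float
    serial: int
    fields: dict


def parse_audit_record(line):
    """Parse one audit log line; return None for lines that are not audit records."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    fields = {}
    for key, raw, inner in FIELD_RE.findall(m.group("fields")):
        fields[key] = inner if raw.startswith('"') else raw
    return ImaAuditRecord(
        audit_type=int(m.group("type")),
        timestamp=float(m.group("ts")),
        serial=int(m.group("serial")),
        fields=fields,
    )


def appraisal_denials(log_text):
    """Return (file name, cause) for every IMA appraisal record that denied access (res=0)."""
    denials = []
    for line in log_text.splitlines():
        rec = parse_audit_record(line)
        if rec is None or rec.audit_type != AUDIT_INTEGRITY_DATA:
            continue
        if rec.fields.get("op") == "appraise_data" and rec.fields.get("res") == "0":
            denials.append((rec.fields.get("name"), rec.fields.get("cause")))
    return denials


def explain_cause(cause):
    """Map the cause field to what an operator should do about it."""
    if cause == "IMA-signature-required":
        return "file carries no IMA signature: expected unless it was signed and the key loaded"
    if cause == "invalid-signature":
        return "file is signed but verification failed: check the key, the xattr, or tampering"
    return "unrecognised cause, inspect the record"


if __name__ == "__main__":
    for name, cause in appraisal_denials(SAMPLE_LOG):
        print(f"{name}: {cause} -> {explain_cause(cause)}")
```

The distinction the last function draws is the practical one: an unsigned test file under an appraise_type=imasig rule is the expected outcome Mimi describes, while a signed file that fails verification is the case worth investigating.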