ima: fail signature verification based on policy (9e67028e) · Commits · e / devices / android_kernel_fairphone_FP4

Documentation/admin-guide/kernel-parameters.txt

+7 −1

Original line number	Diff line number	Diff line
		@@ -1525,7 +1525,8 @@

		ima_policy= [IMA]
		The builtin policies to load during IMA setup.
		Format: "tcb \| appraise_tcb \| secure_boot"
		Format: "tcb \| appraise_tcb \| secure_boot \|
		fail_securely"

		The "tcb" policy measures all programs exec'd, files
		mmap'd for exec, and all files opened with the read
		@@ -1540,6 +1541,11 @@
		of files (eg. kexec kernel image, kernel modules,
		firmware, policy, etc) based on file signatures.

		The "fail_securely" policy forces file signature
		verification failure also on privileged mounted
		filesystems with the SB_I_UNVERIFIABLE_SIGNATURE
		flag.

		ima_tcb [IMA] Deprecated. Use ima_policy= instead.
		Load a policy which meets the needs of the Trusted
		Computing Base. This means IMA will measure all

+6 −5

Original line number	Diff line number	Diff line
		@@ -304,12 +304,13 @@ int ima_appraise_measurement(enum ima_hooks func,
		out:
		/*
		* File signatures on some filesystems can not be properly verified.
		* On these filesytems, that are mounted by an untrusted mounter,
		* fail the file signature verification.
		* When such filesystems are mounted by an untrusted mounter or on a
		* system not willing to accept such a risk, fail the file signature
		* verification.
		*/
		if ((inode->i_sb->s_iflags &
		(SB_I_IMA_UNVERIFIABLE_SIGNATURE \| SB_I_UNTRUSTED_MOUNTER)) ==
		(SB_I_IMA_UNVERIFIABLE_SIGNATURE \| SB_I_UNTRUSTED_MOUNTER)) {
		if ((inode->i_sb->s_iflags & SB_I_IMA_UNVERIFIABLE_SIGNATURE) &&
		((inode->i_sb->s_iflags & SB_I_UNTRUSTED_MOUNTER) \|\|
		(iint->flags & IMA_FAIL_UNVERIFIABLE_SIGS))) {
		status = INTEGRITY_FAIL;
		cause = "unverifiable-signature";
		integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename,

+2 −1

Original line number	Diff line number	Diff line
		@@ -238,7 +238,8 @@ static int process_measurement(struct file file, const struct cred cred,
		*/
		if (test_and_clear_bit(IMA_CHANGE_XATTR, &iint->atomic_flags) \|\|
		((inode->i_sb->s_iflags & SB_I_IMA_UNVERIFIABLE_SIGNATURE) &&
		!(inode->i_sb->s_iflags & SB_I_UNTRUSTED_MOUNTER))) {
		!(inode->i_sb->s_iflags & SB_I_UNTRUSTED_MOUNTER) &&
		!(action & IMA_FAIL_UNVERIFIABLE_SIGS))) {
		iint->flags &= ~IMA_DONE_MASK;
		iint->measured_pcrs = 0;
		}

+5 −0

Original line number	Diff line number	Diff line
		@@ -188,6 +188,7 @@ __setup("ima_tcb", default_measure_policy_setup);

		static bool ima_use_appraise_tcb __initdata;
		static bool ima_use_secure_boot __initdata;
		static bool ima_fail_unverifiable_sigs __ro_after_init;
		static int __init policy_setup(char *str)
		{
		char *p;
		@@ -201,6 +202,8 @@ static int __init policy_setup(char *str)
		ima_use_appraise_tcb = true;
		else if (strcmp(p, "secure_boot") == 0)
		ima_use_secure_boot = true;
		else if (strcmp(p, "fail_securely") == 0)
		ima_fail_unverifiable_sigs = true;
		}

		return 1;
		@@ -390,6 +393,8 @@ int ima_match_policy(struct inode inode, const struct cred cred, u32 secid,
		if (entry->action & IMA_APPRAISE) {
		action \|= get_subaction(entry, func);
		action &= ~IMA_HASH;
		if (ima_fail_unverifiable_sigs)
		action \|= IMA_FAIL_UNVERIFIABLE_SIGS;
		}

		if (entry->action & IMA_DO_MASK)

+1 −0

Original line number	Diff line number	Diff line
		@@ -35,6 +35,7 @@
		#define IMA_PERMIT_DIRECTIO 0x02000000
		#define IMA_NEW_FILE 0x04000000
		#define EVM_IMMUTABLE_DIGSIG 0x08000000
		#define IMA_FAIL_UNVERIFIABLE_SIGS 0x10000000

		#define IMA_DO_MASK (IMA_MEASURE \| IMA_APPRAISE \| IMA_AUDIT \| \
		IMA_HASH \| IMA_APPRAISE_SUBMASK)