Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit ef96837b authored by Mimi Zohar's avatar Mimi Zohar Committed by James Morris
Browse files

ima: add build time policy 



IMA by default does not measure, appraise or audit files, but can be
enabled at runtime by specifying a builtin policy on the boot command line
or by loading a custom policy.

This patch defines a build time policy, which verifies kernel modules,
firmware, kexec image, and/or the IMA policy signatures.  This build time
policy is automatically enabled at runtime and persists after loading a
custom policy.

Signed-off-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
Reviewed-by: default avatarKees Cook <keescook@chromium.org>
Signed-off-by: default avatarJames Morris <james.morris@microsoft.com>
parent fed2512a

security/integrity/ima/Kconfig

+58 −0
Original line number Diff line number Diff line
@@ -156,6 +156,64 @@ config IMA_APPRAISE 
	  <http://linux-ima.sourceforge.net>

	  If unsure, say N.



config IMA_APPRAISE_BUILD_POLICY

	bool "IMA build time configured policy rules"

	depends on IMA_APPRAISE && INTEGRITY_ASYMMETRIC_KEYS

	default n

	help

	  This option defines an IMA appraisal policy at build time, which

	  is enforced at run time without having to specify a builtin

	  policy name on the boot command line.  The build time appraisal

	  policy rules persist after loading a custom policy.



	  Depending on the rules configured, this policy may require kernel

	  modules, firmware, the kexec kernel image, and/or the IMA policy

	  to be signed.  Unsigned files might prevent the system from

	  booting or applications from working properly.



config IMA_APPRAISE_REQUIRE_FIRMWARE_SIGS

	bool "Appraise firmware signatures"

	depends on IMA_APPRAISE_BUILD_POLICY

	default n

	help

	  This option defines a policy requiring all firmware to be signed,

	  including the regulatory.db.  If both this option and

	  CFG80211_REQUIRE_SIGNED_REGDB are enabled, then both signature

	  verification methods are necessary.



config IMA_APPRAISE_REQUIRE_KEXEC_SIGS

	bool "Appraise kexec kernel image signatures"

	depends on IMA_APPRAISE_BUILD_POLICY

	default n

	help

	  Enabling this rule will require all kexec'ed kernel images to

	  be signed and verified by a public key on the trusted IMA

	  keyring.



	  Kernel image signatures can not be verified by the original

	  kexec_load syscall.  Enabling this rule will prevent its

	  usage.



config IMA_APPRAISE_REQUIRE_MODULE_SIGS

	bool "Appraise kernel modules signatures"

	depends on IMA_APPRAISE_BUILD_POLICY

	default n

	help

	  Enabling this rule will require all kernel modules to be signed

	  and verified by a public key on the trusted IMA keyring.



	  Kernel module signatures can only be verified by IMA-appraisal,

	  via the finit_module syscall. Enabling this rule will prevent

	  the usage of the init_module syscall.



config IMA_APPRAISE_REQUIRE_POLICY_SIGS

	bool "Appraise IMA policy signature"

	depends on IMA_APPRAISE_BUILD_POLICY

	default n

	help

	  Enabling this rule will require the IMA policy to be signed and

	  and verified by a key on the trusted IMA keyring.



config IMA_APPRAISE_BOOTPARAM

	bool "ima_appraise boot parameter"

	depends on IMA_APPRAISE

security/integrity/ima/ima_policy.c

+43 −3
Original line number Diff line number Diff line
@@ -49,6 +49,7 @@ 


int ima_policy_flag;

static int temp_ima_appraise;

static int build_ima_appraise __ro_after_init;



#define MAX_LSM_RULES 6

enum lsm_rule_types { LSM_OBJ_USER, LSM_OBJ_ROLE, LSM_OBJ_TYPE,
@@ -162,6 +163,25 @@ static struct ima_rule_entry default_appraise_rules[] __ro_after_init = { 
#endif

};



static struct ima_rule_entry build_appraise_rules[] __ro_after_init = {

#ifdef CONFIG_IMA_APPRAISE_REQUIRE_MODULE_SIGS

	{.action = APPRAISE, .func = MODULE_CHECK,

	 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},

#endif

#ifdef CONFIG_IMA_APPRAISE_REQUIRE_FIRMWARE_SIGS

	{.action = APPRAISE, .func = FIRMWARE_CHECK,

	 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},

#endif

#ifdef CONFIG_IMA_APPRAISE_REQUIRE_KEXEC_SIGS

	{.action = APPRAISE, .func = KEXEC_KERNEL_CHECK,

	 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},

#endif

#ifdef CONFIG_IMA_APPRAISE_REQUIRE_POLICY_SIGS

	{.action = APPRAISE, .func = POLICY_CHECK,

	 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},

#endif

};



static struct ima_rule_entry secure_boot_rules[] __ro_after_init = {

	{.action = APPRAISE, .func = MODULE_CHECK,

	 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
@@ -435,7 +455,7 @@ void ima_update_policy_flag(void) 
			ima_policy_flag |= entry->action;

	}



	ima_appraise |= temp_ima_appraise;

	ima_appraise |= (build_ima_appraise | temp_ima_appraise);

	if (!ima_appraise)

		ima_policy_flag &= ~IMA_APPRAISE;

}
@@ -488,8 +508,8 @@ void __init ima_init_policy(void) 
	}



	/*

	 * Insert the appraise rules requiring file signatures, prior to

	 * any other appraise rules.

	 * Insert the builtin "secure_boot" policy rules requiring file

	 * signatures, prior to any other appraise rules.

	 */

	for (i = 0; i < secure_boot_entries; i++) {

		list_add_tail(&secure_boot_rules[i].list, &ima_default_rules);
@@ -497,6 +517,26 @@ void __init ima_init_policy(void) 
		    ima_appraise_flag(secure_boot_rules[i].func);

	}



	/*

	 * Insert the build time appraise rules requiring file signatures

	 * for both the initial and custom policies, prior to other appraise

	 * rules.

	 */

	for (i = 0; i < ARRAY_SIZE(build_appraise_rules); i++) {

		struct ima_rule_entry *entry;



		if (!secure_boot_entries)

			list_add_tail(&build_appraise_rules[i].list,

				      &ima_default_rules);



		entry = kmemdup(&build_appraise_rules[i], sizeof(*entry),

				GFP_KERNEL);

		if (entry)

			list_add_tail(&entry->list, &ima_policy_rules);

		build_ima_appraise |=

			ima_appraise_flag(build_appraise_rules[i].func);

	}



	for (i = 0; i < appraise_entries; i++) {

		list_add_tail(&default_appraise_rules[i].list,

			      &ima_default_rules);