user/sven/linux.git/include/linux/ima.h, branch v5.0.16

x86/ima: retry detecting secure boot mode

2018-12-11T12:19:45Z

The secure boot mode may not be detected on boot for some reason (eg. buggy firmware). This patch attempts one more time to detect the secure boot mode. Signed-off-by: Mimi Zohar

x86/ima: define arch_get_ima_policy() for x86

2018-12-11T12:13:41Z

On x86, there are two methods of verifying a kexec'ed kernel image signature being loaded via the kexec_file_load syscall - an architecture specific implementaton or a IMA KEXEC_KERNEL_CHECK appraisal rule. Neither of these methods verify the kexec'ed kernel image signature being loaded via the kexec_load syscall. Secure boot enabled systems require kexec images to be signed. Therefore, this patch loads an IMA KEXEC_KERNEL_CHECK policy rule on secure boot enabled systems not configured with CONFIG_KEXEC_VERIFY_SIG enabled. When IMA_APPRAISE_BOOTPARAM is configured, different IMA appraise modes (eg. fix, log) can be specified on the boot command line, allowing unsigned or invalidly signed kernel images to be kexec'ed. This patch permits enabling IMA_APPRAISE_BOOTPARAM or IMA_ARCH_POLICY, but not both. Signed-off-by: Eric Richter Signed-off-by: Nayna Jain Cc: David Howells Cc: Eric Biederman Cc: Peter Jones Cc: Vivek Goyal Cc: Dave Young Signed-off-by: Mimi Zohar

ima: add support for arch specific policies

2018-12-11T12:13:40Z

Builtin IMA policies can be enabled on the boot command line, and replaced with a custom policy, normally during early boot in the initramfs. Build time IMA policy rules were recently added. These rules are automatically enabled on boot and persist after loading a custom policy. There is a need for yet another type of policy, an architecture specific policy, which is derived at runtime during kernel boot, based on the runtime secure boot flags. Like the build time policy rules, these rules persist after loading a custom policy. This patch adds support for loading an architecture specific IMA policy. Signed-off-by: Nayna Jain Co-Developed-by: Mimi Zohar Signed-off-by: Mimi Zohar

x86/ima: define arch_ima_get_secureboot

2018-11-13T12:38:45Z

Distros are concerned about totally disabling the kexec_load syscall. As a compromise, the kexec_load syscall will only be disabled when CONFIG_KEXEC_VERIFY_SIG is configured and the system is booted with secureboot enabled. This patch defines the new arch specific function called arch_ima_get_secureboot() to retrieve the secureboot state of the system. Signed-off-by: Nayna Jain Suggested-by: Seth Forshee Cc: David Howells Cc: Eric Biederman Cc: Peter Jones Cc: Vivek Goyal Cc: Dave Young Signed-off-by: Mimi Zohar

Merge branch 'next-general' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security

2018-08-15T17:25:26Z

Pull security subsystem updates from James Morris: - kstrdup() return value fix from Eric Biggers - Add new security_load_data hook to differentiate security checking of kernel-loaded binaries in the case of there being no associated file descriptor, from Mimi Zohar. - Add ability to IMA to specify a policy at build-time, rather than just via command line params or by loading a custom policy, from Mimi. - Allow IMA and LSMs to prevent sysfs firmware load fallback (e.g. if using signed firmware), from Mimi. - Allow IMA to deny loading of kexec kernel images, as they cannot be measured by IMA, from Mimi. * 'next-general' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: security: check for kstrdup() failure in lsm_append() security: export security_kernel_load_data function ima: based on policy warn about loading firmware (pre-allocated buffer) module: replace the existing LSM hook in init_module ima: add build time policy ima: based on policy require signed firmware (sysfs fallback) firmware: add call to LSM hook before firmware sysfs fallback ima: based on policy require signed kexec kernel images kexec: add call to LSM hook in original kexec_load syscall security: define new LSM hook named security_kernel_load_data MAINTAINERS: remove the outdated "LINUX SECURITY MODULE (LSM) FRAMEWORK" entry

ima: based on policy require signed kexec kernel images

2018-07-16T19:31:57Z

The original kexec_load syscall can not verify file signatures, nor can the kexec image be measured. Based on policy, deny the kexec_load syscall. Signed-off-by: Mimi Zohar Cc: Eric Biederman Cc: Kees Cook Reviewed-by: Kees Cook Signed-off-by: James Morris

IMA: don't propagate opened through the entire thing

2018-07-12T14:04:19Z

just check ->f_mode in ima_appraise_measurement() Acked-by: Linus Torvalds Signed-off-by: Al Viro

ima: define is_ima_appraise_enabled()

2017-06-21T18:37:12Z

Only return enabled if in enforcing mode, not fix or log modes. Signed-off-by: Mimi Zohar Changes: - Define is_ima_appraise_enabled() as a bool (Thiago Bauermann)

ima: on soft reboot, save the measurement list

2016-12-20T17:48:44Z

The TPM PCRs are only reset on a hard reboot. In order to validate a TPM's quote after a soft reboot (eg. kexec -e), the IMA measurement list of the running kernel must be saved and restored on boot. This patch uses the kexec buffer passing mechanism to pass the serialized IMA binary_runtime_measurements to the next kernel. Link: http://lkml.kernel.org/r/1480554346-29071-7-git-send-email-zohar@linux.vnet.ibm.com Signed-off-by: Thiago Jung Bauermann Signed-off-by: Mimi Zohar Acked-by: "Eric W. Biederman" Acked-by: Dmitry Kasatkin Cc: Andreas Steffen Cc: Josh Sklar Cc: Dave Young Cc: Vivek Goyal Cc: Baoquan He Cc: Michael Ellerman Cc: Benjamin Herrenschmidt Cc: Paul Mackerras Cc: Stewart Smith Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds

ima: add support for creating files using the mknodat syscall

2016-05-01T13:23:52Z

Commit 3034a14 "ima: pass 'opened' flag to identify newly created files" stopped identifying empty files as new files. However new empty files can be created using the mknodat syscall. On systems with IMA-appraisal enabled, these empty files are not labeled with security.ima extended attributes properly, preventing them from subsequently being opened in order to write the file data contents. This patch defines a new hook named ima_post_path_mknod() to mark these empty files, created using mknodat, as new in order to allow the file data contents to be written. In addition, files with security.ima xattrs containing a file signature are considered "immutable" and can not be modified. The file contents need to be written, before signing the file. This patch relaxes this requirement for new files, allowing the file signature to be written before the file contents. Changelog: - defer identifying files with signatures stored as security.ima (based on Dmitry Rozhkov's comments) - removing tests (eg. dentry, dentry->d_inode, inode->i_size == 0) (based on Al's review) Signed-off-by: Mimi Zohar Cc: Al Viro < Tested-by: Dmitry Rozhkov