
IMA: define a builtin critical data measurement policy

Define a new critical data builtin policy to allow measuring
early kernel integrity critical data before a custom IMA policy
is loaded.

Update the documentation on kernel parameters to document
the new critical data builtin policy.

Signed-off-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
Reviewed-by: Tyler Hicks <tyhicks@linux.microsoft.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Lakshmi Ramasubramanian 2021-01-07 20:07:07 -08:00 committed by Mimi Zohar
parent 9f5d7d23cc
commit 03cee16836
2 changed files with 16 additions and 1 deletions


@ -1746,7 +1746,7 @@
ima_policy= [IMA] ima_policy= [IMA]
The builtin policies to load during IMA setup. The builtin policies to load during IMA setup.
Format: "tcb | appraise_tcb | secure_boot | Format: "tcb | appraise_tcb | secure_boot |
fail_securely" fail_securely | critical_data"
The "tcb" policy measures all programs exec'd, files The "tcb" policy measures all programs exec'd, files
mmap'd for exec, and all files opened with the read mmap'd for exec, and all files opened with the read
@ -1765,6 +1765,9 @@
filesystems with the SB_I_UNVERIFIABLE_SIGNATURE filesystems with the SB_I_UNVERIFIABLE_SIGNATURE
flag. flag.
The "critical_data" policy measures kernel integrity
critical data.
ima_tcb [IMA] Deprecated. Use ima_policy= instead. ima_tcb [IMA] Deprecated. Use ima_policy= instead.
Load a policy which meets the needs of the Trusted Load a policy which meets the needs of the Trusted
Computing Base. This means IMA will measure all Computing Base. This means IMA will measure all


@ -206,6 +206,10 @@ static struct ima_rule_entry secure_boot_rules[] __ro_after_init = {
.flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
}; };
static struct ima_rule_entry critical_data_rules[] __ro_after_init = {
{.action = MEASURE, .func = CRITICAL_DATA, .flags = IMA_FUNC},
};
/* An array of architecture specific rules */ /* An array of architecture specific rules */
static struct ima_rule_entry *arch_policy_entry __ro_after_init; static struct ima_rule_entry *arch_policy_entry __ro_after_init;
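Review bot: The new `critical_data_rules` table has no comment stating its scope, and its single entry carries only `IMA_FUNC` with `.func = CRITICAL_DATA`, so it matches every critical-data measurement request rather than any particular source. A one-line comment above the array, `/* Builtin rule: measure all kernel integrity critical data, every source, with no further qualifier */`, would make that breadth explicit to whoever later narrows the policy; the `arch_policy_entry` declaration right below already carries a comment in that style. Whether these builtin rules are superseded once a custom policy is loaded is stated in the commit description rather than visible in this hunk, so the comment should not assert it. The same rule table is consumed in the `ima_init_policy` hunk at the end of this section, where the `if (ima_use_critical_data)` block adds it with `IMA_DEFAULT_POLICY`.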
@ -228,6 +232,7 @@ __setup("ima_tcb", default_measure_policy_setup);
static bool ima_use_appraise_tcb __initdata; static bool ima_use_appraise_tcb __initdata;
static bool ima_use_secure_boot __initdata; static bool ima_use_secure_boot __initdata;
static bool ima_use_critical_data __initdata;
static bool ima_fail_unverifiable_sigs __ro_after_init; static bool ima_fail_unverifiable_sigs __ro_after_init;
static int __init policy_setup(char *str) static int __init policy_setup(char *str)
{ {
@ -242,6 +247,8 @@ static int __init policy_setup(char *str)
ima_use_appraise_tcb = true; ima_use_appraise_tcb = true;
else if (strcmp(p, "secure_boot") == 0) else if (strcmp(p, "secure_boot") == 0)
ima_use_secure_boot = true; ima_use_secure_boot = true;
else if (strcmp(p, "critical_data") == 0)
ima_use_critical_data = true;
else if (strcmp(p, "fail_securely") == 0) else if (strcmp(p, "fail_securely") == 0)
ima_fail_unverifiable_sigs = true; ima_fail_unverifiable_sigs = true;
else else
@ -871,6 +878,11 @@ void __init ima_init_policy(void)
ARRAY_SIZE(default_appraise_rules), ARRAY_SIZE(default_appraise_rules),
IMA_DEFAULT_POLICY); IMA_DEFAULT_POLICY);
if (ima_use_critical_data)
add_rules(critical_data_rules,
ARRAY_SIZE(critical_data_rules),
IMA_DEFAULT_POLICY);
ima_update_policy_flag(); ima_update_policy_flag();
} }