Hi Mimi,
On 2020-07-28 11:48 a.m., Mimi Zohar wrote:
On Mon, 2020-07-27 at 12:18 -0700, Scott Branden wrote:
Hi Mimi/Kees,
On 2020-07-27 4:16 a.m., Mimi Zohar wrote:
On Fri, 2020-07-24 at 14:36 -0700, Kees Cook wrote:
v3:
- add reviews/acks
- add "IMA: Add support for file reads without contents" patch
- trim CC list, in case that's why vger ignored v2
v2: [missing from lkml archives! (CC list too long?) repeating changes here]
- fix issues in firmware test suite
- add firmware partial read patches
- various bug fixes/cleanups
v1:
https://lore.kernel.org/lkml/20200717174309.1164575-1-keescook@chromium.org/
Hi,
Here's my tree for adding partial read support in kernel_read_file(), which fixes a number of issues along the way. It's got Scott's firmware and IMA patches ported and everything tests cleanly for me (even with CONFIG_IMA_APPRAISE=y).
Thanks, Kees. Other than my comments on the new security_kernel_post_load_data() hook, the patch set is really nice.
In addition to compiling with CONFIG_IMA_APPRAISE enabled, have you booted the kernel with the ima_policy=tcb? The tcb policy will add measurements to the IMA measurement list and extend the TPM with the file or buffer data digest. Are you seeing the firmware measurements, in particular the partial read measurement?
I booted the kernel with ima_policy=tcb.
Unfortunately after enabling the following, fw_run_tests.sh does not run.
mkdir /sys/kernel/security
mount -t securityfs securityfs /sys/kernel/security
echo "measure func=FIRMWARE_CHECK" > /sys/kernel/security/ima/policy
echo "appraise func=FIRMWARE_CHECK appraise_type=imasig" > /sys/kernel/security/ima/policy
./fw_run_tests.sh

[ 1296.258052] test_firmware: loading 'test-firmware.bin'
[ 1296.263903] misc test_firmware: loading /lib/firmware/test-firmware.bin failed with error -13
[ 1296.263905] audit: type=1800 audit(1595905754.266:9): pid=5696 uid=0 auid=4294967295 ses=4294967295 subj=kernel op=appraise_data cause=IMA-signature-required comm="fw_namespace" name="/lib/firmware/test-firmware.bin" dev="tmpfs" ino=4592 res=0
[ 1296.297085] misc test_firmware: Direct firmware load for test-firmware.bin failed with error -13
[ 1296.305947] test_firmware: load of 'test-firmware.bin' failed: -13
The "appraise" rule verifies the IMA signature. Unless you signed the firmware (evmctl) and load the public key on the IMA keyring, that's to be expected. I assume you are seeing firmware measurements in the IMA measurement log.
Yes, I see the firmware measurements in the IMA measurement log. I have not signed the firmware nor loaded a public key on the IMA keyring. Therefore everything is working as expected.
Mimi
Thanks, Scott
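The audit record in Scott's dmesg output (type=1800, op=appraise_data, cause=IMA-signature-required, res=0) is exactly what an operator should be watching for when an appraise rule is enforced: it names the file that was refused, why, and which process asked for it. The following is an added example, not code from the thread or from the kernel tree: a small Python parser that pulls these integrity records out of dmesg-style text and separates refused loads from successful ones. The input is constructed; it reuses the lines quoted above and adds two invented records (one with cause=missing-hash and one with res=1) purely to exercise the filter. The numeric type 1800 is AUDIT_INTEGRITY_DATA; res=0 marks a failed appraisal and res=1 a successful one.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample input (not captured from a real system): the dmesg lines
# quoted in the thread, plus two extra audit records invented for this example:
# one failure with a different cause and one record with res=1.
SAMPLE_DMESG = """\
[ 1296.258052] test_firmware: loading 'test-firmware.bin'
[ 1296.263903] misc test_firmware: loading /lib/firmware/test-firmware.bin failed with error -13
[ 1296.263905] audit: type=1800 audit(1595905754.266:9): pid=5696 uid=0 auid=4294967295 ses=4294967295 subj=kernel op=appraise_data cause=IMA-signature-required comm="fw_namespace" name="/lib/firmware/test-firmware.bin" dev="tmpfs" ino=4592 res=0
[ 1296.297085] misc test_firmware: Direct firmware load for test-firmware.bin failed with error -13
[ 1296.305947] test_firmware: load of 'test-firmware.bin' failed: -13
[ 1310.100000] audit: type=1800 audit(1595905768.100:10): pid=5710 uid=0 auid=4294967295 ses=4294967295 subj=kernel op=appraise_data cause=missing-hash comm="fw_namespace" name="/lib/firmware/other.bin" dev="tmpfs" ino=4601 res=0
[ 1320.200000] audit: type=1800 audit(1595905778.200:11): pid=5720 uid=0 auid=4294967295 ses=4294967295 subj=kernel op=appraise_data cause=constructed-pass comm="fw_namespace" name="/lib/firmware/signed.bin" dev="tmpfs" ino=4602 res=1
"""

# Audit record type used for IMA/EVM integrity events.
AUDIT_INTEGRITY_DATA = 1800

# "audit: type=NNNN audit(SECONDS.MILLIS:SERIAL): key=value ..."
AUDIT_RE = re.compile(
    r"audit: type=(?P<type>\d+) audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<fields>.*)$"
)
# key=value pairs; values are either double-quoted (may contain spaces) or bare.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class IntegrityRecord:
    timestamp: float
    serial: int
    op: str
    cause: str
    comm: str
    name: str
    res: int

    @property
    def failed(self) -> bool:
        # IMA logs res=0 when the appraisal failed and res=1 when it passed.
        return self.res == 0


def parse_integrity_records(text: str) -> List[IntegrityRecord]:
    """Extract every type=1800 audit record from dmesg-style text."""
    records: List[IntegrityRecord] = []
    for line in text.splitlines():
        m = AUDIT_RE.search(line)
        if not m or int(m.group("type")) != AUDIT_INTEGRITY_DATA:
            continue
        fields: Dict[str, str] = {}
        for key, quoted, bare in FIELD_RE.findall(m.group("fields")):
            # findall yields ("key", quoted_value, "") or ("key", "", bare_value)
            fields[key] = bare if bare else quoted
        records.append(IntegrityRecord(
            timestamp=float(m.group("ts")),
            serial=int(m.group("serial")),
            op=fields.get("op", ""),
            cause=fields.get("cause", ""),
            comm=fields.get("comm", ""),
            name=fields.get("name", ""),
            res=int(fields.get("res", "0")),
        ))
    return records


def appraisal_failures(text: str) -> List[IntegrityRecord]:
    """Records where IMA refused the data: op=appraise_data with res=0."""
    return [r for r in parse_integrity_records(text)
            if r.op == "appraise_data" and r.failed]


def failures_by_cause(text: str) -> Dict[str, int]:
    """Count refused loads per IMA cause string (e.g. IMA-signature-required)."""
    counts: Dict[str, int] = {}
    for r in appraisal_failures(text):
        counts[r.cause] = counts.get(r.cause, 0) + 1
    return counts


if __name__ == "__main__":
    for r in appraisal_failures(SAMPLE_DMESG):
        print(f"{r.timestamp:.3f} serial={r.serial} {r.name} refused: "
              f"{r.cause} (comm={r.comm})")
    print(failures_by_cause(SAMPLE_DMESG))
```

Run against a real `dmesg` or `journalctl -k` dump, the cause histogram quickly tells a reviewer whether refused firmware loads are the expected result of an unsigned test blob under an imasig appraise rule, as in the thread, or something that needs a closer look.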