On Fri, 2020-06-05 at 16:31 -0700, Scott Branden wrote:
Hi Mimi,
On 2020-06-05 4:19 p.m., Mimi Zohar wrote:
Hi Scott,
On Fri, 2020-06-05 at 15:59 -0700, Scott Branden wrote:
@@ -648,6 +667,9 @@ int ima_post_read_file(struct file *file, void *buf, loff_t size, enum ima_hooks func; u32 secid;
- if (!file && read_id == READING_FIRMWARE_PARTIAL_READ)
return 0;The file should be measured on the pre security hook, not here on the post security hook. Here, whether "file" is defined or not, is irrelevant. The test should just check "read_id".
OK, will remove the !file from here.
thanks!
Have you tested measuring the firmware by booting a system with "ima_policy=tcb" specified on the boot command line and compared the measurement entry in the IMA measurement list with the file hash (eg. sha1sum, sha256sum)?
Yes, I enabled IMA in my kernel and added ima_policy=tsb to the boot command line,
Here are the entries from /sys/kernel/security/ima/ascii_runtime_measurements of the files I am accessing. Please let me know if I am doing anything incorrectly.
10 4612bce355b2dbc45ecd95e17001636be8832c7f ima-ng sha1:fddd9a28c2b15acf3b0fc9ec0cf187cb2153d7f2 /lib/firmware/vk-boot1-bcm958401m2.ecdsa.bin 10 4c0eb0fc30eb7ac3a30a27f05c1d2a8d28d6a9ec ima-ng sha1:b16d343dd63352d10309690c71b110762a9444c3 /lib/firmware/vk-boot2-bcm958401m2_a72.ecdsn
The sha1 sum matches: root@genericx86-64:/sys/kernel/security/ima# sha1sum /lib/firmware/vk-boot1-bcm958401m2.ecdsa.bin fddd9a28c2b15acf3b0fc9ec0cf187cb2153d7f2 /lib/firmware/vk-boot1-bcm958401m2.ecdsa.bin
root@genericx86-64:/sys/kernel/security/ima# sha1sum /lib/firmware/vk-boot2-bcm958401m2_a72.ecdsa.bin b16d343dd63352d10309690c71b110762a9444c3 /lib/firmware/vk-boot2-bcm958401m2_a72.ecdsa.bin
Looks good!
(FYI, a larger hash algorithm can be specified in the Kconfig or "ima_hash=" on the boot command line.)
Mimi