On Fri, 2020-06-05 at 16:31 -0700, Scott Branden wrote:
> Hi Mimi,
>
> On 2020-06-05 4:19 p.m., Mimi Zohar wrote:
> > Hi Scott,
> >
> > On Fri, 2020-06-05 at 15:59 -0700, Scott Branden wrote:
> >> @@ -648,6 +667,9 @@ int ima_post_read_file(struct file *file, void *buf, loff_t size,
> >> enum ima_hooks func;
> >> u32 secid;
> >>
> >> + if (!file && read_id == READING_FIRMWARE_PARTIAL_READ)
> >> + return 0;
> > The file should be measured on the pre security hook, not here on the
> > post security hook. Here, whether "file" is defined or not, is
> > irrelevant. The test should just check "read_id".
> OK, will remove the !file from here.

thanks!

> >
> > Have you tested measuring the firmware by booting a system with
> > "ima_policy=tcb" specified on the boot command line and compared the
> > measurement entry in the IMA measurement list with the file hash (eg.
> > sha1sum, sha256sum)?
> Yes, I enabled IMA in my kernel and added ima_policy=tsb to the boot
> command line,
>
> Here are the entries from
> /sys/kernel/security/ima/ascii_runtime_measurements of the files I am
> accessing.
> Please let me know if I am doing anything incorrectly.
>
> 10 4612bce355b2dbc45ecd95e17001636be8832c7f ima-ng
> sha1:fddd9a28c2b15acf3b0fc9ec0cf187cb2153d7f2
> /lib/firmware/vk-boot1-bcm958401m2.ecdsa.bin
> 10 4c0eb0fc30eb7ac3a30a27f05c1d2a8d28d6a9ec ima-ng
> sha1:b16d343dd63352d10309690c71b110762a9444c3
> /lib/firmware/vk-boot2-bcm958401m2_a72.ecdsn
>
> The sha1 sum matches:
> root@genericx86-64:/sys/kernel/security/ima# sha1sum
> /lib/firmware/vk-boot1-bcm958401m2.ecdsa.bin
> fddd9a28c2b15acf3b0fc9ec0cf187cb2153d7f2
> /lib/firmware/vk-boot1-bcm958401m2.ecdsa.bin
>
> root@genericx86-64:/sys/kernel/security/ima# sha1sum
> /lib/firmware/vk-boot2-bcm958401m2_a72.ecdsa.bin
> b16d343dd63352d10309690c71b110762a9444c3
> /lib/firmware/vk-boot2-bcm958401m2_a72.ecdsa.bin

Looks good! (FYI, a larger hash algorithm can be specified in the Kconfig or "ima_hash=" on the boot command line.)

Mimi
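Review bot: in the quoted ima_post_read_file() hunk, the `!file &&` half of the new condition is dead weight on the post-read hook, since the early `return 0` is taken for a READING_FIRMWARE_PARTIAL_READ regardless of whether a struct file was passed; check `read_id == READING_FIRMWARE_PARTIAL_READ` alone, and make sure the matching pre-read hook performs the measurement for that read_id, because after this early return nothing on the post-read path records the partial read, so an unmeasured partial read would otherwise be reported to the caller as success.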
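As an added example (not code from this thread or from the IMA patch), a small Python checker that automates the comparison Mimi asks for: it parses ima-ng entries as printed in ascii_runtime_measurements, recomputes each file's digest with the algorithm the entry names, and reports match, mismatch or missing per path. The test tree, file names and measurement lines in demo() are constructed, not real firmware or real kernel output.

```python
import hashlib
import os
import tempfile

def parse_ima_ng_entry(line):
    # ima-ng template line: <pcr> <template-hash> ima-ng <algo>:<hex-digest> <path>
    fields = line.split(None, 4)
    if len(fields) != 5 or fields[2] != "ima-ng" or ":" not in fields[3]:
        return None
    algo, _, digest = fields[3].partition(":")
    return {"pcr": int(fields[0]), "algo": algo, "digest": digest.lower(), "path": fields[4]}

def file_digest(path, algo):
    # The digest sha1sum/sha256sum would print, using the algorithm the entry names.
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_measurements(lines, root="/"):
    # Map each measured path to 'match', 'mismatch', 'missing' or 'unparsed'.
    # root lets the check run against a test tree or a mounted copy of the filesystem.
    results = {}
    for line in (l.strip() for l in lines if l.strip()):
        entry = parse_ima_ng_entry(line)
        if entry is None:
            results[line] = "unparsed"
            continue
        full = os.path.join(root, entry["path"].lstrip("/"))
        if not os.path.isfile(full):
            results[entry["path"]] = "missing"
            continue
        actual = file_digest(full, entry["algo"])
        results[entry["path"]] = "match" if actual == entry["digest"] else "mismatch"
    return results

def demo():
    # Constructed test tree and entries, not real firmware or real kernel output.
    root = tempfile.mkdtemp()
    fwdir = os.path.join(root, "lib/firmware")
    os.makedirs(fwdir)
    for name, body in (("boot1.bin", b"constructed image one\n"), ("boot2.bin", b"constructed image two\n")):
        with open(os.path.join(fwdir, name), "wb") as f:
            f.write(body)
    good = file_digest(os.path.join(fwdir, "boot1.bin"), "sha1")
    lines = [
        f"10 {'0' * 40} ima-ng sha1:{good} /lib/firmware/boot1.bin",         # unchanged since measurement
        f"10 {'0' * 40} ima-ng sha256:{'ab' * 32} /lib/firmware/boot2.bin",  # content differs from the entry
        f"10 {'0' * 40} ima-ng sha1:{good} /lib/firmware/boot3.bin",         # measured file no longer present
    ]
    return verify_measurements(lines, root)
```

On a live system, pass the lines of /sys/kernel/security/ima/ascii_runtime_measurements to verify_measurements() with the default root; the template hash in the second column is not checked here, only the per-file digest.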