On Wed, 2024-02-14 at 15:35 +0100, Roberto Sassu wrote:
> From: Roberto Sassu <roberto.sassu@xxxxxxxxxx>
>
> Specify the 'digest_cache_measure' boot-time policy with 'ima_policy=' in
> the kernel command line

The 'built-in' policies may be specified on the boot command line. Please
update the Subject line to use the term "built-in", as well as here.

> to add the following rule at the beginning of the
> IMA policy, before other rules:

Comments below...

>
> measure func=DIGEST_LIST_CHECK pcr=12
>
> which will measure digest lists into PCR 12 (or the value in
> CONFIG_IMA_DIGEST_CACHE_MEASURE_PCR_IDX).
>
> 'digest_cache_measure' also adds 'digest_cache=content pcr=12' to the other
> measure rules, if they have a compatible IMA hook. The PCR value still
> comes from CONFIG_IMA_DIGEST_CACHE_MEASURE_PCR_IDX.
>
> Specify 'digest_cache_appraise' to add the following rule at the beginning,
> before other rules:
>
> appraise func=DIGEST_LIST_CHECK appraise_type=imasig|modsig
>
> which will appraise digest lists with IMA signatures or module-style
> appended signatures.
>
> 'digest_cache_appraise' also adds 'digest_cache=content' to the other
> appraise rules, if they have a compatible IMA hook.
>
> Signed-off-by: Roberto Sassu <roberto.sassu@xxxxxxxxxx>
> ---
> .../admin-guide/kernel-parameters.txt | 15 ++++++-
> security/integrity/ima/Kconfig | 10 +++++
> security/integrity/ima/ima_policy.c | 45 +++++++++++++++++++
> 3 files changed, 69 insertions(+), 1 deletion(-)

[...]
> @@ -971,6 +1006,16 @@ void __init ima_init_policy(void) > { > int build_appraise_entries, arch_entries; > > + /* > + * We need to load digest cache rules at the beginning, to avoid dont_ > + * rules causing ours to not be reached. > + */

"lockdown" trusts IMA to measure and appraise kernel modules, if the rule exists. Placing the digest_cache first breaks this trust.

From a trusted and secure boot perspective, the architecture specific policy rules should not be ignored. Putting the digest_cache before any other rules will limit others from being able to use digest_cache.

Instead of putting the digest_cache_{measure,appraise} built-in policies first, skip loading the dont_measure_rules.

Mimi

> + if (ima_digest_cache_measure) > + add_rules(&measure_digest_cache_rule, 1, IMA_DEFAULT_POLICY); > + > + if (ima_digest_cache_appraise) > + add_rules(&appraise_digest_cache_rule, 1, IMA_DEFAULT_POLICY); > + > /* if !ima_policy, we load NO default rules */ > if (ima_policy) > add_rules(dont_measure_rules, ARRAY_SIZE(dont_measure_rules),
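Review bot: the new comment in this hunk ("to avoid dont_ rules causing ours to not be reached") gives an incomplete rationale for front-loading the rules, and the two add_rules() calls it justifies are placed above the `/* if !ima_policy, we load NO default rules */` guard, so they are added regardless of that check and ahead of every rule loaded later in ima_init_policy(), including whatever the arch_entries and build_appraise_entries paths contribute. The comment should name the specific dont_measure/dont_appraise entries that would shadow func=DIGEST_LIST_CHECK, and state explicitly that the rules are meant to bypass the ima_policy guard if that is intended. Given the ordering concern raised above, the lower-risk change is to leave the digest cache rules in their natural position and, when ima_digest_cache_measure or ima_digest_cache_appraise is set, skip only the conflicting dont_measure_rules entries, so that lockdown's and the architecture-specific rules keep their precedence; the comment should then explain that exclusion rather than the reordering.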