On Fri, 2017-11-10 at 11:38 +0000, David Howells wrote:
> Hi Mimi,
>
> I need to add a statement about the IMA secure_boot rules to the
> kernel_lockdown manual page. Is this enough:
>
> IMA requires the addition of the "secure_boot" rules to the policy,
> whether or not they are specified on the command line, for both the
> builtin and custom policies in secure boot lockdown mode.

Please add: This initially enforces that kernel modules, firmware, the
kernel kexec image, and the IMA policy itself are signed.

> I don't know what this actually does/achieves.

Like other policies (e.g. tcb, appraise_tcb) the "secure_boot" policy can
be specified on the boot command line (e.g.
ima_policy="secure_boot|tcb|appraise_tcb").

Currently the builtin "secure_boot" policy is defined as:

static struct ima_rule_entry secure_boot_rules[] __ro_after_init = {
	{.action = APPRAISE, .func = MODULE_CHECK,
	 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
	{.action = APPRAISE, .func = FIRMWARE_CHECK,
	 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
	{.action = APPRAISE, .func = KEXEC_KERNEL_CHECK,
	 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
	{.action = APPRAISE, .func = POLICY_CHECK,
	 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
};

These policies can be replaced at runtime with a custom policy.
"lockdown" mode includes these rules in the custom policy, before any of
the custom rules.

On a system with "CONFIG_IMA_READ_POLICY" enabled and commit 2068626d1345
"ima: don't remove the securityfs policy file" in James' next-testing
branch, the current policy can be seen by cat'ing <securityfs>/ima/policy.

Mimi
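A check for the policy file described above, added here as an example (it is not code from the thread or from the kernel): it reads a dump in the form that cat'ing <securityfs>/ima/policy gives and verifies that the four secure_boot rules are present and come before any custom rule. It assumes each such rule is printed as one line of the form "appraise func=<HOOK> appraise_type=imasig", and the sample dumps it builds for its self-check are constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example, not from the thread: check an IMA policy dump (what cat'ing
# <securityfs>/ima/policy prints) for the builtin secure_boot rules. Assumed
# line format for each rule: "appraise func=<HOOK> appraise_type=imasig".

# Hooks covered by secure_boot_rules[], in table order.
SECURE_BOOT_HOOKS="MODULE_CHECK FIRMWARE_CHECK KEXEC_KERNEL_CHECK POLICY_CHECK"

# Returns 0 when FILE holds a signature-required appraise rule for every hook
# and those four rules precede all other rules (lockdown's ordering); else 1.
check_secure_boot_rules() {
	file="$1"
	for hook in $SECURE_BOOT_HOOKS; do
		if ! grep -q "^appraise func=$hook appraise_type=imasig\$" "$file"; then
			echo "missing secure_boot rule for $hook" >&2
			return 1
		fi
	done
	# Count leading lines that are secure_boot rules; stop at the first other line.
	leading=$(awk -v hooks="$SECURE_BOOT_HOOKS" '
		BEGIN { n = split(hooks, h, " ")
			for (i = 1; i <= n; i++)
				want["appraise func=" h[i] " appraise_type=imasig"] = 1 }
		{ if ($0 in want) c++; else exit }
		END { print c + 0 }' "$file")
	if [ "$leading" -ne 4 ]; then
		echo "secure_boot rules are present but do not come first" >&2
		return 1
	fi
	return 0
}

print_secure_boot_rules() {
	for hook in $SECURE_BOOT_HOOKS; do
		echo "appraise func=$hook appraise_type=imasig"
	done
}

# Constructed policy dump (not captured from a real system). MODE: "first",
# "after" (secure_boot rules behind the custom rules) or "none".
make_sample() {
	{
		if [ "$2" = first ]; then print_secure_boot_rules; fi
		echo "measure func=BPRM_CHECK mask=MAY_EXEC"
		echo "appraise fowner=0"
		if [ "$2" = after ]; then print_secure_boot_rules; fi
	} > "$1"
}
```

On a live system with CONFIG_IMA_READ_POLICY, run check_secure_boot_rules against the securityfs policy file; a non-zero exit with the message on stderr tells you which rule is missing or misplaced.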