On Mon, 2020-07-27 at 12:18 -0700, Scott Branden wrote: > Hi Mimi/Kees, > > On 2020-07-27 4:16 a.m., Mimi Zohar wrote: > > On Fri, 2020-07-24 at 14:36 -0700, Kees Cook wrote: > >> v3: > >> - add reviews/acks > >> - add "IMA: Add support for file reads without contents" patch > >> - trim CC list, in case that's why vger ignored v2 > >> v2: [missing from lkml archives! (CC list too long?) repeating changes > here] > >> - fix issues in firmware test suite > >> - add firmware partial read patches > >> - various bug fixes/cleanups > >> v1: > https://lore.kernel.org/lkml/20200717174309.1164575-1-keescook@xxxxxxxxxxxx/ > >> > >> Hi, > >> > >> Here's my tree for adding partial read support in kernel_read_file(), > >> which fixes a number of issues along the way. It's got Scott's firmware > >> and IMA patches ported and everything tests cleanly for me (even with > >> CONFIG_IMA_APPRAISE=y). > > Thanks, Kees. Other than my comments on the new > > security_kernel_post_load_data() hook, the patch set is really nice. > > > > In addition to compiling with CONFIG_IMA_APPRAISE enabled, have you > > booted the kernel with the ima_policy=tcb? The tcb policy will add > > measurements to the IMA measurement list and extend the TPM with the > > file or buffer data digest. Are you seeing the firmware measurements, > > in particular the partial read measurement? > I booted the kernel with ima_policy=tcb. > > Unfortunately after enabling the following, fw_run_tests.sh does not run. > > mkdir /sys/kernel/security > mount -t securityfs securityfs /sys/kernel/security > echo "measure func=FIRMWARE_CHECK" > /sys/kernel/security/ima/policy > echo "appraise func=FIRMWARE_CHECK appraise_type=imasig" > > /sys/kernel/security/ima/policy > ./fw_run_tests.sh > > [ 1296.258052] test_firmware: loading 'test-firmware.bin' > [ 1296.263903] misc test_firmware: loading /lib/firmware/test-firmware.bin > failed with error -13 > [ 1296.263905] audit: type=1800 audit(1595905754.266:9): pid=5696 uid=0 > auid=4294967295 ses=4294967295 subj=kernel op=appraise_data cause=IMA- > signature-required comm="fw_namespace" name="/lib/firmware/test-firmware.bin" > dev="tmpfs" ino=4592 res=0 > [ 1296.297085] misc test_firmware: Direct firmware load for test-firmware.bin > failed with error -13 > [ 1296.305947] test_firmware: load of 'test-firmware.bin' failed: -13 The "appraise" rule verifies the IMA signature. Unless you signed the firmware (evmctl) and load the public key on the IMA keyring, that's to be expected. I assume you are seeing firmware measurements in the IMA measuremenet log. Mimi
