ACK: [SRU][F][PATCH 0/1] Fix for secure boot rules in IMA arch policy on powerpc (LP: 1877955)
Kelsey Skunberg
kelsey.skunberg at canonical.com
Thu Jun 4 00:03:52 UTC 2020
On 2020-05-29 20:16:14 , frank.heimes at canonical.com wrote:
> Buglink: https://bugs.launchpad.net/bugs/1877955
>
> SRU Justification:
>
> [Impact]
>
> * Currently the kernel module appended signature is verified twice (finit_module) - once by the module_sig_check() and again by IMA.
>
> * To prevent this the powerpc secure boot rules define an IMA architecture specific policy rule only if CONFIG_MODULE_SIG_FORCE is not enabled.
>
> * But this doesn't take into account the ability to enable "sig_enforce" at the boot command line (module.sig_enforce=1).
>
> * Including the IMA module appraise rule results in failing the finit_module syscall, unless the module signing public key is loaded onto the IMA keyring.
>
> * This patch fixes secure boot policy rules to be based on CONFIG_MODULE_SIG instead.
>
> [Fix]
>
> * fa4f3f56ccd28ac031ab275e673ed4098855fed4 fa4f3f56ccd2 "powerpc/ima: Fix secure boot rules in ima arch policy"
>
> [Test Case]
>
> * Perform a secure boot on a powerpc system with 'module.sig_enforce=1' set at the boot command.
>
> * If the IMA module appraise rule is included, the finit_module syscall will fail (unless the module signing public key got loaded onto the IMA keyring) without having the patch in place.
>
> * Verification needs to be done by the IBM Power team.
>
> [Regression Potential]
>
> * There is (always) a certain regression risk with having code changes, especially in the secure boot area.
>
> * But this patch is limited to the powerpc platform and will not affect any other architecture.
>
> * It got discussed at https://lore.kernel.org/r/1588342612-14532-1-git-send-email-nayna@linux.ibm.com
> before it became finally upstream accepted with kernel 5.7-rc7.
>
> * The secure boot code itself wasn't really touched, but rather its basis for execution.
> The IMA policy rule for module appraisal is now added only if 'CONFIG_MODULE_SIG' is not enabled (instead of CONFIG_MODULE_SIG_FORCE).
> Hence the change is very limited and straightforward.
>
> [Other]
>
> * Since the patch got upstream with 5.7-rc7, it is already in groovy, hence this SRU is for focal only.
>
> Nayna Jain (1):
> From: Nayna Jain <nayna at linux.ibm.com>
>
> arch/powerpc/kernel/ima_arch.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> --
> 2.25.1
>
>
Acked-by: Kelsey Skunberg <kelsey.skunberg at canonical.com>
> --
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
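
The rule selection described in the quoted [Impact] section, modelled as an added example (not code from the patch or from the kernel): the function names, the `overlap` label and the sample config and command line are constructed for illustration.

```shell
#!/bin/sh
# Added example: models the rule selection described in the cover letter.
# Inputs are passed as text so it runs offline; on a live system use
# "$(cat /boot/config-$(uname -r))" and "$(cat /proc/cmdline)".

# Constructed sample: signing built in, not forced, enforced at boot.
SAMPLE_CONFIG='CONFIG_MODULE_SIG=y
# CONFIG_MODULE_SIG_FORCE is not set'
SAMPLE_CMDLINE='root=/dev/sda2 ro module.sig_enforce=1'

# config_enabled CONFIG_TEXT OPTION: succeeds if OPTION=y is present.
config_enabled() {
    printf '%s\n' "$1" | grep -qxF "$2=y"
}

# ima_module_rule BASIS CONFIG_TEXT: the arch policy adds the IMA module
# appraise rule only when BASIS is not enabled. BASIS is
# CONFIG_MODULE_SIG_FORCE before the fix, CONFIG_MODULE_SIG after it.
ima_module_rule() {
    if config_enabled "$2" "$1"; then echo omitted; else echo included; fi
}

# sig_enforced CONFIG_TEXT CMDLINE: succeeds if module signatures are
# enforced, either at build time or via module.sig_enforce=1.
sig_enforced() {
    config_enabled "$1" CONFIG_MODULE_SIG_FORCE && return 0
    config_enabled "$1" CONFIG_MODULE_SIG || return 1
    case " $2 " in *" module.sig_enforce=1 "*) return 0 ;; esac
    return 1
}

# diagnose BASIS CONFIG_TEXT CMDLINE: flags "overlap" when signatures are
# enforced and the IMA module rule is present as well.
diagnose() {
    rule=$(ima_module_rule "$1" "$2")
    if sig_enforced "$2" "$3"; then enf=yes; else enf=no; fi
    if [ "$rule" = included ] && [ "$enf" = yes ]; then
        echo "rule=$rule sig_enforce=$enf overlap"
    else
        echo "rule=$rule sig_enforce=$enf"
    fi
}

echo "before fix: $(diagnose CONFIG_MODULE_SIG_FORCE "$SAMPLE_CONFIG" "$SAMPLE_CMDLINE")"
echo "after fix:  $(diagnose CONFIG_MODULE_SIG "$SAMPLE_CONFIG" "$SAMPLE_CMDLINE")"
```
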