[SRU][F][PATCH 0/1] Fix for secure boot rules in IMA arch policy on powerpc (LP: 1877955)
frank.heimes at canonical.com
Fri May 29 18:16:14 UTC 2020
Buglink: https://bugs.launchpad.net/bugs/1877955
SRU Justification:
[Impact]
* Currently the kernel module appended signature is verified twice (finit_module) - once by the module_sig_check() and again by IMA.
* To prevent this the powerpc secure boot rules define an IMA architecture specific policy rule only if CONFIG_MODULE_SIG_FORCE is not enabled.
* But this doesn't take into account the ability to enable "sig_enforce" on the boot command line (module.sig_enforce=1).
* Including the IMA module appraise rule results in failing the finit_module syscall, unless the module signing public key is loaded onto the IMA keyring.
* This patch fixes secure boot policy rules to be based on CONFIG_MODULE_SIG instead.
[Fix]
* fa4f3f56ccd28ac031ab275e673ed4098855fed4 fa4f3f56ccd2 "powerpc/ima: Fix secure boot rules in ima arch policy"
[Test Case]
* Perform a secure boot on a powerpc system with 'module.sig_enforce=1' set at the boot command.
* If the IMA module appraise rule is included, the finit_module syscall will fail (unless the module signing public key got loaded onto the IMA keyring) without having the patch in place.
* Verification needs to be done by the IBM Power team.
[Regression Potential]
* There is (always) a certain regression risk with having code changes, especially in the secure boot area.
* But this patch is limited to the powerpc platform and will not affect any other architecture.
* It got discussed at https://lore.kernel.org/r/1588342612-14532-1-git-send-email-nayna@linux.ibm.com
before it was finally accepted upstream with kernel 5.7-rc7.
* The secure boot code itself wasn't really touched, but rather its basis for execution.
The IMA policy rule for module appraisal is now added only if 'CONFIG_MODULE_SIG' is not enabled (instead of CONFIG_MODULE_SIG_FORCE).
Hence the change is very limited and straightforward.
[Other]
* Since the patch got upstream with 5.7-rc7, it is already in groovy, hence this SRU is for focal only.
Nayna Jain (1):
From: Nayna Jain <nayna at linux.ibm.com>
arch/powerpc/kernel/ima_arch.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--
2.25.1