kernel/security/integrity/ima/Kconfig, branch linux-5.1.yHosts the 0x221E linux distro kernel.https://universe.0xinfinity.dev/distro/kernel/atom?h=linux-5.1.y2018-12-11T12:13:41Zx86/ima: define arch_get_ima_policy() for x862018-12-11T12:13:41ZEric Richtererichte@linux.ibm.com2018-10-09T17:30:37Zurn:sha1:d958083a8f6408e76850bc7394976050d7e43173
On x86, there are two methods of verifying a kexec'ed kernel image
signature being loaded via the kexec_file_load syscall - an architecture
specific implementaton or a IMA KEXEC_KERNEL_CHECK appraisal rule. Neither
of these methods verify the kexec'ed kernel image signature being loaded
via the kexec_load syscall.
Secure boot enabled systems require kexec images to be signed. Therefore,
this patch loads an IMA KEXEC_KERNEL_CHECK policy rule on secure boot
enabled systems not configured with CONFIG_KEXEC_VERIFY_SIG enabled.
When IMA_APPRAISE_BOOTPARAM is configured, different IMA appraise modes
(eg. fix, log) can be specified on the boot command line, allowing unsigned
or invalidly signed kernel images to be kexec'ed. This patch permits
enabling IMA_APPRAISE_BOOTPARAM or IMA_ARCH_POLICY, but not both.
Signed-off-by: Eric Richter <erichte@linux.ibm.com>
Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
Cc: David Howells <dhowells@redhat.com>
Cc: Eric Biederman <ebiederm@xmission.com>
Cc: Peter Jones <pjones@redhat.com>
Cc: Vivek Goyal <vgoyal@redhat.com>
Cc: Dave Young <dyoung@redhat.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
ima: Do not audit if CONFIG_INTEGRITY_AUDIT is not set2018-07-18T11:27:22ZStefan Bergerstefanb@linux.vnet.ibm.com2018-06-04T20:54:54Zurn:sha1:2afd020aaeeefacb7711b47e3afb0cfb50db3f13
If Integrity is not auditing, IMA shouldn't audit, either.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
ima: add build time policy2018-07-16T19:31:57ZMimi Zoharzohar@linux.vnet.ibm.com2018-07-13T18:06:01Zurn:sha1:ef96837b0de4af47732e2a8ebf5c18e8a885ded6
IMA by default does not measure, appraise or audit files, but can be
enabled at runtime by specifying a builtin policy on the boot command line
or by loading a custom policy.
This patch defines a build time policy, which verifies kernel modules,
firmware, kexec image, and/or the IMA policy signatures. This build time
policy is automatically enabled at runtime and persists after loading a
custom policy.
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: James Morris <james.morris@microsoft.com>
ima: Fix Kconfig to select TPM 2.0 CRB interface2018-03-25T11:24:31ZJiandi Ananjiandi@codeaurora.org2018-03-07T05:26:26Zurn:sha1:fac37c628fd5d68fd7298d9b57ae8601ee1b4723
TPM_CRB driver provides TPM CRB 2.0 support. If it is built as a
module, the TPM chip is registered after IMA init. tpm_pcr_read() in
IMA fails and displays the following message even though eventually
there is a TPM chip on the system.
ima: No TPM chip found, activating TPM-bypass! (rc=-19)
Fix IMA Kconfig to select TPM_CRB so TPM_CRB driver is built in the kernel
and initializes before IMA.
Signed-off-by: Jiandi An <anjiandi@codeaurora.org>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
IMA: Correct Kconfig dependencies for hash selection2017-06-21T18:37:12ZBen Hutchingsben@decadent.org.uk2017-05-02T18:27:00Zurn:sha1:38d192684e8b1811c352c208447d565f8f0a309f
IMA uses the hash algorithm too early to be able to use a module.
Require the selected hash algorithm to be built-in.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
ima: define Kconfig IMA_APPRAISE_BOOTPARAM option2017-06-21T18:37:12ZMimi Zoharzohar@linux.vnet.ibm.com2017-04-25T02:06:49Zurn:sha1:e1f5e01f4b035ced1c71b40866e4e5c0508fbb0b
Permit enabling the different "ima_appraise=" modes (eg. log, fix)
from the boot command line.
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
ima: maintain memory size needed for serializing the measurement list2016-12-20T17:48:44ZMimi Zoharzohar@linux.vnet.ibm.com2016-12-20T00:22:42Zurn:sha1:d158847ae89a25615f3d8757ad8c6f50fc816db5
In preparation for serializing the binary_runtime_measurements, this
patch maintains the amount of memory required.
Link: http://lkml.kernel.org/r/1480554346-29071-5-git-send-email-zohar@linux.vnet.ibm.com
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Acked-by: Dmitry Kasatkin <dmitry.kasatkin@gmail.com>
Cc: Thiago Jung Bauermann <bauerman@linux.vnet.ibm.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Andreas Steffen <andreas.steffen@strongswan.org>
Cc: Josh Sklar <sklar@linux.vnet.ibm.com>
Cc: Dave Young <dyoung@redhat.com>
Cc: Vivek Goyal <vgoyal@redhat.com>
Cc: Baoquan He <bhe@redhat.com>
Cc: Michael Ellerman <mpe@ellerman.id.au>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: Paul Mackerras <paulus@samba.org>
Cc: Stewart Smith <stewart@linux.vnet.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
IMA: Use the the system trusted keyrings instead of .ima_mok2016-04-11T21:49:15ZDavid Howellsdhowells@redhat.com2016-04-07T08:45:23Zurn:sha1:56104cf2b8d20eed32c14eac8ac574c35377ab38
Add a config option (IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY)
that, when enabled, allows keys to be added to the IMA keyrings by
userspace - with the restriction that each must be signed by a key in the
system trusted keyrings.
EPERM will be returned if this option is disabled, ENOKEY will be returned if
no authoritative key can be found and EKEYREJECTED will be returned if the
signature doesn't match. Other errors such as ENOPKG may also be returned.
If this new option is enabled, the builtin system keyring is searched, as is
the secondary system keyring if that is also enabled. Intermediate keys
between the builtin system keyring and the key being added can be added to
the secondary keyring (which replaces .ima_mok) to form a trust chain -
provided they are also validly signed by a key in one of the trusted keyrings.
The .ima_mok keyring is then removed and the IMA blacklist keyring gets its
own config option (IMA_BLACKLIST_KEYRING).
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
IMA: allow reading back the current IMA policy2015-12-15T15:01:43ZPetko Manolovpetkan@mip-labs.com2015-12-02T15:47:56Zurn:sha1:80eae209d63ac6361c7b445f7e7e41f39c044772
It is often useful to be able to read back the IMA policy. It is
even more important after introducing CONFIG_IMA_WRITE_POLICY.
This option allows the root user to see the current policy rules.
Signed-off-by: Zbigniew Jasinski <z.jasinski@samsung.com>
Signed-off-by: Petko Manolov <petkan@mip-labs.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
IMA: create machine owner and blacklist keyrings2015-12-15T15:01:43ZPetko Manolovpetkan@mip-labs.com2015-12-02T15:47:55Zurn:sha1:41c89b64d7184a780f12f2cccdabe65cb2408893
This option creates IMA MOK and blacklist keyrings. IMA MOK is an
intermediate keyring that sits between .system and .ima keyrings,
effectively forming a simple CA hierarchy. To successfully import a key
into .ima_mok it must be signed by a key which CA is in .system keyring.
On turn any key that needs to go in .ima keyring must be signed by CA in
either .system or .ima_mok keyrings. IMA MOK is empty at kernel boot.
IMA blacklist keyring contains all revoked IMA keys. It is consulted
before any other keyring. If the search is successful the requested
operation is rejected and error is returned to the caller.
Signed-off-by: Petko Manolov <petkan@mip-labs.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>