[meta-security,dunfell,3/3] initramfs-framework-ima: introduce IMA_FORCE

Submitted by Ming Liu on April 19, 2021, 6:41 a.m. | Patch ID: 179659

Details

Message ID 20210419064159.12487-4-liu.ming50@gmail.com
State New
Headers show

Commit Message

Ming Liu April 19, 2021, 6:41 a.m.
From: Ming Liu <liu.ming50@gmail.com>

Introduce IMA_FORCE to allow the IMA policy be applied forcely even
'no_ima' boot parameter is available.

This ensures the end users have a way to disable 'no_ima' support if
they want to, because it may expose a security risk if an attacker can
find a way to change kernel arguments, it will easily bypass rootfs
authenticity checks.

Signed-off-by: Sergio Prado <sergio.prado@toradex.com>
Signed-off-by: Ming Liu <liu.ming50@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 .../initrdscripts/initramfs-framework-ima.bb             | 5 +++++
 .../initrdscripts/initramfs-framework-ima/ima            | 9 +++++++--
 2 files changed, 12 insertions(+), 2 deletions(-)

Patch hide | download patch | download mbox

diff --git a/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb b/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb
index 77f6f7c..6471c53 100644
--- a/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb
+++ b/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb
@@ -14,6 +14,9 @@  LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384
 # to this recipe can just point towards one of its own files.
 IMA_POLICY ?= "ima-policy-hashed"
 
+# Force proceed IMA procedure even 'no_ima' boot parameter is available.
+IMA_FORCE ?= "false"
+
 SRC_URI = " file://ima"
 
 inherit features_check
@@ -23,6 +26,8 @@  do_install () {
     install -d ${D}/${sysconfdir}/ima
     install -d ${D}/init.d
     install ${WORKDIR}/ima  ${D}/init.d/20-ima
+
+    sed -i "s/@@FORCE_IMA@@/${IMA_FORCE}/g" ${D}/init.d/20-ima
 }
 
 FILES_${PN} = "/init.d ${sysconfdir}"
diff --git a/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima b/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima
index cff26a3..8971494 100644
--- a/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima
+++ b/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima
@@ -2,11 +2,16 @@ 
 #
 # Loads IMA policy into the kernel.
 
+force_ima=@@FORCE_IMA@@
+
 ima_enabled() {
-    if [ "$bootparam_no_ima" = "true" ]; then
+    if [ "$force_ima" = "true" ]; then
+        return 0
+    elif [ "$bootparam_no_ima" = "true" ]; then
         return 1
+    else
+        return 0
     fi
-    return 0
 }
 
 ima_run() {