| Message ID | 20230428122316.521800-1-stefanb@linux.ibm.com |
|---|---|
| Series | Fix IMA and EVM support |
Stefan,

On 4/28/23 8:23 AM, Stefan Berger wrote:
> This series of patches fixes the current support for IMA and EVM
> by removing outdated patches for example and adding kernel config
> options. I have tried out these patches with OpenBMC where the
> appraisal policy now enforces signed executables and libraries.
>
> Stefan

Thanks for the patches. It's nice to have a content expert contribute.

There is a test suite I am using to double check things and it's not passing. I think it needs to be adapted to some of these changes.

see: meta-integrity/lib/oeqa/runtime/cases/ima.py

This is adding a delay on merging until I get the test sorted out on my end.

I do have a question regarding the kernel config changes. Do we really need "CONFIG_SQUASHFS_XATTR=y"?

BR,
Armin

>
> Stefan Berger (8):
>   ima: Document and replace keys and adapt scripts for EC keys
>   ima: Fix the ima_policy_appraise_all to appraise executables &
>     libraries
>   ima: Fix the IMA kernel feature
>   ima: Rename IMA_EVM_POLICY_SYSTEMD to IMA_EVM_POLICY
>   ima: Sign all executables and the ima-policy in the root filesystem
>   integrity: Update the README for IMA support
>   linux: overlayfs: Add kernel patch resolving a file change
>     notification issue
>   ima-evm-utils: Update ima-evm-utils to v1.5 and add a patch
>
>  meta-integrity/README.md                      |  22 +--
>  meta-integrity/classes/ima-evm-rootfs.bbclass |  34 ++++-
>  meta-integrity/data/debug-keys/README.md      |  17 +++
>  .../data/debug-keys/ima-local-ca.pem          |  15 ++
>  .../data/debug-keys/ima-local-ca.priv         |   7 +
>  .../data/debug-keys/privkey_ima.pem           |  17 +--
>  meta-integrity/data/debug-keys/x509_ima.der   | Bin 707 -> 620 bytes
>  .../0001-ima-fix-ima_inode_post_setattr.patch |  51 -------
>  ...Increment-iversion-upon-file-changes.patch |  42 ++++++
>  ...for-creating-files-using-the-mknodat.patch | 138 ------------------
>  ...-file-hash-setting-by-user-to-fix-an.patch |  60 --------
>  .../recipes-kernel/linux/linux/ima.cfg        |  46 ++++++
>  .../recipes-kernel/linux/linux/ima.scc        |   4 +
>  .../recipes-kernel/linux/linux_ima.inc        |  11 +-
>  ...ation-using-ioctl-when-evm_portable-.patch |  35 +++++
>  ...-evm-utils_1.4.bb => ima-evm-utils_1.5.bb} |   9 +-
>  .../files/ima_policy_appraise_all             |   9 +-
>  meta-integrity/scripts/ima-gen-CA-signed.sh   |   9 +-
>  meta-integrity/scripts/ima-gen-local-ca.sh    |   6 +-
>  meta-integrity/scripts/ima-gen-self-signed.sh |  41 ------
>  20 files changed, 240 insertions(+), 333 deletions(-)
>  create mode 100644 meta-integrity/data/debug-keys/README.md
>  create mode 100644 meta-integrity/data/debug-keys/ima-local-ca.pem
>  create mode 100644 meta-integrity/data/debug-keys/ima-local-ca.priv
>  delete mode 100644 meta-integrity/recipes-kernel/linux/linux/0001-ima-fix-ima_inode_post_setattr.patch
>  create mode 100644 meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch
>  delete mode 100644 meta-integrity/recipes-kernel/linux/linux/0002-ima-add-support-for-creating-files-using-the-mknodat.patch
>  delete mode 100644 meta-integrity/recipes-kernel/linux/linux/Revert-ima-limit-file-hash-setting-by-user-to-fix-an.patch
>  create mode 100644 meta-integrity/recipes-kernel/linux/linux/ima.cfg
>  create mode 100644 meta-integrity/recipes-kernel/linux/linux/ima.scc
>  create mode 100644 meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch
>  rename meta-integrity/recipes-security/ima-evm-utils/{ima-evm-utils_1.4.bb => ima-evm-utils_1.5.bb} (71%)
>  delete mode 100755 meta-integrity/scripts/ima-gen-self-signed.sh
On 4/30/23 10:16, Armin Kuster wrote:
>
> Stefan,
>
> On 4/28/23 8:23 AM, Stefan Berger wrote:
>> This series of patches fixes the current support for IMA and EVM
>> by removing outdated patches for example and adding kernel config
>> options. I have tried out these patches with OpenBMC where the
>> appraisal policy now enforces signed executables and libraries.
>>
>> Stefan
>
> Thanks for the patches. It's nice to have a content expert contribute.
>
> There is a test suite I am using to double check things and it's not
> passing. I think it needs to be adapted to some of these changes.
>
> see: meta-integrity/lib/oeqa/runtime/cases/ima.py

How does one run the test suite? I have so far only used the changes with a build of OpenBMC.

I had seen the tests, though, and saw they assumed IMA was going to start before systemd.
In the OpenBMC log I see this here:

[ 0.984195] ima: No TPM chip found, activating TPM-bypass!
[ 0.985167] ima: Allocated hash algorithm: sha256
[ 0.991810] ima: No architecture policies found

These are easy...

This one is due to me adding IMA policy load support into an init script:

Activated EVM: 2 [ activated with 0x80000002 ]
[ 2.248222] ima: policy update completed

My patches for OpenBMC are here:

https://gerrit.openbmc.org/c/openbmc/openbmc/+/62933

This one has the init script changes:
https://gerrit.openbmc.org/c/openbmc/openbmc/+/62929/1

>
> This is adding a delay on merging until I get the test sorted out on my end.
>
> I do have a question regarding the kernel config changes. Do we really need "CONFIG_SQUASHFS_XATTR=y"?

I added this because of OpenBMC using squashfs and we need the xattr support for security.ima and .evm.

Regards,
   Stefan

> BR,
> Armin
>
>> Stefan Berger (8):
>>   ima: Document and replace keys and adapt scripts for EC keys
>>   ima: Fix the ima_policy_appraise_all to appraise executables &
>>     libraries
>>   ima: Fix the IMA kernel feature
>>   ima: Rename IMA_EVM_POLICY_SYSTEMD to IMA_EVM_POLICY
>>   ima: Sign all executables and the ima-policy in the root filesystem
>>   integrity: Update the README for IMA support
>>   linux: overlayfs: Add kernel patch resolving a file change
>>     notification issue
>>   ima-evm-utils: Update ima-evm-utils to v1.5 and add a patch
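The log lines Stefan quotes above, turned into a boot-time check. This is an added example, not code from the thread or from the meta-integrity layer: it parses the `ima:` kernel messages and the init script's `Activated EVM` line, records when the custom policy was loaded, and compares that timestamp with the first `systemd[1]:` message as a stand-in for "IMA starts before systemd", which is the assumption the test suite makes. The sample log is constructed from the quoted lines plus one assumed `systemd[1]` line; using that line as the marker for the start of user space, and all function and field names, are my assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Kernel log line shape: "[ 0.984195] ima: No TPM chip found, activating TPM-bypass!"
_DMESG_RE = re.compile(r"^\[\s*(?P<ts>\d+\.\d+)\]\s*(?P<msg>.*)$")
# Init-script line quoted in the thread: "Activated EVM: 2 [ activated with 0x80000002 ]"
_EVM_RE = re.compile(
    r"^Activated EVM:\s*(?P<state>\d+)\s*\[\s*activated with (?P<flags>0x[0-9a-fA-F]+)\s*\]")


@dataclass
class ImaBootSummary:
    tpm_bypass: Optional[bool] = None         # True when IMA runs without a TPM
    hash_algorithm: Optional[str] = None      # algorithm IMA allocated for measurements
    arch_policy_found: Optional[bool] = None  # False when "No architecture policies found"
    policy_loaded_at: Optional[float] = None  # seconds since boot, from the dmesg prefix
    evm_state: Optional[int] = None           # value echoed by the init script
    evm_flags: Optional[int] = None           # hex flags echoed by the init script
    init_started_at: Optional[float] = None   # first "systemd[1]:" line (assumed marker)


def parse_ima_boot_log(lines) -> ImaBootSummary:
    """Extract the IMA/EVM initialisation facts from kernel/console log lines."""
    s = ImaBootSummary()
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = _DMESG_RE.match(line)
        ts = float(m.group("ts")) if m else None
        msg = m.group("msg") if m else line
        if msg.startswith("ima: No TPM chip found"):
            s.tpm_bypass = True
        elif msg.startswith("ima: Allocated hash algorithm:"):
            s.hash_algorithm = msg.split(":", 2)[2].strip()
        elif msg == "ima: No architecture policies found":
            s.arch_policy_found = False
        elif msg == "ima: policy update completed":
            s.policy_loaded_at = ts
        elif msg.startswith("systemd[1]:") and s.init_started_at is None and ts is not None:
            s.init_started_at = ts
        else:
            e = _EVM_RE.match(msg)
            if e:
                s.evm_state = int(e.group("state"))
                s.evm_flags = int(e.group("flags"), 16)
    return s


def policy_loaded_before_init(s: ImaBootSummary) -> Optional[bool]:
    """None if either timestamp is missing, else whether the custom policy was
    in place before PID 1 logged its first message."""
    if s.policy_loaded_at is None or s.init_started_at is None:
        return None
    return s.policy_loaded_at < s.init_started_at


def assess(s: ImaBootSummary) -> List[str]:
    """Findings a defender would want from the parsed summary."""
    findings = []
    if s.tpm_bypass:
        findings.append("TPM-bypass: measurements are not extended into a TPM PCR, "
                        "so the measurement list cannot be remotely attested")
    if s.hash_algorithm and s.hash_algorithm.lower() == "sha1":
        findings.append("IMA uses sha1; prefer sha256 or stronger for ima_hash")
    if s.policy_loaded_at is None:
        findings.append("no 'ima: policy update completed' line: the appraisal policy was never loaded")
    if policy_loaded_before_init(s) is False:
        findings.append("policy loaded after init started: early user space ran unappraised")
    if s.evm_state is None:
        findings.append("no 'Activated EVM' line seen: EVM protection of security.ima may be off")
    return findings


# Constructed sample: the lines Stefan quoted from the OpenBMC log plus one
# assumed systemd[1] line standing in for the start of user space.
SAMPLE_LOG = """\
[ 0.984195] ima: No TPM chip found, activating TPM-bypass!
[ 0.985167] ima: Allocated hash algorithm: sha256
[ 0.991810] ima: No architecture policies found
Activated EVM: 2 [ activated with 0x80000002 ]
[ 2.248222] ima: policy update completed
[ 3.102000] systemd[1]: systemd 253 running in system mode.
"""

if __name__ == "__main__":
    summary = parse_ima_boot_log(SAMPLE_LOG.splitlines())
    print(summary)
    for finding in assess(summary):
        print("-", finding)
```

On the sample, the policy is loaded at 2.248 s and PID 1 first logs at 3.102 s, so the ordering the test suite expects holds; the TPM-bypass finding is still reported, because a policy enforced without a TPM gives local appraisal but no attestable measurement log.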
On 4/30/23 8:33 PM, Stefan Berger wrote:
>
> On 4/30/23 10:16, Armin Kuster wrote:
>>
>> Stefan,
>>
>> On 4/28/23 8:23 AM, Stefan Berger wrote:
>>> This series of patches fixes the current support for IMA and EVM
>>> by removing outdated patches for example and adding kernel config
>>> options. I have tried out these patches with OpenBMC where the
>>> appraisal policy now enforces signed executables and libraries.
>>>
>>> Stefan
>>
>> Thanks for the patches. It's nice to have a content expert contribute.
>>
>> There is a test suite I am using to double check things and it's not
>> passing. I think it needs to be adapted to some of these changes.
>>
>> see: meta-integrity/lib/oeqa/runtime/cases/ima.py
>
> How does one run the test suite?

There is an image unique to most of the meta-security sub-layers used for building & testing. In this IMA case it's "integrity-image-minimal".

To run the test suite, add to your local.conf:

#####################
DISTRO_FEATURES:append = " systemd integrity ima "
TEST_SUITES = "ssh ping ima"
IMAGE_CLASSES += "testimage"
#####################

Then build and test:

bitbake integrity-image-minimal; bitbake integrity-image-minimal -c testimage

It will print the test results when completed, looking like this:

RESULTS:
RESULTS - ping.PingTest.test_ping: PASSED (0.05s)
RESULTS - ssh.SSHTest.test_ssh: PASSED (2.85s)
RESULTS - ima.IMACheck.test_ima_before_systemd: PASSED (2.56s)
RESULTS - ima.IMACheck.test_ima_enabled: PASSED (1.38s)
RESULTS - ima.IMACheck.test_ima_hash: PASSED (5.65s)
RESULTS - ima.IMACheck.test_ima_overwrite: PASSED (267.05s)
RESULTS - ima.IMACheck.test_ima_signature: PASSED (145.66s)
SUMMARY:
integrity-image-minimal () - Ran 7 tests in 427.742s
integrity-image-minimal - OK - All required tests passed (successes=7, skipped=0, failures=0, errors=0)

I just posted the changes needed to get the tests passing again.

> I have so far only used the changes with a build of OpenBMC.
>
> I had seen the tests, though, and saw they assumed IMA was going to
> start before systemd.
> In the OpenBMC log I see this here:
>
> [ 0.984195] ima: No TPM chip found, activating TPM-bypass!
> [ 0.985167] ima: Allocated hash algorithm: sha256
> [ 0.991810] ima: No architecture policies found
>
> These are easy...
>
> This one is due to me adding IMA policy load support into an init script:
>
> Activated EVM: 2 [ activated with 0x80000002 ]
> [ 2.248222] ima: policy update completed
>
> My patches for OpenBMC are here:
>
> https://gerrit.openbmc.org/c/openbmc/openbmc/+/62933
>
> This one has the init script changes:
> https://gerrit.openbmc.org/c/openbmc/openbmc/+/62929/1

Thanks for the links, I will take a look.

>
>>
>> This is adding a delay on merging until I get the test sorted out on
>> my end.
>>
>> I do have a question regarding the kernel config changes. Do we
>> really need "CONFIG_SQUASHFS_XATTR=y"?
>
> I added this because of OpenBMC using squashfs and we need the xattr
> support for security.ima and .evm.

ok,

BR,
Armin

>
> Regards,
>    Stefan
>
>> BR,
>> Armin
>>
>>> Stefan Berger (8):
>>>   ima: Document and replace keys and adapt scripts for EC keys
>>>   ima: Fix the ima_policy_appraise_all to appraise executables &
>>>     libraries
>>>   ima: Fix the IMA kernel feature
>>>   ima: Rename IMA_EVM_POLICY_SYSTEMD to IMA_EVM_POLICY
>>>   ima: Sign all executables and the ima-policy in the root filesystem
>>>   integrity: Update the README for IMA support
>>>   linux: overlayfs: Add kernel patch resolving a file change
>>>     notification issue
>>>   ima-evm-utils: Update ima-evm-utils to v1.5 and add a patch
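Armin's question about CONFIG_SQUASHFS_XATTR and Stefan's answer (security.ima and security.evm live in extended attributes, so the image filesystem has to be able to carry them) suggest a check worth running on a built root filesystem before it is packed into the image. The following is an added example, not code from the thread or from the meta-integrity layer: it walks a rootfs tree, reports for each executable and shared library whether security.ima holds a signature, only a hash, or nothing, and reports ENOTSUP separately so a filesystem that cannot store the xattr at all is not misread as "files are unsigned". The type-byte values come from the kernel's `enum evm_ima_xattr_type`; the executable/library heuristic, the function names and the `attr` parameter (so the walk can be exercised with a `user.*` xattr on a host without IMA) are my assumptions.

```python
import errno
import os
import stat
import sys
from typing import Dict, List

# First byte of a security.ima value, from the kernel's enum evm_ima_xattr_type.
IMA_XATTR_DIGEST = 0x01       # legacy hash (no algorithm prefix)
EVM_IMA_XATTR_DIGSIG = 0x03   # signature, which an appraise policy requires
IMA_XATTR_DIGEST_NG = 0x04    # hash with algorithm prefix (what ima-evm-utils --hash writes)


def classify_ima_xattr(blob: bytes) -> str:
    """Map a raw security.ima value to what it proves about the file."""
    if not blob:
        return "empty"
    if blob[0] == EVM_IMA_XATTR_DIGSIG:
        return "signature"
    if blob[0] in (IMA_XATTR_DIGEST, IMA_XATTR_DIGEST_NG):
        return "hash"
    return "unknown"


def is_appraisal_candidate(path: str, st: os.stat_result) -> bool:
    """Heuristic (assumption): regular files with an execute bit, or whose name
    looks like a shared library, are what an executables-and-libraries policy appraises."""
    if not stat.S_ISREG(st.st_mode):
        return False
    if st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        return True
    return ".so" in os.path.basename(path)


def audit_rootfs(root: str, attr: str = "security.ima") -> Dict[str, str]:
    """Return {path relative to root: status} for every appraisal candidate.
    Status is 'signature', 'hash', 'unknown', 'empty', 'unsigned' (xattr absent)
    or 'no_xattr_support' (the filesystem cannot hold the xattr at all)."""
    result: Dict[str, str] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not is_appraisal_candidate(path, st):
                continue
            rel = os.path.relpath(path, root)
            try:
                blob = os.getxattr(path, attr, follow_symlinks=False)
                result[rel] = classify_ima_xattr(blob)
            except OSError as e:
                if e.errno == errno.ENODATA:
                    result[rel] = "unsigned"
                elif e.errno in (errno.ENOTSUP, errno.EOPNOTSUPP):
                    # The squashfs case from the thread: without xattr support the
                    # image cannot carry security.ima/security.evm at all.
                    result[rel] = "no_xattr_support"
                else:
                    raise
    return result


def missing_signatures(audit: Dict[str, str]) -> List[str]:
    """Paths that an appraise-everything policy would refuse to run."""
    return sorted(p for p, status in audit.items() if status != "signature")


if __name__ == "__main__":
    rootfs = sys.argv[1] if len(sys.argv) > 1 else "."
    report = audit_rootfs(rootfs)
    for p in sorted(report):
        print(f"{report[p]:<17} {p}")
    bad = missing_signatures(report)
    print(f"{len(report)} candidates, {len(bad)} without a signature")
    sys.exit(1 if bad else 0)
```

Run it against the rootfs directory before image creation (for example as a rootfs post-process step); a non-zero exit flags files that an appraise policy for executables and libraries would block, and a wall of `no_xattr_support` results points at the filesystem rather than at the signing step.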
On 4/30/23 10:16, akuster808 wrote:
>
> This is adding a delay on merging until I get the test sorted out on my end.
>
> I do have a question regarding the kernel config changes. Do we really need "CONFIG_SQUASHFS_XATTR=y"?

I will remove this and make this an OpenBMC-specific option.

   Stefan

> BR,
> Armin
>
>> Stefan Berger (8):
>>   ima: Document and replace keys and adapt scripts for EC keys
>>   ima: Fix the ima_policy_appraise_all to appraise executables &
>>     libraries
>>   ima: Fix the IMA kernel feature
>>   ima: Rename IMA_EVM_POLICY_SYSTEMD to IMA_EVM_POLICY
>>   ima: Sign all executables and the ima-policy in the root filesystem
>>   integrity: Update the README for IMA support
>>   linux: overlayfs: Add kernel patch resolving a file change
>>     notification issue
>>   ima-evm-utils: Update ima-evm-utils to v1.5 and add a patch