From patchwork Fri Apr 28 12:23:09 2023
X-Patchwork-Submitter: Stefan Berger
X-Patchwork-Id: 23141
From: Stefan Berger
To: yocto@lists.yoctoproject.org
Cc: akuster808@gmail.com, Stefan Berger
Subject: [meta-security][PATCH 1/8] ima: Document and replace keys and adapt scripts for EC keys
Date: Fri, 28 Apr 2023 08:23:09 -0400
Message-Id: <20230428122316.521800-2-stefanb@linux.ibm.com>
In-Reply-To: <20230428122316.521800-1-stefanb@linux.ibm.com>
References: <20230428122316.521800-1-stefanb@linux.ibm.com>
X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto/message/59798

For shorter file signatures use EC keys rather than RSA keys. Document
the debug keys and their purpose. Adapt the scripts for creating these
types of keys to now create EC keys.
Signed-off-by: Stefan Berger --- meta-integrity/data/debug-keys/README.md | 17 ++++++++ .../data/debug-keys/ima-local-ca.pem | 15 +++++++ .../data/debug-keys/ima-local-ca.priv | 7 +++ .../data/debug-keys/privkey_ima.pem | 17 ++------ meta-integrity/data/debug-keys/x509_ima.der | Bin 707 -> 620 bytes meta-integrity/scripts/ima-gen-CA-signed.sh | 9 ++-- meta-integrity/scripts/ima-gen-local-ca.sh | 6 +-- meta-integrity/scripts/ima-gen-self-signed.sh | 41 ------------------ 8 files changed, 50 insertions(+), 62 deletions(-) create mode 100644 meta-integrity/data/debug-keys/README.md create mode 100644 meta-integrity/data/debug-keys/ima-local-ca.pem create mode 100644 meta-integrity/data/debug-keys/ima-local-ca.priv delete mode 100755 meta-integrity/scripts/ima-gen-self-signed.sh diff --git a/meta-integrity/data/debug-keys/README.md b/meta-integrity/data/debug-keys/README.md new file mode 100644 index 0000000..e613968 --- /dev/null +++ b/meta-integrity/data/debug-keys/README.md @@ -0,0 +1,17 @@ +# EVM & IMA keys + +The following IMA & EVM debug/test keys are in this directory + +- ima-local-ca.priv: The CA's private key (password: 1234) +- ima-local-ca.pem: The CA's self-signed certificate +- privkey_ima.pem: IMA & EVM private key used for signing files +- x509_ima.der: Certificate containing public key (of privkey_ima.pem) to verify signatures + +The CA's (self-signed) certificate can be used to verify the validity of +the x509_ima.der certificate. Since the CA certificate will be built into +the Linux kernel, any key (x509_ima.der) loaded onto the .ima keyring must +pass this test: + +``` + openssl verify -CAfile ima-local-ca.pem x509_ima.der +```` diff --git a/meta-integrity/data/debug-keys/ima-local-ca.pem b/meta-integrity/data/debug-keys/ima-local-ca.pem new file mode 100644 index 0000000..4b48be4 --- /dev/null +++ b/meta-integrity/data/debug-keys/ima-local-ca.pem 
@@ -0,0 +1,15 @@ +-----BEGIN CERTIFICATE----- +MIICWzCCAgCgAwIBAgITYMKT7/z5qI+hLfNC6Jy6hhBCWDAKBggqhkjOPQQDAjB9 +MRQwEgYDVQQKDAtleGFtcGxlLmNvbTFAMD4GA1UEAww3bWV0YS1pbnRlbC1pb3Qt +c2VjdXJpdHkgZXhhbXBsZSBjZXJ0aWZpY2F0ZSBzaWduaW5nIGtleTEjMCEGCSqG +SIb3DQEJARYUam9obi5kb2VAZXhhbXBsZS5jb20wIBcNMjMwNDI2MTYyNjExWhgP +MjEyMzA0MDIxNjI2MTFaMH0xFDASBgNVBAoMC2V4YW1wbGUuY29tMUAwPgYDVQQD +DDdtZXRhLWludGVsLWlvdC1zZWN1cml0eSBleGFtcGxlIGNlcnRpZmljYXRlIHNp +Z25pbmcga2V5MSMwIQYJKoZIhvcNAQkBFhRqb2huLmRvZUBleGFtcGxlLmNvbTBZ +MBMGByqGSM49AgEGCCqGSM49AwEHA0IABCiC+YIbCoOhyLy63lOGbiK+DPkW7gMU +rmfVLIb4oTmKxZS5/L8VE6hjKDcLa7OauyuW2nd4fnFAautFxpw/Q0yjXTBbMAwG +A1UdEwQFMAMBAf8wHQYDVR0OBBYEFL/PiFFjjlzVtExXMb2uXOfIgeIEMB8GA1Ud +IwQYMBaAFL/PiFFjjlzVtExXMb2uXOfIgeIEMAsGA1UdDwQEAwIBBjAKBggqhkjO +PQQDAgNJADBGAiEA0HOxloLMr87yDoH3CljWDWb7M2zLA+BQFXLN511qDl0CIQDu +clewWaJHw4Wq8IN3JsrNDDw2GfrN3sx4hfWUK/0SPw== +-----END CERTIFICATE----- diff --git a/meta-integrity/data/debug-keys/ima-local-ca.priv b/meta-integrity/data/debug-keys/ima-local-ca.priv new file mode 100644 index 0000000..e13de23 --- /dev/null +++ b/meta-integrity/data/debug-keys/ima-local-ca.priv @@ -0,0 +1,7 @@ +-----BEGIN ENCRYPTED PRIVATE KEY----- +MIHjME4GCSqGSIb3DQEFDTBBMCkGCSqGSIb3DQEFDDAcBAhinM5KnV2x5wICCAAw +DAYIKoZIhvcNAgkFADAUBggqhkiG9w0DBwQI4Xbw/W1pgH0EgZCiurgCTUEIDbiK +x5kw3/Rg1/ZLwk5TEiMoIa9CmXEyuSRUla/Ta4o/rZEzKAp6vwkcupviirtWYems +lZNfggfzITWNEWtkU6BrhZgJ7kaeZrIbuAO7YUJy6Z2MQfgaKI9BE2EEgKJ+X5gY +LjkobSAtEqDjuheLgaXIMQ7/qT0MGmi6LmzwMEhu8ZXlNGg8udw= +-----END ENCRYPTED PRIVATE KEY----- diff --git a/meta-integrity/data/debug-keys/privkey_ima.pem b/meta-integrity/data/debug-keys/privkey_ima.pem index 502a0b6..8362cfe 100644 --- a/meta-integrity/data/debug-keys/privkey_ima.pem +++ b/meta-integrity/data/debug-keys/privkey_ima.pem 
@@ -1,16 +1,5 @@ -----BEGIN PRIVATE KEY----- -MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBAJw2G3d0fM36rcQU -Bt8V/SapJe0lxWJ+CY+HcMx8AhWY9XQ66AXcqBsRHiUnYCaFGXFI35VKGC6d/Gs6 -IWlHgI0tcTyzy5eul+BKRLy/3PNjkK2jJETlbetQy+gE6gUtg4RmPV5ALGksK74p -OrAfKnahoMi82NVIiBitwmRimms1AgMBAAECgYBTxciRFU1hAVBy2PKebKJoO0n1 -lc329fSWnmHlp5NOlcr8XCLWEfGtIk7ySd2MitCMKjKNU0EIrv0RXAlS9l9/gBYW -HY+eEaa6l80sp8q4aPKImSi0pb3LVNqWKXJg8qr4AZ45/TEL/fzILFv5QcY8xDjV -aj6DOlEnNDjlBlBbQQJBAMyYDlKItes/Rnmtp9roXj3XUfiBDHTLY2HVgDBe87sA -TOSnbgIv+6urd1h9XvBmJlRYH7YKJmBSZWcSlfdC6XkCQQDDdfkUMxQZo9PC/Eue -WYzytx4xUm3ItWcuKILtFgcNh3c4s4dMx4X/WhQj5/H/nVOIWDioQ0mrW3ap/qcb -SBydAkAf/gb/UPFhf9t9W3JMANn7wZfHzCYufT9lJQWOisqCC2H6v1Osc+Rey8k1 -xST7Yn3L4pvS03N8zGWe4IEi0QvBAkAWdTWbNos2rvYjzy05Enz5XkTf0eK/Tuh+ -CzWP3BoPWeM+5pHDJqGkx0rNHVdW0VLJtak83A5Y2/d0bMfygISZAkBFGui4HW+Q -1BlpmDeslsE11wm5jSmm6Ti12a2dVKGFo9QLQcSj4bfgxtqU2dQaYRmajXtSBrGQ -3vVaxg2EfqB1 +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgmbPxV5LYZ530IfGm +SMpfPQFgoIkKPMRuNWLyVn+wiAOhRANCAAQ31W5ZQZdcwidgpyls2oO5rSsHLlqj +cKYaDF2fveMN5L/wBwEi84ubzz2+MkM9q7RaOSC4TPYHnhVvYcH+SsFv -----END PRIVATE KEY----- diff --git a/meta-integrity/data/debug-keys/x509_ima.der b/meta-integrity/data/debug-keys/x509_ima.der index 087ca6bea53c172e7eb9a269183a32b3ecbd3aaa..3f6f24e61373912cf39598a427fba09c75e74592 100644 GIT binary patch delta 420 zcmX@i`i8~Opou91hlmxF;F8*?ZNGmrVi`wCpisYNB3X_?81B@_P|D=3Kb8W|gy7?~NG8JU?_ zL`m=)8G-~1j35FNcbC>j8VIwogNQzBPE|cYtyQwn2h{MMs#v)Q%T$8e2$NAsBg}3FLd+H7cC8Z`C$b+PnStJa^8n7s+ z2dY2~IA);7CE4|y8dgPru-Va-?r`+w*M{B4Qk8-~RJ~DstJG$5*M+C#eBA$qBA?IQ zi#XD!^?xaMa-hvFpF;7>h^4<)8&z1mFsnIzMy+W^{27zLSGM&o2WzB{WS3ukm~v04 seSbc0i;m3fSIP33d0S_T-F&dflIgem)LYJa+g7k1Pdm)DaOKh($ diff --git a/meta-integrity/scripts/ima-gen-CA-signed.sh b/meta-integrity/scripts/ima-gen-CA-signed.sh index 5f3a728..b10b1ba 100755 --- a/meta-integrity/scripts/ima-gen-CA-signed.sh +++ b/meta-integrity/scripts/ima-gen-CA-signed.sh 
@@ -20,7 +20,6 @@ CAKEY=${2:-ima-local-ca.priv} cat << __EOF__ >$GENKEY [ req ] -default_bits = 1024 distinguished_name = req_distinguished_name prompt = no string_mask = utf8only @@ -36,13 +35,15 @@ basicConstraints=critical,CA:FALSE #basicConstraints=CA:FALSE keyUsage=digitalSignature #keyUsage = nonRepudiation, digitalSignature, keyEncipherment +extendedKeyUsage=critical,codeSigning subjectKeyIdentifier=hash authorityKeyIdentifier=keyid #authorityKeyIdentifier=keyid,issuer __EOF__ -openssl req -new -nodes -utf8 -sha1 -days 365 -batch -config $GENKEY \ - -out csr_ima.pem -keyout privkey_ima.pem -openssl x509 -req -in csr_ima.pem -days 365 -extfile $GENKEY -extensions v3_usr \ +openssl req -new -nodes -utf8 -sha256 -days 36500 -batch -config $GENKEY \ + -out csr_ima.pem -keyout privkey_ima.pem \ + -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 +openssl x509 -req -in csr_ima.pem -days 36500 -extfile $GENKEY -extensions v3_usr \ -CA $CA -CAkey $CAKEY -CAcreateserial \ -outform DER -out x509_ima.der diff --git a/meta-integrity/scripts/ima-gen-local-ca.sh b/meta-integrity/scripts/ima-gen-local-ca.sh index b600761..339d3e3 100755 --- a/meta-integrity/scripts/ima-gen-local-ca.sh +++ b/meta-integrity/scripts/ima-gen-local-ca.sh @@ -18,7 +18,6 @@ GENKEY=ima-local-ca.genkey cat << __EOF__ >$GENKEY [ req ] -default_bits = 2048 distinguished_name = req_distinguished_name prompt = no string_mask = utf8only @@ -33,10 +32,11 @@ emailAddress = john.doe@example.com basicConstraints=CA:TRUE subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always,issuer -# keyUsage = cRLSign, keyCertSign +keyUsage = cRLSign, keyCertSign __EOF__ -openssl req -new -x509 -utf8 -sha1 -days 3650 -batch -config $GENKEY \ +openssl req -new -x509 -utf8 -sha256 -days 36500 -batch -config $GENKEY \ + -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \ -outform DER -out ima-local-ca.x509 -keyout ima-local-ca.priv openssl x509 -inform DER -in ima-local-ca.x509 -out ima-local-ca.pem 
diff --git a/meta-integrity/scripts/ima-gen-self-signed.sh b/meta-integrity/scripts/ima-gen-self-signed.sh deleted file mode 100755 index 5ee876c..0000000 --- a/meta-integrity/scripts/ima-gen-self-signed.sh +++ /dev/null 
@@ -1,41 +0,0 @@ -#!/bin/sh -# -# Copied from ima-evm-utils. -# -# This program is free software; you can redistribute it and/or -# modify it under the terms of the GNU General Public License -# version 2 as published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -GENKEY=ima.genkey - -cat << __EOF__ >$GENKEY -[ req ] -default_bits = 1024 -distinguished_name = req_distinguished_name -prompt = no -string_mask = utf8only -x509_extensions = myexts - -[ req_distinguished_name ] -O = example.com -CN = meta-intel-iot-security example signing key -emailAddress = john.doe@example.com - -[ myexts ] -basicConstraints=critical,CA:FALSE -keyUsage=digitalSignature -subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid -__EOF__ - -openssl req -new -nodes -utf8 -sha1 -days 36500 -batch \ - -x509 -config $GENKEY \ - -outform DER -out x509_ima.der -keyout privkey_ima.pem
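Review bot: in the README.md hunk the code block is opened with three backticks but closed with four (`+````), which leaves the fence unterminated in most Markdown renderers; close it with three. The same hunk publishes the CA private key's password and the key itself is added as ima-local-ca.priv, so the text should state outright that these keys are for debug and test images only and that a production build must generate its own CA and signing key with the scripts touched below.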
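Review bot: in the ima-gen-CA-signed.sh hunk, `-days 36500` on the `openssl req -new` line has no effect, because `-days` is only honoured together with `-x509`; drop it there so readers do not think it sets the certificate lifetime, which is set by the `-days 36500` on the `openssl x509 -req` line. Switching the digest to -sha256 and the key to prime256v1 is fine; the resulting certificate is valid for roughly a hundred years, which is acceptable for a debug key but should not be copied into a production procedure.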
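Review bot: in the ima-gen-local-ca.sh hunk, uncommenting `keyUsage = cRLSign, keyCertSign` is the right fix, but the context line `basicConstraints=CA:TRUE` just above it is still non-critical; RFC 5280 requires basicConstraints to be marked critical in CA certificates, and the leaf config in ima-gen-CA-signed.sh already uses `critical,CA:FALSE`, so make this one `basicConstraints=critical,CA:TRUE` for consistency. The shipped ima-local-ca.pem would then need to be regenerated.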
From patchwork Fri Apr 28 12:23:10 2023
X-Patchwork-Submitter: Stefan Berger
X-Patchwork-Id: 23137
From: Stefan Berger
To: yocto@lists.yoctoproject.org
Cc: akuster808@gmail.com, Stefan Berger
Subject: [meta-security][PATCH 2/8] ima: Fix the ima_policy_appraise_all to appraise executables & libraries
Date: Fri, 28 Apr 2023 08:23:10 -0400
Message-Id: <20230428122316.521800-3-stefanb@linux.ibm.com>
In-Reply-To: <20230428122316.521800-1-stefanb@linux.ibm.com>
References: <20230428122316.521800-1-stefanb@linux.ibm.com>
X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto/message/59805

Fix the ima_policy_appraise_all policy to appraise all executables and
libraries. Also update the list of files that are not appraised to not
appraise cgroup related files.

Signed-off-by: Stefan Berger
---
 .../files/ima_policy_appraise_all | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/meta-integrity/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all b/meta-integrity/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all
index 36e71a7..3498025 100644
--- a/meta-integrity/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all
+++ b/meta-integrity/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all 
@@ -25,5 +25,12 @@ dont_appraise fsmagic=0xf97cff8c dont_appraise fsmagic=0x6e736673 # EFIVARFS_MAGIC dont_appraise fsmagic=0xde5e81e4 +# Cgroup +dont_appraise fsmagic=0x27e0eb +# Cgroup2 +dont_appraise fsmagic=0x63677270 -appraise +# Appraise libraries +appraise func=MMAP_CHECK mask=MAY_EXEC +# Appraise executables +appraise func=BPRM_CHECK
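Review bot: replacing the bare `appraise` rule with `appraise func=MMAP_CHECK mask=MAY_EXEC` and `appraise func=BPRM_CHECK` narrows the policy rather than only fixing it: the old rule matched every IMA hook, so regular files that are merely opened (FILE_CHECK), kernel modules and firmware are no longer appraised at all. If that is intended, say so in the commit message, because the file is still named ima_policy_appraise_all; if not, keep an `appraise func=FILE_CHECK` rule with a suitable mask alongside the two new ones. The two new cgroup `dont_appraise` entries are correct: 0x27e0eb is CGROUP_SUPER_MAGIC and 0x63677270 is CGROUP2_SUPER_MAGIC.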
From patchwork Fri Apr 28 12:23:11 2023
X-Patchwork-Submitter: Stefan Berger
X-Patchwork-Id: 23140
From: Stefan Berger
To: yocto@lists.yoctoproject.org
Cc: akuster808@gmail.com, Stefan Berger
Subject: [meta-security][PATCH 3/8] ima: Fix the IMA kernel feature
Date: Fri, 28 Apr 2023 08:23:11 -0400
Message-Id: <20230428122316.521800-4-stefanb@linux.ibm.com>
In-Reply-To: <20230428122316.521800-1-stefanb@linux.ibm.com>
References: <20230428122316.521800-1-stefanb@linux.ibm.com>
X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto/message/59804

Fix the IMA kernel feature. Remove outdated patches and add ima.cfg
holding kernel configuration options for IMA and EVM.
Signed-off-by: Stefan Berger --- meta-integrity/classes/ima-evm-rootfs.bbclass | 5 +- .../0001-ima-fix-ima_inode_post_setattr.patch | 51 ------- ...for-creating-files-using-the-mknodat.patch | 138 ------------------ ...-file-hash-setting-by-user-to-fix-an.patch | 60 -------- .../recipes-kernel/linux/linux/ima.cfg | 46 ++++++ .../recipes-kernel/linux/linux/ima.scc | 4 + .../recipes-kernel/linux/linux_ima.inc | 10 +- 7 files changed, 63 insertions(+), 251 deletions(-) delete mode 100644 meta-integrity/recipes-kernel/linux/linux/0001-ima-fix-ima_inode_post_setattr.patch delete mode 100644 meta-integrity/recipes-kernel/linux/linux/0002-ima-add-support-for-creating-files-using-the-mknodat.patch delete mode 100644 meta-integrity/recipes-kernel/linux/linux/Revert-ima-limit-file-hash-setting-by-user-to-fix-an.patch create mode 100644 meta-integrity/recipes-kernel/linux/linux/ima.cfg create mode 100644 meta-integrity/recipes-kernel/linux/linux/ima.scc diff --git a/meta-integrity/classes/ima-evm-rootfs.bbclass b/meta-integrity/classes/ima-evm-rootfs.bbclass index 57de2f6..3cb0d07 100644 --- a/meta-integrity/classes/ima-evm-rootfs.bbclass +++ b/meta-integrity/classes/ima-evm-rootfs.bbclass @@ -17,7 +17,7 @@ IMA_EVM_X509 ?= "${IMA_EVM_KEY_DIR}/x509_ima.der" # with a .x509 suffix. See linux-%.bbappend for details. # # ima-local-ca.x509 is what ima-gen-local-ca.sh creates. -IMA_EVM_ROOT_CA ?= "" +IMA_EVM_ROOT_CA ?= "${IMA_EVM_KEY_DIR}/ima-local-ca.pem" # Sign all regular files by default. IMA_EVM_ROOTFS_SIGNED ?= ". -type f" @@ -31,6 +31,9 @@ IMA_EVM_ROOTFS_IVERSION ?= "" # Avoid re-generating fstab when ima is enabled. WIC_CREATE_EXTRA_ARGS:append = "${@bb.utils.contains('DISTRO_FEATURES', 'ima', ' --no-fstab-update', '', d)}" +# Add necessary tools (e.g., keyctl) to image +IMAGE_INSTALL:append = "${@bb.utils.contains('DISTRO_FEATURES', 'ima', ' ima-evm-utils', '', d)}" + ima_evm_sign_rootfs () { cd ${IMAGE_ROOTFS} 
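Review bot: in the first ima-evm-rootfs.bbclass hunk the new default `IMA_EVM_ROOT_CA ?= "${IMA_EVM_KEY_DIR}/ima-local-ca.pem"` contradicts the context comment directly above it, which still says the root CA is expected with a .x509 suffix and that `ima-local-ca.x509 is what ima-gen-local-ca.sh creates`; update the comment to match the .pem file now shipped in debug-keys. The comment should also say that this default is the debug CA from patch 1/8, whose private key and password are checked into the layer, so a kernel built with the default trusts any certificate issued with that key and production distros must override IMA_EVM_ROOT_CA.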
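Review bot: in the second ima-evm-rootfs.bbclass hunk the comment says the append adds keyctl, but the package added is ima-evm-utils, which provides evmctl; keyctl ships in keyutils. Either reword the comment to name evmctl or add keyutils to the list, unless the ima-evm-utils recipe already RDEPENDS on keyutils, in which case only the comment needs fixing.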
diff --git a/meta-integrity/recipes-kernel/linux/linux/0001-ima-fix-ima_inode_post_setattr.patch b/meta-integrity/recipes-kernel/linux/linux/0001-ima-fix-ima_inode_post_setattr.patch deleted file mode 100644 index 64016dd..0000000 --- a/meta-integrity/recipes-kernel/linux/linux/0001-ima-fix-ima_inode_post_setattr.patch +++ /dev/null 
@@ -1,51 +0,0 @@ -From 45ea681ebc0dd44aaec5d3cc4143b9722070d3ac Mon Sep 17 00:00:00 2001 -From: Mimi Zohar -Date: Tue, 8 Mar 2016 16:43:55 -0500 -Subject: [PATCH] ima: fix ima_inode_post_setattr - -Changing file metadata (eg. uid, guid) could result in having to -re-appraise a file's integrity, but does not change the "new file" -status nor the security.ima xattr. The IMA_PERMIT_DIRECTIO and -IMA_DIGSIG_REQUIRED flags are policy rule specific. This patch -only resets these flags, not the IMA_NEW_FILE or IMA_DIGSIG flags. - -With this patch, changing the file timestamp will not remove the -file signature on new files. - -Upstream-Status: Accepted [https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/security/integrity/ima/ima_appraise.c?id=42a4c603198f0d45b7aa936d3ac6ba1b8bd14a1b] - -Reported-by: Dmitry Rozhkov -Signed-off-by: Mimi Zohar ---- - security/integrity/ima/ima_appraise.c | 2 +- - security/integrity/integrity.h | 1 + - 2 files changed, 2 insertions(+), 1 deletion(-) - -diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c -index 4df493e..a384ba1 100644 ---- a/security/integrity/ima/ima_appraise.c -+++ b/security/integrity/ima/ima_appraise.c -@@ -327,7 +327,7 @@ void ima_inode_post_setattr(struct dentry *dentry) - if (iint) { - iint->flags &= ~(IMA_APPRAISE | IMA_APPRAISED | - IMA_APPRAISE_SUBMASK | IMA_APPRAISED_SUBMASK | -- IMA_ACTION_FLAGS); -+ IMA_ACTION_RULE_FLAGS); - if (must_appraise) - iint->flags |= IMA_APPRAISE; - } -diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h -index 0fc9519..f9decae 100644 ---- a/security/integrity/integrity.h -+++ b/security/integrity/integrity.h -@@ -28,6 +28,7 @@ - - /* iint cache flags */ - #define IMA_ACTION_FLAGS 0xff000000 -+#define IMA_ACTION_RULE_FLAGS 0x06000000 - #define IMA_DIGSIG 0x01000000 - #define IMA_DIGSIG_REQUIRED 0x02000000 - #define IMA_PERMIT_DIRECTIO 0x04000000 --- -2.5.0 - 
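Review bot: the commit message calls the removed kernel patches outdated but never says which kernel version the layer now assumes. This deleted file carries `Upstream-Status: Accepted` with the mainline commit id, so the fix is present in any kernel from the release that merged it onwards; name that minimum kernel release in the commit message or in linux_ima.inc so users of older kernel recipes know the patch is no longer carried.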
diff --git a/meta-integrity/recipes-kernel/linux/linux/0002-ima-add-support-for-creating-files-using-the-mknodat.patch b/meta-integrity/recipes-kernel/linux/linux/0002-ima-add-support-for-creating-files-using-the-mknodat.patch deleted file mode 100644 index 6ab7ce2..0000000 --- a/meta-integrity/recipes-kernel/linux/linux/0002-ima-add-support-for-creating-files-using-the-mknodat.patch +++ /dev/null 
@@ -1,138 +0,0 @@ -From baaec960e9e7be0b526eaf831b079ddfe5c15124 Mon Sep 17 00:00:00 2001 -From: Mimi Zohar -Date: Thu, 10 Mar 2016 18:19:20 +0200 -Subject: [PATCH] ima: add support for creating files using the mknodat - syscall - -Commit 3034a14 "ima: pass 'opened' flag to identify newly created files" -stopped identifying empty files as new files. However new empty files -can be created using the mknodat syscall. On systems with IMA-appraisal -enabled, these empty files are not labeled with security.ima extended -attributes properly, preventing them from subsequently being opened in -order to write the file data contents. This patch marks these empty -files, created using mknodat, as new in order to allow the file data -contents to be written. - -Files with security.ima xattrs containing a file signature are considered -"immutable" and can not be modified. The file contents need to be -written, before signing the file. This patch relaxes this requirement -for new files, allowing the file signature to be written before the file -contents. 
- -Upstream-Status: Accepted [https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/security/integrity/ima/ima_appraise.c?id=05d1a717ec0430c916a749b94eb90ab74bbfa356] - -Signed-off-by: Mimi Zohar ---- - fs/namei.c | 2 ++ - include/linux/ima.h | 7 ++++++- - security/integrity/ima/ima_appraise.c | 3 +++ - security/integrity/ima/ima_main.c | 32 +++++++++++++++++++++++++++++++- - 4 files changed, 42 insertions(+), 2 deletions(-) - -diff --git a/fs/namei.c b/fs/namei.c -index ccd7f98..19502da 100644 ---- a/fs/namei.c -+++ b/fs/namei.c -@@ -3526,6 +3526,8 @@ retry: - switch (mode & S_IFMT) { - case 0: case S_IFREG: - error = vfs_create(path.dentry->d_inode,dentry,mode,true); -+ if (!error) -+ ima_post_path_mknod(dentry); - break; - case S_IFCHR: case S_IFBLK: - error = vfs_mknod(path.dentry->d_inode,dentry,mode, -diff --git a/include/linux/ima.h b/include/linux/ima.h -index 120ccc5..7f51971 100644 ---- a/include/linux/ima.h -+++ b/include/linux/ima.h -@@ -20,7 +20,7 @@ extern void ima_file_free(struct file *file); - extern int ima_file_mmap(struct file *file, unsigned long prot); - extern int ima_module_check(struct file *file); - extern int ima_fw_from_file(struct file *file, char *buf, size_t size); -- -+extern void ima_post_path_mknod(struct dentry *dentry); - #else - static inline int ima_bprm_check(struct linux_binprm *bprm) - { -@@ -52,6 +52,11 @@ static inline int ima_fw_from_file(struct file *file, char *buf, size_t size) - return 0; - } - -+static inline void ima_post_path_mknod(struct dentry *dentry) -+{ -+ return; -+} -+ - #endif /* CONFIG_IMA */ - - #ifdef CONFIG_IMA_APPRAISE -diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c -index 4df493e..20806ea 100644 ---- a/security/integrity/ima/ima_appraise.c -+++ b/security/integrity/ima/ima_appraise.c -@@ -274,6 +274,11 @@ out: - xattr_value->type != EVM_IMA_XATTR_DIGSIG)) { - if (!ima_fix_xattr(dentry, iint)) - status = INTEGRITY_PASS; -+ } else if 
((inode->i_size == 0) && -+ (iint->flags & IMA_NEW_FILE) && -+ (xattr_value && -+ xattr_value->type == EVM_IMA_XATTR_DIGSIG)) { -+ status = INTEGRITY_PASS; - } - integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename, - op, cause, rc, 0); -diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c -index eeee00dc..705bf78 100644 ---- a/security/integrity/ima/ima_main.c -+++ b/security/integrity/ima/ima_main.c -@@ -242,7 +242,8 @@ static int process_measurement(struct file *file, int mask, int function, - ima_audit_measurement(iint, pathname); - - out_digsig: -- if ((mask & MAY_WRITE) && (iint->flags & IMA_DIGSIG)) -+ if ((mask & MAY_WRITE) && (iint->flags & IMA_DIGSIG) && -+ !(iint->flags & IMA_NEW_FILE)) - rc = -EACCES; - kfree(xattr_value); - out_free: -@@ -310,6 +311,35 @@ int ima_file_check(struct file *file, int mask, int opened) - EXPORT_SYMBOL_GPL(ima_file_check); - - /** -+ * ima_post_path_mknod - mark as a new inode -+ * @dentry: newly created dentry -+ * -+ * Mark files created via the mknodat syscall as new, so that the -+ * file data can be written later. -+ */ -+void ima_post_path_mknod(struct dentry *dentry) -+{ -+ struct integrity_iint_cache *iint; -+ struct inode *inode; -+ int must_appraise; -+ -+ if (!dentry || !dentry->d_inode) -+ return; -+ -+ inode = dentry->d_inode; -+ if (inode->i_size != 0) -+ return; -+ -+ must_appraise = ima_must_appraise(inode, MAY_ACCESS, FILE_CHECK); -+ if (!must_appraise) -+ return; -+ -+ iint = integrity_inode_get(inode); -+ if (iint) -+ iint->flags |= IMA_NEW_FILE; -+} -+ -+/** - * ima_module_check - based on policy, collect/store/appraise measurement. - * @file: pointer to the file to be measured/appraised - * --- -2.5.0 - diff --git a/meta-integrity/recipes-kernel/linux/linux/Revert-ima-limit-file-hash-setting-by-user-to-fix-an.patch b/meta-integrity/recipes-kernel/linux/linux/Revert-ima-limit-file-hash-setting-by-user-to-fix-an.patch deleted file mode 100644 index 157c007..0000000 
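Review bot: the patch deleted here is marked Upstream-Status: Accepted and links the mainline commit (05d1a717ec04 in security/integrity/ima/ima_appraise.c), so the layer no longer needs to carry it on any kernel that already contains that commit, which includes the 6.1 kernel named in the README update later in this series. It would help to say that in the commit message rather than leave the reader to infer it from the Upstream-Status line, because the second patch removed below has a different status and a different consequence.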
--- a/meta-integrity/recipes-kernel/linux/linux/Revert-ima-limit-file-hash-setting-by-user-to-fix-an.patch +++ /dev/null 
@@ -1,60 +0,0 @@ -From a34d61850b680c152e1dcc958ee83c3ab3261c3d Mon Sep 17 00:00:00 2001 -From: Patrick Ohly -Date: Tue, 15 Nov 2016 10:10:23 +0100 -Subject: [PATCH] Revert "ima: limit file hash setting by user to fix and log - modes" - -This reverts commit c68ed80c97d9720f51ef31fe91560fdd1e121533. - -The original motivation was security hardening ("File hashes are -automatically set and updated and should not be manually set.") - -However, that hardening ignores and breaks some valid use cases: -- File hashes might not be set because the file is currently - outside of the policy and therefore have to be set by the - creator. Examples: - - Booting into an initramfs with an IMA-enabled kernel but - without setting an IMA policy, then installing - the OS onto the target partition by unpacking a rootfs archive - which has the file hashes pre-computed. - - Unpacking a file into a staging area with meta data (like owner) - that leaves the file outside of the current policy, then changing - the meta data such that it becomes part of the current policy. -- "should not be set manually" implies that the creator is aware - of IMA semantic, the current system's configuration, and then - skips setting file hashes in security.ima if (and only if) the - kernel would prevent it. That's not the case for standard, unmodified - tools. Example: unpacking an archive with security.ima xattrs with - bsdtar or GNU tar. 
- -Upstream-Status: Submitted [https://sourceforge.net/p/linux-ima/mailman/message/35492824/] - -Signed-off-by: Patrick Ohly ---- - security/integrity/ima/ima_appraise.c | 8 ++------ - 1 file changed, 2 insertions(+), 6 deletions(-) - -diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c -index 4b9b4a4..b8b2dd9 100644 ---- a/security/integrity/ima/ima_appraise.c -+++ b/security/integrity/ima/ima_appraise.c -@@ -385,14 +385,10 @@ int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name, - result = ima_protect_xattr(dentry, xattr_name, xattr_value, - xattr_value_len); - if (result == 1) { -- bool digsig; -- - if (!xattr_value_len || (xvalue->type >= IMA_XATTR_LAST)) - return -EINVAL; -- digsig = (xvalue->type == EVM_IMA_XATTR_DIGSIG); -- if (!digsig && (ima_appraise & IMA_APPRAISE_ENFORCE)) -- return -EPERM; -- ima_reset_appraise_flags(d_backing_inode(dentry), digsig); -+ ima_reset_appraise_flags(d_backing_inode(dentry), -+ (xvalue->type == EVM_IMA_XATTR_DIGSIG) ? 1 : 0); - result = 0; - } - return result; --- -2.1.4 - diff --git a/meta-integrity/recipes-kernel/linux/linux/ima.cfg b/meta-integrity/recipes-kernel/linux/linux/ima.cfg new file mode 100644 index 0000000..86fb3aa --- /dev/null +++ b/meta-integrity/recipes-kernel/linux/linux/ima.cfg 
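Review bot: unlike the mknodat patch above, this revert is only Upstream-Status: Submitted, so removing it restores the upstream behaviour the hunk was reverting: ima_inode_setxattr() returns -EPERM for a security.ima value whose type is not EVM_IMA_XATTR_DIGSIG when IMA_APPRAISE_ENFORCE is set, i.e. user space can no longer write plain hashes (evmctl ima_hash, or tar/bsdtar restoring security.ima) on an enforcing kernel. That is consistent with the rootfs class in 5/8 writing only signatures, but the commit message should state the consequence explicitly, since the use cases listed in the revert's description (unpacking a pre-hashed rootfs from an initramfs without a policy, restoring archives that carry security.ima) stop working on enforcing kernels.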
@@ -0,0 +1,46 @@ +CONFIG_SQUASHFS_XATTR=y +CONFIG_KEYS=y +CONFIG_ASYMMETRIC_KEY_TYPE=y +CONFIG_SYSTEM_TRUSTED_KEYRING=y +CONFIG_SYSTEM_TRUSTED_KEYS="${IMA_EVM_ROOT_CA}" +CONFIG_SECONDARY_TRUSTED_KEYRING=y +CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y +CONFIG_X509_CERTIFICATE_PARSER=y +CONFIG_PKCS8_PRIVATE_KEY_PARSER=y +CONFIG_CRYPTO_ECDSA=y +CONFIG_SECURITY=y +CONFIG_SECURITYFS=y +CONFIG_INTEGRITY=y +CONFIG_INTEGRITY_SIGNATURE=y +CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y +CONFIG_INTEGRITY_TRUSTED_KEYRING=y +CONFIG_IMA=y +CONFIG_IMA_MEASURE_PCR_IDX=10 +CONFIG_IMA_LSM_RULES=y +# CONFIG_IMA_TEMPLATE is not set +# CONFIG_IMA_NG_TEMPLATE is not set +CONFIG_IMA_SIG_TEMPLATE=y +CONFIG_IMA_DEFAULT_TEMPLATE="ima-sig" +# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set +CONFIG_IMA_DEFAULT_HASH_SHA256=y +# CONFIG_IMA_DEFAULT_HASH_SHA512 is not set +CONFIG_IMA_DEFAULT_HASH="sha256" +CONFIG_IMA_WRITE_POLICY=y +CONFIG_IMA_READ_POLICY=y +CONFIG_IMA_APPRAISE=y +CONFIG_IMA_ARCH_POLICY=y +CONFIG_IMA_APPRAISE_BUILD_POLICY=y +CONFIG_IMA_APPRAISE_REQUIRE_POLICY_SIGS=y +# CONFIG_IMA_APPRAISE_BOOTPARAM is not set +# CONFIG_IMA_APPRAISE_MODSIG is not set +CONFIG_IMA_TRUSTED_KEYRING=y +CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y +# CONFIG_IMA_BLACKLIST_KEYRING is not set +# CONFIG_IMA_LOAD_X509 is not set +CONFIG_IMA_APPRAISE_SIGNED_INIT=y +CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y +CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y +CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y +# CONFIG_IMA_DISABLE_HTABLE is not set +CONFIG_EVM=y +# CONFIG_EVM_LOAD_X509 is not set diff --git a/meta-integrity/recipes-kernel/linux/linux/ima.scc b/meta-integrity/recipes-kernel/linux/linux/ima.scc new file mode 100644 index 0000000..6eb84b0 --- /dev/null +++ b/meta-integrity/recipes-kernel/linux/linux/ima.scc @@ -0,0 +1,4 @@ +define KFEATURE_DESCRIPTION "Enable IMA" + +kconf non-hardware ima.cfg + diff --git a/meta-integrity/recipes-kernel/linux/linux_ima.inc b/meta-integrity/recipes-kernel/linux/linux_ima.inc index 3ab53e5..0b6f530 100644 
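Review bot: CONFIG_SYSTEM_TRUSTED_KEYS="${IMA_EVM_ROOT_CA}" in ima.cfg is a literal string as far as kconfig is concerned, because BitBake does not expand variables inside a .cfg fragment; the value only becomes a real path because do_configure() in linux_ima.inc runs sed over .config afterwards. Add a comment in ima.cfg saying the value is a placeholder that linux_ima.inc rewrites (or leave the option out of the fragment and let the recipe set it) so the fragment and the sed pattern cannot drift apart; if they do, the build fails late, in the certs/ step, with an unreadable certificate path. Two consequences of this fragment also deserve a sentence in the commit message: CONFIG_IMA_APPRAISE_REQUIRE_POLICY_SIGS=y means the /etc/ima/ima-policy installed by the rootfs class must carry a valid signature (which is why 5/8 signs it), and with CONFIG_IMA_APPRAISE_BOOTPARAM unset there is no ima_appraise=log/fix escape hatch on the target, so a mis-signed image cannot be rescued from the kernel command line.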
--- a/meta-integrity/recipes-kernel/linux/linux_ima.inc +++ b/meta-integrity/recipes-kernel/linux/linux_ima.inc 
@@ -1,4 +1,12 @@ -KERNEL_FEATURES:append = " ${@bb.utils.contains("DISTRO_FEATURES", "ima", " features/ima/ima.scc", "" ,d)}" +FILESEXTRAPATHS:append := "${THISDIR}/linux:" + +SRC_URI += " \ + ${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'file://ima.scc', '', d)} \ +" + +do_configure() { + sed -i "s|^CONFIG_SYSTEM_TRUSTED_KEYS=.*|CONFIG_SYSTEM_TRUSTED_KEYS=\"${IMA_EVM_ROOT_CA}\"|" .config +} KERNEL_FEATURES:append = " ${@bb.utils.contains('DISTRO_FEATURES', 'modsign', ' features/ima/modsign.scc', '', d)}"
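Review bot: defining do_configure() { ... } outright in an .inc that the kernel recipe includes replaces kernel_do_configure() (exported from kernel.bbclass) rather than extending it, so the normal defconfig handling and the olddefconfig pass over the generated .config no longer run; use do_configure:prepend() or do_configure:append() { ... } so the substitution happens while the stock task still executes. The sed is also unconditional, while the ima.scc addition two lines above is gated on 'ima' in DISTRO_FEATURES; wrap it in the same bb.utils.contains() check (or test that IMA_EVM_ROOT_CA is non-empty) so that non-IMA builds do not get CONFIG_SYSTEM_TRUSTED_KEYS pointed at an empty string, which would discard whatever trusted keys the BSP configured. A sentence in the commit message on why the kernel-cache features/ima/ima.scc entry is dropped in favour of the layer-local ima.scc while modsign.scc keeps using the kernel-cache feature would also help.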
From patchwork Fri Apr 28 12:23:12 2023
X-Patchwork-Submitter: Stefan Berger
X-Patchwork-Id: 23142
From: Stefan Berger
To: yocto@lists.yoctoproject.org
Cc: akuster808@gmail.com, Stefan Berger
Subject: [meta-security][PATCH 4/8] ima: Rename IMA_EVM_POLICY_SYSTEMD to IMA_EVM_POLICY
Date: Fri, 28 Apr 2023 08:23:12 -0400
Message-Id: <20230428122316.521800-5-stefanb@linux.ibm.com>
In-Reply-To: <20230428122316.521800-1-stefanb@linux.ibm.com>
References: <20230428122316.521800-1-stefanb@linux.ibm.com>
X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto/message/59799

The IMA policy will be specified using the IMA_EVM_POLICY variable since systemd will not be involved in loading the policy but the init script will load it.

Signed-off-by: Stefan Berger --- meta-integrity/README.md | 2 +- meta-integrity/classes/ima-evm-rootfs.bbclass | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/meta-integrity/README.md b/meta-integrity/README.md index eae1c57..816b40d 100644 --- a/meta-integrity/README.md +++ b/meta-integrity/README.md
@@ -187,7 +187,7 @@ IMA policy loading became broken in systemd 2.18. The modified systemd changes. To activate policy loading via systemd, place a policy file in `/etc/ima/ima-policy`, for example with: - IMA_EVM_POLICY_SYSTEMD = "${INTEGRITY_BASE}/data/ima_policy_simple" + IMA_EVM_POLICY = "${INTEGRITY_BASE}/data/ima_policy_simple" To check that measuring works, look at `/sys/kernel/security/ima/ascii_runtime_measurements` diff --git a/meta-integrity/classes/ima-evm-rootfs.bbclass b/meta-integrity/classes/ima-evm-rootfs.bbclass index 3cb0d07..6902d69 100644 --- a/meta-integrity/classes/ima-evm-rootfs.bbclass +++ b/meta-integrity/classes/ima-evm-rootfs.bbclass 
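Review bot: the context around the renamed line ('IMA policy loading became broken in systemd 2.18 ...' and 'To activate policy loading via systemd, place a policy file in `/etc/ima/ima-policy`') still describes systemd as the loader, which contradicts the commit message's statement that systemd is not involved and the init script loads the policy; update that README text in the same hunk, not only the variable name. The same stale wording survives as the comment '# Optionally install custom policy for loading by systemd.' in the ima-evm-rootfs.bbclass hunk that follows.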
@@ -69,10 +69,10 @@ ima_evm_sign_rootfs () { find ${IMA_EVM_ROOTFS_HASHED} | xargs -d "\n" --no-run-if-empty --verbose evmctl ima_hash # Optionally install custom policy for loading by systemd. - if [ "${IMA_EVM_POLICY_SYSTEMD}" ]; then + if [ "${IMA_EVM_POLICY}" ]; then install -d ./${sysconfdir}/ima rm -f ./${sysconfdir}/ima/ima-policy - install "${IMA_EVM_POLICY_SYSTEMD}" ./${sysconfdir}/ima/ima-policy + install "${IMA_EVM_POLICY}" ./${sysconfdir}/ima/ima-policy fi }
From patchwork Fri Apr 28 12:23:13 2023
X-Patchwork-Submitter: Stefan Berger
X-Patchwork-Id: 23135
From: Stefan Berger
To: yocto@lists.yoctoproject.org
Cc: akuster808@gmail.com, Stefan Berger
Subject: [meta-security][PATCH 5/8] ima: Sign all executables and the ima-policy in the root filesystem
Date: Fri, 28 Apr 2023 08:23:13 -0400
Message-Id: <20230428122316.521800-6-stefanb@linux.ibm.com>
In-Reply-To: <20230428122316.521800-1-stefanb@linux.ibm.com>
References: <20230428122316.521800-1-stefanb@linux.ibm.com>
X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto/message/59802

Signed-off-by: Stefan Berger --- meta-integrity/classes/ima-evm-rootfs.bbclass | 25 +++++++++++++++---- 1 file changed, 20 insertions(+), 5 deletions(-) diff --git a/meta-integrity/classes/ima-evm-rootfs.bbclass b/meta-integrity/classes/ima-evm-rootfs.bbclass index 6902d69..98c4bc1 100644 --- a/meta-integrity/classes/ima-evm-rootfs.bbclass +++ b/meta-integrity/classes/ima-evm-rootfs.bbclass
@@ -62,17 +62,32 @@ ima_evm_sign_rootfs () { perl -pi -e 's;(\S+)(\s+)(${@"|".join((d.getVar("IMA_EVM_ROOTFS_IVERSION", True) or "no-such-mount-point").split())})(\s+)(\S+)(\s+)(\S+);\1\2\3\4\5\6\7,iversion;; s/(,iversion)+/,iversion/;' etc/fstab fi - # Sign file with private IMA key. EVM not supported at the moment. - bbnote "IMA/EVM: signing files 'find ${IMA_EVM_ROOTFS_SIGNED}' with private key '${IMA_EVM_PRIVKEY}'" - find ${IMA_EVM_ROOTFS_SIGNED} | xargs -d "\n" --no-run-if-empty --verbose evmctl ima_sign --key ${IMA_EVM_PRIVKEY} - bbnote "IMA/EVM: hashing files 'find ${IMA_EVM_ROOTFS_HASHED}'" - find ${IMA_EVM_ROOTFS_HASHED} | xargs -d "\n" --no-run-if-empty --verbose evmctl ima_hash + # Detect 32bit target to pass --m32 to evmctl by looking at libc + tmp="$(file "${IMAGE_ROOTFS}/lib/libc.so.6" | grep -o 'ELF .*-bit')" + if [ "${tmp}" = "ELF 32-bit" ]; then + evmctl_param="--m32" + elif [ "${tmp}" = "ELF 64-bit" ]; then + evmctl_param="" + else + bberror "Unknown target architecture bitness: '${tmp}'" >&2 + exit 1 + fi + + bbnote "IMA/EVM: Signing root filesystem at ${IMAGE_ROOTFS} with key ${IMA_EVM_PRIVKEY}" + evmctl sign --imasig ${evmctl_param} --portable -a sha256 --key ${IMA_EVM_PRIVKEY} -r "${IMAGE_ROOTFS}" + + # check signing key and signature verification key + evmctl ima_verify ${evmctl_param} --key "${IMA_EVM_X509}" "${IMAGE_ROOTFS}/lib/libc.so.6" || exit 1 + evmctl verify ${evmctl_param} --key "${IMA_EVM_X509}" "${IMAGE_ROOTFS}/lib/libc.so.6" || exit 1 # Optionally install custom policy for loading by systemd. 
if [ "${IMA_EVM_POLICY}" ]; then install -d ./${sysconfdir}/ima rm -f ./${sysconfdir}/ima/ima-policy install "${IMA_EVM_POLICY}" ./${sysconfdir}/ima/ima-policy + + bbnote "IMA/EVM: Signing IMA policy with key ${IMA_EVM_PRIVKEY}" + evmctl sign --imasig ${evmctl_param} --portable -a sha256 --key "${IMA_EVM_PRIVKEY}" "${IMAGE_ROOTFS}/etc/ima/ima-policy" fi }
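Review bot: the policy is installed at ./${sysconfdir}/ima/ima-policy but signed at "${IMAGE_ROOTFS}/etc/ima/ima-policy"; use the ${sysconfdir}-based path in the evmctl sign line as well, because with CONFIG_IMA_APPRAISE_REQUIRE_POLICY_SIGS=y in ima.cfg an unsigned policy is rejected when the init script loads it, and a non-default sysconfdir would leave it unsigned without any error from this task. The bitness probe runs file on ${IMAGE_ROOTFS}/lib/libc.so.6 without -L, so on a glibc where libc.so.6 is still a symlink the output is 'symbolic link to ...', the grep matches nothing and the task aborts with 'Unknown target architecture bitness'; file -L avoids that. With evmctl sign -r now covering the whole rootfs, IMA_EVM_ROOTFS_SIGNED and IMA_EVM_ROOTFS_HASHED are no longer read by this function and should be dropped or documented as obsolete, and the subject's 'Sign all executables' understates the change, since every regular file under ${IMAGE_ROOTFS} now gets an IMA signature and a portable EVM signature; the commit message should say so, and should mention that the two evmctl verify calls only check libc.so.6, so a key mismatch on other files (e.g. the policy signed afterwards) is not caught here.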
From patchwork Fri Apr 28 12:23:14 2023
X-Patchwork-Submitter: Stefan Berger
X-Patchwork-Id: 23136
From: Stefan Berger
To: yocto@lists.yoctoproject.org
Cc: akuster808@gmail.com, Stefan Berger
Subject: [meta-security][PATCH 6/8] integrity: Update the README for IMA support
Date: Fri, 28 Apr 2023 08:23:14 -0400
Message-Id: <20230428122316.521800-7-stefanb@linux.ibm.com>
In-Reply-To: <20230428122316.521800-1-stefanb@linux.ibm.com>
References: <20230428122316.521800-1-stefanb@linux.ibm.com>
X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto/message/59803

Update the README describing how IMA support can be used.

Signed-off-by: Stefan Berger --- meta-integrity/README.md | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/meta-integrity/README.md b/meta-integrity/README.md index 816b40d..1a37280 100644 --- a/meta-integrity/README.md +++ b/meta-integrity/README.md
@@ -76,7 +76,7 @@ other layers needed. e.g.: It has some dependencies on a suitable BSP; in particular the kernel must have a recent enough IMA/EVM subsystem. The layer was tested with -Linux 3.19 and uses some features (like loading X509 certificates +Linux 6.1 and uses some features (like loading X509 certificates directly from the kernel) which were added in that release. Your mileage may vary with older kernels. @@ -89,10 +89,17 @@ Adding the layer only enables IMA (see below regarding EVM) during compilation of the Linux kernel. To also activate it when building the image, enable image signing in the local.conf like this: + DISTRO_FEATURES:append = " integrity ima" + IMAGE_CLASSES += "ima-evm-rootfs" + IMA_EVM_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys" IMA_EVM_PRIVKEY = "${IMA_EVM_KEY_DIR}/privkey_ima.pem" IMA_EVM_X509 = "${IMA_EVM_KEY_DIR}/x509_ima.der" + IMA_EVM_ROOT_CA = "${IMA_EVM_KEY_DIR}/ima-local-ca.pem" + + # The following policy enforces IMA & EVM signatures + IMA_EVM_POLICY = "${INTEGRITY_BASE}/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all" This uses the default keys provided in the "data" directory of the layer. Because everyone has access to these private keys, such an image @@ -113,10 +120,7 @@ for that are included in the layer. This is also how the cd $IMA_EVM_KEY_DIR # In that shell, create the keys. Several options exist: - # 1. Self-signed keys. - $INTEGRITY_BASE/scripts/ima-gen-self-signed.sh - - # 2. Keys signed by a new CA. + # 1. Keys signed by a new CA. # When asked for a PEM passphrase, that will be for the root CA. # Signing images then will not require entering that passphrase, # only creating new certificates does. Most likely the default 
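Review bot: the first hunk swaps 3.19 for 6.1 but keeps 'uses some features (like loading X509 certificates directly from the kernel) which were added in that release', which is no longer true, since that capability is exactly what 3.19 introduced and predates 6.1 by years; say instead that the layer was tested with 6.1 and which options it now relies on (ima.cfg enables CONFIG_IMA_APPRAISE_REQUIRE_POLICY_SIGS, CONFIG_IMA_ARCH_POLICY and CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS, none of which a 3.19 kernel has), otherwise 'Your mileage may vary with older kernels' has nothing to anchor it. In the local.conf example, IMA_EVM_ROOT_CA is new and is what ends up in CONFIG_SYSTEM_TRUSTED_KEYS, so a reader who copies only the three pre-existing key lines gets a kernel that does not trust the signing certificate; one sentence saying the CA must be set, and that the policy in IMA_EVM_POLICY enforces signatures on everything it matches, would prevent an unbootable image. The third hunk deletes the self-signed option; state whether ima-gen-self-signed.sh was removed from scripts/ or is merely no longer recommended.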
@@ -125,13 +129,11 @@ for that are included in the layer. This is also how the # $INTEGRITY_BASE/scripts/ima-gen-local-ca.sh # $INTEGRITY_BASE/scripts/ima-gen-CA-signed.sh - # 3. Keys signed by an existing CA. + # 2. Keys signed by an existing CA. # $INTEGRITY_BASE/scripts/ima-gen-CA-signed.sh exit -When using ``ima-self-signed.sh`` as described above, self-signed keys -are created. Alternatively, one can also use keys signed by a CA. The -``ima-gen-local-ca.sh`` and ``ima-gen.sh`` scripts create a root CA +The ``ima-gen-local-ca.sh`` and ``ima-gen.sh`` scripts create a root CA and sign the signing keys with it. The ``ima-evm-rootfs.bbclass`` then supports adding tha CA's public key to the kernel's system keyring by compiling it directly into the kernel. Because it is unknown whether
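Review bot: the rewritten sentence still names ``ima-gen.sh``, but the script the instructions two lines above actually invoke is ``ima-gen-CA-signed.sh``, and this hunk is removing the ``ima-self-signed.sh`` reference for the very same reason (a stale script name); change it to ``ima-gen-CA-signed.sh`` here. Since the line is being rewritten anyway, 'tha CA's public key' in the following context line could be corrected to 'the CA's public key' in the same hunk.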
From patchwork Fri Apr 28 12:23:15 2023
X-Patchwork-Submitter: Stefan Berger
X-Patchwork-Id: 23138
From: Stefan Berger
To: yocto@lists.yoctoproject.org
Cc: akuster808@gmail.com, Stefan Berger
Subject: [meta-security][PATCH 7/8] linux: overlayfs: Add kernel patch resolving a file change notification issue
Date: Fri, 28 Apr 2023 08:23:15 -0400
Message-Id: <20230428122316.521800-8-stefanb@linux.ibm.com>
X-Mailer: git-send-email 2.39.1
In-Reply-To: <20230428122316.521800-1-stefanb@linux.ibm.com>
References: <20230428122316.521800-1-stefanb@linux.ibm.com>
X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto/message/59800

Add a temporary patch that resolves a file change notification issue with overlayfs where IMA did not become aware of the file changes since the 'lower' inode's i_version had not changed. The issue will be resolved in later kernels with the following patch that builds on the newly added feature (support for STATX_CHANGE_COOKIE) in v6.3-rc1:

https://lore.kernel.org/linux-integrity/20230418-engste-gastwirtschaft-601fb389bba5@brauner/T/#m3bf84296fe9e6499abb6e3191693948add2ff459
Signed-off-by: Stefan Berger --- ...Increment-iversion-upon-file-changes.patch | 42 +++++++++++++++++++ .../recipes-kernel/linux/linux_ima.inc | 1 + 2 files changed, 43 insertions(+) create mode 100644 meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch diff --git a/meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch b/meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch new file mode 100644 index 0000000..d2b5c28 --- /dev/null +++ b/meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch @@ -0,0 +1,42 @@ +From e9ed62e8d1d3eee7ffe862d9812c5320d3b9bd88 Mon Sep 17 00:00:00 2001 +From: Stefan Berger +Date: Thu, 6 Apr 2023 11:27:29 -0400 +Subject: [PATCH] ovl: Increment iversion upon file changes + +This is a temporary patch for kernels that do not implement +STATX_CHANGE_COOKIE (<= 6.2). The successor patch will be this one: + +https://lore.kernel.org/linux-integrity/20230418-engste-gastwirtschaft-601fb389bba5@brauner/T/#m3bf84296fe9e6499abb6e3191693948add2ff459 + +Increment the lower inode's iversion for IMA to be able to recognize +changes to the file. + +Signed-off-by: Stefan Berger +--- + fs/overlayfs/file.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/fs/overlayfs/file.c b/fs/overlayfs/file.c +index 6011f955436b..1dfe5e7bfe1c 100644 +--- a/fs/overlayfs/file.c ++++ b/fs/overlayfs/file.c +@@ -13,6 +13,7 @@ + #include + #include + #include ++#include + #include "overlayfs.h" + + struct ovl_aio_req { +@@ -408,6 +409,8 @@ static ssize_t ovl_write_iter(struct kiocb *iocb, struct iov_iter *iter) + if (ret != -EIOCBQUEUED) + ovl_aio_cleanup_handler(aio_req); + } ++ if (ret > 0) ++ inode_maybe_inc_iversion(inode, false); + out: + revert_creds(old_cred); + out_fdput: +-- +2.34.1 + 
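Review bot: The iversion bump in the ovl_write_iter hunk only runs on the synchronous return path: it sits after the `if (ret != -EIOCBQUEUED) ovl_aio_cleanup_handler(aio_req);` block and is guarded by `if (ret > 0)`, so a queued AIO write (ret == -EIOCBQUEUED) that later completes successfully never increments i_version and IMA would not re-measure a file changed that way; either bump it in the AIO completion path as well or state in the commit message that AIO writes are intentionally left out. The commit message says the lower inode's iversion is incremented, but the hunk calls `inode_maybe_inc_iversion(inode, false)` without showing which inode `inode` is in ovl_write_iter; please spell out in the message whether this is the overlay inode or the lower/upper one, since that is what the IMA argument rests on. Also, the added `+#include` line carries no header name in the posted text, so it cannot be checked against the declaration of inode_maybe_inc_iversion, and the patch file lacks the Upstream-Status: tag that meta-* layer patches are expected to carry (e.g. `Upstream-Status: Inappropriate [temporary, superseded by the STATX_CHANGE_COOKIE based fix in v6.3]`).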
diff --git a/meta-integrity/recipes-kernel/linux/linux_ima.inc b/meta-integrity/recipes-kernel/linux/linux_ima.inc index 0b6f530..9d48e5c 100644 --- a/meta-integrity/recipes-kernel/linux/linux_ima.inc +++ b/meta-integrity/recipes-kernel/linux/linux_ima.inc 
@@ -2,6 +2,7 @@ FILESEXTRAPATHS:append := "${THISDIR}/linux:" SRC_URI += " \ ${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'file://ima.scc', '', d)} \ + file://0001-ovl-Increment-iversion-upon-file-changes.patch \ " do_configure() {
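Review bot: In the linux_ima.inc hunk the new patch is added to SRC_URI unconditionally, while the ima.scc entry right above it is wrapped in `${@bb.utils.contains('DISTRO_FEATURES', 'ima', ..., '', d)}`; the commit message also says the patch is a temporary fix for kernels without STATX_CHANGE_COOKIE (<= 6.2), but nothing prevents it from being applied to a 6.3+ kernel, where it would either fail to apply or double-increment i_version. Consider gating it the same way as ima.scc, e.g. `${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'file://0001-ovl-Increment-iversion-upon-file-changes.patch', '', d)} \`, and restricting it to the kernel versions it is meant for (or at least documenting in the .inc when it has to be dropped).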
From patchwork Fri Apr 28 12:23:16 2023 X-Patchwork-Submitter: Stefan Berger X-Patchwork-Id: 23139
From: Stefan Berger
To: yocto@lists.yoctoproject.org
Cc: akuster808@gmail.com, Stefan Berger
Subject: [meta-security][PATCH 8/8] ima-evm-utils: Update ima-evm-utils to v1.5 and add a patch
Date: Fri, 28 Apr 2023 08:23:16 -0400
Message-Id: <20230428122316.521800-9-stefanb@linux.ibm.com>
X-Mailer: git-send-email 2.39.1
In-Reply-To: <20230428122316.521800-1-stefanb@linux.ibm.com>
References: <20230428122316.521800-1-stefanb@linux.ibm.com>
X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto/message/59801

Signed-off-by: Stefan Berger
---
 ...ation-using-ioctl-when-evm_portable-.patch | 35 +++++++++++++++++++
 ...-evm-utils_1.4.bb => ima-evm-utils_1.5.bb} |  9 +++--
 2 files changed, 42 insertions(+), 2 deletions(-)
 create mode 100644 meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch
 rename meta-integrity/recipes-security/ima-evm-utils/{ima-evm-utils_1.4.bb => ima-evm-utils_1.5.bb} (71%)
diff --git a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch new file mode 100644 index 0000000..3624576 --- /dev/null +++ b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch @@ -0,0 +1,35 @@ +From 00ace817c5134d9844db387cadb9517ebad43808 Mon Sep 17 00:00:00 2001 +From: Stefan Berger +Date: Tue, 18 Apr 2023 11:43:55 -0400 +Subject: [PATCH] Do not get generation using ioctl when evm_portable is true + +If a signatures is detected as being portable do not attempt to read the +generation with the ioctl since in some cases this may not be supported +by the filesystem and is also not needed for computing a portable +signature. + +This avoids the current work-around of passing --generation 0 when the +ioctl is not supported by the filesystem. + +Signed-off-by: Stefan Berger +--- + src/evmctl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/evmctl.c b/src/evmctl.c +index 6d2bb67..c35a28c 100644 +--- a/src/evmctl.c ++++ b/src/evmctl.c +@@ -376,7 +376,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash) + if (mode_str) + st.st_mode = strtoul(mode_str, NULL, 10); + +- if (!evm_immutable) { ++ if (!evm_immutable && !evm_portable) { + if (S_ISREG(st.st_mode) && !generation_str) { + int fd = open(file, 0); + +--- +2.39.2 + + diff --git a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.4.bb b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.5.bb similarity index 71% rename from meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.4.bb rename to meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.5.bb index 873aeeb..8ac080c 100644 --- a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.4.bb 
+++ b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.5.bb @@ -6,8 +6,13 @@ DEPENDS += "openssl attr keyutils" DEPENDS:class-native += "openssl-native keyutils-native" -SRC_URI = "https://sourceforge.net/projects/linux-ima/files/${BPN}/${BP}.tar.gz" -SRC_URI[sha256sum] = "fcf85b31d6292051b3679e5f17ffa7f89b6898957aad0f59aa4e9878884b27d1" +FILESEXTRAPATHS:append := "${THISDIR}/${PN}:" + +SRC_URI = " \ + https://github.com/mimizohar/ima-evm-utils/releases/download/v${PV}/${BP}.tar.gz \ + file://0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch \ +" +SRC_URI[sha256sum] = "45f1caa3ad59ec59a1d6a74ea5df38c413488cd952ab62d98cf893c15e6f246d" inherit pkgconfig autotools features_check
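Review bot: The evmctl.c hunk changes `if (!evm_immutable) {` to `if (!evm_immutable && !evm_portable) {`, which skips the whole block that opens the file and reads the generation whenever a portable signature is detected; the commit message asserts that the generation is not part of a portable signature's hash, but nothing in the hunk context shows that, so a pointer to where the portable digest is computed without it would let reviewers confirm the skip is safe. The embedded commit message reads "If a signatures is detected" (should be "a signature"), and like the kernel patch in 7/8 this patch file carries no Upstream-Status: tag; since it looks like an upstream submission, `Upstream-Status: Submitted [...]` or Backport with the upstream commit id would fit.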
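Review bot: The ima-evm-utils_1.5.bb hunk adds `FILESEXTRAPATHS:append := "${THISDIR}/${PN}:"`; because the recipe is also built natively (see the DEPENDS:class-native line in the context), ${PN} expands to ima-evm-utils-native there and that directory does not exist, so the usual form is `${THISDIR}/${BPN}:`, and since ${THISDIR}/${BPN} is already on the default FILESPATH the line can simply be dropped. The SRC_URI move from sourceforge to the GitHub release tarball is fine but deserves a sentence in the commit message, which currently has no body, together with a note that the sha256sum was recomputed for the 1.5 tarball.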