** Changed in: ubuntu-power-systems
       Status: In Progress => Fix Committed

You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.

  Fix for secure boot rules in IMA arch policy on powerpc

Status in The Ubuntu-power-systems project:
  Fix Committed
Status in linux package in Ubuntu:
  In Progress
Status in linux source package in Focal:
  Fix Committed
Status in linux source package in Groovy:
  In Progress

Bug description:
  SRU Justification:


  * Currently the kernel module appended signature is verified twice
  (finit_module) - once by the module_sig_check() and again by IMA.

  * To prevent this the powerpc secure boot rules define an IMA
  architecture specific policy rule only if CONFIG_MODULE_SIG_FORCE is
  not enabled.

  * But this doesn't take the ability into account of enabling
  "sig_enforce" at the boot command line (module.sig_enforce=1).

  * Including the IMA module appraise rule results in failing the
  finit_module syscall, unless the module signing public key is loaded
  onto the IMA keyring.

  * This patch fixes secure boot policy rules to be based on


  * fa4f3f56ccd28ac031ab275e673ed4098855fed4 fa4f3f56ccd2 "powerpc/ima:
  Fix secure boot rules in ima arch policy"

  [Test Case]

  * Perform a secure boot on a powerpc system with
  'module.sig_enforce=1' set at the boot command.

  * If the IMA module appraise rule is included, the finit_module
  syscall will fail (unless the module signing public key got loaded
  onto the IMA keyring) without having the patch in place.

  * The verification needs to be done by the IBM Power team.

  [Regression Potential]

  * There is (always) a certain regression risk with having code
  changes, especially in the secure boot area.

  * But this patch is limited to the powerpc platform and will not
  affect any other architecture.

  * It got discussed at 
    before it became finally upstream accepted with kernel 5.7-rc7.

  * The secure boot code itself wasn't really touched, rather than it's basis 
for execution.
    The IMA policy rule for module appraisal is now added only if 
'CONFIG_MODULE_SIG' is not enabled (instead of CONFIG_MODULE_SIG_FORCE).
    Hence the change is very limited and straightforward.


  * Since the patch got upstream with 5.7-rc7, it is already in groovy, hence 
this SRU is for focal only.

  == Comment: #0 - Michael Ranweiler <mranw...@us.ibm.com> - 2020-04-22 
14:44:31 ==
  +++ This bug was initially created as a clone of Bug #184073 +++

  This bug is a follow on to LP 1866909 to address a missing piece -
  only half the following patch was included in 5.4.0-24.28.

  The upstream patch has an additional fix but it?s not critical for GA.
  It can get included as part of bug fixes. It also affects only power.
  The patch("powerpc/ima: fix secure boot rules in ima arch policy") is
  posted to linux-integrity and linuxppc-dev mailing list

  If there are any issues identified during further testing, they will
  get opened as separate issue to be addressed later.

  Thanks & Regards,
     - Nayna

  == Comment: #4 - Michael Ranweiler <mranw...@us.ibm.com> - 2020-05-11 
02:23:35 ==
  Updated posting:


To manage notifications about this bug go to:

Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp

Reply via email to