------- Comment From naynj...@ibm.com 2020-06-17 11:42 EDT-------
Thanks !! This is exactly what I needed.

I am now able to boot the signed kernel both in "secure and trusted
enabled" and "only secure enabled" case. The earlier patch was missing
the fix for "only secure enabled" case. This patch took care of both.

It works fine and here are the test results:

1. Kernel booted fine both with secure boot enabled/disabled and only
"secure boot" enabled.

2. With trusted boot disabled, here is the IMA rules:

ubuntu@ltc-wspoon13:~$ ls /proc/device-tree/ibm,secureboot/
compatible  hw-key-hash  hw-key-hash-size  ibm,cvc  name  
os-secureboot-enforcing  phandle  secure-enabled
ubuntu@ltc-wspoon13:~$ sudo cat /sys/kernel/security/ima/policy
appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig 

2. With both secure and trusted boot enabled, here how the IMA rules
looks like:

ubuntu@ltc-wspoon13:~$ ls /proc/device-tree/ibm,secureboot/
compatible  hw-key-hash  hw-key-hash-size  ibm,cvc  name  
os-secureboot-enforcing  phandle  secure-enabled  trusted-enabled
ubuntu@ltc-wspoon13:~$ sudo cat /sys/kernel/security/ima/policy
[sudo] password for ubuntu:
measure func=KEXEC_KERNEL_CHECK template=ima-modsig
measure func=MODULE_CHECK template=ima-modsig
appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig 

And the config file has CONFIG_MODULE_SIG enabled, on which the powerpc IMA 
arch policies #ifdef are dependent.
ubuntu@ltc-wspoon13:~$ grep -i MODULE_SIG /boot/config-5.4.0-38-generic
# CONFIG_MODULE_SIG_SHA224 is not set
# CONFIG_MODULE_SIG_SHA256 is not set
# CONFIG_MODULE_SIG_SHA384 is not set

Thanks & Regards,
- Nayna

** Tags removed: verification-needed-focal
** Tags added: verification-done-focal

You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.

  Fix for secure boot rules in IMA arch policy on powerpc

Status in The Ubuntu-power-systems project:
  Fix Committed
Status in linux package in Ubuntu:
  In Progress
Status in linux source package in Focal:
  Fix Committed
Status in linux source package in Groovy:
  In Progress

Bug description:
  SRU Justification:


  * Currently the kernel module appended signature is verified twice
  (finit_module) - once by the module_sig_check() and again by IMA.

  * To prevent this the powerpc secure boot rules define an IMA
  architecture specific policy rule only if CONFIG_MODULE_SIG_FORCE is
  not enabled.

  * But this doesn't take the ability into account of enabling
  "sig_enforce" at the boot command line (module.sig_enforce=1).

  * Including the IMA module appraise rule results in failing the
  finit_module syscall, unless the module signing public key is loaded
  onto the IMA keyring.

  * This patch fixes secure boot policy rules to be based on


  * fa4f3f56ccd28ac031ab275e673ed4098855fed4 fa4f3f56ccd2 "powerpc/ima:
  Fix secure boot rules in ima arch policy"

  [Test Case]

  * Perform a secure boot on a powerpc system with
  'module.sig_enforce=1' set at the boot command.

  * If the IMA module appraise rule is included, the finit_module
  syscall will fail (unless the module signing public key got loaded
  onto the IMA keyring) without having the patch in place.

  * The verification needs to be done by the IBM Power team.

  [Regression Potential]

  * There is (always) a certain regression risk with having code
  changes, especially in the secure boot area.

  * But this patch is limited to the powerpc platform and will not
  affect any other architecture.

  * It got discussed at 
    before it became finally upstream accepted with kernel 5.7-rc7.

  * The secure boot code itself wasn't really touched, rather than it's basis 
for execution.
    The IMA policy rule for module appraisal is now added only if 
'CONFIG_MODULE_SIG' is not enabled (instead of CONFIG_MODULE_SIG_FORCE).
    Hence the change is very limited and straightforward.


  * Since the patch got upstream with 5.7-rc7, it is already in groovy, hence 
this SRU is for focal only.

  == Comment: #0 - Michael Ranweiler <mranw...@us.ibm.com> - 2020-04-22 
14:44:31 ==
  +++ This bug was initially created as a clone of Bug #184073 +++

  This bug is a follow on to LP 1866909 to address a missing piece -
  only half the following patch was included in 5.4.0-24.28.

  The upstream patch has an additional fix but it?s not critical for GA.
  It can get included as part of bug fixes. It also affects only power.
  The patch("powerpc/ima: fix secure boot rules in ima arch policy") is
  posted to linux-integrity and linuxppc-dev mailing list

  If there are any issues identified during further testing, they will
  get opened as separate issue to be addressed later.

  Thanks & Regards,
     - Nayna

  == Comment: #4 - Michael Ranweiler <mranw...@us.ibm.com> - 2020-05-11 
02:23:35 ==
  Updated posting:


To manage notifications about this bug go to:

Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp

Reply via email to