From: Ming Liu <[email protected]> Introduce IMA_FORCE to allow the IMA policy be applied forcely even 'no_ima' boot parameter is available.
This ensures the end users have a way to disable 'no_ima' support if they want to, because it may expose a security risk if an attacker can find a way to change kernel arguments, it will easily bypass rootfs authenticity checks. Signed-off-by: Sergio Prado <[email protected]> Signed-off-by: Ming Liu <[email protected]> Signed-off-by: Armin Kuster <[email protected]> --- .../initrdscripts/initramfs-framework-ima.bb | 5 +++++ .../initrdscripts/initramfs-framework-ima/ima | 9 +++++++-- 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb b/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb index 77f6f7c..6471c53 100644 --- a/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb +++ b/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb @@ -14,6 +14,9 @@ LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384 # to this recipe can just point towards one of its own files. IMA_POLICY ?= "ima-policy-hashed" +# Force proceed IMA procedure even 'no_ima' boot parameter is available. +IMA_FORCE ?= "false" + SRC_URI = " file://ima" inherit features_check @@ -23,6 +26,8 @@ do_install () { install -d ${D}/${sysconfdir}/ima install -d ${D}/init.d install ${WORKDIR}/ima ${D}/init.d/20-ima + + sed -i "s/@@FORCE_IMA@@/${IMA_FORCE}/g" ${D}/init.d/20-ima } FILES_${PN} = "/init.d ${sysconfdir}" diff --git a/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima b/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima index cff26a3..8971494 100644 --- a/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima +++ b/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima @@ -2,11 +2,16 @@ # # Loads IMA policy into the kernel. +force_ima=@@FORCE_IMA@@ + ima_enabled() { - if [ "$bootparam_no_ima" = "true" ]; then + if [ "$force_ima" = "true" ]; then + return 0 + elif [ "$bootparam_no_ima" = "true" ]; then return 1 + else + return 0 fi - return 0 } ima_run() { -- 2.29.0
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#53166): https://lists.yoctoproject.org/g/yocto/message/53166 Mute This Topic: https://lists.yoctoproject.org/mt/82203047/21656 Group Owner: [email protected] Unsubscribe: https://lists.yoctoproject.org/g/yocto/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
