[meta-security,v2,0/8] Fix IMA and EVM support

Message ID 20230509133053.1032476-1-stefanb@linux.ibm.com

Stefan Berger May 9, 2023, 1:30 p.m. UTC
This series of patches fixes the current support for IMA and EVM
by removing outdated patches for example and adding kernel config
options. I have tried out these patches with OpenBMC where the
appraisal policy now enforces signed executables and libraries.

   Stefan

v2:
 - appended 'appraise_type=imasig' to IMA policy rules
 - removed CONFIG_SQUASHFS_XATTR from ima.cfg

Stefan Berger (8):
  ima: Document and replace keys and adapt scripts for EC keys
  ima: Fix the ima_policy_appraise_all to appraise executables &
    libraries
  ima: Fix the IMA kernel feature
  ima: Rename IMA_EVM_POLICY_SYSTEMD to IMA_EVM_POLICY
  ima: Sign all executables and the ima-policy in the root filesystem
  integrity: Update the README for IMA support
  linux: overlayfs: Add kernel patch resolving a file change
    notification issue
  ima-evm-utils: Update ima-evm-utils to v1.5 and add a patch

 meta-integrity/README.md                      |  22 +--
 meta-integrity/classes/ima-evm-rootfs.bbclass |  34 ++++-
 meta-integrity/data/debug-keys/README.md      |  17 +++
 .../data/debug-keys/ima-local-ca.pem          |  15 ++
 .../data/debug-keys/ima-local-ca.priv         |   7 +
 .../data/debug-keys/privkey_ima.pem           |  17 +--
 meta-integrity/data/debug-keys/x509_ima.der   | Bin 707 -> 620 bytes
 .../0001-ima-fix-ima_inode_post_setattr.patch |  51 -------
 ...Increment-iversion-upon-file-changes.patch |  42 ++++++
 ...for-creating-files-using-the-mknodat.patch | 138 ------------------
 ...-file-hash-setting-by-user-to-fix-an.patch |  60 --------
 .../recipes-kernel/linux/linux/ima.cfg        |  45 ++++++
 .../recipes-kernel/linux/linux/ima.scc        |   4 +
 .../recipes-kernel/linux/linux_ima.inc        |  11 +-
 ...ation-using-ioctl-when-evm_portable-.patch |  35 +++++
 ...-evm-utils_1.4.bb => ima-evm-utils_1.5.bb} |   9 +-
 .../files/ima_policy_appraise_all             |   9 +-
 meta-integrity/scripts/ima-gen-CA-signed.sh   |   9 +-
 meta-integrity/scripts/ima-gen-local-ca.sh    |   6 +-
 meta-integrity/scripts/ima-gen-self-signed.sh |  41 ------
 20 files changed, 239 insertions(+), 333 deletions(-)
 create mode 100644 meta-integrity/data/debug-keys/README.md
 create mode 100644 meta-integrity/data/debug-keys/ima-local-ca.pem
 create mode 100644 meta-integrity/data/debug-keys/ima-local-ca.priv
 delete mode 100644 meta-integrity/recipes-kernel/linux/linux/0001-ima-fix-ima_inode_post_setattr.patch
 create mode 100644 meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch
 delete mode 100644 meta-integrity/recipes-kernel/linux/linux/0002-ima-add-support-for-creating-files-using-the-mknodat.patch
 delete mode 100644 meta-integrity/recipes-kernel/linux/linux/Revert-ima-limit-file-hash-setting-by-user-to-fix-an.patch
 create mode 100644 meta-integrity/recipes-kernel/linux/linux/ima.cfg
 create mode 100644 meta-integrity/recipes-kernel/linux/linux/ima.scc
 create mode 100644 meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch
 rename meta-integrity/recipes-security/ima-evm-utils/{ima-evm-utils_1.4.bb => ima-evm-utils_1.5.bb} (71%)
 delete mode 100755 meta-integrity/scripts/ima-gen-self-signed.sh
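As an added example (not code from this series or from meta-security), the following POSIX shell check is the kind of lint a maintainer could run over an IMA policy file before installing it: it flags any appraise rule for executables (func=BPRM_CHECK) or mapped files (func=MMAP_CHECK) that lacks appraise_type=imasig, the setting v2 of this series appends to the rules. Without that keyword a locally computed security.ima hash xattr also satisfies appraisal, so signed-only enforcement of executables and libraries depends on it. The two policy texts below are constructed for the demonstration and are not the series' ima_policy_appraise_all file; the rule syntax and fsmagic exclusions follow the kernel's documented IMA policy format.

```shell
#!/bin/sh
# Added example, not part of the meta-security series: lint an IMA policy so that
# every appraise rule covering executables and shared libraries requires a
# signature (appraise_type=imasig) rather than accepting a bare hash.

# Constructed sample policy (not the series' ima_policy_appraise_all file).
# The MMAP_CHECK rule is deliberately missing appraise_type=imasig.
SAMPLE_POLICY='dont_appraise fsmagic=0x9fa0
dont_appraise fsmagic=0x62656572
dont_appraise fsmagic=0x64626720
dont_appraise fsmagic=0x01021994
appraise func=BPRM_CHECK appraise_type=imasig
appraise func=MMAP_CHECK
appraise func=MODULE_CHECK appraise_type=imasig'

# Same policy with the missing keyword appended, as v2 of the series does.
FIXED_POLICY='dont_appraise fsmagic=0x9fa0
dont_appraise fsmagic=0x62656572
dont_appraise fsmagic=0x64626720
dont_appraise fsmagic=0x01021994
appraise func=BPRM_CHECK appraise_type=imasig
appraise func=MMAP_CHECK appraise_type=imasig
appraise func=MODULE_CHECK appraise_type=imasig'

# check_policy POLICY_TEXT
#   Prints each executable/library appraise rule that does not require a
#   signature and returns 1 if any were found, 0 otherwise.
check_policy() {
    printf '%s\n' "$1" | awk '
        /^appraise / && /func=(BPRM_CHECK|MMAP_CHECK)/ && !/appraise_type=imasig/ {
            print "missing appraise_type=imasig: " $0
            bad++
        }
        END { exit (bad > 0) }'
}

# Usage: run both texts through the check; the first reports the weak rule.
if [ "${1:-}" = "--demo" ]; then
    check_policy "$SAMPLE_POLICY" || echo "sample policy: signature not enforced on all rules"
    check_policy "$FIXED_POLICY" && echo "fixed policy: all exec/lib rules require signatures"
fi
```

The check reads the policy text rather than /sys/kernel/security/ima/policy so it can run on the build host; on a booted target the same function can be fed the live policy with `check_policy "$(cat /sys/kernel/security/ima/policy)"`.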