
[meta-security] ima,evm: Add two variables to write filenames and signatures into

Message ID 20231101171317.643420-1-stefanb@linux.ibm.com
State New

Commit Message

Stefan Berger Nov. 1, 2023, 5:13 p.m. UTC
Add two variables IMA_FILE_SIGNATURES_FILE and EVM_FILE_SIGNATURES_FILE
for the filenames into which the ima_evm_sign_rootfs script can write the
names of files and their IMA or EVM signatures. Both variables are
optional. The content of the file with IMA signatures may look like
this:

/usr/bin/gpiodetect ima:0x0302046730eefd...
/usr/bin/pwscore ima:0x0302046730eefd004...

Having the filenames along with their signatures is useful for signing
files in the initrd when the initrd is running out of a tmpfs filesystem
that has support for xattrs. This allows enabling an IMA appraisal
policy already in the initrd, where files must be signed as soon as the
policy becomes active.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
 meta-integrity/classes/ima-evm-rootfs.bbclass | 12 ++++++++++++
 1 file changed, 12 insertions(+)
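
A consumer for the list format shown in the commit message, re-applying each line as a security.ima or security.evm xattr on an initrd's tmpfs. This is an added example, not code from the patch or from meta-security; it assumes `setfattr` from the attr package and an optional `ROOT` prefix, and it splits each line at the last space so that paths containing spaces still parse.

```shell
#!/bin/sh
# Consumer for the "<path> <ima|evm>:0x<hex>" lines that ima_evm_sign_rootfs
# writes: re-applies each as a security.ima / security.evm xattr, e.g. on the
# tmpfs an initrd runs from. Added example, not part of the patch; assumes
# setfattr (attr package) and an optional ROOT prefix (default empty = "/").

# Split at the LAST space so paths containing spaces survive (hex has none).
sig_path()  { printf '%s\n' "${1% *}"; }
sig_value() { printf '%s\n' "${1##* }"; }

# Map the ima:/evm: prefix to the xattr name; fail on anything else.
sig_xattr() {
    case "$1" in
        ima:0x*) printf 'security.ima\n' ;;
        evm:0x*) printf 'security.evm\n' ;;
        *) return 1 ;;
    esac
}

# Payload must be 0x followed by a non-empty, even-length run of hex digits.
sig_hex_ok() {
    hex=${1#*:0x}
    [ -n "$hex" ] || return 1
    case "$hex" in *[!0-9a-fA-F]*) return 1 ;; esac
    [ $(( ${#hex} % 2 )) -eq 0 ]
}

# Dry-run form of one line: prints the setfattr invocation, fails if malformed.
sig_command() {
    p=$(sig_path "$1"); v=$(sig_value "$1")
    name=$(sig_xattr "$v") || return 1
    sig_hex_ok "$v" || return 1
    printf 'setfattr -n %s -v %s -- %s%s\n' "$name" "${v#*:}" "${ROOT:-}" "$p"
}

# Apply a whole file; malformed lines are reported and skipped, never applied.
# Returns the number of skipped lines (0 = everything applied).
apply_signatures() {
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue
        p=$(sig_path "$line"); v=$(sig_value "$line")
        if name=$(sig_xattr "$v") && sig_hex_ok "$v"; then
            setfattr -n "$name" -v "${v#*:}" -- "${ROOT:-}$p"
        else
            bad=$((bad + 1)); printf 'skipping malformed line: %s\n' "$line" >&2
        fi
    done < "$1"
    return "$bad"
}
```

Run it as `apply_signatures /path/to/ima-signatures-file` from the initrd once the tmpfs root is populated; set `ROOT` if the files live under a different mount point.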

Comments

akuster808 Nov. 9, 2023, 2:56 p.m. UTC | #1
merged.

thanks,
Armin

On 11/1/23 1:13 PM, Stefan Berger wrote:
> Add two variables IMA_FILE_SIGNATURES_FILE and EVM_FILE_SIGNATURES_FILE
> for the filenames into which the ima_evm_sign_rootfs script can write the
> names of files and their IMA or EVM signatures. Both variables are
> optional. The content of the file with IMA signatures may look like
> this:
>
> /usr/bin/gpiodetect ima:0x0302046730eefd...
> /usr/bin/pwscore ima:0x0302046730eefd004...
>
> Having the filenames along with their signatures is useful for signing
> files in the initrd when the initrd is running out of a tmpfs filesystem
> that has support for xattrs. This allows enabling an IMA appraisal
> policy already in the initrd, where files must be signed as soon as the
> policy becomes active.
>
> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> ---
>   meta-integrity/classes/ima-evm-rootfs.bbclass | 12 ++++++++++++
>   1 file changed, 12 insertions(+)
>
> diff --git a/meta-integrity/classes/ima-evm-rootfs.bbclass b/meta-integrity/classes/ima-evm-rootfs.bbclass
> index 98c4bc1..7b73373 100644
> --- a/meta-integrity/classes/ima-evm-rootfs.bbclass
> +++ b/meta-integrity/classes/ima-evm-rootfs.bbclass
> @@ -89,6 +89,18 @@ ima_evm_sign_rootfs () {
>           bbnote "IMA/EVM: Signing IMA policy with key ${IMA_EVM_PRIVKEY}"
>           evmctl sign --imasig ${evmctl_param} --portable -a sha256 --key "${IMA_EVM_PRIVKEY}" "${IMAGE_ROOTFS}/etc/ima/ima-policy"
>       fi
> +
> +    # Optionally write the file names and ima and evm signatures into files
> +    if [ "${IMA_FILE_SIGNATURES_FILE}" ]; then
> +        getfattr -R -m security.ima --e hex --dump ./ 2>/dev/null | \
> +          sed -n -e 's|# file: |/|p' -e 's|security.ima=|ima:|p' | \
> +          sed '$!N;s/\n/ /' > ./${IMA_FILE_SIGNATURES_FILE}
> +    fi
> +    if [ "${EVM_FILE_SIGNATURES_FILE}" ]; then
> +        getfattr -R -m security.evm --e hex --dump ./ 2>/dev/null | \
> +          sed -n -e 's|# file: |/|p' -e 's|security.evm=|evm:|p' | \
> +          sed '$!N;s/\n/ /' > ./${EVM_FILE_SIGNATURES_FILE}
> +    fi
>   }
>   
>   # Signing must run as late as possible in the do_rootfs task.
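
Review bot: the two redirections in the new block (`> ./${IMA_FILE_SIGNATURES_FILE}` and `> ./${EVM_FILE_SIGNATURES_FILE}`) write into the very tree that `getfattr -R ... ./` is walking, and they run after the signing steps just above, so if, as the relative `./` suggests, this runs with `${IMAGE_ROOTFS}` as the working directory, the list files are shipped in the image unsigned and, depending on traversal order, can even show up in their own listing. Consider writing them outside the rootfs (or under a path the appraisal policy does not cover), and quote the target like the other paths in this function, e.g. `> "./${IMA_FILE_SIGNATURES_FILE}"`.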

Patch

diff --git a/meta-integrity/classes/ima-evm-rootfs.bbclass b/meta-integrity/classes/ima-evm-rootfs.bbclass
index 98c4bc1..7b73373 100644
--- a/meta-integrity/classes/ima-evm-rootfs.bbclass
+++ b/meta-integrity/classes/ima-evm-rootfs.bbclass
@@ -89,6 +89,18 @@  ima_evm_sign_rootfs () {
         bbnote "IMA/EVM: Signing IMA policy with key ${IMA_EVM_PRIVKEY}"
         evmctl sign --imasig ${evmctl_param} --portable -a sha256 --key "${IMA_EVM_PRIVKEY}" "${IMAGE_ROOTFS}/etc/ima/ima-policy"
     fi
+
+    # Optionally write the file names and ima and evm signatures into files
+    if [ "${IMA_FILE_SIGNATURES_FILE}" ]; then
+        getfattr -R -m security.ima --e hex --dump ./ 2>/dev/null | \
+          sed -n -e 's|# file: |/|p' -e 's|security.ima=|ima:|p' | \
+          sed '$!N;s/\n/ /' > ./${IMA_FILE_SIGNATURES_FILE}
+    fi
+    if [ "${EVM_FILE_SIGNATURES_FILE}" ]; then
+        getfattr -R -m security.evm --e hex --dump ./ 2>/dev/null | \
+          sed -n -e 's|# file: |/|p' -e 's|security.evm=|evm:|p' | \
+          sed '$!N;s/\n/ /' > ./${EVM_FILE_SIGNATURES_FILE}
+    fi
 }
 
 # Signing must run as late as possible in the do_rootfs task.
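
Review bot: `--e hex` on both `getfattr` lines only works because getopt_long accepts `--e` as an unambiguous prefix of `--encoding`; spell it `-e hex` (or `--encoding=hex`) so the intent is explicit. The `sed '$!N;s/\n/ /'` join also silently assumes every `# file:` header is followed by exactly one `security.ima=` / `security.evm=` line; that holds as long as getfattr prints a header only for files that carry the matched attribute, but a file name containing a newline or the literal text `security.ima=` shifts the pairing, and because the two fields are separated by a plain space a consumer of this list has to split at the last space to cope with paths that contain spaces. Finally, the two new variables are not documented anywhere in this change (the diffstat touches only the bbclass), so a comment in the class header or a README entry describing the `<path> ima:0x<hex>` format would help.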