From patchwork Tue May 9 13:30:46 2023
X-Patchwork-Submitter: Stefan Berger
X-Patchwork-Id: 23693
From: Stefan Berger
To: yocto@lists.yoctoproject.org
Cc: akuster808@gmail.com, Stefan Berger
Subject: [meta-security][PATCH v2 1/8] ima: Document and replace keys and adapt scripts for EC keys
Date: Tue, 9 May 2023 09:30:46 -0400
Message-Id: <20230509133053.1032476-2-stefanb@linux.ibm.com>
In-Reply-To: <20230509133053.1032476-1-stefanb@linux.ibm.com>
References: <20230509133053.1032476-1-stefanb@linux.ibm.com>
X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto/message/59918

For shorter file signatures use EC keys rather than RSA keys. Document the debug keys and their purpose. Adapt the scripts for creating these types of keys to now create EC keys.

Signed-off-by: Stefan Berger --- meta-integrity/data/debug-keys/README.md | 17 ++++++++ .../data/debug-keys/ima-local-ca.pem | 15 +++++++ .../data/debug-keys/ima-local-ca.priv | 7 +++ .../data/debug-keys/privkey_ima.pem | 17 ++------ meta-integrity/data/debug-keys/x509_ima.der | Bin 707 -> 620 bytes meta-integrity/scripts/ima-gen-CA-signed.sh | 9 ++-- meta-integrity/scripts/ima-gen-local-ca.sh | 6 +-- meta-integrity/scripts/ima-gen-self-signed.sh | 41 ------------------ 8 files changed, 50 insertions(+), 62 deletions(-) create mode 100644 meta-integrity/data/debug-keys/README.md create mode 100644 meta-integrity/data/debug-keys/ima-local-ca.pem create mode 100644 meta-integrity/data/debug-keys/ima-local-ca.priv delete mode 100755 meta-integrity/scripts/ima-gen-self-signed.sh diff --git a/meta-integrity/data/debug-keys/README.md b/meta-integrity/data/debug-keys/README.md new file mode 100644 index 0000000..e613968 --- /dev/null +++ b/meta-integrity/data/debug-keys/README.md @@ -0,0 +1,17 @@ +# EVM & IMA keys + +The following IMA & EVM debug/test keys are in this directory + +- ima-local-ca.priv: The CA's private key (password: 1234) +- ima-local-ca.pem: The CA's self-signed certificate +- privkey_ima.pem: IMA & EVM private key used for signing files +- x509_ima.der: Certificate containing public key (of privkey_ima.pem) to verify signatures + +The CA's (self-signed) certificate can be used to verify the validity of +the x509_ima.der certificate. Since the CA certificate will be built into +the Linux kernel, any key (x509_ima.der) loaded onto the .ima keyring must +pass this test: + +``` + openssl verify -CAfile ima-local-ca.pem x509_ima.der +```` diff --git a/meta-integrity/data/debug-keys/ima-local-ca.pem b/meta-integrity/data/debug-keys/ima-local-ca.pem new file mode 100644 index 0000000..4b48be4 --- /dev/null +++ b/meta-integrity/data/debug-keys/ima-local-ca.pem 
@@ -0,0 +1,15 @@ +-----BEGIN CERTIFICATE----- +MIICWzCCAgCgAwIBAgITYMKT7/z5qI+hLfNC6Jy6hhBCWDAKBggqhkjOPQQDAjB9 +MRQwEgYDVQQKDAtleGFtcGxlLmNvbTFAMD4GA1UEAww3bWV0YS1pbnRlbC1pb3Qt +c2VjdXJpdHkgZXhhbXBsZSBjZXJ0aWZpY2F0ZSBzaWduaW5nIGtleTEjMCEGCSqG +SIb3DQEJARYUam9obi5kb2VAZXhhbXBsZS5jb20wIBcNMjMwNDI2MTYyNjExWhgP +MjEyMzA0MDIxNjI2MTFaMH0xFDASBgNVBAoMC2V4YW1wbGUuY29tMUAwPgYDVQQD +DDdtZXRhLWludGVsLWlvdC1zZWN1cml0eSBleGFtcGxlIGNlcnRpZmljYXRlIHNp +Z25pbmcga2V5MSMwIQYJKoZIhvcNAQkBFhRqb2huLmRvZUBleGFtcGxlLmNvbTBZ +MBMGByqGSM49AgEGCCqGSM49AwEHA0IABCiC+YIbCoOhyLy63lOGbiK+DPkW7gMU +rmfVLIb4oTmKxZS5/L8VE6hjKDcLa7OauyuW2nd4fnFAautFxpw/Q0yjXTBbMAwG +A1UdEwQFMAMBAf8wHQYDVR0OBBYEFL/PiFFjjlzVtExXMb2uXOfIgeIEMB8GA1Ud +IwQYMBaAFL/PiFFjjlzVtExXMb2uXOfIgeIEMAsGA1UdDwQEAwIBBjAKBggqhkjO +PQQDAgNJADBGAiEA0HOxloLMr87yDoH3CljWDWb7M2zLA+BQFXLN511qDl0CIQDu +clewWaJHw4Wq8IN3JsrNDDw2GfrN3sx4hfWUK/0SPw== +-----END CERTIFICATE----- diff --git a/meta-integrity/data/debug-keys/ima-local-ca.priv b/meta-integrity/data/debug-keys/ima-local-ca.priv new file mode 100644 index 0000000..e13de23 --- /dev/null +++ b/meta-integrity/data/debug-keys/ima-local-ca.priv @@ -0,0 +1,7 @@ +-----BEGIN ENCRYPTED PRIVATE KEY----- +MIHjME4GCSqGSIb3DQEFDTBBMCkGCSqGSIb3DQEFDDAcBAhinM5KnV2x5wICCAAw +DAYIKoZIhvcNAgkFADAUBggqhkiG9w0DBwQI4Xbw/W1pgH0EgZCiurgCTUEIDbiK +x5kw3/Rg1/ZLwk5TEiMoIa9CmXEyuSRUla/Ta4o/rZEzKAp6vwkcupviirtWYems +lZNfggfzITWNEWtkU6BrhZgJ7kaeZrIbuAO7YUJy6Z2MQfgaKI9BE2EEgKJ+X5gY +LjkobSAtEqDjuheLgaXIMQ7/qT0MGmi6LmzwMEhu8ZXlNGg8udw= +-----END ENCRYPTED PRIVATE KEY----- diff --git a/meta-integrity/data/debug-keys/privkey_ima.pem b/meta-integrity/data/debug-keys/privkey_ima.pem index 502a0b6..8362cfe 100644 --- a/meta-integrity/data/debug-keys/privkey_ima.pem +++ b/meta-integrity/data/debug-keys/privkey_ima.pem 
@@ -1,16 +1,5 @@ -----BEGIN PRIVATE KEY----- -MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBAJw2G3d0fM36rcQU -Bt8V/SapJe0lxWJ+CY+HcMx8AhWY9XQ66AXcqBsRHiUnYCaFGXFI35VKGC6d/Gs6 -IWlHgI0tcTyzy5eul+BKRLy/3PNjkK2jJETlbetQy+gE6gUtg4RmPV5ALGksK74p -OrAfKnahoMi82NVIiBitwmRimms1AgMBAAECgYBTxciRFU1hAVBy2PKebKJoO0n1 -lc329fSWnmHlp5NOlcr8XCLWEfGtIk7ySd2MitCMKjKNU0EIrv0RXAlS9l9/gBYW -HY+eEaa6l80sp8q4aPKImSi0pb3LVNqWKXJg8qr4AZ45/TEL/fzILFv5QcY8xDjV -aj6DOlEnNDjlBlBbQQJBAMyYDlKItes/Rnmtp9roXj3XUfiBDHTLY2HVgDBe87sA -TOSnbgIv+6urd1h9XvBmJlRYH7YKJmBSZWcSlfdC6XkCQQDDdfkUMxQZo9PC/Eue -WYzytx4xUm3ItWcuKILtFgcNh3c4s4dMx4X/WhQj5/H/nVOIWDioQ0mrW3ap/qcb -SBydAkAf/gb/UPFhf9t9W3JMANn7wZfHzCYufT9lJQWOisqCC2H6v1Osc+Rey8k1 -xST7Yn3L4pvS03N8zGWe4IEi0QvBAkAWdTWbNos2rvYjzy05Enz5XkTf0eK/Tuh+ -CzWP3BoPWeM+5pHDJqGkx0rNHVdW0VLJtak83A5Y2/d0bMfygISZAkBFGui4HW+Q -1BlpmDeslsE11wm5jSmm6Ti12a2dVKGFo9QLQcSj4bfgxtqU2dQaYRmajXtSBrGQ -3vVaxg2EfqB1 +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgmbPxV5LYZ530IfGm +SMpfPQFgoIkKPMRuNWLyVn+wiAOhRANCAAQ31W5ZQZdcwidgpyls2oO5rSsHLlqj +cKYaDF2fveMN5L/wBwEi84ubzz2+MkM9q7RaOSC4TPYHnhVvYcH+SsFv -----END PRIVATE KEY----- diff --git a/meta-integrity/data/debug-keys/x509_ima.der b/meta-integrity/data/debug-keys/x509_ima.der index 087ca6bea53c172e7eb9a269183a32b3ecbd3aaa..3f6f24e61373912cf39598a427fba09c75e74592 100644 GIT binary patch delta 420 zcmX@i`i8~Opou91hlmxF;F8*?ZNGmrVi`wCpisYNB3X_?81B@_P|D=3Kb8W|gy7?~NG8JU?_ zL`m=)8G-~1j35FNcbC>j8VIwogNQzBPE|cYtyQwn2h{MMs#v)Q%T$8e2$NAsBg}3FLd+H7cC8Z`C$b+PnStJa^8n7s+ z2dY2~IA);7CE4|y8dgPru-Va-?r`+w*M{B4Qk8-~RJ~DstJG$5*M+C#eBA$qBA?IQ zi#XD!^?xaMa-hvFpF;7>h^4<)8&z1mFsnIzMy+W^{27zLSGM&o2WzB{WS3ukm~v04 seSbc0i;m3fSIP33d0S_T-F&dflIgem)LYJa+g7k1Pdm)DaOKh($ diff --git a/meta-integrity/scripts/ima-gen-CA-signed.sh b/meta-integrity/scripts/ima-gen-CA-signed.sh index 5f3a728..b10b1ba 100755 --- a/meta-integrity/scripts/ima-gen-CA-signed.sh +++ b/meta-integrity/scripts/ima-gen-CA-signed.sh 
@@ -20,7 +20,6 @@ CAKEY=${2:-ima-local-ca.priv} cat << __EOF__ >$GENKEY [ req ] -default_bits = 1024 distinguished_name = req_distinguished_name prompt = no string_mask = utf8only @@ -36,13 +35,15 @@ basicConstraints=critical,CA:FALSE #basicConstraints=CA:FALSE keyUsage=digitalSignature #keyUsage = nonRepudiation, digitalSignature, keyEncipherment +extendedKeyUsage=critical,codeSigning subjectKeyIdentifier=hash authorityKeyIdentifier=keyid #authorityKeyIdentifier=keyid,issuer __EOF__ -openssl req -new -nodes -utf8 -sha1 -days 365 -batch -config $GENKEY \ - -out csr_ima.pem -keyout privkey_ima.pem -openssl x509 -req -in csr_ima.pem -days 365 -extfile $GENKEY -extensions v3_usr \ +openssl req -new -nodes -utf8 -sha256 -days 36500 -batch -config $GENKEY \ + -out csr_ima.pem -keyout privkey_ima.pem \ + -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 +openssl x509 -req -in csr_ima.pem -days 36500 -extfile $GENKEY -extensions v3_usr \ -CA $CA -CAkey $CAKEY -CAcreateserial \ -outform DER -out x509_ima.der diff --git a/meta-integrity/scripts/ima-gen-local-ca.sh b/meta-integrity/scripts/ima-gen-local-ca.sh index b600761..339d3e3 100755 --- a/meta-integrity/scripts/ima-gen-local-ca.sh +++ b/meta-integrity/scripts/ima-gen-local-ca.sh @@ -18,7 +18,6 @@ GENKEY=ima-local-ca.genkey cat << __EOF__ >$GENKEY [ req ] -default_bits = 2048 distinguished_name = req_distinguished_name prompt = no string_mask = utf8only @@ -33,10 +32,11 @@ emailAddress = john.doe@example.com basicConstraints=CA:TRUE subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always,issuer -# keyUsage = cRLSign, keyCertSign +keyUsage = cRLSign, keyCertSign __EOF__ -openssl req -new -x509 -utf8 -sha1 -days 3650 -batch -config $GENKEY \ +openssl req -new -x509 -utf8 -sha256 -days 36500 -batch -config $GENKEY \ + -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \ -outform DER -out ima-local-ca.x509 -keyout ima-local-ca.priv openssl x509 -inform DER -in ima-local-ca.x509 -out ima-local-ca.pem 
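Review bot: in the ima-gen-local-ca.sh hunk, `keyUsage = cRLSign, keyCertSign` is uncommented but, unlike the `basicConstraints=CA:TRUE` line it sits next to, is not marked critical; `keyUsage = critical, cRLSign, keyCertSign` would stop a verifier from silently ignoring the restriction on this CA key. The script also still produces `ima-local-ca.x509` (DER) and only then converts it to `ima-local-ca.pem`, while the README added in this series lists only the .pem file; a comment saying which of the two is the artifact to build into the kernel would avoid users picking the wrong one.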
diff --git a/meta-integrity/scripts/ima-gen-self-signed.sh b/meta-integrity/scripts/ima-gen-self-signed.sh deleted file mode 100755 index 5ee876c..0000000 --- a/meta-integrity/scripts/ima-gen-self-signed.sh +++ /dev/null 
@@ -1,41 +0,0 @@ -#!/bin/sh -# -# Copied from ima-evm-utils. -# -# This program is free software; you can redistribute it and/or -# modify it under the terms of the GNU General Public License -# version 2 as published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -GENKEY=ima.genkey - -cat << __EOF__ >$GENKEY -[ req ] -default_bits = 1024 -distinguished_name = req_distinguished_name -prompt = no -string_mask = utf8only -x509_extensions = myexts - -[ req_distinguished_name ] -O = example.com -CN = meta-intel-iot-security example signing key -emailAddress = john.doe@example.com - -[ myexts ] -basicConstraints=critical,CA:FALSE -keyUsage=digitalSignature -subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid -__EOF__ - -openssl req -new -nodes -utf8 -sha1 -days 36500 -batch \ - -x509 -config $GENKEY \ - -outform DER -out x509_ima.der -keyout privkey_ima.pem
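Review bot: in the README.md hunk the code block opens with three backticks but closes with four (````), so the `openssl verify` example is left unterminated by most Markdown renderers; make both fences three backticks. Please also confirm that `openssl verify -CAfile ima-local-ca.pem x509_ima.der` works on the OpenSSL release this layer targets: older releases only read PEM certificates here, in which case the README should show the DER-to-PEM conversion (`openssl x509 -inform DER -in x509_ima.der`) before the verify step. Since the CA private key (with its password) is now committed, a one-line statement that these keys are for debug/test images only and must be replaced for any production build would fit naturally under the "EVM & IMA keys" heading.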
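Review bot: in the ima-gen-CA-signed.sh hunk, `-days 36500` on the `openssl req -new` line has no effect because `-days` only applies to `openssl req` when `-x509` is given; validity comes solely from the `openssl x509 -req -days 36500` line below, so dropping it from the CSR command avoids suggesting the two values must be kept in sync. Adding `extendedKeyUsage=critical,codeSigning` changes the certificate profile of every signing key this script produces, but neither the script nor the commit message says why IMA signing keys need that EKU; a short comment next to the line would help future readers. Removing `default_bits = 1024` is correct now that `-newkey ec -pkeyopt ec_paramgen_curve:prime256v1` fixes the key type.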
From patchwork Tue May 9 13:30:47 2023
X-Patchwork-Submitter: Stefan Berger
X-Patchwork-Id: 23696
From: Stefan Berger
To: yocto@lists.yoctoproject.org
Cc: akuster808@gmail.com, Stefan Berger
Subject: [meta-security][PATCH v2 2/8] ima: Fix the ima_policy_appraise_all to appraise executables & libraries
Date: Tue, 9 May 2023 09:30:47 -0400
Message-Id: <20230509133053.1032476-3-stefanb@linux.ibm.com>
In-Reply-To: <20230509133053.1032476-1-stefanb@linux.ibm.com>
References: <20230509133053.1032476-1-stefanb@linux.ibm.com>
X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto/message/59925

Fix the ima_policy_appraise_all policy to appraise all executables and libraries. Also update the list of files that are not appraised to not appraise cgroup related files.

Signed-off-by: Stefan Berger --- .../files/ima_policy_appraise_all | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/meta-integrity/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all b/meta-integrity/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all index 36e71a7..3387edc 100644 --- a/meta-integrity/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all
+++ b/meta-integrity/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all 
@@ -25,5 +25,12 @@ dont_appraise fsmagic=0xf97cff8c dont_appraise fsmagic=0x6e736673 # EFIVARFS_MAGIC dont_appraise fsmagic=0xde5e81e4 +# Cgroup +dont_appraise fsmagic=0x27e0eb +# Cgroup2 +dont_appraise fsmagic=0x63677270 -appraise +# Appraise libraries +appraise func=MMAP_CHECK mask=MAY_EXEC appraise_type=imasig +# Appraise executables +appraise func=BPRM_CHECK appraise_type=imasig
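Review bot: dropping the bare `appraise` line narrows this policy from appraising every hook that reaches IMA (including FILE_CHECK opens, which is how scripts read by an interpreter and data files were covered) to only BPRM_CHECK and MMAP_CHECK with MAY_EXEC. That matches the commit message, but the file is still called ima_policy_appraise_all, so either keep an `appraise func=FILE_CHECK ... appraise_type=imasig` rule as well or state in the file's header comment that only executables and shared libraries are appraised, so that users do not assume broader coverage. `appraise_type=imasig` also means a hash-only security.ima is no longer accepted for these files, which is worth a sentence in the commit message. Minor style point: the surrounding entries are annotated with the kernel macro names (`# EFIVARFS_MAGIC`), so `# CGROUP_SUPER_MAGIC` and `# CGROUP2_SUPER_MAGIC` instead of `# Cgroup` / `# Cgroup2` would keep the list greppable against the kernel headers.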
From patchwork Tue May 9 13:30:48 2023
X-Patchwork-Submitter: Stefan Berger
X-Patchwork-Id: 23701
From: Stefan Berger
To: yocto@lists.yoctoproject.org
Cc: akuster808@gmail.com, Stefan Berger
Subject: [meta-security][PATCH v2 3/8] ima: Fix the IMA kernel feature
Date: Tue, 9 May 2023 09:30:48 -0400
Message-Id: <20230509133053.1032476-4-stefanb@linux.ibm.com>
In-Reply-To: <20230509133053.1032476-1-stefanb@linux.ibm.com>
References: <20230509133053.1032476-1-stefanb@linux.ibm.com>
X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto/message/59926

Fix the IMA kernel feature. Remove outdated patches and add ima.cfg holding kernel configuration options for IMA and EVM.

Signed-off-by: Stefan Berger --- meta-integrity/classes/ima-evm-rootfs.bbclass | 5 +- .../0001-ima-fix-ima_inode_post_setattr.patch | 51 ------- ...for-creating-files-using-the-mknodat.patch | 138 ------------------ ...-file-hash-setting-by-user-to-fix-an.patch | 60 -------- .../recipes-kernel/linux/linux/ima.cfg | 45 ++++++ .../recipes-kernel/linux/linux/ima.scc | 4 + .../recipes-kernel/linux/linux_ima.inc | 10 +- 7 files changed, 62 insertions(+), 251 deletions(-) delete mode 100644 meta-integrity/recipes-kernel/linux/linux/0001-ima-fix-ima_inode_post_setattr.patch delete mode 100644 meta-integrity/recipes-kernel/linux/linux/0002-ima-add-support-for-creating-files-using-the-mknodat.patch delete mode 100644 meta-integrity/recipes-kernel/linux/linux/Revert-ima-limit-file-hash-setting-by-user-to-fix-an.patch create mode 100644 meta-integrity/recipes-kernel/linux/linux/ima.cfg create mode 100644 meta-integrity/recipes-kernel/linux/linux/ima.scc diff --git a/meta-integrity/classes/ima-evm-rootfs.bbclass b/meta-integrity/classes/ima-evm-rootfs.bbclass index 57de2f6..3cb0d07 100644 --- a/meta-integrity/classes/ima-evm-rootfs.bbclass +++ b/meta-integrity/classes/ima-evm-rootfs.bbclass @@ -17,7 +17,7 @@ IMA_EVM_X509 ?= "${IMA_EVM_KEY_DIR}/x509_ima.der" # with a .x509 suffix. See linux-%.bbappend for details. # # ima-local-ca.x509 is what ima-gen-local-ca.sh creates. -IMA_EVM_ROOT_CA ?= "" +IMA_EVM_ROOT_CA ?= "${IMA_EVM_KEY_DIR}/ima-local-ca.pem" # Sign all regular files by default. IMA_EVM_ROOTFS_SIGNED ?= ". -type f" @@ -31,6 +31,9 @@ IMA_EVM_ROOTFS_IVERSION ?= "" # Avoid re-generating fstab when ima is enabled. WIC_CREATE_EXTRA_ARGS:append = "${@bb.utils.contains('DISTRO_FEATURES', 'ima', ' --no-fstab-update', '', d)}" +# Add necessary tools (e.g., keyctl) to image +IMAGE_INSTALL:append = "${@bb.utils.contains('DISTRO_FEATURES', 'ima', ' ima-evm-utils', '', d)}" + ima_evm_sign_rootfs () { cd ${IMAGE_ROOTFS} 
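Review bot: in the ima-evm-rootfs.bbclass hunk the new default `IMA_EVM_ROOT_CA ?= "${IMA_EVM_KEY_DIR}/ima-local-ca.pem"` contradicts the comment block directly above it, which still says the CA file needs a `.x509` suffix and that `ima-local-ca.x509` is what ima-gen-local-ca.sh creates; update the comment and confirm that linux-%.bbappend accepts the PEM file, otherwise the default will point at a file the kernel recipe cannot consume. The new `IMAGE_INSTALL:append` pulls ima-evm-utils into every image that inherits this class whenever `ima` is in DISTRO_FEATURES; that is a sensible way to get keyctl onto the target, but it changes image contents beyond "fix the IMA kernel feature", so it deserves a sentence in the commit message.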
diff --git a/meta-integrity/recipes-kernel/linux/linux/0001-ima-fix-ima_inode_post_setattr.patch b/meta-integrity/recipes-kernel/linux/linux/0001-ima-fix-ima_inode_post_setattr.patch deleted file mode 100644 index 64016dd..0000000 --- a/meta-integrity/recipes-kernel/linux/linux/0001-ima-fix-ima_inode_post_setattr.patch +++ /dev/null 
@@ -1,51 +0,0 @@ -From 45ea681ebc0dd44aaec5d3cc4143b9722070d3ac Mon Sep 17 00:00:00 2001 -From: Mimi Zohar -Date: Tue, 8 Mar 2016 16:43:55 -0500 -Subject: [PATCH] ima: fix ima_inode_post_setattr - -Changing file metadata (eg. uid, guid) could result in having to -re-appraise a file's integrity, but does not change the "new file" -status nor the security.ima xattr. The IMA_PERMIT_DIRECTIO and -IMA_DIGSIG_REQUIRED flags are policy rule specific. This patch -only resets these flags, not the IMA_NEW_FILE or IMA_DIGSIG flags. - -With this patch, changing the file timestamp will not remove the -file signature on new files. - -Upstream-Status: Accepted [https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/security/integrity/ima/ima_appraise.c?id=42a4c603198f0d45b7aa936d3ac6ba1b8bd14a1b] - -Reported-by: Dmitry Rozhkov -Signed-off-by: Mimi Zohar ---- - security/integrity/ima/ima_appraise.c | 2 +- - security/integrity/integrity.h | 1 + - 2 files changed, 2 insertions(+), 1 deletion(-) - -diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c -index 4df493e..a384ba1 100644 ---- a/security/integrity/ima/ima_appraise.c -+++ b/security/integrity/ima/ima_appraise.c -@@ -327,7 +327,7 @@ void ima_inode_post_setattr(struct dentry *dentry) - if (iint) { - iint->flags &= ~(IMA_APPRAISE | IMA_APPRAISED | - IMA_APPRAISE_SUBMASK | IMA_APPRAISED_SUBMASK | -- IMA_ACTION_FLAGS); -+ IMA_ACTION_RULE_FLAGS); - if (must_appraise) - iint->flags |= IMA_APPRAISE; - } -diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h -index 0fc9519..f9decae 100644 ---- a/security/integrity/integrity.h -+++ b/security/integrity/integrity.h -@@ -28,6 +28,7 @@ - - /* iint cache flags */ - #define IMA_ACTION_FLAGS 0xff000000 -+#define IMA_ACTION_RULE_FLAGS 0x06000000 - #define IMA_DIGSIG 0x01000000 - #define IMA_DIGSIG_REQUIRED 0x02000000 - #define IMA_PERMIT_DIRECTIO 0x04000000 --- -2.5.0 - 
diff --git a/meta-integrity/recipes-kernel/linux/linux/0002-ima-add-support-for-creating-files-using-the-mknodat.patch b/meta-integrity/recipes-kernel/linux/linux/0002-ima-add-support-for-creating-files-using-the-mknodat.patch deleted file mode 100644 index 6ab7ce2..0000000 --- a/meta-integrity/recipes-kernel/linux/linux/0002-ima-add-support-for-creating-files-using-the-mknodat.patch +++ /dev/null 
@@ -1,138 +0,0 @@ -From baaec960e9e7be0b526eaf831b079ddfe5c15124 Mon Sep 17 00:00:00 2001 -From: Mimi Zohar -Date: Thu, 10 Mar 2016 18:19:20 +0200 -Subject: [PATCH] ima: add support for creating files using the mknodat - syscall - -Commit 3034a14 "ima: pass 'opened' flag to identify newly created files" -stopped identifying empty files as new files. However new empty files -can be created using the mknodat syscall. On systems with IMA-appraisal -enabled, these empty files are not labeled with security.ima extended -attributes properly, preventing them from subsequently being opened in -order to write the file data contents. This patch marks these empty -files, created using mknodat, as new in order to allow the file data -contents to be written. - -Files with security.ima xattrs containing a file signature are considered -"immutable" and can not be modified. The file contents need to be -written, before signing the file. This patch relaxes this requirement -for new files, allowing the file signature to be written before the file -contents. 
- -Upstream-Status: Accepted [https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/security/integrity/ima/ima_appraise.c?id=05d1a717ec0430c916a749b94eb90ab74bbfa356] - -Signed-off-by: Mimi Zohar ---- - fs/namei.c | 2 ++ - include/linux/ima.h | 7 ++++++- - security/integrity/ima/ima_appraise.c | 3 +++ - security/integrity/ima/ima_main.c | 32 +++++++++++++++++++++++++++++++- - 4 files changed, 42 insertions(+), 2 deletions(-) - -diff --git a/fs/namei.c b/fs/namei.c -index ccd7f98..19502da 100644 ---- a/fs/namei.c -+++ b/fs/namei.c -@@ -3526,6 +3526,8 @@ retry: - switch (mode & S_IFMT) { - case 0: case S_IFREG: - error = vfs_create(path.dentry->d_inode,dentry,mode,true); -+ if (!error) -+ ima_post_path_mknod(dentry); - break; - case S_IFCHR: case S_IFBLK: - error = vfs_mknod(path.dentry->d_inode,dentry,mode, -diff --git a/include/linux/ima.h b/include/linux/ima.h -index 120ccc5..7f51971 100644 ---- a/include/linux/ima.h -+++ b/include/linux/ima.h -@@ -20,7 +20,7 @@ extern void ima_file_free(struct file *file); - extern int ima_file_mmap(struct file *file, unsigned long prot); - extern int ima_module_check(struct file *file); - extern int ima_fw_from_file(struct file *file, char *buf, size_t size); -- -+extern void ima_post_path_mknod(struct dentry *dentry); - #else - static inline int ima_bprm_check(struct linux_binprm *bprm) - { -@@ -52,6 +52,11 @@ static inline int ima_fw_from_file(struct file *file, char *buf, size_t size) - return 0; - } - -+static inline void ima_post_path_mknod(struct dentry *dentry) -+{ -+ return; -+} -+ - #endif /* CONFIG_IMA */ - - #ifdef CONFIG_IMA_APPRAISE -diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c -index 4df493e..20806ea 100644 ---- a/security/integrity/ima/ima_appraise.c -+++ b/security/integrity/ima/ima_appraise.c -@@ -274,6 +274,11 @@ out: - xattr_value->type != EVM_IMA_XATTR_DIGSIG)) { - if (!ima_fix_xattr(dentry, iint)) - status = INTEGRITY_PASS; -+ } else if 
((inode->i_size == 0) && -+ (iint->flags & IMA_NEW_FILE) && -+ (xattr_value && -+ xattr_value->type == EVM_IMA_XATTR_DIGSIG)) { -+ status = INTEGRITY_PASS; - } - integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename, - op, cause, rc, 0); -diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c -index eeee00dc..705bf78 100644 ---- a/security/integrity/ima/ima_main.c -+++ b/security/integrity/ima/ima_main.c -@@ -242,7 +242,8 @@ static int process_measurement(struct file *file, int mask, int function, - ima_audit_measurement(iint, pathname); - - out_digsig: -- if ((mask & MAY_WRITE) && (iint->flags & IMA_DIGSIG)) -+ if ((mask & MAY_WRITE) && (iint->flags & IMA_DIGSIG) && -+ !(iint->flags & IMA_NEW_FILE)) - rc = -EACCES; - kfree(xattr_value); - out_free: -@@ -310,6 +311,35 @@ int ima_file_check(struct file *file, int mask, int opened) - EXPORT_SYMBOL_GPL(ima_file_check); - - /** -+ * ima_post_path_mknod - mark as a new inode -+ * @dentry: newly created dentry -+ * -+ * Mark files created via the mknodat syscall as new, so that the -+ * file data can be written later. -+ */ -+void ima_post_path_mknod(struct dentry *dentry) -+{ -+ struct integrity_iint_cache *iint; -+ struct inode *inode; -+ int must_appraise; -+ -+ if (!dentry || !dentry->d_inode) -+ return; -+ -+ inode = dentry->d_inode; -+ if (inode->i_size != 0) -+ return; -+ -+ must_appraise = ima_must_appraise(inode, MAY_ACCESS, FILE_CHECK); -+ if (!must_appraise) -+ return; -+ -+ iint = integrity_inode_get(inode); -+ if (iint) -+ iint->flags |= IMA_NEW_FILE; -+} -+ -+/** - * ima_module_check - based on policy, collect/store/appraise measurement. - * @file: pointer to the file to be measured/appraised - * --- -2.5.0 - diff --git a/meta-integrity/recipes-kernel/linux/linux/Revert-ima-limit-file-hash-setting-by-user-to-fix-an.patch b/meta-integrity/recipes-kernel/linux/linux/Revert-ima-limit-file-hash-setting-by-user-to-fix-an.patch deleted file mode 100644 index 157c007..0000000 
--- a/meta-integrity/recipes-kernel/linux/linux/Revert-ima-limit-file-hash-setting-by-user-to-fix-an.patch +++ /dev/null 
@@ -1,60 +0,0 @@ -From a34d61850b680c152e1dcc958ee83c3ab3261c3d Mon Sep 17 00:00:00 2001 -From: Patrick Ohly -Date: Tue, 15 Nov 2016 10:10:23 +0100 -Subject: [PATCH] Revert "ima: limit file hash setting by user to fix and log - modes" - -This reverts commit c68ed80c97d9720f51ef31fe91560fdd1e121533. - -The original motivation was security hardening ("File hashes are -automatically set and updated and should not be manually set.") - -However, that hardening ignores and breaks some valid use cases: -- File hashes might not be set because the file is currently - outside of the policy and therefore have to be set by the - creator. Examples: - - Booting into an initramfs with an IMA-enabled kernel but - without setting an IMA policy, then installing - the OS onto the target partition by unpacking a rootfs archive - which has the file hashes pre-computed. - - Unpacking a file into a staging area with meta data (like owner) - that leaves the file outside of the current policy, then changing - the meta data such that it becomes part of the current policy. -- "should not be set manually" implies that the creator is aware - of IMA semantic, the current system's configuration, and then - skips setting file hashes in security.ima if (and only if) the - kernel would prevent it. That's not the case for standard, unmodified - tools. Example: unpacking an archive with security.ima xattrs with - bsdtar or GNU tar. 
- -Upstream-Status: Submitted [https://sourceforge.net/p/linux-ima/mailman/message/35492824/] - -Signed-off-by: Patrick Ohly ---- - security/integrity/ima/ima_appraise.c | 8 ++------ - 1 file changed, 2 insertions(+), 6 deletions(-) - -diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c -index 4b9b4a4..b8b2dd9 100644 ---- a/security/integrity/ima/ima_appraise.c -+++ b/security/integrity/ima/ima_appraise.c -@@ -385,14 +385,10 @@ int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name, - result = ima_protect_xattr(dentry, xattr_name, xattr_value, - xattr_value_len); - if (result == 1) { -- bool digsig; -- - if (!xattr_value_len || (xvalue->type >= IMA_XATTR_LAST)) - return -EINVAL; -- digsig = (xvalue->type == EVM_IMA_XATTR_DIGSIG); -- if (!digsig && (ima_appraise & IMA_APPRAISE_ENFORCE)) -- return -EPERM; -- ima_reset_appraise_flags(d_backing_inode(dentry), digsig); -+ ima_reset_appraise_flags(d_backing_inode(dentry), -+ (xvalue->type == EVM_IMA_XATTR_DIGSIG) ? 1 : 0); - result = 0; - } - return result; --- -2.1.4 - diff --git a/meta-integrity/recipes-kernel/linux/linux/ima.cfg b/meta-integrity/recipes-kernel/linux/linux/ima.cfg new file mode 100644 index 0000000..d7d80a6 --- /dev/null +++ b/meta-integrity/recipes-kernel/linux/linux/ima.cfg 
@@ -0,0 +1,45 @@ +CONFIG_KEYS=y +CONFIG_ASYMMETRIC_KEY_TYPE=y +CONFIG_SYSTEM_TRUSTED_KEYRING=y +CONFIG_SYSTEM_TRUSTED_KEYS="${IMA_EVM_ROOT_CA}" +CONFIG_SECONDARY_TRUSTED_KEYRING=y +CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y +CONFIG_X509_CERTIFICATE_PARSER=y +CONFIG_PKCS8_PRIVATE_KEY_PARSER=y +CONFIG_CRYPTO_ECDSA=y +CONFIG_SECURITY=y +CONFIG_SECURITYFS=y +CONFIG_INTEGRITY=y +CONFIG_INTEGRITY_SIGNATURE=y +CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y +CONFIG_INTEGRITY_TRUSTED_KEYRING=y +CONFIG_IMA=y +CONFIG_IMA_MEASURE_PCR_IDX=10 +CONFIG_IMA_LSM_RULES=y +# CONFIG_IMA_TEMPLATE is not set +# CONFIG_IMA_NG_TEMPLATE is not set +CONFIG_IMA_SIG_TEMPLATE=y +CONFIG_IMA_DEFAULT_TEMPLATE="ima-sig" +# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set +CONFIG_IMA_DEFAULT_HASH_SHA256=y +# CONFIG_IMA_DEFAULT_HASH_SHA512 is not set +CONFIG_IMA_DEFAULT_HASH="sha256" +CONFIG_IMA_WRITE_POLICY=y +CONFIG_IMA_READ_POLICY=y +CONFIG_IMA_APPRAISE=y +CONFIG_IMA_ARCH_POLICY=y +CONFIG_IMA_APPRAISE_BUILD_POLICY=y +CONFIG_IMA_APPRAISE_REQUIRE_POLICY_SIGS=y +# CONFIG_IMA_APPRAISE_BOOTPARAM is not set +# CONFIG_IMA_APPRAISE_MODSIG is not set +CONFIG_IMA_TRUSTED_KEYRING=y +CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y +# CONFIG_IMA_BLACKLIST_KEYRING is not set +# CONFIG_IMA_LOAD_X509 is not set +CONFIG_IMA_APPRAISE_SIGNED_INIT=y +CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y +CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y +CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y +# CONFIG_IMA_DISABLE_HTABLE is not set +CONFIG_EVM=y +# CONFIG_EVM_LOAD_X509 is not set diff --git a/meta-integrity/recipes-kernel/linux/linux/ima.scc b/meta-integrity/recipes-kernel/linux/linux/ima.scc new file mode 100644 index 0000000..6eb84b0 --- /dev/null +++ b/meta-integrity/recipes-kernel/linux/linux/ima.scc @@ -0,0 +1,4 @@ +define KFEATURE_DESCRIPTION "Enable IMA" + +kconf non-hardware ima.cfg + diff --git a/meta-integrity/recipes-kernel/linux/linux_ima.inc b/meta-integrity/recipes-kernel/linux/linux_ima.inc index 3ab53e5..0b6f530 100644 
--- a/meta-integrity/recipes-kernel/linux/linux_ima.inc +++ b/meta-integrity/recipes-kernel/linux/linux_ima.inc 
@@ -1,4 +1,12 @@ -KERNEL_FEATURES:append = " ${@bb.utils.contains("DISTRO_FEATURES", "ima", " features/ima/ima.scc", "" ,d)}" +FILESEXTRAPATHS:append := "${THISDIR}/linux:" + +SRC_URI += " \ + ${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'file://ima.scc', '', d)} \ +" + +do_configure() { + sed -i "s|^CONFIG_SYSTEM_TRUSTED_KEYS=.*|CONFIG_SYSTEM_TRUSTED_KEYS=\"${IMA_EVM_ROOT_CA}\"|" .config +} KERNEL_FEATURES:append = " ${@bb.utils.contains('DISTRO_FEATURES', 'modsign', ' features/ima/modsign.scc', '', d)}" From patchwork Tue May 9 13:30:49 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stefan Berger X-Patchwork-Id: 23692 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id E02ABC7EE26 for ; Tue, 9 May 2023 13:31:12 +0000 (UTC) Received: from mx0b-001b2d01.pphosted.com (mx0b-001b2d01.pphosted.com [148.163.158.5]) by mx.groups.io with SMTP id smtpd.web10.32532.1683639063939284718 for ; Tue, 09 May 2023 06:31:04 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@ibm.com header.s=pp1 header.b=RW2mAqd9; spf=pass (domain: linux.ibm.com, ip: 148.163.158.5, mailfrom: stefanb@linux.ibm.com) Received: from pps.filterd (m0353724.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id 349DHIDh003050 for ; Tue, 9 May 2023 13:31:03 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding; s=pp1; bh=fAeN74BRvp/a7hkOQyVdXqp+OG/BP1V/YJr3VX/5itc=; b=RW2mAqd9Vlvu5s5OQqNuBsmnANnKVeWBTzqpehBnmyQUZRrFVwD0JI9SvBZkO4rTxymp EZ0rJbWo4Eu4x/dOkqXFj/wrkfzWOFaJEICUAaJwGfDoOAP46U53UlLV2ILY5ly0fiZ7 
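Review bot: deleting Revert-ima-limit-file-hash-setting-by-user-to-fix-an.patch (the `@@ -1,60 +0,0 @@` hunk) silently reinstates the upstream restriction that the revert had removed: `ima_inode_setxattr` again returns -EPERM for non-signature security.ima values when IMA_APPRAISE_ENFORCE is set, so the cases the deleted description lists (unpacking a rootfs archive with pre-computed hashes, tar restoring security.ima) will fail on an enforcing kernel. State in the commit message why this is acceptable now, e.g. that the root filesystem is signed at build time and hashes are no longer set from userspace.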
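Review bot: `CONFIG_SYSTEM_TRUSTED_KEYS="${IMA_EVM_ROOT_CA}"` in the new ima.cfg is a literal string to Kconfig; nothing in the kernel build expands a BitBake variable, so the fragment only works because linux_ima.inc later rewrites that line with sed. That coupling is invisible to anyone reading ima.cfg on its own. Add a comment above the line saying it is a placeholder replaced in do_configure, or leave the option out of the fragment and have the .inc append the real value. While here, a comment on CONFIG_IMA_APPRAISE_REQUIRE_POLICY_SIGS=y would help: with it set, a policy written to securityfs at boot is rejected unless it carries a valid signature, so the rootfs class has to sign the installed ima-policy.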
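Review bot: the plain `do_configure() { sed ... }` in the linux_ima.inc hunk defines the whole task rather than extending it; since this file is required from a bbappend it is parsed after the kernel classes and replaces their do_configure, so the kernel .config is never generated before the sed runs. Move the substitution into `do_configure:append()`, use `${B}/.config` to make the target explicit, and guard it with the same `ima` DISTRO_FEATURES check the SRC_URI line uses two lines above. Also handle an unset IMA_EVM_ROOT_CA: the sed then writes `CONFIG_SYSTEM_TRUSTED_KEYS=""` and the kernel is built without its trust anchor with no error; a `bbfatal` when the variable is empty or the file does not exist catches that at build time.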
From: Stefan Berger To: yocto@lists.yoctoproject.org Cc: akuster808@gmail.com, Stefan Berger Subject: [meta-security][PATCH v2 4/8] ima: Rename IMA_EVM_POLICY_SYSTEMD to IMA_EVM_POLICY Date: Tue, 9 May 2023 09:30:49 -0400 Message-Id: <20230509133053.1032476-5-stefanb@linux.ibm.com> X-Mailer: git-send-email 2.39.1 In-Reply-To: <20230509133053.1032476-1-stefanb@linux.ibm.com> References: <20230509133053.1032476-1-stefanb@linux.ibm.com> MIME-Version: 1.0 X-TM-AS-GCONF: 00 X-Proofpoint-GUID: fs4dRI4A8EgNJrGK7c_tU9JVU24clN1w X-Proofpoint-ORIG-GUID: hGGHpZR-4ggSpiLGSScnxGQtl9199TTH X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.254,Aquarius:18.0.942,Hydra:6.0.573,FMLib:17.11.170.22 definitions=2023-05-09_08,2023-05-05_01,2023-02-09_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 mlxlogscore=999 adultscore=0 clxscore=1015 malwarescore=0 bulkscore=0 suspectscore=0 priorityscore=1501 lowpriorityscore=0 phishscore=0 mlxscore=0 impostorscore=0 spamscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2304280000 definitions=main-2305090106 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 09 May 2023 13:31:12 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto/message/59920 The IMA policy will be specified using the IMA_EVM_POLICY variable since systemd will not be involved in loading the policy but the init script will load it. Signed-off-by: Stefan Berger --- meta-integrity/README.md | 2 +- meta-integrity/classes/ima-evm-rootfs.bbclass | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/meta-integrity/README.md b/meta-integrity/README.md index eae1c57..816b40d 100644 --- a/meta-integrity/README.md +++ b/meta-integrity/README.md 
@@ -187,7 +187,7 @@ IMA policy loading became broken in systemd 2.18. The modified systemd changes. To activate policy loading via systemd, place a policy file in `/etc/ima/ima-policy`, for example with: - IMA_EVM_POLICY_SYSTEMD = "${INTEGRITY_BASE}/data/ima_policy_simple" + IMA_EVM_POLICY = "${INTEGRITY_BASE}/data/ima_policy_simple" To check that measuring works, look at `/sys/kernel/security/ima/ascii_runtime_measurements` diff --git a/meta-integrity/classes/ima-evm-rootfs.bbclass b/meta-integrity/classes/ima-evm-rootfs.bbclass index 3cb0d07..6902d69 100644 --- a/meta-integrity/classes/ima-evm-rootfs.bbclass +++ b/meta-integrity/classes/ima-evm-rootfs.bbclass 
@@ -69,10 +69,10 @@ ima_evm_sign_rootfs () { find ${IMA_EVM_ROOTFS_HASHED} | xargs -d "\n" --no-run-if-empty --verbose evmctl ima_hash # Optionally install custom policy for loading by systemd. - if [ "${IMA_EVM_POLICY_SYSTEMD}" ]; then + if [ "${IMA_EVM_POLICY}" ]; then install -d ./${sysconfdir}/ima rm -f ./${sysconfdir}/ima/ima-policy - install "${IMA_EVM_POLICY_SYSTEMD}" ./${sysconfdir}/ima/ima-policy + install "${IMA_EVM_POLICY}" ./${sysconfdir}/ima/ima-policy fi } From patchwork Tue May 9 13:30:50 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stefan Berger X-Patchwork-Id: 23695 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id EC559C77B7C for ; Tue, 9 May 2023 13:31:52 +0000 (UTC) Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com [148.163.156.1]) by mx.groups.io with SMTP id smtpd.web11.32494.1683639105664114506 for ; Tue, 09 May 2023 06:31:45 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@ibm.com header.s=pp1 header.b=Fd2tbZm9; spf=pass (domain: linux.ibm.com, ip: 148.163.156.1, mailfrom: stefanb@linux.ibm.com) Received: from pps.filterd (m0353726.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id 349D8od6003447 for ; Tue, 9 May 2023 13:31:45 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding; s=pp1; bh=h1SLIqgOGg2aXlfz6C2p6oVWCs387TjVc1bE9wYLQUw=; b=Fd2tbZm9QakHdFXc+pqF8OmC5eXBzlMRlqkm6udgyvsnkIrs7DZ7P7KNpEEQNUyjf2k3 yYwPIlS9xrsvaoCCX75HD2qSFLuhtCifkI1Dzg6xs7GKN1u9xmaRI3jTWlV/RVAFj3X8 8gQv0E5ZNST/EP7zs15RJh2gm19J/jERihgTd2/EeqEh5hgVcHH5hvBA4oUi5zsmLi/s 
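Review bot: the README hunk renames the variable but keeps the sentence "To activate policy loading via systemd" and the context above it, which still describes systemd loading the policy, while this commit's message says systemd will no longer be involved and the init script loads it. Rewrite the surrounding wording in the same hunk so the documented variable and the described loader agree.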
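Review bot: the bbclass hunk leaves the comment `# Optionally install custom policy for loading by systemd.` above the renamed check; the rename exists precisely because systemd no longer loads the policy, so change the comment to name the init script (or just "for loading at boot") so the code does not contradict the commit message.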
From: Stefan Berger To: yocto@lists.yoctoproject.org Cc: akuster808@gmail.com, Stefan Berger Subject: [meta-security][PATCH v2 5/8] ima: Sign all executables and the ima-policy in the root filesystem Date: Tue, 9 May 2023 09:30:50 -0400 Message-Id: <20230509133053.1032476-6-stefanb@linux.ibm.com> X-Mailer: git-send-email 2.39.1 In-Reply-To: <20230509133053.1032476-1-stefanb@linux.ibm.com> References: <20230509133053.1032476-1-stefanb@linux.ibm.com> MIME-Version: 1.0 X-TM-AS-GCONF: 00 X-Proofpoint-GUID: n10YKi2L8qvuUjeDLAyYoA7Qo8ldzHPA X-Proofpoint-ORIG-GUID: 1nAxTvl9hqIh9xrrVjZSW7YnRVF5uVuF X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.254,Aquarius:18.0.942,Hydra:6.0.573,FMLib:17.11.170.22 definitions=2023-05-09_08,2023-05-05_01,2023-02-09_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 bulkscore=0 malwarescore=0 clxscore=1015 adultscore=0 mlxlogscore=999 suspectscore=0 phishscore=0 priorityscore=1501 lowpriorityscore=0 mlxscore=0 spamscore=0 impostorscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2304280000 definitions=main-2305090111 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 09 May 2023 13:31:52 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto/message/59924 Signed-off-by: Stefan Berger --- meta-integrity/classes/ima-evm-rootfs.bbclass | 25 +++++++++++++++---- 1 file changed, 20 insertions(+), 5 deletions(-) diff --git a/meta-integrity/classes/ima-evm-rootfs.bbclass b/meta-integrity/classes/ima-evm-rootfs.bbclass index 6902d69..98c4bc1 100644 --- a/meta-integrity/classes/ima-evm-rootfs.bbclass +++ b/meta-integrity/classes/ima-evm-rootfs.bbclass 
@@ -62,17 +62,32 @@ ima_evm_sign_rootfs () { perl -pi -e 's;(\S+)(\s+)(${@"|".join((d.getVar("IMA_EVM_ROOTFS_IVERSION", True) or "no-such-mount-point").split())})(\s+)(\S+)(\s+)(\S+);\1\2\3\4\5\6\7,iversion;; s/(,iversion)+/,iversion/;' etc/fstab fi - # Sign file with private IMA key. EVM not supported at the moment. - bbnote "IMA/EVM: signing files 'find ${IMA_EVM_ROOTFS_SIGNED}' with private key '${IMA_EVM_PRIVKEY}'" - find ${IMA_EVM_ROOTFS_SIGNED} | xargs -d "\n" --no-run-if-empty --verbose evmctl ima_sign --key ${IMA_EVM_PRIVKEY} - bbnote "IMA/EVM: hashing files 'find ${IMA_EVM_ROOTFS_HASHED}'" - find ${IMA_EVM_ROOTFS_HASHED} | xargs -d "\n" --no-run-if-empty --verbose evmctl ima_hash + # Detect 32bit target to pass --m32 to evmctl by looking at libc + tmp="$(file "${IMAGE_ROOTFS}/lib/libc.so.6" | grep -o 'ELF .*-bit')" + if [ "${tmp}" = "ELF 32-bit" ]; then + evmctl_param="--m32" + elif [ "${tmp}" = "ELF 64-bit" ]; then + evmctl_param="" + else + bberror "Unknown target architecture bitness: '${tmp}'" >&2 + exit 1 + fi + + bbnote "IMA/EVM: Signing root filesystem at ${IMAGE_ROOTFS} with key ${IMA_EVM_PRIVKEY}" + evmctl sign --imasig ${evmctl_param} --portable -a sha256 --key ${IMA_EVM_PRIVKEY} -r "${IMAGE_ROOTFS}" + + # check signing key and signature verification key + evmctl ima_verify ${evmctl_param} --key "${IMA_EVM_X509}" "${IMAGE_ROOTFS}/lib/libc.so.6" || exit 1 + evmctl verify ${evmctl_param} --key "${IMA_EVM_X509}" "${IMAGE_ROOTFS}/lib/libc.so.6" || exit 1 # Optionally install custom policy for loading by systemd. 
if [ "${IMA_EVM_POLICY}" ]; then install -d ./${sysconfdir}/ima rm -f ./${sysconfdir}/ima/ima-policy install "${IMA_EVM_POLICY}" ./${sysconfdir}/ima/ima-policy + + bbnote "IMA/EVM: Signing IMA policy with key ${IMA_EVM_PRIVKEY}" + evmctl sign --imasig ${evmctl_param} --portable -a sha256 --key "${IMA_EVM_PRIVKEY}" "${IMAGE_ROOTFS}/etc/ima/ima-policy" fi } From patchwork Tue May 9 13:30:51 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stefan Berger X-Patchwork-Id: 23694 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id D66C3C7EE2D for ; Tue, 9 May 2023 13:31:12 +0000 (UTC) Received: from mx0b-001b2d01.pphosted.com (mx0b-001b2d01.pphosted.com [148.163.158.5]) by mx.groups.io with SMTP id smtpd.web11.32477.1683639063934250510 for ; Tue, 09 May 2023 06:31:04 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@ibm.com header.s=pp1 header.b=Db8mi4fU; spf=pass (domain: linux.ibm.com, ip: 148.163.158.5, mailfrom: stefanb@linux.ibm.com) Received: from pps.filterd (m0356516.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id 349DAWa1027234 for ; Tue, 9 May 2023 13:31:03 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding; s=pp1; bh=UDGr255lc5+HFNbFxLptWvW0Ucz1U8jN9vXUjU7t44M=; b=Db8mi4fU0xj84oBg8rX9GWbOjavod+gnIqDyAKDFc8OfNwsWjcZ7tJPCbVCevJMroivk jqz6N/Y8yhKF6Tglqs9H3AzD9TOFux6AullQ21T0qLNchZskN/UIZJORHwJiqGEz1Jh7 QAJxoBl0QiNjdWOH8Zi6iTzKTY2iwfGCFRARBW6eXRFJwsGniQqD7HpgVPhhrxAJpbUD 3pVr4LGicLZ8+w1ZYemx4eubd7ui+znbsYs2uw+ZnCj4xfsbcquygVguroAWUKe2hQMG 
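Review bot: the bitness probe in the first hunk hard-codes `${IMAGE_ROOTFS}/lib/libc.so.6`; on a usrmerge or multilib image libc lives under /usr/lib, /lib64 or /usr/lib64, `file` fails, `tmp` is empty and the task aborts with "Unknown target architecture bitness: ''", which points the user at the wrong problem. Build the path from `${base_libdir}`, or better, use the bitness BitBake already knows (`${SITEINFO_BITS}` from siteinfo.bbclass) and drop the `file` probe entirely. `bberror ...; exit 1` is what `bbfatal` does in one call, and the `>&2` is redundant. The subject says "all executables", but `evmctl sign --imasig ... --portable ... -r "${IMAGE_ROOTFS}"` walks the whole root filesystem and now also writes portable EVM signatures, which the removed comment said were unsupported; with the `ima_sign`/`ima_hash` loops gone, IMA_EVM_ROOTFS_SIGNED and IMA_EVM_ROOTFS_HASHED are no longer used by this function, so either remove their definitions and documentation or say why they stay. The commit message is empty beyond the subject and should spell all of this out.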
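Review bot: in the second hunk the policy is installed to `./${sysconfdir}/ima/ima-policy` but signed at `"${IMAGE_ROOTFS}/etc/ima/ima-policy"`; if sysconfdir is not /etc the signature targets a file that does not exist, and unlike the two libc checks above this call has no `|| exit 1`, so the failure passes silently. Use `"${IMAGE_ROOTFS}${sysconfdir}/ima/ima-policy"` and fail the task on error: with CONFIG_IMA_APPRAISE_REQUIRE_POLICY_SIGS=y from ima.cfg an unsigned policy is rejected at boot and the image comes up without any appraisal rules.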
From: Stefan Berger To: yocto@lists.yoctoproject.org Cc: akuster808@gmail.com, Stefan Berger Subject: [meta-security][PATCH v2 6/8] integrity: Update the README for IMA support Date: Tue, 9 May 2023 09:30:51 -0400 Message-Id: <20230509133053.1032476-7-stefanb@linux.ibm.com> X-Mailer: git-send-email 2.39.1 In-Reply-To: <20230509133053.1032476-1-stefanb@linux.ibm.com> References: <20230509133053.1032476-1-stefanb@linux.ibm.com> MIME-Version: 1.0 X-TM-AS-GCONF: 00 X-Proofpoint-GUID: 8ve1eNHNSei-XZTvOmGSESRPjp75axuX X-Proofpoint-ORIG-GUID: zPYIePxKC9d1rlYsH3Y_qNwD-dk498z7 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.254,Aquarius:18.0.942,Hydra:6.0.573,FMLib:17.11.170.22 definitions=2023-05-09_08,2023-05-05_01,2023-02-09_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 mlxscore=0 clxscore=1015 spamscore=0 priorityscore=1501 mlxlogscore=819 phishscore=0 adultscore=0 bulkscore=0 lowpriorityscore=0 malwarescore=0 suspectscore=0 impostorscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2304280000 definitions=main-2305090106 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 09 May 2023 13:31:12 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto/message/59921 Update the README describing how IMA support can be used. Signed-off-by: Stefan Berger --- meta-integrity/README.md | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/meta-integrity/README.md b/meta-integrity/README.md index 816b40d..1a37280 100644 --- a/meta-integrity/README.md +++ b/meta-integrity/README.md 
@@ -76,7 +76,7 @@ other layers needed. e.g.: It has some dependencies on a suitable BSP; in particular the kernel must have a recent enough IMA/EVM subsystem. The layer was tested with -Linux 3.19 and uses some features (like loading X509 certificates +Linux 6.1 and uses some features (like loading X509 certificates directly from the kernel) which were added in that release. Your mileage may vary with older kernels. @@ -89,10 +89,17 @@ Adding the layer only enables IMA (see below regarding EVM) during compilation of the Linux kernel. To also activate it when building the image, enable image signing in the local.conf like this: + DISTRO_FEATURES:append = " integrity ima" + IMAGE_CLASSES += "ima-evm-rootfs" + IMA_EVM_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys" IMA_EVM_PRIVKEY = "${IMA_EVM_KEY_DIR}/privkey_ima.pem" IMA_EVM_X509 = "${IMA_EVM_KEY_DIR}/x509_ima.der" + IMA_EVM_ROOT_CA = "${IMA_EVM_KEY_DIR}/ima-local-ca.pem" + + # The following policy enforces IMA & EVM signatures + IMA_EVM_POLICY = "${INTEGRITY_BASE}/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all" This uses the default keys provided in the "data" directory of the layer. Because everyone has access to these private keys, such an image @@ -113,10 +120,7 @@ for that are included in the layer. This is also how the cd $IMA_EVM_KEY_DIR # In that shell, create the keys. Several options exist: - # 1. Self-signed keys. - $INTEGRITY_BASE/scripts/ima-gen-self-signed.sh - - # 2. Keys signed by a new CA. + # 1. Keys signed by a new CA. # When asked for a PEM passphrase, that will be for the root CA. # Signing images then will not require entering that passphrase, # only creating new certificates does. Most likely the default 
@@ -125,13 +129,11 @@ for that are included in the layer. This is also how the # $INTEGRITY_BASE/scripts/ima-gen-local-ca.sh # $INTEGRITY_BASE/scripts/ima-gen-CA-signed.sh - # 3. Keys signed by an existing CA. + # 2. Keys signed by an existing CA. # $INTEGRITY_BASE/scripts/ima-gen-CA-signed.sh exit -When using ``ima-self-signed.sh`` as described above, self-signed keys -are created. Alternatively, one can also use keys signed by a CA. The -``ima-gen-local-ca.sh`` and ``ima-gen.sh`` scripts create a root CA +The ``ima-gen-local-ca.sh`` and ``ima-gen.sh`` scripts create a root CA and sign the signing keys with it. The ``ima-evm-rootfs.bbclass`` then supports adding tha CA's public key to the kernel's system keyring by compiling it directly into the kernel. Because it is unknown whether From patchwork Tue May 9 13:30:52 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stefan Berger X-Patchwork-Id: 23691 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id D5581C7EE24 for ; Tue, 9 May 2023 13:31:12 +0000 (UTC) Received: from mx0b-001b2d01.pphosted.com (mx0b-001b2d01.pphosted.com [148.163.158.5]) by mx.groups.io with SMTP id smtpd.web10.32533.1683639065578851115 for ; Tue, 09 May 2023 06:31:05 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@ibm.com header.s=pp1 header.b=ElFln3HD; spf=pass (domain: linux.ibm.com, ip: 148.163.158.5, mailfrom: stefanb@linux.ibm.com) Received: from pps.filterd (m0353725.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id 349DADxS017578 for ; Tue, 9 May 2023 13:31:04 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : 
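Review bot: in the `@@ -76,7 +76,7 @@` hunk the bump to "Linux 6.1" leaves the unchanged continuation "uses some features (like loading X509 certificates directly from the kernel) which were added in that release", so the sentence now claims that feature arrived in 6.1. Either drop the parenthetical or split the sentence into what was tested (6.1) and what is required, so it stays true the next time the number changes.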
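Review bot: the rewritten paragraph in the `@@ -125,13 +129,11 @@` hunk names ``ima-gen-local-ca.sh`` and ``ima-gen.sh``, but the shell listing just above it invokes `ima-gen-local-ca.sh` and `ima-gen-CA-signed.sh`; fix the script name so the prose matches the commands. The unchanged line that follows has "tha CA's public key", which could be corrected while the paragraph is being touched.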
From: Stefan Berger
To: yocto@lists.yoctoproject.org
Cc: akuster808@gmail.com, Stefan Berger
Subject: [meta-security][PATCH v2 7/8] linux: overlayfs: Add kernel patch resolving a file change notification issue
Date: Tue, 9 May 2023 09:30:52 -0400
Message-Id: <20230509133053.1032476-8-stefanb@linux.ibm.com>
X-Mailer: git-send-email 2.39.1
In-Reply-To: <20230509133053.1032476-1-stefanb@linux.ibm.com>
References: <20230509133053.1032476-1-stefanb@linux.ibm.com>
X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto/message/59923

Add a temporary patch that resolves a file change notification issue
with overlayfs where IMA did not become aware of the file changes since
the 'lower' inode's i_version had not changed. The issue will be resolved
in later kernels with the following patch that builds on the newly added
feature (support for STATX_CHANGE_COOKIE) in v6.3-rc1:

https://lore.kernel.org/linux-integrity/20230418-engste-gastwirtschaft-601fb389bba5@brauner/T/#m3bf84296fe9e6499abb6e3191693948add2ff459
Signed-off-by: Stefan Berger --- ...Increment-iversion-upon-file-changes.patch | 42 +++++++++++++++++++ .../recipes-kernel/linux/linux_ima.inc | 1 + 2 files changed, 43 insertions(+) create mode 100644 meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch diff --git a/meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch b/meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch new file mode 100644 index 0000000..d2b5c28 --- /dev/null +++ b/meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch @@ -0,0 +1,42 @@ +From e9ed62e8d1d3eee7ffe862d9812c5320d3b9bd88 Mon Sep 17 00:00:00 2001 +From: Stefan Berger +Date: Thu, 6 Apr 2023 11:27:29 -0400 +Subject: [PATCH] ovl: Increment iversion upon file changes + +This is a temporary patch for kernels that do not implement +STATX_CHANGE_COOKIE (<= 6.2). The successor patch will be this one: + +https://lore.kernel.org/linux-integrity/20230418-engste-gastwirtschaft-601fb389bba5@brauner/T/#m3bf84296fe9e6499abb6e3191693948add2ff459 + +Increment the lower inode's iversion for IMA to be able to recognize +changes to the file. + +Signed-off-by: Stefan Berger +--- + fs/overlayfs/file.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/fs/overlayfs/file.c b/fs/overlayfs/file.c +index 6011f955436b..1dfe5e7bfe1c 100644 +--- a/fs/overlayfs/file.c ++++ b/fs/overlayfs/file.c +@@ -13,6 +13,7 @@ + #include + #include + #include ++#include + #include "overlayfs.h" + + struct ovl_aio_req { +@@ -408,6 +409,8 @@ static ssize_t ovl_write_iter(struct kiocb *iocb, struct iov_iter *iter) + if (ret != -EIOCBQUEUED) + ovl_aio_cleanup_handler(aio_req); + } ++ if (ret > 0) ++ inode_maybe_inc_iversion(inode, false); + out: + revert_creds(old_cred); + out_fdput: +-- +2.34.1 + 
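Review bot: in the fs/overlayfs/file.c hunk, the new `if (ret > 0) inode_maybe_inc_iversion(inode, false);` never fires for the asynchronous write path, because the branch directly above it (`if (ret != -EIOCBQUEUED) ovl_aio_cleanup_handler(aio_req);`) shows that path returning -EIOCBQUEUED rather than a byte count; a completed async write therefore still leaves i_version unchanged and IMA unaware of the change. Either cover the aio completion path as well or state in the description that only synchronous writes are handled. The description also says the lower inode's i_version is incremented while the hunk operates on `inode`; please name in the text which inode that variable refers to at this point in ovl_write_iter. Finally, the patch file carries no Upstream-Status: line, which meta layers require for every patch shipped in a recipe; since the text calls this a temporary change with a named successor on lore, an Upstream-Status: Inappropriate or Submitted tag with that link fits.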
diff --git a/meta-integrity/recipes-kernel/linux/linux_ima.inc b/meta-integrity/recipes-kernel/linux/linux_ima.inc index 0b6f530..9d48e5c 100644 --- a/meta-integrity/recipes-kernel/linux/linux_ima.inc +++ b/meta-integrity/recipes-kernel/linux/linux_ima.inc 
@@ -2,6 +2,7 @@ FILESEXTRAPATHS:append := "${THISDIR}/linux:" SRC_URI += " \ ${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'file://ima.scc', '', d)} \ + file://0001-ovl-Increment-iversion-upon-file-changes.patch \ " do_configure() {
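Review bot: in the linux_ima.inc hunk, the new patch is appended to SRC_URI unconditionally, while the ima.scc fragment on the line above is gated on `bb.utils.contains('DISTRO_FEATURES', 'ima', ...)`; the kernel change is therefore applied to every build that includes linux_ima.inc, and, being described as a stop-gap for kernels without STATX_CHANGE_COOKIE (<= 6.2), it will fail to apply or become redundant once the kernel moves to 6.3 or later. Gate the patch the same way as ima.scc and on the kernel version, or at least leave a recipe comment stating when it is to be dropped.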
From patchwork Tue May 9 13:30:53 2023

From: Stefan Berger
To: yocto@lists.yoctoproject.org
Cc: akuster808@gmail.com, Stefan Berger
Subject: [meta-security][PATCH v2 8/8] ima-evm-utils: Update ima-evm-utils to v1.5 and add a patch
Date: Tue, 9 May 2023 09:30:53 -0400
Message-Id: <20230509133053.1032476-9-stefanb@linux.ibm.com>
X-Mailer: git-send-email 2.39.1
In-Reply-To: <20230509133053.1032476-1-stefanb@linux.ibm.com>
References: <20230509133053.1032476-1-stefanb@linux.ibm.com>
X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto/message/59922

Signed-off-by: Stefan Berger
---
 ...ation-using-ioctl-when-evm_portable-.patch | 35 +++++++++++++++++++
 ...-evm-utils_1.4.bb => ima-evm-utils_1.5.bb} |  9 +++--
 2 files changed, 42 insertions(+), 2 deletions(-)
 create mode 100644 meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch
 rename meta-integrity/recipes-security/ima-evm-utils/{ima-evm-utils_1.4.bb => ima-evm-utils_1.5.bb} (71%)
diff --git a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch new file mode 100644 index 0000000..3624576 --- /dev/null +++ b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch @@ -0,0 +1,35 @@ +From 00ace817c5134d9844db387cadb9517ebad43808 Mon Sep 17 00:00:00 2001 +From: Stefan Berger +Date: Tue, 18 Apr 2023 11:43:55 -0400 +Subject: [PATCH] Do not get generation using ioctl when evm_portable is true + +If a signatures is detected as being portable do not attempt to read the +generation with the ioctl since in some cases this may not be supported +by the filesystem and is also not needed for computing a portable +signature. + +This avoids the current work-around of passing --generation 0 when the +ioctl is not supported by the filesystem. + +Signed-off-by: Stefan Berger +--- + src/evmctl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/evmctl.c b/src/evmctl.c +index 6d2bb67..c35a28c 100644 +--- a/src/evmctl.c ++++ b/src/evmctl.c +@@ -376,7 +376,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash) + if (mode_str) + st.st_mode = strtoul(mode_str, NULL, 10); + +- if (!evm_immutable) { ++ if (!evm_immutable && !evm_portable) { + if (S_ISREG(st.st_mode) && !generation_str) { + int fd = open(file, 0); + +--- +2.39.2 + + diff --git a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.4.bb b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.5.bb similarity index 71% rename from meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.4.bb rename to meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.5.bb index 873aeeb..8ac080c 100644 --- a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.4.bb 
+++ b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.5.bb @@ -6,8 +6,13 @@ DEPENDS += "openssl attr keyutils" DEPENDS:class-native += "openssl-native keyutils-native" -SRC_URI = "https://sourceforge.net/projects/linux-ima/files/${BPN}/${BP}.tar.gz" -SRC_URI[sha256sum] = "fcf85b31d6292051b3679e5f17ffa7f89b6898957aad0f59aa4e9878884b27d1" +FILESEXTRAPATHS:append := "${THISDIR}/${PN}:" + +SRC_URI = " \ + https://github.com/mimizohar/ima-evm-utils/releases/download/v${PV}/${BP}.tar.gz \ + file://0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch \ +" +SRC_URI[sha256sum] = "45f1caa3ad59ec59a1d6a74ea5df38c413488cd952ab62d98cf893c15e6f246d" inherit pkgconfig autotools features_check
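Review bot: for the src/evmctl.c hunk (`if (!evm_immutable && !evm_portable)`), the patch file carries no Upstream-Status: line, which meta layers require for every patch shipped in a recipe; add one (Submitted or Backport, with the upstream link) so that the next version bump can tell whether the file may be dropped. The patch description also reads "If a signatures is detected"; make that "If a signature is detected" before it lands in the layer.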
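Review bot: for the ima-evm-utils_1.5.bb hunk, the fetch location moves from sourceforge.net/projects/linux-ima to github.com/mimizohar/ima-evm-utils/releases and the sha256sum is replaced, yet the commit message consists of nothing but the Signed-off-by line; a change of source host for a tool that signs and verifies file integrity metadata is exactly what the log should explain, and the message should say how the new sha256sum was checked against upstream (release signature or signed tag) rather than only taken from the download. Please also confirm that the release asset at tag v${PV} is really named ${BP}.tar.gz (ima-evm-utils-1.5.tar.gz), since a mismatch only shows up at do_fetch.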