------- Comment From naynj...@ibm.com 2020-06-17 11:42 EDT -------

Thanks!! This is exactly what I needed.
I am now able to boot the signed kernel both in the "secure and trusted enabled" and the "only secure enabled" case. The earlier patch was missing the fix for the "only secure enabled" case. This patch took care of both. It works fine, and here are the test results:

1. Kernel booted fine both with secure boot enabled/disabled and only "secure boot" enabled.

2. With trusted boot disabled, here are the IMA rules:

ubuntu@ltc-wspoon13:~$ ls /proc/device-tree/ibm,secureboot/
compatible  hw-key-hash  hw-key-hash-size  ibm,cvc  name  os-secureboot-enforcing  phandle  secure-enabled
ubuntu@ltc-wspoon13:~$ sudo cat /sys/kernel/security/ima/policy
appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig appraise_flag=check_blacklist

3. With both secure and trusted boot enabled, here is how the IMA rules look:

ubuntu@ltc-wspoon13:~$ ls /proc/device-tree/ibm,secureboot/
compatible  hw-key-hash  hw-key-hash-size  ibm,cvc  name  os-secureboot-enforcing  phandle  secure-enabled  trusted-enabled
ubuntu@ltc-wspoon13:~$ sudo cat /sys/kernel/security/ima/policy
[sudo] password for ubuntu:
measure func=KEXEC_KERNEL_CHECK template=ima-modsig
measure func=MODULE_CHECK template=ima-modsig
appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig appraise_flag=check_blacklist

And the config file has CONFIG_MODULE_SIG enabled, on which the powerpc IMA arch policy #ifdefs depend.

ubuntu@ltc-wspoon13:~$ grep -i MODULE_SIG /boot/config-5.4.0-38-generic
CONFIG_MODULE_SIG_FORMAT=y
CONFIG_MODULE_SIG=y
# CONFIG_MODULE_SIG_FORCE is not set
CONFIG_MODULE_SIG_ALL=y
# CONFIG_MODULE_SIG_SHA1 is not set
# CONFIG_MODULE_SIG_SHA224 is not set
# CONFIG_MODULE_SIG_SHA256 is not set
# CONFIG_MODULE_SIG_SHA384 is not set
CONFIG_MODULE_SIG_SHA512=y
CONFIG_MODULE_SIG_HASH="sha512"
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"

Thanks & Regards,
- Nayna

** Tags removed: verification-needed-focal
** Tags added: verification-done-focal

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1877955

Title:
  Fix for secure boot rules in IMA arch policy on powerpc

Status in The Ubuntu-power-systems project:
  Fix Committed
Status in linux package in Ubuntu:
  In Progress
Status in linux source package in Focal:
  Fix Committed
Status in linux source package in Groovy:
  In Progress

Bug description:
  SRU Justification:
  ==================

  [Impact]

  * Currently the kernel module appended signature is verified twice (finit_module): once by module_sig_check() and again by IMA.

  * To prevent this, the powerpc secure boot rules define an IMA architecture-specific policy rule only if CONFIG_MODULE_SIG_FORCE is not enabled.

  * But this doesn't take into account the ability to enable "sig_enforce" on the boot command line (module.sig_enforce=1).

  * Including the IMA module appraise rule results in the finit_module syscall failing, unless the module signing public key is loaded onto the IMA keyring.

  * This patch fixes the secure boot policy rules to be based on CONFIG_MODULE_SIG instead.

  [Fix]

  * fa4f3f56ccd28ac031ab275e673ed4098855fed4 fa4f3f56ccd2 "powerpc/ima: Fix secure boot rules in ima arch policy"

  [Test Case]

  * Perform a secure boot on a powerpc system with 'module.sig_enforce=1' set on the boot command line.
  * If the IMA module appraise rule is included, the finit_module syscall will fail (unless the module signing public key got loaded onto the IMA keyring) without the patch in place.

  * The verification needs to be done by the IBM Power team.

  [Regression Potential]

  * There is (always) a certain regression risk with code changes, especially in the secure boot area.

  * But this patch is limited to the powerpc platform and will not affect any other architecture.

  * It got discussed at https://lore.kernel.org/r/1588342612-14532-1-git-send-email-na...@linux.ibm.com before it was finally accepted upstream with kernel 5.7-rc7.

  * The secure boot code itself wasn't really touched, rather its basis for execution. The IMA policy rule for module appraisal is now added only if 'CONFIG_MODULE_SIG' is not enabled (instead of CONFIG_MODULE_SIG_FORCE). Hence the change is very limited and straightforward.

  [Other]

  * Since the patch got upstream with 5.7-rc7, it is already in groovy, hence this SRU is for focal only.

  __________

  == Comment: #0 - Michael Ranweiler <mranw...@us.ibm.com> - 2020-04-22 14:44:31 ==

  +++ This bug was initially created as a clone of Bug #184073 +++

  This bug is a follow-on to LP 1866909 to address a missing piece: only half of the following patch was included in 5.4.0-24.28. The upstream patch has an additional fix but it's not critical for GA. It can get included as part of bug fixes. It also affects only power.

  The patch ("powerpc/ima: fix secure boot rules in ima arch policy") is posted to the linux-integrity and linuxppc-dev mailing lists (https://lore.kernel.org/linux-integrity/1586549618-6106-1-git-send-email-na...@linux.ibm.com/T/#u)

  If there are any issues identified during further testing, they will get opened as separate issues to be addressed later.

  Thanks & Regards,
  - Nayna

  == Comment: #4 - Michael Ranweiler <mranw...@us.ibm.com> - 2020-05-11 02:23:35 ==

  Updated posting: https://lore.kernel.org/linux-integrity/1588342612-14532-1-git-send-email-na...@linux.ibm.com/T/#u

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-power-systems/+bug/1877955/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
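The condition this SRU fixes can be reproduced in user space without a powerpc box. The script below is an added example written for this page; it is not code from the bug report, from the patch, or from the kernel tree. It models the arch policy's module rule as the bug description explains it: the MODULE_CHECK appraise rule is emitted only when a gate symbol is not enabled in the kernel config (CONFIG_MODULE_SIG_FORCE before the fix, CONFIG_MODULE_SIG after it), and it then asks whether IMA and module_sig_check() would both be checking module signatures once module.sig_enforce=1 is on the command line. The sample config is the MODULE_SIG section of the /boot/config quoted in the thread; the rule strings are copied from the policy output quoted there. The securityfs and sysfs paths used by live_assess (/sys/kernel/security/ima/policy and /sys/module/module/parameters/sig_enforce) are assumptions of this example, and whether the kernel itself turns sig_enforce on under secure boot is not something the thread states, so the script treats the sig_enforce value purely as an input.

```shell
#!/bin/sh
# Added example for LP #1877955: a user-space model of the powerpc IMA arch
# policy's module rule gating, plus a check of a running system. Not code from
# the bug report or from the kernel tree; rule text is copied from the policy
# output quoted in the bug, everything else is this example's own.

# Constructed sample: the MODULE_SIG section of the /boot/config quoted above.
SAMPLE_CONFIG='CONFIG_MODULE_SIG_FORMAT=y
CONFIG_MODULE_SIG=y
# CONFIG_MODULE_SIG_FORCE is not set
CONFIG_MODULE_SIG_ALL=y
CONFIG_MODULE_SIG_SHA512=y
CONFIG_MODULE_SIG_HASH="sha512"'

# config_enabled CONFIG_TEXT SYMBOL: succeeds if SYMBOL=y is a whole line.
# -x keeps CONFIG_MODULE_SIG from matching CONFIG_MODULE_SIG_FORCE=y and friends.
config_enabled() {
    printf '%s\n' "$1" | grep -qx "$2=y"
}

# secure_rules CONFIG_TEXT GATE_SYMBOL: prints the "secure boot enabled" rules.
# The MODULE_CHECK appraise rule is emitted only when GATE_SYMBOL is not set,
# mirroring an #ifndef GATE_SYMBOL around it. Before the fix the gate was
# CONFIG_MODULE_SIG_FORCE; the fix changes it to CONFIG_MODULE_SIG.
secure_rules() {
    echo 'appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig appraise_flag=check_blacklist'
    if ! config_enabled "$1" "$2"; then
        echo 'appraise func=MODULE_CHECK appraise_type=imasig|modsig appraise_flag=check_blacklist'
    fi
}

# has_ima_module_appraise POLICY_TEXT: succeeds if IMA would appraise modules.
has_ima_module_appraise() {
    printf '%s\n' "$1" | grep -Eq '^appraise[[:space:]].*func=MODULE_CHECK'
}

# assess POLICY_TEXT SIG_ENFORCE
#   SIG_ENFORCE: the Y/N read from /sys/module/module/parameters/sig_enforce
#   (assumed path), which module.sig_enforce=1 on the command line turns to Y.
# Prints one word:
#   double-verify  IMA appraises modules while module_sig_check() also enforces;
#                  finit_module fails unless the signing key is on the IMA keyring
#   ima-only       only IMA checks module signatures
#   loader-only    only module_sig_check() enforces (the layout after the fix)
#   none           neither enforces
assess() {
    ima=no
    has_ima_module_appraise "$1" && ima=yes
    case "$2" in
        Y|y|1) loader=yes ;;
        *)     loader=no ;;
    esac
    if [ "$ima" = yes ] && [ "$loader" = yes ]; then
        echo double-verify
    elif [ "$ima" = yes ]; then
        echo ima-only
    elif [ "$loader" = yes ]; then
        echo loader-only
    else
        echo none
    fi
}

# live_assess: run the same check against the running kernel (root is needed
# to read the IMA policy). Paths are assumptions of this example.
live_assess() {
    policy=$(cat /sys/kernel/security/ima/policy) || return 1
    enforce=$(cat /sys/module/module/parameters/sig_enforce) || return 1
    assess "$policy" "$enforce"
}

# demo: the sample config booted with module.sig_enforce=1, old gate vs new.
demo() {
    old=$(secure_rules "$SAMPLE_CONFIG" CONFIG_MODULE_SIG_FORCE)
    new=$(secure_rules "$SAMPLE_CONFIG" CONFIG_MODULE_SIG)
    echo "old gate (CONFIG_MODULE_SIG_FORCE): $(assess "$old" Y)"   # double-verify
    echo "new gate (CONFIG_MODULE_SIG):       $(assess "$new" Y)"   # loader-only
}

demo
```

With the sample config, CONFIG_MODULE_SIG=y but CONFIG_MODULE_SIG_FORCE unset, the old gate still emits the MODULE_CHECK appraise rule, so a boot with module.sig_enforce=1 lands in the double-verify case the bug describes; gating on CONFIG_MODULE_SIG drops the rule and leaves module_sig_check() as the single enforcer. Run live_assess as root on a patched focal kernel to confirm the policy shown in Nayna's verification (no MODULE_CHECK appraise rule) yields loader-only when sig_enforce is Y.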