Commit 03cee168 authored by Lakshmi Ramasubramanian, committed by Mimi Zohar

IMA: define a builtin critical data measurement policy

Define a new critical data builtin policy to allow measuring
early kernel integrity critical data before a custom IMA policy
is loaded.

Update the documentation on kernel parameters to document
the new critical data builtin policy.
Signed-off-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
Reviewed-by: Tyler Hicks <tyhicks@linux.microsoft.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
parent 9f5d7d23
...@@ -1746,7 +1746,7 @@ ...@@ -1746,7 +1746,7 @@
ima_policy= [IMA] ima_policy= [IMA]
The builtin policies to load during IMA setup. The builtin policies to load during IMA setup.
Format: "tcb | appraise_tcb | secure_boot | Format: "tcb | appraise_tcb | secure_boot |
fail_securely" fail_securely | critical_data"
The "tcb" policy measures all programs exec'd, files The "tcb" policy measures all programs exec'd, files
mmap'd for exec, and all files opened with the read mmap'd for exec, and all files opened with the read
...@@ -1765,6 +1765,9 @@ ...@@ -1765,6 +1765,9 @@
filesystems with the SB_I_UNVERIFIABLE_SIGNATURE filesystems with the SB_I_UNVERIFIABLE_SIGNATURE
flag. flag.
The "critical_data" policy measures kernel integrity
critical data.
ima_tcb [IMA] Deprecated. Use ima_policy= instead. ima_tcb [IMA] Deprecated. Use ima_policy= instead.
Load a policy which meets the needs of the Trusted Load a policy which meets the needs of the Trusted
Computing Base. This means IMA will measure all Computing Base. This means IMA will measure all
......
...@@ -206,6 +206,10 @@ static struct ima_rule_entry secure_boot_rules[] __ro_after_init = { ...@@ -206,6 +206,10 @@ static struct ima_rule_entry secure_boot_rules[] __ro_after_init = {
.flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
}; };
static struct ima_rule_entry critical_data_rules[] __ro_after_init = {
{.action = MEASURE, .func = CRITICAL_DATA, .flags = IMA_FUNC},
};
/* An array of architecture specific rules */ /* An array of architecture specific rules */
static struct ima_rule_entry *arch_policy_entry __ro_after_init; static struct ima_rule_entry *arch_policy_entry __ro_after_init;
...@@ -228,6 +232,7 @@ __setup("ima_tcb", default_measure_policy_setup); ...@@ -228,6 +232,7 @@ __setup("ima_tcb", default_measure_policy_setup);
static bool ima_use_appraise_tcb __initdata; static bool ima_use_appraise_tcb __initdata;
static bool ima_use_secure_boot __initdata; static bool ima_use_secure_boot __initdata;
static bool ima_use_critical_data __initdata;
static bool ima_fail_unverifiable_sigs __ro_after_init; static bool ima_fail_unverifiable_sigs __ro_after_init;
static int __init policy_setup(char *str) static int __init policy_setup(char *str)
{ {
...@@ -242,6 +247,8 @@ static int __init policy_setup(char *str) ...@@ -242,6 +247,8 @@ static int __init policy_setup(char *str)
ima_use_appraise_tcb = true; ima_use_appraise_tcb = true;
else if (strcmp(p, "secure_boot") == 0) else if (strcmp(p, "secure_boot") == 0)
ima_use_secure_boot = true; ima_use_secure_boot = true;
else if (strcmp(p, "critical_data") == 0)
ima_use_critical_data = true;
else if (strcmp(p, "fail_securely") == 0) else if (strcmp(p, "fail_securely") == 0)
ima_fail_unverifiable_sigs = true; ima_fail_unverifiable_sigs = true;
else else
...@@ -871,6 +878,11 @@ void __init ima_init_policy(void) ...@@ -871,6 +878,11 @@ void __init ima_init_policy(void)
ARRAY_SIZE(default_appraise_rules), ARRAY_SIZE(default_appraise_rules),
IMA_DEFAULT_POLICY); IMA_DEFAULT_POLICY);
if (ima_use_critical_data)
add_rules(critical_data_rules,
ARRAY_SIZE(critical_data_rules),
IMA_DEFAULT_POLICY);
ima_update_policy_flag(); ima_update_policy_flag();
} }
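Review bot: The new `critical_data_rules` entry matches every CRITICAL_DATA event — the rule carries only `IMA_FUNC`, no narrowing qualifier — and because `ima_init_policy()` adds it under `IMA_DEFAULT_POLICY`, it presumably lasts only until a custom policy replaces the builtin rules, which is what the commit message's "before a custom IMA policy is loaded" implies but nothing in ima_policy.c states. A comment above the array would spare the next reader a trip through the policy-update path: `/* Builtin "critical_data" policy: measure every CRITICAL_DATA event, whatever its source. Added under IMA_DEFAULT_POLICY, so a custom policy must restate an equivalent CRITICAL_DATA measure rule to keep measuring after it is loaded. */`. The kernel-parameters entry would benefit from the same caveat, so an operator does not expect `ima_policy=critical_data` to keep recording once a custom policy is written. `ima_init_policy()` begins above the last hunk, so I cannot confirm from here whether any earlier rule in that function also matches CRITICAL_DATA.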
......