[RFC PATCH 3/3] ima: Enable IMA SB Policy if MokIMAPolicy found

Eric Snowberg eric.snowberg at oracle.com
Mon May 17 22:57:14 UTC 2021


A new MOK variable called MokIMAPolicy has been introduced in shim.
When this UEFI variable is set, it indicates the end-user has made
the decision that they wish to use the built-in kernel IMA architecture
specific policy base on the run time secure boot flags.

By default, this new MOK variable is not defined.  This causes the
IMA architecture specific secure boot policy to be disabled. Since
this changes the current behavior, a new Kconfig option called
IMA_UEFI_ARCH_POLICY has been added.

Signed-off-by: Eric Snowberg <eric.snowberg at oracle.com>
---
 security/integrity/ima/Kconfig   |  8 ++++++++
 security/integrity/ima/ima_efi.c | 24 ++++++++++++++++++++++++
 2 files changed, 32 insertions(+)

diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
index 12e9250c1bec..3773d2d1ddc4 100644
--- a/security/integrity/ima/Kconfig
+++ b/security/integrity/ima/Kconfig
@@ -172,6 +172,14 @@ config IMA_ARCH_POLICY
           This option enables loading an IMA architecture specific policy
           based on run time secure boot flags.
 
+config IMA_UEFI_ARCH_POLICY
+	bool "Enable IMA archecture specific policy thru a UEFI variable"
+	depends on IMA_ARCH_POLICY
+	default n
+	help
+	  This option allows the IMA archecture specific policy to be
+	  enabled or disabled thru a UEFI variable setup thru the shim.
+
 config IMA_APPRAISE_BUILD_POLICY
 	bool "IMA build time configured policy rules"
 	depends on IMA_APPRAISE && INTEGRITY_ASYMMETRIC_KEYS
diff --git a/security/integrity/ima/ima_efi.c b/security/integrity/ima/ima_efi.c
index 71786d01946f..46873a94c934 100644
--- a/security/integrity/ima/ima_efi.c
+++ b/security/integrity/ima/ima_efi.c
@@ -62,8 +62,32 @@ static const char * const sb_arch_rules[] = {
 	NULL
 };
 
+static __init int is_uefi_arch_policy_enabled(void)
+{
+	efi_status_t status;
+	unsigned int enabled = 0;
+	unsigned long size = sizeof(enabled);
+	efi_guid_t guid = EFI_SHIM_LOCK_GUID;
+	u32 attr;
+
+	status = efi.get_variable(L"MokIMAPolicy", &guid, &attr, &size, &enabled);
+
+	/*
+	 * The EFI_VARIABLE_NON_VOLATILE check is to verify MokIMAPolicy
+	 * was set thru the shim mirrioring and not by a user from the host os.
+	 * According to the UEFI spec, once EBS is performed, only variables
+	 * that have EFI_VARIABLE_RUNTIME_ACCESS & EFI_VARIABLE_NON_VOLATILE
+	 * set can be set with SetVariable().
+	 */
+	return (status == EFI_SUCCESS && (!(attr & EFI_VARIABLE_NON_VOLATILE)));
+}
+
 const char * const *arch_get_ima_policy(void)
 {
+	if (IS_ENABLED(CONFIG_IMA_UEFI_ARCH_POLICY))
+		if (!is_uefi_arch_policy_enabled())
+			return NULL;
+
 	if (IS_ENABLED(CONFIG_IMA_ARCH_POLICY) && arch_ima_get_secureboot()) {
 		if (IS_ENABLED(CONFIG_MODULE_SIG))
 			set_module_sig_enforced();
-- 
2.18.4



More information about the Linux-security-module-archive mailing list