[Bug 1877955] Re: Fix for secure boot rules in IMA arch policy on powerpc

bugproxy Wed, 17 Jun 2020 08:56:22 -0700

------- Comment From naynj...@ibm.com 2020-06-17 11:42 EDT-------
Thanks !! This is exactly what I needed.


I am now able to boot the signed kernel both in "secure and trusted
enabled" and "only secure enabled" case. The earlier patch was missing
the fix for "only secure enabled" case. This patch took care of both.

It works fine and here are the test results:

1. Kernel booted fine both with secure boot enabled/disabled and only
"secure boot" enabled.

2. With trusted boot disabled, here is the IMA rules:

ubuntu@ltc-wspoon13:~$ ls /proc/device-tree/ibm,secureboot/
compatible  hw-key-hash  hw-key-hash-size  ibm,cvc  name  
os-secureboot-enforcing  phandle  secure-enabled
ubuntu@ltc-wspoon13:~$ sudo cat /sys/kernel/security/ima/policy
appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig 
appraise_flag=check_blacklist

2. With both secure and trusted boot enabled, here how the IMA rules
looks like:

ubuntu@ltc-wspoon13:~$ ls /proc/device-tree/ibm,secureboot/
compatible  hw-key-hash  hw-key-hash-size  ibm,cvc  name  
os-secureboot-enforcing  phandle  secure-enabled  trusted-enabled
ubuntu@ltc-wspoon13:~$ sudo cat /sys/kernel/security/ima/policy
[sudo] password for ubuntu:
measure func=KEXEC_KERNEL_CHECK template=ima-modsig
measure func=MODULE_CHECK template=ima-modsig
appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig 
appraise_flag=check_blacklist

And the config file has CONFIG_MODULE_SIG enabled, on which the powerpc IMA 
arch policies #ifdef are dependent.
ubuntu@ltc-wspoon13:~$ grep -i MODULE_SIG /boot/config-5.4.0-38-generic
CONFIG_MODULE_SIG_FORMAT=y
CONFIG_MODULE_SIG=y
# CONFIG_MODULE_SIG_FORCE is not set
CONFIG_MODULE_SIG_ALL=y
# CONFIG_MODULE_SIG_SHA1 is not set
# CONFIG_MODULE_SIG_SHA224 is not set
# CONFIG_MODULE_SIG_SHA256 is not set
# CONFIG_MODULE_SIG_SHA384 is not set
CONFIG_MODULE_SIG_SHA512=y
CONFIG_MODULE_SIG_HASH="sha512"
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"

Thanks & Regards,
- Nayna

** Tags removed: verification-needed-focal
** Tags added: verification-done-focal

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1877955

Title:
  Fix for secure boot rules in IMA arch policy on powerpc

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-power-systems/+bug/1877955/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1877955] Re: Fix for secure boot rules in IMA arch policy on powerpc

Reply via email to