mbox series

[v4,0/3] wire up IMA secure boot for arm64

Message ID 20201102223800.12181-1-ardb@kernel.org (mailing list archive)
Headers show
Series wire up IMA secure boot for arm64 | expand

Message

Ard Biesheuvel Nov. 2, 2020, 10:37 p.m. UTC
This is a follow-up to Chester's series [0] to enable IMA to the secure
boot state of arm64 platforms, which is EFI based.

This v4 implements the changes I suggested to Chester, in particular:
- disregard MokSbState when factoring out secure boot mode discovery
- turn the x86 IMA arch code into shared code for all architectures.

This reduces the final patch to a one liner enabling a Kconfig option
for arm64 when EFI is enabled.

Build tested only.

[0] https://lore.kernel.org/linux-arm-kernel/20201030060840.1810-1-clin@suse.com/

Cc: zohar@linux.ibm.com
Cc: jmorris@namei.org
Cc: serge@hallyn.com
Cc: dmitry.kasatkin@gmail.com
Cc: catalin.marinas@arm.com
Cc: will@kernel.org
Cc: clin@suse.com
Cc: x86@kernel.org
Cc: jlee@suse.com
Cc: linux-integrity@vger.kernel.org,
Cc: linux-arm-kernel@lists.infradead.org
  
Chester Lin (3):
  efi: generalize efi_get_secureboot
  ima: generalize x86/EFI arch glue for other EFI architectures
  arm64/ima: add ima_arch support

 arch/arm64/Kconfig                            |  1 +
 arch/x86/boot/compressed/Makefile             |  2 +-
 arch/x86/include/asm/efi.h                    |  3 ++
 arch/x86/kernel/Makefile                      |  2 -
 drivers/firmware/efi/libstub/efistub.h        |  2 +
 drivers/firmware/efi/libstub/secureboot.c     | 41 +++++++----------
 include/linux/efi.h                           | 23 +++++++++-
 security/integrity/ima/Makefile               |  4 ++
 .../integrity/ima/ima_efi.c                   | 45 +++++--------------
 9 files changed, 60 insertions(+), 63 deletions(-)
 rename arch/x86/kernel/ima_arch.c => security/integrity/ima/ima_efi.c (60%)

Comments

Mimi Zohar Nov. 4, 2020, 6:20 p.m. UTC | #1
Hi Ard, Chester,

On Mon, 2020-11-02 at 23:37 +0100, Ard Biesheuvel wrote:
> This is a follow-up to Chester's series [0] to enable IMA to the secure
> boot state of arm64 platforms, which is EFI based.
> 
> This v4 implements the changes I suggested to Chester, in particular:
> - disregard MokSbState when factoring out secure boot mode discovery
> - turn the x86 IMA arch code into shared code for all architectures.
> 
> This reduces the final patch to a one liner enabling a Kconfig option
> for arm64 when EFI is enabled.
> 
> Build tested only.

Thank you!  This patch set is now queued in the linux-integrity next-
integrity-testing branch.

Mimi
Ard Biesheuvel Nov. 4, 2020, 6:50 p.m. UTC | #2
On Wed, 4 Nov 2020 at 19:20, Mimi Zohar <zohar@linux.ibm.com> wrote:
>
> Hi Ard, Chester,
>
> On Mon, 2020-11-02 at 23:37 +0100, Ard Biesheuvel wrote:
> > This is a follow-up to Chester's series [0] to enable IMA to the secure
> > boot state of arm64 platforms, which is EFI based.
> >
> > This v4 implements the changes I suggested to Chester, in particular:
> > - disregard MokSbState when factoring out secure boot mode discovery
> > - turn the x86 IMA arch code into shared code for all architectures.
> >
> > This reduces the final patch to a one liner enabling a Kconfig option
> > for arm64 when EFI is enabled.
> >
> > Build tested only.
>
> Thank you!  This patch set is now queued in the linux-integrity next-
> integrity-testing branch.
>

I don't mind per se, but this touches a number of different trees,
including x86 and arm64, and nobody has acked it yet.

As far as the EFI tree is concerned, it looks like I should be able to
avoid any conflicts with other stuff that is in flight, and if not, we
can always use your branch up until the last patch in this serires as
a shared tag (assuming you won't rebase it).
Mimi Zohar Nov. 4, 2020, 7:03 p.m. UTC | #3
On Wed, 2020-11-04 at 19:50 +0100, Ard Biesheuvel wrote:
> On Wed, 4 Nov 2020 at 19:20, Mimi Zohar <zohar@linux.ibm.com> wrote:
> >
> > Hi Ard, Chester,
> >
> > On Mon, 2020-11-02 at 23:37 +0100, Ard Biesheuvel wrote:
> > > This is a follow-up to Chester's series [0] to enable IMA to the secure
> > > boot state of arm64 platforms, which is EFI based.
> > >
> > > This v4 implements the changes I suggested to Chester, in particular:
> > > - disregard MokSbState when factoring out secure boot mode discovery
> > > - turn the x86 IMA arch code into shared code for all architectures.
> > >
> > > This reduces the final patch to a one liner enabling a Kconfig option
> > > for arm64 when EFI is enabled.
> > >
> > > Build tested only.
> >
> > Thank you!  This patch set is now queued in the linux-integrity next-
> > integrity-testing branch.
> >
> 
> I don't mind per se, but this touches a number of different trees,
> including x86 and arm64, and nobody has acked it yet.
> 
> As far as the EFI tree is concerned, it looks like I should be able to
> avoid any conflicts with other stuff that is in flight, and if not, we
> can always use your branch up until the last patch in this serires as
> a shared tag (assuming you won't rebase it).

The next-integrity-testing branch is just a place holder waiting for
additional tags.  I've reviewed and tested the patch set on x86.  Based
on the secure boot status and how the kernel is configured, the
appropriate policy rules are enabled.   Similarly the IMA appraise mode
(ima_appraise=) is working properly.  I have not tested on arm64.

I do not have a problem with this patch set being upstream via EFI.

thanks,

Mimi
Ard Biesheuvel Nov. 4, 2020, 7:12 p.m. UTC | #4
On Wed, 4 Nov 2020 at 20:03, Mimi Zohar <zohar@linux.ibm.com> wrote:
>
> On Wed, 2020-11-04 at 19:50 +0100, Ard Biesheuvel wrote:
> > On Wed, 4 Nov 2020 at 19:20, Mimi Zohar <zohar@linux.ibm.com> wrote:
> > >
> > > Hi Ard, Chester,
> > >
> > > On Mon, 2020-11-02 at 23:37 +0100, Ard Biesheuvel wrote:
> > > > This is a follow-up to Chester's series [0] to enable IMA to the secure
> > > > boot state of arm64 platforms, which is EFI based.
> > > >
> > > > This v4 implements the changes I suggested to Chester, in particular:
> > > > - disregard MokSbState when factoring out secure boot mode discovery
> > > > - turn the x86 IMA arch code into shared code for all architectures.
> > > >
> > > > This reduces the final patch to a one liner enabling a Kconfig option
> > > > for arm64 when EFI is enabled.
> > > >
> > > > Build tested only.
> > >
> > > Thank you!  This patch set is now queued in the linux-integrity next-
> > > integrity-testing branch.
> > >
> >
> > I don't mind per se, but this touches a number of different trees,
> > including x86 and arm64, and nobody has acked it yet.
> >
> > As far as the EFI tree is concerned, it looks like I should be able to
> > avoid any conflicts with other stuff that is in flight, and if not, we
> > can always use your branch up until the last patch in this serires as
> > a shared tag (assuming you won't rebase it).
>
> The next-integrity-testing branch is just a place holder waiting for
> additional tags.  I've reviewed and tested the patch set on x86.  Based
> on the secure boot status and how the kernel is configured, the
> appropriate policy rules are enabled.   Similarly the IMA appraise mode
> (ima_appraise=) is working properly.  I have not tested on arm64.
>
> I do not have a problem with this patch set being upstream via EFI.
>

Ah right. That is probably better, as EFI goes via the x86 tree, and I
work closely with the arm64 maintainers on other things as well.

Please let me know once you are ready to ack this from IMA pov, and I
will carry it further.
Mimi Zohar Nov. 4, 2020, 7:55 p.m. UTC | #5
On Wed, 2020-11-04 at 20:12 +0100, Ard Biesheuvel wrote:

> > I do not have a problem with this patch set being upstream via EFI.
> >
> 
> Ah right. That is probably better, as EFI goes via the x86 tree, and I
> work closely with the arm64 maintainers on other things as well.
> 
> Please let me know once you are ready to ack this from IMA pov, and I
> will carry it further.

thanks,

Acked-by: Mimi Zohar <zohar@linux.ibm.com>
Ard Biesheuvel Nov. 5, 2020, 7:55 a.m. UTC | #6
On Wed, 4 Nov 2020 at 20:55, Mimi Zohar <zohar@linux.ibm.com> wrote:
>
> On Wed, 2020-11-04 at 20:12 +0100, Ard Biesheuvel wrote:
>
> > > I do not have a problem with this patch set being upstream via EFI.
> > >
> >
> > Ah right. That is probably better, as EFI goes via the x86 tree, and I
> > work closely with the arm64 maintainers on other things as well.
> >
> > Please let me know once you are ready to ack this from IMA pov, and I
> > will carry it further.
>
> thanks,
>
> Acked-by: Mimi Zohar <zohar@linux.ibm.com>
>

Thanks Mimi