Fix for secure boot rules in IMA arch policy on powerpc
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| The Ubuntu-power-systems project | Fix Released | Medium | Canonical Kernel Team | |
| linux (Ubuntu) | Fix Released | Undecided | Ubuntu on IBM Power Systems Bug Triage | |
| Focal | Fix Released | Undecided | Unassigned | |
| Groovy | Fix Released | Undecided | Ubuntu on IBM Power Systems Bug Triage | |
Bug Description
SRU Justification:
==================
[Impact]
* Currently the kernel module appended signature is verified twice (finit_module) - once by the module_sig_check() and again by IMA.
* To prevent this the powerpc secure boot rules define an IMA architecture specific policy rule only if CONFIG_
* But this doesn't take the ability into account of enabling "sig_enforce" at the boot command line (module.
* Including the IMA module appraise rule results in failing the finit_module syscall, unless the module signing public key is loaded onto the IMA keyring.
* This patch fixes secure boot policy rules to be based on CONFIG_MODULE_SIG instead.
[Fix]
* fa4f3f56ccd28ac
[Test Case]
* Perform a secure boot on a powerpc system with 'module.
* If the IMA module appraise rule is included, the finit_module syscall will fail (unless the module signing public key got loaded onto the IMA keyring) without having the patch in place.
* The verification needs to be done by the IBM Power team.
[Regression Potential]
* There is (always) a certain regression risk with having code changes, especially in the secure boot area.
* But this patch is limited to the powerpc platform and will not affect any other architecture.
* It got discussed at https://<email address hidden> before it was finally accepted upstream with kernel 5.7-rc7.
* The secure boot code itself wasn't really touched, rather its basis for execution.
The IMA policy rule for module appraisal is now added only if 'CONFIG_MODULE_SIG' is not enabled (instead of CONFIG_
Hence the change is very limited and straightforward.
[Other]
* Since the patch got upstream with 5.7-rc7, it is already in groovy, hence this SRU is for focal only.
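To make the guard change concrete, here is a small C model of the decision this SRU fixes. It is an added illustration, not the kernel's or the patch's code: the function names are invented, and the real rule table lives in the kernel's powerpc IMA arch policy code.

```c
/* Added model of the powerpc IMA arch-policy decision; illustration only,
 * not kernel code.  All function names here are made up for this example. */
#include <stdbool.h>
#include <stdio.h>

/* Does the powerpc secure-boot arch policy install the IMA MODULE_CHECK
 * appraise rule?  Before the fix the guard was CONFIG_MODULE_SIG_FORCE,
 * after the fix it is CONFIG_MODULE_SIG (FORCE selects SIG in Kconfig). */
bool ima_module_rule_added(bool cfg_module_sig, bool cfg_module_sig_force, bool fixed)
{
    return fixed ? !cfg_module_sig : !cfg_module_sig_force;
}

struct load_result {
    int verifications;  /* how often the appended signature gets checked */
    bool finit_fails;   /* finit_module() returns an error */
};

/* Outcome of finit_module() for a module with a valid appended signature.
 * With CONFIG_MODULE_SIG=y the loader verifies the signature whether or not
 * module.sig_enforce=1 was given; sig_enforce only decides if unsigned
 * modules are rejected, which is why the guard must be CONFIG_MODULE_SIG. */
struct load_result load_signed_module(bool cfg_module_sig, bool cfg_module_sig_force,
                                      bool key_on_ima_keyring, bool fixed)
{
    struct load_result r = { 0, false };
    if (cfg_module_sig)
        r.verifications++;  /* module_sig_check() in the module loader */
    if (ima_module_rule_added(cfg_module_sig, cfg_module_sig_force, fixed)) {
        r.verifications++;  /* IMA appraises the same signature again... */
        r.finit_fails = !key_on_ima_keyring;  /* ...against the IMA keyring */
    }
    return r;
}

int main(void)
{
    /* The configuration from the bug: MODULE_SIG=y, MODULE_SIG_FORCE=n,
     * module.sig_enforce=1, signing key not loaded onto the IMA keyring. */
    for (int fixed = 0; fixed <= 1; fixed++) {
        struct load_result r = load_signed_module(true, false, false, fixed);
        printf("%s fix: verified %d time(s), finit_module %s\n",
               fixed ? "with" : "without", r.verifications,
               r.finit_fails ? "fails" : "succeeds");
    }
    return 0;
}
```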
__________
== Comment: #0 - Michael Ranweiler <email address hidden> - 2020-04-22 14:44:31 ==
+++ This bug was initially created as a clone of Bug #184073 +++
This bug is a follow-on to LP 1866909 to address a missing piece - only half of the following patch was included in 5.4.0-24.28.
The upstream patch has an additional fix but it's not critical for GA. It can get included as part of bug fixes. It also affects only power. The patch ("powerpc/ima: fix secure boot rules in ima arch policy") is posted to the linux-integrity and linuxppc-dev mailing lists (https:/
If there are any issues identified during further testing, they will get opened as separate issues to be addressed later.
Thanks & Regards,
- Nayna
== Comment: #4 - Michael Ranweiler <email address hidden> - 2020-05-11 02:23:35 ==
Updated posting:
https:/
tags: | added: architecture-ppc64le bugnameltc-185515 severity-medium targetmilestone-inin2004 |
Changed in ubuntu: | |
assignee: | nobody → Ubuntu on IBM Power Systems Bug Triage (ubuntu-power-triage) |
affects: | ubuntu → linux (Ubuntu) |
Changed in ubuntu-power-systems: | |
importance: | Undecided → Medium |
assignee: | nobody → Canonical Kernel Team (canonical-kernel-team) |
description: | updated |
description: | updated |
description: | updated |
Changed in linux (Ubuntu): | |
status: | Incomplete → Triaged |
Changed in ubuntu-power-systems: | |
status: | Incomplete → Triaged |
Changed in linux (Ubuntu Focal): | |
status: | New → In Progress |
Changed in linux (Ubuntu Focal): | |
status: | In Progress → Fix Committed |
Changed in ubuntu-power-systems: | |
status: | In Progress → Fix Committed |
Changed in ubuntu-power-systems: | |
status: | Fix Committed → Fix Released |
Thanks for creating this separate bug.
I just need to set it to Incomplete until the patch got accepted upstream and is available for example from 'linux-next' (which is not yet the case, but probably soon).
In preparation for the SRU process I changed the bug title.