------- Comment From <email address hidden> 2020-06-17 11:42 EDT-------
Thanks!! This is exactly what I needed.
I am now able to boot the signed kernel in both the "secure and trusted enabled" and "only secure enabled" cases. The earlier patch was missing the fix for the "only secure enabled" case. This patch took care of both.
It works fine and here are the test results:
1. Kernel booted fine both with secure boot enabled/disabled and only "secure boot" enabled.
2. With trusted boot disabled, here are the IMA rules:
ubuntu@ltc-wspoon13:~$ ls /proc/device-tree/ibm,secureboot/
compatible hw-key-hash hw-key-hash-size ibm,cvc name os-secureboot-enforcing phandle secure-enabled
ubuntu@ltc-wspoon13:~$ sudo cat /sys/kernel/security/ima/policy
appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig appraise_flag=check_blacklist
3. With both secure and trusted boot enabled, here is how the IMA rules look:
ubuntu@ltc-wspoon13:~$ ls /proc/device-tree/ibm,secureboot/
compatible hw-key-hash hw-key-hash-size ibm,cvc name os-secureboot-enforcing phandle secure-enabled trusted-enabled
ubuntu@ltc-wspoon13:~$ sudo cat /sys/kernel/security/ima/policy
[sudo] password for ubuntu:
measure func=KEXEC_KERNEL_CHECK template=ima-modsig
measure func=MODULE_CHECK template=ima-modsig
appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig appraise_flag=check_blacklist
And the config file has CONFIG_MODULE_SIG enabled, on which the powerpc IMA arch policy #ifdefs depend.
ubuntu@ltc-wspoon13:~$ grep -i MODULE_SIG /boot/config-5.4.0-38-generic
CONFIG_MODULE_SIG_FORMAT=y
CONFIG_MODULE_SIG=y
# CONFIG_MODULE_SIG_FORCE is not set
CONFIG_MODULE_SIG_ALL=y
# CONFIG_MODULE_SIG_SHA1 is not set
# CONFIG_MODULE_SIG_SHA224 is not set
# CONFIG_MODULE_SIG_SHA256 is not set
# CONFIG_MODULE_SIG_SHA384 is not set
CONFIG_MODULE_SIG_SHA512=y
CONFIG_MODULE_SIG_HASH="sha512"
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
Thanks & Regards,
- Nayna
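
A check built from the results reported above, added here as an example and not part of the bug report or the kernel patch: it compares a loaded IMA policy against the rules the comment lists for each firmware state. The function names and the constructed sample data are assumptions, as is treating the presence of the secure-enabled and trusted-enabled properties as meaning enabled.

```shell
#!/bin/sh
# Added example (not from the bug report). Expected rules are the ones quoted
# in the comment above; "property file exists" == "enabled" is an assumption
# taken from the ls listings there.

expected_rules() {   # $1 = ibm,secureboot device-tree directory
    [ -e "$1/secure-enabled" ] || return 0
    if [ -e "$1/trusted-enabled" ]; then
        echo 'measure func=KEXEC_KERNEL_CHECK template=ima-modsig'
        echo 'measure func=MODULE_CHECK template=ima-modsig'
    fi
    echo 'appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig appraise_flag=check_blacklist'
}

check_ima_policy() { # $1 = device-tree dir, $2 = policy file (root needed on a live system)
    rules=$(expected_rules "$1")
    [ -n "$rules" ] || { echo "secure-enabled absent: no arch rules expected"; return 0; }
    missing=0
    while IFS= read -r rule; do
        # Strip trailing blanks from policy lines before the exact-line match.
        if sed 's/[[:space:]]*$//' "$2" | grep -qxF -- "$rule"; then
            echo "ok:      $rule"
        else
            echo "MISSING: $rule"; missing=$((missing + 1))
        fi
    done <<EOF
$rules
EOF
    [ "$missing" -eq 0 ]
}

constructed_demo() { # $1 = secure|trusted; builds constructed sample inputs
    d=$(mktemp -d) || return 2
    mkdir "$d/dt"; : > "$d/dt/secure-enabled"
    if [ "$1" = trusted ]; then : > "$d/dt/trusted-enabled"; fi
    # Constructed policy holding only the appraise rule, with a trailing blank.
    echo 'appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig appraise_flag=check_blacklist ' > "$d/policy"
    rc=0; check_ima_policy "$d/dt" "$d/policy" || rc=1
    rm -rf "$d"; return "$rc"
}
```

On a live system the equivalent call is check_ima_policy /proc/device-tree/ibm,secureboot /sys/kernel/security/ima/policy, run as root.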