------- Comment From naynj...@ibm.com 2020-04-06 11:23 EDT -------

Tested the updated ppa kernel. Everything looks good and here are the test results:

Secure boot is enabled, as seen by the device-tree entry "os-secureboot-enforcing":

ubuntu@ltc-wspoon13:~$ ls /proc/device-tree/ibm,secureboot/
compatible        ibm,cvc                  phandle
hw-key-hash       name                     secure-enabled
hw-key-hash-size  os-secureboot-enforcing  trusted-enabled

IMA policies are as below. It doesn't have MODULE_CHECK enabled now.

root@ltc-wspoon13:/home/ubuntu# cat /sys/kernel/security/ima/policy
measure func=KEXEC_KERNEL_CHECK template=ima-modsig
measure func=MODULE_CHECK template=ima-modsig
appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig appraise_flag=check_blacklist

Platform keyring is loaded with db keys:

root@ltc-wspoon13:/home/ubuntu# keyctl show %keyring:.platform
Keyring
1002253804 ---lswrv      0     0  keyring: .platform
 900087744 ---lswrv      0     0   \_ asymmetric: PPA sforshee lp1866909 Opal: d9be99d351bd1a2bdef604427612399dc47cb452

Build time generated key used for signing modules is:

root@ltc-wspoon13:/home/ubuntu# keyctl show %keyring:.builtin_trusted_keys
Keyring
 929665685 ---lswrv      0     0  keyring: .builtin_trusted_keys
 110783576 ---lswrv      0     0   \_ asymmetric: Build time autogenerated kernel key: d80d11780f22b0a033c0a787e075d0f0eb784d2c

sysfs interface is enabled:

root@ltc-wspoon13:/home/ubuntu# ls /sys/firmware/secvar/vars/
db  dbx  KEK  PK  TS

kexec load is disabled:

root@ltc-wspoon13:/boot# kexec -l /boot/vmlinux-5.4.0-21-generic -i /boot/initrd.img-5.4.0-21-generic
Warning: append= option is not passed. Using the first kernel root partition
Modified cmdline:root=UUID=49d000cb-dba2-4d70-809e-38f2b31d0f09
[ 1150.964096] ima: impossible to appraise a kernel image without a file descriptor; try using kexec_file_load syscall.
kexec_load failed: Permission denied
entry       = 0x39f0600 flags = 0x150000
nr_segments = 3
segment[0].buf   = 0x76a989590010
segment[0].bufsz = 0x1aca0d8
segment[0].mem   = 0x1d00000
segment[0].memsz = 0x1cf0000
segment[1].buf   = 0xac9705e7260
segment[1].bufsz = 0x38c0
segment[1].mem   = 0x39f0000
segment[1].memsz = 0x10000
segment[2].buf   = 0x76a989430010
segment[2].bufsz = 0x648dc
segment[2].mem   = 0x2ff90000
segment[2].memsz = 0x70000

kexec_file_load failed when trying for a kernel signed with a different key. The key for this kernel is not present in the .platform keyring. It says "invalid-signature" in the audit log.

root@ltc-wspoon13:/boot# kexec -s -l /boot/vmlinux-5.4.27signpatch.signed
kexec_file_load failed: Permission denied
-l /boot/vmlinux-5.4.27signpatch.signed

And here is the audit log message for it:

Apr  6 10:12:52 ltc-wspoon13 kernel: [  233.996642] audit: type=1800 audit(1586185972.332:16): pid=3385 uid=0 auid=1000 ses=1 op=appraise_data cause=invalid-signature comm="kexec" name="/boot/vmlinux-5.4.27signpatch.signed" dev="sdb6" ino=2017357 res=0

Next tried to load the signed kernel whose key is present in the .platform keyring.

root@ltc-wspoon13:/home/ubuntu# kexec -s -l /boot/vmlinux-5.4.0-21-generic
root@ltc-wspoon13:/home/ubuntu# dmesg | tail
[    9.127873] Console: switching to colour frame buffer device 128x48
[  233.996640] kauditd_printk_skb: 1 callbacks suppressed
[  233.996642] audit: type=1800 audit(1586185972.332:16): pid=3385 uid=0 auid=1000 ses=1 op=appraise_data cause=invalid-signature comm="kexec" name="/boot/vmlinux-5.4.27signpatch.signed" dev="sdb6" ino=2017357 res=0
[  762.188842] ima dump: 01 00 00 00 00 00 00 00 8f 38 00 00 00 00 00 00  .........8......
[  762.188844] ima dump: 4a 00 00 00 00 00 00 00 0a 00 00 00 bc b0 e5 18  J...............
[  762.188845] ima dump: b7 9d e0 d7 f2 cd 20 b8 a2 9a 70 92 e6 5d b7 ef  ...... ...p..]..
[  762.188846] ima dump: 07 00 00 00 69 6d 61 2d 73 69 67 35 00 00 00 1a  ....ima-sig5....
[  762.188847] ima dump: 00 00 00 73 68 61 31 3a 00 00 00 00 00 00 00 00  ...sha1:........
[  762.188847] ima dump: 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 00  ................
[  762.188848] ima dump: 00 62 6f 6f                                      .boo
root@ltc-wspoon13:/home/ubuntu#

Thanks to Canonical for including the patch and respinning the new kernel for testing. Thanks to Michael for installing the latest kernel and setting up the system and helping throughout the testing. Thanks to Mimi for helping with the fix to resolve the issue.

Thanks & Regards,
- Nayna

https://bugs.launchpad.net/bugs/1866909

Title:
  Ubuntu Kernel Support for OpenPOWER NV Secure & Trusted Boot

Status in The Ubuntu-power-systems project:
  Incomplete
Status in linux package in Ubuntu:
  Incomplete

Bug description:
  == Comment: #0 - George C. Wilson <gcwil...@us.ibm.com> - 2020-02-25 18:40:44 ==
  - sysfs enablement: TBD
  - ima: arch specific policy support 6191706246de
  - platform keyring changes for powerpc: TBD
  - Appended signatures support for IMA appraisal 39b07096364a42c516415d5f841069e885234e61
  - integrity: Define a trusted platform keyring: 9dc92c45177a
  - ima: Support platform keyring for kernel appraisal: d7cecb676dd3
  - TPM 2.0 Multibank extend support: c1f92b4b04ad
  - TPM 2.0 Eventlog support: 4d23cc323cdb
  - ima: carry the measurement list across kexec: d68a6fe9fccf
  - kexec_file_load system call support: 500c7ab1a9db
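As an added example (not part of Nayna's report or of the Ubuntu kernel), a small Python parser for the IMA audit records quoted above: it extracts the key=value fields from type=1800 (AUDIT_INTEGRITY_DATA) lines and lists appraisal denials such as the invalid-signature result for the kernel signed with a key that is absent from the .platform keyring. Only the first sample line is from the report; the other two log lines are constructed.

```python
import re
from typing import Optional

# Constructed sample log. The first line is the appraisal failure quoted in the
# report; the other two are constructed to exercise the filter.
SAMPLE_LOG = """\
Apr  6 10:12:52 ltc-wspoon13 kernel: [  233.996642] audit: type=1800 audit(1586185972.332:16): pid=3385 uid=0 auid=1000 ses=1 op=appraise_data cause=invalid-signature comm="kexec" name="/boot/vmlinux-5.4.27signpatch.signed" dev="sdb6" ino=2017357 res=0
Apr  6 10:20:00 ltc-wspoon13 kernel: [  700.000000] audit: type=1800 audit(1586186400.000:17): pid=4100 uid=0 auid=1000 ses=1 op=appraise_data cause=invalid-hash comm="insmod" name="/lib/modules/constructed.ko" dev="sdb6" ino=12345 res=0
Apr  6 10:21:00 ltc-wspoon13 kernel: [  760.000000] audit: type=1800 audit(1586186460.000:18): pid=4200 uid=0 auid=1000 ses=1 op=collect_data cause=open_writers comm="cat" name="/tmp/constructed" dev="sdb6" ino=9 res=0
"""

AUDIT_INTEGRITY_DATA = 1800  # audit record type emitted by IMA

_HEADER_RE = re.compile(
    r"audit: type=(?P<type>\d+) audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)")
# key=value pairs; values are either double-quoted (comm, name, dev) or bare.
_KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_ima_audit(line: str) -> Optional[dict]:
    """Return the audit record as a dict, or None if the line is not an audit record."""
    m = _HEADER_RE.search(line)
    if m is None:
        return None
    rec = {"type": int(m["type"]), "timestamp": float(m["ts"]), "serial": int(m["serial"])}
    for key, raw, quoted in _KV_RE.findall(m["body"]):
        rec[key] = quoted if raw.startswith('"') else raw
    return rec


def appraisal_failures(log: str) -> list:
    """List IMA appraisal denials as (comm, name, cause).

    res=0 means the operation failed; op=appraise_data restricts the result to
    signature/hash appraisal, so measurement-only records are skipped.
    """
    denials = []
    for line in log.splitlines():
        rec = parse_ima_audit(line)
        if (rec is not None and rec["type"] == AUDIT_INTEGRITY_DATA
                and rec.get("op") == "appraise_data" and rec.get("res") == "0"):
            denials.append((rec["comm"], rec["name"], rec["cause"]))
    return denials


if __name__ == "__main__":
    for comm, name, cause in appraisal_failures(SAMPLE_LOG):
        print(f"{comm} denied access to {name}: {cause}")
```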