merged, Thanks On 4/8/21 11:38 AM, Ming Liu wrote: > From: Ming Liu <[email protected]> > > Introduce IMA_FORCE to allow the IMA policy be applied forcely even > 'no_ima' boot parameter is available. > > This ensures the end users have a way to disable 'no_ima' support if > they want to, because it may expose a security risk if an attacker can > find a way to change kernel arguments, it will easily bypass rootfs > authenticity checks. > > Signed-off-by: Sergio Prado <[email protected]> > Signed-off-by: Ming Liu <[email protected]> > --- > .../initrdscripts/initramfs-framework-ima.bb | 5 +++++ > .../initrdscripts/initramfs-framework-ima/ima | 9 +++++++-- > 2 files changed, 12 insertions(+), 2 deletions(-) > > diff --git > a/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb > b/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb > index 77f6f7c..6471c53 100644 > --- a/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb > +++ b/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb > @@ -14,6 +14,9 @@ LIC_FILES_CHKSUM = > "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384 > # to this recipe can just point towards one of its own files. > IMA_POLICY ?= "ima-policy-hashed" > > +# Force proceed IMA procedure even 'no_ima' boot parameter is available. > +IMA_FORCE ?= "false" > + > SRC_URI = " file://ima" > > inherit features_check > @@ -23,6 +26,8 @@ do_install () { > install -d ${D}/${sysconfdir}/ima > install -d ${D}/init.d > install ${WORKDIR}/ima ${D}/init.d/20-ima > + > + sed -i "s/@@FORCE_IMA@@/${IMA_FORCE}/g" ${D}/init.d/20-ima > } > > FILES_${PN} = "/init.d ${sysconfdir}" > diff --git > a/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima > b/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima > index cff26a3..8971494 100644 > --- a/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima 
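Review bot: `IMA_FORCE` is spliced into the `sed` expression in `do_install` (second hunk) without any check that it is one of the two values the ima script later compares against, so a typo such as `IMA_FORCE = "yes"` silently leaves the `no_ima` bypass in effect, and a value containing `/` or `&` would corrupt the substitution. A guard before the `sed`, e.g. `[ "${IMA_FORCE}" = "true" ] || [ "${IMA_FORCE}" = "false" ] || bbfatal "IMA_FORCE must be 'true' or 'false', got '${IMA_FORCE}'"`, makes the build fail instead of producing an initramfs with the override misconfigured. The comment above `IMA_FORCE ?= "false"` in the first hunk would read more clearly as `# When "true", load the IMA policy even if the no_ima boot parameter is present; the default still honours no_ima.` The placeholder `@@FORCE_IMA@@` and the variable `IMA_FORCE` spell the same name in opposite order; one spelling for both would make the sed line easier to follow.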
> +++ b/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima > @@ -2,11 +2,16 @@ > # > # Loads IMA policy into the kernel. > > +force_ima=@@FORCE_IMA@@ > + > ima_enabled() { > - if [ "$bootparam_no_ima" = "true" ]; then > + if [ "$force_ima" = "true" ]; then > + return 0 > + elif [ "$bootparam_no_ima" = "true" ]; then > return 1 > + else > + return 0 > fi > - return 0 > } > > ima_run() { > > >
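Review bot: When `force_ima` is `true`, `ima_enabled` discards a `no_ima` boot parameter without leaving any trace, so the very event the commit is defending against (someone altering the kernel command line) is never reported. The new `elif`/`else` also duplicates `return 0`, which a single guard avoids. I would nest the override inside the `no_ima` branch and report the ignored parameter through the framework's `msg` helper (assuming it is reachable from this module), as below. Quoting the assignment, `force_ima="@@FORCE_IMA@@"`, would additionally keep a malformed substitution from being parsed as a command. `ima_run` after the hunk is unchanged.
```shell
ima_enabled() {
    if [ "$bootparam_no_ima" = "true" ]; then
        if [ "$force_ima" != "true" ]; then
            return 1
        fi
        msg "IMA: ignoring no_ima boot parameter (IMA_FORCE is set)"
    fi
    return 0
}
```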
