Add IMA feature to the kernel, add config for it

SPECS-SIGNED/kernel-signed-aarch64/kernel-signed-aarch64.spec

@@ -2,7 +2,7 @@
 Summary:        Signed Linux Kernel for aarch64 systems
 Name:           kernel-signed-aarch64
 Version:        5.4.51
-Release:        5%{?dist}
+Release:        6%{?dist}
 License:        GPLv2
 URL:            https://github.com/microsoft/WSL2-Linux-Kernel
 Group:          System Environment/Kernel
@@ -84,6 +84,8 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
 %config %{_localstatedir}/lib/initramfs/kernel/%{uname_r}
 
 %changelog
+*   Wed Sep 23 2020 Daniel McIlvaney <damcilva@microsoft.com> 5.4.51-6
+-   Update release number
 *   Thu Sep 03 2020 Daniel McIlvaney <damcilva@microsoft.com> 5.4.51-5
 -   Update release number
 *   Thu Sep 03 2020 Chris Co <chrco@microsoft.com> 5.4.51-4

SPECS-SIGNED/kernel-signed-x64/kernel-signed-x64.spec

@@ -2,7 +2,7 @@
 Summary:        Signed Linux Kernel for x86_64 systems
 Name:           kernel-signed-x64
 Version:        5.4.51
-Release:        5%{?dist}
+Release:        6%{?dist}
 License:        GPLv2
 URL:            https://github.com/microsoft/WSL2-Linux-Kernel
 Group:          System Environment/Kernel
@@ -84,6 +84,8 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
 %config %{_localstatedir}/lib/initramfs/kernel/%{uname_r}
 
 %changelog
+*   Wed Sep 23 2020 Daniel McIlvaney <damcilva@microsoft.com> 5.4.51-6
+-   Update release number
 *   Thu Sep 03 2020 Daniel McIlvaney <damcilva@microsoft.com> 5.4.51-5
 -   Update release number
 *   Thu Sep 03 2020 Chris Co <chrco@microsoft.com> 5.4.51-4

SPECS/kernel/config

@@ -2957,7 +2957,7 @@ CONFIG_IPMI_SI=m
 # CONFIG_IPMI_SSIF is not set
 CONFIG_IPMI_WATCHDOG=m
 CONFIG_IPMI_POWEROFF=m
-CONFIG_HW_RANDOM=m
+CONFIG_HW_RANDOM=y
 CONFIG_HW_RANDOM_TIMERIOMEM=m
 CONFIG_HW_RANDOM_INTEL=m
 CONFIG_HW_RANDOM_AMD=m
@@ -2972,18 +2972,18 @@ CONFIG_HPET=y
 CONFIG_HPET_MMAP=y
 CONFIG_HPET_MMAP_DEFAULT=y
 CONFIG_HANGCHECK_TIMER=m
-CONFIG_TCG_TPM=m
+CONFIG_TCG_TPM=y
 CONFIG_HW_RANDOM_TPM=y
-CONFIG_TCG_TIS_CORE=m
-CONFIG_TCG_TIS=m
+CONFIG_TCG_TIS_CORE=y
+CONFIG_TCG_TIS=y
 CONFIG_TCG_TIS_I2C_ATMEL=m
 CONFIG_TCG_TIS_I2C_INFINEON=m
 CONFIG_TCG_TIS_I2C_NUVOTON=m
 CONFIG_TCG_NSC=m
 CONFIG_TCG_ATMEL=m
 CONFIG_TCG_INFINEON=m
 CONFIG_TCG_XEN=m
-CONFIG_TCG_CRB=m
+CONFIG_TCG_CRB=y
 # CONFIG_TCG_VTPM_PROXY is not set
 # CONFIG_TCG_TIS_ST33ZP24_I2C is not set
 # CONFIG_TELCLOCK is not set
@@ -6027,7 +6027,22 @@ CONFIG_SECURITY_SAFESETID=y
 CONFIG_INTEGRITY=y
 # CONFIG_INTEGRITY_SIGNATURE is not set
 CONFIG_INTEGRITY_AUDIT=y
-# CONFIG_IMA is not set
+CONFIG_IMA=y
+CONFIG_IMA_MEASURE_PCR_IDX=10
+CONFIG_IMA_LSM_RULES=y
+# CONFIG_IMA_TEMPLATE is not set
+# CONFIG_IMA_NG_TEMPLATE is not set
+CONFIG_IMA_SIG_TEMPLATE=y
+CONFIG_IMA_DEFAULT_TEMPLATE="ima-sig"
+# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
+CONFIG_IMA_DEFAULT_HASH_SHA256=y
+# CONFIG_IMA_DEFAULT_HASH_SHA512 is not set
+CONFIG_IMA_DEFAULT_HASH="sha256"
+CONFIG_IMA_WRITE_POLICY=y
+CONFIG_IMA_READ_POLICY=y
+# CONFIG_IMA_APPRAISE is not set
+CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y
+CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y
 # CONFIG_EVM is not set
 # CONFIG_DEFAULT_SECURITY_SELINUX is not set
 # CONFIG_DEFAULT_SECURITY_SMACK is not set
@@ -6144,7 +6159,7 @@ CONFIG_CRYPTO_ESSIV=m
 # Hash modes
 #
 CONFIG_CRYPTO_CMAC=m
-CONFIG_CRYPTO_HMAC=m
+CONFIG_CRYPTO_HMAC=y
 # CONFIG_CRYPTO_XCBC is not set
 # CONFIG_CRYPTO_VMAC is not set
 

SPECS/kernel/config_aarch64

@@ -2879,7 +2879,7 @@ CONFIG_IPMI_SI=m
 CONFIG_IPMI_WATCHDOG=m
 CONFIG_IPMI_POWEROFF=m
 # CONFIG_IPMB_DEVICE_INTERFACE is not set
-CONFIG_HW_RANDOM=m
+CONFIG_HW_RANDOM=y
 CONFIG_HW_RANDOM_TIMERIOMEM=m
 CONFIG_HW_RANDOM_BCM2835=m
 CONFIG_HW_RANDOM_IPROC_RNG200=m
@@ -2894,18 +2894,18 @@ CONFIG_HW_RANDOM_CAVIUM=m
 # CONFIG_APPLICOM is not set
 CONFIG_RAW_DRIVER=m
 CONFIG_MAX_RAW_DEVS=8192
-CONFIG_TCG_TPM=m
+CONFIG_TCG_TPM=y
 CONFIG_HW_RANDOM_TPM=y
-CONFIG_TCG_TIS_CORE=m
-CONFIG_TCG_TIS=m
+CONFIG_TCG_TIS_CORE=y
+CONFIG_TCG_TIS=y
 CONFIG_TCG_TIS_SPI=m
 CONFIG_TCG_TIS_I2C_ATMEL=m
 CONFIG_TCG_TIS_I2C_INFINEON=m
 CONFIG_TCG_TIS_I2C_NUVOTON=m
 CONFIG_TCG_ATMEL=m
 CONFIG_TCG_INFINEON=m
 CONFIG_TCG_XEN=m
-# CONFIG_TCG_CRB is not set
+CONFIG_TCG_CRB=y
 # CONFIG_TCG_VTPM_PROXY is not set
 # CONFIG_TCG_TIS_ST33ZP24_I2C is not set
 # CONFIG_TCG_TIS_ST33ZP24_SPI is not set
@@ -6290,7 +6290,22 @@ CONFIG_SECURITY_SAFESETID=y
 CONFIG_INTEGRITY=y
 # CONFIG_INTEGRITY_SIGNATURE is not set
 CONFIG_INTEGRITY_AUDIT=y
-# CONFIG_IMA is not set
+CONFIG_IMA=y
+CONFIG_IMA_MEASURE_PCR_IDX=10
+CONFIG_IMA_LSM_RULES=y
+# CONFIG_IMA_TEMPLATE is not set
+# CONFIG_IMA_NG_TEMPLATE is not set
+CONFIG_IMA_SIG_TEMPLATE=y
+CONFIG_IMA_DEFAULT_TEMPLATE="ima-sig"
+# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
+CONFIG_IMA_DEFAULT_HASH_SHA256=y
+# CONFIG_IMA_DEFAULT_HASH_SHA512 is not set
+CONFIG_IMA_DEFAULT_HASH="sha256"
+CONFIG_IMA_WRITE_POLICY=y
+CONFIG_IMA_READ_POLICY=y
+# CONFIG_IMA_APPRAISE is not set
+CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y
+CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y
 # CONFIG_EVM is not set
 # CONFIG_DEFAULT_SECURITY_SELINUX is not set
 # CONFIG_DEFAULT_SECURITY_SMACK is not set
@@ -6399,7 +6414,7 @@ CONFIG_CRYPTO_ESSIV=m
 # Hash modes
 #
 CONFIG_CRYPTO_CMAC=m
-CONFIG_CRYPTO_HMAC=m
+CONFIG_CRYPTO_HMAC=y
 # CONFIG_CRYPTO_XCBC is not set
 # CONFIG_CRYPTO_VMAC is not set
 
@@ -6420,8 +6435,8 @@ CONFIG_CRYPTO_MD5=y
 # CONFIG_CRYPTO_RMD256 is not set
 # CONFIG_CRYPTO_RMD320 is not set
 CONFIG_CRYPTO_SHA1=y
-CONFIG_CRYPTO_LIB_SHA256=m
-CONFIG_CRYPTO_SHA256=m
+CONFIG_CRYPTO_LIB_SHA256=y
+CONFIG_CRYPTO_SHA256=y
 CONFIG_CRYPTO_SHA512=y
 # CONFIG_CRYPTO_SHA3 is not set
 # CONFIG_CRYPTO_SM3 is not set

SPECS/kernel/kernel.signatures.json

@@ -1,7 +1,7 @@
 {
  "Signatures": {
-  "config": "cb99faaac82f05b84539e4b99633b5a444de5b2db01ed37946afa0360d1f94f0",
-  "config_aarch64": "98bcf0f9c9fa02e11ad255ae352461b8ef7d53daf02c707a8a9b53f9bfb32db3",
+  "config": "ac1f71bde2b05e417e5d4fe4a72ffa5b0376ac53136e61e7e080e4f2a97ef31c",
+  "config_aarch64": "5405f228f0da37ad2460047c83930f89d76f7697fd3835848ef2092587d78104",
   "linux-msft-5.4.51.tar.gz": "3bcd6b09e952fac4f708614658b508ce80c8e25c04780b6b44a481b1479a08e7"
  }
 }

SPECS/kernel/kernel.spec

@@ -2,7 +2,7 @@
 Summary:        Linux Kernel
 Name:           kernel
 Version:        5.4.51
-Release:        5%{?dist}
+Release:        6%{?dist}
 License:        GPLv2
 URL:            https://github.com/microsoft/WSL2-Linux-Kernel
 Group:          System Environment/Kernel
@@ -332,6 +332,8 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
 %{_libdir}/perf/include/bpf/*
 
 %changelog
+*   Wed Sep 23 2020 Daniel McIlvaney <damcilva@microsoft.com> 5.4.51-6
+-   Enable CONFIG_IMA (measurement only) and associated configs
 *   Thu Sep 03 2020 Daniel McIlvaney <damcilva@microsoft.com> 5.4.51-5
 -   Add code to check for missing config flags in the checked in configs
 *   Thu Sep 03 2020 Chris Co <chrco@microsoft.com> 5.4.51-4

toolkit/docs/formats/imageconfig.md

@@ -141,6 +141,23 @@ A sample KernelOptions specifying a default kernel and a specialized kernel for
 },
 ```
 
+### KernelCommandLine
+
+KernelCommandLine is an optional key which allows additional parameters to be passed to the kernel when it is launched from Grub.
+
+ImaPolicy is a list of Integrity Measurement Architecture (IMA) policies to enable, they may be any combination of `tcb`, `appraise_tcb`, `secure_boot`.
+
+ExtraCommandLine is a string which will be appended to the end of the kernel command line and may contain any additional parameters desired. The `` ` `` character is reserved and may not be used.
+
+A sample KernelCommandLine enabling a basic IMA mode and passing two additional parameters:
+
+``` json
+"KernelCommandLine": {
+    "ImaPolicy": ["tcb"],
+    "ExtraCommandLine": "my_first_param=foo my_second_param=\"bar baz\""
+},
+```
+
 # Sample image configuration
 
 A sample image configuration, producing a VHDX disk image:
@@ -200,6 +217,10 @@ A sample image configuration, producing a VHDX disk image:
             "KernelOptions": {
                 "default": "kernel"
             },
+            "KernelCommandLine": {
+                "ImaPolicy": ["tcb"],
+                "ExtraCommandLine": "my_first_param=foo my_second_param=\"bar baz\""
+            },
             "Hostname": "cbl-mariner"
         }
     ]

toolkit/resources/assets/grub2/grub.cfg

@@ -11,7 +11,7 @@ fi
 set rootdevice={{.RootPartition}}
 
 menuentry "CBL-Mariner" {
-	linux /boot/$mariner_linux {{.LuksUUID}} {{.LVM}} rd.auto=1 root=$rootdevice $mariner_cmdline $systemd_cmdline
+	linux /boot/$mariner_linux {{.LuksUUID}} {{.LVM}} {{.IMAPolicy}} rd.auto=1 root=$rootdevice $mariner_cmdline $systemd_cmdline {{.ExtraCommandLine}}
 	if [ -f /boot/$mariner_initrd ]; then
 		initrd /boot/$mariner_initrd
 	fi

toolkit/tools/imagegen/configuration/imapolicy.go

@@ -0,0 +1,67 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+// Parser for the image builder's configuration schemas.
+
+package configuration
+
+import (
+	"encoding/json"
+	"fmt"
+)
+
+// ImaPolicy sets the ima_policy kernel command line option
+type ImaPolicy string
+
+const (
+	// ImaPolicyTcb selects the tcb IMA policy
+	ImaPolicyTcb ImaPolicy = "tcb"
+	// ImaPolicyAppraiseTcb selects the appraise_tcb IMA policy
+	ImaPolicyAppraiseTcb ImaPolicy = "appraise_tcb"
+	// ImaPolicySecureBoot selects the secure_boot IMA policy
+	ImaPolicySecureBoot ImaPolicy = "secure_boot"
+	// ImaPolicyNone selects no IMA policy
+	ImaPolicyNone ImaPolicy = ""
+)
+
+func (i ImaPolicy) String() string {
+	return fmt.Sprint(string(i))
+}
+
+// GetValidImaPolicies returns a list of all the supported
+// disk partition types
+func (i *ImaPolicy) GetValidImaPolicies() (types []ImaPolicy) {
+	return []ImaPolicy{
+		ImaPolicyTcb,
+		ImaPolicyAppraiseTcb,
+		ImaPolicySecureBoot,
+		ImaPolicyNone,
+	}
+}
+
+// IsValid returns an error if the ImaPolicy is not valid
+func (i *ImaPolicy) IsValid() (err error) {
+	for _, valid := range i.GetValidImaPolicies() {
+		if *i == valid {
+			return
+		}
+	}
+	return fmt.Errorf("invalid value for ImaPolicy (%s)", i)
+}
+
+// UnmarshalJSON Unmarshals an ImaPolicy entry
+func (i *ImaPolicy) UnmarshalJSON(b []byte) (err error) {
+	// Use an intermediate type which will use the default JSON unmarshal implementation
+	type IntermediateTypeImaPolicy ImaPolicy
+	err = json.Unmarshal(b, (*IntermediateTypeImaPolicy)(i))
+	if err != nil {
+		return fmt.Errorf("failed to parse [ImaPolicy]: %w", err)
+	}
+
+	// Now validate the resulting unmarshaled object
+	err = i.IsValid()
+	if err != nil {
+		return fmt.Errorf("failed to parse [ImaPolicy]: %w", err)
+	}
+	return
+}

toolkit/tools/imagegen/configuration/imapolicy_test.go

@@ -0,0 +1,78 @@
+// Copyright Microsoft Corporation.
+// Licensed under the MIT License.
+
+package configuration
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+// TestMain found in configuration_test.go.
+
+var (
+	validImaPolicies = []ImaPolicy{
+		ImaPolicy("tcb"),
+		ImaPolicy("appraise_tcb"),
+		ImaPolicy("secure_boot"),
+		ImaPolicy(""),
+	}
+	invalidImaPolicy = ImaPolicy("not_a_policy")
+	validImaJSON     = `"tcb"`
+	invalidImaJSON   = `1234`
+)
+
+func TestShouldSucceedValidImaPoliciesMatch_ImaPolicy(t *testing.T) {
+	var ima ImaPolicy
+	assert.Equal(t, len(validImaPolicies), len(ima.GetValidImaPolicies()))
+
+	for _, imaPolicy := range validImaPolicies {
+		found := false
+		for _, validImaPolicy := range ima.GetValidImaPolicies() {
+			if imaPolicy == validImaPolicy {
+				found = true
+			}
+		}
+		assert.True(t, found)
+	}
+}
+
+func TestShouldSucceedParsingValidPolicies_ImaPolicy(t *testing.T) {
+	for _, validPolicy := range validImaPolicies {
+		var checkedPolicy ImaPolicy
+
+		assert.NoError(t, validPolicy.IsValid())
+		err := remarshalJSON(validPolicy, &checkedPolicy)
+		assert.NoError(t, err)
+		assert.Equal(t, validPolicy, checkedPolicy)
+	}
+}
+
+func TestShouldFailParsingInvalidPolicy_ImaPolicy(t *testing.T) {
+	var checkedPolicy ImaPolicy
+
+	err := invalidImaPolicy.IsValid()
+	assert.Error(t, err)
+	assert.Equal(t, "invalid value for ImaPolicy (not_a_policy)", err.Error())
+
+	err = remarshalJSON(invalidImaPolicy, &checkedPolicy)
+	assert.Error(t, err)
+	assert.Equal(t, "failed to parse [ImaPolicy]: invalid value for ImaPolicy (not_a_policy)", err.Error())
+}
+
+func TestShouldSucceedParsingValidJSON_ImaPolicy(t *testing.T) {
+	var checkedPolicy ImaPolicy
+
+	err := marshalJSONString(validImaJSON, &checkedPolicy)
+	assert.NoError(t, err)
+	assert.Equal(t, validImaPolicies[0], checkedPolicy)
+}
+
+func TestShouldFailParsingInvalidJSON_ImaPolicy(t *testing.T) {
+	var checkedPolicy ImaPolicy
+
+	err := marshalJSONString(invalidImaJSON, &checkedPolicy)
+	assert.Error(t, err)
+	assert.Equal(t, "failed to parse [ImaPolicy]: json: cannot unmarshal number into Go value of type configuration.IntermediateTypeImaPolicy", err.Error())
+}