mirrors/meta-security
1
0
Fork 0
mirror of https://git.yoctoproject.org/meta-security synced 2026-05-08 05:09:48 +00:00
Code Issues Projects Releases Wiki Activity

initramfs-framework-ima: introduce IMA_FORCE

Browse Source 
Introduce IMA_FORCE to allow the IMA policy be applied forcely even
'no_ima' boot parameter is available.

This ensures the end users have a way to disable 'no_ima' support if
they want to, because it may expose a security risk if an attacker can
find a way to change kernel arguments, it will easily bypass rootfs
authenticity checks.

Signed-off-by: Sergio Prado <sergio.prado@toradex.com>
Signed-off-by: Ming Liu <liu.ming50@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
This commit is contained in:
Ming Liu
2021-04-08 20:38:14 +02:00
committed by Armin Kuster
parent 269cd6a9a2
commit 076e75d5cc
2 changed files with 12 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima
+7 -2
View File
@@ -2,11 +2,16 @@
#
# Loads IMA policy into the kernel.
force_ima=@@FORCE_IMA@@
ima_enabled() {
if [ "$bootparam_no_ima" = "true" ]; then
if [ "$force_ima" = "true" ]; then
return 0
elif [ "$bootparam_no_ima" = "true" ]; then
return 1
else
return 0
fi
return 0
}
ima_run() {