initramfs-framework-ima: introduce IMA_FORCE

Introduce IMA_FORCE to allow the IMA policy be applied forcely even
'no_ima' boot parameter is available.

This ensures the end users have a way to disable 'no_ima' support if
they want to, because it may expose a security risk if an attacker can
find a way to change kernel arguments, it will easily bypass rootfs
authenticity checks.

Signed-off-by: Sergio Prado <sergio.prado@toradex.com>
Signed-off-by: Ming Liu <liu.ming50@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>

meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb

@@ -14,6 +14,9 @@ LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384
 # to this recipe can just point towards one of its own files.
 IMA_POLICY ?= "ima-policy-hashed"
 
+# Force proceed IMA procedure even 'no_ima' boot parameter is available.
+IMA_FORCE ?= "false"
+
 SRC_URI = " file://ima"
 
 inherit features_check
@@ -23,6 +26,8 @@ do_install () {
     install -d ${D}/${sysconfdir}/ima
     install -d ${D}/init.d
     install ${WORKDIR}/ima  ${D}/init.d/20-ima
+
+    sed -i "s/@@FORCE_IMA@@/${IMA_FORCE}/g" ${D}/init.d/20-ima
 }
 
 FILES_${PN} = "/init.d ${sysconfdir}"

meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima

@@ -2,11 +2,16 @@
 #
 # Loads IMA policy into the kernel.
 
+force_ima=@@FORCE_IMA@@
+
 ima_enabled() {
-    if [ "$bootparam_no_ima" = "true" ]; then
+    if [ "$force_ima" = "true" ]; then
+        return 0
+    elif [ "$bootparam_no_ima" = "true" ]; then
         return 1
+    else
+        return 0
     fi
-    return 0
 }
 
 ima_run() {