From: Mimi Zohar <zohar@linux.ibm.com>
To: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>,
linux-integrity@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, keyrings@vger.kernel.org
Subject: Re: [PATCH v8 4/5] IMA: Add support to limit measuring keys
Date: Wed, 20 Nov 2019 23:19:17 +0000 [thread overview]
Message-ID: <1574291957.4793.144.camel@linux.ibm.com> (raw)
In-Reply-To: <20191118223818.3353-5-nramas@linux.microsoft.com>
On Mon, 2019-11-18 at 14:38 -0800, Lakshmi Ramasubramanian wrote:
> Limit measuring keys to those keys being loaded onto a given set of
> keyrings only.
>
> This patch defines a new IMA policy option namely "keyrings=" that
> can be used to specify a set of keyrings. If this option is specified
> in the policy for "measure func=KEY_CHECK" then only the keys
> loaded onto a keyring given in the "keyrings=" option are measured.
>
> Added a new parameter namely "keyring" (name of the keyring) to
> process_buffer_measurement(). The keyring name is passed to
> ima_get_action() to determine the required action.
> ima_match_rules() is updated to check keyring in the policy, if
> specified, for KEY_CHECK function.
>
> The following example illustrates how key measurement can be verified.
>
> Sample IMA Policy entry to measure keys
> (Added in the file /etc/ima/ima-policy):
> measure func=KEY_CHECK keyrings=.ima|.evm|.blacklist template=ima-buf
>
> Build the kernel with this patch set applied and reboot to that kernel.
>
> Ensure the IMA policy is applied:
>
> root@nramas:/home/nramas# cat /sys/kernel/security/ima/policy
> measure func=KEY_CHECK keyrings=.ima|.evm|.blacklist template=ima-buf
>
> View the initial IMA measurement log:
>
> root@nramas:/home/nramas# cat /sys/kernel/security/ima/ascii_runtime_measurements
> 10 67ec... ima-ng sha1:b5466c508583f0e633df83aa58fc7c5b67ccf667 boot_aggregate
>
> Now, add a certificate in DER format (for example, x509_ima.der) to
> the .ima keyring:
>
> root@nramas:/home/nramas# keyctl show %:.ima
> Keyring
> 547515640 ---lswrv 0 0 keyring: .ima
>
> root@nramas:/home/nramas# evmctl import x509_ima.der 547515640
>
> root@nramas:/home/nramas# keyctl show %:.ima
> Keyring
> 547515640 ---lswrv 0 0 keyring: .ima
> 809678766 --als--v 0 0 \_ asymmetric: hostname: whoami signing key: 052dd247dc3c36...
>
> View the updated IMA measurement log:
>
> root@nramas:/home/nramas# cat /sys/kernel/security/ima/ascii_runtime_measurements
> 10 67ec... ima-ng sha1:b5466c508583f0e633df83aa58fc7c5b67ccf667 boot_aggregate
> 10 3adf... ima-buf sha256:27c915b8ddb9fae7214cf0a8a7043cc3eeeaa7539bcb136f8427067b5f6c3b7b .ima 30818902818100ee96b264072a42888f78a2f9b8198467a3ad97d126f3d1cc1c24d23e7185cc743b04d4a54254ca16e1e11ed4450deb98b1f7bb4288424570fabcfc6d5aa93a2a14fa2b7835ac877cfea761e5ff414c6ee274eff26f8bd6c484312e56619299acf0dbd224b87c3883b66a9393d21af8962458663b0ac1706c63773cd50e8236270203010001
> root@nramas:/home/nramas#
>
> The public key of x509_ima.der certificate and the key's SHA-256 hash
> are included in the IMA log.
>
> For example, in the above IMA log entry the public key is the following:
>
> 30818902818100ee96b264072a42888f78a2f9b8198467a3ad97d126f3d1cc1c24d23e7185cc743b04d4a54254ca16e1e11ed4450deb98b1f7bb4288424570fabcfc6d5aa93a2a14fa2b7835ac877cfea761e5ff414c6ee274eff26f8bd6c484312e56619299acf0dbd224b87c3883b66a9393d21af8962458663b0ac1706c63773cd50e8236270203010001
>
> sha256:27c915b8ddb9fae7214cf0a8a7043cc3eeeaa7539bcb136f8427067b5f6c3b7b
>
> root@nramas:/home/nramas# cat /sys/kernel/security/ima/ascii_runtime_measurements |
> grep " .ima" | cut -d' ' -f 6 | xxd -r -p | sha256sum
> 27c915b8ddb9fae7214cf0a8a7043cc3eeeaa7539bcb136f8427067b5f6c3b7b
> root@nramas:/home/nramas#
>
> SHA-256 hash in the IMA log and the above output should match.
>
> Now run the following "openssl" command to display
> various fields of x509_ima.der certificate:
>
> Verify the "Modulus" and the "Exponent" with that
> in the public key data in the IMA log entry.
> Note that the "Modulus" in the IMA log entry follows
> the RSA Header (For example, 308189028181)
> The "Exponent" is the last 3 hex numbers in the IMA log
> (For example, 0x01 0x00 0x01)
>
> root@nramas:/home/nramas# openssl x509 -in x509_ima.der -inform der -noout -text
> Certificate:
> Data:
> Version: 3 (0x2)
> Serial Number:
> 5b:e0:23:4f:f3:ad:f0:50:34:9b:33:b8:94:65:a6:aa:b6:e3:39:f7
> Signature Algorithm: sha256WithRSAEncryption
> Issuer: O = hostname, CN = whoami signing key, emailAddress = whoami@hostname
> Validity
> Not Before: Aug 22 02:29:02 2019 GMT
> Not After : Aug 21 02:29:02 2020 GMT
> Subject: O = hostname, CN = whoami signing key, emailAddress = whoami@hostname
> Subject Public Key Info:
> Public Key Algorithm: rsaEncryption
> RSA Public-Key: (1024 bit)
> Modulus:
> 00:ee:96:b2:64:07:2a:42:88:8f:78:a2:f9:b8:19:
> 84:67:a3:ad:97:d1:26:f3:d1:cc:1c:24:d2:3e:71:
> 85:cc:74:3b:04:d4:a5:42:54:ca:16:e1:e1:1e:d4:
> 45:0d:eb:98:b1:f7:bb:42:88:42:45:70:fa:bc:fc:
> 6d:5a:a9:3a:2a:14:fa:2b:78:35:ac:87:7c:fe:a7:
> 61:e5:ff:41:4c:6e:e2:74:ef:f2:6f:8b:d6:c4:84:
> 31:2e:56:61:92:99:ac:f0:db:d2:24:b8:7c:38:83:
> b6:6a:93:93:d2:1a:f8:96:24:58:66:3b:0a:c1:70:
> 6c:63:77:3c:d5:0e:82:36:27
> Exponent: 65537 (0x10001)
> X509v3 extensions:
> X509v3 Basic Constraints: critical
> CA:FALSE
> X509v3 Key Usage:
> Digital Signature
> X509v3 Subject Key Identifier:
> 05:2D:D2:47:DC:3C:36:D6:D6:06:75:FE:7A:E8:69:79:0B:E5:61:71
> X509v3 Authority Key Identifier:
> keyid:E3:67:10:F0:83:4C:97:3E:D9:4A:18:6F:BC:D2:23:75:B4:5E:24:54
>
> Signature Algorithm: sha256WithRSAEncryption
> b1:2f:ae:ff:1e:0e:39:0c:fd:5e:b7:14:0a:f3:b7:a6:53:cb:
> 49:c6:ab:0a:23:be:24:c0:35:33:1d:76:00:c8:f7:58:f9:df:
> 7f:df:c5:ee:b6:fe:c3:58:59:20:3e:ca:0e:4f:01:f9:a7:9a:
> 58:be:63:09:47:cb:95:9a:52:d3:f2:de:96:f2:10:d4:92:47:
> c3:3a:62:26:dc:2a:52:ee:54:10:69:ed:3c:62:1f:87:67:fd:
> 36:a0:61:e9:a6:1a:db:5d:1d:d3:44:99:d9:9a:1c:e6:ba:a4:
> 96:b4:f5:e2:26:8b:fc:52:c3:ee:a4:a6:b7:b5:18:1f:08:52:
> 4a:ee
> root@nramas:/home/nramas#
>
> An ima-sig entry for a kernel module, say, kheaders.ko
> from the IMA log entry is given below:
>
> 10 0c98... ima-sig
> sha256:3bc6ed4f0b4d6e31bc1dbc9ef844605abc7afdc6d81a57d77a1ec9407997c40
> 2 /usr/lib/modules/5.4.0-rc3+/kernel/kernel/kheaders.ko
> 03020BE561710100abcde...
>
> In the above 0BE56171 is the Key ID of the key used to verify
> the IMA signature. This Key ID is the last 4 hex digits of
> the subject key identifier displayed in openssl output
> for the certificate x509_ima.der (Which is the IMA certificate
> used to sign the kernel module).
>
> X509v3 Subject Key Identifier:
> 05:2D:D2:47:DC:3C:36:D6:D6:06:75:FE:7A:E8:69:79:0B:E5:61:71
>
> The ima-modsig entry for the same kernel module is:
>
> 10 82aa... ima-modsig
> sha256:3bc6ed4f0b4d6e31bc1dbc9ef844605abc7afdc6d81a57d77a1ec9407997c40
> 2 /usr/lib/modules/5.4.0rc3+/kernel/kernel/kheaders.ko
> sha256:77fa889b35a05338ec52e51591c1b89d4c8d1c99a21251d7c22b1a8642a6bad3
> 30818902818100ee96b264072a42888f78a2f9b8198467a3ad97d126f3d1cc1c24d23e7185cc743b04d4a54254ca16e1e11ed4450deb98b1f7bb4288424570fabcfc6d5aa93a2a14fa2b7835ac877cfea761e5ff414c6ee274eff26f8bd6c484312e56619299acf0dbd224b87c3883b66a9393d21af8962458663b0ac1706c63773cd50e8236270203010001
>
> If the kernel module was signed by x509_ima.der certificate then
> the public key entry in the ima-modsig should match the public key
> for the key measurement for x509_ima.der.
>
> The above can be used to correlate the key measurement IMA entry,
> ima-sig and ima-modsig entries using the same key.
True, but associating the public key measurement with the file
signature requires information from the certificate (e.g. issuer,
serial number, and/or subject, subject keyid).
For a regression test, it would be nice if the key measurement,
itself, contained everything needed in order to validate the file
signatures in the measurement list.
Mimi
WARNING: multiple messages have this Message-ID (diff)
From: Mimi Zohar <zohar@linux.ibm.com>
To: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>,
linux-integrity@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, keyrings@vger.kernel.org
Subject: Re: [PATCH v8 4/5] IMA: Add support to limit measuring keys
Date: Wed, 20 Nov 2019 18:19:17 -0500 [thread overview]
Message-ID: <1574291957.4793.144.camel@linux.ibm.com> (raw)
In-Reply-To: <20191118223818.3353-5-nramas@linux.microsoft.com>
On Mon, 2019-11-18 at 14:38 -0800, Lakshmi Ramasubramanian wrote:
> Limit measuring keys to those keys being loaded onto a given set of
> keyrings only.
>
> This patch defines a new IMA policy option namely "keyrings=" that
> can be used to specify a set of keyrings. If this option is specified
> in the policy for "measure func=KEY_CHECK" then only the keys
> loaded onto a keyring given in the "keyrings=" option are measured.
>
> Added a new parameter namely "keyring" (name of the keyring) to
> process_buffer_measurement(). The keyring name is passed to
> ima_get_action() to determine the required action.
> ima_match_rules() is updated to check keyring in the policy, if
> specified, for KEY_CHECK function.
>
> The following example illustrates how key measurement can be verified.
>
> Sample IMA Policy entry to measure keys
> (Added in the file /etc/ima/ima-policy):
> measure func=KEY_CHECK keyrings=.ima|.evm|.blacklist template=ima-buf
>
> Build the kernel with this patch set applied and reboot to that kernel.
>
> Ensure the IMA policy is applied:
>
> root@nramas:/home/nramas# cat /sys/kernel/security/ima/policy
> measure func=KEY_CHECK keyrings=.ima|.evm|.blacklist template=ima-buf
>
> View the initial IMA measurement log:
>
> root@nramas:/home/nramas# cat /sys/kernel/security/ima/ascii_runtime_measurements
> 10 67ec... ima-ng sha1:b5466c508583f0e633df83aa58fc7c5b67ccf667 boot_aggregate
>
> Now, add a certificate in DER format (for example, x509_ima.der) to
> the .ima keyring:
>
> root@nramas:/home/nramas# keyctl show %:.ima
> Keyring
> 547515640 ---lswrv 0 0 keyring: .ima
>
> root@nramas:/home/nramas# evmctl import x509_ima.der 547515640
>
> root@nramas:/home/nramas# keyctl show %:.ima
> Keyring
> 547515640 ---lswrv 0 0 keyring: .ima
> 809678766 --als--v 0 0 \_ asymmetric: hostname: whoami signing key: 052dd247dc3c36...
>
> View the updated IMA measurement log:
>
> root@nramas:/home/nramas# cat /sys/kernel/security/ima/ascii_runtime_measurements
> 10 67ec... ima-ng sha1:b5466c508583f0e633df83aa58fc7c5b67ccf667 boot_aggregate
> 10 3adf... ima-buf sha256:27c915b8ddb9fae7214cf0a8a7043cc3eeeaa7539bcb136f8427067b5f6c3b7b .ima 30818902818100ee96b264072a42888f78a2f9b8198467a3ad97d126f3d1cc1c24d23e7185cc743b04d4a54254ca16e1e11ed4450deb98b1f7bb4288424570fabcfc6d5aa93a2a14fa2b7835ac877cfea761e5ff414c6ee274eff26f8bd6c484312e56619299acf0dbd224b87c3883b66a9393d21af8962458663b0ac1706c63773cd50e8236270203010001
> root@nramas:/home/nramas#
>
> The public key of x509_ima.der certificate and the key's SHA-256 hash
> are included in the IMA log.
>
> For example, in the above IMA log entry the public key is the following:
>
> 30818902818100ee96b264072a42888f78a2f9b8198467a3ad97d126f3d1cc1c24d23e7185cc743b04d4a54254ca16e1e11ed4450deb98b1f7bb4288424570fabcfc6d5aa93a2a14fa2b7835ac877cfea761e5ff414c6ee274eff26f8bd6c484312e56619299acf0dbd224b87c3883b66a9393d21af8962458663b0ac1706c63773cd50e8236270203010001
>
> sha256:27c915b8ddb9fae7214cf0a8a7043cc3eeeaa7539bcb136f8427067b5f6c3b7b
>
> root@nramas:/home/nramas# cat /sys/kernel/security/ima/ascii_runtime_measurements |
> grep " .ima" | cut -d' ' -f 6 | xxd -r -p | sha256sum
> 27c915b8ddb9fae7214cf0a8a7043cc3eeeaa7539bcb136f8427067b5f6c3b7b
> root@nramas:/home/nramas#
>
> SHA-256 hash in the IMA log and the above output should match.
>
> Now run the following "openssl" command to display
> various fields of x509_ima.der certificate:
>
> Verify the "Modulus" and the "Exponent" with that
> in the public key data in the IMA log entry.
> Note that the "Modulus" in the IMA log entry follows
> the RSA Header (For example, 308189028181)
> The "Exponent" is the last 3 hex numbers in the IMA log
> (For example, 0x01 0x00 0x01)
>
> root@nramas:/home/nramas# openssl x509 -in x509_ima.der -inform der -noout -text
> Certificate:
> Data:
> Version: 3 (0x2)
> Serial Number:
> 5b:e0:23:4f:f3:ad:f0:50:34:9b:33:b8:94:65:a6:aa:b6:e3:39:f7
> Signature Algorithm: sha256WithRSAEncryption
> Issuer: O = hostname, CN = whoami signing key, emailAddress = whoami@hostname
> Validity
> Not Before: Aug 22 02:29:02 2019 GMT
> Not After : Aug 21 02:29:02 2020 GMT
> Subject: O = hostname, CN = whoami signing key, emailAddress = whoami@hostname
> Subject Public Key Info:
> Public Key Algorithm: rsaEncryption
> RSA Public-Key: (1024 bit)
> Modulus:
> 00:ee:96:b2:64:07:2a:42:88:8f:78:a2:f9:b8:19:
> 84:67:a3:ad:97:d1:26:f3:d1:cc:1c:24:d2:3e:71:
> 85:cc:74:3b:04:d4:a5:42:54:ca:16:e1:e1:1e:d4:
> 45:0d:eb:98:b1:f7:bb:42:88:42:45:70:fa:bc:fc:
> 6d:5a:a9:3a:2a:14:fa:2b:78:35:ac:87:7c:fe:a7:
> 61:e5:ff:41:4c:6e:e2:74:ef:f2:6f:8b:d6:c4:84:
> 31:2e:56:61:92:99:ac:f0:db:d2:24:b8:7c:38:83:
> b6:6a:93:93:d2:1a:f8:96:24:58:66:3b:0a:c1:70:
> 6c:63:77:3c:d5:0e:82:36:27
> Exponent: 65537 (0x10001)
> X509v3 extensions:
> X509v3 Basic Constraints: critical
> CA:FALSE
> X509v3 Key Usage:
> Digital Signature
> X509v3 Subject Key Identifier:
> 05:2D:D2:47:DC:3C:36:D6:D6:06:75:FE:7A:E8:69:79:0B:E5:61:71
> X509v3 Authority Key Identifier:
> keyid:E3:67:10:F0:83:4C:97:3E:D9:4A:18:6F:BC:D2:23:75:B4:5E:24:54
>
> Signature Algorithm: sha256WithRSAEncryption
> b1:2f:ae:ff:1e:0e:39:0c:fd:5e:b7:14:0a:f3:b7:a6:53:cb:
> 49:c6:ab:0a:23:be:24:c0:35:33:1d:76:00:c8:f7:58:f9:df:
> 7f:df:c5:ee:b6:fe:c3:58:59:20:3e:ca:0e:4f:01:f9:a7:9a:
> 58:be:63:09:47:cb:95:9a:52:d3:f2:de:96:f2:10:d4:92:47:
> c3:3a:62:26:dc:2a:52:ee:54:10:69:ed:3c:62:1f:87:67:fd:
> 36:a0:61:e9:a6:1a:db:5d:1d:d3:44:99:d9:9a:1c:e6:ba:a4:
> 96:b4:f5:e2:26:8b:fc:52:c3:ee:a4:a6:b7:b5:18:1f:08:52:
> 4a:ee
> root@nramas:/home/nramas#
>
> An ima-sig entry for a kernel module, say, kheaders.ko
> from the IMA log entry is given below:
>
> 10 0c98... ima-sig
> sha256:3bc6ed4f0b4d6e31bc1dbc9ef844605abc7afdc6d81a57d77a1ec9407997c40
> 2 /usr/lib/modules/5.4.0-rc3+/kernel/kernel/kheaders.ko
> 03020BE561710100abcde...
>
> In the above 0BE56171 is the Key ID of the key used to verify
> the IMA signature. This Key ID is the last 4 hex digits of
> the subject key identifier displayed in openssl output
> for the certificate x509_ima.der (Which is the IMA certificate
> used to sign the kernel module).
>
> X509v3 Subject Key Identifier:
> 05:2D:D2:47:DC:3C:36:D6:D6:06:75:FE:7A:E8:69:79:0B:E5:61:71
>
> The ima-modsig entry for the same kernel module is:
>
> 10 82aa... ima-modsig
> sha256:3bc6ed4f0b4d6e31bc1dbc9ef844605abc7afdc6d81a57d77a1ec9407997c40
> 2 /usr/lib/modules/5.4.0rc3+/kernel/kernel/kheaders.ko
> sha256:77fa889b35a05338ec52e51591c1b89d4c8d1c99a21251d7c22b1a8642a6bad3
> 30818902818100ee96b264072a42888f78a2f9b8198467a3ad97d126f3d1cc1c24d23e7185cc743b04d4a54254ca16e1e11ed4450deb98b1f7bb4288424570fabcfc6d5aa93a2a14fa2b7835ac877cfea761e5ff414c6ee274eff26f8bd6c484312e56619299acf0dbd224b87c3883b66a9393d21af8962458663b0ac1706c63773cd50e8236270203010001
>
> If the kernel module was signed by x509_ima.der certificate then
> the public key entry in the ima-modsig should match the public key
> for the key measurement for x509_ima.der.
>
> The above can be used to correlate the key measurement IMA entry,
> ima-sig and ima-modsig entries using the same key.
True, but associating the public key measurement with the file
signature requires information from the certificate (e.g. issuer,
serial number, and/or subject, subject keyid).
For a regression test, it would be nice if the key measurement,
itself, contained everything needed in order to validate the file
signatures in the measurement list.
Mimi
next prev parent reply other threads:[~2019-11-20 23:19 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-11-18 22:38 [PATCH v8 0/5] KEYS: Measure keys when they are created or updated Lakshmi Ramasubramanian
2019-11-18 22:38 ` Lakshmi Ramasubramanian
2019-11-18 22:38 ` [PATCH v8 1/5] IMA: Add KEY_CHECK func to measure keys Lakshmi Ramasubramanian
2019-11-18 22:38 ` Lakshmi Ramasubramanian
2019-11-18 22:38 ` [PATCH v8 2/5] IMA: Define an IMA hook " Lakshmi Ramasubramanian
2019-11-18 22:38 ` Lakshmi Ramasubramanian
2019-11-20 23:28 ` Eric Snowberg
2019-11-20 23:28 ` Eric Snowberg
2019-11-20 23:40 ` Lakshmi Ramasubramanian
2019-11-20 23:40 ` Lakshmi Ramasubramanian
2019-11-21 1:22 ` Mimi Zohar
2019-11-21 1:22 ` Mimi Zohar
2019-11-21 1:32 ` Lakshmi Ramasubramanian
2019-11-21 1:32 ` Lakshmi Ramasubramanian
2019-11-21 17:16 ` Lakshmi Ramasubramanian
2019-11-21 17:16 ` Lakshmi Ramasubramanian
2019-11-18 22:38 ` [PATCH v8 3/5] KEYS: Call the " Lakshmi Ramasubramanian
2019-11-18 22:38 ` Lakshmi Ramasubramanian
2019-11-19 1:18 ` Eric Snowberg
2019-11-19 1:18 ` Eric Snowberg
2019-11-19 1:58 ` Lakshmi Ramasubramanian
2019-11-19 1:58 ` Lakshmi Ramasubramanian
2019-11-18 22:38 ` [PATCH v8 4/5] IMA: Add support to limit measuring keys Lakshmi Ramasubramanian
2019-11-18 22:38 ` Lakshmi Ramasubramanian
2019-11-20 16:30 ` Validating key measurement Lakshmi Ramasubramanian
2019-11-20 23:19 ` Mimi Zohar [this message]
2019-11-20 23:19 ` [PATCH v8 4/5] IMA: Add support to limit measuring keys Mimi Zohar
2019-11-21 0:03 ` Lakshmi Ramasubramanian
2019-11-21 0:03 ` Lakshmi Ramasubramanian
2019-11-21 0:53 ` Mimi Zohar
2019-11-21 0:53 ` Mimi Zohar
2019-11-21 3:11 ` Lakshmi Ramasubramanian
2019-11-18 22:38 ` [PATCH v8 5/5] IMA: Read keyrings= option from the IMA policy Lakshmi Ramasubramanian
2019-11-18 22:38 ` Lakshmi Ramasubramanian
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1574291957.4793.144.camel@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=keyrings@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=nramas@linux.microsoft.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.