Linux-Integrity Archive on lore.kernel.org
 help / color / Atom feed
From: Mimi Zohar <zohar@linux.ibm.com>
To: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>,
	linux-integrity@vger.kernel.org, sashal@kernel.org,
	jamorris@linux.microsoft.com, kgoldman@us.ibm.com,
	mjg59@google.com, dhowells@redhat.com
Cc: balajib@linux.microsoft.com, prsriva@linux.microsoft.com,
	jorhand@linux.microsoft.com, patatash@linux.microsoft.com
Subject: Re: [PATCH v0 1/2] KEYS: Measure keys added to builtin or secondary trusted keys keyring
Date: Sat, 12 Oct 2019 22:49:18 -0400
Message-ID: <1570934958.5250.121.camel@linux.ibm.com> (raw)
In-Reply-To: <20191011173547.3200-2-nramas@linux.microsoft.com>

On Fri, 2019-10-11 at 10:35 -0700, Lakshmi Ramasubramanian wrote:
> IMA hook TRUSTED_KEYS to measure keys added to builtin or secondary
> trusted keys keyring. This can be enabled through IMA policy.
> 
> The key data is queued up if IMA is not yet initialized and measured
> when IMA is initialized. If IMA is initialized then the key is
> measured immediately.
> 
> Signed-off-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>

This patch needs to be broken up into multiple, smaller patches.  As
discussed, measuring keys should be separate from the early
measurement workqueue, at minimum as separate patches, if not separate
patch sets.  A new LSM hook definitely needs to be defined in a
separate patch.

>  /*
> - * process_buffer_measurement - Measure the buffer to ima log.
> - * @buf: pointer to the buffer that needs to be added to the log.
> - * @size: size of buffer(in bytes).
> - * @eventname: event name to be used for the buffer entry.
> - * @cred: a pointer to a credentials structure for user validation.
> - * @secid: the secid of the task to be validated.
> + * ima_post_key_create_or_update
> + *     @keyring points to the keyring to which the key belongs
> + *     @key points to the key being created or updated
> + *     @builtin_or_secondary flag indicating whether
> + *     the keyring to which the key belongs is the builtin
> + *     or secondary trusted keys keyring
> + * Measure keys added to the builtin or secondary trusted keyring
>   *
> - * Based on policy, the buffer is measured into the ima log.
> + * On success return 0.
> + * Return appropriate error code on error
>   */
> -static void process_buffer_measurement(const void *buf, int size,
> -				       const char *eventname,
> -				       const struct cred *cred, u32 secid)
> +int ima_post_key_create_or_update(struct key *keyring,
> +				  struct key *key,
> +				  bool builtin_or_secondary)
>  {
> -	int ret = 0;
> -	struct ima_template_entry *entry = NULL;
> -	struct integrity_iint_cache iint = {};
> -	struct ima_event_data event_data = {.iint = &iint,
> -					    .filename = eventname,
> -					    .buf = buf,
> -					    .buf_len = size};
> -	struct ima_template_desc *template_desc = NULL;
> -	struct {
> -		struct ima_digest_data hdr;
> -		char digest[IMA_MAX_DIGEST_SIZE];
> -	} hash = {};
> -	int violation = 0;
> -	int pcr = CONFIG_IMA_MEASURE_PCR_IDX;
> -	int action = 0;
> +	int rc = 0;
> +	struct ima_trusted_key_entry *entry = NULL;
> +	const struct public_key *pk;
> +	u32 secid;
> +	bool queued = false;
>  
> -	action = ima_get_action(NULL, cred, secid, 0, KEXEC_CMDLINE, &pcr,
> -				&template_desc);
> -	if (!(action & IMA_MEASURE))
> -		return;
> +	/*
> +	 * We only measure asymmetric keys added to either
> +	 * the builtin or the secondary trusted keys keyring.
> +	 */
> +	if (!builtin_or_secondary ||
> +	    (key->type != &key_type_asymmetric))
> +		return 0;

Measuring keys should be generic, independent of the keyring that it
is being added to.  Please do not hard code policy.

Mimi

>  
> -	iint.ima_hash = &hash.hdr;
> -	iint.ima_hash->algo = ima_hash_algo;
> -	iint.ima_hash->length = hash_digest_size[ima_hash_algo];
> +	mutex_lock(&ima_trusted_keys_mutex);


  reply index

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-10-11 17:35 [PATCH v0 0/2] " Lakshmi Ramasubramanian
2019-10-11 17:35 ` [PATCH v0 1/2] " Lakshmi Ramasubramanian
2019-10-13  2:49   ` Mimi Zohar [this message]
2019-10-13 18:34   ` Nayna
2019-10-14 16:21     ` Lakshmi Ramasubramanian
2019-10-11 17:35 ` [PATCH v0 2/2] KEYS: LSM Hook for key_create_or_update Lakshmi Ramasubramanian
2019-10-13  2:57   ` Mimi Zohar

Reply instructions:

You may reply publically to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1570934958.5250.121.camel@linux.ibm.com \
    --to=zohar@linux.ibm.com \
    --cc=balajib@linux.microsoft.com \
    --cc=dhowells@redhat.com \
    --cc=jamorris@linux.microsoft.com \
    --cc=jorhand@linux.microsoft.com \
    --cc=kgoldman@us.ibm.com \
    --cc=linux-integrity@vger.kernel.org \
    --cc=mjg59@google.com \
    --cc=nramas@linux.microsoft.com \
    --cc=patatash@linux.microsoft.com \
    --cc=prsriva@linux.microsoft.com \
    --cc=sashal@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Linux-Integrity Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-integrity/0 linux-integrity/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-integrity linux-integrity/ https://lore.kernel.org/linux-integrity \
		linux-integrity@vger.kernel.org
	public-inbox-index linux-integrity

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-integrity


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git