From: Stefan Berger <stefanb@linux.ibm.com>
To: Patrick Uiterwijk <patrick@puiterwijk.org>,
peterhuewe@gmx.de, jarkko@kernel.org, jgg@ziepe.ca,
zohar@linux.ibm.com, dmitry.kasatkin@gmail.com,
linux-integrity@vger.kernel.org
Cc: pbrobinson@gmail.com, kgold@linux.ibm.com
Subject: Re: [PATCH 3/3] integrity: Load keys from TPM NV onto IMA keyring
Date: Fri, 26 Feb 2021 16:47:25 -0500 [thread overview]
Message-ID: <4dcd8fe8-632a-a60b-e502-2185f61529f3@linux.ibm.com> (raw)
In-Reply-To: <20210225203229.363302-4-patrick@puiterwijk.org>
On 2/25/21 3:32 PM, Patrick Uiterwijk wrote:
> Allows users to enroll their own public key stored in a specific TPM2
> NV Index, requiring the absence of the Platform Create and Platform
> Write attributes on the NV Index, to be loaded on the IMA keyring.
>
> Provides a method for users to load keys without the need to recompile
> the kernel or change the kernel binary, which would require a resign of
> the kernel image.
>
> Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org>
> ---
> security/integrity/ima/Kconfig | 22 +++++++++++++
> security/integrity/ima/ima_init.c | 53 +++++++++++++++++++++++++++++++
> 2 files changed, 75 insertions(+)
>
> diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
> index 12e9250c1bec..28424b930c81 100644
> --- a/security/integrity/ima/Kconfig
> +++ b/security/integrity/ima/Kconfig
> @@ -291,6 +291,28 @@ config IMA_BLACKLIST_KEYRING
> the search is successful the requested operation is rejected and
> an error is returned to the caller.
>
> +config IMA_LOAD_CERT_NVINDEX
> + bool "Load certificate from TPM nvindex into '.ima' trusted keyring"
> + depends on IMA_TRUSTED_KEYRING && TCG_TPM
> + default n
> + help
> + File signature verification is based on the public keys
> + loaded on the .ima trusted keyring. These public keys are
> + X509 certificates signed by a trusted key on the
> + .system keyring. This option enables X509 certificate
> + loading by the kernel onto the '.ima' trusted keyring
> + from a TPM nvindex, bypassing the builtin keyring check.
> +
> +config IMA_LOAD_CERT_NVINDEX_INDEX
> + hex "The TPM NV Index to load into the '.ima' trusted keyring"
> + depends on IMA_LOAD_CERT_NVINDEX
> + default 0x184b520
> + help
> + Defines the index of the NV Index that gets loaded into the
> + '.ima' keyring.
> + The default is the "0x18" prefix for a non-TCG specified NV Index,
> + suffixed with ASCII for "KR" (keyring) and then 0
> +
> config IMA_LOAD_X509
> bool "Load X509 certificate onto the '.ima' trusted keyring"
> depends on IMA_TRUSTED_KEYRING
> diff --git a/security/integrity/ima/ima_init.c b/security/integrity/ima/ima_init.c
> index 6e8742916d1d..ea0949e8df12 100644
> --- a/security/integrity/ima/ima_init.c
> +++ b/security/integrity/ima/ima_init.c
> @@ -112,6 +112,55 @@ void __init ima_load_x509(void)
> }
> #endif
>
> +#ifndef CONFIG_IMA_LOAD_CERT_NVINDEX
> +int __init ima_load_key_nvindex(void)
> +{
> + return 0;
> +}
> +#else
> +int __init ima_load_key_nvindex(void)
> +{
> + void *cert_buffer;
> + int rc;
> + key_perm_t perm;
> + u32 nvindex_attributes = 0;
> +
> + rc = tpm_nv_read(tpm_default_chip(),
You should do chip = tpm_default_chip() so that later on you can do
put_device(&chip->dev).
> + CONFIG_IMA_LOAD_CERT_NVINDEX_INDEX,
> + &nvindex_attributes, &cert_buffer);
> + if (rc < 0) {
> + if (rc == -ENODEV) /* No TPM2 */
> + rc = 0;
> + if (rc == -ENOENT) /* No certificate in NV Index */
> + rc = 0;
> + goto out;
> + }
> +
> + pr_info("Loading IMA key from TPM NV Index 0x%x", CONFIG_IMA_LOAD_CERT_NVINDEX_INDEX);
> +
> + if (nvindex_attributes & TPM2_ATTR_NV_PLATFORMCREATE) {
> + pr_err("NV Index has the Platform Create attribute");
> + rc = -EACCES;
> + goto out_free;
> + }
> + if (nvindex_attributes & TPM2_ATTR_NV_PPWRITE) {
> + pr_err("NV Index has the Platform Write attribute");
> + rc = -EACCES;
> + goto out_free;
> + }
> +
> + perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW | KEY_USR_READ;
> + rc = integrity_load_cert(INTEGRITY_KEYRING_IMA, "TPM NV Index",
> + cert_buffer, rc, perm,
> + KEY_ALLOC_BYPASS_RESTRICTION);
> +
> +out_free:
> + kvfree(cert_buffer);
kfree?
> +out:
> + return rc;
> +}
> +#endif
> +
> int __init ima_init(void)
> {
> int rc;
> @@ -124,6 +173,10 @@ int __init ima_init(void)
> if (rc)
> return rc;
>
> + rc = ima_load_key_nvindex();
> + if (rc)
> + pr_info("Failed to load IMA key from TPM NV Index (%d)", rc);
> +
> rc = ima_init_crypto();
> if (rc)
> return rc;
next prev parent reply other threads:[~2021-02-26 21:48 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-02-25 20:32 [PATCH 0/3] Load keys from TPM2 NV Index on IMA keyring Patrick Uiterwijk
2021-02-25 20:32 ` [PATCH 1/3] tpm: Add support for reading a TPM NV Index Patrick Uiterwijk
2021-02-25 21:50 ` Stefan Berger
2021-02-26 1:09 ` Jarkko Sakkinen
2021-02-25 20:32 ` [PATCH 2/3] integrity: Allow specifying flags in integrity_load_cert Patrick Uiterwijk
2021-02-26 21:04 ` Stefan Berger
2021-02-25 20:32 ` [PATCH 3/3] integrity: Load keys from TPM NV onto IMA keyring Patrick Uiterwijk
2021-02-26 21:47 ` Stefan Berger [this message]
2021-02-26 21:51 ` Stefan Berger
2021-02-25 21:50 ` [PATCH 0/3] Load keys from TPM2 NV Index on " James Bottomley
2021-02-26 21:45 ` Ken Goldman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4dcd8fe8-632a-a60b-e502-2185f61529f3@linux.ibm.com \
--to=stefanb@linux.ibm.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=jarkko@kernel.org \
--cc=jgg@ziepe.ca \
--cc=kgold@linux.ibm.com \
--cc=linux-integrity@vger.kernel.org \
--cc=patrick@puiterwijk.org \
--cc=pbrobinson@gmail.com \
--cc=peterhuewe@gmx.de \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).