From: Stefan Berger <stefanb@linux.ibm.com>
To: Patrick Uiterwijk <patrick@puiterwijk.org>,
	peterhuewe@gmx.de, jarkko@kernel.org, jgg@ziepe.ca,
	zohar@linux.ibm.com, dmitry.kasatkin@gmail.com,
	linux-integrity@vger.kernel.org
Cc: pbrobinson@gmail.com, kgold@linux.ibm.com
Subject: Re: [PATCH 3/3] integrity: Load keys from TPM NV onto IMA keyring
Date: Fri, 26 Feb 2021 16:51:06 -0500	[thread overview]
Message-ID: <df01935b-4f73-1fdd-787a-e2620fdb082f@linux.ibm.com> (raw)
In-Reply-To: <4dcd8fe8-632a-a60b-e502-2185f61529f3@linux.ibm.com>

On 2/26/21 4:47 PM, Stefan Berger wrote:
> On 2/25/21 3:32 PM, Patrick Uiterwijk wrote:
>> Allows users to enroll their own public key, stored in a specific TPM2
>> NV Index that must not carry the Platform Create or Platform Write
>> attributes, so that it is loaded on the IMA keyring.
>>
>> Provides a method for users to load keys without the need to recompile
>> the kernel or change the kernel binary, which would require a resign of
>> the kernel image.
>>
>> Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org>
>> ---
>>   security/integrity/ima/Kconfig    | 22 +++++++++++++
>>   security/integrity/ima/ima_init.c | 53 +++++++++++++++++++++++++++++++
>>   2 files changed, 75 insertions(+)
>>
>> diff --git a/security/integrity/ima/Kconfig 
>> b/security/integrity/ima/Kconfig
>> index 12e9250c1bec..28424b930c81 100644
>> --- a/security/integrity/ima/Kconfig
>> +++ b/security/integrity/ima/Kconfig
>> @@ -291,6 +291,28 @@ config IMA_BLACKLIST_KEYRING
>>          the search is successful the requested operation is rejected 
>> and
>>          an error is returned to the caller.
>>   +config IMA_LOAD_CERT_NVINDEX
>> +    bool "Load certificate from TPM nvindex into '.ima' trusted 
>> keyring"
>> +    depends on IMA_TRUSTED_KEYRING && TCG_TPM
>> +    default n
>> +    help
>> +       File signature verification is based on the public keys
>> +       loaded on the .ima trusted keyring. These public keys are
>> +       X509 certificates signed by a trusted key on the
>> +       .system keyring.  This option enables X509 certificate
>> +       loading by the kernel onto the '.ima' trusted keyring
>> +       from a TPM nvindex, bypassing the builtin keyring check.
>> +
>> +config IMA_LOAD_CERT_NVINDEX_INDEX
>> +    hex "The TPM NV Index to load into the '.ima' trusted keyring"
>> +    depends on IMA_LOAD_CERT_NVINDEX
>> +    default 0x184b520
>> +    help
>> +       Defines the index of the NV Index that gets loaded into the
>> +       '.ima' keyring.
>> +       The default is the "0x18" prefix for a non-TCG specified NV 
>> Index,
>> +       suffixed with ASCII for "KR" (keyring) and then 0
>> +
>>   config IMA_LOAD_X509
>>       bool "Load X509 certificate onto the '.ima' trusted keyring"
>>       depends on IMA_TRUSTED_KEYRING
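Review bot: The help text for IMA_LOAD_CERT_NVINDEX says the certificate is loaded "bypassing the builtin keyring check" but does not say what replaces that check, even though the ima_init.c change in this series rejects indices carrying the Platform Create or Platform Write attributes; a user enabling this option needs that stated here, e.g. `The NV Index must not carry the Platform Create or Platform Write attributes. The loaded key is trusted without a signature from the builtin keyring, so the NV Index's write authorization becomes the trust anchor.` `default n` is already the Kconfig default and can be dropped. For IMA_LOAD_CERT_NVINDEX_INDEX, a `range` line restricting the value to the TPM2 NV Index handle space would catch a mistyped index at configure time rather than at boot, unless tpm_nv_read() already validates the handle (not visible here). The help's description of the default as a "0x18" prefix followed by "KR" and 0 is hard to map onto the digits of 0x184b520 and would be clearer spelled out nibble by nibble.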
>> diff --git a/security/integrity/ima/ima_init.c 
>> b/security/integrity/ima/ima_init.c
>> index 6e8742916d1d..ea0949e8df12 100644
>> --- a/security/integrity/ima/ima_init.c
>> +++ b/security/integrity/ima/ima_init.c
>> @@ -112,6 +112,55 @@ void __init ima_load_x509(void)
>>   }
>>   #endif
>>   +#ifndef CONFIG_IMA_LOAD_CERT_NVINDEX
>> +int __init ima_load_key_nvindex(void)
>> +{
>> +    return 0;
>> +}
>> +#else
>> +int __init ima_load_key_nvindex(void)
>> +{
>> +    void *cert_buffer;
>> +    int rc;
>> +    key_perm_t perm;
>> +    u32 nvindex_attributes = 0;
>> +
>> +    rc = tpm_nv_read(tpm_default_chip(),
>
>
> You should do chip = tpm_default_chip() so that later on you can do 
> put_device(&chip->dev).


... or just use ima_tpm_chip if != NULL: 
https://elixir.bootlin.com/linux/latest/source/security/integrity/ima/ima_init.c#L23



>
>
>> + CONFIG_IMA_LOAD_CERT_NVINDEX_INDEX,
>> +                &nvindex_attributes, &cert_buffer);
>> +    if (rc < 0) {
>> +        if (rc == -ENODEV)  /* No TPM2 */
>> +            rc = 0;
>> +        if (rc == -ENOENT)  /* No certificate in NV Index */
>> +            rc = 0;
>> +        goto out;
>> +    }
>> +
>> +    pr_info("Loading IMA key from TPM NV Index 0x%x", 
>> CONFIG_IMA_LOAD_CERT_NVINDEX_INDEX);
>> +
>> +    if (nvindex_attributes & TPM2_ATTR_NV_PLATFORMCREATE) {
>> +        pr_err("NV Index has the Platform Create attribute");
>> +        rc = -EACCES;
>> +        goto out_free;
>> +    }
>> +    if (nvindex_attributes & TPM2_ATTR_NV_PPWRITE) {
>> +        pr_err("NV Index has the Platform Write attribute");
>> +        rc = -EACCES;
>> +        goto out_free;
>> +    }
>> +
>> +    perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW | 
>> KEY_USR_READ;
>> +    rc = integrity_load_cert(INTEGRITY_KEYRING_IMA, "TPM NV Index",
>> +                 cert_buffer, rc, perm,
>> +                 KEY_ALLOC_BYPASS_RESTRICTION);
>> +
>> +out_free:
>> +    kvfree(cert_buffer);
>
>
> kfree?
>
>
>> +out:
>> +    return rc;
>> +}
>> +#endif
>> +
>>   int __init ima_init(void)
>>   {
>>       int rc;
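Review bot: The attribute check in ima_load_key_nvindex() only rejects TPM2_ATTR_NV_PLATFORMCREATE and TPM2_ATTR_NV_PPWRITE, i.e. platform-controlled indices; it does not require that the index is write-locked, so a certificate loaded here with KEY_ALLOC_BYPASS_RESTRICTION — without the builtin-keyring signature check — is trusted exactly as far as the NV Index's write authorization, which nothing in this hunk verifies. If the intent is that the index is provisioned once and then locked, checking the TPMA_NV_WRITELOCKED attribute (under whatever name patch 1/3 exposes it; not visible here) and stating that requirement in a header comment on the function would make the trust boundary explicit; at minimum the function needs a comment saying the key bypasses the builtin trust chain and what the attribute check is meant to guarantee. Separately, every printk in this hunk and the one at @@ -124,6 +173,10 @@ lacks a trailing newline, e.g. `pr_err("NV Index has the Platform Create attribute\n");`, so the following message would be joined onto it. Since the diffstat adds no prototype and the only caller is ima_init() in this file, both definitions could be `static int __init ima_load_key_nvindex(void)`.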
>> @@ -124,6 +173,10 @@ int __init ima_init(void)
>>       if (rc)
>>           return rc;
>>   +    rc = ima_load_key_nvindex();
>> +    if (rc)
>> +        pr_info("Failed to load IMA key from TPM NV Index (%d)", rc);
>> +
>>       rc = ima_init_crypto();
>>       if (rc)
>>           return rc;
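Review bot: A non-zero return from ima_load_key_nvindex() is only reported with pr_info and boot continues, so the -EACCES case — an index carrying a platform attribute, which the helper treats as a trust-policy violation — is indistinguishable in the log from a benign failure; pr_err (or at least pr_warn) fits better, and the message needs a trailing newline: `pr_err("Failed to load IMA key from TPM NV Index (%d)\n", rc);`. Whether a rejected index should instead fail ima_init() is a policy question the commit message should answer; continuing looks intended, since the .ima keyring remains usable without this key. ima_init()'s body continues outside the hunk.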



