From: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
To: zohar@linux.ibm.com, linux-integrity@vger.kernel.org
Cc: Nayna Jain <nayna@linux.ibm.com>, bauerman@linux.ibm.com
Subject: Validating key measurement
Date: Wed, 20 Nov 2019 08:30:11 -0800 [thread overview]
Message-ID: <faab8e25-6aac-e44d-2364-ab2d0eca36a6@linux.microsoft.com> (raw)
In-Reply-To: <20191118223818.3353-5-nramas@linux.microsoft.com>
On 11/18/19 2:38 PM, Lakshmi Ramasubramanian wrote:
Hi Mimi,
I have described below how we can validate key measurement using the
data in the IMA log, tools such as openssl, etc.
Also, I have included how the key measurement data can be used to
correlate with ima-sig and ima-modsig entries (have taken some of this
from Nayna's patch on "appraising using blacklist of file hash".
Appreciate if you could please review and let me know if I should add
more info.
thanks,
-lakshmi
>
> The following example illustrates how key measurement can be verified.
>
> Sample IMA Policy entry to measure keys
> (Added in the file /etc/ima/ima-policy):
> measure func=KEY_CHECK keyrings=.ima|.evm|.blacklist template=ima-buf
>
> Build the kernel with this patch set applied and reboot to that kernel.
>
> Ensure the IMA policy is applied:
>
> root@nramas:/home/nramas# cat /sys/kernel/security/ima/policy
> measure func=KEY_CHECK keyrings=.ima|.evm|.blacklist template=ima-buf
>
> View the initial IMA measurement log:
>
> root@nramas:/home/nramas# cat /sys/kernel/security/ima/ascii_runtime_measurements
> 10 67ec... ima-ng sha1:b5466c508583f0e633df83aa58fc7c5b67ccf667 boot_aggregate
>
> Now, add a certificate in DER format (for example, x509_ima.der) to
> the .ima keyring:
>
> root@nramas:/home/nramas# keyctl show %:.ima
> Keyring
> 547515640 ---lswrv 0 0 keyring: .ima
>
> root@nramas:/home/nramas# evmctl import x509_ima.der 547515640
>
> root@nramas:/home/nramas# keyctl show %:.ima
> Keyring
> 547515640 ---lswrv 0 0 keyring: .ima
> 809678766 --als--v 0 0 \_ asymmetric: hostname: whoami signing key: 052dd247dc3c36...
>
> View the updated IMA measurement log:
>
> root@nramas:/home/nramas# cat /sys/kernel/security/ima/ascii_runtime_measurements
> 10 67ec... ima-ng sha1:b5466c508583f0e633df83aa58fc7c5b67ccf667 boot_aggregate
> 10 3adf... ima-buf sha256:27c915b8ddb9fae7214cf0a8a7043cc3eeeaa7539bcb136f8427067b5f6c3b7b .ima 30818902818100ee96b264072a42888f78a2f9b8198467a3ad97d126f3d1cc1c24d23e7185cc743b04d4a54254ca16e1e11ed4450deb98b1f7bb4288424570fabcfc6d5aa93a2a14fa2b7835ac877cfea761e5ff414c6ee274eff26f8bd6c484312e56619299acf0dbd224b87c3883b66a9393d21af8962458663b0ac1706c63773cd50e8236270203010001
> root@nramas:/home/nramas#
>
> The public key of x509_ima.der certificate and the key's SHA-256 hash
> are included in the IMA log.
>
> For example, in the above IMA log entry the public key is the following:
>
> 30818902818100ee96b264072a42888f78a2f9b8198467a3ad97d126f3d1cc1c24d23e7185cc743b04d4a54254ca16e1e11ed4450deb98b1f7bb4288424570fabcfc6d5aa93a2a14fa2b7835ac877cfea761e5ff414c6ee274eff26f8bd6c484312e56619299acf0dbd224b87c3883b66a9393d21af8962458663b0ac1706c63773cd50e8236270203010001
>
> sha256:27c915b8ddb9fae7214cf0a8a7043cc3eeeaa7539bcb136f8427067b5f6c3b7b
>
> root@nramas:/home/nramas# cat /sys/kernel/security/ima/ascii_runtime_measurements |
> grep " .ima" | cut -d' ' -f 6 | xxd -r -p | sha256sum
> 27c915b8ddb9fae7214cf0a8a7043cc3eeeaa7539bcb136f8427067b5f6c3b7b
> root@nramas:/home/nramas#
>
> SHA-256 hash in the IMA log and the above output should match.
>
> Now run the following "openssl" command to display
> various fields of x509_ima.der certificate:
>
> Verify the "Modulus" and the "Exponent" with that
> in the public key data in the IMA log entry.
> Note that the "Modulus" in the IMA log entry follows
> the RSA Header (For example, 308189028181)
> The "Exponent" is the last 3 hex numbers in the IMA log
> (For example, 0x01 0x00 0x01)
>
> root@nramas:/home/nramas# openssl x509 -in x509_ima.der -inform der -noout -text
> Certificate:
> Data:
> Version: 3 (0x2)
> Serial Number:
> 5b:e0:23:4f:f3:ad:f0:50:34:9b:33:b8:94:65:a6:aa:b6:e3:39:f7
> Signature Algorithm: sha256WithRSAEncryption
> Issuer: O = hostname, CN = whoami signing key, emailAddress = whoami@hostname
> Validity
> Not Before: Aug 22 02:29:02 2019 GMT
> Not After : Aug 21 02:29:02 2020 GMT
> Subject: O = hostname, CN = whoami signing key, emailAddress = whoami@hostname
> Subject Public Key Info:
> Public Key Algorithm: rsaEncryption
> RSA Public-Key: (1024 bit)
> Modulus:
> 00:ee:96:b2:64:07:2a:42:88:8f:78:a2:f9:b8:19:
> 84:67:a3:ad:97:d1:26:f3:d1:cc:1c:24:d2:3e:71:
> 85:cc:74:3b:04:d4:a5:42:54:ca:16:e1:e1:1e:d4:
> 45:0d:eb:98:b1:f7:bb:42:88:42:45:70:fa:bc:fc:
> 6d:5a:a9:3a:2a:14:fa:2b:78:35:ac:87:7c:fe:a7:
> 61:e5:ff:41:4c:6e:e2:74:ef:f2:6f:8b:d6:c4:84:
> 31:2e:56:61:92:99:ac:f0:db:d2:24:b8:7c:38:83:
> b6:6a:93:93:d2:1a:f8:96:24:58:66:3b:0a:c1:70:
> 6c:63:77:3c:d5:0e:82:36:27
> Exponent: 65537 (0x10001)
> X509v3 extensions:
> X509v3 Basic Constraints: critical
> CA:FALSE
> X509v3 Key Usage:
> Digital Signature
> X509v3 Subject Key Identifier:
> 05:2D:D2:47:DC:3C:36:D6:D6:06:75:FE:7A:E8:69:79:0B:E5:61:71
> X509v3 Authority Key Identifier:
> keyid:E3:67:10:F0:83:4C:97:3E:D9:4A:18:6F:BC:D2:23:75:B4:5E:24:54
>
> Signature Algorithm: sha256WithRSAEncryption
> b1:2f:ae:ff:1e:0e:39:0c:fd:5e:b7:14:0a:f3:b7:a6:53:cb:
> 49:c6:ab:0a:23:be:24:c0:35:33:1d:76:00:c8:f7:58:f9:df:
> 7f:df:c5:ee:b6:fe:c3:58:59:20:3e:ca:0e:4f:01:f9:a7:9a:
> 58:be:63:09:47:cb:95:9a:52:d3:f2:de:96:f2:10:d4:92:47:
> c3:3a:62:26:dc:2a:52:ee:54:10:69:ed:3c:62:1f:87:67:fd:
> 36:a0:61:e9:a6:1a:db:5d:1d:d3:44:99:d9:9a:1c:e6:ba:a4:
> 96:b4:f5:e2:26:8b:fc:52:c3:ee:a4:a6:b7:b5:18:1f:08:52:
> 4a:ee
> root@nramas:/home/nramas#
>
> An ima-sig entry for a kernel module, say, kheaders.ko
> from the IMA log entry is given below:
>
> 10 0c98... ima-sig
> sha256:3bc6ed4f0b4d6e31bc1dbc9ef844605abc7afdc6d81a57d77a1ec9407997c40
> 2 /usr/lib/modules/5.4.0-rc3+/kernel/kernel/kheaders.ko
> 03020BE561710100abcde...
>
> In the above 0BE56171 is the Key ID of the key used to verify
> the IMA signature. This Key ID is the last 4 hex digits of
> the subject key identifier displayed in openssl output
> for the certificate x509_ima.der (Which is the IMA certificate
> used to sign the kernel module).
>
> X509v3 Subject Key Identifier:
> 05:2D:D2:47:DC:3C:36:D6:D6:06:75:FE:7A:E8:69:79:0B:E5:61:71
>
> The ima-modsig entry for the same kernel module is:
>
> 10 82aa... ima-modsig
> sha256:3bc6ed4f0b4d6e31bc1dbc9ef844605abc7afdc6d81a57d77a1ec9407997c40
> 2 /usr/lib/modules/5.4.0rc3+/kernel/kernel/kheaders.ko
> sha256:77fa889b35a05338ec52e51591c1b89d4c8d1c99a21251d7c22b1a8642a6bad3
> 30818902818100ee96b264072a42888f78a2f9b8198467a3ad97d126f3d1cc1c24d23e7185cc743b04d4a54254ca16e1e11ed4450deb98b1f7bb4288424570fabcfc6d5aa93a2a14fa2b7835ac877cfea761e5ff414c6ee274eff26f8bd6c484312e56619299acf0dbd224b87c3883b66a9393d21af8962458663b0ac1706c63773cd50e8236270203010001
>
> If the kernel module was signed by x509_ima.der certificate then
> the public key entry in the ima-modsig should match the public key
> for the key measurement for x509_ima.der.
>
> The above can be used to correlate the key measurement IMA entry,
> ima-sig and ima-modsig entries using the same key.
next prev parent reply other threads:[~2019-11-20 16:30 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-11-18 22:38 [PATCH v8 0/5] KEYS: Measure keys when they are created or updated Lakshmi Ramasubramanian
2019-11-18 22:38 ` [PATCH v8 1/5] IMA: Add KEY_CHECK func to measure keys Lakshmi Ramasubramanian
2019-11-18 22:38 ` [PATCH v8 2/5] IMA: Define an IMA hook " Lakshmi Ramasubramanian
2019-11-20 23:28 ` Eric Snowberg
2019-11-20 23:40 ` Lakshmi Ramasubramanian
2019-11-21 1:22 ` Mimi Zohar
2019-11-21 1:32 ` Lakshmi Ramasubramanian
2019-11-21 17:16 ` Lakshmi Ramasubramanian
2019-11-18 22:38 ` [PATCH v8 3/5] KEYS: Call the " Lakshmi Ramasubramanian
2019-11-19 1:18 ` Eric Snowberg
2019-11-19 1:58 ` Lakshmi Ramasubramanian
2019-11-18 22:38 ` [PATCH v8 4/5] IMA: Add support to limit measuring keys Lakshmi Ramasubramanian
2019-11-20 16:30 ` Lakshmi Ramasubramanian [this message]
2019-11-20 23:19 ` Mimi Zohar
2019-11-21 0:03 ` Lakshmi Ramasubramanian
2019-11-21 0:53 ` Mimi Zohar
2019-11-21 3:11 ` Lakshmi Ramasubramanian
2019-11-18 22:38 ` [PATCH v8 5/5] IMA: Read keyrings= option from the IMA policy Lakshmi Ramasubramanian
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=faab8e25-6aac-e44d-2364-ab2d0eca36a6@linux.microsoft.com \
--to=nramas@linux.microsoft.com \
--cc=bauerman@linux.ibm.com \
--cc=linux-integrity@vger.kernel.org \
--cc=nayna@linux.ibm.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).