From: Roberto Sassu <roberto.sassu@huawei.com>
To: <zohar@linux.ibm.com>, <mjg59@srcf.ucam.org>
Cc: <linux-integrity@vger.kernel.org>,
	<linux-security-module@vger.kernel.org>,
	<linux-doc@vger.kernel.org>, <linux-kernel@vger.kernel.org>,
	Roberto Sassu <roberto.sassu@huawei.com>
Subject: [PATCH 0/7] ima: Add template fields to verify EVM portable signatures
Date: Thu, 20 May 2021 10:56:54 +0200
Message-ID: <20210520085701.465369-1-roberto.sassu@huawei.com>

The recent patch set 'evm: Improve usability of portable signatures' added
the possibility to include EVM portable signatures in the IMA measurement
list.

However, the information necessary to verify the signature was not
included in the IMA measurement list. This patch set introduces new
template fields to accomplish this goal:

- 'iuid': the inode UID;
- 'igid': the inode GID;
- 'mntuidmap': the UID mappings of the idmapped mount (nr extents,
  [ uid_gid_extent1 ] ... [ uid_gid_extentN ], all u32 in canonical
  format);
- 'mntgidmap': the GID mappings of the idmapped mount (same format as
  'mntuidmap');
- 'imode': the inode mode;
- 'evmxattrs': the EVM protected xattrs (num xattrs (u32 in canonical
   format), xattr names separated by \0, xattr lengths (u32 in canonical
   format) and xattr values).

mntuidmap and mntgidmap are not empty only if the measurement is performed
on an idmapped mount. In that case, the inode UID and GID need to be
converted with the provided mappings.

Patches 1-4, 6 introduce new template fields. Patch 5 makes it possible to
verify EVM portable signatures which protect xattrs belonging to LSMs not
enabled in the target platform. Patch 7 fixes a small issue in
evm_write_xattrs() when audit is not enabled.

This patch set has been tested with:

https://github.com/robertosassu/ima-evm-utils/blob/ima-template-fields-v1-devel-v1/tests/verify_evmsig.test
https://github.com/robertosassu/ima-evm-utils/blob/ima-template-fields-v1-devel-v1/tests/evm_hmac_non_enabled_xattrs.test

The first test sets the IMA template format to:

d-ng|n-ng|sig|evmxattrs|iuid|igid|imode|mntuidmap|mntgidmap

Then, it creates a test file, sets some metadata and reads the file to
generate a measurement entry. To verify that the information provided by
IMA is correct, the test creates another file and sets the metadata
obtained from the measurement list. Finally, it executes evmctl to verify
the signature on the second file.

The test is performed without and with an idmapped mount. evmctl has been
extended to parse mntuidmap and mntgidmap (only one mapping), so that it
can convert the mapped UID and GID from the measurement list to the
original ones. In this way, the signature can be verified.

The second test verifies that setting a non-enabled xattr does not change
the HMAC.

The test results are available at:

https://travis-ci.com/github/robertosassu/ima-evm-utils/jobs/506431933
https://travis-ci.com/github/robertosassu/ima-evm-utils/jobs/506431937

This patch set has also been tested on s390x, with and without the
canonical format enabled (the test results are not shown, as the UML kernel
used in Travis is not available for this architecture).

Roberto Sassu (7):
  ima: Add ima_show_template_uint() template library function
  ima: Introduce template fields iuid and igid
  ima: Introduce template fields mntuidmap and mntgidmap
  ima: Introduce template field imode
  evm: Verify portable signatures against all protected xattrs
  ima: Introduce template field evmxattrs
  evm: Don't return an error in evm_write_xattrs() if audit is not
    enabled

 Documentation/security/IMA-templates.rst  |  10 +
 include/linux/evm.h                       |   6 +
 security/integrity/evm/evm.h              |   1 +
 security/integrity/evm/evm_crypto.c       |   7 +
 security/integrity/evm/evm_main.c         |  56 +++-
 security/integrity/evm/evm_secfs.c        |  18 +-
 security/integrity/ima/ima_template.c     |  14 +
 security/integrity/ima/ima_template_lib.c | 322 +++++++++++++++++++++-
 security/integrity/ima/ima_template_lib.h |  14 +
 9 files changed, 434 insertions(+), 14 deletions(-)

-- 
2.25.1
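The cover letter above describes the byte layout of the mntuidmap/mntgidmap and evmxattrs template fields, and the verification flow in which evmctl converts the mapped UID/GID from the measurement list back to the original ones before checking the signature. The following Python is an added example, not code from the patch set or from ima-evm-utils: it parses those two field formats from raw measurement-list bytes, converts an id recorded through an idmapped mount back to the filesystem's id, and reconstructs the metadata a verifier would set on a second file. It assumes that "canonical format" means little-endian u32 (IMA's ima_canonical_fmt encoding), that each extent is serialized as the kernel's struct uid_gid_extent order (first, lower_first, count), that every xattr name in evmxattrs carries its own trailing NUL, that iuid/igid are u32, and that the conversion direction is mount view to filesystem view; all sample values are constructed.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List

# Assumption: "canonical format" is IMA's little-endian integer encoding
# (what the kernel emits with ima_canonical_fmt), so every u32 below is "<I".
U32 = struct.Struct("<I")


@dataclass(frozen=True)
class Extent:
    """One uid_gid_extent. Field order (first, lower_first, count) is assumed
    to follow the kernel's struct uid_gid_extent."""
    first: int        # id as seen through the idmapped mount
    lower_first: int  # id in the underlying filesystem (what the signature covers)
    count: int


def encode_idmap(extents: List[Extent]) -> bytes:
    """Build an mntuidmap/mntgidmap field (used here only to construct sample data)."""
    out = U32.pack(len(extents))
    for e in extents:
        out += struct.pack("<III", e.first, e.lower_first, e.count)
    return out


def parse_idmap(data: bytes) -> List[Extent]:
    """Parse an mntuidmap/mntgidmap field: nr extents, then nr extents of 3 u32."""
    if not data:
        return []  # empty field: the measurement was not taken on an idmapped mount
    (nr,) = U32.unpack_from(data, 0)
    expected = U32.size * (1 + 3 * nr)
    if len(data) != expected:
        raise ValueError(f"idmap field is {len(data)} bytes, expected {expected}")
    return [Extent(*struct.unpack_from("<III", data, U32.size + 12 * i)) for i in range(nr)]


def unmap_id(mapped: int, extents: List[Extent]) -> int:
    """Convert an id recorded through an idmapped mount back to the original id.
    Assumed direction: the list holds the mount's view, the signature covers the
    filesystem's view, so original = lower_first + (mapped - first)."""
    if not extents:
        return mapped
    for e in extents:
        if e.first <= mapped < e.first + e.count:
            return e.lower_first + (mapped - e.first)
    raise ValueError(f"id {mapped} is not covered by any extent")


def encode_evmxattrs(xattrs: Dict[bytes, bytes]) -> bytes:
    """Build an evmxattrs field (used here only to construct sample data)."""
    out = U32.pack(len(xattrs))
    out += b"".join(name + b"\0" for name in xattrs)
    out += b"".join(U32.pack(len(v)) for v in xattrs.values())
    out += b"".join(xattrs.values())
    return out


def parse_evmxattrs(data: bytes) -> Dict[bytes, bytes]:
    """Parse evmxattrs: num (u32), NUL-terminated names, num lengths (u32), values.
    Assumption: each name carries its own trailing NUL."""
    (num,) = U32.unpack_from(data, 0)
    off = U32.size
    names = []
    for _ in range(num):
        end = data.find(b"\0", off)
        if end < 0:
            raise ValueError("unterminated xattr name")
        names.append(data[off:end])
        off = end + 1
    lengths = struct.unpack_from("<" + "I" * num, data, off)
    off += U32.size * num
    xattrs = {}
    for name, length in zip(names, lengths):
        if off + length > len(data):
            raise ValueError(f"xattr {name!r} runs past the end of the field")
        xattrs[name] = data[off:off + length]
        off += length
    if off != len(data):
        raise ValueError("trailing bytes after the last xattr value")
    return xattrs


def reconstruct_metadata(fields: Dict[str, bytes]) -> dict:
    """Turn the raw template fields of one measurement entry into the metadata
    a verifier sets on a second file before running evmctl (iuid/igid assumed u32)."""
    (iuid,) = U32.unpack(fields["iuid"])
    (igid,) = U32.unpack(fields["igid"])
    return {
        "uid": unmap_id(iuid, parse_idmap(fields.get("mntuidmap", b""))),
        "gid": unmap_id(igid, parse_idmap(fields.get("mntgidmap", b""))),
        "xattrs": parse_evmxattrs(fields["evmxattrs"]),
    }


# Constructed sample: a container-style mapping (filesystem ids 0..65535 appear
# as 100000..165535 through the mount), an inode owned by 1000:1000 on disk,
# and two EVM-protected xattrs with made-up values.
SAMPLE_MAP = encode_idmap([Extent(first=100000, lower_first=0, count=65536)])
SAMPLE_XATTRS = {
    b"security.ima": b"\x03" + bytes(range(8)),  # fake signature bytes
    b"security.selinux": b"unconfined_u:object_r:user_home_t:s0\0",
}
SAMPLE_FIELDS = {
    "iuid": U32.pack(101000),  # 1000 as seen through the idmapped mount
    "igid": U32.pack(101000),
    "mntuidmap": SAMPLE_MAP,
    "mntgidmap": SAMPLE_MAP,
    "evmxattrs": encode_evmxattrs(SAMPLE_XATTRS),
}

if __name__ == "__main__":
    print(reconstruct_metadata(SAMPLE_FIELDS))
```

The length checks matter on the verifier side: a measurement entry whose idmap field is not exactly 4 + 12·nr bytes, or whose xattr lengths overrun the field, should be rejected rather than silently truncated, because the reconstructed metadata is what the signature check is run against.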



Thread overview: 13+ messages
2021-05-20  8:56 Roberto Sassu [this message]
2021-05-20  8:56 ` [PATCH 1/7] ima: Add ima_show_template_uint() template library function Roberto Sassu
2021-05-20  8:56 ` [PATCH 2/7] ima: Introduce template fields iuid and igid Roberto Sassu
2021-05-20  8:56 ` [PATCH 3/7] ima: Introduce template fields mntuidmap and mntgidmap Roberto Sassu
2021-05-20  9:36   ` Christian Brauner
2021-05-20  9:41     ` Christian Brauner
2021-05-20 11:54       ` Roberto Sassu
2021-05-20  8:56 ` [PATCH 4/7] ima: Introduce template field imode Roberto Sassu
2021-05-20  8:56 ` [PATCH 5/7] evm: Verify portable signatures against all protected xattrs Roberto Sassu
2021-05-24 18:21   ` Mimi Zohar
2021-05-20  8:57 ` [PATCH 6/7] ima: Introduce template field evmxattrs Roberto Sassu
2021-05-24 18:31   ` Mimi Zohar
2021-05-20  8:57 ` [PATCH 7/7] evm: Don't return an error in evm_write_xattrs() if audit is not enabled Roberto Sassu
