From: Roberto Sassu <roberto.sassu@huawei.com>
To: <zohar@linux.ibm.com>, <mjg59@srcf.ucam.org>
Cc: <linux-integrity@vger.kernel.org>,
<linux-security-module@vger.kernel.org>,
<linux-doc@vger.kernel.org>, <linux-kernel@vger.kernel.org>,
Roberto Sassu <roberto.sassu@huawei.com>
Subject: [PATCH 0/7] ima: Add template fields to verify EVM portable signatures
Date: Thu, 20 May 2021 10:56:54 +0200 [thread overview]
Message-ID: <20210520085701.465369-1-roberto.sassu@huawei.com> (raw)
The recent patch set 'evm: Improve usability of portable signatures' added
the possibility to include EVM portable signatures in the IMA measurement
list.
However, the information necessary to verify the signature were not
included in the IMA measurement list. This patch set introduces new
template fields to accomplish this goal:
- 'iuid': the inode UID;
- 'igid': the inode GID;
- 'mntuidmap': the UID mappings of the idmapped mount (nr extents,
[ uid_gid_extent1 ] ... [ uid_gid_extentN ], all u32 in canonical
format);
- 'mntgidmap': the GID mappings of the idmapped mount (same format as
'mntuidmap');
- 'imode': the inode mode;
- 'evmxattrs': the EVM protected xattrs (num xattrs (u32 in canonical
format), xattr names separated by \0, xattr lengths (u32 in canonical
format) and xattr values).
mntuidmap and mntgidmap are not empty only if the measurement is performed
on an idmapped mount. In that case, the inode UID and GID need to be
converted with the provided mappings.
Patches 1-4, 6 introduce new template fields. Patch 5 make it possible to
verify EVM portable signatures which protect xattrs belonging to LSMs not
enabled in the target platform. Patch 7 fixes a small issue in
evm_write_xattrs() when audit is not enabled.
This patch set has been tested with:
https://github.com/robertosassu/ima-evm-utils/blob/ima-template-fields-v1-devel-v1/tests/verify_evmsig.test
https://github.com/robertosassu/ima-evm-utils/blob/ima-template-fields-v1-devel-v1/tests/evm_hmac_non_enabled_xattrs.test
The first test sets the IMA template format to:
d-ng|n-ng|sig|evmxattrs|iuid|igid|imode|mntuidmap|mntgidmap
Then, it creates a test file, sets some metadata and reads the file to
generate a measurement entry. To verify that the information provided by
IMA are correct, the test creates another file and sets the metadata
obtained from the measurement list. Finally, it executes evmctl to verify
the signature on the second file.
The test is performed without and with an idmapped mount. evmctl has been
extended to parse mntuidmap and mntgidmap (only one mapping), so that it
can convert the mapped UID and GID from the measurement list to the
original ones. In this way, the signature can be verified.
The second test verifies that setting a non-enabled xattr does not change
the HMAC.
The test results are available at:
https://travis-ci.com/github/robertosassu/ima-evm-utils/jobs/506431933
https://travis-ci.com/github/robertosassu/ima-evm-utils/jobs/506431937
This patch set has been also tested on s390x, with and without the
canonical format enabled (the test results are not shown, as the UML kernel
used in Travis is not available for this architecture).
Roberto Sassu (7):
ima: Add ima_show_template_uint() template library function
ima: Introduce template fields iuid and igid
ima: Introduce template fields mntuidmap and mntgidmap
ima: Introduce template field imode
evm: Verify portable signatures against all protected xattrs
ima: Introduce template field evmxattrs
evm: Don't return an error in evm_write_xattrs() if audit is not
enabled
Documentation/security/IMA-templates.rst | 10 +
include/linux/evm.h | 6 +
security/integrity/evm/evm.h | 1 +
security/integrity/evm/evm_crypto.c | 7 +
security/integrity/evm/evm_main.c | 56 +++-
security/integrity/evm/evm_secfs.c | 18 +-
security/integrity/ima/ima_template.c | 14 +
security/integrity/ima/ima_template_lib.c | 322 +++++++++++++++++++++-
security/integrity/ima/ima_template_lib.h | 14 +
9 files changed, 434 insertions(+), 14 deletions(-)
--
2.25.1
next reply other threads:[~2021-05-20 8:57 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-05-20 8:56 Roberto Sassu [this message]
2021-05-20 8:56 ` [PATCH 1/7] ima: Add ima_show_template_uint() template library function Roberto Sassu
2021-05-20 8:56 ` [PATCH 2/7] ima: Introduce template fields iuid and igid Roberto Sassu
2021-05-20 8:56 ` [PATCH 3/7] ima: Introduce template fields mntuidmap and mntgidmap Roberto Sassu
2021-05-20 9:36 ` Christian Brauner
2021-05-20 9:41 ` Christian Brauner
2021-05-20 11:54 ` Roberto Sassu
2021-05-20 8:56 ` [PATCH 4/7] ima: Introduce template field imode Roberto Sassu
2021-05-20 8:56 ` [PATCH 5/7] evm: Verify portable signatures against all protected xattrs Roberto Sassu
2021-05-24 18:21 ` Mimi Zohar
2021-05-20 8:57 ` [PATCH 6/7] ima: Introduce template field evmxattrs Roberto Sassu
2021-05-24 18:31 ` Mimi Zohar
2021-05-20 8:57 ` [PATCH 7/7] evm: Don't return an error in evm_write_xattrs() if audit is not enabled Roberto Sassu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210520085701.465369-1-roberto.sassu@huawei.com \
--to=roberto.sassu@huawei.com \
--cc=linux-doc@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mjg59@srcf.ucam.org \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).