From: Nayna Jain <nayna@linux.vnet.ibm.com>
To: dhowells@redhat.com
Cc: keyrings@vger.kernel.org, linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org, linux-integrity@vger.kernel.org,
Nayna Jain <nayna@linux.vnet.ibm.com>
Subject: [PATCH 3/3] ima: support platform keyring for kernel appraisal
Date: Wed, 28 Feb 2018 17:57:16 +0000 [thread overview]
Message-ID: <20180228175521.10287-3-nayna@linux.vnet.ibm.com> (raw)
In-Reply-To: <20180228175521.10287-1-nayna@linux.vnet.ibm.com>
Distros may sign the kernel images and, possibly, the initramfs with
platform trusted keys. On secure boot enabled systems or embedded
devices, these signatures are to be validated using keys on the platform
keyring.
This patch enables IMA-appraisal to access the platform keyring, based
on a new Kconfig option "IMA_USE_PLATFORM_KEYRING".
Signed-off-by: Nayna Jain <nayna@linux.vnet.ibm.com>
---
security/integrity/digsig.c | 15 +++++++++++++++
security/integrity/ima/Kconfig | 10 ++++++++++
security/integrity/ima/ima_appraise.c | 22 +++++++++++++++++-----
security/integrity/ima/ima_init.c | 4 ++++
security/integrity/integrity.h | 17 ++++++++++++++++-
5 files changed, 62 insertions(+), 6 deletions(-)
diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
index 6f9e4ce568cd..87f2ae5ba48c 100644
--- a/security/integrity/digsig.c
+++ b/security/integrity/digsig.c
@@ -34,6 +34,8 @@ static const char *keyring_name[INTEGRITY_KEYRING_MAX] = {
".ima",
#endif
"_module",
+ ".platform_keys",
+
};
#ifdef CONFIG_INTEGRITY_TRUSTED_KEYRING
@@ -78,6 +80,19 @@ int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
return -EOPNOTSUPP;
}
+#ifdef CONFIG_IMA_USE_PLATFORM_KEYRING
+int __init integrity_load_keyring(const unsigned int id)
+{
+
+ keyring[id] = find_keyring_by_name(keyring_name[id], 0);
+ if (IS_ERR(keyring[id]))
+ if (PTR_ERR(keyring[id]) != -ENOKEY)
+ return PTR_ERR(keyring[id]);
+ return 0;
+
+}
+#endif
+
int __init integrity_init_keyring(const unsigned int id)
{
const struct cred *cred = current_cred();
diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
index 35ef69312811..2e89d4f8a364 100644
--- a/security/integrity/ima/Kconfig
+++ b/security/integrity/ima/Kconfig
@@ -227,3 +227,13 @@ config IMA_APPRAISE_SIGNED_INIT
default n
help
This option requires user-space init to be signed.
+
+config IMA_USE_PLATFORM_KEYRING
+ bool "IMA uses keys from Platform Keyring for verification"
+ depends on PLATFORM_KEYRING
+ depends on IMA_APPRAISE
+ depends on INTEGRITY_ASYMMETRIC_KEYS
+ default n
+ help
+ This option enables IMA appraisal to look for the platform
+ trusted keys in .platform_keys keyring.
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index f2803a40ff82..5fec29f40595 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -276,13 +276,25 @@ int ima_appraise_measurement(enum ima_hooks func,
(const char *)xattr_value, rc,
iint->ima_hash->digest,
iint->ima_hash->length);
- if (rc = -EOPNOTSUPP) {
- status = INTEGRITY_UNKNOWN;
- } else if (rc) {
+ if (rc) {
+ if (rc = -EOPNOTSUPP) {
+ status = INTEGRITY_UNKNOWN;
+ break;
+ }
+ if (func = KEXEC_KERNEL_CHECK) {
+ rc = integrity_digsig_verify(
+ INTEGRITY_KEYRING_PLATFORM,
+ (const char *)xattr_value,
+ xattr_len,
+ iint->ima_hash->digest,
+ iint->ima_hash->length);
+ if (!rc) {
+ status = INTEGRITY_PASS;
+ break;
+ }
+ }
cause = "invalid-signature";
status = INTEGRITY_FAIL;
- } else {
- status = INTEGRITY_PASS;
}
break;
default:
diff --git a/security/integrity/ima/ima_init.c b/security/integrity/ima/ima_init.c
index 29b72cd2502e..fda38b6c3ab3 100644
--- a/security/integrity/ima/ima_init.c
+++ b/security/integrity/ima/ima_init.c
@@ -122,6 +122,10 @@ int __init ima_init(void)
if (rc)
return rc;
+ rc = integrity_load_keyring(INTEGRITY_KEYRING_PLATFORM);
+ if (rc)
+ pr_info("Platform keyring is not found. (rc=%d)\n", rc);
+
rc = ima_init_crypto();
if (rc)
return rc;
diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
index 50a8e3365df7..d0aeb6a39036 100644
--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -136,13 +136,23 @@ int integrity_kernel_read(struct file *file, loff_t offset,
#define INTEGRITY_KEYRING_EVM 0
#define INTEGRITY_KEYRING_IMA 1
#define INTEGRITY_KEYRING_MODULE 2
-#define INTEGRITY_KEYRING_MAX 3
+#define INTEGRITY_KEYRING_PLATFORM 3
+#define INTEGRITY_KEYRING_MAX 4
#ifdef CONFIG_INTEGRITY_SIGNATURE
int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
const char *digest, int digestlen);
+#ifdef CONFIG_IMA_USE_PLATFORM_KEYRING
+int __init integrity_load_keyring(const unsigned int id);
+#else
+static inline int __init integrity_load_keyring(const unsigned int id)
+{
+ return 0;
+}
+#endif
+
int __init integrity_init_keyring(const unsigned int id);
int __init integrity_load_x509(const unsigned int id, const char *path);
#else
@@ -154,6 +164,11 @@ static inline int integrity_digsig_verify(const unsigned int id,
return -EOPNOTSUPP;
}
+static inline int __init integrity_load_keyring(const unsigned int id)
+{
+ return 0;
+}
+
static inline int integrity_init_keyring(const unsigned int id)
{
return 0;
--
2.13.6
WARNING: multiple messages have this Message-ID (diff)
From: Nayna Jain <nayna@linux.vnet.ibm.com>
To: dhowells@redhat.com
Cc: keyrings@vger.kernel.org, linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org, linux-integrity@vger.kernel.org,
Nayna Jain <nayna@linux.vnet.ibm.com>
Subject: [PATCH 3/3] ima: support platform keyring for kernel appraisal
Date: Wed, 28 Feb 2018 23:25:21 +0530 [thread overview]
Message-ID: <20180228175521.10287-3-nayna@linux.vnet.ibm.com> (raw)
In-Reply-To: <20180228175521.10287-1-nayna@linux.vnet.ibm.com>
Distros may sign the kernel images and, possibly, the initramfs with
platform trusted keys. On secure boot enabled systems or embedded
devices, these signatures are to be validated using keys on the platform
keyring.
This patch enables IMA-appraisal to access the platform keyring, based
on a new Kconfig option "IMA_USE_PLATFORM_KEYRING".
Signed-off-by: Nayna Jain <nayna@linux.vnet.ibm.com>
---
security/integrity/digsig.c | 15 +++++++++++++++
security/integrity/ima/Kconfig | 10 ++++++++++
security/integrity/ima/ima_appraise.c | 22 +++++++++++++++++-----
security/integrity/ima/ima_init.c | 4 ++++
security/integrity/integrity.h | 17 ++++++++++++++++-
5 files changed, 62 insertions(+), 6 deletions(-)
diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
index 6f9e4ce568cd..87f2ae5ba48c 100644
--- a/security/integrity/digsig.c
+++ b/security/integrity/digsig.c
@@ -34,6 +34,8 @@ static const char *keyring_name[INTEGRITY_KEYRING_MAX] = {
".ima",
#endif
"_module",
+ ".platform_keys",
+
};
#ifdef CONFIG_INTEGRITY_TRUSTED_KEYRING
@@ -78,6 +80,19 @@ int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
return -EOPNOTSUPP;
}
+#ifdef CONFIG_IMA_USE_PLATFORM_KEYRING
+int __init integrity_load_keyring(const unsigned int id)
+{
+
+ keyring[id] = find_keyring_by_name(keyring_name[id], 0);
+ if (IS_ERR(keyring[id]))
+ if (PTR_ERR(keyring[id]) != -ENOKEY)
+ return PTR_ERR(keyring[id]);
+ return 0;
+
+}
+#endif
+
int __init integrity_init_keyring(const unsigned int id)
{
const struct cred *cred = current_cred();
diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
index 35ef69312811..2e89d4f8a364 100644
--- a/security/integrity/ima/Kconfig
+++ b/security/integrity/ima/Kconfig
@@ -227,3 +227,13 @@ config IMA_APPRAISE_SIGNED_INIT
default n
help
This option requires user-space init to be signed.
+
+config IMA_USE_PLATFORM_KEYRING
+ bool "IMA uses keys from Platform Keyring for verification"
+ depends on PLATFORM_KEYRING
+ depends on IMA_APPRAISE
+ depends on INTEGRITY_ASYMMETRIC_KEYS
+ default n
+ help
+ This option enables IMA appraisal to look for the platform
+ trusted keys in .platform_keys keyring.
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index f2803a40ff82..5fec29f40595 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -276,13 +276,25 @@ int ima_appraise_measurement(enum ima_hooks func,
(const char *)xattr_value, rc,
iint->ima_hash->digest,
iint->ima_hash->length);
- if (rc == -EOPNOTSUPP) {
- status = INTEGRITY_UNKNOWN;
- } else if (rc) {
+ if (rc) {
+ if (rc == -EOPNOTSUPP) {
+ status = INTEGRITY_UNKNOWN;
+ break;
+ }
+ if (func == KEXEC_KERNEL_CHECK) {
+ rc = integrity_digsig_verify(
+ INTEGRITY_KEYRING_PLATFORM,
+ (const char *)xattr_value,
+ xattr_len,
+ iint->ima_hash->digest,
+ iint->ima_hash->length);
+ if (!rc) {
+ status = INTEGRITY_PASS;
+ break;
+ }
+ }
cause = "invalid-signature";
status = INTEGRITY_FAIL;
- } else {
- status = INTEGRITY_PASS;
}
break;
default:
diff --git a/security/integrity/ima/ima_init.c b/security/integrity/ima/ima_init.c
index 29b72cd2502e..fda38b6c3ab3 100644
--- a/security/integrity/ima/ima_init.c
+++ b/security/integrity/ima/ima_init.c
@@ -122,6 +122,10 @@ int __init ima_init(void)
if (rc)
return rc;
+ rc = integrity_load_keyring(INTEGRITY_KEYRING_PLATFORM);
+ if (rc)
+ pr_info("Platform keyring is not found. (rc=%d)\n", rc);
+
rc = ima_init_crypto();
if (rc)
return rc;
diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
index 50a8e3365df7..d0aeb6a39036 100644
--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -136,13 +136,23 @@ int integrity_kernel_read(struct file *file, loff_t offset,
#define INTEGRITY_KEYRING_EVM 0
#define INTEGRITY_KEYRING_IMA 1
#define INTEGRITY_KEYRING_MODULE 2
-#define INTEGRITY_KEYRING_MAX 3
+#define INTEGRITY_KEYRING_PLATFORM 3
+#define INTEGRITY_KEYRING_MAX 4
#ifdef CONFIG_INTEGRITY_SIGNATURE
int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
const char *digest, int digestlen);
+#ifdef CONFIG_IMA_USE_PLATFORM_KEYRING
+int __init integrity_load_keyring(const unsigned int id);
+#else
+static inline int __init integrity_load_keyring(const unsigned int id)
+{
+ return 0;
+}
+#endif
+
int __init integrity_init_keyring(const unsigned int id);
int __init integrity_load_x509(const unsigned int id, const char *path);
#else
@@ -154,6 +164,11 @@ static inline int integrity_digsig_verify(const unsigned int id,
return -EOPNOTSUPP;
}
+static inline int __init integrity_load_keyring(const unsigned int id)
+{
+ return 0;
+}
+
static inline int integrity_init_keyring(const unsigned int id)
{
return 0;
--
2.13.6
WARNING: multiple messages have this Message-ID (diff)
From: nayna@linux.vnet.ibm.com (Nayna Jain)
To: linux-security-module@vger.kernel.org
Subject: [PATCH 3/3] ima: support platform keyring for kernel appraisal
Date: Wed, 28 Feb 2018 23:25:21 +0530 [thread overview]
Message-ID: <20180228175521.10287-3-nayna@linux.vnet.ibm.com> (raw)
In-Reply-To: <20180228175521.10287-1-nayna@linux.vnet.ibm.com>
Distros may sign the kernel images and, possibly, the initramfs with
platform trusted keys. On secure boot enabled systems or embedded
devices, these signatures are to be validated using keys on the platform
keyring.
This patch enables IMA-appraisal to access the platform keyring, based
on a new Kconfig option "IMA_USE_PLATFORM_KEYRING".
Signed-off-by: Nayna Jain <nayna@linux.vnet.ibm.com>
---
security/integrity/digsig.c | 15 +++++++++++++++
security/integrity/ima/Kconfig | 10 ++++++++++
security/integrity/ima/ima_appraise.c | 22 +++++++++++++++++-----
security/integrity/ima/ima_init.c | 4 ++++
security/integrity/integrity.h | 17 ++++++++++++++++-
5 files changed, 62 insertions(+), 6 deletions(-)
diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
index 6f9e4ce568cd..87f2ae5ba48c 100644
--- a/security/integrity/digsig.c
+++ b/security/integrity/digsig.c
@@ -34,6 +34,8 @@ static const char *keyring_name[INTEGRITY_KEYRING_MAX] = {
".ima",
#endif
"_module",
+ ".platform_keys",
+
};
#ifdef CONFIG_INTEGRITY_TRUSTED_KEYRING
@@ -78,6 +80,19 @@ int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
return -EOPNOTSUPP;
}
+#ifdef CONFIG_IMA_USE_PLATFORM_KEYRING
+int __init integrity_load_keyring(const unsigned int id)
+{
+
+ keyring[id] = find_keyring_by_name(keyring_name[id], 0);
+ if (IS_ERR(keyring[id]))
+ if (PTR_ERR(keyring[id]) != -ENOKEY)
+ return PTR_ERR(keyring[id]);
+ return 0;
+
+}
+#endif
+
int __init integrity_init_keyring(const unsigned int id)
{
const struct cred *cred = current_cred();
diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
index 35ef69312811..2e89d4f8a364 100644
--- a/security/integrity/ima/Kconfig
+++ b/security/integrity/ima/Kconfig
@@ -227,3 +227,13 @@ config IMA_APPRAISE_SIGNED_INIT
default n
help
This option requires user-space init to be signed.
+
+config IMA_USE_PLATFORM_KEYRING
+ bool "IMA uses keys from Platform Keyring for verification"
+ depends on PLATFORM_KEYRING
+ depends on IMA_APPRAISE
+ depends on INTEGRITY_ASYMMETRIC_KEYS
+ default n
+ help
+ This option enables IMA appraisal to look for the platform
+ trusted keys in .platform_keys keyring.
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index f2803a40ff82..5fec29f40595 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -276,13 +276,25 @@ int ima_appraise_measurement(enum ima_hooks func,
(const char *)xattr_value, rc,
iint->ima_hash->digest,
iint->ima_hash->length);
- if (rc == -EOPNOTSUPP) {
- status = INTEGRITY_UNKNOWN;
- } else if (rc) {
+ if (rc) {
+ if (rc == -EOPNOTSUPP) {
+ status = INTEGRITY_UNKNOWN;
+ break;
+ }
+ if (func == KEXEC_KERNEL_CHECK) {
+ rc = integrity_digsig_verify(
+ INTEGRITY_KEYRING_PLATFORM,
+ (const char *)xattr_value,
+ xattr_len,
+ iint->ima_hash->digest,
+ iint->ima_hash->length);
+ if (!rc) {
+ status = INTEGRITY_PASS;
+ break;
+ }
+ }
cause = "invalid-signature";
status = INTEGRITY_FAIL;
- } else {
- status = INTEGRITY_PASS;
}
break;
default:
diff --git a/security/integrity/ima/ima_init.c b/security/integrity/ima/ima_init.c
index 29b72cd2502e..fda38b6c3ab3 100644
--- a/security/integrity/ima/ima_init.c
+++ b/security/integrity/ima/ima_init.c
@@ -122,6 +122,10 @@ int __init ima_init(void)
if (rc)
return rc;
+ rc = integrity_load_keyring(INTEGRITY_KEYRING_PLATFORM);
+ if (rc)
+ pr_info("Platform keyring is not found. (rc=%d)\n", rc);
+
rc = ima_init_crypto();
if (rc)
return rc;
diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
index 50a8e3365df7..d0aeb6a39036 100644
--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -136,13 +136,23 @@ int integrity_kernel_read(struct file *file, loff_t offset,
#define INTEGRITY_KEYRING_EVM 0
#define INTEGRITY_KEYRING_IMA 1
#define INTEGRITY_KEYRING_MODULE 2
-#define INTEGRITY_KEYRING_MAX 3
+#define INTEGRITY_KEYRING_PLATFORM 3
+#define INTEGRITY_KEYRING_MAX 4
#ifdef CONFIG_INTEGRITY_SIGNATURE
int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
const char *digest, int digestlen);
+#ifdef CONFIG_IMA_USE_PLATFORM_KEYRING
+int __init integrity_load_keyring(const unsigned int id);
+#else
+static inline int __init integrity_load_keyring(const unsigned int id)
+{
+ return 0;
+}
+#endif
+
int __init integrity_init_keyring(const unsigned int id);
int __init integrity_load_x509(const unsigned int id, const char *path);
#else
@@ -154,6 +164,11 @@ static inline int integrity_digsig_verify(const unsigned int id,
return -EOPNOTSUPP;
}
+static inline int __init integrity_load_keyring(const unsigned int id)
+{
+ return 0;
+}
+
static inline int integrity_init_keyring(const unsigned int id)
{
return 0;
--
2.13.6
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2018-02-28 17:57 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-02-28 17:55 [PATCH 1/3] certs: define a trusted platform keyring Nayna Jain
2018-02-28 17:58 ` Nayna Jain
2018-02-28 17:55 ` Nayna Jain
2018-02-28 17:55 ` [PATCH 2/3] keys: export find_keyring_by_name() Nayna Jain
2018-02-28 17:57 ` Nayna Jain
2018-02-28 17:55 ` Nayna Jain
2018-02-28 17:55 ` Nayna Jain [this message]
2018-02-28 17:57 ` [PATCH 3/3] ima: support platform keyring for kernel appraisal Nayna Jain
2018-02-28 17:55 ` Nayna Jain
2018-03-07 16:03 ` [PATCH 1/3] certs: define a trusted platform keyring David Howells
2018-03-07 16:03 ` David Howells
2018-03-07 17:47 ` Nayna Jain
2018-03-07 17:59 ` Nayna Jain
2018-03-07 17:47 ` Nayna Jain
2018-03-07 17:47 ` Nayna Jain
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180228175521.10287-3-nayna@linux.vnet.ibm.com \
--to=nayna@linux.vnet.ibm.com \
--cc=dhowells@redhat.com \
--cc=keyrings@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.