From: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
To: zohar@linux.ibm.com, dhowells@redhat.com,
matthewgarrett@google.com, sashal@kernel.org,
jamorris@linux.microsoft.com, linux-integrity@vger.kernel.org,
linux-security-module@vger.kernel.org, keyrings@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: [PATCH v5 06/10] IMA: Defined an IMA hook to measure keys on key create or update
Date: Mon, 11 Nov 2019 19:32:59 +0000 [thread overview]
Message-ID: <20191111193303.12781-7-nramas@linux.microsoft.com> (raw)
In-Reply-To: <20191111193303.12781-1-nramas@linux.microsoft.com>
Asymmetric keys used for verifying file signatures or certificates
are currently not included in the IMA measurement list.
This patch defines a new IMA hook namely ima_post_key_create_or_update()
to measure asymmetric keys.
The IMA hook is defined in a new file namely ima_asymmetric_keys.c
Note that currently IMA subsystem can be enabled without
enabling KEYS subsystem.
Adding support for measuring asymmetric keys in IMA requires KEYS
subsystem to be enabled. To handle this dependency a new config
namely CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS has been added. Enabling
this config requires the following configs to be enabled:
CONFIG_IMA, CONFIG_KEYS, CONFIG_ASYMMETRIC_KEY_TYPE, and
CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE.
The new file ima_asymmetric_keys.c is built only if
CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS is enabled.
This config is turned off by default.
Signed-off-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
---
security/integrity/ima/Kconfig | 14 +++++++
security/integrity/ima/Makefile | 1 +
security/integrity/ima/ima_asymmetric_keys.c | 44 ++++++++++++++++++++
3 files changed, 59 insertions(+)
create mode 100644 security/integrity/ima/ima_asymmetric_keys.c
diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
index 838476d780e5..c6d14884bc19 100644
--- a/security/integrity/ima/Kconfig
+++ b/security/integrity/ima/Kconfig
@@ -310,3 +310,17 @@ config IMA_APPRAISE_SIGNED_INIT
default n
help
This option requires user-space init to be signed.
+
+config IMA_MEASURE_ASYMMETRIC_KEYS
+ bool "Enable measuring asymmetric keys on key create or update"
+ depends on IMA
+ depends on KEYS
+ depends on ASYMMETRIC_KEY_TYPE
+ depends on ASYMMETRIC_PUBLIC_KEY_SUBTYPE
+ default n
+ help
+ This option enables measuring asymmetric keys when
+ the key is created or updated. Additionally, IMA policy
+ needs to be configured to either measure keys linked to
+ any keyring or only measure keys linked to the keyrings
+ specified in the IMA policy through the keyrings= option.
diff --git a/security/integrity/ima/Makefile b/security/integrity/ima/Makefile
index 31d57cdf2421..3e9d0ad68c7b 100644
--- a/security/integrity/ima/Makefile
+++ b/security/integrity/ima/Makefile
@@ -12,3 +12,4 @@ ima-$(CONFIG_IMA_APPRAISE) += ima_appraise.o
ima-$(CONFIG_IMA_APPRAISE_MODSIG) += ima_modsig.o
ima-$(CONFIG_HAVE_IMA_KEXEC) += ima_kexec.o
obj-$(CONFIG_IMA_BLACKLIST_KEYRING) += ima_mok.o
+obj-$(CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS) += ima_asymmetric_keys.o
diff --git a/security/integrity/ima/ima_asymmetric_keys.c b/security/integrity/ima/ima_asymmetric_keys.c
new file mode 100644
index 000000000000..7d6603bfcc06
--- /dev/null
+++ b/security/integrity/ima/ima_asymmetric_keys.c
@@ -0,0 +1,44 @@
+// SPDX-License-Identifier: GPL-2.0+
+/*
+ * Copyright (C) 2019 Microsoft Corporation
+ *
+ * Author: Lakshmi Ramasubramanian (nramas@linux.microsoft.com)
+ *
+ * File: ima_asymmetric_keys.c
+ * Defines an IMA hook to measure asymmetric keys on key
+ * create or update.
+ */
+
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+
+#include <crypto/public_key.h>
+#include <keys/asymmetric-type.h>
+#include "ima.h"
+
+/**
+ * ima_post_key_create_or_update - measure asymmetric keys
+ * @keyring: keyring to which the key is linked to
+ * @key: created or updated key
+ * @flags: key flags
+ * @create: flag indicating whether the key was created or updated
+ *
+ * Keys can only be measured, not appraised.
+ */
+void ima_post_key_create_or_update(struct key *keyring, struct key *key,
+ unsigned long flags, bool create)
+{
+ const struct public_key *pk;
+
+ /* Only asymmetric keys are handled */
+ if (key->type != &key_type_asymmetric)
+ return;
+
+ /*
+ * Get the public_key of the given asymmetric key to measure.
+ */
+ pk = key->payload.data[asym_crypto];
+ process_buffer_measurement(pk->key, pk->keylen,
+ keyring->description,
+ KEYRING_CHECK, 0,
+ keyring->description);
+}
--
2.17.1
WARNING: multiple messages have this Message-ID (diff)
From: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
To: zohar@linux.ibm.com, dhowells@redhat.com,
matthewgarrett@google.com, sashal@kernel.org,
jamorris@linux.microsoft.com, linux-integrity@vger.kernel.org,
linux-security-module@vger.kernel.org, keyrings@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: [PATCH v5 06/10] IMA: Defined an IMA hook to measure keys on key create or update
Date: Mon, 11 Nov 2019 11:32:59 -0800 [thread overview]
Message-ID: <20191111193303.12781-7-nramas@linux.microsoft.com> (raw)
In-Reply-To: <20191111193303.12781-1-nramas@linux.microsoft.com>
Asymmetric keys used for verifying file signatures or certificates
are currently not included in the IMA measurement list.
This patch defines a new IMA hook namely ima_post_key_create_or_update()
to measure asymmetric keys.
The IMA hook is defined in a new file namely ima_asymmetric_keys.c
Note that currently IMA subsystem can be enabled without
enabling KEYS subsystem.
Adding support for measuring asymmetric keys in IMA requires KEYS
subsystem to be enabled. To handle this dependency a new config
namely CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS has been added. Enabling
this config requires the following configs to be enabled:
CONFIG_IMA, CONFIG_KEYS, CONFIG_ASYMMETRIC_KEY_TYPE, and
CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE.
The new file ima_asymmetric_keys.c is built only if
CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS is enabled.
This config is turned off by default.
Signed-off-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
---
security/integrity/ima/Kconfig | 14 +++++++
security/integrity/ima/Makefile | 1 +
security/integrity/ima/ima_asymmetric_keys.c | 44 ++++++++++++++++++++
3 files changed, 59 insertions(+)
create mode 100644 security/integrity/ima/ima_asymmetric_keys.c
diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
index 838476d780e5..c6d14884bc19 100644
--- a/security/integrity/ima/Kconfig
+++ b/security/integrity/ima/Kconfig
@@ -310,3 +310,17 @@ config IMA_APPRAISE_SIGNED_INIT
default n
help
This option requires user-space init to be signed.
+
+config IMA_MEASURE_ASYMMETRIC_KEYS
+ bool "Enable measuring asymmetric keys on key create or update"
+ depends on IMA
+ depends on KEYS
+ depends on ASYMMETRIC_KEY_TYPE
+ depends on ASYMMETRIC_PUBLIC_KEY_SUBTYPE
+ default n
+ help
+ This option enables measuring asymmetric keys when
+ the key is created or updated. Additionally, IMA policy
+ needs to be configured to either measure keys linked to
+ any keyring or only measure keys linked to the keyrings
+ specified in the IMA policy through the keyrings= option.
diff --git a/security/integrity/ima/Makefile b/security/integrity/ima/Makefile
index 31d57cdf2421..3e9d0ad68c7b 100644
--- a/security/integrity/ima/Makefile
+++ b/security/integrity/ima/Makefile
@@ -12,3 +12,4 @@ ima-$(CONFIG_IMA_APPRAISE) += ima_appraise.o
ima-$(CONFIG_IMA_APPRAISE_MODSIG) += ima_modsig.o
ima-$(CONFIG_HAVE_IMA_KEXEC) += ima_kexec.o
obj-$(CONFIG_IMA_BLACKLIST_KEYRING) += ima_mok.o
+obj-$(CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS) += ima_asymmetric_keys.o
diff --git a/security/integrity/ima/ima_asymmetric_keys.c b/security/integrity/ima/ima_asymmetric_keys.c
new file mode 100644
index 000000000000..7d6603bfcc06
--- /dev/null
+++ b/security/integrity/ima/ima_asymmetric_keys.c
@@ -0,0 +1,44 @@
+// SPDX-License-Identifier: GPL-2.0+
+/*
+ * Copyright (C) 2019 Microsoft Corporation
+ *
+ * Author: Lakshmi Ramasubramanian (nramas@linux.microsoft.com)
+ *
+ * File: ima_asymmetric_keys.c
+ * Defines an IMA hook to measure asymmetric keys on key
+ * create or update.
+ */
+
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+
+#include <crypto/public_key.h>
+#include <keys/asymmetric-type.h>
+#include "ima.h"
+
+/**
+ * ima_post_key_create_or_update - measure asymmetric keys
+ * @keyring: keyring to which the key is linked to
+ * @key: created or updated key
+ * @flags: key flags
+ * @create: flag indicating whether the key was created or updated
+ *
+ * Keys can only be measured, not appraised.
+ */
+void ima_post_key_create_or_update(struct key *keyring, struct key *key,
+ unsigned long flags, bool create)
+{
+ const struct public_key *pk;
+
+ /* Only asymmetric keys are handled */
+ if (key->type != &key_type_asymmetric)
+ return;
+
+ /*
+ * Get the public_key of the given asymmetric key to measure.
+ */
+ pk = key->payload.data[asym_crypto];
+ process_buffer_measurement(pk->key, pk->keylen,
+ keyring->description,
+ KEYRING_CHECK, 0,
+ keyring->description);
+}
--
2.17.1
next prev parent reply other threads:[~2019-11-11 19:32 UTC|newest]
Thread overview: 44+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-11-11 19:32 [PATCH v5 0/10] KEYS: Measure keys when they are created or updated Lakshmi Ramasubramanian
2019-11-11 19:32 ` Lakshmi Ramasubramanian
2019-11-11 19:32 ` [PATCH v5 01/10] IMA: Added KEYRING_CHECK func in IMA policy to measure keys Lakshmi Ramasubramanian
2019-11-11 19:32 ` Lakshmi Ramasubramanian
2019-11-12 17:04 ` Mimi Zohar
2019-11-12 17:04 ` Mimi Zohar
2019-11-12 17:37 ` Lakshmi Ramasubramanian
2019-11-12 17:37 ` Lakshmi Ramasubramanian
2019-11-11 19:32 ` [PATCH v5 02/10] IMA: Added keyrings= option in IMA policy to only measure keys added to the specifi Lakshmi Ramasubramanian
2019-11-11 19:32 ` [PATCH v5 02/10] IMA: Added keyrings= option in IMA policy to only measure keys added to the specified keyrings Lakshmi Ramasubramanian
2019-11-12 17:05 ` [PATCH v5 02/10] IMA: Added keyrings= option in IMA policy to only measure keys added to the spe Mimi Zohar
2019-11-12 17:05 ` [PATCH v5 02/10] IMA: Added keyrings= option in IMA policy to only measure keys added to the specified keyrings Mimi Zohar
2019-11-12 17:43 ` [PATCH v5 02/10] IMA: Added keyrings= option in IMA policy to only measure keys added to the spe Lakshmi Ramasubramanian
2019-11-12 17:43 ` [PATCH v5 02/10] IMA: Added keyrings= option in IMA policy to only measure keys added to the specified keyrings Lakshmi Ramasubramanian
2019-11-12 17:58 ` [PATCH v5 02/10] IMA: Added keyrings= option in IMA policy to only measure keys added to the spe Mimi Zohar
2019-11-12 17:58 ` [PATCH v5 02/10] IMA: Added keyrings= option in IMA policy to only measure keys added to the specified keyrings Mimi Zohar
2019-11-11 19:32 ` [PATCH v5 03/10] IMA: Read keyrings= option from the IMA policy into ima_rule_entry Lakshmi Ramasubramanian
2019-11-11 19:32 ` Lakshmi Ramasubramanian
2019-11-11 19:32 ` [PATCH v5 04/10] IMA: Updated IMA policy functions to return keyrings option read from the policy Lakshmi Ramasubramanian
2019-11-11 19:32 ` Lakshmi Ramasubramanian
2019-11-12 17:05 ` [PATCH v5 04/10] IMA: Updated IMA policy functions to return keyrings option read from the polic Mimi Zohar
2019-11-12 17:05 ` [PATCH v5 04/10] IMA: Updated IMA policy functions to return keyrings option read from the policy Mimi Zohar
2019-11-12 17:47 ` [PATCH v5 04/10] IMA: Updated IMA policy functions to return keyrings option read from the polic Lakshmi Ramasubramanian
2019-11-12 17:47 ` [PATCH v5 04/10] IMA: Updated IMA policy functions to return keyrings option read from the policy Lakshmi Ramasubramanian
2019-11-12 18:06 ` [PATCH v5 04/10] IMA: Updated IMA policy functions to return keyrings option read from the polic Mimi Zohar
2019-11-12 18:06 ` [PATCH v5 04/10] IMA: Updated IMA policy functions to return keyrings option read from the policy Mimi Zohar
2019-11-11 19:32 ` [PATCH v5 05/10] IMA: Measure key if the IMA policy allows measurement for the keyring to which the Lakshmi Ramasubramanian
2019-11-11 19:32 ` [PATCH v5 05/10] IMA: Measure key if the IMA policy allows measurement for the keyring to which the key is linked to Lakshmi Ramasubramanian
2019-11-11 19:32 ` Lakshmi Ramasubramanian [this message]
2019-11-11 19:32 ` [PATCH v5 06/10] IMA: Defined an IMA hook to measure keys on key create or update Lakshmi Ramasubramanian
2019-11-11 19:33 ` [PATCH v5 07/10] KEYS: Call the IMA hook to measure key when a new key is created or an existing key Lakshmi Ramasubramanian
2019-11-11 19:33 ` [PATCH v5 07/10] KEYS: Call the IMA hook to measure key when a new key is created or an existing key is updated Lakshmi Ramasubramanian
2019-11-11 19:33 ` [PATCH v5 08/10] IMA: Added a flag to determine whether IMA hook can process the key now or has to q Lakshmi Ramasubramanian
2019-11-11 19:33 ` [PATCH v5 08/10] IMA: Added a flag to determine whether IMA hook can process the key now or has to queue for processing later Lakshmi Ramasubramanian
2019-11-11 19:33 ` [PATCH v5 09/10] IMA: Defined functions to queue and dequeue keys for measurement Lakshmi Ramasubramanian
2019-11-11 19:33 ` Lakshmi Ramasubramanian
2019-11-11 19:33 ` [PATCH v5 10/10] IMA: Call queue and dequeue functions to measure keys Lakshmi Ramasubramanian
2019-11-11 19:33 ` Lakshmi Ramasubramanian
2019-11-11 19:41 ` [PATCH v5 0/10] KEYS: Measure keys when they are created or updated Lakshmi Ramasubramanian
2019-11-11 19:41 ` Lakshmi Ramasubramanian
2019-11-12 17:08 ` Mimi Zohar
2019-11-12 17:08 ` Mimi Zohar
2019-11-12 17:52 ` Lakshmi Ramasubramanian
2019-11-12 17:52 ` Lakshmi Ramasubramanian
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191111193303.12781-7-nramas@linux.microsoft.com \
--to=nramas@linux.microsoft.com \
--cc=dhowells@redhat.com \
--cc=jamorris@linux.microsoft.com \
--cc=keyrings@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=matthewgarrett@google.com \
--cc=sashal@kernel.org \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.