2023-07-26 21:35:37

by Eric Snowberg

[permalink] [raw]
Subject: [PATCH v4] integrity: Always reference the blacklist keyring with appraisal

Commit 273df864cf746 ("ima: Check against blacklisted hashes for files with
modsig") introduced an appraise_flag option for referencing the blacklist
keyring. Any matching binary found on this keyring fails signature
validation. This flag only works with module appended signatures.

An important part of a PKI infrastructure is to have the ability to do
revocation at a later time should a vulnerability be found. Expand the
revocation flag usage to all appraisal functions. The flag is now
enabled by default. Setting the flag with an IMA policy has been
deprecated. Without a revocation capability like this in place, only
authenticity can be maintained. With this change, integrity can now be
achieved with digital signature based IMA appraisal.

Signed-off-by: Eric Snowberg <[email protected]>
---
v4 changes:
Fixed typo
Also did some performance testing with this patch. With the associative array
implementation used within the keyring code, there doesn't seem to be much of a
difference between doing an appraisal with an empty blacklist keyring and one
containing 1500 entries. At this time it is unknown how many entries a user
would place in this keyring, but this seemed like a bigger number than most use
cases. With the 1500 entries, there were only 7 lookups to get through the
entire list for a file not contained within it. For something that was
on the list, there was an average of 4 lookups and a single string compare.
Based on this testing, IMHO, there could be a lot more entries added to the
blacklist keyring without any real performance issues.

v3 changes:
No longer display appraise_flag=check_blacklist in the policy

v2 changes:
Update the "case Opt_apprase_flag"
Removed "appraise_flag=" in the powerpc arch specific policy rules
---
Documentation/ABI/testing/ima_policy | 6 +++---
arch/powerpc/kernel/ima_arch.c | 8 ++++----
security/integrity/ima/ima_appraise.c | 12 +++++++-----
security/integrity/ima/ima_policy.c | 17 +++++------------
4 files changed, 19 insertions(+), 24 deletions(-)

diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy
index 49db0ff288e5..c2385183826c 100644
--- a/Documentation/ABI/testing/ima_policy
+++ b/Documentation/ABI/testing/ima_policy
@@ -57,9 +57,9 @@ Description:
stored in security.ima xattr. Requires
specifying "digest_type=verity" first.)

- appraise_flag:= [check_blacklist]
- Currently, blacklist check is only for files signed with appended
- signature.
+ appraise_flag:= [check_blacklist] (deprecated)
+ Setting the check_blacklist flag is no longer necessary.
+ All appraisal functions set it by default.
digest_type:= verity
Require fs-verity's file digest instead of the
regular IMA file hash.
diff --git a/arch/powerpc/kernel/ima_arch.c b/arch/powerpc/kernel/ima_arch.c
index 957abd592075..b7029beed847 100644
--- a/arch/powerpc/kernel/ima_arch.c
+++ b/arch/powerpc/kernel/ima_arch.c
@@ -23,9 +23,9 @@ bool arch_ima_get_secureboot(void)
* is not enabled.
*/
static const char *const secure_rules[] = {
- "appraise func=KEXEC_KERNEL_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
+ "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig",
#ifndef CONFIG_MODULE_SIG
- "appraise func=MODULE_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
+ "appraise func=MODULE_CHECK appraise_type=imasig|modsig",
#endif
NULL
};
@@ -49,9 +49,9 @@ static const char *const trusted_rules[] = {
static const char *const secure_and_trusted_rules[] = {
"measure func=KEXEC_KERNEL_CHECK template=ima-modsig",
"measure func=MODULE_CHECK template=ima-modsig",
- "appraise func=KEXEC_KERNEL_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
+ "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig",
#ifndef CONFIG_MODULE_SIG
- "appraise func=MODULE_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
+ "appraise func=MODULE_CHECK appraise_type=imasig|modsig",
#endif
NULL
};
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index 491c1aca0b1c..870dde67707b 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -458,11 +458,13 @@ int ima_check_blacklist(struct integrity_iint_cache *iint,
ima_get_modsig_digest(modsig, &hash_algo, &digest, &digestsize);

rc = is_binary_blacklisted(digest, digestsize);
- if ((rc == -EPERM) && (iint->flags & IMA_MEASURE))
- process_buffer_measurement(&nop_mnt_idmap, NULL, digest, digestsize,
- "blacklisted-hash", NONE,
- pcr, NULL, false, NULL, 0);
- }
+ } else if (iint->flags & IMA_DIGSIG_REQUIRED && iint->ima_hash)
+ rc = is_binary_blacklisted(iint->ima_hash->digest, iint->ima_hash->length);
+
+ if ((rc == -EPERM) && (iint->flags & IMA_MEASURE))
+ process_buffer_measurement(&nop_mnt_idmap, NULL, digest, digestsize,
+ "blacklisted-hash", NONE,
+ pcr, NULL, false, NULL, 0);

return rc;
}
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index c9b3bd8f1bb9..69452b79686b 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -1280,7 +1280,7 @@ static bool ima_validate_rule(struct ima_rule_entry *entry)
IMA_FSNAME | IMA_GID | IMA_EGID |
IMA_FGROUP | IMA_DIGSIG_REQUIRED |
IMA_PERMIT_DIRECTIO | IMA_VALIDATE_ALGOS |
- IMA_VERITY_REQUIRED))
+ IMA_CHECK_BLACKLIST | IMA_VERITY_REQUIRED))
return false;

break;
@@ -1355,7 +1355,7 @@ static bool ima_validate_rule(struct ima_rule_entry *entry)

/* Ensure that combinations of flags are compatible with each other */
if (entry->flags & IMA_CHECK_BLACKLIST &&
- !(entry->flags & IMA_MODSIG_ALLOWED))
+ !(entry->flags & IMA_DIGSIG_REQUIRED))
return false;

/*
@@ -1803,11 +1803,11 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
if (entry->flags & IMA_VERITY_REQUIRED)
result = -EINVAL;
else
- entry->flags |= IMA_DIGSIG_REQUIRED;
+ entry->flags |= IMA_DIGSIG_REQUIRED | IMA_CHECK_BLACKLIST;
} else if (strcmp(args[0].from, "sigv3") == 0) {
/* Only fsverity supports sigv3 for now */
if (entry->flags & IMA_VERITY_REQUIRED)
- entry->flags |= IMA_DIGSIG_REQUIRED;
+ entry->flags |= IMA_DIGSIG_REQUIRED | IMA_CHECK_BLACKLIST;
else
result = -EINVAL;
} else if (IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG) &&
@@ -1816,18 +1816,13 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
result = -EINVAL;
else
entry->flags |= IMA_DIGSIG_REQUIRED |
- IMA_MODSIG_ALLOWED;
+ IMA_MODSIG_ALLOWED | IMA_CHECK_BLACKLIST;
} else {
result = -EINVAL;
}
break;
case Opt_appraise_flag:
ima_log_string(ab, "appraise_flag", args[0].from);
- if (IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG) &&
- strstr(args[0].from, "blacklist"))
- entry->flags |= IMA_CHECK_BLACKLIST;
- else
- result = -EINVAL;
break;
case Opt_appraise_algos:
ima_log_string(ab, "appraise_algos", args[0].from);
@@ -2271,8 +2266,6 @@ int ima_policy_show(struct seq_file *m, void *v)
}
if (entry->flags & IMA_VERITY_REQUIRED)
seq_puts(m, "digest_type=verity ");
- if (entry->flags & IMA_CHECK_BLACKLIST)
- seq_puts(m, "appraise_flag=check_blacklist ");
if (entry->flags & IMA_PERMIT_DIRECTIO)
seq_puts(m, "permit_directio ");
rcu_read_unlock();
--
2.39.3



2023-07-27 18:00:43

by Mimi Zohar

[permalink] [raw]
Subject: Re: [PATCH v4] integrity: Always reference the blacklist keyring with appraisal

On Wed, 2023-07-26 at 17:17 -0400, Eric Snowberg wrote:
> Commit 273df864cf746 ("ima: Check against blacklisted hashes for files with
> modsig") introduced an appraise_flag option for referencing the blacklist
> keyring. Any matching binary found on this keyring fails signature
> validation. This flag only works with module appended signatures.
>
> An important part of a PKI infrastructure is to have the ability to do
> revocation at a later time should a vulnerability be found. Expand the
> revocation flag usage to all appraisal functions. The flag is now
> enabled by default. Setting the flag with an IMA policy has been
> deprecated. Without a revocation capability like this in place, only
> authenticity can be maintained. With this change, integrity can now be
> achieved with digital signature based IMA appraisal.
>
> Signed-off-by: Eric Snowberg <[email protected]>
> ---
> v4 changes:
> Fixed typo
> Also did some performance testing with this patch. With the associative array
> implementation used within the keyring code, there doesn't seem to be much of a
> difference between doing an appraisal with an empty blacklist keyring and one
> containing 1500 entries. At this time it is unknown how many entries a user
> would place in this keyring, but this seemed like a bigger number than most use
> cases. With the 1500 entries, there were only 7 lookups to get through the
> entire list for a file not contained within it. For something that was
> on the list, there was an average of 4 lookups and a single string compare.
> Based on this testing, IMHO, there could be a lot more entries added to the
> blacklist keyring without any real performance issues.

Thank you for the blacklist performance testing. The patch is now
queued in next-integrity-testing.

--
thanks,

Mimib


2023-07-31 18:09:50

by Nayna Jain

[permalink] [raw]
Subject: Re: [PATCH v4] integrity: Always reference the blacklist keyring with appraisal


On 7/26/23 17:17, Eric Snowberg wrote:
> Commit 273df864cf746 ("ima: Check against blacklisted hashes for files with
> modsig") introduced an appraise_flag option for referencing the blacklist
> keyring. Any matching binary found on this keyring fails signature
> validation. This flag only works with module appended signatures.
>
> An important part of a PKI infrastructure is to have the ability to do
> revocation at a later time should a vulnerability be found. Expand the
> revocation flag usage to all appraisal functions. The flag is now
> enabled by default. Setting the flag with an IMA policy has been
> deprecated. Without a revocation capability like this in place, only
> authenticity can be maintained. With this change, integrity can now be
> achieved with digital signature based IMA appraisal.
>
> Signed-off-by: Eric Snowberg <[email protected]>
> ---
> v4 changes:
> Fixed typo
> Also did some performance testing with this patch. With the associative array
> implementation used within the keyring code, there doesn't seem to be much of a
> difference between doing an appraisal with an empty blacklist keyring and one
> containing 1500 entries. At this time it is unknown how many entries a user
> would place in this keyring, but this seemed like a bigger number than most use
> cases. With the 1500 entries, there were only 7 lookups to get through the
> entire list for a file not contained within it. For something that was
> on the list, there was an average of 4 lookups and a single string compare.
> Based on this testing, IMHO, there could be a lot more entries added to the
> blacklist keyring without any real performance issues.

Nice to see the performance test results.

Reviewed-by: Nayna Jain <[email protected]>

Thanks & Regards,

     - Nayna

>
> v3 changes:
> No longer display appraise_flag=check_blacklist in the policy
>
> v2 changes:
> Update the "case Opt_apprase_flag"
> Removed "appraise_flag=" in the powerpc arch specific policy rules
> ---
> Documentation/ABI/testing/ima_policy | 6 +++---
> arch/powerpc/kernel/ima_arch.c | 8 ++++----
> security/integrity/ima/ima_appraise.c | 12 +++++++-----
> security/integrity/ima/ima_policy.c | 17 +++++------------
> 4 files changed, 19 insertions(+), 24 deletions(-)
>
> diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy
> index 49db0ff288e5..c2385183826c 100644
> --- a/Documentation/ABI/testing/ima_policy
> +++ b/Documentation/ABI/testing/ima_policy
> @@ -57,9 +57,9 @@ Description:
> stored in security.ima xattr. Requires
> specifying "digest_type=verity" first.)
>
> - appraise_flag:= [check_blacklist]
> - Currently, blacklist check is only for files signed with appended
> - signature.
> + appraise_flag:= [check_blacklist] (deprecated)
> + Setting the check_blacklist flag is no longer necessary.
> + All appraisal functions set it by default.
> digest_type:= verity
> Require fs-verity's file digest instead of the
> regular IMA file hash.
> diff --git a/arch/powerpc/kernel/ima_arch.c b/arch/powerpc/kernel/ima_arch.c
> index 957abd592075..b7029beed847 100644
> --- a/arch/powerpc/kernel/ima_arch.c
> +++ b/arch/powerpc/kernel/ima_arch.c
> @@ -23,9 +23,9 @@ bool arch_ima_get_secureboot(void)
> * is not enabled.
> */
> static const char *const secure_rules[] = {
> - "appraise func=KEXEC_KERNEL_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
> + "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig",
> #ifndef CONFIG_MODULE_SIG
> - "appraise func=MODULE_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
> + "appraise func=MODULE_CHECK appraise_type=imasig|modsig",
> #endif
> NULL
> };
> @@ -49,9 +49,9 @@ static const char *const trusted_rules[] = {
> static const char *const secure_and_trusted_rules[] = {
> "measure func=KEXEC_KERNEL_CHECK template=ima-modsig",
> "measure func=MODULE_CHECK template=ima-modsig",
> - "appraise func=KEXEC_KERNEL_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
> + "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig",
> #ifndef CONFIG_MODULE_SIG
> - "appraise func=MODULE_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
> + "appraise func=MODULE_CHECK appraise_type=imasig|modsig",
> #endif
> NULL
> };
> diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
> index 491c1aca0b1c..870dde67707b 100644
> --- a/security/integrity/ima/ima_appraise.c
> +++ b/security/integrity/ima/ima_appraise.c
> @@ -458,11 +458,13 @@ int ima_check_blacklist(struct integrity_iint_cache *iint,
> ima_get_modsig_digest(modsig, &hash_algo, &digest, &digestsize);
>
> rc = is_binary_blacklisted(digest, digestsize);
> - if ((rc == -EPERM) && (iint->flags & IMA_MEASURE))
> - process_buffer_measurement(&nop_mnt_idmap, NULL, digest, digestsize,
> - "blacklisted-hash", NONE,
> - pcr, NULL, false, NULL, 0);
> - }
> + } else if (iint->flags & IMA_DIGSIG_REQUIRED && iint->ima_hash)
> + rc = is_binary_blacklisted(iint->ima_hash->digest, iint->ima_hash->length);
> +
> + if ((rc == -EPERM) && (iint->flags & IMA_MEASURE))
> + process_buffer_measurement(&nop_mnt_idmap, NULL, digest, digestsize,
> + "blacklisted-hash", NONE,
> + pcr, NULL, false, NULL, 0);
>
> return rc;
> }
> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index c9b3bd8f1bb9..69452b79686b 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -1280,7 +1280,7 @@ static bool ima_validate_rule(struct ima_rule_entry *entry)
> IMA_FSNAME | IMA_GID | IMA_EGID |
> IMA_FGROUP | IMA_DIGSIG_REQUIRED |
> IMA_PERMIT_DIRECTIO | IMA_VALIDATE_ALGOS |
> - IMA_VERITY_REQUIRED))
> + IMA_CHECK_BLACKLIST | IMA_VERITY_REQUIRED))
> return false;
>
> break;
> @@ -1355,7 +1355,7 @@ static bool ima_validate_rule(struct ima_rule_entry *entry)
>
> /* Ensure that combinations of flags are compatible with each other */
> if (entry->flags & IMA_CHECK_BLACKLIST &&
> - !(entry->flags & IMA_MODSIG_ALLOWED))
> + !(entry->flags & IMA_DIGSIG_REQUIRED))
> return false;
>
> /*
> @@ -1803,11 +1803,11 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
> if (entry->flags & IMA_VERITY_REQUIRED)
> result = -EINVAL;
> else
> - entry->flags |= IMA_DIGSIG_REQUIRED;
> + entry->flags |= IMA_DIGSIG_REQUIRED | IMA_CHECK_BLACKLIST;
> } else if (strcmp(args[0].from, "sigv3") == 0) {
> /* Only fsverity supports sigv3 for now */
> if (entry->flags & IMA_VERITY_REQUIRED)
> - entry->flags |= IMA_DIGSIG_REQUIRED;
> + entry->flags |= IMA_DIGSIG_REQUIRED | IMA_CHECK_BLACKLIST;
> else
> result = -EINVAL;
> } else if (IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG) &&
> @@ -1816,18 +1816,13 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
> result = -EINVAL;
> else
> entry->flags |= IMA_DIGSIG_REQUIRED |
> - IMA_MODSIG_ALLOWED;
> + IMA_MODSIG_ALLOWED | IMA_CHECK_BLACKLIST;
> } else {
> result = -EINVAL;
> }
> break;
> case Opt_appraise_flag:
> ima_log_string(ab, "appraise_flag", args[0].from);
> - if (IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG) &&
> - strstr(args[0].from, "blacklist"))
> - entry->flags |= IMA_CHECK_BLACKLIST;
> - else
> - result = -EINVAL;
> break;
> case Opt_appraise_algos:
> ima_log_string(ab, "appraise_algos", args[0].from);
> @@ -2271,8 +2266,6 @@ int ima_policy_show(struct seq_file *m, void *v)
> }
> if (entry->flags & IMA_VERITY_REQUIRED)
> seq_puts(m, "digest_type=verity ");
> - if (entry->flags & IMA_CHECK_BLACKLIST)
> - seq_puts(m, "appraise_flag=check_blacklist ");
> if (entry->flags & IMA_PERMIT_DIRECTIO)
> seq_puts(m, "permit_directio ");
> rcu_read_unlock();