From: Dmitry Kasatkin <d.kasatkin@samsung.com>
To: zohar@linux.vnet.ibm.com, linux-ima-devel@lists.sourceforge.net,
        linux-security-module@vger.kernel.org, akpm@linux-foundation.org
Cc: linux-kernel@vger.kernel.org, dhowells@redhat.com,
        dmitry.kasatkin@gmail.com, Dmitry Kasatkin <d.kasatkin@samsung.com>
Subject: [PATCH v1 0/4] ima: require signed user-space initialization
Date: Tue, 15 Jul 2014 15:54:19 +0300
Message-id: <cover.1405428802.git.d.kasatkin@samsung.com>
Sender: linux-kernel-owner@vger.kernel.org

Currently secure IMA/EVM initialization has to be done from the initramfs,
embedded in the signed kernel image. Many systems do not want to use
initramfs or usage of embedded initramfs makes it difficult to have
multi-target kernels.

This is a very simple patchset which makes it possible to perform secure
initialization by requiring initial user-space to be signed.

It does it by:
- introducing IMA public keys loading hook
- loading IMA trusted public key into .ima trusted keyring
- making default IMA appraisal policy to require everything to be signed

When builtin initramfs is not in use, keys cannot be read from initcalls,
because root filesystem is not yet mounted. In order to read keys before
executing init process, ima_prepare_keys() hook is introduced. Reading
public keys from the kernel is justified because signature verification
key is needed in order to verify anything else which is read from the
file system. Public keys are X509 certificates and itself signed by the
trusted key from the .system keyring. Kernel BIG KEYS support is an example
of reading keys directly by the kernel.

CONFIG_IMA_APPRAISE_SIGNED_INIT kernel option is provided to make the IMA
default appraisal policy to required signature validation. Signed init
process need to initialize EVM key and load appropriate IMA policy which
would not require everything to be signed.

Unless real '/sbin/init' is signed, a simple and practical way is to place
all signed programs, libraries, scripts and configuration files under
dedicated directory, for example '/ima', and run signed init process by
providing a kernel command line parameter 'init=/ima/init'

-Dmitry

Dmitry Kasatkin (4):
  ima: provide hook to load IMA keys when rootfs is ready
  integrity: provide file reading API
  integrity: provide x509 certificate loading from the kernel
  ima: require signed user-space initialization

 include/linux/ima.h                 |  9 +++++
 init/main.c                         |  6 ++-
 security/integrity/Kconfig          |  7 ++++
 security/integrity/digsig.c         | 78 +++++++++++++++++++++++++++++++++++++
 security/integrity/ima/Kconfig      | 15 +++++++
 security/integrity/ima/ima_init.c   | 17 ++++++++
 security/integrity/ima/ima_policy.c |  5 +++
 security/integrity/integrity.h      | 11 +++++-
 8 files changed, 146 insertions(+), 2 deletions(-)

-- 
1.9.1

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/