Received: by 10.223.185.111 with SMTP id b44csp451951wrg; Fri, 9 Mar 2018 07:41:13 -0800 (PST) X-Google-Smtp-Source: AG47ELs/AnonV+mGHVhb1wp6o7w7kdqxDrlbNZe5ArHXR5pv/5i4dto2XxkHo8NS9Z+q/yF6ddb2 X-Received: by 2002:a17:902:b704:: with SMTP id d4-v6mr28750649pls.406.1520610073182; Fri, 09 Mar 2018 07:41:13 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1520610073; cv=none; d=google.com; s=arc-20160816; b=GBezapDZpt6MUSGysKfuzSJtrkm6TFmMUzrA10lnGxmTI6l99oealiIisus4SSmU/1 dza69LKLEDLXjOXrJGNoVKm7IQAfadaiCfqj0PjbhGHkz3BiNtsuT1AFilWTa9OewlqQ 5n3zWos0X+eXcwh33nuzleTUeQNA0Hp9fXvMFYsizvYcaEx38W/EJawdNFK7C87A9Ae0 WupeAF2NEZQRo1fzHJ2TYsz+OQozy0EPqRUJsYW87xjNmOLJtRLyw/m7K0Vw3xJgk75/ n1PXxZ8NQmQJro65/d/r8537EAmDZLF1/+hGj3QIiedhzhzXNFfCi7szTo5hlm3f8W5l PvpQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:references:in-reply-to:date :subject:cc:to:from:arc-authentication-results; bh=YlGNyR93at8UcD5R+4ZEJFMOn2FFjw4QKLeybEa2U/o=; b=xjwu6A9PW+0uPYeLL3spfQmSgkX8yZ6v03CEDQiuxUxolY6f1ONYjZQjuq982apjhG 3OwA1xIb3ROthdRrTXdy4UYpq/4iIuam4uHKDS0WU0Mdw+kFwcsN1n+3rBqT39OdSsAp qMlKfDuY/hUikcyBMQH6W+CsncZIPbrwAb1KnEzIGuerDYjCNsH5i6rwPChT6ijIlqBh ZN9iX8kpQxx7QLRtehq7hzG/WAlb+bSYbpqTFswFcaOecyJFVEPuX7klzgmcTXGz9iO2 wt2I6gXamGqUquo21TS6+3UlzeuSKH438NSv8nxwXRPg9eY3I4lT3ZJy64gzH8MJ+8VO 0xBA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 64si884744pgi.67.2018.03.09.07.40.58; Fri, 09 Mar 2018 07:41:13 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932279AbeCIPjl (ORCPT + 99 others); Fri, 9 Mar 2018 10:39:41 -0500 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:55870 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S932254AbeCIPji (ORCPT ); Fri, 9 Mar 2018 10:39:38 -0500 Received: from pps.filterd (m0098419.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id w29FVcix020273 for ; Fri, 9 Mar 2018 10:39:37 -0500 Received: from e06smtp12.uk.ibm.com (e06smtp12.uk.ibm.com [195.75.94.108]) by mx0b-001b2d01.pphosted.com with ESMTP id 2gkuq4bxjd-1 (version=TLSv1.2 cipher=AES256-SHA256 bits=256 verify=NOT) for ; Fri, 09 Mar 2018 10:39:36 -0500 Received: from localhost by e06smtp12.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Fri, 9 Mar 2018 15:39:34 -0000 Received: from b06cxnps4075.portsmouth.uk.ibm.com (9.149.109.197) by e06smtp12.uk.ibm.com (192.168.101.142) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Fri, 9 Mar 2018 15:39:32 -0000 Received: from d06av26.portsmouth.uk.ibm.com (d06av26.portsmouth.uk.ibm.com [9.149.105.62]) by b06cxnps4075.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id w29FdWJR50921722; Fri, 9 Mar 2018 15:39:32 GMT Received: from d06av26.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 63FF5AE045; Fri, 9 Mar 2018 15:30:05 +0000 (GMT) Received: from d06av26.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 0F3C1AE04D; Fri, 9 Mar 2018 15:30:03 +0000 (GMT) Received: from swastik.in.ibm.com (unknown [9.195.43.182]) by d06av26.portsmouth.uk.ibm.com (Postfix) with ESMTP; Fri, 9 Mar 2018 15:30:02 +0000 (GMT) From: Nayna Jain To: dhowells@redhat.com Cc: keyrings@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-integrity@vger.kernel.org, Nayna Jain Subject: [PATCH v2 3/3] ima: support platform keyring for kernel appraisal Date: Fri, 9 Mar 2018 21:08:03 +0530 X-Mailer: git-send-email 2.13.6 In-Reply-To: <20180309153803.25859-1-nayna@linux.vnet.ibm.com> References: <20180309153803.25859-1-nayna@linux.vnet.ibm.com> X-TM-AS-GCONF: 00 x-cbid: 18030915-0008-0000-0000-000004D9E3AA X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 18030915-0009-0000-0000-00001E6D088D Message-Id: <20180309153803.25859-3-nayna@linux.vnet.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:,, definitions=2018-03-09_07:,, signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=1 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 impostorscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1709140000 definitions=main-1803090194 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Distros may sign the kernel images and, possibly, the initramfs with platform trusted keys. On secure boot enabled systems or embedded devices, these signatures are to be validated using keys on the platform keyring. This patch enables IMA-appraisal to access the platform keyring, based on a new Kconfig option "IMA_USE_PLATFORM_KEYRING". Signed-off-by: Nayna Jain --- Changelog: v2: * Rename integrity_load_keyring() to integrity_find_keyring() * Fix the patch description per line length as suggested by Mimi security/integrity/digsig.c | 15 +++++++++++++++ security/integrity/ima/Kconfig | 10 ++++++++++ security/integrity/ima/ima_appraise.c | 22 +++++++++++++++++----- security/integrity/ima/ima_init.c | 4 ++++ security/integrity/integrity.h | 17 ++++++++++++++++- 5 files changed, 62 insertions(+), 6 deletions(-) diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c index 6f9e4ce568cd..cfeb977bced9 100644 --- a/security/integrity/digsig.c +++ b/security/integrity/digsig.c @@ -34,6 +34,8 @@ static const char *keyring_name[INTEGRITY_KEYRING_MAX] = { ".ima", #endif "_module", + ".platform_keys", + }; #ifdef CONFIG_INTEGRITY_TRUSTED_KEYRING @@ -78,6 +80,19 @@ int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen, return -EOPNOTSUPP; } +#ifdef CONFIG_IMA_USE_PLATFORM_KEYRING +int __init integrity_find_keyring(const unsigned int id) +{ + + keyring[id] = find_keyring_by_name(keyring_name[id], 0); + if (IS_ERR(keyring[id])) + if (PTR_ERR(keyring[id]) != -ENOKEY) + return PTR_ERR(keyring[id]); + return 0; + +} +#endif + int __init integrity_init_keyring(const unsigned int id) { const struct cred *cred = current_cred(); diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig index 35ef69312811..2e89d4f8a364 100644 --- a/security/integrity/ima/Kconfig +++ b/security/integrity/ima/Kconfig @@ -227,3 +227,13 @@ config IMA_APPRAISE_SIGNED_INIT default n help This option requires user-space init to be signed. + +config IMA_USE_PLATFORM_KEYRING + bool "IMA uses keys from Platform Keyring for verification" + depends on PLATFORM_KEYRING + depends on IMA_APPRAISE + depends on INTEGRITY_ASYMMETRIC_KEYS + default n + help + This option enables IMA appraisal to look for the platform + trusted keys in .platform_keys keyring. diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c index f2803a40ff82..5fec29f40595 100644 --- a/security/integrity/ima/ima_appraise.c +++ b/security/integrity/ima/ima_appraise.c @@ -276,13 +276,25 @@ int ima_appraise_measurement(enum ima_hooks func, (const char *)xattr_value, rc, iint->ima_hash->digest, iint->ima_hash->length); - if (rc == -EOPNOTSUPP) { - status = INTEGRITY_UNKNOWN; - } else if (rc) { + if (rc) { + if (rc == -EOPNOTSUPP) { + status = INTEGRITY_UNKNOWN; + break; + } + if (func == KEXEC_KERNEL_CHECK) { + rc = integrity_digsig_verify( + INTEGRITY_KEYRING_PLATFORM, + (const char *)xattr_value, + xattr_len, + iint->ima_hash->digest, + iint->ima_hash->length); + if (!rc) { + status = INTEGRITY_PASS; + break; + } + } cause = "invalid-signature"; status = INTEGRITY_FAIL; - } else { - status = INTEGRITY_PASS; } break; default: diff --git a/security/integrity/ima/ima_init.c b/security/integrity/ima/ima_init.c index 29b72cd2502e..5778647c6bc4 100644 --- a/security/integrity/ima/ima_init.c +++ b/security/integrity/ima/ima_init.c @@ -122,6 +122,10 @@ int __init ima_init(void) if (rc) return rc; + rc = integrity_find_keyring(INTEGRITY_KEYRING_PLATFORM); + if (rc) + pr_info("Platform keyring is not found. (rc=%d)\n", rc); + rc = ima_init_crypto(); if (rc) return rc; diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h index 50a8e3365df7..3d3b7171ead2 100644 --- a/security/integrity/integrity.h +++ b/security/integrity/integrity.h @@ -136,13 +136,23 @@ int integrity_kernel_read(struct file *file, loff_t offset, #define INTEGRITY_KEYRING_EVM 0 #define INTEGRITY_KEYRING_IMA 1 #define INTEGRITY_KEYRING_MODULE 2 -#define INTEGRITY_KEYRING_MAX 3 +#define INTEGRITY_KEYRING_PLATFORM 3 +#define INTEGRITY_KEYRING_MAX 4 #ifdef CONFIG_INTEGRITY_SIGNATURE int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen, const char *digest, int digestlen); +#ifdef CONFIG_IMA_USE_PLATFORM_KEYRING +int __init integrity_find_keyring(const unsigned int id); +#else +static inline int __init integrity_find_keyring(const unsigned int id) +{ + return 0; +} +#endif + int __init integrity_init_keyring(const unsigned int id); int __init integrity_load_x509(const unsigned int id, const char *path); #else @@ -154,6 +164,11 @@ static inline int integrity_digsig_verify(const unsigned int id, return -EOPNOTSUPP; } +static inline int __init integrity_find_keyring(const unsigned int id) +{ + return 0; +} + static inline int integrity_init_keyring(const unsigned int id) { return 0; -- 2.13.6