Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp664305pxj; Fri, 14 May 2021 12:30:03 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxKU58aAxy2ZGHL8+C404+6j3Kd18ZxWCf3ea0XK4hxP9/KJldhovW/SdYlOIgO3GrcRyRT X-Received: by 2002:a17:906:c0c3:: with SMTP id bn3mr50363028ejb.498.1621020603430; Fri, 14 May 2021 12:30:03 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1621020603; cv=none; d=google.com; s=arc-20160816; b=CGvSQUX2c0uD+rO3JqvVm/wCdR0B/bZbCSeUuzsl4MUBab1pcI10vxhMAN6IiB9+FO XWFvTq6IUcxaCZLocq6vW4MOJxh4ve+yTFeHMf5FO3lKy1OSvXvSY3fa3F1RehF6brdd jRJVBlBuXhiEUKLIP3QAmpmv1/4J9OR/utEHLBrECQyxuhQgrqxtboJCd2bKjOC9mm53 0fUT5dVDJO7rS2txyW2rAbdcQdOMfcw/m7wOqc5VAjSW5HV0Dgo3GnRx/lnWOT8aiELy ci1vAzsI24WciC9OzU/QvfqGpxMT9rNaN4gG0q53ZoAhx2/su2CteCNTWzZUmkNKjztf Uxeg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from; bh=+2jcavqM8esWsdfnEo4Y61j+CRXBnLglEuIsgfO51R4=; b=MOPzLLPdZe9jhTq7hlIX17DF0lDkOOl1KToWb/RfGY3xga8mElmxzg6nwq5UE2Gf5J SF+lBL4owBI10JVj06CvyOfSFwnOZmStTCPVRGYw24/gQUTfT204MRj1BwXCIPqTq4gi YgcqtGGBMJP1OCWCq1nVdwtylBIlSEtyCeZFWcloBX4gB9XVw/NTML2nm36Gz1QYj09m ezeMpuBNUoIwlBS/ZBeogekLofxScElrNxm0WYulP7kSqNlL2gU3th7wwzCknPNgIbOT EqApAJSB/TpV3kb82WGnSrnLvLz1j1ljpf/iQy/VzS09QKndsRZzm8YakLx2gExuTahO Ikgg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=huawei.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id p13si6718399ejb.542.2021.05.14.12.29.40; Fri, 14 May 2021 12:30:03 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=huawei.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234797AbhENPbw (ORCPT + 99 others); Fri, 14 May 2021 11:31:52 -0400 Received: from frasgout.his.huawei.com ([185.176.79.56]:3079 "EHLO frasgout.his.huawei.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232023AbhENPbs (ORCPT ); Fri, 14 May 2021 11:31:48 -0400 Received: from fraeml714-chm.china.huawei.com (unknown [172.18.147.207]) by frasgout.his.huawei.com (SkyGuard) with ESMTP id 4FhXPs3t2Cz6cw7w; Fri, 14 May 2021 23:24:33 +0800 (CST) Received: from roberto-ThinkStation-P620.huawei.com (10.204.62.217) by fraeml714-chm.china.huawei.com (10.206.15.33) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2176.2; Fri, 14 May 2021 17:30:35 +0200 From: Roberto Sassu To: , CC: , , , Roberto Sassu Subject: [PATCH v7 11/12] ima: Introduce template field evmsig and write to field sig as fallback Date: Fri, 14 May 2021 17:27:52 +0200 Message-ID: <20210514152753.982958-12-roberto.sassu@huawei.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20210514152753.982958-1-roberto.sassu@huawei.com> References: <20210514152753.982958-1-roberto.sassu@huawei.com> MIME-Version: 1.0 Content-Transfer-Encoding: 7BIT Content-Type: text/plain; charset=US-ASCII X-Originating-IP: [10.204.62.217] X-ClientProxiedBy: lhreml753-chm.china.huawei.com (10.201.108.203) To fraeml714-chm.china.huawei.com (10.206.15.33) X-CFilter-Loop: Reflected Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org With the patch to accept EVM portable signatures when the appraise_type=imasig requirement is specified in the policy, appraisal can be successfully done even if the file does not have an IMA signature. However, remote attestation would not see that a different signature type was used, as only IMA signatures can be included in the measurement list. This patch solves the issue by introducing the new template field 'evmsig' to show EVM portable signatures and by including its value in the existing field 'sig' if the IMA signature is not found. Signed-off-by: Roberto Sassu Suggested-by: Mimi Zohar --- Documentation/security/IMA-templates.rst | 4 ++- security/integrity/ima/ima_template.c | 2 ++ security/integrity/ima/ima_template_lib.c | 33 ++++++++++++++++++++++- security/integrity/ima/ima_template_lib.h | 2 ++ 4 files changed, 39 insertions(+), 2 deletions(-) diff --git a/Documentation/security/IMA-templates.rst b/Documentation/security/IMA-templates.rst index c5a8432972ef..9f3e86ab028a 100644 --- a/Documentation/security/IMA-templates.rst +++ b/Documentation/security/IMA-templates.rst @@ -70,9 +70,11 @@ descriptors by adding their identifier to the format string prefix is shown only if the hash algorithm is not SHA1 or MD5); - 'd-modsig': the digest of the event without the appended modsig; - 'n-ng': the name of the event, without size limitations; - - 'sig': the file signature; + - 'sig': the file signature, or the EVM portable signature if the file + signature is not found; - 'modsig' the appended file signature; - 'buf': the buffer data that was used to generate the hash without size limitations; + - 'evmsig': the EVM portable signature; Below, there is the list of defined template descriptors: diff --git a/security/integrity/ima/ima_template.c b/security/integrity/ima/ima_template.c index 4e081e650047..7a60848c04a5 100644 --- a/security/integrity/ima/ima_template.c +++ b/security/integrity/ima/ima_template.c @@ -45,6 +45,8 @@ static const struct ima_template_field supported_fields[] = { .field_show = ima_show_template_digest_ng}, {.field_id = "modsig", .field_init = ima_eventmodsig_init, .field_show = ima_show_template_sig}, + {.field_id = "evmsig", .field_init = ima_eventevmsig_init, + .field_show = ima_show_template_sig}, }; /* diff --git a/security/integrity/ima/ima_template_lib.c b/security/integrity/ima/ima_template_lib.c index c022ee9e2a4e..4314d9a3514c 100644 --- a/security/integrity/ima/ima_template_lib.c +++ b/security/integrity/ima/ima_template_lib.c @@ -10,6 +10,7 @@ */ #include "ima_template_lib.h" +#include static bool ima_template_hash_algo_allowed(u8 algo) { @@ -438,7 +439,7 @@ int ima_eventsig_init(struct ima_event_data *event_data, struct evm_ima_xattr_data *xattr_value = event_data->xattr_value; if ((!xattr_value) || (xattr_value->type != EVM_IMA_XATTR_DIGSIG)) - return 0; + return ima_eventevmsig_init(event_data, field_data); return ima_write_template_field_data(xattr_value, event_data->xattr_len, DATA_FMT_HEX, field_data); @@ -484,3 +485,33 @@ int ima_eventmodsig_init(struct ima_event_data *event_data, return ima_write_template_field_data(data, data_len, DATA_FMT_HEX, field_data); } + +/* + * ima_eventevmsig_init - include the EVM portable signature as part of the + * template data + */ +int ima_eventevmsig_init(struct ima_event_data *event_data, + struct ima_field_data *field_data) +{ + struct evm_ima_xattr_data *xattr_data = NULL; + int rc = 0; + + if (!event_data->file) + return 0; + + rc = vfs_getxattr_alloc(&init_user_ns, file_dentry(event_data->file), + XATTR_NAME_EVM, (char **)&xattr_data, 0, + GFP_NOFS); + if (rc <= 0) + return 0; + + if (xattr_data->type != EVM_XATTR_PORTABLE_DIGSIG) { + kfree(xattr_data); + return 0; + } + + rc = ima_write_template_field_data((char *)xattr_data, rc, DATA_FMT_HEX, + field_data); + kfree(xattr_data); + return rc; +} diff --git a/security/integrity/ima/ima_template_lib.h b/security/integrity/ima/ima_template_lib.h index 6b3b880637a0..f4b2a2056d1d 100644 --- a/security/integrity/ima/ima_template_lib.h +++ b/security/integrity/ima/ima_template_lib.h @@ -46,4 +46,6 @@ int ima_eventbuf_init(struct ima_event_data *event_data, struct ima_field_data *field_data); int ima_eventmodsig_init(struct ima_event_data *event_data, struct ima_field_data *field_data); +int ima_eventevmsig_init(struct ima_event_data *event_data, + struct ima_field_data *field_data); #endif /* __LINUX_IMA_TEMPLATE_LIB_H */ -- 2.25.1