Commit 9f81a2ed authored by Lakshmi Ramasubramanian's avatar Lakshmi Ramasubramanian Committed by Mimi Zohar
Browse files

IMA: Define workqueue for early boot key measurements 



Measuring keys requires a custom IMA policy to be loaded.  Keys created
or updated before a custom IMA policy is loaded should be queued and
will be processed after a custom policy is loaded.

This patch defines a workqueue for queuing keys when a custom IMA policy
has not yet been loaded.  An intermediate Kconfig boolean option namely
IMA_QUEUE_EARLY_BOOT_KEYS is used to declare the workqueue functions.

A flag namely ima_process_keys is used to check if the key should be
queued or should be processed immediately.

Signed-off-by: default avatarLakshmi Ramasubramanian <nramas@linux.microsoft.com>
Signed-off-by: default avatarMimi Zohar <zohar@linux.ibm.com>
parent 5c7bac9f

security/integrity/ima/Kconfig

+6 −0
Original line number Diff line number Diff line
@@ -316,3 +316,9 @@ config IMA_MEASURE_ASYMMETRIC_KEYS 
	depends on IMA

	depends on ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y

	default y



config IMA_QUEUE_EARLY_BOOT_KEYS

	bool

	depends on IMA_MEASURE_ASYMMETRIC_KEYS

	depends on SYSTEM_TRUSTED_KEYRING

	default y

security/integrity/ima/Makefile

+1 −0
Original line number Diff line number Diff line
@@ -13,3 +13,4 @@ ima-$(CONFIG_IMA_APPRAISE_MODSIG) += ima_modsig.o 
ima-$(CONFIG_HAVE_IMA_KEXEC) += ima_kexec.o

obj-$(CONFIG_IMA_BLACKLIST_KEYRING) += ima_mok.o

obj-$(CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS) += ima_asymmetric_keys.o

obj-$(CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS) += ima_queue_keys.o

security/integrity/ima/ima.h

+22 −0
Original line number Diff line number Diff line
@@ -205,6 +205,28 @@ extern const char *const func_tokens[]; 


struct modsig;



#ifdef CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS

/*

 * To track keys that need to be measured.

 */

struct ima_key_entry {

	struct list_head list;

	void *payload;

	size_t payload_len;

	char *keyring_name;

};

bool ima_should_queue_key(void);

bool ima_queue_key(struct key *keyring, const void *payload,

		   size_t payload_len);

void ima_process_queued_keys(void);

#else

static inline bool ima_should_queue_key(void) { return false; }

static inline bool ima_queue_key(struct key *keyring,

				 const void *payload,

				 size_t payload_len) { return false; }

static inline void ima_process_queued_keys(void) {}

#endif /* CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS */



/* LIM API function definitions */

int ima_get_action(struct inode *inode, const struct cred *cred, u32 secid,

		   int mask, enum ima_hooks func, int *pcr,

security/integrity/ima/ima_queue_keys.c

0 → 100644
+137 −0
Original line number Diff line number Diff line 
// SPDX-License-Identifier: GPL-2.0+

/*

 * Copyright (C) 2019 Microsoft Corporation

 *

 * Author: Lakshmi Ramasubramanian (nramas@linux.microsoft.com)

 *

 * File: ima_queue_keys.c

 *       Enables deferred processing of keys

 */



#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt



#include <keys/asymmetric-type.h>

#include "ima.h"



/*

 * Flag to indicate whether a key can be processed

 * right away or should be queued for processing later.

 */

static bool ima_process_keys;



/*

 * To synchronize access to the list of keys that need to be measured

 */

static DEFINE_MUTEX(ima_keys_lock);

static LIST_HEAD(ima_keys);



static void ima_free_key_entry(struct ima_key_entry *entry)

{

	if (entry) {

		kfree(entry->payload);

		kfree(entry->keyring_name);

		kfree(entry);

	}

}



static struct ima_key_entry *ima_alloc_key_entry(struct key *keyring,

						 const void *payload,

						 size_t payload_len)

{

	int rc = 0;

	struct ima_key_entry *entry;



	entry = kzalloc(sizeof(*entry), GFP_KERNEL);

	if (entry) {

		entry->payload = kmemdup(payload, payload_len, GFP_KERNEL);

		entry->keyring_name = kstrdup(keyring->description,

					      GFP_KERNEL);

		entry->payload_len = payload_len;

	}



	if ((entry == NULL) || (entry->payload == NULL) ||

	    (entry->keyring_name == NULL)) {

		rc = -ENOMEM;

		goto out;

	}



	INIT_LIST_HEAD(&entry->list);



out:

	if (rc) {

		ima_free_key_entry(entry);

		entry = NULL;

	}



	return entry;

}



bool ima_queue_key(struct key *keyring, const void *payload,

		   size_t payload_len)

{

	bool queued = false;

	struct ima_key_entry *entry;



	entry = ima_alloc_key_entry(keyring, payload, payload_len);

	if (!entry)

		return false;



	mutex_lock(&ima_keys_lock);

	if (!ima_process_keys) {

		list_add_tail(&entry->list, &ima_keys);

		queued = true;

	}

	mutex_unlock(&ima_keys_lock);



	if (!queued)

		ima_free_key_entry(entry);



	return queued;

}



/*

 * ima_process_queued_keys() - process keys queued for measurement

 *

 * This function sets ima_process_keys to true and processes queued keys.

 * From here on keys will be processed right away (not queued).

 */

void ima_process_queued_keys(void)

{

	struct ima_key_entry *entry, *tmp;

	bool process = false;



	if (ima_process_keys)

		return;



	/*

	 * Since ima_process_keys is set to true, any new key will be

	 * processed immediately and not be queued to ima_keys list.

	 * First one setting the ima_process_keys flag to true will

	 * process the queued keys.

	 */

	mutex_lock(&ima_keys_lock);

	if (!ima_process_keys) {

		ima_process_keys = true;

		process = true;

	}

	mutex_unlock(&ima_keys_lock);



	if (!process)

		return;





	list_for_each_entry_safe(entry, tmp, &ima_keys, list) {

		process_buffer_measurement(entry->payload,

					   entry->payload_len,

					   entry->keyring_name,

					   KEY_CHECK, 0,

					   entry->keyring_name);

		list_del(&entry->list);

		ima_free_key_entry(entry);

	}

}



inline bool ima_should_queue_key(void)

{

	return !ima_process_keys;

}

CRA Git | Maintained and supported by SUSTech CRA and CCSE