Commit d54e17b4 authored by Mimi Zohar's avatar Mimi Zohar

Merge branch 'next-integrity.defer-measuring-keys' into next-integrity

From patch set cover letter:

The IMA subsystem supports measuring asymmetric keys when the key is
created or updated[1]. But keys created or updated before a custom IMA
policy is loaded are currently not measured.  This includes keys added,
for instance, to either the .ima or .builtin_trusted_keys keyrings, which
happens early in the boot process.

Measuring the early boot keys, by design, requires loading a custom IMA
policy.  This change adds support for queuing keys created or updated
before a custom IMA policy is loaded.  The queued keys are processed when
a custom policy is loaded.  Keys created or updated after a custom policy
is loaded are measured immediately (not queued).  In the case when a
custom policy is not loaded within 5 minutes of IMA initialization, the
queued keys are freed.

[1] https://lore.kernel.org/linux-integrity/20191211164707.4698-1-nramas@linux.microsoft.com/
parents 5c7bac9f 5b3014b9
+6 −0
@@ -316,3 +316,9 @@ config IMA_MEASURE_ASYMMETRIC_KEYS
	depends on IMA
	depends on ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y
	default y

config IMA_QUEUE_EARLY_BOOT_KEYS
	bool
	depends on IMA_MEASURE_ASYMMETRIC_KEYS
	depends on SYSTEM_TRUSTED_KEYRING
	default y
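Review bot: `config IMA_QUEUE_EARLY_BOOT_KEYS` is a promptless `bool` with `default y`, so it is forced on whenever IMA_MEASURE_ASYMMETRIC_KEYS and SYSTEM_TRUSTED_KEYRING are set and cannot be switched off in menuconfig; if that is intended, the symbol should say so. A short `help` block would also explain why SYSTEM_TRUSTED_KEYRING is a hard dependency when the commit message describes the .ima keyring as an equally important source of early boot keys. Suggested text: `help` / `Queue asymmetric keys created or updated before a custom IMA policy is loaded so they can be measured once the policy arrives; the queue is freed if no custom policy is loaded within the timeout.`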
+1 −0
@@ -13,3 +13,4 @@ ima-$(CONFIG_IMA_APPRAISE_MODSIG) += ima_modsig.o
ima-$(CONFIG_HAVE_IMA_KEXEC) += ima_kexec.o
obj-$(CONFIG_IMA_BLACKLIST_KEYRING) += ima_mok.o
obj-$(CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS) += ima_asymmetric_keys.o
obj-$(CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS) += ima_queue_keys.o
+24 −0
@@ -205,6 +205,30 @@ extern const char *const func_tokens[];

struct modsig;

#ifdef CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS
/*
 * To track keys that need to be measured.
 */
struct ima_key_entry {
	struct list_head list;
	void *payload;
	size_t payload_len;
	char *keyring_name;
};
void ima_init_key_queue(void);
bool ima_should_queue_key(void);
bool ima_queue_key(struct key *keyring, const void *payload,
		   size_t payload_len);
void ima_process_queued_keys(void);
#else
static inline void ima_init_key_queue(void) {}
static inline bool ima_should_queue_key(void) { return false; }
static inline bool ima_queue_key(struct key *keyring,
				 const void *payload,
				 size_t payload_len) { return false; }
static inline void ima_process_queued_keys(void) {}
#endif /* CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS */

/* LIM API function definitions */
int ima_get_action(struct inode *inode, const struct cred *cred, u32 secid,
		   int mask, enum ima_hooks func, int *pcr,
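Review bot: `struct ima_key_entry` carries bare `void *payload` and `char *keyring_name` pointers, but nothing in the header says who owns them or when they are released, which matters because the `payload` buffer handed to ima_post_key_create_or_update() is only valid for the duration of that hook. Presumably ima_queue_key() stores heap copies that ima_process_queued_keys() (or the timeout path described in the commit message) frees; the struct comment should state that, e.g. `/* Heap copies of the key payload and keyring name; owned by the entry and freed when it is processed or dropped on timeout. */`. The prototypes would also benefit from one line each saying that ima_queue_key() returns true only when the entry was queued and that `false` leaves the caller responsible for measuring the key itself, since ima_asymmetric_keys.c relies on exactly that contract.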
+8 −0
@@ -30,6 +30,8 @@ void ima_post_key_create_or_update(struct key *keyring, struct key *key,
				   const void *payload, size_t payload_len,
				   unsigned long flags, bool create)
{
	bool queued = false;

	/* Only asymmetric keys are handled by this hook. */
	if (key->type != &key_type_asymmetric)
		return;
@@ -37,6 +39,12 @@ void ima_post_key_create_or_update(struct key *keyring, struct key *key,
	if (!payload || (payload_len == 0))
		return;

	if (ima_should_queue_key())
		queued = ima_queue_key(keyring, payload, payload_len);

	if (queued)
		return;

	/*
	 * keyring->description points to the name of the keyring
	 * (such as ".builtin_trusted_keys", ".ima", etc.) to
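Review bot: The `ima_should_queue_key()` / `ima_queue_key()` pair at the top of the second hunk is a check-then-act: if a custom policy is loaded between the two calls, the entry can be added after ima_process_queued_keys() has already drained the list and the key is never measured, unless ima_queue_key() re-checks the condition under the queue lock (its body is not in this hunk, so please confirm). Likewise, when ima_queue_key() returns false (for example on an allocation failure) the code falls through to the immediate measurement path, which at that point evaluates the key against the default policy, presumably without a KEY_CHECK rule, so the key silently goes unmeasured; that case deserves at least a comment and a rate-limited warning such as `if (ima_should_queue_key() && !queued) pr_warn_ratelimited("IMA: failed to queue key for %s\n", keyring->description);`. ima_post_key_create_or_update() continues past the end of the hunk.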
+7 −1
@@ -131,5 +131,11 @@ int __init ima_init(void)

	ima_init_policy();

	return ima_fs_init();
	rc = ima_fs_init();
	if (rc != 0)
		return rc;

	ima_init_key_queue();

	return rc;
}
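Review bot: ima_init_key_queue() is called only at the very end of ima_init(), yet the whole point of the series is that ima_post_key_create_or_update() fires for keys created earlier in boot; if ima_init_key_queue() initialises the list head or the lock (rather than only arming the timeout described in the commit message), those early calls would touch an uninitialised queue, so it is worth confirming that the list and lock are statically initialised and that this function only starts the timer. Two smaller points: `rc` is not declared within the hunk, so its declaration above must already exist, and the final `return rc;` can only ever return 0 after the `if (rc != 0) return rc;` check, so `return 0;` states the intent more clearly. ima_init() starts before the hunk.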