Commit f47825c6 authored by Mimi Zohar's avatar Mimi Zohar
Browse files

Merge branch 'next-integrity.measure-keys' into next-integrity 

From "KEYS: Measure keys when they are created or updated" cover letter:

Keys created or updated in the system are currently not measured.
Therefore an attestation service, for instance, would not be able to
attest whether or not the trusted keys keyring(s), for instance, contain
only known good (trusted) keys.

IMA measures system files, command line arguments passed to kexec,
boot aggregate, etc. It can be used to measure keys as well.
But there is no mechanism available in the kernel for IMA to
know when a key is created or updated.

This change aims to address measuring keys created or updated
in the system.

To achieve the above the following changes have been made:

 - Added a new IMA hook namely, ima_post_key_create_or_update, which
   measures the key. This IMA hook is called from key_create_or_update
   function. The key measurement can be controlled through IMA policy.

   A new IMA policy function KEY_CHECK has been added to measure keys.
   "keyrings=" option can be specified for KEY_CHECK to limit
   measuring the keys loaded onto the specified keyrings only.

   uid can be specified to further restrict key measurement for keys
   created by specific user.

   # measure keys loaded onto any keyring
   measure func=KEY_CHECK

   # measure keys loaded onto the IMA keyring only for root user
   measure func=KEY_CHECK uid=0 keyring=".ima"

   # measure keys on the BUILTIN and IMA keyrings into a different PCR
   measure func=KEY_CHECK keyring=".builtin_trusted_keys|.ima" pcr=11
parents 96c9e1de 2b60c0ec

Documentation/ABI/testing/ima_policy

+14 −2
Original line number Diff line number Diff line
@@ -25,11 +25,11 @@ Description: 
			lsm:	[[subj_user=] [subj_role=] [subj_type=]

				 [obj_user=] [obj_role=] [obj_type=]]

			option:	[[appraise_type=]] [template=] [permit_directio]

				[appraise_flag=]

				[appraise_flag=] [keyrings=]

		base: 	func:= [BPRM_CHECK][MMAP_CHECK][CREDS_CHECK][FILE_CHECK][MODULE_CHECK]

				[FIRMWARE_CHECK]

				[KEXEC_KERNEL_CHECK] [KEXEC_INITRAMFS_CHECK]

				[KEXEC_CMDLINE]

				[KEXEC_CMDLINE] [KEY_CHECK]

			mask:= [[^]MAY_READ] [[^]MAY_WRITE] [[^]MAY_APPEND]

			       [[^]MAY_EXEC]

			fsmagic:= hex value
@@ -42,6 +42,9 @@ Description: 
			appraise_flag:= [check_blacklist]

			Currently, blacklist check is only for files signed with appended

			signature.

			keyrings:= list of keyrings

			(eg, .builtin_trusted_keys|.ima). Only valid

			when action is "measure" and func is KEY_CHECK.

			template:= name of a defined IMA template type

			(eg, ima-ng). Only valid when action is "measure".

			pcr:= decimal value
@@ -113,3 +116,12 @@ Description: 
		Example of appraise rule allowing modsig appended signatures:



			appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig



		Example of measure rule using KEY_CHECK to measure all keys:



			measure func=KEY_CHECK



		Example of measure rule using KEY_CHECK to only measure

		keys added to .builtin_trusted_keys or .ima keyring:



			measure func=KEY_CHECK keyrings=.builtin_trusted_keys|.ima

include/linux/ima.h

+14 −0
Original line number Diff line number Diff line
@@ -101,6 +101,20 @@ static inline void ima_add_kexec_buffer(struct kimage *image) 
{}

#endif



#if defined(CONFIG_IMA) && defined(CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE)

extern void ima_post_key_create_or_update(struct key *keyring,

					  struct key *key,

					  const void *payload, size_t plen,

					  unsigned long flags, bool create);

#else

static inline void ima_post_key_create_or_update(struct key *keyring,

						 struct key *key,

						 const void *payload,

						 size_t plen,

						 unsigned long flags,

						 bool create) {}

#endif  /* CONFIG_IMA && CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE */



#ifdef CONFIG_IMA_APPRAISE

extern bool is_ima_appraise_enabled(void);

extern void ima_inode_post_setattr(struct dentry *dentry);

security/integrity/ima/Makefile

+1 −0
Original line number Diff line number Diff line
@@ -12,3 +12,4 @@ ima-$(CONFIG_IMA_APPRAISE) += ima_appraise.o 
ima-$(CONFIG_IMA_APPRAISE_MODSIG) += ima_modsig.o

ima-$(CONFIG_HAVE_IMA_KEXEC) += ima_kexec.o

obj-$(CONFIG_IMA_BLACKLIST_KEYRING) += ima_mok.o

obj-$(CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE) += ima_asymmetric_keys.o

security/integrity/ima/ima.h

+6 −3
Original line number Diff line number Diff line
@@ -193,6 +193,7 @@ static inline unsigned long ima_hash_key(u8 *digest) 
	hook(KEXEC_INITRAMFS_CHECK)	\

	hook(POLICY_CHECK)		\

	hook(KEXEC_CMDLINE)		\

	hook(KEY_CHECK)			\

	hook(MAX_CHECK)

#define __ima_hook_enumify(ENUM)	ENUM,
@@ -207,7 +208,8 @@ struct modsig; 
/* LIM API function definitions */

int ima_get_action(struct inode *inode, const struct cred *cred, u32 secid,

		   int mask, enum ima_hooks func, int *pcr,

		   struct ima_template_desc **template_desc);

		   struct ima_template_desc **template_desc,

		   const char *keyring);

int ima_must_measure(struct inode *inode, int mask, enum ima_hooks func);

int ima_collect_measurement(struct integrity_iint_cache *iint,

			    struct file *file, void *buf, loff_t size,
@@ -219,7 +221,7 @@ void ima_store_measurement(struct integrity_iint_cache *iint, struct file *file, 
			   struct ima_template_desc *template_desc);

void process_buffer_measurement(const void *buf, int size,

				const char *eventname, enum ima_hooks func,

				int pcr);

				int pcr, const char *keyring);

void ima_audit_measurement(struct integrity_iint_cache *iint,

			   const unsigned char *filename);

int ima_alloc_init_template(struct ima_event_data *event_data,
@@ -234,7 +236,8 @@ const char *ima_d_path(const struct path *path, char **pathbuf, char *filename); 
/* IMA policy related functions */

int ima_match_policy(struct inode *inode, const struct cred *cred, u32 secid,

		     enum ima_hooks func, int mask, int flags, int *pcr,

		     struct ima_template_desc **template_desc);

		     struct ima_template_desc **template_desc,

		     const char *keyring);

void ima_init_policy(void);

void ima_update_policy(void);

void ima_update_policy_flag(void);

security/integrity/ima/ima_api.c

+5 −3
Original line number Diff line number Diff line
@@ -169,12 +169,13 @@ err_out: 
 * @func: caller identifier

 * @pcr: pointer filled in if matched measure policy sets pcr=

 * @template_desc: pointer filled in if matched measure policy sets template=

 * @keyring: keyring name used to determine the action

 *

 * The policy is defined in terms of keypairs:

 *		subj=, obj=, type=, func=, mask=, fsmagic=

 *	subj,obj, and type: are LSM specific.

 *	func: FILE_CHECK | BPRM_CHECK | CREDS_CHECK | MMAP_CHECK | MODULE_CHECK

 *	| KEXEC_CMDLINE

 *	| KEXEC_CMDLINE | KEY_CHECK

 *	mask: contains the permission mask

 *	fsmagic: hex value

 *
@@ -183,14 +184,15 @@ err_out: 
 */

int ima_get_action(struct inode *inode, const struct cred *cred, u32 secid,

		   int mask, enum ima_hooks func, int *pcr,

		   struct ima_template_desc **template_desc)

		   struct ima_template_desc **template_desc,

		   const char *keyring)

{

	int flags = IMA_MEASURE | IMA_AUDIT | IMA_APPRAISE | IMA_HASH;



	flags &= ima_policy_flag;



	return ima_match_policy(inode, cred, secid, func, mask, flags, pcr,

				template_desc);

				template_desc, keyring);

}



/*

CRA Git | Maintained and supported by SUSTech CRA and CCSE