| Message ID | 20191204224131.3384-7-nramas@linux.microsoft.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | KEYS: Measure keys when they are created or updated | expand |
On Wed, 2019-12-04 at 14:41 -0800, Lakshmi Ramasubramanian wrote: > Read "keyrings=" option, if specified in the IMA policy, and store in > the list of IMA rules when the configured IMA policy is read. > > This patch defines a new policy token enum namely Opt_keyrings > and an option flag IMA_KEYRINGS for reading "keyrings=" option > from the IMA policy. > > Updated ima_parse_rule() to parse "keyrings=" option in the policy. > Updated ima_policy_show() to display "keyrings=" option. > > The following example illustrates how key measurement can be verified. > > Sample "key" measurement rule in the IMA policy: > > measure func=KEY_CHECK uid=0 keyrings=.ima|.evm template=ima-buf > > Display "key" measurement in the IMA measurement list: > > cat /sys/kernel/security/ima/ascii_runtime_measurements > > 10 faf3...e702 ima-buf > sha256:27c915b8ddb9fae7214cf0a8a7043cc3eeeaa7539bcb136f8427067b5f6c3 > b7b .ima 308202863082...4aee > > Verify "key" measurement data for a key added to ".ima" keyring: > > cat /sys/kernel/security/integrity/ima/ascii_runtime_measurements | > grep ".ima" | cut -d' ' -f 6 | xxd -r -p |tee ima-cert.der | > sha256sum | cut -d' ' -f 1 > The dot needs to be quoted, otherwise it matches any character. I would also limit the above command to the first instance (eg. grep -m 1 "\.ima). > The output of the above command should match the sha256 hash > in the "key" measurement entry in the IMA measurement list. There are multiple hashes in a measurement list record. Perhaps refer to the 2nd hash as the "template hash". Mimi > > The file namely "ima-cert.der" generated by the above command > should be a valid x509 certificate (in DER format) and should match > the one that was used to import the key to the .ima keyring. > The certificate file can be verified using openssl tool. > > Signed-off-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 5db990c8b02d..73030a69d546 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -34,6 +34,7 @@ #define IMA_EUID 0x0080 #define IMA_PCR 0x0100 #define IMA_FSNAME 0x0200 +#define IMA_KEYRINGS 0x0400 #define UNKNOWN 0 #define MEASURE 0x0001 /* same as IMA_MEASURE */ @@ -821,7 +822,8 @@ enum { Opt_uid_gt, Opt_euid_gt, Opt_fowner_gt, Opt_uid_lt, Opt_euid_lt, Opt_fowner_lt, Opt_appraise_type, Opt_appraise_flag, - Opt_permit_directio, Opt_pcr, Opt_template, Opt_err + Opt_permit_directio, Opt_pcr, Opt_template, Opt_keyrings, + Opt_err }; static const match_table_t policy_tokens = { @@ -857,6 +859,7 @@ static const match_table_t policy_tokens = { {Opt_permit_directio, "permit_directio"}, {Opt_pcr, "pcr=%s"}, {Opt_template, "template=%s"}, + {Opt_keyrings, "keyrings=%s"}, {Opt_err, NULL} }; @@ -1106,6 +1109,23 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) result = 0; entry->flags |= IMA_FSNAME; break; + case Opt_keyrings: + ima_log_string(ab, "keyrings", args[0].from); + + if ((entry->keyrings) || + (entry->action != MEASURE) || + (entry->func != KEY_CHECK)) { + result = -EINVAL; + break; + } + entry->keyrings = kstrdup(args[0].from, GFP_KERNEL); + if (!entry->keyrings) { + result = -ENOMEM; + break; + } + result = 0; + entry->flags |= IMA_KEYRINGS; + break; case Opt_fsuuid: ima_log_string(ab, "fsuuid", args[0].from); @@ -1481,6 +1501,13 @@ int ima_policy_show(struct seq_file *m, void *v) seq_puts(m, " "); } + if (entry->flags & IMA_KEYRINGS) { + if (entry->keyrings != NULL) + snprintf(tbuf, sizeof(tbuf), "%s", entry->keyrings); + seq_printf(m, pt(Opt_keyrings), tbuf); + seq_puts(m, " "); + } + if (entry->flags & IMA_PCR) { snprintf(tbuf, sizeof(tbuf), "%d", entry->pcr); seq_printf(m, pt(Opt_pcr), tbuf);
Read "keyrings=" option, if specified in the IMA policy, and store in the list of IMA rules when the configured IMA policy is read. This patch defines a new policy token enum namely Opt_keyrings and an option flag IMA_KEYRINGS for reading "keyrings=" option from the IMA policy. Updated ima_parse_rule() to parse "keyrings=" option in the policy. Updated ima_policy_show() to display "keyrings=" option. The following example illustrates how key measurement can be verified. Sample "key" measurement rule in the IMA policy: measure func=KEY_CHECK uid=0 keyrings=.ima|.evm template=ima-buf Display "key" measurement in the IMA measurement list: cat /sys/kernel/security/ima/ascii_runtime_measurements 10 faf3...e702 ima-buf sha256:27c915b8ddb9fae7214cf0a8a7043cc3eeeaa7539bcb136f8427067b5f6c3b7b .ima 308202863082...4aee Verify "key" measurement data for a key added to ".ima" keyring: cat /sys/kernel/security/integrity/ima/ascii_runtime_measurements | grep ".ima" | cut -d' ' -f 6 | xxd -r -p |tee ima-cert.der | sha256sum | cut -d' ' -f 1 The output of the above command should match the sha256 hash in the "key" measurement entry in the IMA measurement list. The file namely "ima-cert.der" generated by the above command should be a valid x509 certificate (in DER format) and should match the one that was used to import the key to the .ima keyring. The certificate file can be verified using openssl tool. Signed-off-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com> --- security/integrity/ima/ima_policy.c | 29 ++++++++++++++++++++++++++++- 1 file changed, 28 insertions(+), 1 deletion(-)