From patchwork Wed Nov 13 18:46:56 2019
X-Patchwork-Submitter: Lakshmi Ramasubramanian
X-Patchwork-Id: 11242667
From: Lakshmi Ramasubramanian To: zohar@linux.ibm.com, dhowells@redhat.com, matthewgarrett@google.com, sashal@kernel.org, jamorris@linux.microsoft.com, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH v6 1/3] IMA: Add KEY_CHECK func to measure keys Date: Wed, 13 Nov 2019 10:46:56 -0800 Message-Id: <20191113184658.2862-2-nramas@linux.microsoft.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20191113184658.2862-1-nramas@linux.microsoft.com> References: <20191113184658.2862-1-nramas@linux.microsoft.com> Sender: linux-integrity-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org Measure keys loaded onto any keyring. This patch defines a new IMA policy func namely KEY_CHECK to measure keys. Updated ima_match_rules() to check for KEY_CHECK and ima_parse_rule() to handle KEY_CHECK. Signed-off-by: Lakshmi Ramasubramanian --- Documentation/ABI/testing/ima_policy | 6 +++++- security/integrity/ima/ima.h | 1 + security/integrity/ima/ima_main.c | 7 +++++++ security/integrity/ima/ima_policy.c | 4 +++- 4 files changed, 16 insertions(+), 2 deletions(-) diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy index 29aaedf33246..066d32797500 100644 --- a/Documentation/ABI/testing/ima_policy +++ b/Documentation/ABI/testing/ima_policy @@ -29,7 +29,7 @@ Description: base: func:= [BPRM_CHECK][MMAP_CHECK][CREDS_CHECK][FILE_CHECK][MODULE_CHECK] [FIRMWARE_CHECK] [KEXEC_KERNEL_CHECK] [KEXEC_INITRAMFS_CHECK] - [KEXEC_CMDLINE] + [KEXEC_CMDLINE] [KEY_CHECK] mask:= [[^]MAY_READ] [[^]MAY_WRITE] [[^]MAY_APPEND] [[^]MAY_EXEC] fsmagic:= hex value @@ -113,3 +113,7 @@ Description: Example of appraise rule allowing modsig appended signatures: appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig + + Example of measure rule using KEY_CHECK to measure all keys: + + measure func=KEY_CHECK 
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index df4ca482fb53..fe6c698617bd 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -193,6 +193,7 @@ static inline unsigned long ima_hash_key(u8 *digest) hook(KEXEC_INITRAMFS_CHECK) \ hook(POLICY_CHECK) \ hook(KEXEC_CMDLINE) \ + hook(KEY_CHECK) \ hook(MAX_CHECK) #define __ima_hook_enumify(ENUM) ENUM, diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index d7e987baf127..12684e8d7124 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -655,6 +655,13 @@ void process_buffer_measurement(const void *buf, int size, int action = 0; u32 secid; + /* + * If IMA is not yet initialized or IMA policy is empty + * then there is no need to measure. + */ + if (!ima_policy_flag) + return; + /* * Both LSM hooks and auxilary based buffer measurements are * based on policy. To avoid code duplication, differentiate diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index f19a895ad7cd..1525a28fd705 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -373,7 +373,7 @@ static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode, { int i; - if (func == KEXEC_CMDLINE) { + if ((func == KEXEC_CMDLINE) || (func == KEY_CHECK)) { if ((rule->flags & IMA_FUNC) && (rule->func == func)) return true; return false; 
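Review bot: the early return on !ima_policy_flag added to process_buffer_measurement() in ima_main.c is not explained by the commit message, which only describes the KEY_CHECK additions to ima_match_rules() and ima_parse_rule(). Please state why it is needed here (presumably because keys can be created before the IMA policy has been set up, so the new caller can reach this function with no policy loaded, which the existing KEXEC_CMDLINE caller cannot), either as a sentence in the commit message or as a separate preparatory patch so the change can be reviewed on its own.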
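Review bot: in ima_match_rules(), the new `(func == KEXEC_CMDLINE) || (func == KEY_CHECK)` branch returns as soon as rule->func matches, so any other condition written on a KEY_CHECK rule (uid=, fowner=, and so on) is silently ignored rather than rejected. If a measure func=KEY_CHECK rule is meant to carry only func=, as the example added to the ima_policy document suggests, consider having ima_parse_rule() reject the other options for this func, or document that they have no effect; any per-keyring filtering added later will also have to be handled inside this early-return branch.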
@@ -997,6 +997,8 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) entry->func = POLICY_CHECK; else if (strcmp(args[0].from, "KEXEC_CMDLINE") == 0) entry->func = KEXEC_CMDLINE; + else if (strcmp(args[0].from, "KEY_CHECK") == 0) + entry->func = KEY_CHECK; else result = -EINVAL; if (!result) From patchwork Wed Nov 13 18:46:57 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Lakshmi Ramasubramanian X-Patchwork-Id: 11242665 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 4CD9B109A for ; Wed, 13 Nov 2019 18:47:16 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 1E14F206F3 for ; Wed, 13 Nov 2019 18:47:16 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=linux.microsoft.com header.i=@linux.microsoft.com header.b="iieNDePt" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728426AbfKMSrP (ORCPT ); Wed, 13 Nov 2019 13:47:15 -0500 Received: from linux.microsoft.com ([13.77.154.182]:43344 "EHLO linux.microsoft.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727241AbfKMSrE (ORCPT ); Wed, 13 Nov 2019 13:47:04 -0500 Received: from nramas-ThinkStation-P520.corp.microsoft.com (unknown [131.107.174.108]) by linux.microsoft.com (Postfix) with ESMTPSA id ED11F20B4904; Wed, 13 Nov 2019 10:47:02 -0800 (PST) DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com ED11F20B4904 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com; s=default; t=1573670823; bh=DKCaB/fse/DmuVBERqJi6zlr2kjIKA9EFo+2/yYf1DA=; h=From:To:Subject:Date:In-Reply-To:References:From; b=iieNDePtOMwQYbIUxCM8KyrQE3/t/JQ5JbXXc8gUKNVe5RKcTPRqUYAq3PIPES0Sn M19RKfCZh2HdoiZolTtQyaGdB6bk3eaUesRXI+lK+rrXN92RJqx8I7ddq41OGoEx5W 
From: Lakshmi Ramasubramanian
To: zohar@linux.ibm.com, dhowells@redhat.com, matthewgarrett@google.com, sashal@kernel.org, jamorris@linux.microsoft.com, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH v6 2/3] IMA: Define an IMA hook to measure keys
Date: Wed, 13 Nov 2019 10:46:57 -0800
Message-Id: <20191113184658.2862-3-nramas@linux.microsoft.com>
In-Reply-To: <20191113184658.2862-1-nramas@linux.microsoft.com>
References: <20191113184658.2862-1-nramas@linux.microsoft.com>

Measure asymmetric keys used for verifying file signatures, certificates, etc.

This patch defines a new IMA hook namely ima_post_key_create_or_update() to measure asymmetric keys.

Note that currently the IMA subsystem can be enabled without enabling the KEYS subsystem. Adding support for measuring asymmetric keys in IMA requires the KEYS subsystem to be enabled. To handle this dependency, a new config namely CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS has been added. Enabling this config requires the following configs to be enabled: CONFIG_IMA, CONFIG_KEYS, CONFIG_ASYMMETRIC_KEY_TYPE, and CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE. CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS is off by default.

The IMA hook is defined in a new file namely ima_asymmetric_keys.c which is built only if CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS is enabled.

Signed-off-by: Lakshmi Ramasubramanian
---
 security/integrity/ima/Kconfig               | 14 ++++++
 security/integrity/ima/Makefile              |  1 +
 security/integrity/ima/ima_asymmetric_keys.c | 51 ++++++++++++++++++++
 3 files changed, 66 insertions(+)
 create mode 100644 security/integrity/ima/ima_asymmetric_keys.c
diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
index 838476d780e5..c6d14884bc19 100644
--- a/security/integrity/ima/Kconfig +++ b/security/integrity/ima/Kconfig @@ -310,3 +310,17 @@ config IMA_APPRAISE_SIGNED_INIT default n help This option requires user-space init to be signed. + +config IMA_MEASURE_ASYMMETRIC_KEYS + bool "Enable measuring asymmetric keys on key create or update" + depends on IMA + depends on KEYS + depends on ASYMMETRIC_KEY_TYPE + depends on ASYMMETRIC_PUBLIC_KEY_SUBTYPE + default n + help + This option enables measuring asymmetric keys when + the key is created or updated. Additionally, IMA policy + needs to be configured to either measure keys linked to + any keyring or only measure keys linked to the keyrings + specified in the IMA policy through the keyrings= option. diff --git a/security/integrity/ima/Makefile b/security/integrity/ima/Makefile index 31d57cdf2421..3e9d0ad68c7b 100644 --- a/security/integrity/ima/Makefile +++ b/security/integrity/ima/Makefile @@ -12,3 +12,4 @@ ima-$(CONFIG_IMA_APPRAISE) += ima_appraise.o ima-$(CONFIG_IMA_APPRAISE_MODSIG) += ima_modsig.o ima-$(CONFIG_HAVE_IMA_KEXEC) += ima_kexec.o obj-$(CONFIG_IMA_BLACKLIST_KEYRING) += ima_mok.o +obj-$(CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS) += ima_asymmetric_keys.o diff --git a/security/integrity/ima/ima_asymmetric_keys.c b/security/integrity/ima/ima_asymmetric_keys.c new file mode 100644 index 000000000000..f6884641a622 --- /dev/null +++ b/security/integrity/ima/ima_asymmetric_keys.c 
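Review bot: the Kconfig help text says policy can "only measure keys linked to the keyrings specified in the IMA policy through the keyrings= option", but no keyrings= option exists in this series: patch 1 adds only func=KEY_CHECK to ima_parse_rule() and to the ima_policy ABI document. Either drop that sentence until the option lands or add the option in the same series; as written, the help text describes behaviour the kernel does not provide.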
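Review bot: in the Makefile hunk the new file is added with obj-$(CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS) += ima_asymmetric_keys.o, following ima_mok.o, rather than ima-$(...) like ima_appraise.o and ima_kexec.o. Since the file includes "ima.h" and calls process_buffer_measurement() from ima_main.c, it is part of the ima object, and ima-$(CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS) += ima_asymmetric_keys.o would be the consistent choice.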
@@ -0,0 +1,51 @@ +// SPDX-License-Identifier: GPL-2.0+ +/* + * Copyright (C) 2019 Microsoft Corporation + * + * Author: Lakshmi Ramasubramanian (nramas@linux.microsoft.com) + * + * File: ima_asymmetric_keys.c + * Defines an IMA hook to measure asymmetric keys on key + * create or update. + */ + +#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt + +#include +#include +#include "ima.h" + +/** + * ima_post_key_create_or_update - measure asymmetric keys + * @keyring: keyring to which the key is linked to + * @key: created or updated key + * @flags: key flags + * @create: flag indicating whether the key was created or updated + * + * Keys can only be measured, not appraised. + */ +void ima_post_key_create_or_update(struct key *keyring, struct key *key, + unsigned long flags, bool create) +{ + const struct public_key *pk; + + /* Only asymmetric keys are handled by this hook. */ + if (key->type != &key_type_asymmetric) + return; + + /* Get the public_key of the given asymmetric key to measure. */ + pk = key->payload.data[asym_crypto]; + + /* + * keyring->description points to the name of the keyring + * (such as ".builtin_trusted_keys", ".ima", etc.) to + * which the given key is linked to. + * + * The name of the keyring is passed in the "eventname" + * parameter to process_buffer_measurement() and is set + * in the "eventname" field in ima_event_data for + * the key measurement IMA event. 
+ */ + process_buffer_measurement(pk->key, pk->keylen, + keyring->description, KEY_CHECK, 0); +} From patchwork Wed Nov 13 18:46:58 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Lakshmi Ramasubramanian X-Patchwork-Id: 11242657 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 2DE28109A for ; Wed, 13 Nov 2019 18:47:05 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id F30F2206F3 for ; Wed, 13 Nov 2019 18:47:04 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=linux.microsoft.com header.i=@linux.microsoft.com header.b="mVk6DHX1" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727662AbfKMSrE (ORCPT ); Wed, 13 Nov 2019 13:47:04 -0500 Received: from linux.microsoft.com ([13.77.154.182]:43360 "EHLO linux.microsoft.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727413AbfKMSrE (ORCPT ); Wed, 13 Nov 2019 13:47:04 -0500 Received: from nramas-ThinkStation-P520.corp.microsoft.com (unknown [131.107.174.108]) by linux.microsoft.com (Postfix) with ESMTPSA id 1F9D220B4905; Wed, 13 Nov 2019 10:47:03 -0800 (PST) DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com 1F9D220B4905 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com; s=default; t=1573670823; bh=MOGUb7jpfG2A7HaNkFYloS4DcIBLS63Y9W6vcnBeebA=; h=From:To:Subject:Date:In-Reply-To:References:From; b=mVk6DHX1r+C7PhN9DfwBCPD4ru4MKm36HB/n92YK3yN415hVa8HTS4fC1YeJkVPhX SaYkDStmJ32TCO8asF08uNz2a8JTTRL4dtoGvbR7KwsH3JwA+jEn33yJeL1JwBjZeD FFkZ+6JRY0WQYqLbFzUeclvTFv7OG/yOV7QH8JzY= 
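Review bot: in ima_post_key_create_or_update() in ima_asymmetric_keys.c, the flags and create parameters are accepted but never used; either use them (for example to record in the event whether the key was created or updated) or drop them from the prototype until there is a consumer, and say which in the kernel-doc. Separately, the buffer handed to process_buffer_measurement() is pk->key with length pk->keylen, so what is measured is the bare public key, not the certificate the key may have been loaded from; the commit message and the ima_policy document should state that, since whoever verifies the measurement log needs to know which bytes the digest covers.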
From: Lakshmi Ramasubramanian To: zohar@linux.ibm.com, dhowells@redhat.com, matthewgarrett@google.com, sashal@kernel.org, jamorris@linux.microsoft.com, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH v6 3/3] KEYS: Call the IMA hook to measure keys Date: Wed, 13 Nov 2019 10:46:58 -0800 Message-Id: <20191113184658.2862-4-nramas@linux.microsoft.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20191113184658.2862-1-nramas@linux.microsoft.com> References: <20191113184658.2862-1-nramas@linux.microsoft.com> Sender: linux-integrity-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org Call the IMA hook from key_create_or_update function to measure the key when a new key is created or an existing key is updated. This patch adds the call to the IMA hook from key_create_or_update function to measure the key on key create or update. Signed-off-by: Lakshmi Ramasubramanian --- include/linux/ima.h | 13 +++++++++++++ security/keys/key.c | 9 +++++++++ 2 files changed, 22 insertions(+) diff --git a/include/linux/ima.h b/include/linux/ima.h index 6d904754d858..ec5afe319ab7 100644 --- a/include/linux/ima.h +++ b/include/linux/ima.h @@ -25,6 +25,12 @@ extern int ima_post_read_file(struct file *file, void *buf, loff_t size, extern void ima_post_path_mknod(struct dentry *dentry); extern void ima_kexec_cmdline(const void *buf, int size); +#ifdef CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS +extern void ima_post_key_create_or_update(struct key *keyring, + struct key *key, + unsigned long flags, bool create); +#endif + #ifdef CONFIG_IMA_KEXEC extern void ima_add_kexec_buffer(struct kimage *image); #endif 
@@ -101,6 +107,13 @@ static inline void ima_add_kexec_buffer(struct kimage *image) {} #endif +#ifndef CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS +static inline void ima_post_key_create_or_update(struct key *keyring, + struct key *key, + unsigned long flags, + bool create) {} +#endif + #ifdef CONFIG_IMA_APPRAISE extern bool is_ima_appraise_enabled(void); extern void ima_inode_post_setattr(struct dentry *dentry); diff --git a/security/keys/key.c b/security/keys/key.c index 764f4c57913e..9782d4d046fd 100644 --- a/security/keys/key.c +++ b/security/keys/key.c @@ -13,6 +13,7 @@ #include #include #include +#include #include #include "internal.h" @@ -936,6 +937,9 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref, goto error_link_end; } + /* let the ima module know about the created key. */ + ima_post_key_create_or_update(keyring, key, flags, true); + key_ref = make_key_ref(key, is_key_possessed(keyring_ref)); error_link_end: @@ -965,6 +969,11 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref, } key_ref = __key_update(key_ref, &prep); + + /* let the ima module know about the updated key. */ + if (!IS_ERR(key_ref)) + ima_post_key_create_or_update(keyring, key, flags, false); + goto error_free_prep; } EXPORT_SYMBOL(key_create_or_update);
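Review bot: the two key.c hunks call ima_post_key_create_or_update() for every key type, on both the create path and the update path, and rely on the IMA side (patch 2) to filter to asymmetric keys; the commit message should say so, since its two sentences currently repeat each other and neither explains what the hook does with the key. The update-path call is correctly guarded by !IS_ERR(key_ref); the create-path call needs no guard because it is reached only after __key_instantiate_and_link() succeeded (the goto error_link_end just above it handles the failure case). Minor: "ima module" in both comments should be "IMA".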