From patchwork Wed Dec 18 16:44:33 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Lakshmi Ramasubramanian X-Patchwork-Id: 11301427 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id A3F08139A for ; Wed, 18 Dec 2019 16:44:41 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 7784620717 for ; Wed, 18 Dec 2019 16:44:41 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=linux.microsoft.com header.i=@linux.microsoft.com header.b="qxnt133Q" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727217AbfLRQol (ORCPT ); Wed, 18 Dec 2019 11:44:41 -0500 Received: from linux.microsoft.com ([13.77.154.182]:45132 "EHLO linux.microsoft.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727121AbfLRQok (ORCPT ); Wed, 18 Dec 2019 11:44:40 -0500 Received: from nramas-ThinkStation-P520.corp.microsoft.com (unknown [131.107.174.108]) by linux.microsoft.com (Postfix) with ESMTPSA id 0896F20B4798; Wed, 18 Dec 2019 08:44:40 -0800 (PST) DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com 0896F20B4798 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com; s=default; t=1576687480; bh=26/PqYgoXKGyL3G1FiobmwvKJvqO4GWGXSQQ44RkqkY=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=qxnt133QZObIjJBWdsEPf9UNgrphzL8WUz3MPAnTFnJXNXbTzeAWB+8QRuYaNV6I1 XuU1trlz0jvjyfIYWq80CXph/u89KuLFKLXEgtdljvQiCmWpj7kYJaG+ePybgFQoSL W1mhr92SJnpKLvGRc9Odz2DTBZVQBbWKp++IXglk= From: Lakshmi Ramasubramanian To: zohar@linux.ibm.com, James.Bottomley@HansenPartnership.com, linux-integrity@vger.kernel.org Cc: eric.snowberg@oracle.com, dhowells@redhat.com, mathew.j.martineau@linux.intel.com, matthewgarrett@google.com, sashal@kernel.org, jamorris@linux.microsoft.com, linux-kernel@vger.kernel.org, keyrings@vger.kernel.org Subject: [PATCH v5 1/2] IMA: Define workqueue for early boot "key" measurements Date: Wed, 18 Dec 2019 08:44:33 -0800 Message-Id: <20191218164434.2877-2-nramas@linux.microsoft.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20191218164434.2877-1-nramas@linux.microsoft.com> References: <20191218164434.2877-1-nramas@linux.microsoft.com> Sender: keyrings-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: keyrings@vger.kernel.org Measuring keys requires a custom IMA policy to be loaded. Keys created or updated before a custom IMA policy is loaded should be queued and the keys should be processed after a custom policy is loaded. This patch defines workqueue for queuing keys when a custom IMA policy has not yet been loaded. A flag namely ima_process_keys is used to check if the key should be queued or should be processed immediately. Signed-off-by: Lakshmi Ramasubramanian --- security/integrity/ima/ima.h | 15 +++ security/integrity/ima/ima_asymmetric_keys.c | 115 +++++++++++++++++++ 2 files changed, 130 insertions(+) diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index f06238e41a7c..97f8a4078483 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -205,6 +205,21 @@ extern const char *const func_tokens[]; struct modsig; +#ifdef CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE +/* + * To track keys that need to be measured. + */ +struct ima_key_entry { + struct list_head list; + void *payload; + size_t payload_len; + char *keyring_name; +}; +void ima_process_queued_keys(void); +#else +static inline void ima_process_queued_keys(void) {} +#endif /* CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE */ + /* LIM API function definitions */ int ima_get_action(struct inode *inode, const struct cred *cred, u32 secid, int mask, enum ima_hooks func, int *pcr, diff --git a/security/integrity/ima/ima_asymmetric_keys.c b/security/integrity/ima/ima_asymmetric_keys.c index fea2e7dd3b09..d520a67180d8 100644 --- a/security/integrity/ima/ima_asymmetric_keys.c +++ b/security/integrity/ima/ima_asymmetric_keys.c @@ -14,6 +14,121 @@ #include #include "ima.h" +/* + * Flag to indicate whether a key can be processed + * right away or should be queued for processing later. + */ +static bool ima_process_keys; + +/* + * To synchronize access to the list of keys that need to be measured + */ +static DEFINE_MUTEX(ima_keys_mutex); +static LIST_HEAD(ima_keys); + +static void ima_free_key_entry(struct ima_key_entry *entry) +{ + if (entry) { + kfree(entry->payload); + kfree(entry->keyring_name); + kfree(entry); + } +} + +static struct ima_key_entry *ima_alloc_key_entry( + struct key *keyring, + const void *payload, size_t payload_len) +{ + int rc = 0; + struct ima_key_entry *entry; + + entry = kzalloc(sizeof(*entry), GFP_KERNEL); + if (entry) { + entry->payload = kmemdup(payload, payload_len, GFP_KERNEL); + entry->keyring_name = kstrdup(keyring->description, + GFP_KERNEL); + entry->payload_len = payload_len; + } + + if ((entry == NULL) || (entry->payload == NULL) || + (entry->keyring_name == NULL)) { + rc = -ENOMEM; + goto out; + } + + INIT_LIST_HEAD(&entry->list); + +out: + if (rc) { + ima_free_key_entry(entry); + entry = NULL; + } + + return entry; +} + +bool ima_queue_key(struct key *keyring, const void *payload, + size_t payload_len) +{ + bool queued = false; + struct ima_key_entry *entry; + + entry = ima_alloc_key_entry(keyring, payload, payload_len); + if (!entry) + return false; + + mutex_lock(&ima_keys_mutex); + if (!ima_process_keys) { + list_add_tail(&entry->list, &ima_keys); + queued = true; + } + mutex_unlock(&ima_keys_mutex); + + if (!queued) + ima_free_key_entry(entry); + + return queued; +} + +/* + * ima_process_queued_keys() - process keys queued for measurement + * + * This function sets ima_process_keys to true and processes queued keys. + * From here on keys will be processed right away (not queued). + */ +void ima_process_queued_keys(void) +{ + struct ima_key_entry *entry, *tmp; + bool process = false; + + if (ima_process_keys) + return; + + /* + * Since ima_process_keys is set to true, any new key will be + * processed immediately and not be queued to ima_keys list. + * First one setting the ima_process_keys flag to true will + * process the queued keys. + */ + mutex_lock(&ima_keys_mutex); + if (!ima_process_keys) { + ima_process_keys = true; + process = true; + } + mutex_unlock(&ima_keys_mutex); + + if (!process) + return; + + list_for_each_entry_safe(entry, tmp, &ima_keys, list) { + process_buffer_measurement(entry->payload, entry->payload_len, + entry->keyring_name, KEY_CHECK, 0, + entry->keyring_name); + list_del(&entry->list); + ima_free_key_entry(entry); + } +} + /** * ima_post_key_create_or_update - measure asymmetric keys * @keyring: keyring to which the key is linked to From patchwork Wed Dec 18 16:44:34 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Lakshmi Ramasubramanian X-Patchwork-Id: 11301429 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 52417139A for ; Wed, 18 Dec 2019 16:44:48 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 2FEB520717 for ; Wed, 18 Dec 2019 16:44:48 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=linux.microsoft.com header.i=@linux.microsoft.com header.b="fPjvMO4I" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727512AbfLRQol (ORCPT ); Wed, 18 Dec 2019 11:44:41 -0500 Received: from linux.microsoft.com ([13.77.154.182]:45142 "EHLO linux.microsoft.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727215AbfLRQol (ORCPT ); Wed, 18 Dec 2019 11:44:41 -0500 Received: from nramas-ThinkStation-P520.corp.microsoft.com (unknown [131.107.174.108]) by linux.microsoft.com (Postfix) with ESMTPSA id 3149C20B479A; Wed, 18 Dec 2019 08:44:40 -0800 (PST) DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com 3149C20B479A DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com; s=default; t=1576687480; bh=7oX3VjVjQ+qxdF/mzYJ1sOnrnFWgeNPXNB/HYkY5A+o=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=fPjvMO4IVlR7+CgLSY1M2HhFQ1ROTpZvGRHi1qfqL8CzE0hqNupbB0pZ43rnxJnFk B+WFd2WNyWdimKHuAxoySIwa0nuEevouCXPicgntJA5AO7C4sdwCw68OMk6r0/CfkT PFUjkatRILjXDgqzqL4uGX/1f4inXsDHEE59c9yU= From: Lakshmi Ramasubramanian To: zohar@linux.ibm.com, James.Bottomley@HansenPartnership.com, linux-integrity@vger.kernel.org Cc: eric.snowberg@oracle.com, dhowells@redhat.com, mathew.j.martineau@linux.intel.com, matthewgarrett@google.com, sashal@kernel.org, jamorris@linux.microsoft.com, linux-kernel@vger.kernel.org, keyrings@vger.kernel.org Subject: [PATCH v5 2/2] IMA: Call workqueue functions to measure queued keys Date: Wed, 18 Dec 2019 08:44:34 -0800 Message-Id: <20191218164434.2877-3-nramas@linux.microsoft.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20191218164434.2877-1-nramas@linux.microsoft.com> References: <20191218164434.2877-1-nramas@linux.microsoft.com> Sender: keyrings-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: keyrings@vger.kernel.org Measuring keys requires a custom IMA policy to be loaded. Keys should be queued for measurement if a custom IMA policy is not yet loaded. Keys queued for measurement, if any, should be processed when a custom IMA policy is loaded. This patch updates the IMA hook function ima_post_key_create_or_update() to queue the key if a custom IMA policy has not yet been loaded. And, ima_update_policy() function, which is called when a custom IMA policy is loaded, is updated to process queued keys. Sample "key" measurement rule in the IMA policy: measure func=KEY_CHECK uid=0 keyrings=.ima|.builtin_trusted_keys template=ima-buf If the kernel is built with one or more built-in trusted certificates, IMA measurement should list all the keys imported from those certificates. Display "key" measurement in the IMA measurement list: cat /sys/kernel/security/ima/ascii_runtime_measurements 10 faf3...e702 ima-buf sha256:27c915b8ddb9fae7214cf0a8a7043cc3eeeaa7539bcb136f8427067b5f6c3b7b .builtin_trusted_keys 308202863082...4aee Verify "key" measurement data for a key added to ".builtin_trusted_keys" keyring: cat /sys/kernel/security/integrity/ima/ascii_runtime_measurements | grep -m 1 "\.builtin_trusted_keys" | cut -d' ' -f 6 | xxd -r -p |tee btk-cert.der | sha256sum | cut -d' ' -f 1 The output of the above command should match the template hash of the first "key" measurement entry in the IMA measurement list for the key added to ".builtin_trusted_keys" keyring. The file namely "btk-cert.der" generated by the above command should be a valid x509 certificate (in DER format) and should match the one that was used to import the key to the ".builtin_trusted_keys" keyring. The certificate file can be verified using openssl tool. Signed-off-by: Lakshmi Ramasubramanian --- security/integrity/ima/ima_asymmetric_keys.c | 8 ++++++++ security/integrity/ima/ima_policy.c | 3 +++ 2 files changed, 11 insertions(+) diff --git a/security/integrity/ima/ima_asymmetric_keys.c b/security/integrity/ima/ima_asymmetric_keys.c index d520a67180d8..4124f10ff0c2 100644 --- a/security/integrity/ima/ima_asymmetric_keys.c +++ b/security/integrity/ima/ima_asymmetric_keys.c @@ -145,6 +145,8 @@ void ima_post_key_create_or_update(struct key *keyring, struct key *key, const void *payload, size_t payload_len, unsigned long flags, bool create) { + bool queued = false; + /* Only asymmetric keys are handled by this hook. */ if (key->type != &key_type_asymmetric) return; @@ -152,6 +154,12 @@ void ima_post_key_create_or_update(struct key *keyring, struct key *key, if (!payload || (payload_len == 0)) return; + if (!ima_process_keys) + queued = ima_queue_key(keyring, payload, payload_len); + + if (queued) + return; + /* * keyring->description points to the name of the keyring * (such as ".builtin_trusted_keys", ".ima", etc.) to diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index a4dde9d575b2..04b9c6c555de 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -807,6 +807,9 @@ void ima_update_policy(void) kfree(arch_policy_entry); } ima_update_policy_flag(); + + /* Custom IMA policy has been loaded */ + ima_process_queued_keys(); } /* Keep the enumeration in sync with the policy_tokens! */