From patchwork Tue Jan 7 19:43:47 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Lakshmi Ramasubramanian X-Patchwork-Id: 11321693 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 699431871 for ; Tue, 7 Jan 2020 19:44:07 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 4803C214D8 for ; Tue, 7 Jan 2020 19:44:07 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=linux.microsoft.com header.i=@linux.microsoft.com header.b="s6lo+isQ" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728682AbgAGTn7 (ORCPT ); Tue, 7 Jan 2020 14:43:59 -0500 Received: from linux.microsoft.com ([13.77.154.182]:34200 "EHLO linux.microsoft.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728440AbgAGTnz (ORCPT ); Tue, 7 Jan 2020 14:43:55 -0500 Received: from nramas-ThinkStation-P520.corp.microsoft.com (unknown [131.107.174.108]) by linux.microsoft.com (Postfix) with ESMTPSA id 7D31F20B4798; Tue, 7 Jan 2020 11:43:54 -0800 (PST) DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com 7D31F20B4798 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com; s=default; t=1578426234; bh=TkQ5nY0p46xtuOLS8IYT3yF4T4Gc66FJ+Oz2GWcSYYg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=s6lo+isQbjMpv5lJHSZ1s/KupcraJoe1FhWSKHouXvSF3sM9wPHka/KiupN9vZPTK KFuEmslIXdKDuluEKlBT8frKFkANzYzJqKHrLB0E/m0cr03xEJlSETOMWSjEFxf+Ul ABeG/nc13EoMBU/u2opabS+Hv8zkxyIs6wSSDUJA= From: Lakshmi Ramasubramanian To: zohar@linux.ibm.com, James.Bottomley@HansenPartnership.com, linux-integrity@vger.kernel.org Cc: eric.snowberg@oracle.com, dhowells@redhat.com, mathew.j.martineau@linux.intel.com, matthewgarrett@google.com, sashal@kernel.org, jamorris@linux.microsoft.com, linux-kernel@vger.kernel.org, keyrings@vger.kernel.org Subject: [PATCH 1/4] IMA: Define an IMA hook to measure keys Date: Tue, 7 Jan 2020 11:43:47 -0800 Message-Id: <20200107194350.3782-2-nramas@linux.microsoft.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20200107194350.3782-1-nramas@linux.microsoft.com> References: <20200107194350.3782-1-nramas@linux.microsoft.com> Sender: keyrings-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: keyrings@vger.kernel.org Measure asymmetric keys used for verifying file signatures, certificates, etc. This patch defines a new IMA hook namely ima_post_key_create_or_update() to measure the payload used to create a new asymmetric key or update an existing asymmetric key. Added a new config CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS that is enabled when CONFIG_IMA and CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE are defined. Asymmetric key structure is defined only when CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE is defined. Since the IMA hook measures asymmetric keys, the IMA hook is defined in a new file namely ima_asymmetric_keys.c which is built only if CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS is defined. Signed-off-by: Lakshmi Ramasubramanian Reported-by: kbuild test robot # ima_asymmetric_keys.c is built as a kernel module when it is actually not. Fixes: 88e70da170e8 ("IMA: Define an IMA hook to measure keys") --- security/integrity/ima/Kconfig | 9 ++++ security/integrity/ima/Makefile | 1 + security/integrity/ima/ima_asymmetric_keys.c | 52 ++++++++++++++++++++ 3 files changed, 62 insertions(+) create mode 100644 security/integrity/ima/ima_asymmetric_keys.c diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig index 838476d780e5..73a3974712d8 100644 --- a/security/integrity/ima/Kconfig +++ b/security/integrity/ima/Kconfig @@ -310,3 +310,12 @@ config IMA_APPRAISE_SIGNED_INIT default n help This option requires user-space init to be signed. + +config IMA_MEASURE_ASYMMETRIC_KEYS + bool "Enable measuring asymmetric keys on key create or update" + depends on IMA=y + depends on ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y + default y + help + This option enables measuring asymmetric keys when + the key is created or updated. diff --git a/security/integrity/ima/Makefile b/security/integrity/ima/Makefile index 31d57cdf2421..3e9d0ad68c7b 100644 --- a/security/integrity/ima/Makefile +++ b/security/integrity/ima/Makefile @@ -12,3 +12,4 @@ ima-$(CONFIG_IMA_APPRAISE) += ima_appraise.o ima-$(CONFIG_IMA_APPRAISE_MODSIG) += ima_modsig.o ima-$(CONFIG_HAVE_IMA_KEXEC) += ima_kexec.o obj-$(CONFIG_IMA_BLACKLIST_KEYRING) += ima_mok.o +obj-$(CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS) += ima_asymmetric_keys.o diff --git a/security/integrity/ima/ima_asymmetric_keys.c b/security/integrity/ima/ima_asymmetric_keys.c new file mode 100644 index 000000000000..994d89d58af9 --- /dev/null +++ b/security/integrity/ima/ima_asymmetric_keys.c @@ -0,0 +1,52 @@ +// SPDX-License-Identifier: GPL-2.0+ +/* + * Copyright (C) 2019 Microsoft Corporation + * + * Author: Lakshmi Ramasubramanian (nramas@linux.microsoft.com) + * + * File: ima_asymmetric_keys.c + * Defines an IMA hook to measure asymmetric keys on key + * create or update. + */ + +#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt + +#include +#include "ima.h" + +/** + * ima_post_key_create_or_update - measure asymmetric keys + * @keyring: keyring to which the key is linked to + * @key: created or updated key + * @payload: The data used to instantiate or update the key. + * @payload_len: The length of @payload. + * @flags: key flags + * @create: flag indicating whether the key was created or updated + * + * Keys can only be measured, not appraised. + * The payload data used to instantiate or update the key is measured. + */ +void ima_post_key_create_or_update(struct key *keyring, struct key *key, + const void *payload, size_t payload_len, + unsigned long flags, bool create) +{ + /* Only asymmetric keys are handled by this hook. */ + if (key->type != &key_type_asymmetric) + return; + + if (!payload || (payload_len == 0)) + return; + + /* + * keyring->description points to the name of the keyring + * (such as ".builtin_trusted_keys", ".ima", etc.) to + * which the given key is linked to. + * + * The name of the keyring is passed in the "eventname" + * parameter to process_buffer_measurement() and is set + * in the "eventname" field in ima_event_data for + * the key measurement IMA event. + */ + process_buffer_measurement(payload, payload_len, + keyring->description, KEY_CHECK, 0); +}