| Message ID | 20201111092302.1589-3-roberto.sassu@huawei.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | evm: Improve usability of portable signatures | expand |
On Wed, 2020-11-11 at 10:22 +0100, Roberto Sassu wrote: > Public keys do not need to be appraised by IMA as the restriction on the > IMA/EVM keyrings ensures that a key can be loaded only if it is signed with > a key in the primary or secondary keyring. Let's clean this up a bit. - The public builtin keys ... - IMA/EVM trusted keyrings ... - on the builtin or secondary keyrings > However, when evm_load_x509() is called, appraisal is already enabled and > a valid IMA signature must be added to the EVM key to pass verification. > > Since the restriction is applied on both IMA and EVM keyrings, it is safe and update: - IMA and EVM trusted keyrings > to disable appraisal also when the EVM key is loaded. This patch calls > evm_load_x509() inside ima_load_x509() if CONFIG_IMA_LOAD_X509 is defined. , which crosses the normal IMA and EVM boundary, thanks, Mimi
Hi Roberto, On Wed, 2020-11-11 at 10:22 +0100, Roberto Sassu wrote: > Public keys do not need to be appraised by IMA as the restriction on the > IMA/EVM keyrings ensures that a key can be loaded only if it is signed with > a key in the primary or secondary keyring. > > However, when evm_load_x509() is called, appraisal is already enabled and > a valid IMA signature must be added to the EVM key to pass verification. > > Since the restriction is applied on both IMA and EVM keyrings, it is safe > to disable appraisal also when the EVM key is loaded. This patch calls > evm_load_x509() inside ima_load_x509() if CONFIG_IMA_LOAD_X509 is defined. > > Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> > Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> > --- > security/integrity/iint.c | 2 ++ > security/integrity/ima/ima_init.c | 4 ++++ > 2 files changed, 6 insertions(+) > > diff --git a/security/integrity/iint.c b/security/integrity/iint.c > index 1d20003243c3..7d08c31c612f 100644 > --- a/security/integrity/iint.c > +++ b/security/integrity/iint.c > @@ -200,7 +200,9 @@ int integrity_kernel_read(struct file *file, loff_t offset, > void __init integrity_load_keys(void) > { > ima_load_x509(); > +#ifndef CONFIG_IMA_LOAD_X509 > evm_load_x509(); > +#endif Please replace the ifdef with the IS_ENABLED() equivalent. thanks, Mimi
diff --git a/security/integrity/iint.c b/security/integrity/iint.c index 1d20003243c3..7d08c31c612f 100644 --- a/security/integrity/iint.c +++ b/security/integrity/iint.c @@ -200,7 +200,9 @@ int integrity_kernel_read(struct file *file, loff_t offset, void __init integrity_load_keys(void) { ima_load_x509(); +#ifndef CONFIG_IMA_LOAD_X509 evm_load_x509(); +#endif } static int __init integrity_fs_init(void) diff --git a/security/integrity/ima/ima_init.c b/security/integrity/ima/ima_init.c index 4902fe7bd570..9d29a1680da8 100644 --- a/security/integrity/ima/ima_init.c +++ b/security/integrity/ima/ima_init.c @@ -106,6 +106,10 @@ void __init ima_load_x509(void) ima_policy_flag &= ~unset_flags; integrity_load_x509(INTEGRITY_KEYRING_IMA, CONFIG_IMA_X509_PATH); + + /* load also EVM key to avoid appraisal */ + evm_load_x509(); + ima_policy_flag |= unset_flags; } #endif