@@ -34,6 +34,8 @@ static const char *keyring_name[INTEGRITY_KEYRING_MAX] = {
".ima",
#endif
"_module",
+ ".platform_keys",
+
};
#ifdef CONFIG_INTEGRITY_TRUSTED_KEYRING
@@ -78,6 +80,19 @@ int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
return -EOPNOTSUPP;
}
+#ifdef CONFIG_IMA_USE_PLATFORM_KEYRING
+int __init integrity_load_keyring(const unsigned int id)
+{
+
+ keyring[id] = find_keyring_by_name(keyring_name[id], 0);
+ if (IS_ERR(keyring[id]))
+ if (PTR_ERR(keyring[id]) != -ENOKEY)
+ return PTR_ERR(keyring[id]);
+ return 0;
+
+}
+#endif
+
int __init integrity_init_keyring(const unsigned int id)
{
const struct cred *cred = current_cred();
@@ -227,3 +227,13 @@ config IMA_APPRAISE_SIGNED_INIT
default n
help
This option requires user-space init to be signed.
+
+config IMA_USE_PLATFORM_KEYRING
+ bool "IMA uses keys from Platform Keyring for verification"
+ depends on PLATFORM_KEYRING
+ depends on IMA_APPRAISE
+ depends on INTEGRITY_ASYMMETRIC_KEYS
+ default n
+ help
+ This option enables IMA appraisal to look for the platform
+ trusted keys in .platform_keys keyring.
@@ -276,13 +276,25 @@ int ima_appraise_measurement(enum ima_hooks func,
(const char *)xattr_value, rc,
iint->ima_hash->digest,
iint->ima_hash->length);
- if (rc == -EOPNOTSUPP) {
- status = INTEGRITY_UNKNOWN;
- } else if (rc) {
+ if (rc) {
+ if (rc == -EOPNOTSUPP) {
+ status = INTEGRITY_UNKNOWN;
+ break;
+ }
+ if (func == KEXEC_KERNEL_CHECK) {
+ rc = integrity_digsig_verify(
+ INTEGRITY_KEYRING_PLATFORM,
+ (const char *)xattr_value,
+ xattr_len,
+ iint->ima_hash->digest,
+ iint->ima_hash->length);
+ if (!rc) {
+ status = INTEGRITY_PASS;
+ break;
+ }
+ }
cause = "invalid-signature";
status = INTEGRITY_FAIL;
- } else {
- status = INTEGRITY_PASS;
}
break;
default:
@@ -122,6 +122,10 @@ int __init ima_init(void)
if (rc)
return rc;
+ rc = integrity_load_keyring(INTEGRITY_KEYRING_PLATFORM);
+ if (rc)
+ pr_info("Platform keyring is not found. (rc=%d)\n", rc);
+
rc = ima_init_crypto();
if (rc)
return rc;
@@ -136,13 +136,23 @@ int integrity_kernel_read(struct file *file, loff_t offset,
#define INTEGRITY_KEYRING_EVM 0
#define INTEGRITY_KEYRING_IMA 1
#define INTEGRITY_KEYRING_MODULE 2
-#define INTEGRITY_KEYRING_MAX 3
+#define INTEGRITY_KEYRING_PLATFORM 3
+#define INTEGRITY_KEYRING_MAX 4
#ifdef CONFIG_INTEGRITY_SIGNATURE
int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
const char *digest, int digestlen);
+#ifdef CONFIG_IMA_USE_PLATFORM_KEYRING
+int __init integrity_load_keyring(const unsigned int id);
+#else
+static inline int __init integrity_load_keyring(const unsigned int id)
+{
+ return 0;
+}
+#endif
+
int __init integrity_init_keyring(const unsigned int id);
int __init integrity_load_x509(const unsigned int id, const char *path);
#else
@@ -154,6 +164,11 @@ static inline int integrity_digsig_verify(const unsigned int id,
return -EOPNOTSUPP;
}
+static inline int __init integrity_load_keyring(const unsigned int id)
+{
+ return 0;
+}
+
static inline int integrity_init_keyring(const unsigned int id)
{
return 0;
Distros may sign the kernel images and, possibly, the initramfs with platform trusted keys. On secure boot enabled systems or embedded devices, these signatures are to be validated using keys on the platform keyring. This patch enables IMA-appraisal to access the platform keyring, based on a new Kconfig option "IMA_USE_PLATFORM_KEYRING". Signed-off-by: Nayna Jain <nayna@linux.vnet.ibm.com> --- security/integrity/digsig.c | 15 +++++++++++++++ security/integrity/ima/Kconfig | 10 ++++++++++ security/integrity/ima/ima_appraise.c | 22 +++++++++++++++++----- security/integrity/ima/ima_init.c | 4 ++++ security/integrity/integrity.h | 17 ++++++++++++++++- 5 files changed, 62 insertions(+), 6 deletions(-)