From patchwork Fri Dec 13 17:18:26 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Lakshmi Ramasubramanian X-Patchwork-Id: 11290899 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 75F41188B for ; Fri, 13 Dec 2019 20:38:12 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 2AA91246B1 for ; Fri, 13 Dec 2019 20:38:12 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=linux.microsoft.com header.i=@linux.microsoft.com header.b="Roo+Teyi" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728457AbfLMRSi (ORCPT ); Fri, 13 Dec 2019 12:18:38 -0500 Received: from linux.microsoft.com ([13.77.154.182]:35414 "EHLO linux.microsoft.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728436AbfLMRSf (ORCPT ); Fri, 13 Dec 2019 12:18:35 -0500 Received: from nramas-ThinkStation-P520.corp.microsoft.com (unknown [131.107.174.108]) by linux.microsoft.com (Postfix) with ESMTPSA id 8ADF220B718B; Fri, 13 Dec 2019 09:18:33 -0800 (PST) DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com 8ADF220B718B DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com; s=default; t=1576257513; bh=jADnlL0dScM/cB5nRhiad/MPIa+FT5l8gEeKADfdnb4=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Roo+Teyi617ejW1JVRHXXJdpY+Z+jgXiTXymOVcrQrSdtqUTyrigFPq27pAcIqJx6 nb9R/1/6IwJVIiZ1PRZVkgRgQV0dOc2JXkX40lQptSws+Cq+C/RuoNpNLW3YVmqci/ UUMixaeRzwWagPG4x2IL3fesSzBG8Zpb2HlAj4HE= From: Lakshmi Ramasubramanian To: zohar@linux.ibm.com, linux-integrity@vger.kernel.org Cc: eric.snowberg@oracle.com, dhowells@redhat.com, mathew.j.martineau@linux.intel.com, matthewgarrett@google.com, sashal@kernel.org, jamorris@linux.microsoft.com, linux-kernel@vger.kernel.org, keyrings@vger.kernel.org Subject: [PATCH v4 1/2] IMA: Define workqueue for early boot "key" measurements Date: Fri, 13 Dec 2019 09:18:26 -0800 Message-Id: <20191213171827.28657-2-nramas@linux.microsoft.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20191213171827.28657-1-nramas@linux.microsoft.com> References: <20191213171827.28657-1-nramas@linux.microsoft.com> Sender: linux-integrity-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org Measuring keys requires a custom IMA policy to be loaded. Keys created or updated before a custom IMA policy is loaded should be queued and the keys should be processed after a custom policy is loaded. This patch defines workqueue for queuing keys when a custom IMA policy has not yet been loaded. A flag namely ima_process_keys is used to check if the key should be queued or should be processed immediately. Signed-off-by: Lakshmi Ramasubramanian --- security/integrity/ima/ima.h | 15 +++ security/integrity/ima/ima_asymmetric_keys.c | 128 +++++++++++++++++++ 2 files changed, 143 insertions(+) diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index f06238e41a7c..97f8a4078483 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -205,6 +205,21 @@ extern const char *const func_tokens[]; struct modsig; +#ifdef CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE +/* + * To track keys that need to be measured. + */ +struct ima_key_entry { + struct list_head list; + void *payload; + size_t payload_len; + char *keyring_name; +}; +void ima_process_queued_keys(void); +#else +static inline void ima_process_queued_keys(void) {} +#endif /* CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE */ + /* LIM API function definitions */ int ima_get_action(struct inode *inode, const struct cred *cred, u32 secid, int mask, enum ima_hooks func, int *pcr, diff --git a/security/integrity/ima/ima_asymmetric_keys.c b/security/integrity/ima/ima_asymmetric_keys.c index fea2e7dd3b09..ae6de1bb2e79 100644 --- a/security/integrity/ima/ima_asymmetric_keys.c +++ b/security/integrity/ima/ima_asymmetric_keys.c @@ -14,6 +14,134 @@ #include #include "ima.h" +/* + * Flag to indicate whether a key can be processed + * right away or should be queued for processing later. + */ +static bool ima_process_keys; + +/* + * To synchronize access to the list of keys that need to be measured + */ +static DEFINE_MUTEX(ima_keys_mutex); +static LIST_HEAD(ima_keys); + +static void ima_free_key_entry(struct ima_key_entry *entry) +{ + if (entry) { + kfree(entry->payload); + kfree(entry->keyring_name); + kfree(entry); + } +} + +static struct ima_key_entry *ima_alloc_key_entry( + struct key *keyring, + const void *payload, size_t payload_len) +{ + int rc = 0; + struct ima_key_entry *entry; + + entry = kzalloc(sizeof(*entry), GFP_KERNEL); + if (entry) { + entry->payload = kmemdup(payload, payload_len, GFP_KERNEL); + entry->keyring_name = kstrdup(keyring->description, + GFP_KERNEL); + entry->payload_len = payload_len; + } + + if ((entry == NULL) || (entry->payload == NULL) || + (entry->keyring_name == NULL)) { + rc = -ENOMEM; + goto out; + } + + INIT_LIST_HEAD(&entry->list); + +out: + if (rc) { + ima_free_key_entry(entry); + entry = NULL; + } + + return entry; +} + +bool ima_queue_key(struct key *keyring, const void *payload, + size_t payload_len) +{ + bool queued = false; + struct ima_key_entry *entry; + + entry = ima_alloc_key_entry(keyring, payload, payload_len); + if (!entry) + return false; + + mutex_lock(&ima_keys_mutex); + if (!ima_process_keys) { + list_add_tail(&entry->list, &ima_keys); + queued = true; + } + mutex_unlock(&ima_keys_mutex); + + if (!queued) + ima_free_key_entry(entry); + + return queued; +} + +/* + * ima_process_queued_keys() - process keys queued for measurement + * + * This function sets ima_process_keys to true and processes queued keys. + * From here on keys will be processed right away (not queued). + */ +void ima_process_queued_keys(void) +{ + struct ima_key_entry *entry, *tmp; + LIST_HEAD(temp_ima_keys); + bool process = false; + + if (ima_process_keys) + return; + + /* + * To avoid holding the mutex when processing queued keys, + * transfer the queued keys with the mutex held to a temp list, + * release the mutex, and then process the queued keys from + * the temp list. + * + * Since ima_process_keys is set to true, any new key will be + * processed immediately and not be queued. + */ + INIT_LIST_HEAD(&temp_ima_keys); + + mutex_lock(&ima_keys_mutex); + + if (!ima_process_keys) { + ima_process_keys = true; + + if (!list_empty(&ima_keys)) { + list_for_each_entry_safe(entry, tmp, &ima_keys, list) + list_move_tail(&entry->list, &temp_ima_keys); + process = true; + } + } + + mutex_unlock(&ima_keys_mutex); + + if (!process) + return; + + list_for_each_entry_safe(entry, tmp, &temp_ima_keys, list) { + process_buffer_measurement(entry->payload, entry->payload_len, + entry->keyring_name, KEY_CHECK, 0, + entry->keyring_name); + list_del(&entry->list); + ima_free_key_entry(entry); + } +} + /** * ima_post_key_create_or_update - measure asymmetric keys * @keyring: keyring to which the key is linked to From patchwork Fri Dec 13 17:18:27 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Lakshmi Ramasubramanian X-Patchwork-Id: 11290897 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 3E2CF6C1 for ; Fri, 13 Dec 2019 20:38:12 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id E6295246B1 for ; Fri, 13 Dec 2019 20:38:11 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=linux.microsoft.com header.i=@linux.microsoft.com header.b="YqVEwjtO" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728504AbfLMRSf (ORCPT ); Fri, 13 Dec 2019 12:18:35 -0500 Received: from linux.microsoft.com ([13.77.154.182]:35420 "EHLO linux.microsoft.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728455AbfLMRSf (ORCPT ); Fri, 13 Dec 2019 12:18:35 -0500 Received: from nramas-ThinkStation-P520.corp.microsoft.com (unknown [131.107.174.108]) by linux.microsoft.com (Postfix) with ESMTPSA id DB2BE20B71AC; Fri, 13 Dec 2019 09:18:33 -0800 (PST) DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com DB2BE20B71AC DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com; s=default; t=1576257513; bh=I0gjxohX1nBjPsiUh65vZrUktQccLgJ11vyHnoHaE/0=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=YqVEwjtOsUq9YlmsaHv8f0c4NvpJKet2O1xdGggQL60Kze0GC24Y4LS/WS2A6zCeZ On0Ns5QiyMf+dWJEtgXEwtIVFlRru7yiBK1z4sfE9rXeg0RAXoJmsdBgNL9SBHuxq6 FotJZq7cOU1NbnkplGvIPfeduMkGeEHpN6ixa22s= From: Lakshmi Ramasubramanian To: zohar@linux.ibm.com, linux-integrity@vger.kernel.org Cc: eric.snowberg@oracle.com, dhowells@redhat.com, mathew.j.martineau@linux.intel.com, matthewgarrett@google.com, sashal@kernel.org, jamorris@linux.microsoft.com, linux-kernel@vger.kernel.org, keyrings@vger.kernel.org Subject: [PATCH v4 2/2] IMA: Call workqueue functions to measure queued keys Date: Fri, 13 Dec 2019 09:18:27 -0800 Message-Id: <20191213171827.28657-3-nramas@linux.microsoft.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20191213171827.28657-1-nramas@linux.microsoft.com> References: <20191213171827.28657-1-nramas@linux.microsoft.com> Sender: linux-integrity-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org Measuring keys requires a custom IMA policy to be loaded. Keys should be queued for measurement if a custom IMA policy is not yet loaded. Keys queued for measurement, if any, should be processed when a custom IMA policy is loaded. This patch updates the IMA hook function ima_post_key_create_or_update() to queue the key if a custom IMA policy has not yet been loaded. And, ima_update_policy() function, which is called when a custom IMA policy is loaded, is updated to process queued keys. Sample "key" measurement rule in the IMA policy: measure func=KEY_CHECK uid=0 keyrings=.ima|.builtin_trusted_keys template=ima-buf If the kernel is built with one or more built-in trusted certificates, IMA measurement should list all the keys imported from those certificates. Display "key" measurement in the IMA measurement list: cat /sys/kernel/security/ima/ascii_runtime_measurements 10 faf3...e702 ima-buf sha256:27c915b8ddb9fae7214cf0a8a7043cc3eeeaa7539bcb136f8427067b5f6c3b7b .builtin_trusted_keys 308202863082...4aee Verify "key" measurement data for a key added to ".builtin_trusted_keys" keyring: cat /sys/kernel/security/integrity/ima/ascii_runtime_measurements | grep -m 1 "\.builtin_trusted_keys" | cut -d' ' -f 6 | xxd -r -p |tee btk-cert.der | sha256sum | cut -d' ' -f 1 The output of the above command should match the template hash of the first "key" measurement entry in the IMA measurement list for the key added to ".builtin_trusted_keys" keyring. The file namely "btk-cert.der" generated by the above command should be a valid x509 certificate (in DER format) and should match the one that was used to import the key to the ".builtin_trusted_keys" keyring. The certificate file can be verified using openssl tool. Signed-off-by: Lakshmi Ramasubramanian --- security/integrity/ima/ima_asymmetric_keys.c | 8 ++++++++ security/integrity/ima/ima_policy.c | 3 +++ 2 files changed, 11 insertions(+) diff --git a/security/integrity/ima/ima_asymmetric_keys.c b/security/integrity/ima/ima_asymmetric_keys.c index ae6de1bb2e79..8a9d8bc7e10d 100644 --- a/security/integrity/ima/ima_asymmetric_keys.c +++ b/security/integrity/ima/ima_asymmetric_keys.c @@ -158,6 +158,8 @@ void ima_post_key_create_or_update(struct key *keyring, struct key *key, const void *payload, size_t payload_len, unsigned long flags, bool create) { + bool queued = false; + /* Only asymmetric keys are handled by this hook. */ if (key->type != &key_type_asymmetric) return; @@ -165,6 +167,12 @@ void ima_post_key_create_or_update(struct key *keyring, struct key *key, if (!payload || (payload_len == 0)) return; + if (!ima_process_keys) + queued = ima_queue_key(keyring, payload, payload_len); + + if (queued) + return; + /* * keyring->description points to the name of the keyring * (such as ".builtin_trusted_keys", ".ima", etc.) to diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index a4dde9d575b2..04b9c6c555de 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -807,6 +807,9 @@ void ima_update_policy(void) kfree(arch_policy_entry); } ima_update_policy_flag(); + + /* Custom IMA policy has been loaded */ + ima_process_queued_keys(); } /* Keep the enumeration in sync with the policy_tokens! */