From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: Thiago Jung Bauermann <bauerman@linux.vnet.ibm.com>,
linux-integrity@vger.kernel.org
Cc: linux-security-module@vger.kernel.org, keyrings@vger.kernel.org,
linux-crypto@vger.kernel.org, linuxppc-dev@lists.ozlabs.org,
linux-kernel@vger.kernel.org,
Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
James Morris <jmorris@namei.org>,
"Serge E. Hallyn" <serge@hallyn.com>,
David Howells <dhowells@redhat.com>,
David Woodhouse <dwmw2@infradead.org>,
Jessica Yu <jeyu@kernel.org>,
Herbert Xu <herbert@gondor.apana.org.au>,
"David S. Miller" <davem@davemloft.net>,
"AKASHI, Takahiro" <takahiro.akashi@linaro.org>
Subject: Re: [PATCH v6 05/12] integrity: Introduce integrity_keyring_from_id()
Date: Wed, 21 Mar 2018 22:46:51 +0000 [thread overview]
Message-ID: <1521672411.3848.219.camel@linux.vnet.ibm.com> (raw)
In-Reply-To: <20180316203837.10174-6-bauerman@linux.vnet.ibm.com>
On Fri, 2018-03-16 at 17:38 -0300, Thiago Jung Bauermann wrote:
> IMA will need to obtain the keyring used to verify file signatures so that
> it can verify the module-style signature appended to files.
>
> Signed-off-by: Thiago Jung Bauermann <bauerman@linux.vnet.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
> ---
> security/integrity/digsig.c | 28 +++++++++++++++++++++-------
> security/integrity/integrity.h | 6 ++++++
> 2 files changed, 27 insertions(+), 7 deletions(-)
>
> diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
> index 6f9e4ce568cd..e641a67b9fc7 100644
> --- a/security/integrity/digsig.c
> +++ b/security/integrity/digsig.c
> @@ -48,11 +48,10 @@ static bool init_keyring __initdata;
> #define restrict_link_to_ima restrict_link_by_builtin_trusted
> #endif
>
> -int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
> - const char *digest, int digestlen)
> +struct key *integrity_keyring_from_id(const unsigned int id)
> {
> - if (id >= INTEGRITY_KEYRING_MAX || siglen < 2)
> - return -EINVAL;
> + if (id >= INTEGRITY_KEYRING_MAX)
> + return ERR_PTR(-EINVAL);
>
> if (!keyring[id]) {
> keyring[id] > @@ -61,17 +60,32 @@ int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
> int err = PTR_ERR(keyring[id]);
> pr_err("no %s keyring: %d\n", keyring_name[id], err);
> keyring[id] = NULL;
> - return err;
> + return ERR_PTR(err);
> }
> }
>
> + return keyring[id];
> +}
> +
> +int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
> + const char *digest, int digestlen)
> +{
> + struct key *keyring;
> +
> + if (siglen < 2)
> + return -EINVAL;
> +
> + keyring = integrity_keyring_from_id(id);
> + if (IS_ERR(keyring))
> + return PTR_ERR(keyring);
> +
> switch (sig[1]) {
> case 1:
> /* v1 API expect signature without xattr type */
> - return digsig_verify(keyring[id], sig + 1, siglen - 1,
> + return digsig_verify(keyring, sig + 1, siglen - 1,
> digest, digestlen);
> case 2:
> - return asymmetric_verify(keyring[id], sig, siglen,
> + return asymmetric_verify(keyring, sig, siglen,
> digest, digestlen);
> }
>
> diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
> index 79799a0d9195..2d245f44ca26 100644
> --- a/security/integrity/integrity.h
> +++ b/security/integrity/integrity.h
> @@ -150,6 +150,7 @@ int integrity_kernel_read(struct file *file, loff_t offset,
>
> #ifdef CONFIG_INTEGRITY_SIGNATURE
>
> +struct key *integrity_keyring_from_id(const unsigned int id);
> int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
> const char *digest, int digestlen);
>
> @@ -157,6 +158,11 @@ int __init integrity_init_keyring(const unsigned int id);
> int __init integrity_load_x509(const unsigned int id, const char *path);
> #else
>
> +static inline struct key *integrity_keyring_from_id(const unsigned int id)
> +{
> + return ERR_PTR(-EINVAL);
> +}
> +
> static inline int integrity_digsig_verify(const unsigned int id,
> const char *sig, int siglen,
> const char *digest, int digestlen)
>
WARNING: multiple messages have this Message-ID (diff)
From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: Thiago Jung Bauermann <bauerman@linux.vnet.ibm.com>,
linux-integrity@vger.kernel.org
Cc: linux-security-module@vger.kernel.org, keyrings@vger.kernel.org,
linux-crypto@vger.kernel.org, linuxppc-dev@lists.ozlabs.org,
linux-kernel@vger.kernel.org,
Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
James Morris <jmorris@namei.org>,
"Serge E. Hallyn" <serge@hallyn.com>,
David Howells <dhowells@redhat.com>,
David Woodhouse <dwmw2@infradead.org>,
Jessica Yu <jeyu@kernel.org>,
Herbert Xu <herbert@gondor.apana.org.au>,
"David S. Miller" <davem@davemloft.net>,
"AKASHI, Takahiro" <takahiro.akashi@linaro.org>
Subject: Re: [PATCH v6 05/12] integrity: Introduce integrity_keyring_from_id()
Date: Wed, 21 Mar 2018 18:46:51 -0400 [thread overview]
Message-ID: <1521672411.3848.219.camel@linux.vnet.ibm.com> (raw)
In-Reply-To: <20180316203837.10174-6-bauerman@linux.vnet.ibm.com>
On Fri, 2018-03-16 at 17:38 -0300, Thiago Jung Bauermann wrote:
> IMA will need to obtain the keyring used to verify file signatures so that
> it can verify the module-style signature appended to files.
>
> Signed-off-by: Thiago Jung Bauermann <bauerman@linux.vnet.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
> ---
> security/integrity/digsig.c | 28 +++++++++++++++++++++-------
> security/integrity/integrity.h | 6 ++++++
> 2 files changed, 27 insertions(+), 7 deletions(-)
>
> diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
> index 6f9e4ce568cd..e641a67b9fc7 100644
> --- a/security/integrity/digsig.c
> +++ b/security/integrity/digsig.c
> @@ -48,11 +48,10 @@ static bool init_keyring __initdata;
> #define restrict_link_to_ima restrict_link_by_builtin_trusted
> #endif
>
> -int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
> - const char *digest, int digestlen)
> +struct key *integrity_keyring_from_id(const unsigned int id)
> {
> - if (id >= INTEGRITY_KEYRING_MAX || siglen < 2)
> - return -EINVAL;
> + if (id >= INTEGRITY_KEYRING_MAX)
> + return ERR_PTR(-EINVAL);
>
> if (!keyring[id]) {
> keyring[id] =
> @@ -61,17 +60,32 @@ int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
> int err = PTR_ERR(keyring[id]);
> pr_err("no %s keyring: %d\n", keyring_name[id], err);
> keyring[id] = NULL;
> - return err;
> + return ERR_PTR(err);
> }
> }
>
> + return keyring[id];
> +}
> +
> +int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
> + const char *digest, int digestlen)
> +{
> + struct key *keyring;
> +
> + if (siglen < 2)
> + return -EINVAL;
> +
> + keyring = integrity_keyring_from_id(id);
> + if (IS_ERR(keyring))
> + return PTR_ERR(keyring);
> +
> switch (sig[1]) {
> case 1:
> /* v1 API expect signature without xattr type */
> - return digsig_verify(keyring[id], sig + 1, siglen - 1,
> + return digsig_verify(keyring, sig + 1, siglen - 1,
> digest, digestlen);
> case 2:
> - return asymmetric_verify(keyring[id], sig, siglen,
> + return asymmetric_verify(keyring, sig, siglen,
> digest, digestlen);
> }
>
> diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
> index 79799a0d9195..2d245f44ca26 100644
> --- a/security/integrity/integrity.h
> +++ b/security/integrity/integrity.h
> @@ -150,6 +150,7 @@ int integrity_kernel_read(struct file *file, loff_t offset,
>
> #ifdef CONFIG_INTEGRITY_SIGNATURE
>
> +struct key *integrity_keyring_from_id(const unsigned int id);
> int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
> const char *digest, int digestlen);
>
> @@ -157,6 +158,11 @@ int __init integrity_init_keyring(const unsigned int id);
> int __init integrity_load_x509(const unsigned int id, const char *path);
> #else
>
> +static inline struct key *integrity_keyring_from_id(const unsigned int id)
> +{
> + return ERR_PTR(-EINVAL);
> +}
> +
> static inline int integrity_digsig_verify(const unsigned int id,
> const char *sig, int siglen,
> const char *digest, int digestlen)
>
WARNING: multiple messages have this Message-ID (diff)
From: zohar@linux.vnet.ibm.com (Mimi Zohar)
To: linux-security-module@vger.kernel.org
Subject: [PATCH v6 05/12] integrity: Introduce integrity_keyring_from_id()
Date: Wed, 21 Mar 2018 18:46:51 -0400 [thread overview]
Message-ID: <1521672411.3848.219.camel@linux.vnet.ibm.com> (raw)
In-Reply-To: <20180316203837.10174-6-bauerman@linux.vnet.ibm.com>
On Fri, 2018-03-16 at 17:38 -0300, Thiago Jung Bauermann wrote:
> IMA will need to obtain the keyring used to verify file signatures so that
> it can verify the module-style signature appended to files.
>
> Signed-off-by: Thiago Jung Bauermann <bauerman@linux.vnet.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
> ---
> security/integrity/digsig.c | 28 +++++++++++++++++++++-------
> security/integrity/integrity.h | 6 ++++++
> 2 files changed, 27 insertions(+), 7 deletions(-)
>
> diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
> index 6f9e4ce568cd..e641a67b9fc7 100644
> --- a/security/integrity/digsig.c
> +++ b/security/integrity/digsig.c
> @@ -48,11 +48,10 @@ static bool init_keyring __initdata;
> #define restrict_link_to_ima restrict_link_by_builtin_trusted
> #endif
>
> -int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
> - const char *digest, int digestlen)
> +struct key *integrity_keyring_from_id(const unsigned int id)
> {
> - if (id >= INTEGRITY_KEYRING_MAX || siglen < 2)
> - return -EINVAL;
> + if (id >= INTEGRITY_KEYRING_MAX)
> + return ERR_PTR(-EINVAL);
>
> if (!keyring[id]) {
> keyring[id] =
> @@ -61,17 +60,32 @@ int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
> int err = PTR_ERR(keyring[id]);
> pr_err("no %s keyring: %d\n", keyring_name[id], err);
> keyring[id] = NULL;
> - return err;
> + return ERR_PTR(err);
> }
> }
>
> + return keyring[id];
> +}
> +
> +int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
> + const char *digest, int digestlen)
> +{
> + struct key *keyring;
> +
> + if (siglen < 2)
> + return -EINVAL;
> +
> + keyring = integrity_keyring_from_id(id);
> + if (IS_ERR(keyring))
> + return PTR_ERR(keyring);
> +
> switch (sig[1]) {
> case 1:
> /* v1 API expect signature without xattr type */
> - return digsig_verify(keyring[id], sig + 1, siglen - 1,
> + return digsig_verify(keyring, sig + 1, siglen - 1,
> digest, digestlen);
> case 2:
> - return asymmetric_verify(keyring[id], sig, siglen,
> + return asymmetric_verify(keyring, sig, siglen,
> digest, digestlen);
> }
>
> diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
> index 79799a0d9195..2d245f44ca26 100644
> --- a/security/integrity/integrity.h
> +++ b/security/integrity/integrity.h
> @@ -150,6 +150,7 @@ int integrity_kernel_read(struct file *file, loff_t offset,
>
> #ifdef CONFIG_INTEGRITY_SIGNATURE
>
> +struct key *integrity_keyring_from_id(const unsigned int id);
> int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
> const char *digest, int digestlen);
>
> @@ -157,6 +158,11 @@ int __init integrity_init_keyring(const unsigned int id);
> int __init integrity_load_x509(const unsigned int id, const char *path);
> #else
>
> +static inline struct key *integrity_keyring_from_id(const unsigned int id)
> +{
> + return ERR_PTR(-EINVAL);
> +}
> +
> static inline int integrity_digsig_verify(const unsigned int id,
> const char *sig, int siglen,
> const char *digest, int digestlen)
>
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2018-03-21 22:46 UTC|newest]
Thread overview: 70+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-03-16 20:38 [PATCH v6 00/12] Appended signatures support for IMA appraisal Thiago Jung Bauermann
2018-03-16 20:38 ` Thiago Jung Bauermann
2018-03-16 20:38 ` Thiago Jung Bauermann
2018-03-16 20:38 ` Thiago Jung Bauermann
2018-03-16 20:38 ` [PATCH v6 01/12] MODSIGN: Export module signature definitions Thiago Jung Bauermann
2018-03-16 20:38 ` Thiago Jung Bauermann
2018-03-16 20:38 ` Thiago Jung Bauermann
2018-03-16 20:38 ` [PATCH v6 02/12] PKCS#7: Introduce pkcs7_get_message_sig() and verify_pkcs7_message_sig() Thiago Jung Bauermann
2018-03-16 20:38 ` Thiago Jung Bauermann
2018-03-16 20:38 ` Thiago Jung Bauermann
2018-03-22 21:49 ` Mimi Zohar
2018-03-22 21:49 ` Mimi Zohar
2018-03-22 21:49 ` Mimi Zohar
2018-03-22 21:49 ` Mimi Zohar
2018-03-16 20:38 ` [PATCH v6 03/12] PKCS#7: Introduce pkcs7_get_digest() Thiago Jung Bauermann
2018-03-16 20:38 ` Thiago Jung Bauermann
2018-03-16 20:38 ` Thiago Jung Bauermann
2018-03-22 23:07 ` Mimi Zohar
2018-03-22 23:07 ` Mimi Zohar
2018-03-22 23:07 ` Mimi Zohar
2018-03-16 20:38 ` [PATCH v6 04/12] ima: Introduce is_ima_sig() Thiago Jung Bauermann
2018-03-16 20:38 ` Thiago Jung Bauermann
2018-03-16 20:38 ` Thiago Jung Bauermann
2018-03-26 14:24 ` Mimi Zohar
2018-03-26 14:24 ` Mimi Zohar
2018-03-26 14:24 ` Mimi Zohar
2018-03-26 14:24 ` Mimi Zohar
2018-03-16 20:38 ` [PATCH v6 05/12] integrity: Introduce integrity_keyring_from_id() Thiago Jung Bauermann
2018-03-16 20:38 ` Thiago Jung Bauermann
2018-03-16 20:38 ` Thiago Jung Bauermann
2018-03-21 22:46 ` Mimi Zohar [this message]
2018-03-21 22:46 ` Mimi Zohar
2018-03-21 22:46 ` Mimi Zohar
2018-03-16 20:38 ` [PATCH v6 06/12] integrity: Introduce asymmetric_sig_has_known_key() Thiago Jung Bauermann
2018-03-16 20:38 ` Thiago Jung Bauermann
2018-03-16 20:38 ` Thiago Jung Bauermann
2018-03-21 23:17 ` Mimi Zohar
2018-03-21 23:17 ` Mimi Zohar
2018-03-21 23:17 ` Mimi Zohar
2018-03-16 20:38 ` [PATCH v6 07/12] integrity: Select CONFIG_KEYS instead of depending on it Thiago Jung Bauermann
2018-03-16 20:38 ` Thiago Jung Bauermann
2018-03-16 20:38 ` Thiago Jung Bauermann
2018-03-21 23:18 ` Mimi Zohar
2018-03-21 23:18 ` Mimi Zohar
2018-03-21 23:18 ` Mimi Zohar
2018-03-16 20:38 ` [PATCH v6 08/12] ima: Export func_tokens Thiago Jung Bauermann
2018-03-16 20:38 ` Thiago Jung Bauermann
2018-03-16 20:38 ` Thiago Jung Bauermann
2018-03-16 20:38 ` [PATCH v6 09/12] ima: Add modsig appraise_type option for module-style appended signatures Thiago Jung Bauermann
2018-03-16 20:38 ` Thiago Jung Bauermann
2018-03-16 20:38 ` Thiago Jung Bauermann
2018-03-16 20:38 ` [PATCH v6 10/12] ima: Add functions to read and verify a modsig signature Thiago Jung Bauermann
2018-03-16 20:38 ` Thiago Jung Bauermann
2018-03-16 20:38 ` Thiago Jung Bauermann
2018-03-16 20:38 ` [PATCH v6 11/12] ima: Implement support for module-style appended signatures Thiago Jung Bauermann
2018-03-16 20:38 ` Thiago Jung Bauermann
2018-03-16 20:38 ` Thiago Jung Bauermann
2018-03-26 12:56 ` Mimi Zohar
2018-03-26 12:56 ` Mimi Zohar
2018-03-26 12:56 ` Mimi Zohar
2018-03-26 12:56 ` Mimi Zohar
2018-03-16 20:38 ` [PATCH v6 12/12] ima: Write modsig to the measurement list Thiago Jung Bauermann
2018-03-16 20:38 ` Thiago Jung Bauermann
2018-03-16 20:38 ` Thiago Jung Bauermann
2018-03-26 12:29 ` Mimi Zohar
2018-03-26 12:29 ` Mimi Zohar
2018-03-26 12:29 ` Mimi Zohar
2018-03-16 21:38 ` [PATCH v6 00/12] Appended signatures support for IMA appraisal Thiago Jung Bauermann
2018-03-16 21:38 ` Thiago Jung Bauermann
2018-03-16 21:38 ` Thiago Jung Bauermann
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1521672411.3848.219.camel@linux.vnet.ibm.com \
--to=zohar@linux.vnet.ibm.com \
--cc=bauerman@linux.vnet.ibm.com \
--cc=davem@davemloft.net \
--cc=dhowells@redhat.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=dwmw2@infradead.org \
--cc=herbert@gondor.apana.org.au \
--cc=jeyu@kernel.org \
--cc=jmorris@namei.org \
--cc=keyrings@vger.kernel.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=serge@hallyn.com \
--cc=takahiro.akashi@linaro.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.