From: Mimi Zohar
Date: Wed, 27 Nov 2019 19:32:54 +0000
Subject: Re: [PATCH v9 6/6] IMA: Read keyrings= option from the IMA policy
Message-Id: <1574883174.4793.318.camel@linux.ibm.com>
In-Reply-To: <20191127015654.3744-7-nramas@linux.microsoft.com>
References: <20191127015654.3744-1-nramas@linux.microsoft.com> <20191127015654.3744-7-nramas@linux.microsoft.com>
To: Lakshmi Ramasubramanian, linux-integrity@vger.kernel.org
Cc: eric.snowberg@oracle.com, dhowells@redhat.com, matthewgarrett@google.com, sashal@kernel.org, jamorris@linux.microsoft.com, linux-kernel@vger.kernel.org, keyrings@vger.kernel.org
On Tue, 2019-11-26 at 17:56 -0800, Lakshmi Ramasubramanian wrote:
> Read "keyrings=" option, if specified in the IMA policy, and store in
> the list of IMA rules when the configured IMA policy is read.
> 
> This patch defines a new policy token enum namely Opt_keyrings
> and an option flag IMA_KEYRINGS for reading "keyrings=" option
> from the IMA policy.
> 
> Updated ima_parse_rule() to parse "keyrings=" option in the policy.
> Updated ima_policy_show() to display "keyrings=" option.
> 
> The following example illustrates how key measurement can be verified.

The example is really too colloquial/verbose.  Please truncate it,
leaving just a sample "key" policy rule, with directions for verifying
the template data against the digest included in the measurement list.

> 
> Sample IMA Policy entry to measure keys
> (Added in the file /etc/ima/ima-policy):

Remove the above.

Sample "key" measurement rule:

> measure func=KEY_CHECK keyrings=.ima|.evm template=ima-buf
> 
> Build the kernel with this patch set applied and reboot to that kernel.
> 
> Ensure the IMA policy is applied:
> 
> root@nramas:/home/nramas# cat /sys/kernel/security/ima/policy
> measure func=KEY_CHECK keyrings=.ima|.evm template=ima-buf
> 
> View the initial IMA measurement log:
> 
> root@nramas:/home/nramas
> # cat /sys/kernel/security/ima/ascii_runtime_measurements
> 10 67ec... ima-ng sha1:b5466c508583f0e633df83aa58fc7c5b67ccf667 boot_aggregate
> 
> Now, add a certificate (for example, x509_ima.der) to the .ima keyring
> using evmctl (IMA-EVM Utility)
> 
> root@nramas:/home/nramas# keyctl show %:.ima
> Keyring
>  547515640 ---lswrv      0     0  keyring: .ima
> 
> root@nramas:/home/nramas# evmctl import x509_ima.der 547515640
> 
> root@nramas:/home/nramas# keyctl show %:.ima
> Keyring
>  547515640 ---lswrv      0     0  keyring: .ima
>  809678766 --als--v      0     0   \_ asymmetric: hostname: whoami signing key: 052dd247dc3c36...
> 
> View the updated IMA measurement log:
> 
> root@nramas:/home/nramas#

Remove everything up to here and simply say something like:

Display "key" measurement in the IMA measurement list:

> # cat /sys/kernel/security/ima/ascii_runtime_measurements
> 10 3adf... ima-buf
> sha256:27c915b8ddb9fae7214cf0a8a7043cc3eeeaa7539bcb136f8427067b5f6c3
> b7b .ima 308202863082...4aee

> root@nramas:/home/nramas#

Remove this string from all the commands.

> 
> For this sample, SHA256 should be selected as the hash algorithm
> used by IMA.
> 
> The following command verifies if the SHA256 hash generated from
> the payload in the IMA log entry (listed above) for the .ima key
> matches the SHA256 hash in the IMA log entry. The output of this
> command should match the SHA256 hash given in the IMA log entry
> (In this case, it should be
> 27c915b8ddb9fae7214cf0a8a7043cc3eeeaa7539bcb136f8427067b5f6c3b7b)

Previously you didn't use the hash value, but ".ima" to locate the
"key" measurement in the measurement list.  In each of the commands
above, it might be clearer.

> 
> root@nramas:/home/nramas

ditto

> # cat /sys/kernel/security/integrity/ima/ascii_runtime_measurements
> | grep
> 27c915b8ddb9fae7214cf0a8a7043cc3eeeaa7539bcb136f8427067b5f6c3b7b |
> cut -d' ' -f 6 | xxd -r -p |tee ima-cert.der | sha256sum | cut -d' '
> -f 1
> 
> The above command also creates a binary file namely ima-cert.der
> using the payload in the IMA log entry. This file should be a valid
> x509 certificate which can be verified using openssl as given below:
> 
> root@nramas:/home/nramas

ditto

> # openssl x509 -in ima-cert.der -inform DER -text
> 
> The above command should display the contents of the file ima-cert.der
> as an x509 certificate.

Either the comments should be above or below the commands, not both.

> 
> The IMA policy used here allows measurement of keys added to
> ".ima" and ".evm" keyrings only. Add a key to any other keyring and
> verify that the key is not measured.

This comment would be included, if desired, when defining the policy
rule, not here.

Mimi
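As an added example (not part of the patch or of this thread), the check the commit message describes, done in Python instead of the grep/xxd/sha256sum pipeline: locate the key's ima-buf entry by keyring name, as Mimi suggests, recompute the digest over the hex buffer with the algorithm named in the entry, and compare it with the digest recorded beside it. The measurement list here is constructed and the payload stands in for a key's DER bytes; the hashlib algorithm names are assumed to match IMA's (sha1, sha256, sha512).

```python
import hashlib

# Constructed sample of /sys/kernel/security/ima/ascii_runtime_measurements
# (not a real log). An ima-buf entry has six fields: PCR, template hash,
# template name, algo:digest of the buffer, buffer name (the keyring) and
# the buffer itself as hex. PAYLOAD stands in for a key's DER blob; the
# third line carries a digest that does not match its buffer on purpose.
PAYLOAD = b"constructed stand-in for x509 DER bytes"
SAMPLE_LOG = (
    "10 " + "0" * 40 + " ima-ng sha1:" + "1" * 40 + " boot_aggregate\n"
    + "10 " + "0" * 40 + " ima-buf sha256:" + hashlib.sha256(PAYLOAD).hexdigest()
    + " .ima " + PAYLOAD.hex() + "\n"
    + "10 " + "0" * 40 + " ima-buf sha256:" + "a" * 64 + " .evm " + b"tampered".hex() + "\n"
)


def parse_ima_buf(line):
    """Return the fields of one ima-buf entry, or None for any other template."""
    fields = line.split()
    if len(fields) != 6 or fields[2] != "ima-buf":
        return None
    algo, digest = fields[3].split(":", 1)
    return {"pcr": int(fields[0]), "algo": algo, "digest": digest.lower(),
            "name": fields[4], "buf": bytes.fromhex(fields[5])}


def digest_matches(entry):
    """Recompute the digest over the measured buffer with the entry's own algorithm."""
    return hashlib.new(entry["algo"], entry["buf"]).hexdigest() == entry["digest"]


def check_keyring(log_text, keyring):
    """Find entries for one keyring by name and verify each buffer against its digest.

    Returns (verified_payloads, mismatched_payloads); a mismatch means the hex
    buffer in the list does not hash to the digest recorded next to it.
    """
    ok, bad = [], []
    for line in log_text.splitlines():
        entry = parse_ima_buf(line)
        if entry is None or entry["name"] != keyring:
            continue
        (ok if digest_matches(entry) else bad).append(entry["buf"])
    return ok, bad


if __name__ == "__main__":
    verified, mismatched = check_keyring(SAMPLE_LOG, ".ima")
    print(f".ima: {len(verified)} verified, {len(mismatched)} mismatched")
    # verified[0] holds the DER bytes; on a real system write them to
    # ima-cert.der and inspect with "openssl x509 -inform DER -text".
```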