From: Mimi Zohar <zohar@linux.ibm.com>
To: Eric Snowberg <eric.snowberg@oracle.com>,
dmitry.kasatkin@gmail.com, jmorris@namei.org, serge@hallyn.com
Cc: dhowells@redhat.com, geert@linux-m68k.org,
gregkh@linuxfoundation.org, nayna@linux.ibm.com,
tglx@linutronix.de, bauerman@linux.ibm.com, mpe@ellerman.id.au,
linux-integrity@vger.kernel.org,
linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [RFC PATCH 1/2] ima: Implement support for uncompressed module appended signatures
Date: Thu, 06 Feb 2020 13:05:29 -0500 [thread overview]
Message-ID: <1581012329.5585.439.camel@linux.ibm.com> (raw)
In-Reply-To: <20200206164226.24875-2-eric.snowberg@oracle.com>
Hi Eric,
On Thu, 2020-02-06 at 11:42 -0500, Eric Snowberg wrote:
> Currently IMA can validate compressed modules containing appended
> signatures. This adds the ability to also validate uncompressed
> modules when appraise_type=imasig|modsig.
>
> Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
Your patch description in no way matches the code.
Mimi
> ---
> security/integrity/digsig.c | 9 +++++++--
> security/integrity/ima/ima_appraise.c | 3 +++
> security/integrity/integrity.h | 3 ++-
> 3 files changed, 12 insertions(+), 3 deletions(-)
>
> diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
> index ea1aae3d07b3..5e0c4d04ab9d 100644
> --- a/security/integrity/digsig.c
> +++ b/security/integrity/digsig.c
> @@ -15,6 +15,7 @@
> #include <linux/key-type.h>
> #include <linux/digsig.h>
> #include <linux/vmalloc.h>
> +#include <linux/verification.h>
> #include <crypto/public_key.h>
> #include <keys/system_keyring.h>
>
> @@ -31,6 +32,7 @@ static const char * const keyring_name[INTEGRITY_KEYRING_MAX] = {
> ".ima",
> #endif
> ".platform",
> + ".builtin_trusted_keys",
> };
>
> #ifdef CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
> @@ -45,8 +47,11 @@ static struct key *integrity_keyring_from_id(const unsigned int id)
> return ERR_PTR(-EINVAL);
>
> if (!keyring[id]) {
> - keyring[id] =
> - request_key(&key_type_keyring, keyring_name[id], NULL);
> + if (id == INTEGRITY_KEYRING_KERNEL)
> + keyring[id] = VERIFY_USE_SECONDARY_KEYRING;
> + else
> + keyring[id] = request_key(&key_type_keyring,
> + keyring_name[id], NULL);
> if (IS_ERR(keyring[id])) {
> int err = PTR_ERR(keyring[id]);
> pr_err("no %s keyring: %d\n", keyring_name[id], err);
> diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
> index 300c8d2943c5..4c009c55d620 100644
> --- a/security/integrity/ima/ima_appraise.c
> +++ b/security/integrity/ima/ima_appraise.c
> @@ -294,6 +294,9 @@ static int modsig_verify(enum ima_hooks func, const struct modsig *modsig,
> func == KEXEC_KERNEL_CHECK)
> rc = integrity_modsig_verify(INTEGRITY_KEYRING_PLATFORM,
> modsig);
> + if (rc && func == MODULE_CHECK)
> + rc = integrity_modsig_verify(INTEGRITY_KEYRING_KERNEL, modsig);
> +
> if (rc) {
> *cause = "invalid-signature";
> *status = INTEGRITY_FAIL;
> diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
> index 73fc286834d7..63f0e6bff0e0 100644
> --- a/security/integrity/integrity.h
> +++ b/security/integrity/integrity.h
> @@ -145,7 +145,8 @@ int integrity_kernel_read(struct file *file, loff_t offset,
> #define INTEGRITY_KEYRING_EVM 0
> #define INTEGRITY_KEYRING_IMA 1
> #define INTEGRITY_KEYRING_PLATFORM 2
> -#define INTEGRITY_KEYRING_MAX 3
> +#define INTEGRITY_KEYRING_KERNEL 3
> +#define INTEGRITY_KEYRING_MAX 4
>
> extern struct dentry *integrity_dir;
>
next prev parent reply other threads:[~2020-02-06 18:05 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-02-06 16:42 [RFC PATCH 0/2] ima: uncompressed module appraisal support Eric Snowberg
2020-02-06 16:42 ` [RFC PATCH 1/2] ima: Implement support for uncompressed module appended signatures Eric Snowberg
2020-02-06 17:07 ` Lakshmi Ramasubramanian
2020-02-06 17:30 ` Eric Snowberg
2020-02-06 18:05 ` Mimi Zohar [this message]
2020-02-06 19:01 ` Eric Snowberg
2020-02-06 19:10 ` Mimi Zohar
2020-02-06 16:42 ` [RFC PATCH 2/2] ima: Change default secure_boot policy to include " Eric Snowberg
2020-02-06 20:22 ` [RFC PATCH 0/2] ima: uncompressed module appraisal support Nayna
2020-02-06 21:40 ` Eric Snowberg
2020-02-07 14:51 ` Mimi Zohar
2020-02-07 16:57 ` Eric Snowberg
2020-02-07 17:40 ` Mimi Zohar
2020-02-07 17:49 ` Eric Snowberg
2020-02-07 18:28 ` Mimi Zohar
2020-02-07 18:45 ` Eric Snowberg
2020-02-07 18:54 ` Mimi Zohar
2020-02-07 21:38 ` Eric Snowberg
2020-02-08 23:43 ` Mimi Zohar
2020-02-10 16:34 ` Eric Snowberg
2020-02-10 17:09 ` Mimi Zohar
2020-02-10 19:24 ` Eric Snowberg
2020-02-10 20:33 ` Mimi Zohar
2020-02-11 17:33 ` Eric Snowberg
2020-02-12 14:04 ` Nayna
2020-02-13 15:32 ` Eric Snowberg
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1581012329.5585.439.camel@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=bauerman@linux.ibm.com \
--cc=dhowells@redhat.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=eric.snowberg@oracle.com \
--cc=geert@linux-m68k.org \
--cc=gregkh@linuxfoundation.org \
--cc=jmorris@namei.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mpe@ellerman.id.au \
--cc=nayna@linux.ibm.com \
--cc=serge@hallyn.com \
--cc=tglx@linutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.