* [PATCH 1/4] Remove 98integrity's dependency on selinux
@ 2015-04-27 22:24 Mimi Zohar
[not found] ` <1430173454-3665-1-git-send-email-zohar-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>
0 siblings, 1 reply; 5+ messages in thread
From: Mimi Zohar @ 2015-04-27 22:24 UTC (permalink / raw)
To: initramfs-u79uwXL29TY76Z2rM5mHXA; +Cc: Mimi Zohar
Loading the EVM key(s) is not dependent on selinux. Remove
the dependency.
---
modules.d/98integrity/module-setup.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules.d/98integrity/module-setup.sh b/modules.d/98integrity/module-setup.sh
index a838664..2d4d2ed 100755
--- a/modules.d/98integrity/module-setup.sh
+++ b/modules.d/98integrity/module-setup.sh
@@ -7,7 +7,7 @@ check() {
# called by dracut
depends() {
- echo masterkey securityfs selinux
+ echo masterkey securityfs
return 0
}
--
2.1.0
^ permalink raw reply related [flat|nested] 5+ messages in thread[parent not found: <1430173454-3665-1-git-send-email-zohar-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>]
* [PATCH 2/4] Extend evm-enable.sh to load the EVM public key [not found] ` <1430173454-3665-1-git-send-email-zohar-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org> @ 2015-04-27 22:24 ` Mimi Zohar 2015-04-27 22:24 ` [PATCH 3/4] Define new script to load keys on the IMA keyring Mimi Zohar 2015-04-27 22:24 ` [PATCH 4/4] Revert securitfs change Mimi Zohar 2 siblings, 0 replies; 5+ messages in thread From: Mimi Zohar @ 2015-04-27 22:24 UTC (permalink / raw) To: initramfs-u79uwXL29TY76Z2rM5mHXA; +Cc: Mimi Zohar Create the _evm keyring and load the EVM public key on it. --- modules.d/98integrity/evm-enable.sh | 42 +++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) diff --git a/modules.d/98integrity/evm-enable.sh b/modules.d/98integrity/evm-enable.sh index dee1c6c..ec4f03b 100755 --- a/modules.d/98integrity/evm-enable.sh +++ b/modules.d/98integrity/evm-enable.sh @@ -48,6 +48,45 @@ load_evm_key() info "integrity: failed to load the EVM encrypted key: ${EVMKEYDESC}"; return 1; } + return 0 +} + +load_evm_x509() +{ + info "Load EVM IMA X509" + + # override the EVM key path name from the 'evmx509=' parameter in + # the kernel command line + EVMX509ARG=$(getarg evmx509=) + [ $? -eq 0 ] && \ + EVMX509=${EVMX509ARG} + + # set the default value + [ -z "${EVMX509}" ] && \ + EVMX509="/etc/keys/x509_evm.der"; + + # set the EVM public key path name + EVMX509PATH="${NEWROOT}${EVMX509}" + + # check for EVM public key's existence + if [ ! -f "${EVMX509PATH}" ]; then + if [ "${RD_DEBUG}" = "yes" ]; then + info "integrity: EVM x509 cert file not found: ${EVMX509PATH}" + fi + return 1 + fi + + # load the EVM public key onto the EVM keyring + evm_pubid=`keyctl newring _evm @u` + EVMX509ID=$(evmctl import ${EVMX509PATH} ${evm_pubid}) + [ $? -eq 0 ] || { + info "integrity: failed to load the EVM X509 cert ${EVMX509PATH}"; + return 1; + } + + if [ "${RD_DEBUG}" = "yes" ]; then + keyctl show @u + fi return 0 } @@ -76,6 +115,9 @@ enable_evm() # load the EVM encrypted key load_evm_key || return 1 + # load the EVM public key, if it exists + load_evm_x509 + # initialize EVM info "Enabling EVM" echo 1 > ${EVMSECFILE} -- 2.1.0 ^ permalink raw reply related [flat|nested] 5+ messages in thread
* [PATCH 3/4] Define new script to load keys on the IMA keyring [not found] ` <1430173454-3665-1-git-send-email-zohar-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org> 2015-04-27 22:24 ` [PATCH 2/4] Extend evm-enable.sh to load the EVM public key Mimi Zohar @ 2015-04-27 22:24 ` Mimi Zohar [not found] ` <1430173454-3665-3-git-send-email-zohar-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org> 2015-04-27 22:24 ` [PATCH 4/4] Revert securitfs change Mimi Zohar 2 siblings, 1 reply; 5+ messages in thread From: Mimi Zohar @ 2015-04-27 22:24 UTC (permalink / raw) To: initramfs-u79uwXL29TY76Z2rM5mHXA; +Cc: Mimi Zohar This patch supports loading keys either on the _ima keyring or, as of Linux 3.17, on the trusted .ima keyring. Only certificates signed by a key on the system keyring can be loaded onto the trusted .ima keyring. --- modules.d/98integrity/ima-keys-load.sh | 62 ++++++++++++++++++++++++++++++++++ modules.d/98integrity/module-setup.sh | 2 ++ 2 files changed, 64 insertions(+) create mode 100755 modules.d/98integrity/ima-keys-load.sh diff --git a/modules.d/98integrity/ima-keys-load.sh b/modules.d/98integrity/ima-keys-load.sh new file mode 100755 index 0000000..659b722 --- /dev/null +++ b/modules.d/98integrity/ima-keys-load.sh @@ -0,0 +1,62 @@ +#!/bin/sh + +SECURITYFSDIR="/sys/kernel/security" +IMASECDIR="${SECURITYFSDIR}/ima" +IMACONFIG="${NEWROOT}/etc/sysconfig/ima" + +load_x509_keys() +{ + KEYRING_ID=$1 + + # override the default configuration + if [ -f "${IMACONFIG}" ]; then + . ${IMACONFIG} + fi + + if [ -z "${IMAKEYDIR}" ]; then + IMAKEYSDIR="/etc/keys/ima" + fi + + PUBKEY_LIST=`ls ${NEWROOT}${IMAKEYSDIR}/*` + for PUBKEY in ${PUBKEY_LIST}; do + # check for public key's existence + if [ ! -f "${PUBKEY}" ]; then + if [ "${RD_DEBUG}" = "yes" ]; then + info "integrity: IMA x509 cert file not found: ${PUBKEY}" + fi + continue + fi + + X509ID=$(evmctl import ${PUBKEY} ${KEYRING_ID}) + if [ $? -ne 0 ]; then + info "integrity: IMA x509 cert not loaded on keyring: ${PUBKEY}" + fi + done + + if [ "${RD_DEBUG}" = "yes" ]; then + keyctl show ${KEYRING_ID} + fi + return 0 +} + +# check kernel support for IMA +if [ ! -e "${IMASECDIR}" ]; then + if [ "${RD_DEBUG}" = "yes" ]; then + info "integrity: IMA kernel support is disabled" + fi + return 0 +fi + +# get the IMA keyring id +line=$(keyctl describe %keyring:.ima) +if [ $? -eq 0 ]; then + _ima_id=${line%%:*} +else + _ima_id=`keyctl search @u keyring _ima` + if [ -z "${_ima_id}" ]; then + _ima_id=`keyctl newring _ima @u` + fi +fi + +# load the IMA public key(s) +load_x509_keys ${_ima_id} diff --git a/modules.d/98integrity/module-setup.sh b/modules.d/98integrity/module-setup.sh index 2d4d2ed..34b33cd 100755 --- a/modules.d/98integrity/module-setup.sh +++ b/modules.d/98integrity/module-setup.sh @@ -13,6 +13,8 @@ depends() { # called by dracut install() { + dracut_install evmctl keyctl ls inst_hook pre-pivot 61 "$moddir/evm-enable.sh" + inst_hook pre-pivot 61 "$moddir/ima-keys-load.sh" inst_hook pre-pivot 62 "$moddir/ima-policy-load.sh" } -- 2.1.0 ^ permalink raw reply related [flat|nested] 5+ messages in thread
[parent not found: <1430173454-3665-3-git-send-email-zohar-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>]
* Re: [PATCH 3/4] Define new script to load keys on the IMA keyring (update) [not found] ` <1430173454-3665-3-git-send-email-zohar-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org> @ 2015-04-29 15:05 ` Mimi Zohar 0 siblings, 0 replies; 5+ messages in thread From: Mimi Zohar @ 2015-04-29 15:05 UTC (permalink / raw) To: initramfs-u79uwXL29TY76Z2rM5mHXA; +Cc: Harald Hoyer This patch supports loading keys either on the _ima keyring or, as of Linux 3.17, on the trusted .ima keyring. Only certificates signed by a key on the system keyring can be loaded onto the trusted .ima keyring. Changelog: - Update 98integrity/README --- modules.d/98integrity/README | 28 +++++++++++++++ modules.d/98integrity/ima-keys-load.sh | 62 ++++++++++++++++++++++++++++++++++ modules.d/98integrity/module-setup.sh | 2 ++ 3 files changed, 92 insertions(+) create mode 100755 modules.d/98integrity/ima-keys-load.sh diff --git a/modules.d/98integrity/README b/modules.d/98integrity/README index d74e063..2c7857b 100644 --- a/modules.d/98integrity/README +++ b/modules.d/98integrity/README @@ -38,3 +38,31 @@ line. ------------- '/etc/sysconfig/ima' (with the default value) ------------- IMAPOLICY="/etc/sysconfig/ima-policy" ------------------------------------------------------------------------- + + +# Information on loading distro, third party or local keys on the trusted IMA keyring + +# Loading distro, third party or local keys on the trusted IMA keyring requires +# creating a local certificate authority(local-CA), installing the local-CA's +# public key on the system-keyring and signing the certificates with the local-CA +# key. +# +# Many directions for creating a mini certificate authority exist on the web +# (eg. openssl, yubikey). (Reminder: safely storing the private key offline is +# really important, especially in the case of the local-CA's private key.) The +# local-CA's public key can be loaded onto the system keyring either by building +# the key into the kernel or, on Fedora, storing it in the UEFI/Mok keyring. (As +# of writing, the patches for loading the UEFI/Mok keys on the system-keyring +# have not been upstreamed.) +# +# To view the system keyring: keyctl show %keyring:.system_keyring +# +# Most on-line directions for signing certificates requires creating a Certificate +# Signing Request (CSR). Creating such a request requires access to the private +# key, which would not be available when signing distro or 3rd party certificates. +# Openssl provides the "-ss_cert" option for directly signing certificates. + +# 98integrity/ima-keys-load.sh script loads the signed certificates stored +# in the $IMAKEYSDIR onto the trusted IMA keyring. The default $IMAKEYSDIR +# directory is /etc/keys/ima, but can be specified in the /etc/sysconfig/ima +# policy. diff --git a/modules.d/98integrity/ima-keys-load.sh b/modules.d/98integrity/ima-keys-load.sh new file mode 100755 index 0000000..659b722 --- /dev/null +++ b/modules.d/98integrity/ima-keys-load.sh @@ -0,0 +1,62 @@ +#!/bin/sh + +SECURITYFSDIR="/sys/kernel/security" +IMASECDIR="${SECURITYFSDIR}/ima" +IMACONFIG="${NEWROOT}/etc/sysconfig/ima" + +load_x509_keys() +{ + KEYRING_ID=$1 + + # override the default configuration + if [ -f "${IMACONFIG}" ]; then + . ${IMACONFIG} + fi + + if [ -z "${IMAKEYDIR}" ]; then + IMAKEYSDIR="/etc/keys/ima" + fi + + PUBKEY_LIST=`ls ${NEWROOT}${IMAKEYSDIR}/*` + for PUBKEY in ${PUBKEY_LIST}; do + # check for public key's existence + if [ ! -f "${PUBKEY}" ]; then + if [ "${RD_DEBUG}" = "yes" ]; then + info "integrity: IMA x509 cert file not found: ${PUBKEY}" + fi + continue + fi + + X509ID=$(evmctl import ${PUBKEY} ${KEYRING_ID}) + if [ $? -ne 0 ]; then + info "integrity: IMA x509 cert not loaded on keyring: ${PUBKEY}" + fi + done + + if [ "${RD_DEBUG}" = "yes" ]; then + keyctl show ${KEYRING_ID} + fi + return 0 +} + +# check kernel support for IMA +if [ ! -e "${IMASECDIR}" ]; then + if [ "${RD_DEBUG}" = "yes" ]; then + info "integrity: IMA kernel support is disabled" + fi + return 0 +fi + +# get the IMA keyring id +line=$(keyctl describe %keyring:.ima) +if [ $? -eq 0 ]; then + _ima_id=${line%%:*} +else + _ima_id=`keyctl search @u keyring _ima` + if [ -z "${_ima_id}" ]; then + _ima_id=`keyctl newring _ima @u` + fi +fi + +# load the IMA public key(s) +load_x509_keys ${_ima_id} diff --git a/modules.d/98integrity/module-setup.sh b/modules.d/98integrity/module-setup.sh index 2d4d2ed..34b33cd 100755 --- a/modules.d/98integrity/module-setup.sh +++ b/modules.d/98integrity/module-setup.sh @@ -13,6 +13,8 @@ depends() { # called by dracut install() { + dracut_install evmctl keyctl ls inst_hook pre-pivot 61 "$moddir/evm-enable.sh" + inst_hook pre-pivot 61 "$moddir/ima-keys-load.sh" inst_hook pre-pivot 62 "$moddir/ima-policy-load.sh" } -- 2.1.0 ^ permalink raw reply related [flat|nested] 5+ messages in thread
* [PATCH 4/4] Revert securitfs change [not found] ` <1430173454-3665-1-git-send-email-zohar-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org> 2015-04-27 22:24 ` [PATCH 2/4] Extend evm-enable.sh to load the EVM public key Mimi Zohar 2015-04-27 22:24 ` [PATCH 3/4] Define new script to load keys on the IMA keyring Mimi Zohar @ 2015-04-27 22:24 ` Mimi Zohar 2 siblings, 0 replies; 5+ messages in thread From: Mimi Zohar @ 2015-04-27 22:24 UTC (permalink / raw) To: initramfs-u79uwXL29TY76Z2rM5mHXA; +Cc: Mimi Zohar Commit 5e60145 use findmnt with "--source" or "--target" broke mounting securityfs. This patch reverts only the securityfs portion of the patch. --- modules.d/96securityfs/securityfs.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules.d/96securityfs/securityfs.sh b/modules.d/96securityfs/securityfs.sh index 8ccb151..8e57571 100755 --- a/modules.d/96securityfs/securityfs.sh +++ b/modules.d/96securityfs/securityfs.sh @@ -3,6 +3,6 @@ SECURITYFSDIR="/sys/kernel/security" export SECURITYFSDIR -if ! findmnt --target "${SECURITYFSDIR}" >/dev/null 2>&1; then +if ! findmnt "${SECURITYFSDIR}" >/dev/null 2>&1; then mount -t securityfs -o nosuid,noexec,nodev securityfs ${SECURITYFSDIR} >/dev/null 2>&1 fi -- 2.1.0 ^ permalink raw reply related [flat|nested] 5+ messages in thread
end of thread, other threads:[~2015-04-29 15:05 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2015-04-27 22:24 [PATCH 1/4] Remove 98integrity's dependency on selinux Mimi Zohar
[not found] ` <1430173454-3665-1-git-send-email-zohar-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>
2015-04-27 22:24 ` [PATCH 2/4] Extend evm-enable.sh to load the EVM public key Mimi Zohar
2015-04-27 22:24 ` [PATCH 3/4] Define new script to load keys on the IMA keyring Mimi Zohar
[not found] ` <1430173454-3665-3-git-send-email-zohar-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>
2015-04-29 15:05 ` [PATCH 3/4] Define new script to load keys on the IMA keyring (update) Mimi Zohar
2015-04-27 22:24 ` [PATCH 4/4] Revert securitfs change Mimi Zohar
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox