Re: IMA: Data included in the key measurement

linux-integrity.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: James Bottomley <James.Bottomley@HansenPartnership.com>
To: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>,
	Mimi Zohar <zohar@linux.ibm.com>,
	linux-integrity@vger.kernel.org, dhowells@redhat.com
Cc: James Morris <jamorris@linuxonhyperv.com>
Subject: Re: IMA: Data included in the key measurement
Date: Fri, 22 Nov 2019 08:17:31 -0800	[thread overview]
Message-ID: <1574439451.3331.14.camel@HansenPartnership.com> (raw)
In-Reply-To: <b4257d08-f6cf-19a0-f6f0-99c962ededac@linux.microsoft.com>

On Thu, 2019-11-21 at 17:15 -0800, Lakshmi Ramasubramanian wrote:
> On 11/21/19 8:38 AM, James Bottomley wrote:
> 
> Hi James,
> 
> > You're making the assumption that the public key and the
> > certificate are isomorphic.  That's only true if you trust the
> > issuer (which you obviously do, since it's you [microsoft]) but
> > nothing in X.509 prevents the issuer from issuing multiple
> > certificates with the same public key and different
> > properties.  Even in your use case, I would think
> > attesting to whether the certificate had expired or not would be
> > useful.
> 
> I agree attesting the x509 certificate and not just the public key
> is the right approach. But in the kernel the certificate is not
> stored - only the key extracted from the certificate is stored
> (please correct me  if I am wrong).

It depends what you mean by "store".  The built in certificates are
available in the system_certificate_list array; IMA tends to expect
public keys as X.509 certificates.  In the actual keyring key, we get
the subject + serial/skid, the subtype the keyids and the signature. 
It does seem we don't set the key expiry to the expiry date of the
cert, though.  And before loading we do verify the key chain (depending
on how we were loaded).

> When IMA, for instance, verifies the file signature only the public
> key (the data in "struct public_key") of the corresponding IMA key is
> used - the certificate is not used.

Once you've performed the certificate verification, we only need
certain parameters for signature verification, so we store them. 
However, what we verify depends on the signature algorithm. For pkcs1,
obviously we can only check the signature and nothing else, so the cert
and the public key become isomorphic here.  For pkcs7, which is what
IMA mostly uses, we do check some of the parameters.

> In my key measurement implementation, IMA hook is called when 
> key_create_or_update() function has successfully added\updated a key
> in a keyring. At that point, I do not have the corresponding x509
> certificate.

It sounds like you might be hooking into the wrong place ... we
definitely pass in the whole certificate for public key load.

> Please let me know if the kernel indeed stores the x509 certificate
> also and it can be queried when the corresponding key is added to a
> keyring. I'll make the changes to measure the x509 cert instead of
> just the public key.

If you measure at time of insertion you should be able to measure the
entire key because it's inserted as a complete certificate.  If there's
additional data you need to retrieve after the load, we might be able
to store it in addition to the data we already save from the
certificate.

James

next prev parent reply	other threads:[~2019-11-22 16:17 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-11-21 16:17 IMA: Data included in the key measurement Lakshmi Ramasubramanian
2019-11-21 16:38 ` James Bottomley
2019-11-22  1:15   ` Lakshmi Ramasubramanian
2019-11-22 16:17     ` James Bottomley [this message]
2019-11-22 17:39       ` Lakshmi Ramasubramanian
2019-11-22 19:32         ` James Bottomley
2019-11-25 17:33       ` Lakshmi Ramasubramanian
2019-11-25 18:14         ` Mimi Zohar
2019-11-25 18:19           ` Lakshmi Ramasubramanian
2019-11-22 17:38 ` Mimi Zohar

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1574439451.3331.14.camel@HansenPartnership.com \
    --to=james.bottomley@hansenpartnership.com \
    --cc=dhowells@redhat.com \
    --cc=jamorris@linuxonhyperv.com \
    --cc=linux-integrity@vger.kernel.org \
    --cc=nramas@linux.microsoft.com \
    --cc=zohar@linux.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).