linux-integrity.vger.kernel.org archive mirror
From: Mimi Zohar <zohar@linux.ibm.com>
To: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>,
	James Bottomley <James.Bottomley@HansenPartnership.com>,
	linux-integrity@vger.kernel.org, dhowells@redhat.com
Cc: James Morris <jamorris@linuxonhyperv.com>
Subject: Re: IMA: Data included in the key measurement
Date: Mon, 25 Nov 2019 13:14:37 -0500	[thread overview]
Message-ID: <1574705677.4793.215.camel@linux.ibm.com> (raw)
In-Reply-To: <6ceecb10-61f5-1067-d219-1f6caaa104a9@linux.microsoft.com>

On Mon, 2019-11-25 at 09:33 -0800, Lakshmi Ramasubramanian wrote:
> On 11/22/19 8:17 AM, James Bottomley wrote:
> 
> > If you measure at time of insertion you should be able to measure the
> > entire key because it's inserted as a complete certificate.  If there's
> > additional data you need to retrieve after the load, we might be able
> > to store it in addition to the data we already save from the
> > certificate.
> > 
> > James
> 
> You are right James - at the time of insertion the complete certificate 
> can be measured. Thanks for the information.
> 
> I will update my patch set to include the certificate data in key 
> measurement. Please let me know if you have any comments/concerns.
> 
> Please see below for details:
> 
> In the file "security/keys/key.c" =>
> key_ref_t key_create_or_update(key_ref_t keyring_ref,
> 			       const char *type,
> 			       const char *description,
> 			       const void *payload,
> 			       size_t plen,
> 			       key_perm_t perm,
> 			       unsigned long flags)
> 
> In the key measurement, instead of just the "public key", I included the 
> buffer pointed to by the "payload" parameter (buffer of size "plen" 
> bytes) in the call to key_create_or_update(). It is the entire certificate.
> 
> thanks,
>   -lakshmi
> 
> Please see the sequence of commands below to import a certificate (in 
> DER format) to ".ima" keyring and regenerate the certificate from the 
> IMA measurement log.
> 
> ****** Import a DER certificate to .ima keyring ******
> 
> root@nramas:/home/nramas# keyctl show %:.ima
> Keyring
>    75295183 ---lswrv      0     0  keyring: .ima
> 
> root@nramas:/home/nramas# evmctl import x509_ima.der 75295183
> 118886017
> 
> root@nramas:/home/nramas# keyctl show %:.ima
> Keyring
>    75295183 ---lswrv      0     0  keyring: .ima
>   118886017 --als--v      0     0   \_ asymmetric: hostname: whoami signing key: 052dd247dc3c36d6d60675fe7ae869790be56171
> 
> ****** View the IMA measurement log ******
> 
> root@nramas:/home/nramas# cat /sys/kernel/security/integrity/ima/ascii_runtime_measurements
> 10 faf3dd532114feed8b8215eb7b5d8c3107d5e702 ima-buf sha256:ac8bd67bdaded63be9231c495585fd88edce0812d9b677e1e1e219e2dd3bcd60 .ima [...]75b45e2454300d06092a864886f70d01010b050003818100b12faeff1e0e390cfd5eb7140af3b7a653cb49c6ab0a23be24c035331d7600c8f758f9df7fdfc5eeb6fec35859203eca0e4f01f9a79a58be630947cb959a52d3f2de96f210d49247c33a6226dc2a52ee541069ed3c621f8767fd36a061e9a61adb5d1dd34499d99a1ce6baa496b4f5e2268bfc52c3eea4a6b7b5181f08524aee
> 
> ****** Regenerate the certificate from IMA measurement log ******
> 
> root@nramas:/home/nramas# cat /sys/kernel/security/integrity/ima/ascii_runtime_measurements | grep " .ima" | cut -d' ' -f 6 | xxd -r -p > ima-cert.der
> 
> root@nramas:/home/nramas# openssl x509 -in ima-cert.der -inform DER -text -noout

Only the commands to validate the "key" measurement and extract the
certificate need to be included in the patch description.  You could
combine these two commands using "tee".  One would save the
certificate, while the other would calculate the template data hash.
Providing the openssl command to display the saved certificate is
optional.

Mimi


Thread overview:
2019-11-21 16:17 IMA: Data included in the key measurement Lakshmi Ramasubramanian
2019-11-21 16:38 ` James Bottomley
2019-11-22  1:15   ` Lakshmi Ramasubramanian
2019-11-22 16:17     ` James Bottomley
2019-11-22 17:39       ` Lakshmi Ramasubramanian
2019-11-22 19:32         ` James Bottomley
2019-11-25 17:33       ` Lakshmi Ramasubramanian
2019-11-25 18:14         ` Mimi Zohar [this message]
2019-11-25 18:19           ` Lakshmi Ramasubramanian
2019-11-22 17:38 ` Mimi Zohar
