From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
Cc: linux-security-module@vger.kernel.org,
linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org,
dhowells@redhat.com, herbert@gondor.hengli.com.au
Subject: Re: [PATCH v2.2 6/7] integrity: digital signature verification using multiple keyrings
Date: Fri, 04 Nov 2011 07:29:46 -0400 [thread overview]
Message-ID: <1320406187.2010.11.camel@falcor> (raw)
In-Reply-To: <f094bd1603dcf682b8ab5fb41af7c5635cb04d23.1319025009.git.dmitry.kasatkin@intel.com>
On Wed, 2011-10-19 at 14:51 +0300, Dmitry Kasatkin wrote:
> Define separate keyrings for each of the different use cases - evm, ima,
> and modules. Using different keyrings improves search performance, and also
> allows "locking" specific keyring to prevent adding new keys.
> This is useful for evm and module keyrings, when keys are usually only
> added from initramfs.
>
> Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
Thanks Dmitry! Other than the couple of trailing whitespaces, the
patches look good. I think adding the word 'public', above, to 'adding
new keys' clarifies that the keyrings are only used for the digital
signatures.
Acked-by: Mimi Zohar <zohar@us.ibm.com>
> ---
> security/integrity/Kconfig | 14 +++++++++++
> security/integrity/Makefile | 1 +
> security/integrity/digsig.c | 48 ++++++++++++++++++++++++++++++++++++++++
> security/integrity/integrity.h | 20 ++++++++++++++++
> 4 files changed, 83 insertions(+), 0 deletions(-)
> create mode 100644 security/integrity/digsig.c
>
> diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig
> index 4bf00ac..d87fa2a 100644
> --- a/security/integrity/Kconfig
> +++ b/security/integrity/Kconfig
> @@ -3,5 +3,19 @@ config INTEGRITY
> def_bool y
> depends on IMA || EVM
>
> +config INTEGRITY_DIGSIG
> + boolean "Digital signature verification using multiple keyrings"
> + depends on INTEGRITY
> + default n
> + select DIGSIG
> + help
> + This option enables digital signature verification support
> + using multiple keyrings. It defines separate keyrings for each
> + of the different use cases - evm, ima, and modules.
> + Different keyrings improves search performance, but also allow
> + to "lock" certain keyring to prevent adding new keys.
> + This is useful for evm and module keyrings, when keys are
> + usually only added from initramfs.
> +
> source security/integrity/ima/Kconfig
> source security/integrity/evm/Kconfig
> diff --git a/security/integrity/Makefile b/security/integrity/Makefile
> index 0ae44ae..bece056 100644
> --- a/security/integrity/Makefile
> +++ b/security/integrity/Makefile
> @@ -3,6 +3,7 @@
> #
>
> obj-$(CONFIG_INTEGRITY) += integrity.o
> +obj-$(CONFIG_INTEGRITY_DIGSIG) += digsig.o
>
> integrity-y := iint.o
>
> diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
> new file mode 100644
> index 0000000..b5d1e01
> --- /dev/null
> +++ b/security/integrity/digsig.c
> @@ -0,0 +1,48 @@
> +/*
> + * Copyright (C) 2011 Intel Corporation
> + *
> + * Author:
> + * Dmitry Kasatkin <dmitry.kasatkin@intel.com>
> + *
> + * This program is free software; you can redistribute it and/or modify
> + * it under the terms of the GNU General Public License as published by
> + * the Free Software Foundation, version 2 of the License.
> + *
> + */
> +
> +#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
> +
> +#include <linux/err.h>
> +#include <linux/rbtree.h>
> +#include <linux/key-type.h>
> +#include <linux/digsig.h>
> +
> +#include "integrity.h"
> +
> +static struct key *keyring[INTEGRITY_KEYRING_MAX];
> +
> +static const char *keyring_name[INTEGRITY_KEYRING_MAX] = {
> + "_evm",
> + "_module",
> + "_ima",
> +};
> +
> +int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
> + const char *digest, int digestlen)
> +{
> + if (id >= INTEGRITY_KEYRING_MAX)
> + return -EINVAL;
> +
> + if (!keyring[id]) {
> + keyring[id] =
> + request_key(&key_type_keyring, keyring_name[id], NULL);
> + if (IS_ERR(keyring[id])) {
> + pr_err("no %s keyring: %ld\n", keyring_name[id],
> + PTR_ERR(keyring[id]));
> + keyring[id] = NULL;
> + return PTR_ERR(keyring[id]);
> + }
> + }
> +
> + return digsig_verify(keyring[id], sig, siglen, digest, digestlen);
> +}
> diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
> index e898094..9fc723b 100644
> --- a/security/integrity/integrity.h
> +++ b/security/integrity/integrity.h
> @@ -51,5 +51,25 @@ struct integrity_iint_cache {
> struct integrity_iint_cache *integrity_iint_insert(struct inode *inode);
> struct integrity_iint_cache *integrity_iint_find(struct inode *inode);
>
> +#define INTEGRITY_KEYRING_EVM 0
> +#define INTEGRITY_KEYRING_MODULE 1
> +#define INTEGRITY_KEYRING_IMA 2
> +#define INTEGRITY_KEYRING_MAX 3
> +
> +#ifdef CONFIG_INTEGRITY_DIGSIG
> +
> +int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
> + const char *digest, int digestlen);
> +
> +#else
> +
> +static inline int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
> + const char *digest, int digestlen)
> +{
> + return -EOPNOTSUPP;
> +}
> +
> +#endif /* CONFIG_INTEGRITY_DIGSIG */
> +
> /* set during initialization */
> extern int iint_initialized;
next prev parent reply other threads:[~2011-11-04 11:31 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-10-19 11:51 [PATCH v2.2 0/7] evm: digital signature verification extension Dmitry Kasatkin
2011-10-19 11:51 ` [PATCH v2.2 1/7] crypto: GnuPG based MPI lib - source files (part 1) Dmitry Kasatkin
2011-11-19 3:33 ` Stephen Rothwell
2011-11-21 10:20 ` Kasatkin, Dmitry
2011-11-21 11:27 ` James Morris
2011-11-21 15:32 ` Kasatkin, Dmitry
2011-11-21 21:09 ` Stephen Rothwell
2011-10-19 11:51 ` [PATCH v2.2 2/7] crypto: GnuPG based MPI lib - header files (part 2) Dmitry Kasatkin
2012-03-11 9:55 ` Geert Uytterhoeven
2012-03-21 8:39 ` Geert Uytterhoeven
2012-03-22 8:21 ` Kasatkin, Dmitry
2011-10-19 11:51 ` [PATCH v2.2 3/7] crypto: GnuPG based MPI lib - make files (part 3) Dmitry Kasatkin
2011-10-19 11:51 ` [PATCH v2.2 4/7] crypto: GnuPG based MPI lib - additional sources (part 4) Dmitry Kasatkin
2011-10-19 11:51 ` [PATCH v2.2 5/7] crypto: digital signature verification support Dmitry Kasatkin
2011-10-19 11:51 ` [PATCH v2.2 6/7] integrity: digital signature verification using multiple keyrings Dmitry Kasatkin
2011-11-04 11:29 ` Mimi Zohar [this message]
2011-10-19 11:51 ` [PATCH v2.2 7/7] evm: digital signature verification support Dmitry Kasatkin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1320406187.2010.11.camel@falcor \
--to=zohar@linux.vnet.ibm.com \
--cc=dhowells@redhat.com \
--cc=dmitry.kasatkin@intel.com \
--cc=herbert@gondor.hengli.com.au \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).