From: Petko Manolov <petkan@mip-labs.com>
To: Dmitry Kasatkin <dmitry.kasatkin@gmail.com>
Cc: zohar@linux.vnet.ibm.com, linux-ima-devel@lists.sourceforge.net,
linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org,
Dmitry Kasatkin <dmitry.kasatkin@huawei.com>
Subject: Re: [PATCHv3 1/6] integrity: define '.evm' as a builtin 'trusted' keyring
Date: Fri, 23 Oct 2015 16:05:03 +0300 [thread overview]
Message-ID: <20151023130450.GL5224@localhost> (raw)
In-Reply-To: <f0e136f90bff2f694648f1d6c43549dbd11c6cc5.1445539084.git.dmitry.kasatkin@huawei.com>
On 15-10-22 21:49:25, Dmitry Kasatkin wrote:
> Require all keys added to the EVM keyring be signed by an
> existing trusted key on the system trusted keyring.
>
> This patch also switches IMA to use integrity_init_keyring().
>
> Changes in v3:
> * Added 'init_keyring' config based variable to skip initializing
> keyring instead of using __integrity_init_keyring() wrapper.
> * Added dependency back to CONFIG_IMA_TRUSTED_KEYRING
>
> Changes in v2:
> * Replace CONFIG_EVM_TRUSTED_KEYRING with IMA and EVM common
> CONFIG_INTEGRITY_TRUSTED_KEYRING configuration option
> * Deprecate CONFIG_IMA_TRUSTED_KEYRING but keep it for config
> file compatibility. (Mimi Zohar)
>
> Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@huawei.com>
> ---
> security/integrity/Kconfig | 11 +++++++++++
> security/integrity/digsig.c | 14 ++++++++++++--
> security/integrity/evm/evm_main.c | 8 +++++---
> security/integrity/ima/Kconfig | 5 ++++-
> security/integrity/ima/ima.h | 12 ------------
> security/integrity/ima/ima_init.c | 2 +-
> security/integrity/integrity.h | 5 ++---
> 7 files changed, 35 insertions(+), 22 deletions(-)
>
> diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig
> index 73c457b..21d7568 100644
> --- a/security/integrity/Kconfig
> +++ b/security/integrity/Kconfig
> @@ -41,6 +41,17 @@ config INTEGRITY_ASYMMETRIC_KEYS
> This option enables digital signature verification using
> asymmetric keys.
>
> +config INTEGRITY_TRUSTED_KEYRING
> + bool "Require all keys on the integrity keyrings be signed"
> + depends on SYSTEM_TRUSTED_KEYRING
> + depends on INTEGRITY_ASYMMETRIC_KEYS
> + select KEYS_DEBUG_PROC_KEYS
> + default y
> + help
> + This option requires that all keys added to the .ima and
> + .evm keyrings be signed by a key on the system trusted
> + keyring.
> +
> config INTEGRITY_AUDIT
> bool "Enables integrity auditing support "
> depends on AUDIT
> diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
> index 5be9ffb..8ef1511 100644
> --- a/security/integrity/digsig.c
> +++ b/security/integrity/digsig.c
> @@ -24,15 +24,22 @@
> static struct key *keyring[INTEGRITY_KEYRING_MAX];
>
> static const char *keyring_name[INTEGRITY_KEYRING_MAX] = {
> +#ifndef CONFIG_INTEGRITY_TRUSTED_KEYRING
> "_evm",
> - "_module",
> -#ifndef CONFIG_IMA_TRUSTED_KEYRING
> "_ima",
> #else
> + ".evm",
> ".ima",
> #endif
> + "_module",
> };
>
> +#ifdef CONFIG_INTEGRITY_TRUSTED_KEYRING
> +static bool init_keyring __initdata = true;
> +#else
> +static bool init_keyring __initdata;
> +#endif
> +
> int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
> const char *digest, int digestlen)
> {
> @@ -68,6 +75,9 @@ int __init integrity_init_keyring(const unsigned int id)
> const struct cred *cred = current_cred();
> int err = 0;
>
> + if (!init_keyring)
> + return 0;
> +
> keyring[id] = keyring_alloc(keyring_name[id], KUIDT_INIT(0),
> KGIDT_INIT(0), cred,
> ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
> diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
> index 1334e02..75b7e30 100644
> --- a/security/integrity/evm/evm_main.c
> +++ b/security/integrity/evm/evm_main.c
> @@ -478,15 +478,17 @@ static int __init init_evm(void)
>
> evm_init_config();
>
> + error = integrity_init_keyring(INTEGRITY_KEYRING_EVM);
> + if (error)
> + return error;
> +
> error = evm_init_secfs();
> if (error < 0) {
> pr_info("Error registering secfs\n");
> - goto err;
> + return error;
> }
>
> return 0;
> -err:
> - return error;
> }
>
> /*
> diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
> index df30334..a292b88 100644
> --- a/security/integrity/ima/Kconfig
> +++ b/security/integrity/ima/Kconfig
> @@ -123,14 +123,17 @@ config IMA_APPRAISE
> If unsure, say N.
>
> config IMA_TRUSTED_KEYRING
> - bool "Require all keys on the .ima keyring be signed"
> + bool "Require all keys on the .ima keyring be signed (deprecated)"
> depends on IMA_APPRAISE && SYSTEM_TRUSTED_KEYRING
> depends on INTEGRITY_ASYMMETRIC_KEYS
> + select INTEGRITY_TRUSTED_KEYRING
> default y
> help
> This option requires that all keys added to the .ima
> keyring be signed by a key on the system trusted keyring.
>
> + This option is deprecated in favor of INTEGRITY_TRUSTED_KEYRING
> +
> config IMA_LOAD_X509
> bool "Load X509 certificate onto the '.ima' trusted keyring"
> depends on IMA_TRUSTED_KEYRING
I guess we may as well remove this switch. Otherwise somebody have to remember
to post a patch that does so a few kernel releases after this one goes mainline.
> diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
> index e2a60c3..9e82367 100644
> --- a/security/integrity/ima/ima.h
> +++ b/security/integrity/ima/ima.h
> @@ -251,16 +251,4 @@ static inline int security_filter_rule_match(u32 secid, u32 field, u32 op,
> return -EINVAL;
> }
> #endif /* CONFIG_IMA_LSM_RULES */
> -
> -#ifdef CONFIG_IMA_TRUSTED_KEYRING
> -static inline int ima_init_keyring(const unsigned int id)
> -{
> - return integrity_init_keyring(id);
> -}
> -#else
> -static inline int ima_init_keyring(const unsigned int id)
> -{
> - return 0;
> -}
> -#endif /* CONFIG_IMA_TRUSTED_KEYRING */
> #endif
> diff --git a/security/integrity/ima/ima_init.c b/security/integrity/ima/ima_init.c
> index e600cad..bd79f25 100644
> --- a/security/integrity/ima/ima_init.c
> +++ b/security/integrity/ima/ima_init.c
> @@ -116,7 +116,7 @@ int __init ima_init(void)
> if (!ima_used_chip)
> pr_info("No TPM chip found, activating TPM-bypass!\n");
>
> - rc = ima_init_keyring(INTEGRITY_KEYRING_IMA);
> + rc = integrity_init_keyring(INTEGRITY_KEYRING_IMA);
> if (rc)
> return rc;
>
> diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
> index 9c61687..07726a7 100644
> --- a/security/integrity/integrity.h
> +++ b/security/integrity/integrity.h
> @@ -125,8 +125,8 @@ int integrity_kernel_read(struct file *file, loff_t offset,
> int __init integrity_read_file(const char *path, char **data);
>
> #define INTEGRITY_KEYRING_EVM 0
> -#define INTEGRITY_KEYRING_MODULE 1
> -#define INTEGRITY_KEYRING_IMA 2
> +#define INTEGRITY_KEYRING_IMA 1
> +#define INTEGRITY_KEYRING_MODULE 2
> #define INTEGRITY_KEYRING_MAX 3
>
> #ifdef CONFIG_INTEGRITY_SIGNATURE
> @@ -149,7 +149,6 @@ static inline int integrity_init_keyring(const unsigned int id)
> {
> return 0;
> }
> -
> #endif /* CONFIG_INTEGRITY_SIGNATURE */
>
> #ifdef CONFIG_INTEGRITY_ASYMMETRIC_KEYS
> --
> 2.1.4
ACK to the rest of the code.
Petko
next prev parent reply other threads:[~2015-10-23 13:04 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-10-22 18:49 [PATCHv3 0/6] integrity: few EVM patches Dmitry Kasatkin
2015-10-22 18:49 ` [PATCHv3 1/6] integrity: define '.evm' as a builtin 'trusted' keyring Dmitry Kasatkin
2015-10-23 13:05 ` Petko Manolov [this message]
2015-10-23 13:40 ` Dmitry Kasatkin
2015-10-23 18:43 ` Mimi Zohar
2015-10-24 9:35 ` Petko Manolov
2015-10-22 18:49 ` [PATCHv3 2/6] evm: load x509 certificate from the kernel Dmitry Kasatkin
2015-10-22 18:49 ` [PATCHv3 3/6] evm: enable EVM when X509 certificate is loaded Dmitry Kasatkin
2015-10-23 18:31 ` Mimi Zohar
2015-10-26 19:18 ` Dmitry Kasatkin
2015-10-22 18:49 ` [PATCHv3 4/6] evm: provide a function to set EVM key from the kernel Dmitry Kasatkin
2015-10-23 18:30 ` Mimi Zohar
2015-10-26 19:18 ` Dmitry Kasatkin
2015-10-22 18:49 ` [PATCHv3 5/6] evm: define EVM key max and min sizes Dmitry Kasatkin
2015-10-22 18:49 ` [PATCHv3 6/6] evm: reset EVM status when file attributes changes Dmitry Kasatkin
2015-11-05 18:35 ` [PATCHv3 0/6] integrity: few EVM patches Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20151023130450.GL5224@localhost \
--to=petkan@mip-labs.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=dmitry.kasatkin@huawei.com \
--cc=linux-ima-devel@lists.sourceforge.net \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=zohar@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).