public inbox for linux-kernel@vger.kernel.org
From: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
To: zohar@linux.ibm.com
Cc: tyhicks@linux.microsoft.com, tusharsu@linux.microsoft.com,
	sashal@kernel.org, linux-integrity@vger.kernel.org,
	linux-kernel@vger.kernel.org
Subject: [PATCH v3 0/3] IMA: Generalize early boot data measurement
Date: Sat, 26 Sep 2020 08:52:16 -0700	[thread overview]
Message-ID: <20200926155219.5561-1-nramas@linux.microsoft.com> (raw)

The current implementation of early boot measurement in the IMA
subsystem is specific to asymmetric keys. It does not handle
early boot measurement of data from other subsystems such as
Linux Security Module (LSM), Device-Mapper, etc. As a result, data
provided by these subsystems during system boot are not measured by IMA.

This patch series makes the early boot key measurement functions generic
such that they can be used to measure any early boot data. The functions
in ima_queue_keys.c are refactored to a new file ima_queue_data.c.
The kernel configuration CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS is removed
and instead a new function, namely ima_queuing_enabled(), is added to
check if the subsystems using early boot data measurement are enabled.
Since measurement of asymmetric keys is the first consumer of early
boot measurement, enable queuing if CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS
and CONFIG_SYSTEM_TRUSTED_KEYRING are both enabled.

The IMA hook to measure kernel critical data, ima_measure_critical_data(),
is updated to utilize early boot measurement support.

This series is based on the following repo/branch:
 https://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git
 branch: next-integrity
 commit aa662fc04f5b ("ima: Fix NULL pointer dereference in ima_file_hash")

This patch is dependent on the following patch series:
	https://patchwork.kernel.org/patch/11795559/

Lakshmi Ramasubramanian (3):
  IMA: Generalize early boot measurement of asymmetric keys
  IMA: Support measurement of generic data during early
  IMA: Support early boot measurement of critical data

 security/integrity/ima/Kconfig               |   6 -
 security/integrity/ima/Makefile              |   3 +-
 security/integrity/ima/ima.h                 |  29 ++-
 security/integrity/ima/ima_asymmetric_keys.c |   7 +-
 security/integrity/ima/ima_init.c            |   2 +-
 security/integrity/ima/ima_main.c            |  10 +
 security/integrity/ima/ima_policy.c          |   2 +-
 security/integrity/ima/ima_queue_data.c      | 200 +++++++++++++++++++
 security/integrity/ima/ima_queue_keys.c      | 175 ----------------
 9 files changed, 229 insertions(+), 205 deletions(-)
 create mode 100644 security/integrity/ima/ima_queue_data.c
 delete mode 100644 security/integrity/ima/ima_queue_keys.c

-- 
2.28.0
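The queue-then-drain pattern this cover letter describes, as an added user-space model (not kernel code and not part of this series): data that arrives before the IMA policy is loaded is queued and measured later in arrival order, after which callers measure directly. ima_queuing_enabled() mirrors the check the series introduces; the other function names, the source labels, the fixed-size buffers and the build-config macros are assumptions.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
#define CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS 1   /* constructed build config */
#define CONFIG_SYSTEM_TRUSTED_KEYRING 1

struct queued_entry {                  /* one deferred measurement */
    char source[16];                   /* constructed label: "keyring", "lsm", "dm" */
    unsigned char data[64];            /* private copy of the early-boot data */
    size_t len;
    struct queued_entry *next;
};
static struct queued_entry *queue_head, **queue_tail = &queue_head;
static bool ima_initialized;           /* true once the IMA policy is loaded */
unsigned ima_measured_count;           /* stands in for measurement list + PCR extend */

/* Stand-in for ima_queuing_enabled(): queue only if a consumer is built in. */
bool ima_queuing_enabled(void) {
    return CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS && CONFIG_SYSTEM_TRUSTED_KEYRING;
}

/* Returns 1 if measured now, 0 if queued until IMA is ready, -1 if dropped. */
int ima_measure_early_data(const char *source, const unsigned char *data, size_t len) {
    struct queued_entry *e;
    if (ima_initialized) {
        ima_measured_count++;          /* kernel: add template entry, extend PCR */
        return 1;
    }
    if (!ima_queuing_enabled() || len > sizeof(e->data) || !(e = calloc(1, sizeof(*e))))
        return -1;                     /* no consumer built in, oversize, or OOM */
    strncpy(e->source, source, sizeof(e->source) - 1);
    memcpy(e->data, data, len);
    e->len = len;
    *queue_tail = e;                   /* append, so arrival order is preserved */
    queue_tail = &e->next;
    return 0;
}

/* Called once the policy is loaded: drain the queue in order, then measure directly. */
unsigned ima_process_queued_data(void) {
    unsigned n = 0;
    struct queued_entry *e;
    ima_initialized = true;
    while ((e = queue_head) != NULL) {
        queue_head = e->next;
        ima_measured_count++;          /* same measurement as above, just later */
        free(e);
        n++;
    }
    queue_tail = &queue_head;
    return n;
}
```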