From: Dmitry Kasatkin <d.kasatkin@samsung.com>
To: zohar@linux.vnet.ibm.com, linux-ima-devel@lists.sourceforge.net,
	linux-security-module@vger.kernel.org, akpm@linux-foundation.org
Cc: linux-kernel@vger.kernel.org, dhowells@redhat.com,
	dmitry.kasatkin@gmail.com,
	Dmitry Kasatkin <d.kasatkin@samsung.com>
Subject: [PATCH v1 0/4] ima: require signed user-space initialization
Date: Tue, 15 Jul 2014 15:54:19 +0300	[thread overview]
Message-ID: <cover.1405428802.git.d.kasatkin@samsung.com> (raw)

Currently secure IMA/EVM initialization has to be done from the initramfs,
embedded in the signed kernel image. Many systems do not want to use an
initramfs, or the use of an embedded initramfs makes it difficult to have
multi-target kernels.

This is a very simple patchset which makes it possible to perform secure
initialization by requiring initial user-space to be signed.

It does it by:
- introducing IMA public keys loading hook
- loading IMA trusted public key into .ima trusted keyring
- making default IMA appraisal policy to require everything to be signed

When builtin initramfs is not in use, keys cannot be read from initcalls,
because the root filesystem is not yet mounted. In order to read keys before
executing the init process, the ima_prepare_keys() hook is introduced. Reading
public keys from the kernel is justified because the signature verification
key is needed in order to verify anything else which is read from the
file system. Public keys are X509 certificates and are themselves signed by the
trusted key from the .system keyring. Kernel BIG KEYS support is an example
of reading keys directly by the kernel.

The CONFIG_IMA_APPRAISE_SIGNED_INIT kernel option is provided to make the IMA
default appraisal policy require signature validation. The signed init
process needs to initialize the EVM key and load an appropriate IMA policy which
would not require everything to be signed.

Unless the real '/sbin/init' is signed, a simple and practical way is to place
all signed programs, libraries, scripts and configuration files under a
dedicated directory, for example '/ima', and run the signed init process by
providing the kernel command line parameter 'init=/ima/init'.

-Dmitry

Dmitry Kasatkin (4):
  ima: provide hook to load IMA keys when rootfs is ready
  integrity: provide file reading API
  integrity: provide x509 certificate loading from the kernel
  ima: require signed user-space initialization

 include/linux/ima.h                 |  9 +++++
 init/main.c                         |  6 ++-
 security/integrity/Kconfig          |  7 ++++
 security/integrity/digsig.c         | 78 +++++++++++++++++++++++++++++++++++++
 security/integrity/ima/Kconfig      | 15 +++++++
 security/integrity/ima/ima_init.c   | 17 ++++++++
 security/integrity/ima/ima_policy.c |  5 +++
 security/integrity/integrity.h      | 11 +++++-
 8 files changed, 146 insertions(+), 2 deletions(-)

-- 
1.9.1
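The following shell script is an added illustration of the practical setup the cover letter sketches (a signed tree under '/ima' started with 'init=/ima/init', which then loads a relaxed policy); it is not part of the patchset and not Dmitry's code. The staging directory, the key file, the evmctl invocation and the exact relaxed rule set are assumptions: the cover letter only says the signed init loads a policy that no longer requires everything to be signed, and the fsmagic-based dont_appraise rules below mirror the usual pseudo-filesystem exclusions of the stock IMA appraisal policy.

```shell
#!/bin/sh
# Added example, not from the patchset: stage a signed user-space tree under
# "$stage/ima" and emit the relaxed IMA policy a signed /ima/init would load.
# Paths, key file and the rule set are assumptions for illustration.

# Copy each listed file into "$stage/ima", keeping its path relative to "$src".
# If evmctl and the private key are available, attach an IMA signature to the
# copy (stored in its security.ima xattr); otherwise the copy is left unsigned
# so that verify_staged_signed() can report it.
stage_signed_tree() {
    src=$1; stage=$2; key=$3; shift 3
    for f in "$@"; do
        rel=${f#"$src"/}
        mkdir -p "$stage/ima/$(dirname "$rel")" || return 1
        cp "$f" "$stage/ima/$rel" || return 1
        if [ -r "$key" ] && command -v evmctl >/dev/null 2>&1; then
            evmctl ima_sign --key "$key" "$stage/ima/$rel" || return 1
        fi
    done
}

# Defender-side check: list staged files that carry no security.ima xattr.
# Needs getfattr; returns 2 when it is not installed, 1 if unsigned files exist.
verify_staged_signed() {
    stage=$1
    command -v getfattr >/dev/null 2>&1 || return 2
    rc=0
    find "$stage/ima" -type f | while read -r f; do
        if ! getfattr -n security.ima --absolute-names "$f" >/dev/null 2>&1; then
            echo "unsigned: $f"
            rc=1
        fi
    done
    return $rc
}

# Relaxed appraisal policy (assumed rule set) that the signed init writes to
# /sys/kernel/security/ima/policy once EVM is initialised: pseudo-filesystems
# are skipped, root-owned files are still appraised, but by hash instead of a
# mandatory signature (no appraise_type=imasig).
ima_relaxed_policy() {
    cat <<'EOF'
dont_appraise fsmagic=0x9fa0
dont_appraise fsmagic=0x62656572
dont_appraise fsmagic=0x64626720
dont_appraise fsmagic=0x01021994
dont_appraise fsmagic=0x73636673
appraise fowner=0
EOF
}

# Load the relaxed policy; only meaningful on a live system with securityfs.
load_relaxed_policy() {
    [ -w /sys/kernel/security/ima/policy ] || return 2
    ima_relaxed_policy > /sys/kernel/security/ima/policy
}
```

Until the signed init has loaded this policy, the default policy built with CONFIG_IMA_APPRAISE_SIGNED_INIT refuses any root-owned file that lacks a valid signature, so every file the init touches before that point (interpreter, shared libraries, configuration) must be inside the staged tree and signed.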

