From: Mimi Z. <zo...@li...> - 2015-05-12 18:55:54
On Tue, 2015-05-12 at 19:36 +0300, Petko Manolov wrote:
> On 15-05-12 19:00:58, Petko Manolov wrote:
> > Hi guys,
> >
> > Please excuse the monolithic patch - it is small and meant for RFC only.
The size is fine.
> > The project I am currently working on requires dynamic add/revoke of both IMA
> > keys and their respective signing certificates. This requirement pivots around
> > two things: machine uptime and achieving some sort of CA hierarchy.
> >
> > The name is misleading but shows its primary use: .ima_root_ca_keyring - it is
> > in fact system-wide keyring storing intermediate CA public keys, which are used
> > to verify the actual IMA key's signature.
The original trusted keys patch set defined two separate keyrings. One
for the keys used for verifying the IMA certificate and another for the
IMA keys themselves. Until a use case was defined, only the trusted IMA
keyring was upstreamed. The "ca_keys=" boot command line option was
defined to limit the system keyring to either the builtin keys or a
specific key.
> > .ima_root_ca_keyring allows the root user to dynamically add a new certificate and a
> > signed IMA key to the system, mount a new FS with properly signed objects and
> > read/execute files off it without going through a reboot cycle. It also gives us
> > the ability to import IMA keys signed by different entities/certificates, all
> > having their root at a certificate in .system_keyring.
Keys can be added to the IMA keyring without rebooting the system. Why
the need for the additional keyring?
Mimi
> > The patch is tested and, as far as I can tell, does what it was designed for.
> > Any comment would be greatly appreciated.
> >
> >
> > thanks,
> > Petko
>
> Posting the patch again as a non-attachment.
>
>
> Petko
>
>
> ---
>
> diff --git a/crypto/asymmetric_keys/x509_public_key.c b/crypto/asymmetric_keys/x509_public_key.c
> index a6c4203..83a0425 100644
> --- a/crypto/asymmetric_keys/x509_public_key.c
> +++ b/crypto/asymmetric_keys/x509_public_key.c
> @@ -281,6 +281,8 @@ static int x509_key_preparse(struct key_preparsed_payload *prep)
> goto error_free_cert;
> } else if (!prep->trusted) {
> ret = x509_validate_trust(cert, get_system_trusted_keyring());
> + if (ret)
> + ret = x509_validate_trust(cert, get_ima_root_ca_keyring());
> if (!ret)
> prep->trusted = 1;
> }
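Review bot: the fallback added here fires on any non-zero ret from the first x509_validate_trust() call, not only when the issuer is absent, so a certificate whose signature was actually rejected against .system_keyring gets a second chance against .ima_root_ca, and the error finally returned is the second call's rather than the first's; consider retrying only on -ENOKEY. Two further things to note in a comment above the new lines: x509_key_preparse() is generic, so prep->trusted = 1 now marks a key trusted for every keyring that checks the flag, not just .ima; and get_ima_root_ca_keyring() returns NULL when the option is off, so the second call relies on x509_validate_trust() tolerating a NULL keyring.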
> diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
> index 72665eb..7a632e1 100644
> --- a/include/keys/system_keyring.h
> +++ b/include/keys/system_keyring.h
> @@ -28,4 +28,17 @@ static inline struct key *get_system_trusted_keyring(void)
> }
> #endif
>
> +#ifdef CONFIG_IMA_ROOT_CA_KEYRING
> +extern struct key *ima_root_ca_keyring;
> +static inline struct key *get_ima_root_ca_keyring(void)
> +{
> + return ima_root_ca_keyring;
> +}
> +#else
> +static inline struct key *get_ima_root_ca_keyring(void)
> +{
> + return NULL;
> +}
> +#endif /* CONFIG_IMA_ROOT_CA_KEYRING */
> +
> #endif /* _KEYS_SYSTEM_KEYRING_H */
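Review bot: this puts an IMA-specific extern into include/keys/system_keyring.h, so crypto/asymmetric_keys now resolves a symbol defined under security/integrity/ima, the reverse of the existing dependency direction. The cover text itself says the name is misleading and that the keyring is a generic intermediate-CA store; a neutral name and a home next to system_trusted_keyring would fit better, and the #ifdef block needs a short comment saying what the keyring is consulted for, as the block above it has.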
> diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
> index df30334..f859451 100644
> --- a/security/integrity/ima/Kconfig
> +++ b/security/integrity/ima/Kconfig
> @@ -131,6 +131,15 @@ config IMA_TRUSTED_KEYRING
> This option requires that all keys added to the .ima
> keyring be signed by a key on the system trusted keyring.
>
> +config IMA_ROOT_CA_KEYRING
> + bool "Create IMA Root CA keyring"
> + depends on IMA_TRUSTED_KEYRING
> + default y
> + help
> + This option creates IMA Root CA keyring. All keys in it must be
> + signed either by a key in the .system keyring or one which is already
> + in .ima_root_ca_keyring.
> +
> config IMA_LOAD_X509
> bool "Load X509 certificate onto the '.ima' trusted keyring"
> depends on IMA_TRUSTED_KEYRING
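Review bot: default y turns on a new trust path out of the box (certificates that chain to .ima_root_ca become trusted without any change to .system_keyring), which a new option should not do; default n is the safer choice until the use case is settled. The help text also names the keyring .ima_root_ca_keyring while ima_root_ca.c creates ".ima_root_ca", and writes ".system keyring" for .system_keyring; it should use the real names and say that the keyring is consulted as a fallback when an X.509 certificate fails to validate against .system_keyring.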
> diff --git a/security/integrity/ima/Makefile b/security/integrity/ima/Makefile
> index d79263d..b2f9aa0 100644
> --- a/security/integrity/ima/Makefile
> +++ b/security/integrity/ima/Makefile
> @@ -8,3 +8,4 @@ obj-$(CONFIG_IMA) += ima.o
> ima-y := ima_fs.o ima_queue.o ima_init.o ima_main.o ima_crypto.o ima_api.o \
> ima_policy.o ima_template.o ima_template_lib.o
> ima-$(CONFIG_IMA_APPRAISE) += ima_appraise.o
> +obj-$(CONFIG_IMA_ROOT_CA_KEYRING) += ima_root_ca.o
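Review bot: every other IMA object in this Makefile is folded into ima.o through ima-y / ima-$(...), while ima_root_ca.o is added as a separate obj- target; ima-$(CONFIG_IMA_ROOT_CA_KEYRING) += ima_root_ca.o keeps the layout consistent, and since the option is a bool there is no reason for the file to be a standalone object.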
> diff --git a/security/integrity/ima/ima_root_ca.c b/security/integrity/ima/ima_root_ca.c
> new file mode 100644
> index 0000000..95d2526
> --- /dev/null
> +++ b/security/integrity/ima/ima_root_ca.c
> @@ -0,0 +1,41 @@
> +/*
> + * This program is free software; you can redistribute it and/or
> + * modify it under the terms of the GNU General Public License as
> + * published by the Free Software Foundation, version 2 of the
> + * License.
> + *
> + */
> +
> +#include <linux/export.h>
> +#include <linux/kernel.h>
> +#include <linux/sched.h>
> +#include <linux/cred.h>
> +#include <linux/err.h>
> +#include <linux/module.h>
> +#include <keys/asymmetric-type.h>
> +
> +MODULE_LICENSE("GPL");
> +
> +struct key *ima_root_ca_keyring = NULL;
> +EXPORT_SYMBOL_GPL(ima_root_ca_keyring);
> +
> +/*
> + * Allocate the IMA Root CA keyring
> + */
> +__init int ima_root_ca_init(void)
> +{
> + pr_notice("Initialise IMA Root CA keyring.\n");
> +
> + ima_root_ca_keyring = keyring_alloc(".ima_root_ca",
> + KUIDT_INIT(0), KGIDT_INIT(0), current_cred(),
> + (KEY_POS_ALL & ~KEY_POS_SETATTR) |
> + KEY_USR_VIEW | KEY_USR_READ |
> + KEY_USR_WRITE | KEY_USR_SEARCH,
> + KEY_ALLOC_NOT_IN_QUOTA, NULL);
> + if (IS_ERR(ima_root_ca_keyring))
> + panic("Can't allocate IMA Root CA keyring.");
> + set_bit(KEY_FLAG_TRUSTED_ONLY, &ima_root_ca_keyring->flags);
> + return 0;
> +}
> +
> +module_init(ima_root_ca_init);
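Review bot: "__init int ima_root_ca_init(void)" places the section attribute before the return type and is not static; kernel style is "static int __init ima_root_ca_init(void)". "struct key *ima_root_ca_keyring = NULL;" initialises a global to NULL explicitly, which checkpatch flags as redundant. The keyring is created with KEY_USR_WRITE, so its owner can unlink or clear it as well as add to it; that matches the add/revoke use case in the cover text, but it deserves a comment, as does the panic() on allocation failure. With a bool option, module_init() here is just a device-level initcall, so check that it runs before anything tries to add a certificate that should chain through this keyring. A MODULE_DESCRIPTION() next to MODULE_LICENSE() and a pr_fmt prefix for the notice would also match the rest of security/integrity.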
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
> the body of a message to maj...@vg...
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
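As an added illustration of the policy under discussion (not code from the patch or from the kernel), the following Python model walks a certificate chain through the three keyrings named in the thread: a build-time root in .system_keyring, an intermediate added at runtime to .ima_root_ca, and an IMA signing key that is accepted into .ima only through the patch's fallback lookup. The keyrings, the certificate format, the textbook-RSA signatures and all subject names are constructed for the example; the errno values are the Linux ones.

```python
"""Toy model of the trust policy in the thread: a key enters a TRUSTED_ONLY
keyring only if its certificate chains to .system_keyring or, via the patch's
fallback, to .ima_root_ca. Added illustration, not kernel code; the keyrings,
certificates and textbook-RSA signatures are stand-ins for the kernel's."""
import hashlib
import random

EPERM, EOPNOTSUPP, ENOKEY, EKEYREJECTED = 1, 95, 126, 129  # Linux errno values
KEY_FLAG_TRUSTED_ONLY = 1 << 0

def _is_probable_prime(n, rounds=20):
    """Miller-Rabin on an odd candidate, adequate for a toy key generator."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits):
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(c):
            return c

def keygen(bits=512):
    """Textbook RSA, no padding, toy size: returns ((n, e), (n, d))."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:       # e is prime, so this means gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))

def _digest(cert):
    """SHA-256 of the to-be-signed part: subject, subject key, issuer name."""
    tbs = f"{cert['subject']}|{cert['pub']}|{cert['issuer']}".encode()
    return int.from_bytes(hashlib.sha256(tbs).digest(), "big")

def make_cert(subject, pub, issuer, issuer_priv):
    """The issuer signs the certificate body with its private key."""
    cert = {"subject": subject, "pub": pub, "issuer": issuer}
    n, d = issuer_priv
    cert["sig"] = pow(_digest(cert), d, n)
    return cert

class Keyring:
    def __init__(self, name, flags=0):
        self.name, self.flags, self.keys = name, flags, {}  # subject -> public key

def x509_validate_trust(cert, keyring):
    """0 if the issuer is in `keyring` and the signature verifies, else -errno."""
    if keyring is None:              # the inline getter returns NULL when the option is off
        return -EOPNOTSUPP
    issuer_pub = keyring.keys.get(cert["issuer"])
    if issuer_pub is None:
        return -ENOKEY
    n, e = issuer_pub
    return 0 if pow(cert["sig"], e, n) == _digest(cert) % n else -EKEYREJECTED

def x509_key_preparse(cert, system_keyring, ima_root_ca_keyring):
    """Same shape as the patched hunk: try .system_keyring, then fall back."""
    ret = x509_validate_trust(cert, system_keyring)
    if ret:
        ret = x509_validate_trust(cert, ima_root_ca_keyring)
    return ret == 0                  # prep->trusted

def add_key(keyring, cert, system_keyring, ima_root_ca_keyring):
    """A TRUSTED_ONLY keyring refuses a key that preparse did not mark trusted."""
    trusted = x509_key_preparse(cert, system_keyring, ima_root_ca_keyring)
    if keyring.flags & KEY_FLAG_TRUSTED_ONLY and not trusted:
        return -EPERM
    keyring.keys[cert["subject"]] = cert["pub"]
    return 0

def scenario(seed=7):
    """Root CA -> intermediate -> IMA signing key: add, forge, revoke."""
    random.seed(seed)
    (root_pub, root_priv), (inter_pub, inter_priv) = keygen(), keygen()
    ima_pub, _ = keygen()
    system = Keyring(".system_keyring", KEY_FLAG_TRUSTED_ONLY)
    system.keys["Build Root CA"] = root_pub              # compiled in, never chained
    ima_root_ca = Keyring(".ima_root_ca", KEY_FLAG_TRUSTED_ONLY)
    ima = Keyring(".ima", KEY_FLAG_TRUSTED_ONLY)
    inter = make_cert("Ops Intermediate CA", inter_pub, "Build Root CA", root_priv)
    signer = make_cert("ima-signer-1", ima_pub, "Ops Intermediate CA", inter_priv)
    forged = dict(signer, subject="ima-signer-forged")   # body edited, signature stale
    out = {"intermediate_into_root_ca": add_key(ima_root_ca, inter, system, ima_root_ca),
           "ima_key_via_fallback": add_key(ima, signer, system, ima_root_ca),
           "ima_key_option_off": add_key(Keyring(".ima", KEY_FLAG_TRUSTED_ONLY),
                                         signer, system, None),
           "forged_ima_key": add_key(ima, forged, system, ima_root_ca)}
    ima_root_ca.keys.pop("Ops Intermediate CA")          # revoke the intermediate
    later = make_cert("ima-signer-2", ima_pub, "Ops Intermediate CA", inter_priv)
    out["ima_key_after_revoke"] = add_key(ima, later, system, ima_root_ca)
    out["ima_keys_linked"] = sorted(ima.keys)            # signer-1 stays linked
    return out
```

scenario() returns 0 for the intermediate and for the IMA key that reaches .ima through the fallback, and -EPERM for the same key with the fallback keyring absent, for a certificate whose body was edited after signing, and for a key issued after the intermediate was removed. In the model, revoking the intermediate only affects later additions: ima-signer-1 remains linked in .ima afterwards, which is worth keeping in mind for the revoke half of the requirement described in the thread.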