integrity: define '.evm' as a builtin 'trusted' keyring
authorDmitry Kasatkin <dmitry.kasatkin@huawei.com>
Thu, 22 Oct 2015 18:26:10 +0000 (21:26 +0300)
committerMimi Zohar <zohar@linux.vnet.ibm.com>
Mon, 23 Nov 2015 19:30:02 +0000 (14:30 -0500)
Require all keys added to the EVM keyring be signed by an
existing trusted key on the system trusted keyring.

This patch also switches IMA to use integrity_init_keyring().

Changes in v3:
* Added 'init_keyring' config based variable to skip initializing
  keyring instead of using  __integrity_init_keyring() wrapper.
* Added dependency back to CONFIG_IMA_TRUSTED_KEYRING

Changes in v2:
* Replace CONFIG_EVM_TRUSTED_KEYRING with IMA and EVM common
  CONFIG_INTEGRITY_TRUSTED_KEYRING configuration option
* Deprecate CONFIG_IMA_TRUSTED_KEYRING but keep it for config
  file compatibility. (Mimi Zohar)

Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@huawei.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
security/integrity/Kconfig
security/integrity/digsig.c
security/integrity/evm/evm_main.c
security/integrity/ima/Kconfig
security/integrity/ima/ima.h
security/integrity/ima/ima_init.c
security/integrity/integrity.h

index 73c457bf5a4aea01eb56b36613ee69f929428765..21d756832b754322f71722f6b0857294e1a5ffd2 100644 (file)
@@ -41,6 +41,17 @@ config INTEGRITY_ASYMMETRIC_KEYS
          This option enables digital signature verification using
          asymmetric keys.
 
+config INTEGRITY_TRUSTED_KEYRING
+       bool "Require all keys on the integrity keyrings be signed"
+       depends on SYSTEM_TRUSTED_KEYRING
+       depends on INTEGRITY_ASYMMETRIC_KEYS
+       select KEYS_DEBUG_PROC_KEYS
+       default y
+       help
+          This option requires that all keys added to the .ima and
+          .evm keyrings be signed by a key on the system trusted
+          keyring.
+
 config INTEGRITY_AUDIT
        bool "Enables integrity auditing support "
        depends on AUDIT
index 5be9ffbe90bad1511d12b65345064dec22bac00a..8ef15118cc78cfdb373c1962f3504e9364e0d453 100644 (file)
 static struct key *keyring[INTEGRITY_KEYRING_MAX];
 
 static const char *keyring_name[INTEGRITY_KEYRING_MAX] = {
+#ifndef CONFIG_INTEGRITY_TRUSTED_KEYRING
        "_evm",
-       "_module",
-#ifndef CONFIG_IMA_TRUSTED_KEYRING
        "_ima",
 #else
+       ".evm",
        ".ima",
 #endif
+       "_module",
 };
 
+#ifdef CONFIG_INTEGRITY_TRUSTED_KEYRING
+static bool init_keyring __initdata = true;
+#else
+static bool init_keyring __initdata;
+#endif
+
 int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
                            const char *digest, int digestlen)
 {
@@ -68,6 +75,9 @@ int __init integrity_init_keyring(const unsigned int id)
        const struct cred *cred = current_cred();
        int err = 0;
 
+       if (!init_keyring)
+               return 0;
+
        keyring[id] = keyring_alloc(keyring_name[id], KUIDT_INIT(0),
                                    KGIDT_INIT(0), cred,
                                    ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
index 1334e02ae8f412910151d73acc670745f01ca2bf..75b7e3031d2a6de77ae58e47da5fb3c996470c8e 100644 (file)
@@ -478,15 +478,17 @@ static int __init init_evm(void)
 
        evm_init_config();
 
+       error = integrity_init_keyring(INTEGRITY_KEYRING_EVM);
+       if (error)
+               return error;
+
        error = evm_init_secfs();
        if (error < 0) {
                pr_info("Error registering secfs\n");
-               goto err;
+               return error;
        }
 
        return 0;
-err:
-       return error;
 }
 
 /*
index df303346029ba5f722d9e2787d9f8884ddef4b4d..a292b881c16f7ed7d32f19154564e81f1a5e6c4b 100644 (file)
@@ -123,14 +123,17 @@ config IMA_APPRAISE
          If unsure, say N.
 
 config IMA_TRUSTED_KEYRING
-       bool "Require all keys on the .ima keyring be signed"
+       bool "Require all keys on the .ima keyring be signed (deprecated)"
        depends on IMA_APPRAISE && SYSTEM_TRUSTED_KEYRING
        depends on INTEGRITY_ASYMMETRIC_KEYS
+       select INTEGRITY_TRUSTED_KEYRING
        default y
        help
           This option requires that all keys added to the .ima
           keyring be signed by a key on the system trusted keyring.
 
+          This option is deprecated in favor of INTEGRITY_TRUSTED_KEYRING
+
 config IMA_LOAD_X509
        bool "Load X509 certificate onto the '.ima' trusted keyring"
        depends on IMA_TRUSTED_KEYRING
index e2a60c30df44b33526fd8ec5f7175d7f72cc2a18..9e82367f519068a8ef10da53fbf6096f232b5fad 100644 (file)
@@ -251,16 +251,4 @@ static inline int security_filter_rule_match(u32 secid, u32 field, u32 op,
        return -EINVAL;
 }
 #endif /* CONFIG_IMA_LSM_RULES */
-
-#ifdef CONFIG_IMA_TRUSTED_KEYRING
-static inline int ima_init_keyring(const unsigned int id)
-{
-       return integrity_init_keyring(id);
-}
-#else
-static inline int ima_init_keyring(const unsigned int id)
-{
-       return 0;
-}
-#endif /* CONFIG_IMA_TRUSTED_KEYRING */
 #endif
index e600cadd231cb985d4107b0c8149bdbe6b5fb152..bd79f254d204b3503b3a7a64cec88ae3d37a1e9f 100644 (file)
@@ -116,7 +116,7 @@ int __init ima_init(void)
        if (!ima_used_chip)
                pr_info("No TPM chip found, activating TPM-bypass!\n");
 
-       rc = ima_init_keyring(INTEGRITY_KEYRING_IMA);
+       rc = integrity_init_keyring(INTEGRITY_KEYRING_IMA);
        if (rc)
                return rc;
 
index 9c6168709d3bc6957261bb6c17cefa64d8c4ffc5..07726a731727de59ad26d0fc0ddf3def032a4177 100644 (file)
@@ -125,8 +125,8 @@ int integrity_kernel_read(struct file *file, loff_t offset,
 int __init integrity_read_file(const char *path, char **data);
 
 #define INTEGRITY_KEYRING_EVM          0
-#define INTEGRITY_KEYRING_MODULE       1
-#define INTEGRITY_KEYRING_IMA          2
+#define INTEGRITY_KEYRING_IMA          1
+#define INTEGRITY_KEYRING_MODULE       2
 #define INTEGRITY_KEYRING_MAX          3
 
 #ifdef CONFIG_INTEGRITY_SIGNATURE
@@ -149,7 +149,6 @@ static inline int integrity_init_keyring(const unsigned int id)
 {
        return 0;
 }
-
 #endif /* CONFIG_INTEGRITY_SIGNATURE */
 
 #ifdef CONFIG_INTEGRITY_ASYMMETRIC_KEYS