ima: load x509 certificate from the kernel

Define configuration option to load X509 certificate into the
IMA trusted kernel keyring. It implements ima_load_x509() hook
to load X509 certificate into the .ima trusted kernel keyring
from the root filesystem.

Changes in v3:
* use ima_policy_flag in ima_get_action()
  ima_load_x509 temporarily clears ima_policy_flag to disable
  appraisal to load key. Use it to skip appraisal rules.
* Key directory path changed to /etc/keys (Mimi)
* Expand IMA_LOAD_X509 Kconfig help

Changes in v2:
* added '__init'
* use ima_policy_flag to disable appraisal to load keys

Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>

diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
index e099875643c54b11b3aabe7031b5a5fbcbee342d..b0840f9a552ffbb3e363ac95a8a08f2275d0c0c2 100644 (file)
--- a/security/integrity/ima/Kconfig
+++ b/security/integrity/ima/Kconfig
@@ -131,3 +131,21 @@ config IMA_TRUSTED_KEYRING
        help
           This option requires that all keys added to the .ima
           keyring be signed by a key on the system trusted keyring.
+
+config IMA_LOAD_X509
+       bool "Load X509 certificate onto the '.ima' trusted keyring"
+       depends on IMA_TRUSTED_KEYRING
+       default n
+       help
+          File signature verification is based on the public keys
+          loaded on the .ima trusted keyring. These public keys are
+          X509 certificates signed by a trusted key on the
+          .system keyring.  This option enables X509 certificate
+          loading from the kernel onto the '.ima' trusted keyring.
+
+config IMA_X509_PATH
+       string "IMA X509 certificate path"
+       depends on IMA_LOAD_X509
+       default "/etc/keys/x509_ima.der"
+       help
+          This option defines IMA X509 certificate path.

diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
index a99eb6d4bc09dc76b86ae9f49627e00e361f8beb..b0dc922d8be3192932a170ad8a8f7b0511bbfaf6 100644 (file)
--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -173,8 +173,7 @@ int ima_get_action(struct inode *inode, int mask, int function)
 {
        int flags = IMA_MEASURE | IMA_AUDIT | IMA_APPRAISE;
 
-       if (!ima_appraise)
-               flags &= ~IMA_APPRAISE;
+       flags &= ima_policy_flag;
 
        return ima_match_policy(inode, function, mask, flags);
 }

diff --git a/security/integrity/ima/ima_init.c b/security/integrity/ima/ima_init.c
index 9164fc8cac84adb53d79b867d7547fcaaf35aa70..5e4c29d174eee3b9281e83c4c9f0e2dac5b390a1 100644 (file)
--- a/security/integrity/ima/ima_init.c
+++ b/security/integrity/ima/ima_init.c
@@ -24,6 +24,12 @@
 #include <crypto/hash_info.h>
 #include "ima.h"
 
+#ifdef CONFIG_IMA_X509_PATH
+#define IMA_X509_PATH  CONFIG_IMA_X509_PATH
+#else
+#define IMA_X509_PATH  "/etc/keys/x509_ima.der"
+#endif
+
 /* name for boot aggregate entry */
 static const char *boot_aggregate_name = "boot_aggregate";
 int ima_used_chip;
@@ -91,6 +97,17 @@ err_out:
        return result;
 }
 
+#ifdef CONFIG_IMA_LOAD_X509
+void __init ima_load_x509(void)
+{
+       int unset_flags = ima_policy_flag & IMA_APPRAISE;
+
+       ima_policy_flag &= ~unset_flags;
+       integrity_load_x509(INTEGRITY_KEYRING_IMA, IMA_X509_PATH);
+       ima_policy_flag |= unset_flags;
+}
+#endif
+
 int __init ima_init(void)
 {
        u8 pcr_i[TPM_DIGEST_SIZE];

diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
index 1057abbd31cdeb4de93e76ce810963a8b2001b77..caa1f6ca72e9f8b2ecea6decb1e1728efa2df0d9 100644 (file)
--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -162,6 +162,14 @@ static inline int asymmetric_verify(struct key *keyring, const char *sig,
 }
 #endif
 
+#ifdef CONFIG_IMA_LOAD_X509
+void __init ima_load_x509(void);
+#else
+static inline void ima_load_x509(void)
+{
+}
+#endif
+
 #ifdef CONFIG_INTEGRITY_AUDIT
 /* declarations */
 void integrity_audit_msg(int audit_msgno, struct inode *inode,