diff options
author | Dmitry Kasatkin <d.kasatkin@samsung.com> | 2014-11-05 10:01:14 -0500 |
---|---|---|
committer | Mimi Zohar <zohar@linux.vnet.ibm.com> | 2014-11-17 23:12:00 -0500 |
commit | fd5f4e9054acbf4f22fac81a358baf3c27aa42ac (patch) | |
tree | 1f17112d28c5dcf786d7edb3e950c51812d2d28d /security/integrity | |
parent | 65d543b2335ede80e5e66bc4f559f62db5f469bd (diff) |
ima: load x509 certificate from the kernel
Define configuration option to load X509 certificate into the
IMA trusted kernel keyring. It implements ima_load_x509() hook
to load X509 certificate into the .ima trusted kernel keyring
from the root filesystem.
Changes in v3:
* use ima_policy_flag in ima_get_action()
ima_load_x509 temporarily clears ima_policy_flag to disable
appraisal to load key. Use it to skip appraisal rules.
* Key directory path changed to /etc/keys (Mimi)
* Expand IMA_LOAD_X509 Kconfig help
Changes in v2:
* added '__init'
* use ima_policy_flag to disable appraisal to load keys
Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Diffstat (limited to 'security/integrity')
-rw-r--r-- | security/integrity/ima/Kconfig | 18 | ||||
-rw-r--r-- | security/integrity/ima/ima_api.c | 3 | ||||
-rw-r--r-- | security/integrity/ima/ima_init.c | 17 | ||||
-rw-r--r-- | security/integrity/integrity.h | 8 |
4 files changed, 44 insertions, 2 deletions
diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig index e099875643c5..b0840f9a552f 100644 --- a/security/integrity/ima/Kconfig +++ b/security/integrity/ima/Kconfig | |||
@@ -131,3 +131,21 @@ config IMA_TRUSTED_KEYRING | |||
131 | help | 131 | help |
132 | This option requires that all keys added to the .ima | 132 | This option requires that all keys added to the .ima |
133 | keyring be signed by a key on the system trusted keyring. | 133 | keyring be signed by a key on the system trusted keyring. |
134 | |||
135 | config IMA_LOAD_X509 | ||
136 | bool "Load X509 certificate onto the '.ima' trusted keyring" | ||
137 | depends on IMA_TRUSTED_KEYRING | ||
138 | default n | ||
139 | help | ||
140 | File signature verification is based on the public keys | ||
141 | loaded on the .ima trusted keyring. These public keys are | ||
142 | X509 certificates signed by a trusted key on the | ||
143 | .system keyring. This option enables X509 certificate | ||
144 | loading from the kernel onto the '.ima' trusted keyring. | ||
145 | |||
146 | config IMA_X509_PATH | ||
147 | string "IMA X509 certificate path" | ||
148 | depends on IMA_LOAD_X509 | ||
149 | default "/etc/keys/x509_ima.der" | ||
150 | help | ||
151 | This option defines IMA X509 certificate path. | ||
diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c index a99eb6d4bc09..b0dc922d8be3 100644 --- a/security/integrity/ima/ima_api.c +++ b/security/integrity/ima/ima_api.c | |||
@@ -173,8 +173,7 @@ int ima_get_action(struct inode *inode, int mask, int function) | |||
173 | { | 173 | { |
174 | int flags = IMA_MEASURE | IMA_AUDIT | IMA_APPRAISE; | 174 | int flags = IMA_MEASURE | IMA_AUDIT | IMA_APPRAISE; |
175 | 175 | ||
176 | if (!ima_appraise) | 176 | flags &= ima_policy_flag; |
177 | flags &= ~IMA_APPRAISE; | ||
178 | 177 | ||
179 | return ima_match_policy(inode, function, mask, flags); | 178 | return ima_match_policy(inode, function, mask, flags); |
180 | } | 179 | } |
diff --git a/security/integrity/ima/ima_init.c b/security/integrity/ima/ima_init.c index 9164fc8cac84..5e4c29d174ee 100644 --- a/security/integrity/ima/ima_init.c +++ b/security/integrity/ima/ima_init.c | |||
@@ -24,6 +24,12 @@ | |||
24 | #include <crypto/hash_info.h> | 24 | #include <crypto/hash_info.h> |
25 | #include "ima.h" | 25 | #include "ima.h" |
26 | 26 | ||
27 | #ifdef CONFIG_IMA_X509_PATH | ||
28 | #define IMA_X509_PATH CONFIG_IMA_X509_PATH | ||
29 | #else | ||
30 | #define IMA_X509_PATH "/etc/keys/x509_ima.der" | ||
31 | #endif | ||
32 | |||
27 | /* name for boot aggregate entry */ | 33 | /* name for boot aggregate entry */ |
28 | static const char *boot_aggregate_name = "boot_aggregate"; | 34 | static const char *boot_aggregate_name = "boot_aggregate"; |
29 | int ima_used_chip; | 35 | int ima_used_chip; |
@@ -91,6 +97,17 @@ err_out: | |||
91 | return result; | 97 | return result; |
92 | } | 98 | } |
93 | 99 | ||
100 | #ifdef CONFIG_IMA_LOAD_X509 | ||
101 | void __init ima_load_x509(void) | ||
102 | { | ||
103 | int unset_flags = ima_policy_flag & IMA_APPRAISE; | ||
104 | |||
105 | ima_policy_flag &= ~unset_flags; | ||
106 | integrity_load_x509(INTEGRITY_KEYRING_IMA, IMA_X509_PATH); | ||
107 | ima_policy_flag |= unset_flags; | ||
108 | } | ||
109 | #endif | ||
110 | |||
94 | int __init ima_init(void) | 111 | int __init ima_init(void) |
95 | { | 112 | { |
96 | u8 pcr_i[TPM_DIGEST_SIZE]; | 113 | u8 pcr_i[TPM_DIGEST_SIZE]; |
diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h index 1057abbd31cd..caa1f6ca72e9 100644 --- a/security/integrity/integrity.h +++ b/security/integrity/integrity.h | |||
@@ -162,6 +162,14 @@ static inline int asymmetric_verify(struct key *keyring, const char *sig, | |||
162 | } | 162 | } |
163 | #endif | 163 | #endif |
164 | 164 | ||
165 | #ifdef CONFIG_IMA_LOAD_X509 | ||
166 | void __init ima_load_x509(void); | ||
167 | #else | ||
168 | static inline void ima_load_x509(void) | ||
169 | { | ||
170 | } | ||
171 | #endif | ||
172 | |||
165 | #ifdef CONFIG_INTEGRITY_AUDIT | 173 | #ifdef CONFIG_INTEGRITY_AUDIT |
166 | /* declarations */ | 174 | /* declarations */ |
167 | void integrity_audit_msg(int audit_msgno, struct inode *inode, | 175 | void integrity_audit_msg(int audit_msgno, struct inode *inode, |