authorDmitry Kasatkin <d.kasatkin@samsung.com>2014-11-05 10:01:14 -0500
committerMimi Zohar <zohar@linux.vnet.ibm.com>2014-11-17 23:12:00 -0500
commitfd5f4e9054acbf4f22fac81a358baf3c27aa42ac (patch)
tree1f17112d28c5dcf786d7edb3e950c51812d2d28d /security/integrity
parent65d543b2335ede80e5e66bc4f559f62db5f469bd (diff)
ima: load x509 certificate from the kernel
Define configuration option to load X509 certificate into the IMA trusted kernel keyring. It implements ima_load_x509() hook to load X509 certificate into the .ima trusted kernel keyring from the root filesystem. Changes in v3: * use ima_policy_flag in ima_get_action() ima_load_x509 temporarily clears ima_policy_flag to disable appraisal to load key. Use it to skip appraisal rules. * Key directory path changed to /etc/keys (Mimi) * Expand IMA_LOAD_X509 Kconfig help Changes in v2: * added '__init' * use ima_policy_flag to disable appraisal to load keys Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Diffstat (limited to 'security/integrity')
-rw-r--r--security/integrity/ima/Kconfig18
-rw-r--r--security/integrity/ima/ima_api.c3
-rw-r--r--security/integrity/ima/ima_init.c17
-rw-r--r--security/integrity/integrity.h8
4 files changed, 44 insertions, 2 deletions
diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
index e099875643c5..b0840f9a552f 100644
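--- a/security/integrity/ima/Kconfig
+++ b/security/integrity/ima/Kconfig
@@ -131,3 +131,21 @@ config IMA_TRUSTED_KEYRING
  help
  This option requires that all keys added to the .ima
  keyring be signed by a key on the system trusted keyring.
+
+config IMA_LOAD_X509
+ bool "Load X509 certificate onto the '.ima' trusted keyring"
+ depends on IMA_TRUSTED_KEYRING
+ default n
+ help
+ File signature verification is based on the public keys
+ loaded on the .ima trusted keyring. These public keys are
+ X509 certificates signed by a trusted key on the
+ .system keyring. This option enables X509 certificate
+ loading from the kernel onto the '.ima' trusted keyring.
+
+config IMA_X509_PATH
+ string "IMA X509 certificate path"
+ depends on IMA_LOAD_X509
+ default "/etc/keys/x509_ima.der"
+ help
+ This option defines IMA X509 certificate path.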
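Review bot: The help text for `IMA_X509_PATH`, and for `IMA_LOAD_X509` above it, does not say what protects the file at that path. Going by the commit description, the loader disables appraisal while it reads the certificate, so the only check on the file is the `IMA_TRUSTED_KEYRING` requirement that keys added to .ima be signed by a key on the system trusted keyring. The help should state that, for example `Path of the X509 certificate the kernel reads from the root filesystem at boot; it is accepted only if signed by a key on the system trusted keyring.` As a style point, `default n` on the bool is redundant, since that is already the Kconfig default.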
diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
index a99eb6d4bc09..b0dc922d8be3 100644
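--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -173,8 +173,7 @@ int ima_get_action(struct inode *inode, int mask, int function)
 {
  int flags = IMA_MEASURE | IMA_AUDIT | IMA_APPRAISE;
 
- if (!ima_appraise)
- flags &= ~IMA_APPRAISE;
+ flags &= ima_policy_flag;
 
  return ima_match_policy(inode, function, mask, flags);
 }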
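Review bot: In ima_get_action(), `flags &= ima_policy_flag;` drops the explicit `ima_appraise` test, so a disabled appraisal setting is now honoured only if whatever maintains `ima_policy_flag` also clears `IMA_APPRAISE` when `ima_appraise` is zero. That code is not part of this diff and should be confirmed. The mask also now filters `IMA_MEASURE` and `IMA_AUDIT`, which the removed lines never touched. A comment on the new line would record both facts, for example `/* ima_policy_flag: actions the current policy can request; IMA_APPRAISE is cleared while ima_load_x509() runs */`.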
diff --git a/security/integrity/ima/ima_init.c b/security/integrity/ima/ima_init.c
index 9164fc8cac84..5e4c29d174ee 100644
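--- a/security/integrity/ima/ima_init.c
+++ b/security/integrity/ima/ima_init.c
@@ -24,6 +24,12 @@
 #include <crypto/hash_info.h>
 #include "ima.h"
 
+#ifdef CONFIG_IMA_X509_PATH
+#define IMA_X509_PATH CONFIG_IMA_X509_PATH
+#else
+#define IMA_X509_PATH "/etc/keys/x509_ima.der"
+#endif
+
 /* name for boot aggregate entry */
 static const char *boot_aggregate_name = "boot_aggregate";
 int ima_used_chip;
@@ -91,6 +97,17 @@ err_out:
  return result;
 }
 
+#ifdef CONFIG_IMA_LOAD_X509
+void __init ima_load_x509(void)
+{
+ int unset_flags = ima_policy_flag & IMA_APPRAISE;
+
+ ima_policy_flag &= ~unset_flags;
+ integrity_load_x509(INTEGRITY_KEYRING_IMA, IMA_X509_PATH);
+ ima_policy_flag |= unset_flags;
+}
+#endif
+
 int __init ima_init(void)
 {
  u8 pcr_i[TPM_DIGEST_SIZE];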
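Review bot: ima_load_x509() clears `IMA_APPRAISE` in the global `ima_policy_flag`, which ima_get_action() consults for every file, so between the `&=` and the `|=` appraisal is off for all file accesses, not only for the read of `IMA_X509_PATH`. That is safe only if nothing else can open files while it runs, and the function should carry a comment stating that ordering requirement, for example `/* Must run during init before any other task can open files: appraisal is disabled system-wide while the certificate is read. */`. The result of integrity_load_x509() is also discarded. Its prototype is not in this diff, but if it returns a status, a failed load deserves at least a `pr_err()`, since the .ima keyring would presumably be left without the key that later signature checks need.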
diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
index 1057abbd31cd..caa1f6ca72e9 100644
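--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -162,6 +162,14 @@ static inline int asymmetric_verify(struct key *keyring, const char *sig,
 }
 #endif
 
+#ifdef CONFIG_IMA_LOAD_X509
+void __init ima_load_x509(void);
+#else
+static inline void ima_load_x509(void)
+{
+}
+#endif
+
 #ifdef CONFIG_INTEGRITY_AUDIT
 /* declarations */
 void integrity_audit_msg(int audit_msgno, struct inode *inode,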