Commit 8606404f authored by Dmitry Kasatkin's avatar Dmitry Kasatkin Committed by Mimi Zohar

ima: digital signature verification support

This patch adds support for digital signature based integrity appraisal.
With this patch, 'security.ima' contains either the file data hash or
a digital signature of the file data hash. The file data hash provides
the security attribute of file integrity. In addition to file integrity,
a digital signature provides the security attribute of authenticity.

Unlike EVM, where the digital signature is replaced with an HMAC when the
file metadata changes, modification of the file data does not cause the
'security.ima' digital signature to be replaced with a hash. As a
result, after any modification, subsequent file integrity appraisals
would fail.

Although digitally signed files can be modified, by not updating
'security.ima' to reflect these modifications, digitally signed files
can in essence be considered 'immutable'.

IMA uses a different keyring than EVM. While the EVM keyring should not
be updated after initialization and locked, the IMA keyring should allow
updating or adding new keys when upgrading or installing packages.

Changelog v4:
- Change IMA_DIGSIG to hex equivalent
Changelog v3:
- Permit files without any 'security.ima' xattr to be labeled properly.
Signed-off-by: default avatarDmitry Kasatkin <dmitry.kasatkin@intel.com>
Signed-off-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
parent 5a44b412
...@@ -63,7 +63,7 @@ int ima_appraise_measurement(struct integrity_iint_cache *iint, ...@@ -63,7 +63,7 @@ int ima_appraise_measurement(struct integrity_iint_cache *iint,
{ {
struct dentry *dentry = file->f_dentry; struct dentry *dentry = file->f_dentry;
struct inode *inode = dentry->d_inode; struct inode *inode = dentry->d_inode;
struct evm_ima_xattr_data xattr_value; struct evm_ima_xattr_data *xattr_value = NULL;
enum integrity_status status = INTEGRITY_UNKNOWN; enum integrity_status status = INTEGRITY_UNKNOWN;
const char *op = "appraise_data"; const char *op = "appraise_data";
char *cause = "unknown"; char *cause = "unknown";
...@@ -77,8 +77,8 @@ int ima_appraise_measurement(struct integrity_iint_cache *iint, ...@@ -77,8 +77,8 @@ int ima_appraise_measurement(struct integrity_iint_cache *iint,
if (iint->flags & IMA_APPRAISED) if (iint->flags & IMA_APPRAISED)
return iint->ima_status; return iint->ima_status;
rc = inode->i_op->getxattr(dentry, XATTR_NAME_IMA, (u8 *)&xattr_value, rc = vfs_getxattr_alloc(dentry, XATTR_NAME_IMA, (char **)&xattr_value,
sizeof xattr_value); 0, GFP_NOFS);
if (rc <= 0) { if (rc <= 0) {
if (rc && rc != -ENODATA) if (rc && rc != -ENODATA)
goto out; goto out;
...@@ -89,8 +89,7 @@ int ima_appraise_measurement(struct integrity_iint_cache *iint, ...@@ -89,8 +89,7 @@ int ima_appraise_measurement(struct integrity_iint_cache *iint,
goto out; goto out;
} }
status = evm_verifyxattr(dentry, XATTR_NAME_IMA, (u8 *)&xattr_value, status = evm_verifyxattr(dentry, XATTR_NAME_IMA, xattr_value, rc, iint);
rc, iint);
if ((status != INTEGRITY_PASS) && (status != INTEGRITY_UNKNOWN)) { if ((status != INTEGRITY_PASS) && (status != INTEGRITY_UNKNOWN)) {
if ((status == INTEGRITY_NOLABEL) if ((status == INTEGRITY_NOLABEL)
|| (status == INTEGRITY_NOXATTRS)) || (status == INTEGRITY_NOXATTRS))
...@@ -100,30 +99,58 @@ int ima_appraise_measurement(struct integrity_iint_cache *iint, ...@@ -100,30 +99,58 @@ int ima_appraise_measurement(struct integrity_iint_cache *iint,
goto out; goto out;
} }
rc = memcmp(xattr_value.digest, iint->ima_xattr.digest, switch (xattr_value->type) {
IMA_DIGEST_SIZE); case IMA_XATTR_DIGEST:
if (rc) { rc = memcmp(xattr_value->digest, iint->ima_xattr.digest,
status = INTEGRITY_FAIL; IMA_DIGEST_SIZE);
cause = "invalid-hash"; if (rc) {
print_hex_dump_bytes("security.ima: ", DUMP_PREFIX_NONE, cause = "invalid-hash";
&xattr_value, sizeof xattr_value); status = INTEGRITY_FAIL;
print_hex_dump_bytes("collected: ", DUMP_PREFIX_NONE, print_hex_dump_bytes("security.ima: ", DUMP_PREFIX_NONE,
(u8 *)&iint->ima_xattr, xattr_value, sizeof(*xattr_value));
sizeof iint->ima_xattr); print_hex_dump_bytes("collected: ", DUMP_PREFIX_NONE,
goto out; (u8 *)&iint->ima_xattr,
sizeof iint->ima_xattr);
break;
}
status = INTEGRITY_PASS;
break;
case EVM_IMA_XATTR_DIGSIG:
iint->flags |= IMA_DIGSIG;
rc = integrity_digsig_verify(INTEGRITY_KEYRING_IMA,
xattr_value->digest, rc - 1,
iint->ima_xattr.digest,
IMA_DIGEST_SIZE);
if (rc == -EOPNOTSUPP) {
status = INTEGRITY_UNKNOWN;
} else if (rc) {
cause = "invalid-signature";
status = INTEGRITY_FAIL;
} else {
status = INTEGRITY_PASS;
}
break;
default:
status = INTEGRITY_UNKNOWN;
cause = "unknown-ima-data";
break;
} }
status = INTEGRITY_PASS;
iint->flags |= IMA_APPRAISED;
out: out:
if (status != INTEGRITY_PASS) { if (status != INTEGRITY_PASS) {
if (ima_appraise & IMA_APPRAISE_FIX) { if ((ima_appraise & IMA_APPRAISE_FIX) &&
(!xattr_value ||
xattr_value->type != EVM_IMA_XATTR_DIGSIG)) {
ima_fix_xattr(dentry, iint); ima_fix_xattr(dentry, iint);
status = INTEGRITY_PASS; status = INTEGRITY_PASS;
} }
integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename, integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename,
op, cause, rc, 0); op, cause, rc, 0);
} else {
iint->flags |= IMA_APPRAISED;
} }
iint->ima_status = status; iint->ima_status = status;
kfree(xattr_value);
return status; return status;
} }
...@@ -135,9 +162,14 @@ void ima_update_xattr(struct integrity_iint_cache *iint, struct file *file) ...@@ -135,9 +162,14 @@ void ima_update_xattr(struct integrity_iint_cache *iint, struct file *file)
struct dentry *dentry = file->f_dentry; struct dentry *dentry = file->f_dentry;
int rc = 0; int rc = 0;
/* do not collect and update hash for digital signatures */
if (iint->flags & IMA_DIGSIG)
return;
rc = ima_collect_measurement(iint, file); rc = ima_collect_measurement(iint, file);
if (rc < 0) if (rc < 0)
return; return;
ima_fix_xattr(dentry, iint); ima_fix_xattr(dentry, iint);
} }
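Review bot: In the IMA_XATTR_DIGEST case of the switch, memcmp() reads IMA_DIGEST_SIZE bytes and print_hex_dump_bytes() dumps sizeof(*xattr_value) bytes from xattr_value, but rc (the xattr length returned by vfs_getxattr_alloc()) is only known to be positive at that point, so a short 'security.ima' value over-reads the kmalloc'd buffer that replaced the old fixed-size stack copy. Nothing visible in the hunk validates the length, and as far as this hunk shows an INTEGRITY_UNKNOWN result from evm_verifyxattr() does not imply the value was checked, so guard the compare with `if (rc < (int)sizeof(*xattr_value)) { cause = "invalid-hash"; status = INTEGRITY_FAIL; break; }` before the memcmp(). The EVM_IMA_XATTR_DIGSIG case passes `rc - 1` as the signature length, which cannot go negative here, so it only needs integrity_digsig_verify() to validate its own input. The `rc <= 0` handling between the second and third hunks is outside the visible region, so this assumes it still leaves the function via `out` for every non-positive rc.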
......
...@@ -21,6 +21,7 @@ ...@@ -21,6 +21,7 @@
#define IMA_APPRAISE 0x04 #define IMA_APPRAISE 0x04
#define IMA_APPRAISED 0x08 #define IMA_APPRAISED 0x08
#define IMA_COLLECTED 0x10 #define IMA_COLLECTED 0x10
#define IMA_DIGSIG 0x20
enum evm_ima_xattr_type { enum evm_ima_xattr_type {
IMA_XATTR_DIGEST = 0x01, IMA_XATTR_DIGEST = 0x01,
......