korg/linux
0
0
Fork 0
mirror of https://mirrors.bfsu.edu.cn/git/linux.git synced 2024-11-23 20:24:12 +08:00
Code Issues Packages Projects Releases Wiki Activity
2b60c0eced
linux/security/integrity/ima
History
Lakshmi Ramasubramanian 2b60c0eced IMA: Read keyrings= option from the IMA policy 
Read "keyrings=" option, if specified in the IMA policy, and store in
the list of IMA rules when the configured IMA policy is read.

This patch defines a new policy token enum namely Opt_keyrings
and an option flag IMA_KEYRINGS for reading "keyrings=" option
from the IMA policy.

Updated ima_parse_rule() to parse "keyrings=" option in the policy.
Updated ima_policy_show() to display "keyrings=" option.

The following example illustrates how key measurement can be verified.

Sample "key" measurement rule in the IMA policy:

measure func=KEY_CHECK uid=0 keyrings=.ima|.evm template=ima-buf

Display "key" measurement in the IMA measurement list:

cat /sys/kernel/security/ima/ascii_runtime_measurements

10 faf3...e702 ima-buf sha256:27c915b8ddb9fae7214cf0a8a7043cc3eeeaa7539bcb136f8427067b5f6c3b7b .ima 308202863082...4aee

Verify "key" measurement data for a key added to ".ima" keyring:

cat /sys/kernel/security/integrity/ima/ascii_runtime_measurements | grep -m 1 "\.ima" | cut -d' ' -f 6 | xxd -r -p |tee ima-cert.der | sha256sum | cut -d' ' -f 1

The output of the above command should match the template hash
of the first "key" measurement entry in the IMA measurement list for
the key added to ".ima" keyring.

The file namely "ima-cert.der" generated by the above command
should be a valid x509 certificate (in DER format) and should match
the one that was used to import the key to the ".ima" keyring.
The certificate file can be verified using openssl tool.

Signed-off-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2019-12-12 08:53:50 -05:00
..
ima_api.c IMA: Add support to limit measuring keys 2019-12-12 08:53:50 -05:00
ima_appraise.c IMA: Add support to limit measuring keys 2019-12-12 08:53:50 -05:00
ima_asymmetric_keys.c IMA: Add support to limit measuring keys 2019-12-12 08:53:50 -05:00
ima_crypto.c ima: avoid appraise error for hash calc interrupt 2019-12-12 08:52:05 -05:00
ima_fs.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 441 2019-06-05 17:37:17 +02:00
ima_init.c Merge branch 'next-integrity' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity 2019-07-08 20:28:59 -07:00
ima_kexec.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
ima_main.c IMA: Add support to limit measuring keys 2019-12-12 08:53:50 -05:00
ima_modsig.c ima: Fix use after free in ima_read_modsig() 2019-08-28 15:01:24 -04:00
ima_mok.c Revert "Merge tag 'keys-acl-20190703' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs" 2019-07-10 18:43:43 -07:00
ima_policy.c IMA: Read keyrings= option from the IMA policy 2019-12-12 08:53:50 -05:00
ima_queue.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 441 2019-06-05 17:37:17 +02:00
ima_template_lib.c ima: Define ima-modsig template 2019-08-05 18:40:25 -04:00
ima_template_lib.h ima: Define ima-modsig template 2019-08-05 18:40:25 -04:00
ima_template.c ima: use struct_size() in kzalloc() 2019-08-29 14:23:22 -04:00
ima.h IMA: Add support to limit measuring keys 2019-12-12 08:53:50 -05:00
Kconfig Merge branch 'next-lockdown' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security 2019-09-28 08:14:15 -07:00
Makefile IMA: Define an IMA hook to measure keys 2019-12-12 08:53:50 -05:00