IMA: Use the the system trusted keyrings instead of .ima_mok

Add a config option (IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY)
that, when enabled, allows keys to be added to the IMA keyrings by
userspace - with the restriction that each must be signed by a key in the
system trusted keyrings.

EPERM will be returned if this option is disabled, ENOKEY will be returned if
no authoritative key can be found and EKEYREJECTED will be returned if the
signature doesn't match.  Other errors such as ENOPKG may also be returned.

If this new option is enabled, the builtin system keyring is searched, as is
the secondary system keyring if that is also enabled.  Intermediate keys
between the builtin system keyring and the key being added can be added to
the secondary keyring (which replaces .ima_mok) to form a trust chain -
provided they are also validly signed by a key in one of the trusted keyrings.

The .ima_mok keyring is then removed and the IMA blacklist keyring gets its
own config option (IMA_BLACKLIST_KEYRING).

Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
This commit is contained in:
David Howells 2016-04-07 09:45:23 +01:00
parent d3bfe84129
commit 56104cf2b8
5 changed files with 34 additions and 64 deletions

View File

@ -33,28 +33,19 @@ extern int restrict_link_by_builtin_and_secondary_trusted(
#define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted #define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted
#endif #endif
#ifdef CONFIG_IMA_MOK_KEYRING #ifdef CONFIG_IMA_BLACKLIST_KEYRING
extern struct key *ima_mok_keyring;
extern struct key *ima_blacklist_keyring; extern struct key *ima_blacklist_keyring;
static inline struct key *get_ima_mok_keyring(void)
{
return ima_mok_keyring;
}
static inline struct key *get_ima_blacklist_keyring(void) static inline struct key *get_ima_blacklist_keyring(void)
{ {
return ima_blacklist_keyring; return ima_blacklist_keyring;
} }
#else #else
static inline struct key *get_ima_mok_keyring(void)
{
return NULL;
}
static inline struct key *get_ima_blacklist_keyring(void) static inline struct key *get_ima_blacklist_keyring(void)
{ {
return NULL; return NULL;
} }
#endif /* CONFIG_IMA_MOK_KEYRING */ #endif /* CONFIG_IMA_BLACKLIST_KEYRING */
#endif /* _KEYS_SYSTEM_KEYRING_H */ #endif /* _KEYS_SYSTEM_KEYRING_H */

View File

@ -42,32 +42,10 @@ static bool init_keyring __initdata = true;
static bool init_keyring __initdata; static bool init_keyring __initdata;
#endif #endif
#ifdef CONFIG_SYSTEM_TRUSTED_KEYRING #ifdef CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
/* #define restrict_link_to_ima restrict_link_by_builtin_and_secondary_trusted
* Restrict the addition of keys into the IMA keyring.
*
* Any key that needs to go in .ima keyring must be signed by CA in
* either .system or .ima_mok keyrings.
*/
static int restrict_link_by_ima_mok(struct key *keyring,
const struct key_type *type,
const union key_payload *payload)
{
int ret;
ret = restrict_link_by_builtin_trusted(keyring, type, payload);
if (ret != -ENOKEY)
return ret;
return restrict_link_by_signature(get_ima_mok_keyring(),
type, payload);
}
#else #else
/* #define restrict_link_to_ima restrict_link_by_builtin_trusted
* If there's no system trusted keyring, then keys cannot be loaded into
* .ima_mok and added keys cannot be marked trusted.
*/
#define restrict_link_by_ima_mok restrict_link_reject
#endif #endif
int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen, int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
@ -114,7 +92,7 @@ int __init integrity_init_keyring(const unsigned int id)
KEY_USR_VIEW | KEY_USR_READ | KEY_USR_VIEW | KEY_USR_READ |
KEY_USR_WRITE | KEY_USR_SEARCH), KEY_USR_WRITE | KEY_USR_SEARCH),
KEY_ALLOC_NOT_IN_QUOTA, KEY_ALLOC_NOT_IN_QUOTA,
restrict_link_by_ima_mok, NULL); restrict_link_to_ima, NULL);
if (IS_ERR(keyring[id])) { if (IS_ERR(keyring[id])) {
err = PTR_ERR(keyring[id]); err = PTR_ERR(keyring[id]);
pr_info("Can't allocate %s keyring (%d)\n", pr_info("Can't allocate %s keyring (%d)\n",

View File

@ -155,23 +155,33 @@ config IMA_TRUSTED_KEYRING
This option is deprecated in favor of INTEGRITY_TRUSTED_KEYRING This option is deprecated in favor of INTEGRITY_TRUSTED_KEYRING
config IMA_MOK_KEYRING config IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
bool "Create IMA machine owner keys (MOK) and blacklist keyrings" bool "Permit keys validly signed by a built-in or secondary CA cert (EXPERIMENTAL)"
depends on SYSTEM_TRUSTED_KEYRING
depends on SECONDARY_TRUSTED_KEYRING
depends on INTEGRITY_ASYMMETRIC_KEYS
select INTEGRITY_TRUSTED_KEYRING
default n
help
Keys may be added to the IMA or IMA blacklist keyrings, if the
key is validly signed by a CA cert in the system built-in or
secondary trusted keyrings.
Intermediate keys between those the kernel has compiled in and the
IMA keys to be added may be added to the system secondary keyring,
provided they are validly signed by a key already resident in the
built-in or secondary trusted keyrings.
config IMA_BLACKLIST_KEYRING
bool "Create IMA machine owner blacklist keyrings (EXPERIMENTAL)"
depends on SYSTEM_TRUSTED_KEYRING depends on SYSTEM_TRUSTED_KEYRING
depends on IMA_TRUSTED_KEYRING depends on IMA_TRUSTED_KEYRING
default n default n
help help
This option creates IMA MOK and blacklist keyrings. IMA MOK is an This option creates an IMA blacklist keyring, which contains all
intermediate keyring that sits between .system and .ima keyrings, revoked IMA keys. It is consulted before any other keyring. If
effectively forming a simple CA hierarchy. To successfully import a the search is successful the requested operation is rejected and
key into .ima_mok it must be signed by a key which CA is in .system an error is returned to the caller.
keyring. On turn any key that needs to go in .ima keyring must be
signed by CA in either .system or .ima_mok keyrings. IMA MOK is empty
at kernel boot.
IMA blacklist keyring contains all revoked IMA keys. It is consulted
before any other keyring. If the search is successful the requested
operation is rejected and error is returned to the caller.
config IMA_LOAD_X509 config IMA_LOAD_X509
bool "Load X509 certificate onto the '.ima' trusted keyring" bool "Load X509 certificate onto the '.ima' trusted keyring"

View File

@ -8,4 +8,4 @@ obj-$(CONFIG_IMA) += ima.o
ima-y := ima_fs.o ima_queue.o ima_init.o ima_main.o ima_crypto.o ima_api.o \ ima-y := ima_fs.o ima_queue.o ima_init.o ima_main.o ima_crypto.o ima_api.o \
ima_policy.o ima_template.o ima_template_lib.o ima_policy.o ima_template.o ima_template_lib.o
ima-$(CONFIG_IMA_APPRAISE) += ima_appraise.o ima-$(CONFIG_IMA_APPRAISE) += ima_appraise.o
obj-$(CONFIG_IMA_MOK_KEYRING) += ima_mok.o obj-$(CONFIG_IMA_BLACKLIST_KEYRING) += ima_mok.o

View File

@ -20,23 +20,14 @@
#include <keys/system_keyring.h> #include <keys/system_keyring.h>
struct key *ima_mok_keyring;
struct key *ima_blacklist_keyring; struct key *ima_blacklist_keyring;
/* /*
* Allocate the IMA MOK and blacklist keyrings * Allocate the IMA blacklist keyring
*/ */
__init int ima_mok_init(void) __init int ima_mok_init(void)
{ {
pr_notice("Allocating IMA MOK and blacklist keyrings.\n"); pr_notice("Allocating IMA blacklist keyring.\n");
ima_mok_keyring = keyring_alloc(".ima_mok",
KUIDT_INIT(0), KGIDT_INIT(0), current_cred(),
(KEY_POS_ALL & ~KEY_POS_SETATTR) |
KEY_USR_VIEW | KEY_USR_READ |
KEY_USR_WRITE | KEY_USR_SEARCH,
KEY_ALLOC_NOT_IN_QUOTA,
restrict_link_by_builtin_trusted, NULL);
ima_blacklist_keyring = keyring_alloc(".ima_blacklist", ima_blacklist_keyring = keyring_alloc(".ima_blacklist",
KUIDT_INIT(0), KGIDT_INIT(0), current_cred(), KUIDT_INIT(0), KGIDT_INIT(0), current_cred(),
@ -46,8 +37,8 @@ __init int ima_mok_init(void)
KEY_ALLOC_NOT_IN_QUOTA, KEY_ALLOC_NOT_IN_QUOTA,
restrict_link_by_builtin_trusted, NULL); restrict_link_by_builtin_trusted, NULL);
if (IS_ERR(ima_mok_keyring) || IS_ERR(ima_blacklist_keyring)) if (IS_ERR(ima_blacklist_keyring))
panic("Can't allocate IMA MOK or blacklist keyrings."); panic("Can't allocate IMA blacklist keyring.");
set_bit(KEY_FLAG_KEEP, &ima_blacklist_keyring->flags); set_bit(KEY_FLAG_KEEP, &ima_blacklist_keyring->flags);
return 0; return 0;