ima: load x509 certificate from the kernel
Define configuration option to load X509 certificate into the IMA trusted kernel keyring. It implements ima_load_x509() hook to load X509 certificate into the .ima trusted kernel keyring from the root filesystem. Changes in v3: * use ima_policy_flag in ima_get_action() ima_load_x509 temporarily clears ima_policy_flag to disable appraisal to load key. Use it to skip appraisal rules. * Key directory path changed to /etc/keys (Mimi) * Expand IMA_LOAD_X509 Kconfig help Changes in v2: * added '__init' * use ima_policy_flag to disable appraisal to load keys Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
This commit is contained in:
parent
65d543b233
commit
fd5f4e9054
|
@ -131,3 +131,21 @@ config IMA_TRUSTED_KEYRING
|
|||
help
|
||||
This option requires that all keys added to the .ima
|
||||
keyring be signed by a key on the system trusted keyring.
|
||||
|
||||
config IMA_LOAD_X509
|
||||
bool "Load X509 certificate onto the '.ima' trusted keyring"
|
||||
depends on IMA_TRUSTED_KEYRING
|
||||
default n
|
||||
help
|
||||
File signature verification is based on the public keys
|
||||
loaded on the .ima trusted keyring. These public keys are
|
||||
X509 certificates signed by a trusted key on the
|
||||
.system keyring. This option enables X509 certificate
|
||||
loading from the kernel onto the '.ima' trusted keyring.
|
||||
|
||||
config IMA_X509_PATH
|
||||
string "IMA X509 certificate path"
|
||||
depends on IMA_LOAD_X509
|
||||
default "/etc/keys/x509_ima.der"
|
||||
help
|
||||
This option defines IMA X509 certificate path.
|
||||
|
|
|
@ -173,8 +173,7 @@ int ima_get_action(struct inode *inode, int mask, int function)
|
|||
{
|
||||
int flags = IMA_MEASURE | IMA_AUDIT | IMA_APPRAISE;
|
||||
|
||||
if (!ima_appraise)
|
||||
flags &= ~IMA_APPRAISE;
|
||||
flags &= ima_policy_flag;
|
||||
|
||||
return ima_match_policy(inode, function, mask, flags);
|
||||
}
|
||||
|
|
|
@ -24,6 +24,12 @@
|
|||
#include <crypto/hash_info.h>
|
||||
#include "ima.h"
|
||||
|
||||
#ifdef CONFIG_IMA_X509_PATH
|
||||
#define IMA_X509_PATH CONFIG_IMA_X509_PATH
|
||||
#else
|
||||
#define IMA_X509_PATH "/etc/keys/x509_ima.der"
|
||||
#endif
|
||||
|
||||
/* name for boot aggregate entry */
|
||||
static const char *boot_aggregate_name = "boot_aggregate";
|
||||
int ima_used_chip;
|
||||
|
@ -91,6 +97,17 @@ err_out:
|
|||
return result;
|
||||
}
|
||||
|
||||
#ifdef CONFIG_IMA_LOAD_X509
|
||||
void __init ima_load_x509(void)
|
||||
{
|
||||
int unset_flags = ima_policy_flag & IMA_APPRAISE;
|
||||
|
||||
ima_policy_flag &= ~unset_flags;
|
||||
integrity_load_x509(INTEGRITY_KEYRING_IMA, IMA_X509_PATH);
|
||||
ima_policy_flag |= unset_flags;
|
||||
}
|
||||
#endif
|
||||
|
||||
int __init ima_init(void)
|
||||
{
|
||||
u8 pcr_i[TPM_DIGEST_SIZE];
|
||||
|
|
|
@ -162,6 +162,14 @@ static inline int asymmetric_verify(struct key *keyring, const char *sig,
|
|||
}
|
||||
#endif
|
||||
|
||||
#ifdef CONFIG_IMA_LOAD_X509
|
||||
void __init ima_load_x509(void);
|
||||
#else
|
||||
static inline void ima_load_x509(void)
|
||||
{
|
||||
}
|
||||
#endif
|
||||
|
||||
#ifdef CONFIG_INTEGRITY_AUDIT
|
||||
/* declarations */
|
||||
void integrity_audit_msg(int audit_msgno, struct inode *inode,
|
||||
|
|
Loading…
Reference in New Issue