ima: Implement support for module-style appended signatures

Implement the appraise_type=imasig|modsig option, allowing IMA to read and
verify modsig signatures.

In case a file has both an xattr signature and an appended modsig, IMA will
only use the appended signature if the key used by the xattr signature
isn't present in the IMA or platform keyring.

Because modsig verification needs to convert from an integrity keyring id
to the keyring itself, add an integrity_keyring_from_id() function in
digsig.c so that integrity_modsig_verify() can use it.

Signed-off-by: Thiago Jung Bauermann <bauerman@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
This commit is contained in:
Thiago Jung Bauermann 2019-06-27 23:19:30 -03:00 committed by Mimi Zohar
parent a5fbeb615c
commit 39b0709636
8 changed files with 209 additions and 23 deletions

View File

@ -39,11 +39,10 @@ static const char * const keyring_name[INTEGRITY_KEYRING_MAX] = {
#define restrict_link_to_ima restrict_link_by_builtin_trusted #define restrict_link_to_ima restrict_link_by_builtin_trusted
#endif #endif
int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen, static struct key *integrity_keyring_from_id(const unsigned int id)
const char *digest, int digestlen)
{ {
if (id >= INTEGRITY_KEYRING_MAX || siglen < 2) if (id >= INTEGRITY_KEYRING_MAX)
return -EINVAL; return ERR_PTR(-EINVAL);
if (!keyring[id]) { if (!keyring[id]) {
keyring[id] = keyring[id] =
@ -52,23 +51,49 @@ int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
int err = PTR_ERR(keyring[id]); int err = PTR_ERR(keyring[id]);
pr_err("no %s keyring: %d\n", keyring_name[id], err); pr_err("no %s keyring: %d\n", keyring_name[id], err);
keyring[id] = NULL; keyring[id] = NULL;
return err; return ERR_PTR(err);
} }
} }
return keyring[id];
}
int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
const char *digest, int digestlen)
{
struct key *keyring;
if (siglen < 2)
return -EINVAL;
keyring = integrity_keyring_from_id(id);
if (IS_ERR(keyring))
return PTR_ERR(keyring);
switch (sig[1]) { switch (sig[1]) {
case 1: case 1:
/* v1 API expect signature without xattr type */ /* v1 API expect signature without xattr type */
return digsig_verify(keyring[id], sig + 1, siglen - 1, return digsig_verify(keyring, sig + 1, siglen - 1, digest,
digest, digestlen); digestlen);
case 2: case 2:
return asymmetric_verify(keyring[id], sig, siglen, return asymmetric_verify(keyring, sig, siglen, digest,
digest, digestlen); digestlen);
} }
return -EOPNOTSUPP; return -EOPNOTSUPP;
} }
int integrity_modsig_verify(const unsigned int id, const struct modsig *modsig)
{
struct key *keyring;
keyring = integrity_keyring_from_id(id);
if (IS_ERR(keyring))
return PTR_ERR(keyring);
return ima_modsig_verify(keyring, modsig);
}
static int __init __integrity_init_keyring(const unsigned int id, static int __init __integrity_init_keyring(const unsigned int id,
key_perm_t perm, key_perm_t perm,
struct key_restriction *restriction) struct key_restriction *restriction)

View File

@ -236,6 +236,9 @@ config IMA_APPRAISE_BOOTPARAM
config IMA_APPRAISE_MODSIG config IMA_APPRAISE_MODSIG
bool "Support module-style signatures for appraisal" bool "Support module-style signatures for appraisal"
depends on IMA_APPRAISE depends on IMA_APPRAISE
depends on INTEGRITY_ASYMMETRIC_KEYS
select PKCS7_MESSAGE_PARSER
select MODULE_SIG_FORMAT
default n default n
help help
Adds support for signatures appended to files. The format of the Adds support for signatures appended to files. The format of the

View File

@ -196,6 +196,10 @@ enum ima_hooks {
__ima_hooks(__ima_hook_enumify) __ima_hooks(__ima_hook_enumify)
}; };
extern const char *const func_tokens[];
struct modsig;
/* LIM API function definitions */ /* LIM API function definitions */
int ima_get_action(struct inode *inode, const struct cred *cred, u32 secid, int ima_get_action(struct inode *inode, const struct cred *cred, u32 secid,
int mask, enum ima_hooks func, int *pcr, int mask, enum ima_hooks func, int *pcr,
@ -249,7 +253,7 @@ int ima_appraise_measurement(enum ima_hooks func,
struct integrity_iint_cache *iint, struct integrity_iint_cache *iint,
struct file *file, const unsigned char *filename, struct file *file, const unsigned char *filename,
struct evm_ima_xattr_data *xattr_value, struct evm_ima_xattr_data *xattr_value,
int xattr_len); int xattr_len, const struct modsig *modsig);
int ima_must_appraise(struct inode *inode, int mask, enum ima_hooks func); int ima_must_appraise(struct inode *inode, int mask, enum ima_hooks func);
void ima_update_xattr(struct integrity_iint_cache *iint, struct file *file); void ima_update_xattr(struct integrity_iint_cache *iint, struct file *file);
enum integrity_status ima_get_cache_status(struct integrity_iint_cache *iint, enum integrity_status ima_get_cache_status(struct integrity_iint_cache *iint,
@ -265,7 +269,8 @@ static inline int ima_appraise_measurement(enum ima_hooks func,
struct file *file, struct file *file,
const unsigned char *filename, const unsigned char *filename,
struct evm_ima_xattr_data *xattr_value, struct evm_ima_xattr_data *xattr_value,
int xattr_len) int xattr_len,
const struct modsig *modsig)
{ {
return INTEGRITY_UNKNOWN; return INTEGRITY_UNKNOWN;
} }
@ -304,11 +309,24 @@ static inline int ima_read_xattr(struct dentry *dentry,
#ifdef CONFIG_IMA_APPRAISE_MODSIG #ifdef CONFIG_IMA_APPRAISE_MODSIG
bool ima_hook_supports_modsig(enum ima_hooks func); bool ima_hook_supports_modsig(enum ima_hooks func);
int ima_read_modsig(enum ima_hooks func, const void *buf, loff_t buf_len,
struct modsig **modsig);
void ima_free_modsig(struct modsig *modsig);
#else #else
static inline bool ima_hook_supports_modsig(enum ima_hooks func) static inline bool ima_hook_supports_modsig(enum ima_hooks func)
{ {
return false; return false;
} }
static inline int ima_read_modsig(enum ima_hooks func, const void *buf,
loff_t buf_len, struct modsig **modsig)
{
return -EOPNOTSUPP;
}
static inline void ima_free_modsig(struct modsig *modsig)
{
}
#endif /* CONFIG_IMA_APPRAISE_MODSIG */ #endif /* CONFIG_IMA_APPRAISE_MODSIG */
/* LSM based policy rules require audit */ /* LSM based policy rules require audit */

View File

@ -276,6 +276,33 @@ static int xattr_verify(enum ima_hooks func, struct integrity_iint_cache *iint,
return rc; return rc;
} }
/*
* modsig_verify - verify modsig signature
*
* Verify whether the signature matches the file contents.
*
* Return 0 on success, error code otherwise.
*/
static int modsig_verify(enum ima_hooks func, const struct modsig *modsig,
enum integrity_status *status, const char **cause)
{
int rc;
rc = integrity_modsig_verify(INTEGRITY_KEYRING_IMA, modsig);
if (IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING) && rc &&
func == KEXEC_KERNEL_CHECK)
rc = integrity_modsig_verify(INTEGRITY_KEYRING_PLATFORM,
modsig);
if (rc) {
*cause = "invalid-signature";
*status = INTEGRITY_FAIL;
} else {
*status = INTEGRITY_PASS;
}
return rc;
}
/* /*
* ima_appraise_measurement - appraise file measurement * ima_appraise_measurement - appraise file measurement
* *
@ -288,7 +315,7 @@ int ima_appraise_measurement(enum ima_hooks func,
struct integrity_iint_cache *iint, struct integrity_iint_cache *iint,
struct file *file, const unsigned char *filename, struct file *file, const unsigned char *filename,
struct evm_ima_xattr_data *xattr_value, struct evm_ima_xattr_data *xattr_value,
int xattr_len) int xattr_len, const struct modsig *modsig)
{ {
static const char op[] = "appraise_data"; static const char op[] = "appraise_data";
const char *cause = "unknown"; const char *cause = "unknown";
@ -296,11 +323,14 @@ int ima_appraise_measurement(enum ima_hooks func,
struct inode *inode = d_backing_inode(dentry); struct inode *inode = d_backing_inode(dentry);
enum integrity_status status = INTEGRITY_UNKNOWN; enum integrity_status status = INTEGRITY_UNKNOWN;
int rc = xattr_len; int rc = xattr_len;
bool try_modsig = iint->flags & IMA_MODSIG_ALLOWED && modsig;
if (!(inode->i_opflags & IOP_XATTR)) /* If not appraising a modsig, we need an xattr. */
if (!(inode->i_opflags & IOP_XATTR) && !try_modsig)
return INTEGRITY_UNKNOWN; return INTEGRITY_UNKNOWN;
if (rc <= 0) { /* If reading the xattr failed and there's no modsig, error out. */
if (rc <= 0 && !try_modsig) {
if (rc && rc != -ENODATA) if (rc && rc != -ENODATA)
goto out; goto out;
@ -323,6 +353,10 @@ int ima_appraise_measurement(enum ima_hooks func,
case INTEGRITY_UNKNOWN: case INTEGRITY_UNKNOWN:
break; break;
case INTEGRITY_NOXATTRS: /* No EVM protected xattrs. */ case INTEGRITY_NOXATTRS: /* No EVM protected xattrs. */
/* It's fine not to have xattrs when using a modsig. */
if (try_modsig)
break;
/* fall through */
case INTEGRITY_NOLABEL: /* No security.evm xattr. */ case INTEGRITY_NOLABEL: /* No security.evm xattr. */
cause = "missing-HMAC"; cause = "missing-HMAC";
goto out; goto out;
@ -337,6 +371,15 @@ int ima_appraise_measurement(enum ima_hooks func,
rc = xattr_verify(func, iint, xattr_value, xattr_len, &status, rc = xattr_verify(func, iint, xattr_value, xattr_len, &status,
&cause); &cause);
/*
* If we have a modsig and either no imasig or the imasig's key isn't
* known, then try verifying the modsig.
*/
if (try_modsig &&
(!xattr_value || xattr_value->type == IMA_XATTR_DIGEST_NG ||
rc == -ENOKEY))
rc = modsig_verify(func, modsig, &status, &cause);
out: out:
/* /*
* File signatures on some filesystems can not be properly verified. * File signatures on some filesystems can not be properly verified.
@ -353,7 +396,7 @@ out:
op, cause, rc, 0); op, cause, rc, 0);
} else if (status != INTEGRITY_PASS) { } else if (status != INTEGRITY_PASS) {
/* Fix mode, but don't replace file signatures. */ /* Fix mode, but don't replace file signatures. */
if ((ima_appraise & IMA_APPRAISE_FIX) && if ((ima_appraise & IMA_APPRAISE_FIX) && !try_modsig &&
(!xattr_value || (!xattr_value ||
xattr_value->type != EVM_IMA_XATTR_DIGSIG)) { xattr_value->type != EVM_IMA_XATTR_DIGSIG)) {
if (!ima_fix_xattr(dentry, iint)) if (!ima_fix_xattr(dentry, iint))

View File

@ -202,6 +202,7 @@ static int process_measurement(struct file *file, const struct cred *cred,
int rc = 0, action, must_appraise = 0; int rc = 0, action, must_appraise = 0;
int pcr = CONFIG_IMA_MEASURE_PCR_IDX; int pcr = CONFIG_IMA_MEASURE_PCR_IDX;
struct evm_ima_xattr_data *xattr_value = NULL; struct evm_ima_xattr_data *xattr_value = NULL;
struct modsig *modsig = NULL;
int xattr_len = 0; int xattr_len = 0;
bool violation_check; bool violation_check;
enum hash_algo hash_algo; enum hash_algo hash_algo;
@ -302,10 +303,15 @@ static int process_measurement(struct file *file, const struct cred *cred,
} }
if ((action & IMA_APPRAISE_SUBMASK) || if ((action & IMA_APPRAISE_SUBMASK) ||
strcmp(template_desc->name, IMA_TEMPLATE_IMA_NAME) != 0) strcmp(template_desc->name, IMA_TEMPLATE_IMA_NAME) != 0) {
/* read 'security.ima' */ /* read 'security.ima' */
xattr_len = ima_read_xattr(file_dentry(file), &xattr_value); xattr_len = ima_read_xattr(file_dentry(file), &xattr_value);
/* Read the appended modsig if allowed by the policy. */
if (iint->flags & IMA_MODSIG_ALLOWED)
ima_read_modsig(func, buf, size, &modsig);
}
hash_algo = ima_get_hash_algo(xattr_value, xattr_len); hash_algo = ima_get_hash_algo(xattr_value, xattr_len);
rc = ima_collect_measurement(iint, file, buf, size, hash_algo); rc = ima_collect_measurement(iint, file, buf, size, hash_algo);
@ -322,7 +328,7 @@ static int process_measurement(struct file *file, const struct cred *cred,
if (rc == 0 && (action & IMA_APPRAISE_SUBMASK)) { if (rc == 0 && (action & IMA_APPRAISE_SUBMASK)) {
inode_lock(inode); inode_lock(inode);
rc = ima_appraise_measurement(func, iint, file, pathname, rc = ima_appraise_measurement(func, iint, file, pathname,
xattr_value, xattr_len); xattr_value, xattr_len, modsig);
inode_unlock(inode); inode_unlock(inode);
if (!rc) if (!rc)
rc = mmap_violation_check(func, file, &pathbuf, rc = mmap_violation_check(func, file, &pathbuf,
@ -339,6 +345,7 @@ out_locked:
rc = -EACCES; rc = -EACCES;
mutex_unlock(&iint->mutex); mutex_unlock(&iint->mutex);
kfree(xattr_value); kfree(xattr_value);
ima_free_modsig(modsig);
out: out:
if (pathbuf) if (pathbuf)
__putname(pathbuf); __putname(pathbuf);

View File

@ -8,8 +8,17 @@
* Thiago Jung Bauermann <bauerman@linux.ibm.com> * Thiago Jung Bauermann <bauerman@linux.ibm.com>
*/ */
#include <linux/types.h>
#include <linux/module_signature.h>
#include <keys/asymmetric-type.h>
#include <crypto/pkcs7.h>
#include "ima.h" #include "ima.h"
struct modsig {
struct pkcs7_message *pkcs7_msg;
};
/** /**
* ima_hook_supports_modsig - can the policy allow modsig for this hook? * ima_hook_supports_modsig - can the policy allow modsig for this hook?
* *
@ -29,3 +38,65 @@ bool ima_hook_supports_modsig(enum ima_hooks func)
return false; return false;
} }
} }
/*
* ima_read_modsig - Read modsig from buf.
*
* Return: 0 on success, error code otherwise.
*/
int ima_read_modsig(enum ima_hooks func, const void *buf, loff_t buf_len,
struct modsig **modsig)
{
const size_t marker_len = strlen(MODULE_SIG_STRING);
const struct module_signature *sig;
struct modsig *hdr;
size_t sig_len;
const void *p;
int rc;
if (buf_len <= marker_len + sizeof(*sig))
return -ENOENT;
p = buf + buf_len - marker_len;
if (memcmp(p, MODULE_SIG_STRING, marker_len))
return -ENOENT;
buf_len -= marker_len;
sig = (const struct module_signature *)(p - sizeof(*sig));
rc = mod_check_sig(sig, buf_len, func_tokens[func]);
if (rc)
return rc;
sig_len = be32_to_cpu(sig->sig_len);
buf_len -= sig_len + sizeof(*sig);
hdr = kmalloc(sizeof(*hdr), GFP_KERNEL);
if (!hdr)
return -ENOMEM;
hdr->pkcs7_msg = pkcs7_parse_message(buf + buf_len, sig_len);
if (IS_ERR(hdr->pkcs7_msg)) {
kfree(hdr);
return PTR_ERR(hdr->pkcs7_msg);
}
*modsig = hdr;
return 0;
}
int ima_modsig_verify(struct key *keyring, const struct modsig *modsig)
{
return verify_pkcs7_message_sig(NULL, 0, modsig->pkcs7_msg, keyring,
VERIFYING_MODULE_SIGNATURE, NULL, NULL);
}
void ima_free_modsig(struct modsig *modsig)
{
if (!modsig)
return;
pkcs7_free_message(modsig->pkcs7_msg);
kfree(modsig);
}

View File

@ -1258,6 +1258,12 @@ void ima_delete_rules(void)
} }
} }
#define __ima_hook_stringify(str) (#str),
const char *const func_tokens[] = {
__ima_hooks(__ima_hook_stringify)
};
#ifdef CONFIG_IMA_READ_POLICY #ifdef CONFIG_IMA_READ_POLICY
enum { enum {
mask_exec = 0, mask_write, mask_read, mask_append mask_exec = 0, mask_write, mask_read, mask_append
@ -1270,12 +1276,6 @@ static const char *const mask_tokens[] = {
"^MAY_APPEND" "^MAY_APPEND"
}; };
#define __ima_hook_stringify(str) (#str),
static const char *const func_tokens[] = {
__ima_hooks(__ima_hook_stringify)
};
void *ima_policy_start(struct seq_file *m, loff_t *pos) void *ima_policy_start(struct seq_file *m, loff_t *pos)
{ {
loff_t l = *pos; loff_t l = *pos;

View File

@ -148,10 +148,13 @@ int integrity_kernel_read(struct file *file, loff_t offset,
extern struct dentry *integrity_dir; extern struct dentry *integrity_dir;
struct modsig;
#ifdef CONFIG_INTEGRITY_SIGNATURE #ifdef CONFIG_INTEGRITY_SIGNATURE
int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen, int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
const char *digest, int digestlen); const char *digest, int digestlen);
int integrity_modsig_verify(unsigned int id, const struct modsig *modsig);
int __init integrity_init_keyring(const unsigned int id); int __init integrity_init_keyring(const unsigned int id);
int __init integrity_load_x509(const unsigned int id, const char *path); int __init integrity_load_x509(const unsigned int id, const char *path);
@ -166,6 +169,12 @@ static inline int integrity_digsig_verify(const unsigned int id,
return -EOPNOTSUPP; return -EOPNOTSUPP;
} }
static inline int integrity_modsig_verify(unsigned int id,
const struct modsig *modsig)
{
return -EOPNOTSUPP;
}
static inline int integrity_init_keyring(const unsigned int id) static inline int integrity_init_keyring(const unsigned int id)
{ {
return 0; return 0;
@ -191,6 +200,16 @@ static inline int asymmetric_verify(struct key *keyring, const char *sig,
} }
#endif #endif
#ifdef CONFIG_IMA_APPRAISE_MODSIG
int ima_modsig_verify(struct key *keyring, const struct modsig *modsig);
#else
static inline int ima_modsig_verify(struct key *keyring,
const struct modsig *modsig)
{
return -EOPNOTSUPP;
}
#endif
#ifdef CONFIG_IMA_LOAD_X509 #ifdef CONFIG_IMA_LOAD_X509
void __init ima_load_x509(void); void __init ima_load_x509(void);
#else #else