diff options
| author | Mimi Zohar <zohar@linux.ibm.com> | 2019-12-12 08:59:26 -0500 |
|---|---|---|
| committer | Mimi Zohar <zohar@linux.ibm.com> | 2019-12-12 08:59:26 -0500 |
| commit | f47825c694851955fa4c492dd56809621529b086 (patch) | |
| tree | f915be6917614dd8cb67d9aae697740551b35f73 /include/linux/ima.h | |
| parent | 96c9e1de99545ce4be1b5e7dff217a896ba96d06 (diff) | |
| parent | 2b60c0ecedf8d43b35a3c8554e72e8daca93fbcf (diff) | |
Merge branch 'next-integrity.measure-keys' into next-integrity
From "KEYS: Measure keys when they are created or updated" cover letter:
Keys created or updated in the system are currently not measured.
Therefore an attestation service, for instance, would not be able to
attest whether or not the trusted keys keyring(s), for instance, contain
only known good (trusted) keys.
IMA measures system files, command line arguments passed to kexec,
boot aggregate, etc. It can be used to measure keys as well.
But there is no mechanism available in the kernel for IMA to
know when a key is created or updated.
This change aims to address measuring keys created or updated
in the system.
To achieve the above the following changes have been made:
- Added a new IMA hook namely, ima_post_key_create_or_update, which
measures the key. This IMA hook is called from key_create_or_update
function. The key measurement can be controlled through IMA policy.
A new IMA policy function KEY_CHECK has been added to measure keys.
"keyrings=" option can be specified for KEY_CHECK to limit
measuring the keys loaded onto the specified keyrings only.
uid can be specified to further restrict key measurement for keys
created by specific user.
# measure keys loaded onto any keyring
measure func=KEY_CHECK
# measure keys loaded onto the IMA keyring only for root user
measure func=KEY_CHECK uid=0 keyring=".ima"
# measure keys on the BUILTIN and IMA keyrings into a different PCR
measure func=KEY_CHECK keyring=".builtin_trusted_keys|.ima" pcr=11
Diffstat (limited to 'include/linux/ima.h')
| -rw-r--r-- | include/linux/ima.h | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/include/linux/ima.h b/include/linux/ima.h index 6d904754d858..3b89136bc218 100644 --- a/include/linux/ima.h +++ b/include/linux/ima.h @@ -101,6 +101,20 @@ static inline void ima_add_kexec_buffer(struct kimage *image) {} #endif +#if defined(CONFIG_IMA) && defined(CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE) +extern void ima_post_key_create_or_update(struct key *keyring, + struct key *key, + const void *payload, size_t plen, + unsigned long flags, bool create); +#else +static inline void ima_post_key_create_or_update(struct key *keyring, + struct key *key, + const void *payload, + size_t plen, + unsigned long flags, + bool create) {} +#endif /* CONFIG_IMA && CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE */ + #ifdef CONFIG_IMA_APPRAISE extern bool is_ima_appraise_enabled(void); extern void ima_inode_post_setattr(struct dentry *dentry); |