Re: [PATCH v3 0/6] ima: provide signature based 'init' appraisal
From: Mimi Zohar
Date: Mon Oct 13 2014 - 13:33:05 EST
On Fri, 2014-10-10 at 17:09 +0300, Dmitry Kasatkin wrote:
> Currently secure IMA/EVM initialization has to be done from the initramfs,
> embedded in the signed kernel image. Many systems do not want to use
> initramfs or usage of embedded initramfs makes it difficult to have
> multi-target kernels.
> This is a very simple patchset which makes it possible to perform secure
> initialization by requiring initial user-space to be signed.
> It does it by:
> - introducing a hook to load keys
> - loading IMA signed public key certificate into the '.ima' trusted keyring
> - making default IMA appraisal policy to require everything to be signed
> When builtin initramfs is not in use, keys cannot be read from initcalls,
> because root filesystem is not yet mounted. In order to read keys before
> executing init process, ima_prepare_keys() hook is introduced. Reading
> public keys from the kernel is justified because signature verification
> key is needed in order to verify anything else which is read from the
> file system. Public keys are X509 certificates and itself signed by the
> trusted key from the .system keyring. Kernel BIG KEYS support is an example
> of reading keys directly by the kernel.
> CONFIG_IMA_APPRAISE_SIGNED_INIT kernel option is provided to make the IMA
> default appraisal policy to required signature validation. Signed init
> process need to initialize EVM key and load appropriate IMA policy which
> would not require everything to be signed.
> Unless real '/sbin/init' is signed, a simple and practical way is to place
> all signed programs, libraries, scripts and configuration files under
> dedicated directory, for example '/ima', and run signed init process by
> providing a kernel command line parameter 'init=/ima/init'.
> In the first post of these patches Andrew Morton noted that
> integrity_read_file() is a very simple open-file-and-slurp-it-into-memory
> and if there are other similar functions that can be made in ./lib.
> I found out that only sound:sound_firmware.c:do_mod_firmware_load(),
> which is enabled by CONFIG_SOUND_PRIME which is related to deprecated OSS
> interface and is not enabled anymore in latest Ubuntu kernels, at least.
> So I am keeping integrity_read_file() in integrity subsystem.
> cpio based initramfs currently does not support extended attributes.
> There is an initial agreement to introduce light-weight tar parser to
> the kernel to support extended attributes which will make it possible to
> use IMA appraisal with external initramfs. It will benefit from this
> patchset and allow to update initramfs with signed files also on the
> running system as distros do.
Thanks, Dmitry. The patches look good, but I still will need to test.
(Once I figure out how to build a kernel without an initramfs, that
boots a distro kernel.) Only some minor suggested patch descriptions
> Changes in v3:
> * ima_prepare_keys() renamed to integrity_load_keys() to be the hook
> for both modules of integrity subsystem IMA/EVM.
> * removed unnecessary configuration options and declared init functions
> with '__init'.
> * updated to lately introduced 'ima_policy_flag' variable to disabled and
> enable IMA appraisal.
> * separated key loading patch from policy change patch
> * added patch which refactor vfs_read(). Agreed with Mimi to offer to
> move calling file operations hooks to a separate helper function which
> is then used by vfs_read() and integrity_kernel_read(). Applying this
> patch does not affect functionality and can be applied if agreed so.
> Changes in v2:
> * ima_kernel_read() moved as integrity_kernel_read() from ima_crypto.c to
> iint.c for use by integrity_read_file. The reason for keeping internal
> version is because 'integrity' version does not call fsnotify_access(),
> add_rchar() and inc_syscr().
> * integrity_read_file() moved from digsig.c to iint.c because it is used
> by IMA crypto subsystem and should not depend on digsig support being
> Dmitry Kasatkin (6):
> integrity: provide integrity_read_file()
> integrity: provide x509 certificate loading from the kernel
> ima: load x509 certificate from the kernel
> integrity: provide hook to load keys when rootfs is ready
> ima: require signature based appraisal
> VFS: refactor vfs_read()
> fs/read_write.c | 24 ++++++++---
> include/linux/fs.h | 1 +
> include/linux/integrity.h | 6 +++
> init/main.c | 6 ++-
> security/integrity/digsig.c | 37 +++++++++++++++-
> security/integrity/iint.c | 85 +++++++++++++++++++++++++++++++++++++
> security/integrity/ima/Kconfig | 22 ++++++++++
> security/integrity/ima/ima_crypto.c | 35 ++-------------
> security/integrity/ima/ima_init.c | 17 ++++++++
> security/integrity/ima/ima_policy.c | 5 +++
> security/integrity/integrity.h | 14 ++++++
> 11 files changed, 212 insertions(+), 40 deletions(-)
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/