
ima: enable loading of build time generated key on .ima keyring

The kernel currently loads the kernel module signing key only onto the
builtin trusted keyring. Load the module signing key onto the IMA keyring
as well.

Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
Acked-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

authored by

Nayna Jain and committed by
Mimi Zohar
6cbdfb3d 0165f4ca

+61 -11
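--- a/certs/system_certificates.S
+++ b/certs/system_certificates.S
@@ -8,9 +8,11 @@
 .globl system_certificate_list
 system_certificate_list:
 __cert_list_start:
-#ifdef CONFIG_MODULE_SIG
+__module_cert_start:
+#if defined(CONFIG_MODULE_SIG) || defined(CONFIG_IMA_APPRAISE_MODSIG)
 .incbin "certs/signing_key.x509"
 #endif
+__module_cert_end:
 .incbin "certs/x509_certificate_list"
 __cert_list_end:
 
@@ -36,4 +34,13 @@
 .quad __cert_list_end - __cert_list_start
 #else
 .long __cert_list_end - __cert_list_start
+#endif
+
+.align 8
+.globl module_cert_size
+module_cert_size:
+#ifdef CONFIG_64BIT
+.quad __module_cert_end - __module_cert_start
+#else
+.long __module_cert_end - __module_cert_start
 #endif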
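Review bot: The new `__module_cert_start`/`__module_cert_end` labels and `module_cert_size` encode two assumptions that nothing in this file states: the build-time module signing cert must remain the first entry of system_certificate_list (the C side in certs/system_keyring.c skips the first module_cert_size bytes to exclude it), and `module_cert_size` must be 0 when neither CONFIG_MODULE_SIG nor CONFIG_IMA_APPRAISE_MODSIG is set, which holds only because both labels are emitted unconditionally around the `#if`. A later edit that moves the `.incbin "certs/signing_key.x509"` after the x509_certificate_list, or wraps a label in the `#if`, would silently hand the wrong bytes to the keyring loaders. A comment above `__module_cert_start:` would pin this down, e.g. `/* Keep the module signing cert first: C reads it as [__module_cert_start, __module_cert_end) and skips it via module_cert_size. */`.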
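--- a/certs/system_keyring.c
+++ b/certs/system_keyring.c
@@ -27,6 +27,7 @@
 
 extern __initconst const u8 system_certificate_list[];
 extern __initconst const unsigned long system_certificate_list_size;
+extern __initconst const unsigned long module_cert_size;
 
 /**
 * restrict_link_to_builtin_trusted - Restrict keyring addition by built in CA
@@ -133,19 +132,11 @@
 */
 device_initcall(system_trusted_keyring_init);
 
-/*
-* Load the compiled-in list of X.509 certificates.
-*/
-static __init int load_system_certificate_list(void)
+static __init int load_cert(const u8 *p, const u8 *end, struct key *keyring)
 {
 key_ref_t key;
-const u8 *p, *end;
 size_t plen;
 
-pr_notice("Loading compiled-in X.509 certificates\n");
-
-p = system_certificate_list;
-end = p + system_certificate_list_size;
 while (p < end) {
 /* Each cert begins with an ASN.1 SEQUENCE tag and must be more
 * than 256 bytes in size.
@@ -152,7 +159,7 @@
 if (plen > end - p)
 goto dodgy_cert;
 
-key = key_create_or_update(make_key_ref(builtin_trusted_keys, 1),
+key = key_create_or_update(make_key_ref(keyring, 1),
 "asymmetric",
 NULL,
 p,
@@ -178,6 +185,43 @@
 dodgy_cert:
 pr_err("Problem parsing in-kernel X.509 certificate list\n");
 return 0;
+}
+
+__init int load_module_cert(struct key *keyring)
+{
+const u8 *p, *end;
+
+if (!IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG))
+return 0;
+
+pr_notice("Loading compiled-in module X.509 certificates\n");
+
+p = system_certificate_list;
+end = p + module_cert_size;
+
+return load_cert(p, end, keyring);
+}
+
+/*
+* Load the compiled-in list of X.509 certificates.
+*/
+static __init int load_system_certificate_list(void)
+{
+const u8 *p, *end;
+unsigned long size;
+
+pr_notice("Loading compiled-in X.509 certificates\n");
+
+#ifdef CONFIG_MODULE_SIG
+p = system_certificate_list;
+size = system_certificate_list_size;
+#else
+p = system_certificate_list + module_cert_size;
+size = system_certificate_list_size - module_cert_size;
+#endif
+
+end = p + size;
+return load_cert(p, end, builtin_trusted_keys);
 }
 late_initcall(load_system_certificate_list);
 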
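Review bot: `__init int load_module_cert(struct key *keyring)` is a new non-static entry point called from security/integrity with no kernel-doc, and the behaviour a caller most needs to know is the part this hunk does not show: it pushes the build-time module signing cert through load_cert, whose key_create_or_update flags are cut off after `p,`, and if those flags bypass keyring restrictions (as the builtin-keyring loader presumably needs for self-signed certs) the cert lands on the .ima keyring without the signed-by-a-trusted-key check that keyring otherwise applies. A comment above the function should state that it loads only the first module_cert_size bytes of system_certificate_list, that it is a no-op unless CONFIG_IMA_APPRAISE_MODSIG is set, that the load goes through the same flags as the builtin loader, and that it returns 0 even on a parse failure because load_cert's dodgy_cert path returns 0. The `#ifdef CONFIG_MODULE_SIG` selection in load_system_certificate_list likewise relies silently on the module cert being first in the list and on module_cert_size being 0 when no cert is built in; `/* Without MODULE_SIG the build-time cert is meant for .ima only, so skip it here. */` above the `#ifdef` would make that intent visible.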
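--- a/include/keys/system_keyring.h
+++ b/include/keys/system_keyring.h
@@ -16,9 +16,16 @@
 const struct key_type *type,
 const union key_payload *payload,
 struct key *restriction_key);
+extern __init int load_module_cert(struct key *keyring);
 
 #else
 #define restrict_link_by_builtin_trusted restrict_link_reject
+
+static inline __init int load_module_cert(struct key *keyring)
+{
+return 0;
+}
+
 #endif
 
 #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING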
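--- a/security/integrity/digsig.c
+++ b/security/integrity/digsig.c
@@ -111,6 +111,8 @@
 } else {
 if (id == INTEGRITY_KEYRING_PLATFORM)
 set_platform_trusted_keys(keyring[id]);
+if (id == INTEGRITY_KEYRING_IMA)
+load_module_cert(keyring[id]);
 }
 
 return err;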
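Review bot: The return value of the new `load_module_cert(keyring[id]);` call is discarded, so a failure to place the build-time key on the .ima keyring is invisible to the enclosing function (whose signature is outside the hunk) and to its caller. Today that hides nothing, because load_cert in certs/system_keyring.c returns 0 even on its dodgy_cert path, but if that loader ever starts propagating errors this site will swallow them silently; a comment, `/* load_cert() currently returns 0 even on parse failure; nothing to propagate */`, records the assumption. load_module_cert is also annotated __init, so the enclosing function must itself be __init for this call to be section-safe — worth confirming since its declaration is not visible here.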