tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

Merge branch 'next-integrity' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security

Pull integrity updates from James Morris:
"Mimi Zohar says:

'Linux 5.0 introduced the platform keyring to allow verifying the IMA
kexec kernel image signature using the pre-boot keys. This pull
request similarly makes keys on the platform keyring accessible for
verifying the PE kernel image signature.

Also included in this pull request is a new IMA hook that tags tmp
files, in policy, indicating the file hash needs to be calculated.
The remaining patches are cleanup'"

* 'next-integrity' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
evm: Use defined constant for UUID representation
ima: define ima_post_create_tmpfile() hook and add missing call
evm: remove set but not used variable 'xattr'
encrypted-keys: fix Opt_err/Opt_error = -1
kexec, KEYS: Make use of platform keyring for signature verify
integrity, KEYS: add a reference to platform keyring

Linus Torvalds c3665a6b 12ad143e

+88 -15
+11 -3
arch/x86/kernel/kexec-bzimage64.c
··· 538 538 #ifdef CONFIG_KEXEC_BZIMAGE_VERIFY_SIG 539 539 static int bzImage64_verify_sig(const char *kernel, unsigned long kernel_len) 540 540 { 541 - return verify_pefile_signature(kernel, kernel_len, 542 - VERIFY_USE_SECONDARY_KEYRING, 543 - VERIFYING_KEXEC_PE_SIGNATURE); 541 + int ret; 542 + 543 + ret = verify_pefile_signature(kernel, kernel_len, 544 + VERIFY_USE_SECONDARY_KEYRING, 545 + VERIFYING_KEXEC_PE_SIGNATURE); 546 + if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) { 547 + ret = verify_pefile_signature(kernel, kernel_len, 548 + VERIFY_USE_PLATFORM_KEYRING, 549 + VERIFYING_KEXEC_PE_SIGNATURE); 550 + } 551 + return ret; 544 552 } 545 553 #endif 546 554
+22 -1
certs/system_keyring.c
··· 24 24 #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING 25 25 static struct key *secondary_trusted_keys; 26 26 #endif 27 + #ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING 28 + static struct key *platform_trusted_keys; 29 + #endif 27 30 28 31 extern __initconst const u8 system_certificate_list[]; 29 32 extern __initconst const unsigned long system_certificate_list_size; ··· 240 237 #else 241 238 trusted_keys = builtin_trusted_keys; 242 239 #endif 240 + } else if (trusted_keys == VERIFY_USE_PLATFORM_KEYRING) { 241 + #ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING 242 + trusted_keys = platform_trusted_keys; 243 + #else 244 + trusted_keys = NULL; 245 + #endif 246 + if (!trusted_keys) { 247 + ret = -ENOKEY; 248 + pr_devel("PKCS#7 platform keyring is not available\n"); 249 + goto error; 250 + } 243 251 } 244 252 ret = pkcs7_validate_trust(pkcs7, trusted_keys); 245 253 if (ret < 0) { 246 254 if (ret == -ENOKEY) 247 - pr_err("PKCS#7 signature not signed with a trusted key\n"); 255 + pr_devel("PKCS#7 signature not signed with a trusted key\n"); 248 256 goto error; 249 257 } 250 258 ··· 280 266 EXPORT_SYMBOL_GPL(verify_pkcs7_signature); 281 267 282 268 #endif /* CONFIG_SYSTEM_DATA_VERIFICATION */ 269 + 270 + #ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING 271 + void __init set_platform_trusted_keys(struct key *keyring) 272 + { 273 + platform_trusted_keys = keyring; 274 + } 275 + #endif
+1
fs/namei.c
··· 3460 3460 inode->i_state |= I_LINKABLE; 3461 3461 spin_unlock(&inode->i_lock); 3462 3462 } 3463 + ima_post_create_tmpfile(inode); 3463 3464 return child; 3464 3465 3465 3466 out_err:
+8
include/keys/system_keyring.h
··· 61 61 } 62 62 #endif /* CONFIG_IMA_BLACKLIST_KEYRING */ 63 63 64 + #if defined(CONFIG_INTEGRITY_PLATFORM_KEYRING) && \ 65 + defined(CONFIG_SYSTEM_TRUSTED_KEYRING) 66 + extern void __init set_platform_trusted_keys(struct key *keyring); 67 + #else 68 + static inline void set_platform_trusted_keys(struct key *keyring) 69 + { 70 + } 71 + #endif 64 72 65 73 #endif /* _KEYS_SYSTEM_KEYRING_H */
+5
include/linux/ima.h
··· 18 18 #ifdef CONFIG_IMA 19 19 extern int ima_bprm_check(struct linux_binprm *bprm); 20 20 extern int ima_file_check(struct file *file, int mask); 21 + extern void ima_post_create_tmpfile(struct inode *inode); 21 22 extern void ima_file_free(struct file *file); 22 23 extern int ima_file_mmap(struct file *file, unsigned long prot); 23 24 extern int ima_load_data(enum kernel_load_data_id id); ··· 55 54 static inline int ima_file_check(struct file *file, int mask) 56 55 { 57 56 return 0; 57 + } 58 + 59 + static inline void ima_post_create_tmpfile(struct inode *inode) 60 + { 58 61 } 59 62 60 63 static inline void ima_file_free(struct file *file)
+1
include/linux/verification.h
··· 17 17 * should be used. 18 18 */ 19 19 #define VERIFY_USE_SECONDARY_KEYRING ((struct key *)1UL) 20 + #define VERIFY_USE_PLATFORM_KEYRING ((struct key *)2UL) 20 21 21 22 /* 22 23 * The use to which an asymmetric key is being put.
+3
security/integrity/digsig.c
··· 87 87 pr_info("Can't allocate %s keyring (%d)\n", 88 88 keyring_name[id], err); 89 89 keyring[id] = NULL; 90 + } else { 91 + if (id == INTEGRITY_KEYRING_PLATFORM) 92 + set_platform_trusted_keys(keyring[id]); 90 93 } 91 94 92 95 return err;
+1 -2
security/integrity/evm/evm_crypto.c
··· 173 173 crypto_shash_update(desc, (const u8 *)&hmac_misc, sizeof(hmac_misc)); 174 174 if ((evm_hmac_attrs & EVM_ATTR_FSUUID) && 175 175 type != EVM_XATTR_PORTABLE_DIGSIG) 176 - crypto_shash_update(desc, &inode->i_sb->s_uuid.b[0], 177 - sizeof(inode->i_sb->s_uuid)); 176 + crypto_shash_update(desc, (u8 *)&inode->i_sb->s_uuid, UUID_SIZE); 178 177 crypto_shash_final(desc, digest); 179 178 } 180 179
+1 -5
security/integrity/evm/evm_main.c
··· 563 563 { 564 564 int error; 565 565 struct list_head *pos, *q; 566 - struct xattr_list *xattr; 567 566 568 567 evm_init_config(); 569 568 ··· 579 580 error: 580 581 if (error != 0) { 581 582 if (!list_empty(&evm_config_xattrnames)) { 582 - list_for_each_safe(pos, q, &evm_config_xattrnames) { 583 - xattr = list_entry(pos, struct xattr_list, 584 - list); 583 + list_for_each_safe(pos, q, &evm_config_xattrnames) 585 584 list_del(pos); 586 - } 587 585 } 588 586 } 589 587
+33 -2
security/integrity/ima/ima_main.c
··· 397 397 EXPORT_SYMBOL_GPL(ima_file_check); 398 398 399 399 /** 400 + * ima_post_create_tmpfile - mark newly created tmpfile as new 401 + * @file : newly created tmpfile 402 + * 403 + * No measuring, appraising or auditing of newly created tmpfiles is needed. 404 + * Skip calling process_measurement(), but indicate which newly, created 405 + * tmpfiles are in policy. 406 + */ 407 + void ima_post_create_tmpfile(struct inode *inode) 408 + { 409 + struct integrity_iint_cache *iint; 410 + int must_appraise; 411 + 412 + must_appraise = ima_must_appraise(inode, MAY_ACCESS, FILE_CHECK); 413 + if (!must_appraise) 414 + return; 415 + 416 + /* Nothing to do if we can't allocate memory */ 417 + iint = integrity_inode_get(inode); 418 + if (!iint) 419 + return; 420 + 421 + /* needed for writing the security xattrs */ 422 + set_bit(IMA_UPDATE_XATTR, &iint->atomic_flags); 423 + iint->ima_file_status = INTEGRITY_PASS; 424 + } 425 + 426 + /** 400 427 * ima_post_path_mknod - mark as a new inode 401 428 * @dentry: newly created dentry 402 429 * ··· 440 413 if (!must_appraise) 441 414 return; 442 415 416 + /* Nothing to do if we can't allocate memory */ 443 417 iint = integrity_inode_get(inode); 444 - if (iint) 445 - iint->flags |= IMA_NEW_FILE; 418 + if (!iint) 419 + return; 420 + 421 + /* needed for re-opening empty files */ 422 + iint->flags |= IMA_NEW_FILE; 446 423 } 447 424 448 425 /**
+2 -2
security/keys/encrypted-keys/encrypted.c
··· 60 60 static struct crypto_shash *hash_tfm; 61 61 62 62 enum { 63 - Opt_err = -1, Opt_new, Opt_load, Opt_update 63 + Opt_new, Opt_load, Opt_update, Opt_err 64 64 }; 65 65 66 66 enum { 67 - Opt_error = -1, Opt_default, Opt_ecryptfs, Opt_enc32 67 + Opt_default, Opt_ecryptfs, Opt_enc32, Opt_error 68 68 }; 69 69 70 70 static const match_table_t key_format_tokens = {