
ima: load x509 certificate from the kernel

Define a configuration option to load an X509 certificate into the
IMA trusted kernel keyring. It implements the ima_load_x509() hook,
which loads the X509 certificate from the root filesystem into the
.ima trusted kernel keyring.

Changes in v3:
* use ima_policy_flag in ima_get_action()
ima_load_x509 temporarily clears ima_policy_flag to disable
appraisal to load key. Use it to skip appraisal rules.
* Key directory path changed to /etc/keys (Mimi)
* Expand IMA_LOAD_X509 Kconfig help

Changes in v2:
* added '__init'
* use ima_policy_flag to disable appraisal to load keys

Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>

authored by

Dmitry Kasatkin and committed by
Mimi Zohar
fd5f4e90 65d543b2

+44 -2
+18
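--- a/security/integrity/ima/Kconfig
+++ b/security/integrity/ima/Kconfig
@@ -131,3 +131,21 @@
 	help
 	   This option requires that all keys added to the .ima
 	   keyring be signed by a key on the system trusted keyring.
+
+config IMA_LOAD_X509
+	bool "Load X509 certificate onto the '.ima' trusted keyring"
+	depends on IMA_TRUSTED_KEYRING
+	default n
+	help
+	   File signature verification is based on the public keys
+	   loaded on the .ima trusted keyring. These public keys are
+	   X509 certificates signed by a trusted key on the
+	   .system keyring. This option enables X509 certificate
+	   loading from the kernel onto the '.ima' trusted keyring.
+
+config IMA_X509_PATH
+	string "IMA X509 certificate path"
+	depends on IMA_LOAD_X509
+	default "/etc/keys/x509_ima.der"
+	help
+	   This option defines IMA X509 certificate path.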
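Review bot: The help text for IMA_X509_PATH only restates its prompt and does not say where the path is resolved or what the file must contain. Going by the IMA_LOAD_X509 help just above it, I would expand it to something like `Path, on the root filesystem, of the X509 certificate that the kernel loads onto the '.ima' trusted keyring during init; the certificate must be signed by a key on the .system keyring.` The `.der` default suggests a DER-encoded file, which is worth stating if it is a requirement. `default n` on IMA_LOAD_X509 is also redundant, because a bool option without a default is already n.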
+1 -2
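--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -173,8 +173,7 @@
 {
 	int flags = IMA_MEASURE | IMA_AUDIT | IMA_APPRAISE;
 
-	if (!ima_appraise)
-		flags &= ~IMA_APPRAISE;
+	flags &= ima_policy_flag;
 
 	return ima_match_policy(inode, function, mask, flags);
 }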
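Review bot: `flags &= ima_policy_flag;` drops the explicit `ima_appraise` test, so a disabled appraisal mode is now honoured only if the code that maintains ima_policy_flag also clears IMA_APPRAISE in that case. That code is not part of this commit, so the equivalence should be confirmed before relying on it. The mask also carries a second meaning that the line does not explain: ima_load_x509() in ima_init.c clears IMA_APPRAISE in the same global while the certificate is loaded. A comment above the line would record both, for example `/* ima_policy_flag holds the actions currently in force; IMA_APPRAISE is cleared while the IMA certificate is loaded */`. The function's signature lies outside the hunk.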
+17
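--- a/security/integrity/ima/ima_init.c
+++ b/security/integrity/ima/ima_init.c
@@ -24,6 +24,12 @@
 #include <crypto/hash_info.h>
 #include "ima.h"
 
+#ifdef CONFIG_IMA_X509_PATH
+#define IMA_X509_PATH CONFIG_IMA_X509_PATH
+#else
+#define IMA_X509_PATH "/etc/keys/x509_ima.der"
+#endif
+
 /* name for boot aggregate entry */
 static const char *boot_aggregate_name = "boot_aggregate";
 int ima_used_chip;
@@ -90,6 +96,17 @@
 			    audit_cause, result, 0);
 	return result;
 }
+
+#ifdef CONFIG_IMA_LOAD_X509
+void __init ima_load_x509(void)
+{
+	int unset_flags = ima_policy_flag & IMA_APPRAISE;
+
+	ima_policy_flag &= ~unset_flags;
+	integrity_load_x509(INTEGRITY_KEYRING_IMA, IMA_X509_PATH);
+	ima_policy_flag |= unset_flags;
+}
+#endif
 
 int __init ima_init(void)
 {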
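Review bot: ima_load_x509() turns appraisal off by clearing IMA_APPRAISE in the global ima_policy_flag, so for the duration of the call every file that goes through ima_get_action() skips appraisal, not only IMA_X509_PATH. That is sound only if nothing else opens files at this point of init and if the keyring still rejects a certificate not signed by a key on the system trusted keyring, as the IMA_TRUSTED_KEYRING help states; neither is visible in this hunk. A comment should record both, e.g. `/* appraisal is off only for this read; the keyring still requires the certificate to be signed by a system-trusted key */`. The result of integrity_load_x509() is also discarded; if it returns an error code, a `pr_warn()` on failure would make a missing or rejected certificate visible in the boot log. In the first hunk the `#else` fallback repeats the Kconfig default and looks unreachable, since IMA_X509_PATH is used only under CONFIG_IMA_LOAD_X509.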
+8
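--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -162,6 +162,14 @@
 }
 #endif
 
+#ifdef CONFIG_IMA_LOAD_X509
+void __init ima_load_x509(void);
+#else
+static inline void ima_load_x509(void)
+{
+}
+#endif
+
 #ifdef CONFIG_INTEGRITY_AUDIT
 /* declarations */
 void integrity_audit_msg(int audit_msgno, struct inode *inode,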