1. 13 Nov, 2018 1 commit
    • Mimi Zohar's avatar
      integrity: support new struct public_key_signature encoding field · fd35f192
      Mimi Zohar authored
      On systems with IMA-appraisal enabled with a policy requiring file
      signatures, the "good" signature values are stored on the filesystem as
      extended attributes (security.ima).  Signature verification failure
      would normally be limited to just a particular file (eg. executable),
      but during boot signature verification failure could result in a system
      Defining and requiring a new public_key_signature field requires all
      callers of asymmetric signature verification to be updated to reflect
      the change.  This patch updates the integrity asymmetric_verify()
      Fixes: 82f94f24
       ("KEYS: Provide software public key query function [ver #2]")
      Signed-off-by: default avatarMimi Zohar <zohar@linux.ibm.com>
      Cc: David Howells <dhowells@redhat.com>
      Acked-by: default avatarDenis Kenzior <denkenz@gmail.com>
      Signed-off-by: default avatarJames Morris <james.morris@microsoft.com>
  2. 18 Jul, 2018 1 commit
    • Mikhail Kurinnoi's avatar
      integrity: prevent deadlock during digsig verification. · 6eb864c1
      Mikhail Kurinnoi authored
      This patch aimed to prevent deadlock during digsig verification.The point
      of issue - user space utility modprobe and/or it's dependencies (ld-*.so,
      libz.so.*, libc-*.so and /lib/modules/ files) that could be used for
      kernel modules load during digsig verification and could be signed by
      digsig in the same time.
      First at all, look at crypto_alloc_tfm() work algorithm:
      crypto_alloc_tfm() will first attempt to locate an already loaded
      algorithm. If that fails and the kernel supports dynamically loadable
      modules, it will then attempt to load a module of the same name or alias.
      If that fails it will send a query to any loaded crypto manager to
      construct an algorithm on the fly.
      We have situation, when public_key_verify_signature() in case of RSA
      algorithm use alg_name to store internal information in order to construct
      an algorithm on the fly, but crypto_larval_lookup() will try to use
      alg_name in order to load kernel module with same name.
      1) we can't do anything with crypto module work, since it designed to work
      exactly in this way;
      2) we can't globally filter module requests for modprobe, since it
      designed to work with any requests.
      In this patch, I propose add an exception for "crypto-pkcs1pad(rsa,*)"
      module requests only in case of enabled integrity asymmetric keys support.
      Since we don't have any real "crypto-pkcs1pad(rsa,*)" kernel modules for
      sure, we are safe to fail such module request from crypto_larval_lookup().
      In this way we prevent modprobe execution during digsig verification and
      avoid possible deadlock if modprobe and/or it's dependencies also signed
      with digsig.
      Requested "crypto-pkcs1pad(rsa,*)" kernel module name formed by:
      1) "pkcs1pad(rsa,%s)" in public_key_verify_signature();
      2) "crypto-%s" / "crypto-%s-all" in crypto_larval_lookup().
      "crypto-pkcs1pad(rsa," part of request is a constant and unique and could
      be used as filter.
      Signed-off-by: default avatarMikhail Kurinnoi <viewizard@viewizard.com>
      Signed-off-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
       include/linux/integrity.h              | 13 +++++++++++++
       security/integrity/digsig_asymmetric.c | 23 +++++++++++++++++++++++
       security/security.c                    |  7 ++++++-
       3 files changed, 42 insertions(+), 1 deletion(-)
  3. 21 Jun, 2017 1 commit
    • Thiago Jung Bauermann's avatar
      integrity: Small code improvements · bb543e39
      Thiago Jung Bauermann authored
      These changes are too small to warrant their own patches:
      The keyid and sig_size members of struct signature_v2_hdr are in BE format,
      so use a type that makes this assumption explicit. Also, use beXX_to_cpu
      instead of __beXX_to_cpu to read them.
      Change integrity_kernel_read to take a void * buffer instead of char *
      buffer, so that callers don't have to use a cast if they provide a buffer
      that isn't a char *.
      Add missing #endif comment in ima.h pointing out which macro it refers to.
      Add missing fall through comment in ima_appraise.c.
      Constify mask_tokens and func_tokens arrays.
      Signed-off-by: default avatarThiago Jung Bauermann <bauerman@linux.vnet.ibm.com>
      Signed-off-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
  4. 03 Mar, 2016 2 commits
    • David Howells's avatar
      X.509: Make algo identifiers text instead of enum · 4e8ae72a
      David Howells authored
      Make the identifier public key and digest algorithm fields text instead of
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Acked-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
    • David Howells's avatar
      akcipher: Move the RSA DER encoding check to the crypto layer · d43de6c7
      David Howells authored
      Move the RSA EMSA-PKCS1-v1_5 encoding from the asymmetric-key public_key
      subtype to the rsa crypto module's pkcs1pad template.  This means that the
      public_key subtype no longer has any dependencies on public key type.
      To make this work, the following changes have been made:
       (1) The rsa pkcs1pad template is now used for RSA keys.  This strips off the
           padding and returns just the message hash.
       (2) In a previous patch, the pkcs1pad template gained an optional second
           parameter that, if given, specifies the hash used.  We now give this,
           and pkcs1pad checks the encoded message E(M) for the EMSA-PKCS1-v1_5
           encoding and verifies that the correct digest OID is present.
       (3) The crypto driver in crypto/asymmetric_keys/rsa.c is now reduced to
           something that doesn't care about what the encryption actually does
           and and has been merged into public_key.c.
       (4) CONFIG_PUBLIC_KEY_ALGO_RSA is gone.  Module signing must set
           CONFIG_CRYPTO_RSA=y instead.
       (*) Should the encoding style (eg. raw, EMSA-PKCS1-v1_5) also be passed to
           the padding template?  Should there be multiple padding templates
           registered that share most of the code?
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Signed-off-by: default avatarTadeusz Struk <tadeusz.struk@intel.com>
      Acked-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
  5. 18 Feb, 2016 1 commit
  6. 09 Feb, 2016 1 commit
  7. 06 Feb, 2016 1 commit
  8. 15 Dec, 2015 1 commit
    • Petko Manolov's avatar
      IMA: create machine owner and blacklist keyrings · 41c89b64
      Petko Manolov authored
      This option creates IMA MOK and blacklist keyrings.  IMA MOK is an
      intermediate keyring that sits between .system and .ima keyrings,
      effectively forming a simple CA hierarchy.  To successfully import a key
      into .ima_mok it must be signed by a key which CA is in .system keyring.
      On turn any key that needs to go in .ima keyring must be signed by CA in
      either .system or .ima_mok keyrings. IMA MOK is empty at kernel boot.
      IMA blacklist keyring contains all revoked IMA keys.  It is consulted
      before any other keyring.  If the search is successful the requested
      operation is rejected and error is returned to the caller.
      Signed-off-by: default avatarPetko Manolov <petkan@mip-labs.com>
      Signed-off-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
  9. 06 Oct, 2014 1 commit
  10. 09 Sep, 2014 1 commit
  11. 25 Oct, 2013 1 commit
    • Dmitry Kasatkin's avatar
      ima: read and use signature hash algorithm · d3634d0f
      Dmitry Kasatkin authored
      All files on the filesystem, currently, are hashed using the same hash
      algorithm.  In preparation for files from different packages being
      signed using different hash algorithms, this patch adds support for
      reading the signature hash algorithm from the 'security.ima' extended
      attribute and calculates the appropriate file data hash based on it.
      - fix scripts Lindent and checkpatch msgs - Mimi
      - fix md5 support for older version, which occupied 20 bytes in the
        xattr, not the expected 16 bytes.  Fix the comparison to compare
        only the first 16 bytes.
      Signed-off-by: default avatarDmitry Kasatkin <d.kasatkin@samsung.com>
      Signed-off-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
  12. 07 Feb, 2013 1 commit
    • Dmitry Kasatkin's avatar
      ima: digital signature verification using asymmetric keys · e0751257
      Dmitry Kasatkin authored
      Asymmetric keys were introduced in linux-3.7 to verify the signature on
      signed kernel modules. The asymmetric keys infrastructure abstracts the
      signature verification from the crypto details. This patch adds IMA/EVM
      signature verification using asymmetric keys. Support for additional
      signature verification methods can now be delegated to the asymmetric
      key infrastructure.
      Although the module signature header and the IMA/EVM signature header
      could use the same format, to minimize the signature length and save
      space in the extended attribute, this patch defines a new IMA/EVM
      header format.  The main difference is that the key identifier is a
      sha1[12 - 19] hash of the key modulus and exponent, similar to the
      current implementation.  The only purpose of the key identifier is to
      identify the corresponding key in the kernel keyring.  ima-evm-utils
      was updated to support the new signature format.
      While asymmetric signature verification functionality supports many
      different hash algorithms, the hash used in this patch is calculated
      during the IMA collection phase, based on the configured algorithm.
      The default algorithm is sha1, but for backwards compatibility md5
      is supported.  Due to this current limitation, signatures should be
      generated using a sha1 hash algorithm.
      Changes in this patch:
      - Functionality has been moved to separate source file in order to get rid of
        in source #ifdefs.
      - keyid is derived according to the RFC 3280. It does not require to assign
        IMA/EVM specific "description" when loading X509 certificate. Kernel
        asymmetric key subsystem automatically generate the description. Also
        loading a certificate does not require using of ima-evm-utils and can be
        done using keyctl only.
      - keyid size is reduced to 32 bits to save xattr space.  Key search is done
        using partial match functionality of asymmetric_key_match().
      - Kconfig option title was changed
      Signed-off-by: default avatarDmitry Kasatkin <dmitry.kasatkin@intel.com>
      Acked-by: default avatarDavid Howells <dhowells@redhat.com>
      Signed-off-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>