On Wed, 2019-06-05 at 17:16 -0700, Lakshmi wrote: > The motive behind this patch series is to measure the public key > of keys in BuiltIn_Trusted_Keys keyring to IMA log. > > The kernel could be built with the config parameter > CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY enabled. > If this is done only those "IMA Signer Keys" that are signed by a key in > the "BuiltIn Trusted Keys" or the "Secondary Trusted Keys" can be added > to the "IMA Keyring". > > In other words, "IMA Signer Keys" are attested by the "Trusted Keys" > on the client machines if the above config parameter is enabled. > > IMA will enumerate the keys in the Trusted Keys keyring, and measure > them in the IMA log. On file read, IMA will validate the signature of > the system files using "IMA Signer Key" present in "IMA Keyring". > > An attestation service would receive the "Trusted Keys" from > a trusted source (which is different from the client machines it is > attesting). The service would compare the Trusted Keys reported by > the client with the list of known Trusted Keys. A client would be > marked trusted by the service if and only if the keys reported > by the client are all trusted. > > Using the above approach the attestation service will be attesting > the "IMA Signer" while the clients attest the IMA Signature of > the system files. This enables the service to attest the client > machines by maintaining only a list of "Trusted Keys". These keys > change much less frequently than "IMA Signer Keys". It also frees > the service from having to maintain the "Hash of System Files" > which would change very frequently. This approach would significantly > reduce the maintenance cost of the service with respect to the data used > for attesting clients. Instead of measuring all the files in policy, Roberto's "digest lists" proposed patch set measures only "unknown" files. Why bother with all those messy measurements?! In your use case scenario, will the measurement list only contain the builtin and secondary keys? Mimi > > To achieve the above the patch series does the following: > - Adds a new method in asymmetric_key_subtype to query > the public key of the given key > - Enumerate the keys in "BuiltIn Trusted Keys" and measure > them to IMA log. > > Lakshmi (2): > Added a new interface method namely query_public_key to > asymmetric_key_subtype interface > Measure keys in BuiltIn Trusted Keys keyring > > Documentation/crypto/asymmetric-keys.txt | 1 + > certs/system_keyring.c | 7 ++ > crypto/asymmetric_keys/public_key.c | 7 ++ > crypto/asymmetric_keys/signature.c | 24 +++++++ > include/crypto/public_key.h | 1 + > include/keys/asymmetric-subtype.h | 3 + > include/keys/system_keyring.h | 9 +++ > include/linux/key.h | 32 +++++++++ > security/integrity/digsig.c | 58 +++++++++++++++++ > security/integrity/ima/Kconfig | 9 +++ > security/integrity/ima/ima_init.c | 62 ++++++++++++++++++ > security/integrity/integrity.h | 25 ++++++++ > security/keys/keyring.c | 82 ++++++++++++++++++++++++ > 13 files changed, 320 insertions(+) >
