Re: [PATCH v0 1/2] KEYS: Measure keys added to builtin or secondary trusted keys keyring

On Fri, 2019-10-11 at 10:35 -0700, Lakshmi Ramasubramanian wrote:
> IMA hook TRUSTED_KEYS to measure keys added to builtin or secondary
> trusted keys keyring. This can be enabled through IMA policy.
> 
> The key data is queued up if IMA is not yet initialized and measured
> when IMA is initialized. If IMA is initialized then the key is
> measured immediately.
> 
> Signed-off-by: Lakshmi Ramasubramanian <nramas@xxxxxxxxxxxxxxxxxxx>

This patch needs to be broken up into multiple, smaller patches.  As
discussed, measuring keys should be separate from the early
measurement workqueue, at minimum as separate patches, if not separate
patch sets.  A new LSM hook definitely needs to be defined in a
separate patch.

>  /*
> - * process_buffer_measurement - Measure the buffer to ima log.
> - * @buf: pointer to the buffer that needs to be added to the log.
> - * @size: size of buffer(in bytes).
> - * @eventname: event name to be used for the buffer entry.
> - * @cred: a pointer to a credentials structure for user validation.
> - * @secid: the secid of the task to be validated.
> + * ima_post_key_create_or_update
> + *     @keyring points to the keyring to which the key belongs
> + *     @key points to the key being created or updated
> + *     @builtin_or_secondary flag indicating whether
> + *     the keyring to which the key belongs is the builtin
> + *     or secondary trusted keys keyring
> + * Measure keys added to the builtin or secondary trusted keyring
>   *
> - * Based on policy, the buffer is measured into the ima log.
> + * On success return 0.
> + * Return appropriate error code on error
>   */
> -static void process_buffer_measurement(const void *buf, int size,
> -				       const char *eventname,
> -				       const struct cred *cred, u32 secid)
> +int ima_post_key_create_or_update(struct key *keyring,
> +				  struct key *key,
> +				  bool builtin_or_secondary)
>  {
> -	int ret = 0;
> -	struct ima_template_entry *entry = NULL;
> -	struct integrity_iint_cache iint = {};
> -	struct ima_event_data event_data = {.iint = &iint,
> -					    .filename = eventname,
> -					    .buf = buf,
> -					    .buf_len = size};
> -	struct ima_template_desc *template_desc = NULL;
> -	struct {
> -		struct ima_digest_data hdr;
> -		char digest[IMA_MAX_DIGEST_SIZE];
> -	} hash = {};
> -	int violation = 0;
> -	int pcr = CONFIG_IMA_MEASURE_PCR_IDX;
> -	int action = 0;
> +	int rc = 0;
> +	struct ima_trusted_key_entry *entry = NULL;
> +	const struct public_key *pk;
> +	u32 secid;
> +	bool queued = false;
>  
> -	action = ima_get_action(NULL, cred, secid, 0, KEXEC_CMDLINE, &pcr,
> -				&template_desc);
> -	if (!(action & IMA_MEASURE))
> -		return;
> +	/*
> +	 * We only measure asymmetric keys added to either
> +	 * the builtin or the secondary trusted keys keyring.
> +	 */
> +	if (!builtin_or_secondary ||
> +	    (key->type != &key_type_asymmetric))
> +		return 0;
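Review bot: the comment block added at the top of this hunk is not in the kernel-doc form the removed comment used: the function name has no `()` and no one-line summary, and the parameters are written `@keyring points to ...` instead of `@keyring: ...`, so the description will not be picked up as kernel-doc; suggest `* ima_post_key_create_or_update() - measure a key added to a trusted keyring` followed by `* @keyring: keyring the key is being added to`. Separately, as rendered the hunk deletes `process_buffer_measurement()` together with its `ima_get_action(..., KEXEC_CMDLINE, ...)` call, yet the commit message says nothing about the kexec cmdline measurement path; if the function is only moved elsewhere in the patch, the diff should show it as a move (or the move should be its own patch) so reviewers can confirm that path is unchanged.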

Measuring keys should be generic, independent of the keyring that it
is being added to.  Please do not hard code policy.

Mimi

>  
> -	iint.ima_hash = &hash.hdr;
> -	iint.ima_hash->algo = ima_hash_algo;
> -	iint.ima_hash->length = hash_digest_size[ima_hash_algo];
> +	mutex_lock(&ima_trusted_keys_mutex);
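Review bot: `mutex_lock(&ima_trusted_keys_mutex)` is taken here with `rc`, `entry` and `queued` already declared for the queuing path, but the quoted hunk ends before any unlock is visible; since the docblock promises to return an error code on failure, every return after this line needs a matching `mutex_unlock()`, and a single `out:` label that drops the lock would make that easy to verify in the rest of the function.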