On Mon, 2019-11-25 at 09:33 -0800, Lakshmi Ramasubramanian wrote: > On 11/22/19 8:17 AM, James Bottomley wrote: > > > If you measure at time of insertion you should be able to measure the > > entire key because it's inserted as a complete certificate. If there's > > additional data you need to retrieve after the load, we might be able > > to store it in addition to the data we already save from the > > certificate. > > > > James > > You are right James - at the time of insertion the complete certificate > can be measured. Thanks for the information. > > I will update my patch set to include the certificate data in key > measurement. Please let me know if you have any comments\concerns. > > Please see below for details: > > In the file "security/keys/key.c" => > key_ref_t key_create_or_update(key_ref_t keyring_ref, > const char *type, > const char *description, > const void *payload, > size_t plen, > key_perm_t perm, > unsigned long flags) > > In the key measurement, instead of just the "public key", I included the > buffer pointed to by the "payload" parameter (buffer of size "plen" > bytes) in the call to key_create_or_update(). It is the entire certificate. > > thanks, > -lakshmi > > Please see the sequence of commands below to import a certificate (in > DER format) to ".ima" keyring and regenerate the certificate from the > IMA measurement log. > > ****** Import a DER certificate to .ima keyring ****** > > root@nramas:/home/nramas# keyctl show %:.ima > Keyring > 75295183 ---lswrv 0 0 keyring: .ima > > root@nramas:/home/nramas# evmctl import x509_ima.der 75295183 > 118886017 > > root@nramas:/home/nramas# keyctl show %:.ima > Keyring > 75295183 ---lswrv 0 0 keyring: .ima > 118886017 --als--v 0 0 \_ asymmetric: hostname: whoami > signing key: 052dd247dc3c36d6d60675fe7ae869790be56171 > > ****** View the IMA measurement log ****** > > root@nramas:/home/nramas# cat > /sys/kernel/security/integrity/ima/ascii_runtime_measurements > 10 faf3dd532114feed8b8215eb7b5d8c3107d5e702 ima-buf > sha256:ac8bd67bdaded63be9231c495585fd88edce0812d9b677e1e1e219e2dd3bcd60 > .ima > 30820286308201efa00302010202145be0234ff3adf050349b33b89465a6aab6e339f7300d06092a864886f70d01010b050030503111300f060355040a0c08686f73746e616d65311b301906035504030c1277686f616d69207369676e696e67206b6579311e301c06092a864886f70d010901160f77686f616d6940686f73746e616d65301e170d3139303832323032323930325a170d3230303832313032323930325a30503111300f060355040a0c08686f73746e616d65311b301906035504030c1277686f616d69207369676e696e67206b6579311e301c06092a864886f70d010901160f77686f616d6940686f73746e616d6530819f300d06092a864886f70d010101050003818d0030818902818100ee96b264072a42888f78a2f9b8198467a3ad97d126f3d1cc1c24d23e7185cc743b04d4a54254ca16e1e11ed4450deb98b1f7bb4288424570fabcfc6d5aa93a2a14fa2b7835ac877cfea761e5ff414c6ee274eff26f8bd6c484312e56619299acf0dbd224b87c3883b66a9393d21af8962458663b0ac1706c63773cd50e8236270203010001a35d305b300c0603551d130101ff04023000300b0603551d0f040403020780301d0603551d0e04160414052dd247dc3c36d6d60675fe7ae869790be56171301f0603551d23041830168014e36710f0834c973ed94a186fbcd22375b45e2454300d06092a864886f70d01010b050003818100b12faeff1e0e390cfd5eb7140af3b7a653cb49c6ab0a23be24c035331d7600c8f758f9df7fdfc5eeb6fec35859203eca0e4f01f9a79a58be630947cb959a52d3f2de96f210d49247c33a6226dc2a52ee541069ed3c621f8767fd36a061e9a61adb5d1dd34499d99a1ce6baa496b4f5e2268bfc52c3eea4a6b7b5181f08524aee > > ****** Regenerate the certificate from IMA measurement log ****** > > root@nramas:/home/nramas# cat > /sys/kernel/security/ima/ascii_runtime_measurements | grep " .ima" | cut > -d' ' -f 6 | xxd -r -p > ima-cert.der > > root@nramas:/home/nramas# openssl x509 -in ima-cert.der -inform DER > -text -noout Only the commands to validate the "key" measurement and extract the certificate need to be included in the patch description. You could combine these two commands using "tee". One would save the certificate, while the other would calculate the template data hash. Providing the openssl command to display the saved certificate is optional. Mimi
