On Wed, 2019-12-04 at 14:41 -0800, Lakshmi Ramasubramanian wrote:
> Read "keyrings=" option, if specified in the IMA policy, and store in
> the list of IMA rules when the configured IMA policy is read.
>
> This patch defines a new policy token enum namely Opt_keyrings
> and an option flag IMA_KEYRINGS for reading "keyrings=" option
> from the IMA policy.
>
> Updated ima_parse_rule() to parse "keyrings=" option in the policy.
> Updated ima_policy_show() to display "keyrings=" option.
>
> The following example illustrates how key measurement can be verified.
>
> Sample "key" measurement rule in the IMA policy:
>
> measure func=KEY_CHECK uid=0 keyrings=.ima|.evm template=ima-buf
>
> Display "key" measurement in the IMA measurement list:
>
> cat /sys/kernel/security/ima/ascii_runtime_measurements
>
> 10 faf3...e702 ima-buf
> sha256:27c915b8ddb9fae7214cf0a8a7043cc3eeeaa7539bcb136f8427067b5f6c3b7b .ima 308202863082...4aee
>
> Verify "key" measurement data for a key added to ".ima" keyring:
>
> cat /sys/kernel/security/integrity/ima/ascii_runtime_measurements |
> grep ".ima" | cut -d' ' -f 6 | xxd -r -p |tee ima-cert.der |
> sha256sum | cut -d' ' -f 1

The dot needs to be quoted, otherwise it matches any character.  I would
also limit the above command to the first instance (e.g. grep -m 1 "\.ima").

> The output of the above command should match the sha256 hash
> in the "key" measurement entry in the IMA measurement list.

There are multiple hashes in a measurement list record.  Perhaps refer to
the 2nd hash as the "template hash".

Mimi

>
> The file namely "ima-cert.der" generated by the above command
> should be a valid x509 certificate (in DER format) and should match
> the one that was used to import the key to the .ima keyring.
> The certificate file can be verified using openssl tool.
>
> Signed-off-by: Lakshmi Ramasubramanian <nramas@xxxxxxxxxxxxxxxxxxx>
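The two review points above (an unquoted dot in `grep ".ima"` matches any character, and a record carries more than one hash) can be shown with a small parser for ima-buf records in the layout the commit message prints. This is an added example, not code from the thread or from the IMA subsystem: the measurement list, the key blobs and the field-2 template hashes are constructed stand-ins (the blobs are not real DER certificates and the template hash is not recomputed here), and only the buffer hash in field 4 is checked.

```python
import hashlib
import re

# Constructed sample buffers standing in for DER-encoded certificates
# (not real certificates; "30820286" is just the prefix seen in the thread).
BLOB_IMA_1 = bytes.fromhex("30820286") + b"constructed-ima-key-1"
BLOB_IMA_2 = bytes.fromhex("30820286") + b"constructed-ima-key-2"
BLOB_EVM = bytes.fromhex("30820286") + b"constructed-evm-key"

# Placeholder for field 2, the template hash; its computation is not shown here.
TEMPLATE_HASH_PLACEHOLDER = "a" * 40


def make_ima_buf_record(pcr, template_hash_hex, keyring, buf):
    """Build one ascii_runtime_measurements line in the ima-buf layout:
    <pcr> <template hash> ima-buf sha256:<buffer hash> <keyring> <buffer hex>"""
    digest = hashlib.sha256(buf).hexdigest()
    return f"{pcr} {template_hash_hex} ima-buf sha256:{digest} {keyring} {buf.hex()}"


# Constructed measurement list: one .evm record followed by two .ima records.
MEASUREMENT_LIST = [
    make_ima_buf_record(10, TEMPLATE_HASH_PLACEHOLDER, ".evm", BLOB_EVM),
    make_ima_buf_record(10, TEMPLATE_HASH_PLACEHOLDER, ".ima", BLOB_IMA_1),
    make_ima_buf_record(10, TEMPLATE_HASH_PLACEHOLDER, ".ima", BLOB_IMA_2),
]


def grep_matches(lines, pattern):
    """What `grep <pattern>` would select: an unanchored regex search per line.
    With the pattern ".ima" the dot also matches the space in " ima-buf", so
    every ima-buf record matches, not only the .ima keyring records."""
    return [line for line in lines if re.search(pattern, line)]


def parse_ima_buf_record(line):
    """Split one record into its fields; returns None for non ima-buf lines."""
    parts = line.split()
    if len(parts) != 6 or parts[2] != "ima-buf":
        return None
    algo, _, digest = parts[3].partition(":")
    return {
        "pcr": int(parts[0]),
        "template_hash": parts[1],  # hash of the whole template data
        "algo": algo,               # e.g. sha256
        "digest": digest,           # hash of the buffer only (field 4)
        "name": parts[4],           # keyring name (field 5)
        "buf": bytes.fromhex(parts[5]),  # the measured key blob (field 6)
    }


def first_record_for_keyring(lines, keyring):
    """Equivalent of `grep -m 1` with an exact field comparison instead of a
    regex, so ".ima" cannot match ".evm" records via " ima-buf"."""
    for line in lines:
        rec = parse_ima_buf_record(line)
        if rec is not None and rec["name"] == keyring:
            return rec
    return None


def verify_record(rec):
    """Recompute the buffer hash (what `xxd -r -p | sha256sum` does) and compare
    it with the buffer hash in field 4, not with the template hash in field 2."""
    actual = hashlib.new(rec["algo"], rec["buf"]).hexdigest()
    return actual == rec["digest"]


if __name__ == "__main__":
    print("unquoted dot matches:", len(grep_matches(MEASUREMENT_LIST, ".ima")))
    print("quoted dot matches:  ", len(grep_matches(MEASUREMENT_LIST, r"\.ima")))
    rec = first_record_for_keyring(MEASUREMENT_LIST, ".ima")
    print("first .ima record verifies:", verify_record(rec))
```

The pipeline in the commit message pipes field 6 through `xxd -r -p` and `sha256sum`; `verify_record` does the same in-process and compares against field 4, which is the only hash in the record that is a digest of the buffer alone.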