Re: [PATCH v3 1/7] integrity: Introduce struct evm_hmac_xattr

2017-08-02 Thread Thiago Jung Bauermann
Hello Mimi, Thanks for your review! The patch at the end of the email implements your suggestions, what do you think? Mimi Zohar writes: > On Thu, 2017-07-06 at 19:17 -0300, Thiago Jung Bauermann wrote: >> A separate struct evm_hmac_xattr is introduced, with the original >>

Re: [PATCH v3 7/7] ima: Support module-style appended signatures for appraisal

2017-08-02 Thread Thiago Jung Bauermann
Mimi Zohar writes: > On Thu, 2017-07-06 at 19:17 -0300, Thiago Jung Bauermann wrote: >> --- a/security/integrity/ima/ima_appraise.c >> +++ b/security/integrity/ima/ima_appraise.c >> @@ -200,18 +200,40 @@ int ima_read_xattr(struct dentry *dentry, >> */ >>

Re: [PATCH v3 7/7] ima: Support module-style appended signatures for appraisal

2017-08-03 Thread Thiago Jung Bauermann
Mimi Zohar writes: > On Wed, 2017-08-02 at 18:52 -0400, Mimi Zohar wrote: >> On Wed, 2017-08-02 at 14:42 -0300, Thiago Jung Bauermann wrote: >> > Mimi Zohar writes: > >> > >> @@ -229,8 +251,24 @@ int ima_appraise_measurement(enum ima_hooks fu

[PATCH v4 0/7] Appended signatures support for IMA appraisal

2017-08-04 Thread Thiago Jung Bauermann
ted by Mimi) - Moved modsig code to its own file. (suggested by Mimi) - Added new xattr "subtype" IMA_MODSIG. (suggested by Mimi) - Check whether a hook supports modsig when the policy is being parsed. (suggested by Mimi) - If the modsig verification fails, look for an xattr signa

[PATCH v4 1/7] integrity: Introduce struct evm_xattr

2017-08-04 Thread Thiago Jung Bauermann
, since in most places the array doesn't hold a digest. A separate struct evm_xattr is introduced, with the original definition of evm_ima_xattr_data to be used in the places that actually expect that definition. Signed-off-by: Thiago Jung Bauermann --- security/integrity/evm/evm_

[PATCH v4 5/7] integrity: Select CONFIG_KEYS instead of depending on it

2017-08-04 Thread Thiago Jung Bauermann
This avoids a dependency cycle in CONFIG_IMA_APPRAISE_MODSIG (introduced by a later patch in this series): it will select CONFIG_MODULE_SIG_FORMAT which in turn selects CONFIG_KEYS. Kconfig then complains that CONFIG_INTEGRITY_SIGNATURE depends on CONFIG_KEYS. Signed-off-by: Thiago Jung Bauermann

[PATCH v4 7/7] ima: Support module-style appended signatures for appraisal

2017-08-04 Thread Thiago Jung Bauermann
. Signed-off-by: Thiago Jung Bauermann --- security/integrity/ima/Kconfig| 13 +++ security/integrity/ima/Makefile | 1 + security/integrity/ima/ima.h | 70 +++- security/integrity/ima/ima_appraise.c | 178 +- security

[PATCH v4 6/7] ima: Store measurement after appraisal

2017-08-04 Thread Thiago Jung Bauermann
then the measure step was already completed and would need to be done again in case the template includes the signature. To avoid this problem, do the appraisal first so that the correct signature is stored by the template in the measure step. Signed-off-by: Thiago Jung Bauermann --- sec

[PATCH v4 4/7] integrity: Introduce integrity_keyring_from_id

2017-08-04 Thread Thiago Jung Bauermann
IMA will need to obtain the keyring used to verify file signatures so that it can verify the module-style signature appended to files. Signed-off-by: Thiago Jung Bauermann --- security/integrity/digsig.c| 28 +++- security/integrity/integrity.h | 1 + 2 files

[PATCH v4 2/7] MODSIGN: Export module signature definitions

2017-08-04 Thread Thiago Jung Bauermann
validate_module_signature without having to depend on CONFIG_MODULE_SIG. Signed-off-by: Thiago Jung Bauermann --- include/linux/module.h | 3 -- include/linux/module_signature.h | 47 + init/Kconfig | 6 +++- kernel/Makefile | 2 +- kernel

[PATCH v4 3/7] PKCS#7: Introduce pkcs7_get_message_sig and verify_pkcs7_message_sig

2017-08-04 Thread Thiago Jung Bauermann
verify_pkcs7_message_signature which takes a struct pkcs7_message for verification instead of the raw bytes that verify_pkcs7_signature takes. Signed-off-by: Thiago Jung Bauermann --- certs/system_keyring.c| 60 +-- crypto/asymmetric_keys/pkcs7_parser.c | 12

[PATCH v5 09/18] ima: Don't pass xattr value to EVM xattr verification.

2017-10-17 Thread Thiago Jung Bauermann
d not actually required, just don't do it. Suggested-by: Mimi Zohar Signed-off-by: Thiago Jung Bauermann --- security/integrity/ima/ima_appraise.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_apprai

[PATCH v5 00/18] Appended signatures support for IMA appraisal

2017-10-17 Thread Thiago Jung Bauermann
g verification fails. - Pass NULL xattr_value to evm_verifyxattr even in the case of xattr signature in ima_appraise_measurement (suggested by Mimi Zohar). - Use switch statement provided by Mimi Zohar to check result of evm_verifyxattr. - If the modsig verification succeeds, copy the

[PATCH v5 18/18] ima: Write modsig to the measurement list

2017-10-17 Thread Thiago Jung Bauermann
Add modsig support for templates which require the contents of the file signature to be included in the measurement list. Suggested-by: Mimi Zohar Signed-off-by: Thiago Jung Bauermann --- security/integrity/ima/ima.h | 8 security/integrity/ima/ima_api.c | 8

[PATCH v5 07/18] integrity: Introduce struct evm_xattr

2017-10-17 Thread Thiago Jung Bauermann
, since in most places the array doesn't hold a digest. A separate struct evm_xattr is introduced, with the original definition of evm_ima_xattr_data to be used in the places that actually expect that definition. Signed-off-by: Thiago Jung Bauermann --- security/integrity/evm/evm_

[PATCH v5 15/18] ima: Add modsig appraise_type option for module-style appended signatures

2017-10-17 Thread Thiago Jung Bauermann
because the actual modsig implementation will be introduced in a separate patch. Suggested-by: Mimi Zohar Signed-off-by: Thiago Jung Bauermann --- Documentation/ABI/testing/ima_policy | 6 +- security/integrity/ima/Kconfig | 10 + security/integrity/ima/Makefile | 1

[PATCH v5 03/18] evm, ima: Remove superfluous parentheses

2017-10-17 Thread Thiago Jung Bauermann
that it can be easily dropped if the churn and conflict potential is deemed not worth it. Confirmed that the patch is correct by comparing the object files from before and after the patch. They are identical. Signed-off-by: Thiago Jung Bauermann --- security/integrity/evm/evm_crypto.c

[PATCH v5 17/18] ima: Implement support for module-style appended signatures

2017-10-17 Thread Thiago Jung Bauermann
This patch actually implements the appraise_type=modsig option, allowing IMA to read and verify modsig signatures Signed-off-by: Thiago Jung Bauermann --- security/integrity/ima/ima.h | 17 +++-- security/integrity/ima/ima_appraise.c | 119 -- security

[PATCH v5 12/18] MODSIGN: Export module signature definitions

2017-10-17 Thread Thiago Jung Bauermann
validate_module_signature without having to depend on CONFIG_MODULE_SIG. Signed-off-by: Thiago Jung Bauermann --- include/linux/module.h | 3 -- include/linux/module_signature.h | 47 + init/Kconfig | 6 +++- kernel/Makefile | 2 +- kernel

[PATCH v5 16/18] ima: Add functions to read and verify a modsig signature

2017-10-17 Thread Thiago Jung Bauermann
This is the code needed by IMA-appraise to work with modsig signatures. It will be used by the next patch. Signed-off-by: Thiago Jung Bauermann --- security/integrity/ima/Kconfig | 3 + security/integrity/ima/ima.h| 34 +++ security/integrity/ima/ima_modsig.c | 119

[PATCH v5 14/18] integrity: Introduce integrity_keyring_from_id

2017-10-17 Thread Thiago Jung Bauermann
IMA will need to obtain the keyring used to verify file signatures so that it can verify the module-style signature appended to files. Signed-off-by: Thiago Jung Bauermann --- security/integrity/digsig.c| 28 +++- security/integrity/integrity.h | 1 + 2 files

[PATCH v5 13/18] PKCS#7: Introduce pkcs7_get_message_sig and verify_pkcs7_message_sig

2017-10-17 Thread Thiago Jung Bauermann
verify_pkcs7_message_signature which takes a struct pkcs7_message for verification instead of the raw bytes that verify_pkcs7_signature takes. Signed-off-by: Thiago Jung Bauermann --- certs/system_keyring.c| 60 +-- crypto/asymmetric_keys/pkcs7_parser.c | 12

[PATCH v5 11/18] ima: Export func_tokens

2017-10-17 Thread Thiago Jung Bauermann
ima_read_modsig will need it so that it can show an error message. Signed-off-by: Thiago Jung Bauermann --- security/integrity/ima/ima.h| 2 ++ security/integrity/ima/ima_policy.c | 12 ++-- 2 files changed, 8 insertions(+), 6 deletions(-) diff --git a/security/integrity/ima

[PATCH v5 10/18] ima: Store measurement after appraisal

2017-10-17 Thread Thiago Jung Bauermann
then the measure step was already completed and would need to be done again in case the template includes the signature. To avoid this problem, do the appraisal first so that the correct signature is stored by the template in the measure step. Suggested-by: Mimi Zohar Signed-off-by: Thiago

[PATCH v5 08/18] integrity: Select CONFIG_KEYS instead of depending on it

2017-10-17 Thread Thiago Jung Bauermann
This avoids a dependency cycle in CONFIG_IMA_APPRAISE_MODSIG (introduced by a later patch in this series): it will select CONFIG_MODULE_SIG_FORMAT which in turn selects CONFIG_KEYS. Kconfig then complains that CONFIG_INTEGRITY_SIGNATURE depends on CONFIG_KEYS. Signed-off-by: Thiago Jung Bauermann

[PATCH v5 06/18] ima: Improvements in ima_appraise_measurement

2017-10-17 Thread Thiago Jung Bauermann
Replace nested ifs in the EVM xattr verification logic with a switch statement, making the code easier to understand. Also, add comments to the if statements in the out section. Signed-off-by: Mimi Zohar Signed-off-by: Thiago Jung Bauermann --- security/integrity/ima/ima.h | 5

[PATCH v5 05/18] ima: Simplify ima_eventsig_init

2017-10-17 Thread Thiago Jung Bauermann
The "goto out" statement doesn't have any purpose since there's no cleanup to be done when returning early, so remove it. This also makes the rc variable unnecessary so remove it as well. Also, the xattr_len and fmt variables are redundant so remove them as well. Signed

[PATCH v5 02/18] ima: Remove some superfluous parentheses

2017-10-17 Thread Thiago Jung Bauermann
. Confirmed that the patch is correct by comparing the object files from before and after the patch. They are identical. Signed-off-by: Thiago Jung Bauermann --- security/integrity/ima/ima_appraise.c | 11 +-- security/integrity/ima/ima_template_lib.c | 2 +- 2 files changed, 6

[PATCH v5 04/18] evm, ima: Remove more superfluous parentheses

2017-10-17 Thread Thiago Jung Bauermann
object files from before and after the patch. They are identical. Signed-off-by: Thiago Jung Bauermann --- security/integrity/evm/evm_posix_acl.c | 8 security/integrity/ima/ima_fs.c| 6 +++--- security/integrity/ima/ima_queue.c | 6 +++--- 3 files changed, 10 insertions

[PATCH v5 01/18] ima: Remove redundant conditional operator

2017-10-17 Thread Thiago Jung Bauermann
correct by comparing the object file from before and after the patch. They are identical. Signed-off-by: Thiago Jung Bauermann --- security/integrity/ima/ima_appraise.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity

Re: [PATCH v5 18/18] ima: Write modsig to the measurement list

2017-10-26 Thread Thiago Jung Bauermann
Hello Mimi, Thanks for your review. Mimi Zohar writes: > On Tue, 2017-10-17 at 22:53 -0200, Thiago Jung Bauermann wrote: > >> diff --git a/security/integrity/ima/ima_main.c >> b/security/integrity/ima/ima_main.c >> index 6a2d960fbd92..0d3390de7432 100644 >>

Re: [PATCH v5 12/18] MODSIGN: Export module signature definitions

2017-10-26 Thread Thiago Jung Bauermann
Mimi Zohar writes: > On Tue, 2017-10-17 at 22:53 -0200, Thiago Jung Bauermann wrote: >> IMA will use the module_signature format for append signatures, so export >> the relevant definitions and factor out the code which verifies that the >> appended signature trailer

[PATCH 0/6] Appended signatures support for IMA appraisal

2017-04-18 Thread Thiago Jung Bauermann
are cleanups and improvements that can be taken independently from the others (and from each other as well). The last two are the ones actually focused on this feature. These patches apply on top of today's linux-security/next. Thiago Jung Bauermann (6): integrity: Small code improvements

[PATCH 4/6] ima: Log the same audit cause whenever a file has no signature

2017-04-18 Thread Thiago Jung Bauermann
If the file doesn't have an xattr, ima_appraise_measurement sets cause to "missing-hash" while if there's an xattr but it's a digest instead of a signature it sets cause to "IMA-signature-required". Fix it by setting cause to "IMA-signature-required"

[PATCH 6/6] ima: Support appended signatures for appraisal

2017-04-18 Thread Thiago Jung Bauermann
CONFIG_IMA_APPRAISE_APPENDED_SIG, because CONFIG_MODULE_SIG_FORMAT selects CONFIG_KEYS and Kconfig complains that CONFIG_INTEGRITY_SIGNATURE depends on it. Signed-off-by: Thiago Jung Bauermann --- crypto/asymmetric_keys/asymmetric_type.c | 1 + crypto/asymmetric_keys/pkcs7_parser.c| 12 + crypto

[PATCH 3/6] ima: Simplify policy_func_show.

2017-04-18 Thread Thiago Jung Bauermann
If the func_tokens array uses the same indices as enum ima_hooks, policy_func_show can be a lot simpler, and the func_* enum becomes unnecessary. Signed-off-by: Thiago Jung Bauermann --- security/integrity/ima/ima_policy.c | 47 ++--- 1 file changed, 7 insertions

[PATCH 1/6] integrity: Small code improvements

2017-04-18 Thread Thiago Jung Bauermann
ve to use a cast if they provide a buffer that isn't a char *. Also, add missing fall through comment in ima_appraise.c. Signed-off-by: Thiago Jung Bauermann --- security/integrity/digsig_asymmetric.c | 4 ++-- security/integrity/iint.c | 2 +- security/integrity/ima/ima_appra

[PATCH 5/6] MODSIGN: Export module signature definitions.

2017-04-18 Thread Thiago Jung Bauermann
validate_module_signature without having to depend on CONFIG_MODULE_SIG. Signed-off-by: Thiago Jung Bauermann --- include/linux/module_signature.h | 45 init/Kconfig | 6 +++- kernel/Makefile | 2 +- kernel/module_signing.c | 74

[PATCH 2/6] ima: Tidy up constant strings

2017-04-18 Thread Thiago Jung Bauermann
Strictly speaking, boot_aggregate_name is a constant string, not a modifiable pointer to a constant string. Also, constify mask_tokens and func_tokens arrays. Signed-off-by: Thiago Jung Bauermann --- security/integrity/ima/ima_init.c | 2 +- security/integrity/ima/ima_policy.c | 4 ++-- 2

Re: [PATCH 3/6] ima: Simplify policy_func_show.

2017-04-20 Thread Thiago Jung Bauermann
On Thursday, 20 April 2017, 08:13:23 BRT, Mimi Zohar wrote: > On Tue, 2017-04-18 at 17:17 -0300, Thiago Jung Bauermann wrote: > > If the func_tokens array uses the same indices as enum ima_hooks, > > policy_func_show can be a lot simpler, and the func_* enum becomes > >

Re: [PATCH 5/6] MODSIGN: Export module signature definitions.

2017-04-20 Thread Thiago Jung Bauermann
On Thursday, 20 April 2017, 15:37:37 BRT, David Howells wrote: > Mimi Zohar wrote: > > On Tue, 2017-04-18 at 17:17 -0300, Thiago Jung Bauermann wrote: > > > IMA will use the module_signature format for append signatures, so > > > export > > > the relevant

Re: [PATCH 6/6] ima: Support appended signatures for appraisal

2017-04-20 Thread Thiago Jung Bauermann
or: dereferencing pointer to > >> incomplete type 'const struct key' > return key->payload.data[asym_key_ids]; >^~ This happens with CONFIG_IMA_APPRAISE=y and CONFIG_KEYS=n. Fixed by only including the new header files in ima_appraise.c if CONFIG_IMA_APPR

Re: [PATCH 3/6] ima: Simplify policy_func_show.

2017-04-24 Thread Thiago Jung Bauermann
On Friday, 21 April 2017, 09:57:56 BRT, Mimi Zohar wrote: > On Thu, 2017-04-20 at 17:40 -0300, Thiago Jung Bauermann wrote: > > @@ -949,49 +936,16 @@ void ima_policy_stop(struct seq_file *m, void *v) > > > > #define pt(token) policy_tokens[token + Opt_err].pattern

Re: [PATCH 6/6] ima: Support appended signatures for appraisal

2017-04-26 Thread Thiago Jung Bauermann
Hello Mimi, Thanks for your review. On Wednesday, 26 April 2017, 07:21:19 BRT, Mimi Zohar wrote: > On Tue, 2017-04-18 at 17:17 -0300, Thiago Jung Bauermann wrote: > > This patch introduces the appended_imasig keyword to the IMA policy syntax > > to specify that a given hook sh

Re: [PATCH 6/6] ima: Support appended signatures for appraisal

2017-04-27 Thread Thiago Jung Bauermann
On Wednesday, 26 April 2017, 18:18:34 BRT, Mehmet Kayaalp wrote: > > On Apr 20, 2017, at 7:41 PM, Thiago Jung Bauermann > > wrote: > > > > This patch introduces the appended_imasig keyword to the IMA policy syntax > > to specify that a given hook should e

[PATCH v2 1/6] integrity: Small code improvements

2017-06-07 Thread Thiago Jung Bauermann
s. Signed-off-by: Thiago Jung Bauermann --- security/integrity/digsig_asymmetric.c | 4 ++-- security/integrity/iint.c | 2 +- security/integrity/ima/ima.h | 2 +- security/integrity/ima/ima_appraise.c | 1 + security/integrity/ima/ima_policy.c| 4 ++-- security

[PATCH v2 0/6] Appended signatures support for IMA appraisal

2017-06-07 Thread Thiago Jung Bauermann
- Add integrity_keyring_from_id function. - Put modsig to measurement list if the template requires the signature contents. (suggested by Mimi). Thiago Jung Bauermann (6): integrity: Small code improvements ima: Simplify policy_func_show. ima: Log the same audit cause whenever a file has

[PATCH v2 5/6] MODSIGN: Export module signature definitions.

2017-06-07 Thread Thiago Jung Bauermann
the raw bytes that verify_pkcs7_signature takes. Finally, create a CONFIG_MODULE_SIG_FORMAT option so that IMA can select it and be able to use validate_module_signature without having to depend on CONFIG_MODULE_SIG. Signed-off-by: Thiago Jung Bauermann --- certs/system_keyring.c | 62

[PATCH v2 2/6] ima: Simplify policy_func_show.

2017-06-07 Thread Thiago Jung Bauermann
are always in sync (suggested by Mimi Zohar). Finally, by using the printf pattern for the function token directly instead of using the pt macro we can simplify policy_func_show even further and avoid needing a temporary buffer. Signed-off-by: Thiago Jung Bauermann --- security/integrity/ima

[PATCH v2 6/6] ima: Support module-style appended signatures for appraisal

2017-06-07 Thread Thiago Jung Bauermann
GRITY_SIGNATURE to select CONFIG_KEYS instead of depending on it is to avoid a dependency recursion in CONFIG_IMA_APPRAISE_MODSIG, because CONFIG_MODULE_SIG_FORMAT selects CONFIG_KEYS and Kconfig complains that CONFIG_INTEGRITY_SIGNATURE depends on it. Signed-off-by: Thiago Jung Bauermann --

[PATCH v2 4/6] integrity: Introduce struct evm_hmac_xattr

2017-06-07 Thread Thiago Jung Bauermann
, since in most places the array doesn't hold a digest. A separate struct evm_hmac_xattr is introduced, with the original definition of evm_ima_xattr_data to be used in the places that actually expect that definition. Signed-off-by: Thiago Jung Bauermann --- security/integrity/evm/evm

[PATCH v2 3/6] ima: Log the same audit cause whenever a file has no signature

2017-06-07 Thread Thiago Jung Bauermann
If the file doesn't have an xattr, ima_appraise_measurement sets cause to "missing-hash" while if there's an xattr but it's a digest instead of a signature it sets cause to "IMA-signature-required". Fix it by setting cause to "IMA-signature-required"

Re: [PATCH v2 0/6] Appended signatures support for IMA appraisal

2017-06-09 Thread Thiago Jung Bauermann
Michael Ellerman writes: > Thiago Jung Bauermann writes: > >> On the OpenPOWER platform, secure boot and trusted boot are being >> implemented using IMA for taking measurements and verifying signatures. > > I still want you to implement arch_kexec_kernel_verify_sig()

Re: [PATCH v2 6/6] ima: Support module-style appended signatures for appraisal

2017-06-21 Thread Thiago Jung Bauermann
Hello Mimi, Thanks for your review, and for queuing the other patches in this series. Mimi Zohar writes: > On Wed, 2017-06-07 at 22:49 -0300, Thiago Jung Bauermann wrote: >> This patch introduces the modsig keyword to the IMA policy syntax to >> specify that a given hook should

Re: [PATCH v2 6/6] ima: Support module-style appended signatures for appraisal

2017-07-04 Thread Thiago Jung Bauermann
Mimi Zohar writes: > On Wed, 2017-06-21 at 14:45 -0300, Thiago Jung Bauermann wrote: >> Mimi Zohar writes: >> > On Wed, 2017-06-07 at 22:49 -0300, Thiago Jung Bauermann wrote: >> >> @@ -267,11 +276,18 @@ int ima_appraise_measurement(enum ima_hooks func, >>

[PATCH v3 7/7] ima: Support module-style appended signatures for appraisal

2017-07-06 Thread Thiago Jung Bauermann
. Signed-off-by: Thiago Jung Bauermann --- security/integrity/ima/Kconfig| 13 +++ security/integrity/ima/Makefile | 1 + security/integrity/ima/ima.h | 60 ++-- security/integrity/ima/ima_appraise.c | 102 ++--- security/integrity/ima

[PATCH v3 6/7] ima: Store measurement after appraisal

2017-07-06 Thread Thiago Jung Bauermann
then the measure step was already completed and would need to be done again in case the template includes the signature. To avoid this problem, do the appraisal first so that the correct signature is stored by the template in the measure step. Signed-off-by: Thiago Jung Bauermann --- sec

[PATCH v3 4/7] integrity: Introduce integrity_keyring_from_id

2017-07-06 Thread Thiago Jung Bauermann
IMA will need to obtain the keyring used to verify file signatures so that it can verify the module-style signature appended to files. Signed-off-by: Thiago Jung Bauermann --- security/integrity/digsig.c| 28 +++- security/integrity/integrity.h | 1 + 2 files

[PATCH v3 2/7] MODSIGN: Export module signature definitions.

2017-07-06 Thread Thiago Jung Bauermann
validate_module_signature without having to depend on CONFIG_MODULE_SIG. Signed-off-by: Thiago Jung Bauermann --- include/linux/module.h | 3 -- include/linux/module_signature.h | 47 + init/Kconfig | 6 +++- kernel/Makefile | 2 +- kernel

[PATCH v3 5/7] integrity: Select CONFIG_KEYS instead of depending on it

2017-07-06 Thread Thiago Jung Bauermann
This avoids a dependency cycle in CONFIG_IMA_APPRAISE_MODSIG (introduced by a later patch in this series): it will select CONFIG_MODULE_SIG_FORMAT which in turn selects CONFIG_KEYS. Kconfig then complains that CONFIG_INTEGRITY_SIGNATURE depends on CONFIG_KEYS. Signed-off-by: Thiago Jung Bauermann

[PATCH v3 1/7] integrity: Introduce struct evm_hmac_xattr

2017-07-06 Thread Thiago Jung Bauermann
, since in most places the array doesn't hold a digest. A separate struct evm_hmac_xattr is introduced, with the original definition of evm_ima_xattr_data to be used in the places that actually expect that definition. Signed-off-by: Thiago Jung Bauermann --- security/integrity/evm/evm

[PATCH v3 0/7] Appended signatures support for IMA appraisal

2017-07-06 Thread Thiago Jung Bauermann
- If the modsig verification fails, look for an xattr signature. (suggested by Mimi) - Add integrity_keyring_from_id function. - Put modsig to measurement list if the template requires the signature contents. (suggested by Mimi). Thiago Jung Bauermann (7): integrity: Introduce struct

[PATCH v3 3/7] PKCS#7: Introduce verify_pkcs7_message_sig

2017-07-06 Thread Thiago Jung Bauermann
Add function verify_pkcs7_message_signature which takes a struct pkcs7_message for verification instead of the raw bytes that verify_pkcs7_signature takes. This will be used by IMA to verify files with module-style appended signatures. Signed-off-by: Thiago Jung Bauermann --- certs

[PATCH v6 02/12] PKCS#7: Introduce pkcs7_get_message_sig() and verify_pkcs7_message_sig()

2018-03-16 Thread Thiago Jung Bauermann
verify_pkcs7_signature() takes. Signed-off-by: Thiago Jung Bauermann Cc: David Howells Cc: David Woodhouse Cc: Herbert Xu Cc: "David S. Miller" --- certs/system_keyring.c| 61 ++- crypto/asymmetric_keys/pkcs7_parser.c | 16 + incl

[PATCH v6 10/12] ima: Add functions to read and verify a modsig signature

2018-03-16 Thread Thiago Jung Bauermann
This is the code needed by IMA-appraise to work with modsig signatures. It will be used by the next two patches. Signed-off-by: Thiago Jung Bauermann --- security/integrity/ima/Kconfig | 3 + security/integrity/ima/ima.h| 41 security/integrity/ima/ima_modsig.c | 181

[PATCH v6 06/12] integrity: Introduce asymmetric_sig_has_known_key()

2018-03-16 Thread Thiago Jung Bauermann
function. Signed-off-by: Thiago Jung Bauermann --- security/integrity/digsig_asymmetric.c | 44 +- security/integrity/integrity.h | 8 +++ 2 files changed, 41 insertions(+), 11 deletions(-) diff --git a/security/integrity/digsig_asymmetric.c b/security

[PATCH v6 08/12] ima: Export func_tokens

2018-03-16 Thread Thiago Jung Bauermann
ima_read_modsig() will need it so that it can show an error message. Signed-off-by: Thiago Jung Bauermann --- security/integrity/ima/ima.h| 2 ++ security/integrity/ima/ima_policy.c | 12 ++-- 2 files changed, 8 insertions(+), 6 deletions(-) diff --git a/security/integrity/ima

[PATCH v6 12/12] ima: Write modsig to the measurement list

2018-03-16 Thread Thiago Jung Bauermann
igned-off-by: Thiago Jung Bauermann --- Documentation/security/IMA-templates.rst | 5 security/integrity/ima/ima_template.c | 4 ++- security/integrity/ima/ima_template_lib.c | 47 +-- security/integrity/ima/ima_template_lib.h | 2 ++ 4 files changed,

[PATCH v6 09/12] ima: Add modsig appraise_type option for module-style appended signatures

2018-03-16 Thread Thiago Jung Bauermann
ew file mode 100644 index ..d8ea811b6f74 --- /dev/null +++ b/security/integrity/ima/ima_modsig.c @@ -0,0 +1,31 @@ +// SPDX-License-Identifier: GPL-2.0+ +/* + * IMA support for appraising module-style appended signatures. + * + * Copyright (C) 2018 IBM Corporation + * + * Author: + * Thiago J

[PATCH v6 11/12] ima: Implement support for module-style appended signatures

2018-03-16 Thread Thiago Jung Bauermann
signature. Signed-off-by: Thiago Jung Bauermann --- security/integrity/ima/ima.h | 11 +++- security/integrity/ima/ima_appraise.c | 53 +++ security/integrity/ima/ima_main.c | 21 +++--- 3 files changed, 74 insertions(+), 11 deletions

[PATCH v6 07/12] integrity: Select CONFIG_KEYS instead of depending on it

2018-03-16 Thread Thiago Jung Bauermann
This avoids a dependency cycle in CONFIG_IMA_APPRAISE_MODSIG (introduced by a later patch in this series): it will select CONFIG_MODULE_SIG_FORMAT which in turn selects CONFIG_KEYS. Kconfig then complains that CONFIG_INTEGRITY_SIGNATURE depends on CONFIG_KEYS. Signed-off-by: Thiago Jung Bauermann

[PATCH v6 05/12] integrity: Introduce integrity_keyring_from_id()

2018-03-16 Thread Thiago Jung Bauermann
IMA will need to obtain the keyring used to verify file signatures so that it can verify the module-style signature appended to files. Signed-off-by: Thiago Jung Bauermann --- security/integrity/digsig.c| 28 +--- security/integrity/integrity.h | 6 ++ 2 files

[PATCH v6 01/12] MODSIGN: Export module signature definitions

2018-03-16 Thread Thiago Jung Bauermann
() without having to depend on CONFIG_MODULE_SIG. Signed-off-by: Thiago Jung Bauermann Reviewed-by: Mimi Zohar Cc: Jessica Yu --- include/linux/module.h | 3 -- include/linux/module_signature.h | 44 +++ init/Kconfig | 6 +++- kernel/Makefile

[PATCH v6 00/12] Appended signatures support for IMA appraisal

2018-03-16 Thread Thiago Jung Bauermann
g of ima_read_xattr return value into process_xattr_error in ima_appraise_measurement so that it can be used if the modsig verification fails. - Pass NULL xattr_value to evm_verifyxattr even in the case of xattr signature in ima_appraise_measurement (suggested by Mimi Zohar). - Use switch stat

[PATCH v6 03/12] PKCS#7: Introduce pkcs7_get_digest()

2018-03-16 Thread Thiago Jung Bauermann
work. Verifying that sinfo->sig->digest isn't NULL is sufficient because both places which allocate sinfo->sig (pkcs7_parse_message() and pkcs7_note_signed_info()) use kzalloc() so sig->digest is always initialized to zero. Signed-off-by: Thiago Jung Bauermann Cc: David Howells Cc: He

[PATCH v6 04/12] ima: Introduce is_ima_sig()

2018-03-16 Thread Thiago Jung Bauermann
With the introduction of another IMA signature type (modsig), some places will need to check for both of them. It is cleaner to do that if there's a helper function to tell whether an xattr_value represents an IMA signature. Suggested-by: Mimi Zohar Signed-off-by: Thiago Jung Baue

Re: [PATCH v6 00/12] Appended signatures support for IMA appraisal

2018-03-16 Thread Thiago Jung Bauermann
Thiago Jung Bauermann writes: > Now the modsig is only ignored if it references a signature that is not > present in IMA's keyring (or if there's a parsing error, obviously). If the The above should read "Now the modsig is only ignored if it references a *key* that is

[PATCH v7 01/14] MODSIGN: Export module signature definitions

2018-05-22 Thread Thiago Jung Bauermann
() without having to depend on CONFIG_MODULE_SIG. Signed-off-by: Thiago Jung Bauermann Reviewed-by: Mimi Zohar Cc: Jessica Yu --- include/linux/module.h | 3 -- include/linux/module_signature.h | 44 +++ init/Kconfig | 6 +++- kernel/Makefile

[PATCH v7 03/14] PKCS#7: Introduce pkcs7_get_digest()

2018-05-22 Thread Thiago Jung Bauermann
work. Verifying that sinfo->sig->digest isn't NULL is sufficient because both places which allocate sinfo->sig (pkcs7_parse_message() and pkcs7_note_signed_info()) use kzalloc() so sig->digest is always initialized to zero. Signed-off-by: Thiago Jung Bauermann Reviewed-by: Mimi Zohar

[PATCH v7 00/14] Appended signatures support for IMA appraisal

2018-05-22 Thread Thiago Jung Bauermann
s xattr_value to evm_verifyxattr() unless xattr_value is a modsig. - Patch "ima: Write modsig to the measurement list" - Since now we determine whether we'll use an xattr sig or a modsig at the time they are read, there's no need to store a measurement again in the m

[PATCH v7 05/14] integrity: Introduce integrity_keyring_from_id()

2018-05-22 Thread Thiago Jung Bauermann
IMA will need to obtain the keyring used to verify file signatures so that it can verify the module-style signature appended to files. Signed-off-by: Thiago Jung Bauermann Signed-off-by: Mimi Zohar --- security/integrity/digsig.c| 28 +--- security/integrity

[PATCH v7 04/14] integrity: Introduce struct evm_xattr

2018-05-22 Thread Thiago Jung Bauermann
ost places the array doesn't hold a digest. A separate struct evm_xattr is introduced, with the original definition of evm_ima_xattr_data to be used in the places that actually expect that definition. Signed-off-by: Thiago Jung Bauermann --- security/integrity/evm/evm_crypto.c | 4

[PATCH v7 13/14] ima: Write modsig to the measurement list

2018-05-22 Thread Thiago Jung Bauermann
Add modsig support to the "sig" template field, allowing the contents of the modsig to be included in the measurement list. Suggested-by: Mimi Zohar Signed-off-by: Thiago Jung Bauermann --- security/integrity/ima/ima.h | 7 +++ security/integrity/ima/im

[PATCH v7 11/14] ima: Implement support for module-style appended signatures

2018-05-22 Thread Thiago Jung Bauermann
-off-by: Thiago Jung Bauermann --- security/integrity/ima/Kconfig| 3 + security/integrity/ima/ima.h | 36 - security/integrity/ima/ima_appraise.c | 64 +-- security/integrity/ima/ima_main.c | 17 +++- security/integrity/ima/ima_modsig.c | 145

[PATCH v7 12/14] ima: Add new "d-sig" template field

2018-05-22 Thread Thiago Jung Bauermann
Define new "d-sig" template field which holds the digest that is expected to match the one contained in the modsig. Suggested-by: Mimi Zohar Signed-off-by: Thiago Jung Bauermann --- Documentation/security/IMA-templates.rst | 5 + security/integrity/ima/ima.h

[PATCH v7 14/14] ima: Store the measurement again when appraising a modsig

2018-05-22 Thread Thiago Jung Bauermann
nal measurement with the modsig. This is done by defining the appraise subaction flag IMA_READ_MEASURE and testing for it in process_measurement(). Suggested-by: Mimi Zohar Signed-off-by: Thiago Jung Bauermann --- security/integrity/ima/ima.h | 1 + security/integrity/ima/ima_

[PATCH v7 08/14] ima: Introduce is_signed()

2018-05-22 Thread Thiago Jung Bauermann
With the introduction of another IMA signature type (modsig), some places will need to check for both of them. It is cleaner to do that if there's a helper function to tell whether an xattr_value represents an IMA signature. Suggested-by: Mimi Zohar Signed-off-by: Thiago Jung Baue

[PATCH v7 10/14] ima: Add modsig appraise_type option for module-style appended signatures

2018-05-22 Thread Thiago Jung Bauermann
signature stored in the extended attribute or an appended signature. For now, the rule above will behave exactly the same as if appraise_type=imasig was specified. The actual modsig implementation will be introduced separately. Suggested-by: Mimi Zohar Signed-off-by: Thiago Jung Bauermann

[PATCH v7 07/14] integrity: Select CONFIG_KEYS instead of depending on it

2018-05-22 Thread Thiago Jung Bauermann
This avoids a dependency cycle in soon-to-be-introduced CONFIG_IMA_APPRAISE_MODSIG: it will select CONFIG_MODULE_SIG_FORMAT which in turn selects CONFIG_KEYS. Kconfig then complains that CONFIG_INTEGRITY_SIGNATURE depends on CONFIG_KEYS. Signed-off-by: Thiago Jung Bauermann Signed-off-by: Mimi

[PATCH v7 09/14] ima: Export func_tokens

2018-05-22 Thread Thiago Jung Bauermann
ima_read_modsig() will need it so that it can show an error message. Signed-off-by: Thiago Jung Bauermann --- security/integrity/ima/ima.h| 2 ++ security/integrity/ima/ima_policy.c | 12 ++-- 2 files changed, 8 insertions(+), 6 deletions(-) diff --git a/security/integrity/ima

[PATCH v7 06/14] integrity: Introduce asymmetric_sig_has_known_key()

2018-05-22 Thread Thiago Jung Bauermann
function. Signed-off-by: Thiago Jung Bauermann Signed-off-by: Mimi Zohar --- security/integrity/digsig_asymmetric.c | 44 +- security/integrity/integrity.h | 8 +++ 2 files changed, 41 insertions(+), 11 deletions(-) diff --git a/security/integrity

[PATCH v7 02/14] PKCS#7: Refactor verify_pkcs7_signature() and add pkcs7_get_message_sig()

2018-05-22 Thread Thiago Jung Bauermann
message, so add pkcs7_get_message_sig(). Signed-off-by: Thiago Jung Bauermann Reviewed-by: Mimi Zohar Cc: David Howells Cc: David Woodhouse Cc: Herbert Xu Cc: "David S. Miller" --- certs/system_keyring.c| 61 ++- crypto/asymm

Re: [PATCH v10 01/12] MODSIGN: Export module signature definitions

2019-05-28 Thread Thiago Jung Bauermann
Mimi Zohar writes: > On Thu, 2019-04-18 at 00:51 -0300, Thiago Jung Bauermann wrote: >> IMA will use the module_signature format for append signatures, so export >> the relevant definitions and factor out the code which verifies that the >> appended signature trailer

Re: [PATCH v10 11/12] ima: Define ima-modsig template

2019-05-28 Thread Thiago Jung Bauermann
Mimi Zohar writes: > On Thu, 2019-04-18 at 00:51 -0300, Thiago Jung Bauermann wrote: >> Define new "d-modsig" template field which holds the digest that is >> expected to match the one contained in the modsig, and also new "modsig" >> template fiel

Re: [PATCH v10 12/12] ima: Store the measurement again when appraising a modsig

2019-05-28 Thread Thiago Jung Bauermann
Mimi Zohar writes: > Hi Thiago, > > On Thu, 2019-04-18 at 00:51 -0300, Thiago Jung Bauermann wrote: >> If the IMA template contains the "modsig" or "d-modsig" field, then the >> modsig should be added to the measurement list when the file is appraised

Re: [PATCH v10 09/12] ima: Implement support for module-style appended signatures

2019-05-28 Thread Thiago Jung Bauermann
rc = mod_check_sig(sig, buf_len, func_tokens[func]); And in mod_check_sig(): pr_err("%s: Module is not signed with expected PKCS#7 message\n", name); If you think it's not worth it to expose func_tokens, I can make ima_read_modsig() pass a more generic const string such as "IMA modsig" for example. > Other than this, the patch looks good. Nice! -- Thiago Jung Bauermann IBM Linux Technology Center

Re: [PATCH v10 09/12] ima: Implement support for module-style appended signatures

2019-05-28 Thread Thiago Jung Bauermann
Mimi Zohar writes: > Hi Thiago, > > On Thu, 2019-04-18 at 00:51 -0300, Thiago Jung Bauermann wrote: >> >> @@ -326,6 +356,10 @@ int ima_appraise_measurement(enum ima_hooks func, >> case INTEGRITY_UNKNOWN: >> break; >> case INTEGRITY_NOXATTRS:/* No EVM pr

[PATCH v11 02/13] PKCS#7: Refactor verify_pkcs7_signature()

2019-06-10 Thread Thiago Jung Bauermann
IMA will need to verify a PKCS#7 signature which has already been parsed. For this reason, factor out the code which does that from verify_pkcs7_signature() into a new function which takes a struct pkcs7_message instead of a data buffer. Signed-off-by: Thiago Jung Bauermann Reviewed-by: Mimi

[PATCH v11 00/13] Appended signatures support for IMA appraisal

2019-06-10 Thread Thiago Jung Bauermann
data() since their callers already perform that check. - Moved check_current_template_modsig() to this patch, previously was in "ima: Store the measurement again when appraising a modsig". - Patch "ima: Store the measurement again when appraising a modsig" - Renam

[PATCH v11 01/13] MODSIGN: Export module signature definitions

2019-06-10 Thread Thiago Jung Bauermann
() without having to depend on either CONFIG_MODULE_SIG or CONFIG_MODULES. Signed-off-by: Thiago Jung Bauermann Reviewed-by: Mimi Zohar Cc: Jessica Yu --- include/linux/module.h | 3 -- include/linux/module_signature.h | 44 + init/Kconfig | 6
