Re: [PATCH 3/6] ima: Simplify policy_func_show.

2017-04-20 Thread Thiago Jung Bauermann
On Thursday, 20 April 2017, 08:13:23 BRT, Mimi Zohar wrote: > On Tue, 2017-04-18 at 17:17 -0300, Thiago Jung Bauermann wrote: > > If the func_tokens array uses the same indices as enum ima_hooks, > > policy_func_show can be a lot simpler, and the func_* enum becomes > >

Re: [PATCH 5/6] MODSIGN: Export module signature definitions.

2017-04-20 Thread Thiago Jung Bauermann
On Thursday, 20 April 2017, 15:37:37 BRT, David Howells wrote: > Mimi Zohar <zo...@linux.vnet.ibm.com> wrote: > > On Tue, 2017-04-18 at 17:17 -0300, Thiago Jung Bauermann wrote: > > > IMA will use the module_signature format for append signatures, so > > > expo

Re: [PATCH 6/6] ima: Support appended signatures for appraisal

2017-04-20 Thread Thiago Jung Bauermann
eferencing pointer to > >> incomplete type 'const struct key' > return key->payload.data[asym_key_ids]; >^~ This happens with CONFIG_IMA_APPRAISE=y and CONFIG_KEYS=n. Fixed by only including the new header files in ima_appraise.c if CONFIG_IMA_APPRAISE_APPENDED_SIG=y

[PATCH 0/6] Appended signatures support for IMA appraisal

2017-04-18 Thread Thiago Jung Bauermann
are cleanups and improvements that can be taken independently from the others (and from each other as well). The last two are the ones actually focused on this feature. These patches apply on top of today's linux-security/next. Thiago Jung Bauermann (6): integrity: Small code improvements ima

[PATCH 5/6] MODSIGN: Export module signature definitions.

2017-04-18 Thread Thiago Jung Bauermann
validate_module_signature without having to depend on CONFIG_MODULE_SIG. Signed-off-by: Thiago Jung Bauermann <bauer...@linux.vnet.ibm.com> --- include/linux/module_signature.h | 45 init/Kconfig | 6 +++- kernel/Makefile | 2 +- kernel/module_sig

[PATCH 2/6] ima: Tidy up constant strings

2017-04-18 Thread Thiago Jung Bauermann
Strictly speaking, boot_aggregate_name is a constant string, not a modifiable pointer to a constant string. Also, constify mask_tokens and func_tokens arrays. Signed-off-by: Thiago Jung Bauermann <bauer...@linux.vnet.ibm.com> --- security/integrity/ima/ima_init.c | 2 +- security/int

[PATCH 4/6] ima: Log the same audit cause whenever a file has no signature

2017-04-18 Thread Thiago Jung Bauermann
If the file doesn't have an xattr, ima_appraise_measurement sets cause to "missing-hash" while if there's an xattr but it's a digest instead of a signature it sets cause to "IMA-signature-required". Fix it by setting cause to "IMA-signature-required" in both case

[PATCH 6/6] ima: Support appended signatures for appraisal

2017-04-18 Thread Thiago Jung Bauermann
in CONFIG_IMA_APPRAISE_APPENDED_SIG, because CONFIG_MODULE_SIG_FORMAT selects CONFIG_KEYS and Kconfig complains that CONFIG_INTEGRITY_SIGNATURE depends on it. Signed-off-by: Thiago Jung Bauermann <bauer...@linux.vnet.ibm.com> --- crypto/asymmetric_keys/asymmetric_type.c | 1 + crypto/asymmetri

[PATCH 3/6] ima: Simplify policy_func_show.

2017-04-18 Thread Thiago Jung Bauermann
If the func_tokens array uses the same indices as enum ima_hooks, policy_func_show can be a lot simpler, and the func_* enum becomes unnecessary. Signed-off-by: Thiago Jung Bauermann <bauer...@linux.vnet.ibm.com> --- security/integrity/ima/ima_policy.

[PATCH 1/6] integrity: Small code improvements

2017-04-18 Thread Thiago Jung Bauermann
to use a cast if they provide a buffer that isn't a char *. Also, add missing fall through comment in ima_appraise.c. Signed-off-by: Thiago Jung Bauermann <bauer...@linux.vnet.ibm.com> --- security/integrity/digsig_asymmetric.c | 4 ++-- security/integrity/iint.c | 2 +- se

Re: [PATCH 3/6] ima: Simplify policy_func_show.

2017-04-24 Thread Thiago Jung Bauermann
On Friday, 21 April 2017, 09:57:56 BRT, Mimi Zohar wrote: > On Thu, 2017-04-20 at 17:40 -0300, Thiago Jung Bauermann wrote: > > @@ -949,49 +936,16 @@ void ima_policy_stop(struct seq_file *m, void *v) > > > > #define pt(token) policy_tokens[token + Opt_err].pattern

Re: [PATCH v3 7/7] ima: Support module-style appended signatures for appraisal

2017-08-03 Thread Thiago Jung Bauermann
Mimi Zohar <zo...@linux.vnet.ibm.com> writes: > On Wed, 2017-08-02 at 18:52 -0400, Mimi Zohar wrote: >> On Wed, 2017-08-02 at 14:42 -0300, Thiago Jung Bauermann wrote: >> > Mimi Zohar <zo...@linux.vnet.ibm.com> writes: > >> > >> @@ -229,8 +251,2

[PATCH v3 7/7] ima: Support module-style appended signatures for appraisal

2017-07-06 Thread Thiago Jung Bauermann
. Signed-off-by: Thiago Jung Bauermann <bauer...@linux.vnet.ibm.com> --- security/integrity/ima/Kconfig| 13 +++ security/integrity/ima/Makefile | 1 + security/integrity/ima/ima.h | 60 ++-- security/integrity/ima/ima_appraise.c

[PATCH v3 6/7] ima: Store measurement after appraisal

2017-07-06 Thread Thiago Jung Bauermann
, and by then the measure step was already completed and would need to be done again in case the template includes the signature. To avoid this problem, do the appraisal first so that the correct signature is stored by the template in the measure step. Signed-off-by: Thiago Jung Bauermann <ba

[PATCH v3 4/7] integrity: Introduce integrity_keyring_from_id

2017-07-06 Thread Thiago Jung Bauermann
IMA will need to obtain the keyring used to verify file signatures so that it can verify the module-style signature appended to files. Signed-off-by: Thiago Jung Bauermann <bauer...@linux.vnet.ibm.com> --- security/integrity/digsig.c| 28 +++- security/int

[PATCH v3 2/7] MODSIGN: Export module signature definitions.

2017-07-06 Thread Thiago Jung Bauermann
validate_module_signature without having to depend on CONFIG_MODULE_SIG. Signed-off-by: Thiago Jung Bauermann <bauer...@linux.vnet.ibm.com> --- include/linux/module.h | 3 -- include/linux/module_signature.h | 47 + init/Kconfig | 6 +++- kernel/Ma

[PATCH v3 5/7] integrity: Select CONFIG_KEYS instead of depending on it

2017-07-06 Thread Thiago Jung Bauermann
This avoids a dependency cycle in CONFIG_IMA_APPRAISE_MODSIG (introduced by a later patch in this series): it will select CONFIG_MODULE_SIG_FORMAT which in turn selects CONFIG_KEYS. Kconfig then complains that CONFIG_INTEGRITY_SIGNATURE depends on CONFIG_KEYS. Signed-off-by: Thiago Jung Bauermann

[PATCH v3 1/7] integrity: Introduce struct evm_hmac_xattr

2017-07-06 Thread Thiago Jung Bauermann
ata, since in most places the array doesn't hold a digest. A separate struct evm_hmac_xattr is introduced, with the original definition of evm_ima_xattr_data to be used in the places that actually expect that definition. Signed-off-by: Thiago Jung Bauermann <bauer...@linux.vnet.ibm.com> --- se

[PATCH v3 0/7] Appended signatures support for IMA appraisal

2017-07-06 Thread Thiago Jung Bauermann
yring_from_id function. - Put modsig to measurement list if the template requires the signature contents. (suggested by Mimi). Thiago Jung Bauermann (7): integrity: Introduce struct evm_hmac_xattr MODSIGN: Export module signature definitions. PKCS#7: Introduce verify_pkcs7_message_sig

[PATCH v3 3/7] PKCS#7: Introduce verify_pkcs7_message_sig

2017-07-06 Thread Thiago Jung Bauermann
Add function verify_pkcs7_message_signature which takes a struct pkcs7_message for verification instead of the raw bytes that verify_pkcs7_signature takes. This will be used by IMA to verify files with module-style appended signatures. Signed-off-by: Thiago Jung Bauermann <ba

Re: [PATCH v2 6/6] ima: Support module-style appended signatures for appraisal

2017-07-04 Thread Thiago Jung Bauermann
Mimi Zohar <zo...@linux.vnet.ibm.com> writes: > On Wed, 2017-06-21 at 14:45 -0300, Thiago Jung Bauermann wrote: >> Mimi Zohar <zo...@linux.vnet.ibm.com> writes: >> > On Wed, 2017-06-07 at 22:49 -0300, Thiago Jung Bauermann wrote: >> >> @@ -267,11 +2

Re: [PATCH 6/6] ima: Support appended signatures for appraisal

2017-04-26 Thread Thiago Jung Bauermann
Hello Mimi, Thanks for your review. On Wednesday, 26 April 2017, 07:21:19 BRT, Mimi Zohar wrote: > On Tue, 2017-04-18 at 17:17 -0300, Thiago Jung Bauermann wrote: > > This patch introduces the appended_imasig keyword to the IMA policy syntax > > to specify that a given hoo

Re: [PATCH 6/6] ima: Support appended signatures for appraisal

2017-04-27 Thread Thiago Jung Bauermann
On Wednesday, 26 April 2017, 18:18:34 BRT, Mehmet Kayaalp wrote: > > On Apr 20, 2017, at 7:41 PM, Thiago Jung Bauermann > > <bauer...@linux.vnet.ibm.com> wrote: > > > > This patch introduces the appended_imasig keyword to the IMA policy syntax > > to spe

[PATCH v4 0/7] Appended signatures support for IMA appraisal

2017-08-04 Thread Thiago Jung Bauermann
d new xattr "subtype" IMA_MODSIG. (suggested by Mimi) - Check whether a hook supports modsig when the policy is being parsed. (suggested by Mimi) - If the modsig verification fails, look for an xattr signature. (suggested by Mimi) - Add integrity_keyring_from_id function. - Pu

[PATCH v4 1/7] integrity: Introduce struct evm_xattr

2017-08-04 Thread Thiago Jung Bauermann
ata, since in most places the array doesn't hold a digest. A separate struct evm_xattr is introduced, with the original definition of evm_ima_xattr_data to be used in the places that actually expect that definition. Signed-off-by: Thiago Jung Bauermann <bauer...@linux.vnet.ibm.com> --- securi

[PATCH v4 5/7] integrity: Select CONFIG_KEYS instead of depending on it

2017-08-04 Thread Thiago Jung Bauermann
This avoids a dependency cycle in CONFIG_IMA_APPRAISE_MODSIG (introduced by a later patch in this series): it will select CONFIG_MODULE_SIG_FORMAT which in turn selects CONFIG_KEYS. Kconfig then complains that CONFIG_INTEGRITY_SIGNATURE depends on CONFIG_KEYS. Signed-off-by: Thiago Jung Bauermann

[PATCH v4 7/7] ima: Support module-style appended signatures for appraisal

2017-08-04 Thread Thiago Jung Bauermann
. Signed-off-by: Thiago Jung Bauermann <bauer...@linux.vnet.ibm.com> --- security/integrity/ima/Kconfig| 13 +++ security/integrity/ima/Makefile | 1 + security/integrity/ima/ima.h | 70 +++- security/integrity/ima/ima_appraise.c

[PATCH v4 6/7] ima: Store measurement after appraisal

2017-08-04 Thread Thiago Jung Bauermann
, and by then the measure step was already completed and would need to be done again in case the template includes the signature. To avoid this problem, do the appraisal first so that the correct signature is stored by the template in the measure step. Signed-off-by: Thiago Jung Bauermann <ba

[PATCH v4 4/7] integrity: Introduce integrity_keyring_from_id

2017-08-04 Thread Thiago Jung Bauermann
IMA will need to obtain the keyring used to verify file signatures so that it can verify the module-style signature appended to files. Signed-off-by: Thiago Jung Bauermann <bauer...@linux.vnet.ibm.com> --- security/integrity/digsig.c| 28 +++- security/int

[PATCH v4 2/7] MODSIGN: Export module signature definitions

2017-08-04 Thread Thiago Jung Bauermann
validate_module_signature without having to depend on CONFIG_MODULE_SIG. Signed-off-by: Thiago Jung Bauermann <bauer...@linux.vnet.ibm.com> --- include/linux/module.h | 3 -- include/linux/module_signature.h | 47 + init/Kconfig | 6 +++- kernel/Ma

[PATCH v4 3/7] PKCS#7: Introduce pkcs7_get_message_sig and verify_pkcs7_message_sig

2017-08-04 Thread Thiago Jung Bauermann
verify_pkcs7_message_signature which takes a struct pkcs7_message for verification instead of the raw bytes that verify_pkcs7_signature takes. Signed-off-by: Thiago Jung Bauermann <bauer...@linux.vnet.ibm.com> --- certs/system_keyring.c| 60 +-- crypto/asymmetri

Re: [PATCH v3 1/7] integrity: Introduce struct evm_hmac_xattr

2017-08-02 Thread Thiago Jung Bauermann
Hello Mimi, Thanks for your review! The patch at the end of the email implements your suggestions, what do you think? Mimi Zohar <zo...@linux.vnet.ibm.com> writes: > On Thu, 2017-07-06 at 19:17 -0300, Thiago Jung Bauermann wrote: >> A separate struct evm_hmac_xatt

Re: [PATCH v3 7/7] ima: Support module-style appended signatures for appraisal

2017-08-02 Thread Thiago Jung Bauermann
Mimi Zohar <zo...@linux.vnet.ibm.com> writes: > On Thu, 2017-07-06 at 19:17 -0300, Thiago Jung Bauermann wrote: >> --- a/security/integrity/ima/ima_appraise.c >> +++ b/security/integrity/ima/ima_appraise.c >> @@ -200,18 +200,40 @@ int ima_read_xattr(struct dent

Re: [PATCH v2 0/6] Appended signatures support for IMA appraisal

2017-06-09 Thread Thiago Jung Bauermann
Michael Ellerman <m...@ellerman.id.au> writes: > Thiago Jung Bauermann <bauer...@linux.vnet.ibm.com> writes: > >> On the OpenPOWER platform, secure boot and trusted boot are being >> implemented using IMA for taking measurements and verifying signatures. >

Re: [PATCH v2 6/6] ima: Support module-style appended signatures for appraisal

2017-06-21 Thread Thiago Jung Bauermann
Hello Mimi, Thanks for your review, and for queuing the other patches in this series. Mimi Zohar <zo...@linux.vnet.ibm.com> writes: > On Wed, 2017-06-07 at 22:49 -0300, Thiago Jung Bauermann wrote: >> This patch introduces the modsig keyword to the IMA policy syntax to >>

[PATCH v2 4/6] integrity: Introduce struct evm_hmac_xattr

2017-06-07 Thread Thiago Jung Bauermann
ata, since in most places the array doesn't hold a digest. A separate struct evm_hmac_xattr is introduced, with the original definition of evm_ima_xattr_data to be used in the places that actually expect that definition. Signed-off-by: Thiago Jung Bauermann <bauer...@linux.vnet.ibm.com> --- se

[PATCH v2 3/6] ima: Log the same audit cause whenever a file has no signature

2017-06-07 Thread Thiago Jung Bauermann
If the file doesn't have an xattr, ima_appraise_measurement sets cause to "missing-hash" while if there's an xattr but it's a digest instead of a signature it sets cause to "IMA-signature-required". Fix it by setting cause to "IMA-signature-required" in both case

[PATCH v2 6/6] ima: Support module-style appended signatures for appraisal

2017-06-07 Thread Thiago Jung Bauermann
GRITY_SIGNATURE to select CONFIG_KEYS instead of depending on it is to avoid a dependency recursion in CONFIG_IMA_APPRAISE_MODSIG, because CONFIG_MODULE_SIG_FORMAT selects CONFIG_KEYS and Kconfig complains that CONFIG_INTEGRITY_SIGNATURE depends on it. Signed-off-by: Thiago Jung Bauermann <bauer...@lin

[PATCH v2 1/6] integrity: Small code improvements

2017-06-07 Thread Thiago Jung Bauermann
-off-by: Thiago Jung Bauermann <bauer...@linux.vnet.ibm.com> --- security/integrity/digsig_asymmetric.c | 4 ++-- security/integrity/iint.c | 2 +- security/integrity/ima/ima.h | 2 +- security/integrity/ima/ima_appraise.c | 1 + security/integrity/ima/ima_policy.c

[PATCH v2 0/6] Appended signatures support for IMA appraisal

2017-06-07 Thread Thiago Jung Bauermann
function. - Put modsig to measurement list if the template requires the signature contents. (suggested by Mimi). Thiago Jung Bauermann (6): integrity: Small code improvements ima: Simplify policy_func_show. ima: Log the same audit cause whenever a file has no signature integrity: Introduc

[PATCH v2 5/6] MODSIGN: Export module signature definitions.

2017-06-07 Thread Thiago Jung Bauermann
of the raw bytes that verify_pkcs7_signature takes. Finally, create a CONFIG_MODULE_SIG_FORMAT option so that IMA can select it and be able to use validate_module_signature without having to depend on CONFIG_MODULE_SIG. Signed-off-by: Thiago Jung Bauermann <bauer...@linux.vnet.ibm.com> ---

[PATCH v2 2/6] ima: Simplify policy_func_show.

2017-06-07 Thread Thiago Jung Bauermann
they are always in sync (suggested by Mimi Zohar). Finally, by using the printf pattern for the function token directly instead of using the pt macro we can simplify policy_func_show even further and avoid needing a temporary buffer. Signed-off-by: Thiago Jung Bauermann <bauer...@linux.vnet.ibm.

[PATCH v5 05/18] ima: Simplify ima_eventsig_init

2017-10-17 Thread Thiago Jung Bauermann
The "goto out" statement doesn't have any purpose since there's no cleanup to be done when returning early, so remove it. This also makes the rc variable unnecessary so remove it as well. Also, the xattr_len and fmt variables are redundant so remove them as well. Signed-off-by: T

[PATCH v5 04/18] evm, ima: Remove more superfluous parentheses

2017-10-17 Thread Thiago Jung Bauermann
the object files from before and after the patch. They are identical. Signed-off-by: Thiago Jung Bauermann <bauer...@linux.vnet.ibm.com> --- security/integrity/evm/evm_posix_acl.c | 8 security/integrity/ima/ima_fs.c| 6 +++--- security/integrity/ima/ima_queue.c | 6 +++

[PATCH v5 08/18] integrity: Select CONFIG_KEYS instead of depending on it

2017-10-17 Thread Thiago Jung Bauermann
This avoids a dependency cycle in CONFIG_IMA_APPRAISE_MODSIG (introduced by a later patch in this series): it will select CONFIG_MODULE_SIG_FORMAT which in turn selects CONFIG_KEYS. Kconfig then complains that CONFIG_INTEGRITY_SIGNATURE depends on CONFIG_KEYS. Signed-off-by: Thiago Jung Bauermann

[PATCH v5 06/18] ima: Improvements in ima_appraise_measurement

2017-10-17 Thread Thiago Jung Bauermann
Replace nested ifs in the EVM xattr verification logic with a switch statement, making the code easier to understand. Also, add comments to the if statements in the out section. Signed-off-by: Mimi Zohar <zo...@linux.vnet.ibm.com> Signed-off-by: Thiago Jung Bauermann <bauer...@linux.vne

[PATCH v5 02/18] ima: Remove some superfluous parentheses

2017-10-17 Thread Thiago Jung Bauermann
. Confirmed that the patch is correct by comparing the object files from before and after the patch. They are identical. Signed-off-by: Thiago Jung Bauermann <bauer...@linux.vnet.ibm.com> --- security/integrity/ima/ima_appraise.c | 11 +-- security/integrity/ima/ima_template_lib.

[PATCH v5 14/18] integrity: Introduce integrity_keyring_from_id

2017-10-17 Thread Thiago Jung Bauermann
IMA will need to obtain the keyring used to verify file signatures so that it can verify the module-style signature appended to files. Signed-off-by: Thiago Jung Bauermann <bauer...@linux.vnet.ibm.com> --- security/integrity/digsig.c| 28 +++- security/int

[PATCH v5 13/18] PKCS#7: Introduce pkcs7_get_message_sig and verify_pkcs7_message_sig

2017-10-17 Thread Thiago Jung Bauermann
verify_pkcs7_message_signature which takes a struct pkcs7_message for verification instead of the raw bytes that verify_pkcs7_signature takes. Signed-off-by: Thiago Jung Bauermann <bauer...@linux.vnet.ibm.com> --- certs/system_keyring.c| 60 +-- crypto/asymmetri

[PATCH v5 11/18] ima: Export func_tokens

2017-10-17 Thread Thiago Jung Bauermann
ima_read_modsig will need it so that it can show an error message. Signed-off-by: Thiago Jung Bauermann <bauer...@linux.vnet.ibm.com> --- security/integrity/ima/ima.h| 2 ++ security/integrity/ima/ima_policy.c | 12 ++-- 2 files changed, 8 insertions(+), 6 deletions(-)

[PATCH v5 10/18] ima: Store measurement after appraisal

2017-10-17 Thread Thiago Jung Bauermann
Signed-off-by: Thiago Jung Bauermann <bauer...@linux.vnet.ibm.com> --- security/integrity/ima/ima_main.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 747a4fd9e2de..8e96450e27f5 100644 --

[PATCH v5 01/18] ima: Remove redundant conditional operator

2017-10-17 Thread Thiago Jung Bauermann
is correct by comparing the object file from before and after the patch. They are identical. Signed-off-by: Thiago Jung Bauermann <bauer...@linux.vnet.ibm.com> --- security/integrity/ima/ima_appraise.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/security/integri

[PATCH v5 15/18] ima: Add modsig appraise_type option for module-style appended signatures

2017-10-17 Thread Thiago Jung Bauermann
because the actual modsig implementation will be introduced in a separate patch. Suggested-by: Mimi Zohar <zo...@linux.vnet.ibm.com> Signed-off-by: Thiago Jung Bauermann <bauer...@linux.vnet.ibm.com> --- Documentation/ABI/testing/ima_policy | 6 +- security/integrity/ima/Kconfi

[PATCH v5 03/18] evm, ima: Remove superfluous parentheses

2017-10-17 Thread Thiago Jung Bauermann
that it can be easily dropped if the churn and conflict potential is deemed not worth it. Confirmed that the patch is correct by comparing the object files from before and after the patch. They are identical. Signed-off-by: Thiago Jung Bauermann <bauer...@linux.vnet.ibm.com> --- se

[PATCH v5 17/18] ima: Implement support for module-style appended signatures

2017-10-17 Thread Thiago Jung Bauermann
This patch actually implements the appraise_type=modsig option, allowing IMA to read and verify modsig signatures Signed-off-by: Thiago Jung Bauermann <bauer...@linux.vnet.ibm.com> --- security/integrity/ima/ima.h | 17 +++-- security/integrity/ima/ima_appraise.c

[PATCH v5 00/18] Appended signatures support for IMA appraisal

2017-10-17 Thread Thiago Jung Bauermann
yxattr even in the case of xattr signature in ima_appraise_measurement (suggested by Mimi Zohar). - Use switch statement provided by Mimi Zohar to check result of evm_verifyxattr. - If the modsig verification succeeds, copy the hash calculated during the verification to the iint cac

[PATCH v5 18/18] ima: Write modsig to the measurement list

2017-10-17 Thread Thiago Jung Bauermann
Add modsig support for templates which require the contents of the file signature to be included in the measurement list. Suggested-by: Mimi Zohar <zo...@linux.vnet.ibm.com> Signed-off-by: Thiago Jung Bauermann <bauer...@linux.vnet.ibm.com> --- security/integrity/ima/ima.h

[PATCH v5 07/18] integrity: Introduce struct evm_xattr

2017-10-17 Thread Thiago Jung Bauermann
ata, since in most places the array doesn't hold a digest. A separate struct evm_xattr is introduced, with the original definition of evm_ima_xattr_data to be used in the places that actually expect that definition. Signed-off-by: Thiago Jung Bauermann <bauer...@linux.vnet.ibm.com> --- securi

[PATCH v5 12/18] MODSIGN: Export module signature definitions

2017-10-17 Thread Thiago Jung Bauermann
validate_module_signature without having to depend on CONFIG_MODULE_SIG. Signed-off-by: Thiago Jung Bauermann <bauer...@linux.vnet.ibm.com> --- include/linux/module.h | 3 -- include/linux/module_signature.h | 47 + init/Kconfig | 6 +++- kernel/Ma

[PATCH v5 16/18] ima: Add functions to read and verify a modsig signature

2017-10-17 Thread Thiago Jung Bauermann
This is the code needed by IMA-appraise to work with modsig signatures. It will be used by the next patch. Signed-off-by: Thiago Jung Bauermann <bauer...@linux.vnet.ibm.com> --- security/integrity/ima/Kconfig | 3 + security/integrity/ima/ima.h| 34 +++ security/int

[PATCH v5 09/18] ima: Don't pass xattr value to EVM xattr verification.

2017-10-17 Thread Thiago Jung Bauermann
and not actually required, just don't do it. Suggested-by: Mimi Zohar <zo...@linux.vnet.ibm.com> Signed-off-by: Thiago Jung Bauermann <bauer...@linux.vnet.ibm.com> --- security/integrity/ima/ima_appraise.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security/i

[PATCH v7 09/14] ima: Export func_tokens

2018-05-22 Thread Thiago Jung Bauermann
ima_read_modsig() will need it so that it can show an error message. Signed-off-by: Thiago Jung Bauermann <bauer...@linux.ibm.com> --- security/integrity/ima/ima.h| 2 ++ security/integrity/ima/ima_policy.c | 12 ++-- 2 files changed, 8 insertions(+), 6 deletions(-) diff

[PATCH v7 08/14] ima: Introduce is_signed()

2018-05-22 Thread Thiago Jung Bauermann
ed-off-by: Thiago Jung Bauermann <bauer...@linux.ibm.com> --- security/integrity/ima/ima.h | 5 + security/integrity/ima/ima_appraise.c | 7 +++ security/integrity/ima/ima_template_lib.c | 2 +- 3 files changed, 9 insertions(+), 5 deletions(-) diff --git a/security/integrity

[PATCH v7 07/14] integrity: Select CONFIG_KEYS instead of depending on it

2018-05-22 Thread Thiago Jung Bauermann
This avoids a dependency cycle in soon-to-be-introduced CONFIG_IMA_APPRAISE_MODSIG: it will select CONFIG_MODULE_SIG_FORMAT which in turn selects CONFIG_KEYS. Kconfig then complains that CONFIG_INTEGRITY_SIGNATURE depends on CONFIG_KEYS. Signed-off-by: Thiago Jung Bauermann <ba

[PATCH v7 06/14] integrity: Introduce asymmetric_sig_has_known_key()

2018-05-22 Thread Thiago Jung Bauermann
function. Signed-off-by: Thiago Jung Bauermann <bauer...@linux.ibm.com> Signed-off-by: Mimi Zohar <zo...@linux.vnet.ibm.com> --- security/integrity/digsig_asymmetric.c | 44 +- security/integrity/integrity.h | 8 +++ 2 files changed, 41 inser

[PATCH v7 10/14] ima: Add modsig appraise_type option for module-style appended signatures

2018-05-22 Thread Thiago Jung Bauermann
egrity/ima/ima_modsig.c new file mode 100644 index ..d8ea811b6f74 --- /dev/null +++ b/security/integrity/ima/ima_modsig.c @@ -0,0 +1,31 @@ +// SPDX-License-Identifier: GPL-2.0+ +/* + * IMA support for appraising module-style appended signatures. + * + * Copyright (C) 2018 IBM Corporatio

[PATCH v7 03/14] PKCS#7: Introduce pkcs7_get_digest()

2018-05-22 Thread Thiago Jung Bauermann
. Verifying that sinfo->sig->digest isn't NULL is sufficient because both places which allocate sinfo->sig (pkcs7_parse_message() and pkcs7_note_signed_info()) use kzalloc() so sig->digest is always initialized to zero. Signed-off-by: Thiago Jung Bauermann <bauer...@linux.ibm.com> Revie

[PATCH v7 00/14] Appended signatures support for IMA appraisal

2018-05-22 Thread Thiago Jung Bauermann
"ima: Write modsig to the measurement list" - Since now we determine whether we'll use an xattr sig or a modsig at the time they are read, there's no need to store a measurement again in the modsig case. Thus, this patch doesn't need to change ima_store_measurement() nor proces

[PATCH v7 05/14] integrity: Introduce integrity_keyring_from_id()

2018-05-22 Thread Thiago Jung Bauermann
IMA will need to obtain the keyring used to verify file signatures so that it can verify the module-style signature appended to files. Signed-off-by: Thiago Jung Bauermann <bauer...@linux.ibm.com> Signed-off-by: Mimi Zohar <zo...@linux.vnet.ibm.com> --- security/integrity/digs

[PATCH v7 04/14] integrity: Introduce struct evm_xattr

2018-05-22 Thread Thiago Jung Bauermann
ost places the array doesn't hold a digest. A separate struct evm_xattr is introduced, with the original definition of evm_ima_xattr_data to be used in the places that actually expect that definition. Signed-off-by: Thiago Jung Bauermann <bauer...@linux.ibm.com> --- security/integrity/

[PATCH v7 01/14] MODSIGN: Export module signature definitions

2018-05-22 Thread Thiago Jung Bauermann
() without having to depend on CONFIG_MODULE_SIG. Signed-off-by: Thiago Jung Bauermann <bauer...@linux.ibm.com> Reviewed-by: Mimi Zohar <zo...@linux.vnet.ibm.com> Cc: Jessica Yu <j...@kernel.org> --- include/linux/module.h | 3 -- include/linux/modul

[PATCH v7 02/14] PKCS#7: Refactor verify_pkcs7_signature() and add pkcs7_get_message_sig()

2018-05-22 Thread Thiago Jung Bauermann
message, so add pkcs7_get_message_sig(). Signed-off-by: Thiago Jung Bauermann <bauer...@linux.ibm.com> Reviewed-by: Mimi Zohar <zo...@linux.vnet.ibm.com> Cc: David Howells <dhowe...@redhat.com> Cc: David Woodhouse <dw...@infradead.org> Cc: Herbert Xu <herb...@gondor

[PATCH v7 11/14] ima: Implement support for module-style appended signatures

2018-05-22 Thread Thiago Jung Bauermann
-off-by: Thiago Jung Bauermann <bauer...@linux.ibm.com> --- security/integrity/ima/Kconfig| 3 + security/integrity/ima/ima.h | 36 - security/integrity/ima/ima_appraise.c | 64 +-- security/integrity/ima/ima_main.c | 17 +++- security/integri

[PATCH v7 12/14] ima: Add new "d-sig" template field

2018-05-22 Thread Thiago Jung Bauermann
Define new "d-sig" template field which holds the digest that is expected to match the one contained in the modsig. Suggested-by: Mimi Zohar <zo...@linux.vnet.ibm.com> Signed-off-by: Thiago Jung Bauermann <bauer...@linux.ibm.com> --- Documentation/security/IMA-templates.rst

[PATCH v7 14/14] ima: Store the measurement again when appraising a modsig

2018-05-22 Thread Thiago Jung Bauermann
with the modsig. This is done by defining the appraise subaction flag IMA_READ_MEASURE and testing for it in process_measurement(). Suggested-by: Mimi Zohar <zo...@linux.vnet.ibm.com> Signed-off-by: Thiago Jung Bauermann <bauer...@linux.ibm.com> --- security/integrity/ima/ima.h

[PATCH v7 13/14] ima: Write modsig to the measurement list

2018-05-22 Thread Thiago Jung Bauermann
Add modsig support to the "sig" template field, allowing the contents of the modsig to be included in the measurement list. Suggested-by: Mimi Zohar <zo...@linux.vnet.ibm.com> Signed-off-by: Thiago Jung Bauermann <bauer...@linux.ibm.com> --- security/integrity/ima/i

Re: [PATCH v5 18/18] ima: Write modsig to the measurement list

2017-10-26 Thread Thiago Jung Bauermann
Hello Mimi, Thanks for your review. Mimi Zohar <zo...@linux.vnet.ibm.com> writes: > On Tue, 2017-10-17 at 22:53 -0200, Thiago Jung Bauermann wrote: > >> diff --git a/security/integrity/ima/ima_main.c >> b/security/integrity/ima/ima_main.c >> index 6a2

Re: [PATCH v5 12/18] MODSIGN: Export module signature definitions

2017-10-26 Thread Thiago Jung Bauermann
Mimi Zohar <zo...@linux.vnet.ibm.com> writes: > On Tue, 2017-10-17 at 22:53 -0200, Thiago Jung Bauermann wrote: >> IMA will use the module_signature format for append signatures, so export >> the relevant definitions and factor out the code which verifies that the >>

[PATCH v6 03/12] PKCS#7: Introduce pkcs7_get_digest()

2018-03-16 Thread Thiago Jung Bauermann
. Verifying that sinfo->sig->digest isn't NULL is sufficient because both places which allocate sinfo->sig (pkcs7_parse_message() and pkcs7_note_signed_info()) use kzalloc() so sig->digest is always initialized to zero. Signed-off-by: Thiago Jung Bauermann <bauer...@linux.vnet.ibm.com>

[PATCH v6 04/12] ima: Introduce is_ima_sig()

2018-03-16 Thread Thiago Jung Bauermann
ed-off-by: Thiago Jung Bauermann <bauer...@linux.vnet.ibm.com> --- security/integrity/ima/ima.h | 5 + security/integrity/ima/ima_appraise.c | 7 +++ security/integrity/ima/ima_template_lib.c | 2 +- 3 files changed, 9 insertions(+), 5 deletions(-) diff --git a/security/i

Re: [PATCH v6 00/12] Appended signatures support for IMA appraisal

2018-03-16 Thread Thiago Jung Bauermann
Thiago Jung Bauermann <bauer...@linux.vnet.ibm.com> writes: > Now the modsig is only ignored if it references a signature that is not > present in IMA's keyring (or if there's a parsing error, obviously). If the The above should read "Now the modsig is only ignored if it

[PATCH v6 11/12] ima: Implement support for module-style appended signatures

2018-03-16 Thread Thiago Jung Bauermann
signature. Signed-off-by: Thiago Jung Bauermann <bauer...@linux.vnet.ibm.com> --- security/integrity/ima/ima.h | 11 +++- security/integrity/ima/ima_appraise.c | 53 +++ security/integrity/ima/ima_main.c | 21 +++--- 3 files chang

[PATCH v6 12/12] ima: Write modsig to the measurement list

2018-03-16 Thread Thiago Jung Bauermann
d-by: Mimi Zohar <zo...@linux.vnet.ibm.com> Signed-off-by: Thiago Jung Bauermann <bauer...@linux.vnet.ibm.com> --- Documentation/security/IMA-templates.rst | 5 security/integrity/ima/ima_template.c | 4 ++- security/integrity/ima/ima_template_lib.c | 47 +++

[PATCH v6 09/12] ima: Add modsig appraise_type option for module-style appended signatures

2018-03-16 Thread Thiago Jung Bauermann
com> Signed-off-by: Thiago Jung Bauermann <bauer...@linux.vnet.ibm.com> --- Documentation/ABI/testing/ima_policy | 6 +- security/integrity/ima/Kconfig | 10 ++ security/integrity/ima/Makefile | 1 + security/integrity/ima/ima.h | 9 + security/i

[PATCH v6 06/12] integrity: Introduce asymmetric_sig_has_known_key()

2018-03-16 Thread Thiago Jung Bauermann
function. Signed-off-by: Thiago Jung Bauermann <bauer...@linux.vnet.ibm.com> --- security/integrity/digsig_asymmetric.c | 44 +- security/integrity/integrity.h | 8 +++ 2 files changed, 41 insertions(+), 11 deletions(-) diff --git a/security/int

[PATCH v6 08/12] ima: Export func_tokens

2018-03-16 Thread Thiago Jung Bauermann
ima_read_modsig() will need it so that it can show an error message. Signed-off-by: Thiago Jung Bauermann <bauer...@linux.vnet.ibm.com> --- security/integrity/ima/ima.h| 2 ++ security/integrity/ima/ima_policy.c | 12 ++-- 2 files changed, 8 insertions(+), 6 deletions(-)

[PATCH v6 10/12] ima: Add functions to read and verify a modsig signature

2018-03-16 Thread Thiago Jung Bauermann
This is the code needed by IMA-appraise to work with modsig signatures. It will be used by the next two patches. Signed-off-by: Thiago Jung Bauermann <bauer...@linux.vnet.ibm.com> --- security/integrity/ima/Kconfig | 3 + security/integrity/ima/ima.h| 41 se

[PATCH v6 02/12] PKCS#7: Introduce pkcs7_get_message_sig() and verify_pkcs7_message_sig()

2018-03-16 Thread Thiago Jung Bauermann
that verify_pkcs7_signature() takes. Signed-off-by: Thiago Jung Bauermann <bauer...@linux.vnet.ibm.com> Cc: David Howells <dhowe...@redhat.com> Cc: David Woodhouse <dw...@infradead.org> Cc: Herbert Xu <herb...@gondor.apana.org.au> Cc: "David S. Miller" <da...@davem

[PATCH v6 00/12] Appended signatures support for IMA appraisal

2018-03-16 Thread Thiago Jung Bauermann
n fails. - Pass NULL xattr_value to evm_verifyxattr even in the case of xattr signature in ima_appraise_measurement (suggested by Mimi Zohar). - Use switch statement provided by Mimi Zohar to check result of evm_verifyxattr. - If the modsig verification succeeds, copy the hash calculated during

[PATCH v6 01/12] MODSIGN: Export module signature definitions

2018-03-16 Thread Thiago Jung Bauermann
() without having to depend on CONFIG_MODULE_SIG. Signed-off-by: Thiago Jung Bauermann <bauer...@linux.vnet.ibm.com> Reviewed-by: Mimi Zohar <zo...@linux.vnet.ibm.com> Cc: Jessica Yu <j...@kernel.org> --- include/linux/module.h | 3 -- include/linux/modul

[PATCH v6 05/12] integrity: Introduce integrity_keyring_from_id()

2018-03-16 Thread Thiago Jung Bauermann
IMA will need to obtain the keyring used to verify file signatures so that it can verify the module-style signature appended to files. Signed-off-by: Thiago Jung Bauermann <bauer...@linux.vnet.ibm.com> --- security/integrity/digsig.c| 28 +--- security/int

[PATCH v6 07/12] integrity: Select CONFIG_KEYS instead of depending on it

2018-03-16 Thread Thiago Jung Bauermann
This avoids a dependency cycle in CONFIG_IMA_APPRAISE_MODSIG (introduced by a later patch in this series): it will select CONFIG_MODULE_SIG_FORMAT which in turn selects CONFIG_KEYS. Kconfig then complains that CONFIG_INTEGRITY_SIGNATURE depends on CONFIG_KEYS. Signed-off-by: Thiago Jung Bauermann