Re: [PATCH v5 2/3] Create IMA machine owner and blacklist keyrings;

[Dmitry Kasatkin]

On Mon, Nov 16, 2015 at 3:10 PM, Mimi Zohar  wrote:
> On Mon, 2015-11-02 at 00:32 +0200, Petko Manolov wrote:
>> This option creates IMA MOK and blacklist keyrings.  IMA MOK is an
>> intermediate keyring that sits between .system and .ima keyrings,
>> effectively forming a simple CA hierarchy.  To successfully import a key
>> into .ima_mok it must be signed by a key which CA is in .system keyring.
>> On turn any key that needs to go in .ima keyring must be signed by CA in
>> either .system or .ima_mok keyrings. IMA MOK is empty at kernel boot.
>>
>> IMA blacklist keyring contains all revoked IMA keys.  It is consulted
>> before any other keyring.  If the search is successful the requested
>> operation is rejected and error is returned to the caller.
>
> Adding a key to the black list will prevent any new file integrity
> verification from succeeding.  This does not address files that have
> already been verified and the results are already in the iint cache.
>
> The iint is a red-black tree.  One method would be to walk the entire
> tree clearing the cache info.  Another method would be to include a
> timestamp in the iint and lazily clear the iint cache info when next
> accessed.  Are there any other solutions?
>
> Mimi
>

It would be possible compare verification timestamp to "blacklist"
update timestamp.
And if it was updated after, invalidate file verification


Dmitry

>
>> Signed-off-by: Petko Manolov 
>> ---
>>  crypto/asymmetric_keys/x509_public_key.c |  2 ++
>>  include/keys/system_keyring.h| 24 ++
>>  security/integrity/digsig_asymmetric.c   | 14 +
>>  security/integrity/ima/Kconfig   | 18 +++
>>  security/integrity/ima/Makefile  |  1 +
>>  security/integrity/ima/ima_mok.c | 54 
>> 
>>  6 files changed, 113 insertions(+)
>>  create mode 100644 security/integrity/ima/ima_mok.c
>>
>> diff --git a/crypto/asymmetric_keys/x509_public_key.c 
>> b/crypto/asymmetric_keys/x509_public_key.c
>> index 1970966..66dcf30 100644
>> --- a/crypto/asymmetric_keys/x509_public_key.c
>> +++ b/crypto/asymmetric_keys/x509_public_key.c
>> @@ -319,6 +319,8 @@ static int x509_key_preparse(struct 
>> key_preparsed_payload *prep)
>>   goto error_free_cert;
>>   } else if (!prep->trusted) {
>>   ret = x509_validate_trust(cert, get_system_trusted_keyring());
>> + if (ret)
>> + ret = x509_validate_trust(cert, get_ima_mok_keyring());
>>   if (!ret)
>>   prep->trusted = 1;
>>   }
>> diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
>> index b20cd88..39fd38c 100644
>> --- a/include/keys/system_keyring.h
>> +++ b/include/keys/system_keyring.h
>> @@ -35,4 +35,28 @@ extern int system_verify_data(const void *data, unsigned 
>> long len,
>> enum key_being_used_for usage);
>>  #endif
>>
>> +#ifdef CONFIG_IMA_MOK_KEYRING
>> +extern struct key *ima_mok_keyring;
>> +extern struct key *ima_blacklist_keyring;
>> +
>> +static inline struct key *get_ima_mok_keyring(void)
>> +{
>> + return ima_mok_keyring;
>> +}
>> +static inline struct key *get_ima_blacklist_keyring(void)
>> +{
>> + return ima_blacklist_keyring;
>> +}
>> +#else
>> +static inline struct key *get_ima_mok_keyring(void)
>> +{
>> + return NULL;
>> +}
>> +static inline struct key *get_ima_blacklist_keyring(void)
>> +{
>> + return NULL;
>> +}
>> +#endif /* CONFIG_IMA_MOK_KEYRING */
>> +
>> +
>>  #endif /* _KEYS_SYSTEM_KEYRING_H */
>> diff --git a/security/integrity/digsig_asymmetric.c 
>> b/security/integrity/digsig_asymmetric.c
>> index 4fec181..5ade2a7 100644
>> --- a/security/integrity/digsig_asymmetric.c
>> +++ b/security/integrity/digsig_asymmetric.c
>> @@ -17,6 +17,7 @@
>>  #include 
>>  #include 
>>  #include 
>> +#include 
>>
>>  #include "integrity.h"
>>
>> @@ -32,9 +33,22 @@ static struct key *request_asymmetric_key(struct key 
>> *keyring, uint32_t keyid)
>>
>>   pr_debug("key search: \"%s\"\n", name);
>>
>> + key = get_ima_blacklist_keyring();
>> + if (key) {
>> + key_ref_t kref;
>> +
>> + kref = keyring_search(make_key_ref(key, 1),
>> +  _type_asymmetric, name);
>> + if (!IS_ERR(kref)) {
>> + pr_err("Key '%s' is in ima_blacklist_keyring\n", name);
>> + return ERR_PTR(-EKEYREJECTED);
>> + }
>> + }
>> +
>>   if (keyring) {
>>   /* search in specific keyring */
>>   key_ref_t kref;
>> +
>>   kref = keyring_search(make_key_ref(keyring, 1),
>> _type_asymmetric, name);
>>   if (IS_ERR(kref))
>> diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
>> index 59e215f..a489340 100644
>> --- a/security/integrity/ima/Kconfig

Re: [PATCH v5 2/3] Create IMA machine owner and blacklist keyrings;

[Mimi Zohar]

On Mon, 2015-11-02 at 00:32 +0200, Petko Manolov wrote:
> This option creates IMA MOK and blacklist keyrings.  IMA MOK is an
> intermediate keyring that sits between .system and .ima keyrings,
> effectively forming a simple CA hierarchy.  To successfully import a key
> into .ima_mok it must be signed by a key which CA is in .system keyring.
> On turn any key that needs to go in .ima keyring must be signed by CA in
> either .system or .ima_mok keyrings. IMA MOK is empty at kernel boot.
> 
> IMA blacklist keyring contains all revoked IMA keys.  It is consulted
> before any other keyring.  If the search is successful the requested
> operation is rejected and error is returned to the caller.

Adding a key to the black list will prevent any new file integrity
verification from succeeding.  This does not address files that have
already been verified and the results are already in the iint cache.

The iint is a red-black tree.  One method would be to walk the entire
tree clearing the cache info.  Another method would be to include a
timestamp in the iint and lazily clear the iint cache info when next
accessed.  Are there any other solutions?

Mimi


> Signed-off-by: Petko Manolov 
> ---
>  crypto/asymmetric_keys/x509_public_key.c |  2 ++
>  include/keys/system_keyring.h| 24 ++
>  security/integrity/digsig_asymmetric.c   | 14 +
>  security/integrity/ima/Kconfig   | 18 +++
>  security/integrity/ima/Makefile  |  1 +
>  security/integrity/ima/ima_mok.c | 54 
> 
>  6 files changed, 113 insertions(+)
>  create mode 100644 security/integrity/ima/ima_mok.c
> 
> diff --git a/crypto/asymmetric_keys/x509_public_key.c 
> b/crypto/asymmetric_keys/x509_public_key.c
> index 1970966..66dcf30 100644
> --- a/crypto/asymmetric_keys/x509_public_key.c
> +++ b/crypto/asymmetric_keys/x509_public_key.c
> @@ -319,6 +319,8 @@ static int x509_key_preparse(struct key_preparsed_payload 
> *prep)
>   goto error_free_cert;
>   } else if (!prep->trusted) {
>   ret = x509_validate_trust(cert, get_system_trusted_keyring());
> + if (ret)
> + ret = x509_validate_trust(cert, get_ima_mok_keyring());
>   if (!ret)
>   prep->trusted = 1;
>   }
> diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
> index b20cd88..39fd38c 100644
> --- a/include/keys/system_keyring.h
> +++ b/include/keys/system_keyring.h
> @@ -35,4 +35,28 @@ extern int system_verify_data(const void *data, unsigned 
> long len,
> enum key_being_used_for usage);
>  #endif
> 
> +#ifdef CONFIG_IMA_MOK_KEYRING
> +extern struct key *ima_mok_keyring;
> +extern struct key *ima_blacklist_keyring;
> +
> +static inline struct key *get_ima_mok_keyring(void)
> +{
> + return ima_mok_keyring;
> +}
> +static inline struct key *get_ima_blacklist_keyring(void)
> +{
> + return ima_blacklist_keyring;
> +}
> +#else
> +static inline struct key *get_ima_mok_keyring(void)
> +{
> + return NULL;
> +}
> +static inline struct key *get_ima_blacklist_keyring(void)
> +{
> + return NULL;
> +}
> +#endif /* CONFIG_IMA_MOK_KEYRING */
> +
> +
>  #endif /* _KEYS_SYSTEM_KEYRING_H */
> diff --git a/security/integrity/digsig_asymmetric.c 
> b/security/integrity/digsig_asymmetric.c
> index 4fec181..5ade2a7 100644
> --- a/security/integrity/digsig_asymmetric.c
> +++ b/security/integrity/digsig_asymmetric.c
> @@ -17,6 +17,7 @@
>  #include 
>  #include 
>  #include 
> +#include 
> 
>  #include "integrity.h"
> 
> @@ -32,9 +33,22 @@ static struct key *request_asymmetric_key(struct key 
> *keyring, uint32_t keyid)
> 
>   pr_debug("key search: \"%s\"\n", name);
> 
> + key = get_ima_blacklist_keyring();
> + if (key) {
> + key_ref_t kref;
> +
> + kref = keyring_search(make_key_ref(key, 1),
> +  _type_asymmetric, name);
> + if (!IS_ERR(kref)) {
> + pr_err("Key '%s' is in ima_blacklist_keyring\n", name);
> + return ERR_PTR(-EKEYREJECTED);
> + }
> + }
> +
>   if (keyring) {
>   /* search in specific keyring */
>   key_ref_t kref;
> +
>   kref = keyring_search(make_key_ref(keyring, 1),
> _type_asymmetric, name);
>   if (IS_ERR(kref))
> diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
> index 59e215f..a489340 100644
> --- a/security/integrity/ima/Kconfig
> +++ b/security/integrity/ima/Kconfig
> @@ -142,6 +142,24 @@ config IMA_TRUSTED_KEYRING
>  This option requires that all keys added to the .ima
>  keyring be signed by a key on the system trusted keyring.
> 
> +config IMA_MOK_KEYRING
> + bool "Create IMA machine owner keys (MOK) and blacklist keyrings"
> + select SYSTEM_TRUSTED_KEYRING

[PATCH v5 2/3] Create IMA machine owner and blacklist keyrings;

[Petko Manolov]

This option creates IMA MOK and blacklist keyrings.  IMA MOK is an
intermediate keyring that sits between .system and .ima keyrings,
effectively forming a simple CA hierarchy.  To successfully import a key
into .ima_mok it must be signed by a key which CA is in .system keyring.
On turn any key that needs to go in .ima keyring must be signed by CA in
either .system or .ima_mok keyrings. IMA MOK is empty at kernel boot.

IMA blacklist keyring contains all revoked IMA keys.  It is consulted
before any other keyring.  If the search is successful the requested
operation is rejected and error is returned to the caller.

Signed-off-by: Petko Manolov 
---
 crypto/asymmetric_keys/x509_public_key.c |  2 ++
 include/keys/system_keyring.h| 24 ++
 security/integrity/digsig_asymmetric.c   | 14 +
 security/integrity/ima/Kconfig   | 18 +++
 security/integrity/ima/Makefile  |  1 +
 security/integrity/ima/ima_mok.c | 54 
 6 files changed, 113 insertions(+)
 create mode 100644 security/integrity/ima/ima_mok.c

diff --git a/crypto/asymmetric_keys/x509_public_key.c 
b/crypto/asymmetric_keys/x509_public_key.c
index 1970966..66dcf30 100644
--- a/crypto/asymmetric_keys/x509_public_key.c
+++ b/crypto/asymmetric_keys/x509_public_key.c
@@ -319,6 +319,8 @@ static int x509_key_preparse(struct key_preparsed_payload 
*prep)
goto error_free_cert;
} else if (!prep->trusted) {
ret = x509_validate_trust(cert, get_system_trusted_keyring());
+   if (ret)
+   ret = x509_validate_trust(cert, get_ima_mok_keyring());
if (!ret)
prep->trusted = 1;
}
diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
index b20cd88..39fd38c 100644
--- a/include/keys/system_keyring.h
+++ b/include/keys/system_keyring.h
@@ -35,4 +35,28 @@ extern int system_verify_data(const void *data, unsigned 
long len,
  enum key_being_used_for usage);
 #endif
 
+#ifdef CONFIG_IMA_MOK_KEYRING
+extern struct key *ima_mok_keyring;
+extern struct key *ima_blacklist_keyring;
+
+static inline struct key *get_ima_mok_keyring(void)
+{
+   return ima_mok_keyring;
+}
+static inline struct key *get_ima_blacklist_keyring(void)
+{
+   return ima_blacklist_keyring;
+}
+#else
+static inline struct key *get_ima_mok_keyring(void)
+{
+   return NULL;
+}
+static inline struct key *get_ima_blacklist_keyring(void)
+{
+   return NULL;
+}
+#endif /* CONFIG_IMA_MOK_KEYRING */
+
+
 #endif /* _KEYS_SYSTEM_KEYRING_H */
diff --git a/security/integrity/digsig_asymmetric.c 
b/security/integrity/digsig_asymmetric.c
index 4fec181..5ade2a7 100644
--- a/security/integrity/digsig_asymmetric.c
+++ b/security/integrity/digsig_asymmetric.c
@@ -17,6 +17,7 @@
 #include 
 #include 
 #include 
+#include 
 
 #include "integrity.h"
 
@@ -32,9 +33,22 @@ static struct key *request_asymmetric_key(struct key 
*keyring, uint32_t keyid)
 
pr_debug("key search: \"%s\"\n", name);
 
+   key = get_ima_blacklist_keyring();
+   if (key) {
+   key_ref_t kref;
+
+   kref = keyring_search(make_key_ref(key, 1),
+_type_asymmetric, name);
+   if (!IS_ERR(kref)) {
+   pr_err("Key '%s' is in ima_blacklist_keyring\n", name);
+   return ERR_PTR(-EKEYREJECTED);
+   }
+   }
+
if (keyring) {
/* search in specific keyring */
key_ref_t kref;
+
kref = keyring_search(make_key_ref(keyring, 1),
  _type_asymmetric, name);
if (IS_ERR(kref))
diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
index 59e215f..a489340 100644
--- a/security/integrity/ima/Kconfig
+++ b/security/integrity/ima/Kconfig
@@ -142,6 +142,24 @@ config IMA_TRUSTED_KEYRING
   This option requires that all keys added to the .ima
   keyring be signed by a key on the system trusted keyring.
 
+config IMA_MOK_KEYRING
+   bool "Create IMA machine owner keys (MOK) and blacklist keyrings"
+   select SYSTEM_TRUSTED_KEYRING
+   select IMA_TRUSTED_KEYRING
+   default y
+   help
+  This option creates IMA MOK and blacklist keyrings.  IMA MOK is an
+  intermediate keyring that sits between .system and .ima keyrings,
+  effectively forming a simple CA hierarchy.  To successfully import a
+  key into .ima_mok it must be signed by a key which CA is in .system
+  keyring.  On turn any key that needs to go in .ima keyring must be
+  signed by CA in either .system or .ima_mok keyrings. IMA MOK is empty
+  at kernel boot.
+
+  IMA blacklist keyring contains all revoked IMA keys.  It is consulted
+  before any other