Re: [PATCH v2.2 6/7] integrity: digital signature verification using multiple keyrings

Mimi Zohar Fri, 04 Nov 2011 04:31:18 -0700

On Wed, 2011-10-19 at 14:51 +0300, Dmitry Kasatkin wrote:
> Define separate keyrings for each of the different use cases - evm, ima,
> and modules. Using different keyrings improves search performance, and also
> allows "locking" specific keyring to prevent adding new keys.
> This is useful for evm and module keyrings, when keys are usually only
> added from initramfs.
> 
> Signed-off-by: Dmitry Kasatkin <dmitry.kasat...@intel.com>


Thanks Dmitry!  Other than the couple of trailing whitespaces, the
patches look good.  I think adding the word 'public', above, to 'adding
new keys' clarifies that the keyrings are only used for the digital
signatures.

Acked-by: Mimi Zohar <zo...@us.ibm.com>

> ---
>  security/integrity/Kconfig     |   14 +++++++++++
>  security/integrity/Makefile    |    1 +
>  security/integrity/digsig.c    |   48 
> ++++++++++++++++++++++++++++++++++++++++
>  security/integrity/integrity.h |   20 ++++++++++++++++
>  4 files changed, 83 insertions(+), 0 deletions(-)
>  create mode 100644 security/integrity/digsig.c
> 
> diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig
> index 4bf00ac..d87fa2a 100644
> --- a/security/integrity/Kconfig
> +++ b/security/integrity/Kconfig
> @@ -3,5 +3,19 @@ config INTEGRITY
>       def_bool y
>       depends on IMA || EVM
> 
> +config INTEGRITY_DIGSIG
> +     boolean "Digital signature verification using multiple keyrings"
> +     depends on INTEGRITY
> +     default n
> +     select DIGSIG
> +     help
> +       This option enables digital signature verification support
> +       using multiple keyrings. It defines separate keyrings for each
> +       of the different use cases - evm, ima, and modules.
> +       Different keyrings improves search performance, but also allow
> +       to "lock" certain keyring to prevent adding new keys.
> +       This is useful for evm and module keyrings, when keys are
> +       usually only added from initramfs.
> +
>  source security/integrity/ima/Kconfig
>  source security/integrity/evm/Kconfig
> diff --git a/security/integrity/Makefile b/security/integrity/Makefile
> index 0ae44ae..bece056 100644
> --- a/security/integrity/Makefile
> +++ b/security/integrity/Makefile
> @@ -3,6 +3,7 @@
>  #
> 
>  obj-$(CONFIG_INTEGRITY) += integrity.o
> +obj-$(CONFIG_INTEGRITY_DIGSIG) += digsig.o
> 
>  integrity-y := iint.o
> 
> diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
> new file mode 100644
> index 0000000..b5d1e01
> --- /dev/null
> +++ b/security/integrity/digsig.c
> @@ -0,0 +1,48 @@
> +/*
> + * Copyright (C) 2011 Intel Corporation
> + *
> + * Author:
> + * Dmitry Kasatkin <dmitry.kasat...@intel.com>
> + *
> + * This program is free software; you can redistribute it and/or modify
> + * it under the terms of the GNU General Public License as published by
> + * the Free Software Foundation, version 2 of the License.
> + *
> + */
> +
> +#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
> +
> +#include <linux/err.h>
> +#include <linux/rbtree.h>
> +#include <linux/key-type.h>
> +#include <linux/digsig.h>
> +
> +#include "integrity.h"
> +
> +static struct key *keyring[INTEGRITY_KEYRING_MAX];
> +
> +static const char *keyring_name[INTEGRITY_KEYRING_MAX] = {
> +     "_evm",
> +     "_module",
> +     "_ima",
> +};
> +
> +int integrity_digsig_verify(const unsigned int id, const char *sig, int 
> siglen,
> +                                     const char *digest, int digestlen)
> +{
> +     if (id >= INTEGRITY_KEYRING_MAX)
> +             return -EINVAL;
> +
> +     if (!keyring[id]) {
> +             keyring[id] =
> +                     request_key(&key_type_keyring, keyring_name[id], NULL);
> +             if (IS_ERR(keyring[id])) {
> +                     pr_err("no %s keyring: %ld\n", keyring_name[id],
> +                                                     PTR_ERR(keyring[id]));
> +                     keyring[id] = NULL;
> +                     return PTR_ERR(keyring[id]);
> +             }
> +     }
> +
> +     return digsig_verify(keyring[id], sig, siglen, digest, digestlen);
> +}
> diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
> index e898094..9fc723b 100644
> --- a/security/integrity/integrity.h
> +++ b/security/integrity/integrity.h
> @@ -51,5 +51,25 @@ struct integrity_iint_cache {
>  struct integrity_iint_cache *integrity_iint_insert(struct inode *inode);
>  struct integrity_iint_cache *integrity_iint_find(struct inode *inode);
> 
> +#define INTEGRITY_KEYRING_EVM                0
> +#define INTEGRITY_KEYRING_MODULE     1
> +#define INTEGRITY_KEYRING_IMA                2
> +#define INTEGRITY_KEYRING_MAX                3
> +
> +#ifdef CONFIG_INTEGRITY_DIGSIG
> +
> +int integrity_digsig_verify(const unsigned int id, const char *sig, int 
> siglen,
> +                                     const char *digest, int digestlen);
> +
> +#else
> +
> +static inline int integrity_digsig_verify(const unsigned int id, const char 
> *sig, int siglen,
> +                                     const char *digest, int digestlen)
> +{
> +     return -EOPNOTSUPP;
> +}
> +
> +#endif /* CONFIG_INTEGRITY_DIGSIG */
> +
>  /* set during initialization */
>  extern int iint_initialized;


--
To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH v2.2 6/7] integrity: digital signature verification using multiple keyrings

Reply via email to