lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <4d570e4339eda826f204722403794d2761469285.1445539084.git.dmitry.kasatkin@huawei.com>
Date:	Thu, 22 Oct 2015 21:49:26 +0300
From:	Dmitry Kasatkin <dmitry.kasatkin@...il.com>
To:	zohar@...ux.vnet.ibm.com, linux-ima-devel@...ts.sourceforge.net,
	linux-security-module@...r.kernel.org
Cc:	linux-kernel@...r.kernel.org,
	Dmitry Kasatkin <dmitry.kasatkin@...wei.com>
Subject: [PATCHv3 2/6] evm: load x509 certificate from the kernel

This patch defines configuration option and the evm_load_x509() hook
to load X509 certificate into the EVM trusted kernel keyring.

Changes in v4:
* Patch description updated

Changes in v3:
* Removed EVM_X509_PATH definition. CONFIG_EVM_X509_PATH is used
  directly.

Changes in v2:
* default key patch changed to /etc/keys

Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@...wei.com>
---
 security/integrity/evm/Kconfig    | 17 +++++++++++++++++
 security/integrity/evm/evm_main.c |  7 +++++++
 security/integrity/iint.c         |  1 +
 security/integrity/integrity.h    |  8 ++++++++
 4 files changed, 33 insertions(+)

diff --git a/security/integrity/evm/Kconfig b/security/integrity/evm/Kconfig
index bf19723..b1433e9 100644
--- a/security/integrity/evm/Kconfig
+++ b/security/integrity/evm/Kconfig
@@ -42,3 +42,20 @@ config EVM_EXTRA_SMACK_XATTRS
 	  additional info to the calculation, requires existing EVM
 	  labeled file systems to be relabeled.
 
+config EVM_LOAD_X509
+	bool "Load X509 certificate to the '.evm' trusted keyring"
+	depends on INTEGRITY_TRUSTED_KEYRING
+	default n
+	help
+	   Load X509 certificate to the '.evm' trusted keyring.
+
+	   This option enables X509 certificate loading from the kernel
+	   to the '.evm' trusted keyring. Public key can be used to
+	   verify EVM integrity starting from 'init' process.
+
+config EVM_X509_PATH
+	string "EVM X509 certificate path"
+	depends on EVM_LOAD_X509
+	default "/etc/keys/x509_evm.der"
+	help
+	   This option defines X509 certificate path.
diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
index 75b7e30..519de0a 100644
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -472,6 +472,13 @@ out:
 }
 EXPORT_SYMBOL_GPL(evm_inode_init_security);
 
+#ifdef CONFIG_EVM_LOAD_X509
+void __init evm_load_x509(void)
+{
+	integrity_load_x509(INTEGRITY_KEYRING_EVM, CONFIG_EVM_X509_PATH);
+}
+#endif
+
 static int __init init_evm(void)
 {
 	int error;
diff --git a/security/integrity/iint.c b/security/integrity/iint.c
index 3d2f5b4..2de9c82 100644
--- a/security/integrity/iint.c
+++ b/security/integrity/iint.c
@@ -254,4 +254,5 @@ out:
 void __init integrity_load_keys(void)
 {
 	ima_load_x509();
+	evm_load_x509();
 }
diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
index 07726a7..5efe2ec 100644
--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -170,6 +170,14 @@ static inline void ima_load_x509(void)
 }
 #endif
 
+#ifdef CONFIG_EVM_LOAD_X509
+void __init evm_load_x509(void);
+#else
+static inline void evm_load_x509(void)
+{
+}
+#endif
+
 #ifdef CONFIG_INTEGRITY_AUDIT
 /* declarations */
 void integrity_audit_msg(int audit_msgno, struct inode *inode,
-- 
2.1.4

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ