lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 14 May 2019 10:14:15 -0700
From:   Lakshmi <nramas@...ux.microsoft.com>
To:     Linux Integrity <linux-integrity@...r.kernel.org>,
        Mimi Zohar <zohar@...ux.ibm.com>,
        David Howells <dhowells@...hat.com>,
        James Morris <jamorris@...ux.microsoft.com>,
        Linux Kernel <linux-kernel@...r.kernel.org>
Cc:     Balaji Balasubramanyan <balajib@...ux.microsoft.com>,
        Prakhar Srivastava <prsriva@...ux.microsoft.com>
Subject: [PATCH 0/2] public key: IMA signer logging: Log public key of IMA
 Signature signer in IMA log

The motive behind this patch series is to measure the public key
of the IMA signature signer in the IMA log.

The IMA signature of the file, logged using ima-sig template, contains
the key identifier of the key that was used to generate the signature.
But outside the client machine this key id is not sufficient to
uniquely determine which key the signature corresponds to.
Providing the public key of the signer in the IMA log would
allow, for example, an attestation service to securely verify
if the key used to generate the IMA signature is a valid and
trusted one, and that the key has not been revoked or expired.

An attestation service would just need to maintain a list of
valid public keys and using the data from the IMA log can attest
the system files loaded on the client machine.

To achieve the above the patch series does the following:
   - Adds a new method in asymmetric_key_subtype to query
     the public key of the given key
   - Adds a new IMA template namely "ima-sigkey" to store\read
     the public key of the IMA signature signer. This template
     extends the existing template "ima-sig"

Lakshmi (2):
   add support for querying public key from a given key
   add a new template ima-sigkey to store/read the public, key of ima
     signature signer

  .../admin-guide/kernel-parameters.txt         |  2 +-
  Documentation/crypto/asymmetric-keys.txt      |  1 +
  Documentation/security/IMA-templates.rst      |  5 +-
  crypto/asymmetric_keys/public_key.c           |  7 +++
  crypto/asymmetric_keys/signature.c            | 24 +++++++++
  include/crypto/public_key.h                   |  1 +
  include/keys/asymmetric-subtype.h             |  3 ++
  security/integrity/digsig.c                   | 54 +++++++++++++++++--
  security/integrity/digsig_asymmetric.c        | 44 +++++++++++++++
  security/integrity/ima/Kconfig                |  3 ++
  security/integrity/ima/ima_template.c         |  3 ++
  security/integrity/ima/ima_template_lib.c     | 43 +++++++++++++++
  security/integrity/ima/ima_template_lib.h     |  4 ++
  security/integrity/integrity.h                | 29 +++++++++-
  14 files changed, 216 insertions(+), 7 deletions(-)

-- 
2.17.1

Powered by blists - more mailing lists