[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <20200828160021.11537-1-nramas@linux.microsoft.com>
Date: Fri, 28 Aug 2020 09:00:18 -0700
From: Lakshmi Ramasubramanian <nramas@...ux.microsoft.com>
To: zohar@...ux.ibm.com, stephen.smalley.work@...il.com,
casey@...aufler-ca.com
Cc: tyhicks@...ux.microsoft.com, tusharsu@...ux.microsoft.com,
sashal@...nel.org, jmorris@...ei.org,
linux-integrity@...r.kernel.org, selinux@...r.kernel.org,
linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: [PATCH v2 0/3] IMA: Generalize early boot data measurement
The current implementation of early boot measurement in the IMA
subsystem is very specific to asymmetric keys. It does not handle
early boot measurement of data from other subsystems such as
Linux Security Module (LSM), Device-Mapper, etc. As a result, data
provided by these subsystems during system boot are not measured by IMA.
This patch series makes the early boot key measurement functions generic
such that they can be used to measure any early boot data. The functions
in ima_queue_keys.c are refactored to a new file ima_queue_data.c.
The kernel configuration CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS is renamed to
CONFIG_IMA_QUEUE_EARLY_BOOT_DATA so it can be used for enabling any
early boot data measurement. Since measurement of asymmetric keys is
the first consumer of early boot measurement, this kernel configuration
is enabled if IMA_MEASURE_ASYMMETRIC_KEYS and SYSTEM_TRUSTED_KEYRING are
both enabled.
The IMA hook to measure kernel critical data ima_measure_critical_data()
is updated to utilize early boot measurement support.
This series is based on the following repo/branch:
repo: https://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git
branch: next-integrity
commit d012a7190fc1 ("Linux 5.9-rc2")
This patch is dependent on the following patch series:
https://patchwork.kernel.org/patch/11709527/
https://patchwork.kernel.org/patch/11742047/
Change Log:
v2:
=> Split the patches to first rename the file and functions,
and then introduce new arguments, followed by adding queuing
support in ima_measure_critical_data().
Lakshmi Ramasubramanian (3):
IMA: Generalize early boot measurement of asymmetric keys
IMA: Support measurement of generic data during early boot
IMA: Support early boot measurement of critical data
security/integrity/ima/Kconfig | 2 +-
security/integrity/ima/Makefile | 2 +-
security/integrity/ima/ima.h | 39 ++--
security/integrity/ima/ima_asymmetric_keys.c | 7 +-
security/integrity/ima/ima_init.c | 2 +-
security/integrity/ima/ima_main.c | 10 +
security/integrity/ima/ima_policy.c | 2 +-
security/integrity/ima/ima_queue_data.c | 191 +++++++++++++++++++
security/integrity/ima/ima_queue_keys.c | 175 -----------------
9 files changed, 232 insertions(+), 198 deletions(-)
create mode 100644 security/integrity/ima/ima_queue_data.c
delete mode 100644 security/integrity/ima/ima_queue_keys.c
--
2.28.0
Powered by blists - more mailing lists