lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-Id: <20220208014140.483447-6-zohar@linux.ibm.com> Date: Mon, 7 Feb 2022 20:41:37 -0500 From: Mimi Zohar <zohar@...ux.ibm.com> To: linux-integrity@...r.kernel.org Cc: Mimi Zohar <zohar@...ux.ibm.com>, Eric Biggers <ebiggers@...nel.org>, Stefan Berger <stefanb@...ux.ibm.com>, linux-fscrypt@...r.kernel.org, linux-kernel@...r.kernel.org Subject: [PATCH v4 5/8] ima: permit fsverity's file digests in the IMA measurement list Permit fsverity's file digest (a hash of struct fsverity_digest) to be included in the 'd-ng' field of the IMA measurement list, based on the new measurement policy rule 'digest_type=verity' option. To differentiate between an unsigned regular IMA file hash and an unsigned fsverity's file digest stored in the 'd-ng' field of the measurement list, it is recommended to include the 'd-type' template field. The following policy rule requires fsverity file digests and specifies the new 'ima-ngv2' template, which contains the new 'd-type' field. The policy rule may be constrained, for example based on a fsuuid or LSM label. measure func=FILE_CHECK digest_type=verity template=ima-ngv2 Signed-off-by: Mimi Zohar <zohar@...ux.ibm.com> --- Documentation/ABI/testing/ima_policy | 10 ++++++ Documentation/security/IMA-templates.rst | 7 ++++ security/integrity/ima/ima_api.c | 39 +++++++++++++++++++++-- security/integrity/ima/ima_policy.c | 38 +++++++++++++++++++++- security/integrity/ima/ima_template_lib.c | 9 +++++- security/integrity/integrity.h | 4 ++- 6 files changed, 102 insertions(+), 5 deletions(-) diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy index 839fab811b18..ff3c906738cb 100644 --- a/Documentation/ABI/testing/ima_policy +++ b/Documentation/ABI/testing/ima_policy @@ -51,6 +51,9 @@ Description: appraise_flag:= [check_blacklist] Currently, blacklist check is only for files signed with appended signature. + digest_type:= verity + Require fs-verity's file digest instead of the + regular IMA file hash. keyrings:= list of keyrings (eg, .builtin_trusted_keys|.ima). Only valid when action is "measure" and func is KEY_CHECK. @@ -149,3 +152,10 @@ Description: security.ima xattr of a file: appraise func=SETXATTR_CHECK appraise_algos=sha256,sha384,sha512 + + Example of 'measure' rule requiring fs-verity's digests on a + particular filesystem with indication of type of digest in + the measurement list. + + measure func=FILE_CHECK digest_type=verity \ + fsuuid=... template=ima-ngv2 diff --git a/Documentation/security/IMA-templates.rst b/Documentation/security/IMA-templates.rst index 1a91d92950a7..1e3fe986764e 100644 --- a/Documentation/security/IMA-templates.rst +++ b/Documentation/security/IMA-templates.rst @@ -69,6 +69,8 @@ descriptors by adding their identifier to the format string algorithm (field format: [<hash algo>:]digest, where the digest prefix is shown only if the hash algorithm is not SHA1 or MD5); - 'd-modsig': the digest of the event without the appended modsig; + - 'd-type': differentiate between fs-verity's Merkle tree based file hash + from a regular IMA file hash measurement. - 'n-ng': the name of the event, without size limitations; - 'sig': the file signature, or the EVM portable signature if the file signature is not found; @@ -106,3 +108,8 @@ currently the following methods are supported: the ``ima_template=`` parameter; - register a new template descriptor with custom format through the kernel command line parameter ``ima_template_fmt=``. + + +References +========== +[1] Documentation/filesystems/fsverity.rst diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c index 45294f18dabc..c359c4d50a1e 100644 --- a/security/integrity/ima/ima_api.c +++ b/security/integrity/ima/ima_api.c @@ -14,6 +14,7 @@ #include <linux/xattr.h> #include <linux/evm.h> #include <linux/iversion.h> +#include <linux/fsverity.h> #include "ima.h" @@ -200,6 +201,23 @@ int ima_get_action(struct user_namespace *mnt_userns, struct inode *inode, allowed_algos); } +static int ima_get_verity_digest(struct integrity_iint_cache *iint, + struct ima_max_digest_data *hash) +{ + u8 verity_digest[FS_VERITY_MAX_DIGEST_SIZE]; + enum hash_algo verity_alg; + int ret; + + ret = fsverity_get_digest(iint->inode, verity_digest, &verity_alg); + if (ret) + return ret; + if (hash->algo != verity_alg) + return -EINVAL; + hash->length = hash_digest_size[verity_alg]; + memcpy(hash->digest, verity_digest, hash->length); + return 0; +} + /* * ima_collect_measurement - collect file measurement * @@ -246,12 +264,29 @@ int ima_collect_measurement(struct integrity_iint_cache *iint, /* Initialize hash digest to 0's in case of failure */ memset(&hash.digest, 0, sizeof(hash.digest)); - if (buf) + if (buf) { result = ima_calc_buffer_hash(buf, size, (struct ima_digest_data *)&hash); - else + } else if (iint->flags & IMA_VERITY_REQUIRED) { + result = ima_get_verity_digest(iint, &hash); + switch (result) { + case 0: + iint->flags |= IMA_VERITY_DIGEST; + break; + case -ENODATA: + audit_cause = "no-verity-digest"; + hash.length = hash_digest_size[algo]; + result = -EINVAL; + break; + case -EINVAL: + default: + audit_cause = "invalid-verity-digest"; + break; + } + } else { result = ima_calc_file_hash(file, (struct ima_digest_data *)&hash); + } if (result && result != -EBADF && result != -EINVAL) goto out; diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index a0f3775cbd82..28aca1f9633b 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -1024,6 +1024,7 @@ enum policy_opt { Opt_fowner_gt, Opt_fgroup_gt, Opt_uid_lt, Opt_euid_lt, Opt_gid_lt, Opt_egid_lt, Opt_fowner_lt, Opt_fgroup_lt, + Opt_digest_type, Opt_appraise_type, Opt_appraise_flag, Opt_appraise_algos, Opt_permit_directio, Opt_pcr, Opt_template, Opt_keyrings, Opt_label, Opt_err @@ -1066,6 +1067,7 @@ static const match_table_t policy_tokens = { {Opt_egid_lt, "egid<%s"}, {Opt_fowner_lt, "fowner<%s"}, {Opt_fgroup_lt, "fgroup<%s"}, + {Opt_digest_type, "digest_type=%s"}, {Opt_appraise_type, "appraise_type=%s"}, {Opt_appraise_flag, "appraise_flag=%s"}, {Opt_appraise_algos, "appraise_algos=%s"}, @@ -1173,6 +1175,21 @@ static void check_template_modsig(const struct ima_template_desc *template) #undef MSG } +/* + * Make sure the policy rule and template format are in sync. + */ +static void check_template_field(const struct ima_template_desc *template, + const char *field, const char *msg) +{ + int i; + + for (i = 0; i < template->num_fields; i++) + if (!strcmp(template->fields[i]->field_id, field)) + return; + + pr_notice_once("%s", msg); +} + static bool ima_validate_rule(struct ima_rule_entry *entry) { /* Ensure that the action is set and is compatible with the flags */ @@ -1215,7 +1232,8 @@ static bool ima_validate_rule(struct ima_rule_entry *entry) IMA_INMASK | IMA_EUID | IMA_PCR | IMA_FSNAME | IMA_GID | IMA_EGID | IMA_FGROUP | IMA_DIGSIG_REQUIRED | - IMA_PERMIT_DIRECTIO | IMA_VALIDATE_ALGOS)) + IMA_PERMIT_DIRECTIO | IMA_VALIDATE_ALGOS | + IMA_VERITY_REQUIRED)) return false; break; @@ -1708,6 +1726,13 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) LSM_SUBJ_TYPE, AUDIT_SUBJ_TYPE); break; + case Opt_digest_type: + ima_log_string(ab, "digest_type", args[0].from); + if ((strcmp(args[0].from, "verity")) == 0) + entry->flags |= IMA_VERITY_REQUIRED; + else + result = -EINVAL; + break; case Opt_appraise_type: ima_log_string(ab, "appraise_type", args[0].from); if ((strcmp(args[0].from, "imasig")) == 0) @@ -1798,6 +1823,15 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) check_template_modsig(template_desc); } + /* d-type template field recommended for unsigned fs-verity digests */ + if (!result && entry->action == MEASURE && + entry->flags & IMA_VERITY_REQUIRED) { + template_desc = entry->template ? entry->template : + ima_template_desc_current(); + check_template_field(template_desc, "d-type", + "verity rules should include d-type"); + } + audit_log_format(ab, "res=%d", !result); audit_log_end(ab); return result; @@ -2155,6 +2189,8 @@ int ima_policy_show(struct seq_file *m, void *v) else seq_puts(m, "appraise_type=imasig "); } + if (entry->flags & IMA_VERITY_REQUIRED) + seq_puts(m, "digest_type=verity "); if (entry->flags & IMA_CHECK_BLACKLIST) seq_puts(m, "appraise_flag=check_blacklist "); if (entry->flags & IMA_PERMIT_DIRECTIO) diff --git a/security/integrity/ima/ima_template_lib.c b/security/integrity/ima/ima_template_lib.c index 48c2fcbefacf..31573b4c7763 100644 --- a/security/integrity/ima/ima_template_lib.c +++ b/security/integrity/ima/ima_template_lib.c @@ -392,7 +392,14 @@ int ima_eventdigest_ng_init(struct ima_event_data *event_data, int ima_eventdigest_type_init(struct ima_event_data *event_data, struct ima_field_data *field_data) { - static const char * const digest_type[] = {"ima"}; + static const char * const digest_type[] = {"ima", "verity"}; + + if (event_data->iint->flags & IMA_VERITY_DIGEST) { + return ima_write_template_field_data(digest_type[1], + strlen(digest_type[1]), + DATA_FMT_STRING, + field_data); + } return ima_write_template_field_data(digest_type[0], strlen(digest_type[0]), diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h index ee2e6b7c7575..cbc41d4288ed 100644 --- a/security/integrity/integrity.h +++ b/security/integrity/integrity.h @@ -32,7 +32,7 @@ #define IMA_HASHED 0x00000200 /* iint policy rule cache flags */ -#define IMA_NONACTION_FLAGS 0xff000000 +#define IMA_NONACTION_FLAGS 0xff800000 #define IMA_DIGSIG_REQUIRED 0x01000000 #define IMA_PERMIT_DIRECTIO 0x02000000 #define IMA_NEW_FILE 0x04000000 @@ -40,6 +40,8 @@ #define IMA_FAIL_UNVERIFIABLE_SIGS 0x10000000 #define IMA_MODSIG_ALLOWED 0x20000000 #define IMA_CHECK_BLACKLIST 0x40000000 +#define IMA_VERITY_REQUIRED 0x80000000 +#define IMA_VERITY_DIGEST 0x00800000 #define IMA_DO_MASK (IMA_MEASURE | IMA_APPRAISE | IMA_AUDIT | \ IMA_HASH | IMA_APPRAISE_SUBMASK) -- 2.27.0
Powered by blists - more mailing lists