Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

Merge tag 'integrity-v5.13' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity

Pull IMA updates from Mimi Zohar:
"In addition to loading the kernel module signing key onto the builtin
keyring, load it onto the IMA keyring as well.

Also six trivial changes and bug fixes"

* tag 'integrity-v5.13' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity:
ima: ensure IMA_APPRAISE_MODSIG has necessary dependencies
ima: Fix fall-through warnings for Clang
integrity: Add declarations to init_once void arguments.
ima: Fix function name error in comment.
ima: enable loading of build time generated key on .ima keyring
ima: enable signing of modules with build time generated key
keys: cleanup build time module signing keys
ima: Fix the error code for restoring the PCR value
ima: without an IMA policy loaded, return quickly

+75 -14
+3 -3
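--- a/Makefile
+++ b/Makefile
@@ -1507,9 +1507,9 @@
 debian snap tar-install \
 .config .config.old .version \
 Module.symvers \
-signing_key.pem signing_key.priv signing_key.x509 \
-x509.genkey extra_certificates signing_key.x509.keyid \
-signing_key.x509.signer vmlinux-gdb.py \
+certs/signing_key.pem certs/signing_key.x509 \
+certs/x509.genkey \
+vmlinux-gdb.py \
 *.spec
 
 # Directories & files removed with 'make distclean'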
+1 -1
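--- a/certs/Kconfig
+++ b/certs/Kconfig
@@ -4,7 +4,7 @@
 config MODULE_SIG_KEY
 string "File name or PKCS#11 URI of module signing key"
 default "certs/signing_key.pem"
-depends on MODULE_SIG
+depends on MODULE_SIG || (IMA_APPRAISE_MODSIG && MODULES)
 help
 Provide the file name of a private key/certificate in PEM format,
 or a PKCS#11 URI according to RFC7512. The file should contain, or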
+10
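--- a/certs/Makefile
+++ b/certs/Makefile
@@ -33,6 +33,16 @@
 clean-files := x509_certificate_list .x509.list x509_revocation_list
 
 ifeq ($(CONFIG_MODULE_SIG),y)
+SIGN_KEY = y
+endif
+
+ifeq ($(CONFIG_IMA_APPRAISE_MODSIG),y)
+ifeq ($(CONFIG_MODULES),y)
+SIGN_KEY = y
+endif
+endif
+
+ifdef SIGN_KEY
 ###############################################################################
 #
 # If module signing is requested, say by allyesconfig, but a key has not been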
+13 -1
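--- a/certs/system_certificates.S
+++ b/certs/system_certificates.S
@@ -8,9 +8,12 @@
 .globl system_certificate_list
 system_certificate_list:
 __cert_list_start:
-#ifdef CONFIG_MODULE_SIG
+__module_cert_start:
+#if defined(CONFIG_MODULE_SIG) || (defined(CONFIG_IMA_APPRAISE_MODSIG) \
+&& defined(CONFIG_MODULES))
 .incbin "certs/signing_key.x509"
 #endif
+__module_cert_end:
 .incbin "certs/x509_certificate_list"
 __cert_list_end:
 
@@ -34,4 +37,13 @@
 .quad __cert_list_end - __cert_list_start
 #else
 .long __cert_list_end - __cert_list_start
+#endif
+
+.align 8
+.globl module_cert_size
+module_cert_size:
+#ifdef CONFIG_64BIT
+.quad __module_cert_end - __module_cert_start
+#else
+.long __module_cert_end - __module_cert_start
 #endif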
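Review bot: The new `__module_cert_start` label sits directly on `__cert_list_start`, and nothing says that the signing certificate has to stay the first entry of the list. certs/system_keyring.c relies on exactly that: load_module_cert() passes `system_certificate_list` together with `module_cert_size`, and the `#else` branch of load_system_certificate_list() skips `module_cert_size` bytes from the start. I would add a comment above the label, for example `/* signing_key.x509 must remain first: system_keyring.c treats the first module_cert_size bytes of the list as the module cert */`, so that a later reordering of the `.incbin` lines does not silently hand the wrong bytes to either keyring.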
+23 -2
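--- a/certs/system_keyring.c
+++ b/certs/system_keyring.c
@@ -28,6 +28,7 @@
 
 extern __initconst const u8 system_certificate_list[];
 extern __initconst const unsigned long system_certificate_list_size;
+extern __initconst const unsigned long module_cert_size;
 
 /**
 * restrict_link_to_builtin_trusted - Restrict keyring addition by built in CA
@@ -133,15 +134,35 @@
 */
 device_initcall(system_trusted_keyring_init);
 
+__init int load_module_cert(struct key *keyring)
+{
+if (!IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG))
+return 0;
+
+pr_notice("Loading compiled-in module X.509 certificates\n");
+
+return load_certificate_list(system_certificate_list, module_cert_size, keyring);
+}
+
 /*
 * Load the compiled-in list of X.509 certificates.
 */
 static __init int load_system_certificate_list(void)
 {
+const u8 *p;
+unsigned long size;
+
 pr_notice("Loading compiled-in X.509 certificates\n");
 
-return load_certificate_list(system_certificate_list, system_certificate_list_size,
-builtin_trusted_keys);
+#ifdef CONFIG_MODULE_SIG
+p = system_certificate_list;
+size = system_certificate_list_size;
+#else
+p = system_certificate_list + module_cert_size;
+size = system_certificate_list_size - module_cert_size;
+#endif
+
+return load_certificate_list(p, size, builtin_trusted_keys);
 }
 late_initcall(load_system_certificate_list);
 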
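Review bot: load_module_cert() is a non-static entry point called from security/integrity/digsig.c, yet it has no header comment, while the neighbouring restrict_link_to_builtin_trusted() carries kernel-doc. The comment matters here because the function makes the build-time module signing certificate a trust anchor on whatever keyring the caller passes, and it returns 0 without loading anything when CONFIG_IMA_APPRAISE_MODSIG is off. I would add a kernel-doc block that names @keyring, states those two facts, and notes that the return value is whatever load_certificate_list() yields. As a smaller style point, the new function uses `IS_ENABLED()` while load_system_certificate_list() below it uses `#ifdef CONFIG_MODULE_SIG`; one form in both would read better.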
+7
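--- a/include/keys/system_keyring.h
+++ b/include/keys/system_keyring.h
@@ -16,9 +16,16 @@
 const struct key_type *type,
 const union key_payload *payload,
 struct key *restriction_key);
+extern __init int load_module_cert(struct key *keyring);
 
 #else
 #define restrict_link_by_builtin_trusted restrict_link_reject
+
+static inline __init int load_module_cert(struct key *keyring)
+{
+return 0;
+}
+
 #endif
 
 #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING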
+3 -3
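--- a/init/Kconfig
+++ b/init/Kconfig
@@ -2182,7 +2182,7 @@
 config MODULE_SIG_ALL
 bool "Automatically sign all modules"
 default y
-depends on MODULE_SIG
+depends on MODULE_SIG || IMA_APPRAISE_MODSIG
 help
 Sign all modules during make modules_install. Without this option,
 modules must be signed manually, using the scripts/sign-file tool.
@@ -2192,7 +2192,7 @@
 
 choice
 prompt "Which hash algorithm should modules be signed with?"
-depends on MODULE_SIG
+depends on MODULE_SIG || IMA_APPRAISE_MODSIG
 help
 This determines which sort of hashing algorithm will be used during
 signature generation. This algorithm _must_ be built into the kernel
@@ -2224,7 +2224,7 @@
 
 config MODULE_SIG_HASH
 string
-depends on MODULE_SIG
+depends on MODULE_SIG || IMA_APPRAISE_MODSIG
 default "sha1" if MODULE_SIG_SHA1
 default "sha224" if MODULE_SIG_SHA224
 default "sha256" if MODULE_SIG_SHA256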
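Review bot: The three `depends on MODULE_SIG || IMA_APPRAISE_MODSIG` lines drop the `&& MODULES` term that the same commit uses in certs/Kconfig (`MODULE_SIG || (IMA_APPRAISE_MODSIG && MODULES)`) and mirrors in certs/Makefile and certs/system_certificates.S. If these entries are not already inside an `if MODULES` block, which the hunks do not show, MODULE_SIG_ALL and the hash choice become selectable in a build that has no modules to sign. Either spell the condition the same way in all places, or add a short comment here saying that the enclosing block supplies the MODULES dependency.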
+2
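--- a/security/integrity/digsig.c
+++ b/security/integrity/digsig.c
@@ -111,6 +111,8 @@
 } else {
 if (id == INTEGRITY_KEYRING_PLATFORM)
 set_platform_trusted_keys(keyring[id]);
+if (id == INTEGRITY_KEYRING_IMA)
+load_module_cert(keyring[id]);
 }
 
 return err;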
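Review bot: The result of `load_module_cert(keyring[id])` is dropped, although the function is declared to return int. If the load can fail, the .ima keyring is left without the module signing key, and the only symptom would be later appraisal failures for modules carrying an appended signature; whether load_certificate_list() ever returns non-zero is not visible here. I would either log it, e.g. `if (load_module_cert(keyring[id])) pr_warn("failed to load module signing cert onto .ima\n");`, or make the helper return void so that the ignored value is not misleading. The enclosing function starts above the hunk.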
+1 -1
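--- a/security/integrity/iint.c
+++ b/security/integrity/iint.c
@@ -160,7 +160,7 @@
 
 static void init_once(void *foo)
 {
-struct integrity_iint_cache *iint = foo;
+struct integrity_iint_cache *iint = (struct integrity_iint_cache *) foo;
 
 memset(iint, 0, sizeof(*iint));
 iint->ima_file_status = INTEGRITY_UNKNOWN;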
+8 -1
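--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -482,7 +482,7 @@
 }
 
 /**
-* ima_path_check - based on policy, collect/store measurement.
+* ima_file_check - based on policy, collect/store measurement.
 * @file: pointer to the file to be measured
 * @mask: contains MAY_READ, MAY_WRITE, MAY_EXEC or MAY_APPEND
 *
@@ -606,6 +606,9 @@
 struct integrity_iint_cache *iint;
 int must_appraise;
 
+if (!ima_policy_flag || !S_ISREG(inode->i_mode))
+return;
+
 must_appraise = ima_must_appraise(mnt_userns, inode, MAY_ACCESS,
 FILE_CHECK);
 if (!must_appraise)
@@ -635,6 +638,9 @@
 struct integrity_iint_cache *iint;
 struct inode *inode = dentry->d_inode;
 int must_appraise;
+
+if (!ima_policy_flag || !S_ISREG(inode->i_mode))
+return;
 
 must_appraise = ima_must_appraise(mnt_userns, inode, MAY_ACCESS,
 FILE_CHECK);
@@ -780,6 +786,7 @@
 pr_err("impossible to appraise a module without a file descriptor. sig_enforce kernel parameter might help\n");
 return -EACCES; /* INTEGRITY_UNKNOWN */
 }
+break;
 default:
 break;
 }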
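Review bot: Both added early returns `if (!ima_policy_flag || !S_ISREG(inode->i_mode)) return;`, in the second and third hunks, skip the hook when no policy flag is set or the inode is not a regular file, but neither says why that is safe. A one-line comment above each guard, such as `/* no policy loaded or not a regular file: nothing for IMA to appraise here */`, would keep a reader from wondering whether newly created files are being left unmarked. Both function signatures lie outside the hunks, so it is worth confirming that `inode` (taken from `dentry->d_inode` in the third hunk) cannot be NULL where `inode->i_mode` is now read.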
+2
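--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -599,6 +599,7 @@
 rc = ima_filter_rule_match(secid, rule->lsm[i].type,
 Audit_equal,
 rule->lsm[i].rule);
+break;
 default:
 break;
 }
@@ -836,6 +837,7 @@
 add_rules(default_measurement_rules,
 ARRAY_SIZE(default_measurement_rules),
 IMA_DEFAULT_POLICY);
+break;
 default:
 break;
 }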
+2 -2
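--- a/security/integrity/ima/ima_template.c
+++ b/security/integrity/ima/ima_template.c
@@ -494,8 +494,8 @@
 }
 }
 
-entry->pcr = !ima_canonical_fmt ? *(hdr[HDR_PCR].data) :
-le32_to_cpu(*(hdr[HDR_PCR].data));
+entry->pcr = !ima_canonical_fmt ? *(u32 *)(hdr[HDR_PCR].data) :
+le32_to_cpu(*(u32 *)(hdr[HDR_PCR].data));
 ret = ima_restore_measurement_entry(entry);
 if (ret < 0)
 break;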
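Review bot: The new `*(u32 *)(hdr[HDR_PCR].data)` reads four bytes through a cast pointer, which assumes the PCR field is at least four bytes long and suitably aligned inside the buffer being restored; neither is established in this hunk. If the length is checked earlier in the function, outside the lines shown, a comment saying so would help. For alignment, the canonical branch could use `get_unaligned_le32(hdr[HDR_PCR].data)` and the native branch `get_unaligned((u32 *)hdr[HDR_PCR].data)`. The call to ima_restore_measurement_entry() suggests the entry is parsed from a serialized measurement list rather than built in place, so the field layout should be treated as input to validate.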