• Lakshmi Ramasubramanian's avatar
    IMA: Read keyrings= option from the IMA policy · 2b60c0ec
    Lakshmi Ramasubramanian authored
    Read "keyrings=" option, if specified in the IMA policy, and store in
    the list of IMA rules when the configured IMA policy is read.
    
    This patch defines a new policy token enum namely Opt_keyrings
    and an option flag IMA_KEYRINGS for reading "keyrings=" option
    from the IMA policy.
    
    Updated ima_parse_rule() to parse "keyrings=" option in the policy.
    Updated ima_policy_show() to display "keyrings=" option.
    
    The following example illustrates how key measurement can be verified.
    
    Sample "key" measurement rule in the IMA policy:
    
    measure func=KEY_CHECK uid=0 keyrings=.ima|.evm template=ima-buf
    
    Display "key" measurement in the IMA measurement list:
    
    cat /sys/kernel/security/ima/ascii_runtime_measurements
    
    10 faf3...e702 ima-buf sha256:27c915b8ddb9fae7214cf0a8a7043cc3eeeaa7539bcb136f8427067b5f6c3b7b .ima 308202863082...4aee
    
    Verify "key" measurement data for a key added to ".ima" keyring:
    
    cat /sys/kernel/security/integrity/ima/ascii_runtime_measurements | grep -m 1 "\.ima" | cut -d' ' -f 6 | xxd -r -p |tee ima-cert.der | sha256sum | cut -d' ' -f 1
    
    The output of the above command should match the template hash
    of the first "key" measurement entry in the IMA measurement list for
    the key added to ".ima" keyring.
    
    The file namely "ima-cert.der" generated by the above command
    should be a valid x509 certificate (in DER format) and should match
    the one that was used to import the key to the ".ima" keyring.
    The certificate file can be verified using openssl tool.
    Signed-off-by: default avatarLakshmi Ramasubramanian <nramas@linux.microsoft.com>
    Signed-off-by: default avatarMimi Zohar <zohar@linux.ibm.com>
    2b60c0ec
ima_policy.c 43.9 KB