• Nayna Jain's avatar
    ima: Check against blacklisted hashes for files with modsig · 273df864
    Nayna Jain authored
    Asymmetric private keys are used to sign multiple files. The kernel
    currently supports checking against blacklisted keys. However, if the
    public key is blacklisted, any file signed by the blacklisted key will
    automatically fail signature verification. Blacklisting the public key
    is not fine enough granularity, as we might want to only blacklist a
    particular file.
    
    This patch adds support for checking against the blacklisted hash of
    the file, without the appended signature, based on the IMA policy. It
    defines a new policy option "appraise_flag=check_blacklist".
    
    In addition to the blacklisted binary hashes stored in the firmware
    "dbx" variable, the Linux kernel may be configured to load blacklisted
    binary hashes onto the .blacklist keyring as well. The following
    example shows how to blacklist a specific kernel module hash.
    
      $ sha256sum kernel/kheaders.ko
      77fa889b35a05338ec52e51591c1b89d4c8d1c99a21251d7c22b1a8642a6bad3
      kernel/kheaders.ko
    
      $ grep BLACKLIST .config
      CONFIG_SYSTEM_BLACKLIST_KEYRING=y
      CONFIG_SYSTEM_BLACKLIST_HASH_LIST="blacklist-hash-list"
    
      $ cat certs/blacklist-hash-list
      "bin:77fa889b35a05338ec52e51591c1b89d4c8d1c99a21251d7c22b1a8642a6bad3"
    
    Update the IMA custom measurement and appraisal policy
    rules (/etc/ima-policy):
    
      measure func=MODULE_CHECK template=ima-modsig
      appraise func=MODULE_CHECK appraise_flag=check_blacklist
      appraise_type=imasig|modsig
    
    After building, installing, and rebooting the kernel:
    
       545660333 ---lswrv      0     0   \_ blacklist:
      bin:77fa889b35a05338ec52e51591c1b89d4c8d1c99a21251d7c22b1a8642a6bad3
    
      measure func=MODULE_CHECK template=ima-modsig
      appraise func=MODULE_CHECK appraise_flag=check_blacklist
      appraise_type=imasig|modsig
    
      modprobe: ERROR: could not insert 'kheaders': Permission denied
    
      10 0c9834db5a0182c1fb0cdc5d3adcf11a11fd83dd ima-sig
      sha256:3bc6ed4f0b4d6e31bc1dbc9ef844605abc7afdc6d81a57d77a1ec9407997c40
      2 /usr/lib/modules/5.4.0-rc3+/kernel/kernel/kheaders.ko
    
      10 82aad2bcc3fa8ed94762356b5c14838f3bcfa6a0 ima-modsig
      sha256:3bc6ed4f0b4d6e31bc1dbc9ef844605abc7afdc6d81a57d77a1ec9407997c40
      2 /usr/lib/modules/5.4.0rc3+/kernel/kernel/kheaders.ko  sha256:77fa889b3
      5a05338ec52e51591c1b89d4c8d1c99a21251d7c22b1a8642a6bad3
      3082029a06092a864886f70d010702a082028b30820287020101310d300b0609608648
      016503040201300b06092a864886f70d01070131820264....
    
      10 25b72217cc1152b44b134ce2cd68f12dfb71acb3 ima-buf
      sha256:8b58427fedcf8f4b20bc8dc007f2e232bf7285d7b93a66476321f9c2a3aa132
      b blacklisted-hash
      77fa889b35a05338ec52e51591c1b89d4c8d1c99a21251d7c22b1a8642a6bad3
    Signed-off-by: default avatarNayna Jain <nayna@linux.ibm.com>
    [zohar@linux.ibm.com: updated patch description]
    Signed-off-by: default avatarMimi Zohar <zohar@linux.ibm.com>
    Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
    Link: https://lore.kernel.org/r/1572492694-6520-8-git-send-email-zohar@linux.ibm.com
    273df864
ima.h 11.7 KB