From 0165f4ca223b04bb032095753fadd28816dc435f Mon Sep 17 00:00:00 2001 From: Nayna Jain Date: Fri, 9 Apr 2021 10:35:06 -0400 Subject: ima: enable signing of modules with build time generated key The kernel build process currently only signs kernel modules when MODULE_SIG is enabled. Also, sign the kernel modules at build time when IMA_APPRAISE_MODSIG is enabled. Signed-off-by: Nayna Jain Acked-by: Stefan Berger Signed-off-by: Mimi Zohar --- certs/Kconfig | 2 +- certs/Makefile | 8 ++++++++ 2 files changed, 9 insertions(+), 1 deletion(-) (limited to 'certs') diff --git a/certs/Kconfig b/certs/Kconfig index c94e93d8bccf..48675ad319db 100644 --- a/certs/Kconfig +++ b/certs/Kconfig @@ -4,7 +4,7 @@ menu "Certificates for signature checking" config MODULE_SIG_KEY string "File name or PKCS#11 URI of module signing key" default "certs/signing_key.pem" - depends on MODULE_SIG + depends on MODULE_SIG || IMA_APPRAISE_MODSIG help Provide the file name of a private key/certificate in PEM format, or a PKCS#11 URI according to RFC7512. The file should contain, or diff --git a/certs/Makefile b/certs/Makefile index f4c25b67aad9..e3185c57fbd8 100644 --- a/certs/Makefile +++ b/certs/Makefile @@ -32,6 +32,14 @@ endif # CONFIG_SYSTEM_TRUSTED_KEYRING clean-files := x509_certificate_list .x509.list ifeq ($(CONFIG_MODULE_SIG),y) + SIGN_KEY = y +endif + +ifeq ($(CONFIG_IMA_APPRAISE_MODSIG),y) + SIGN_KEY = y +endif + +ifdef SIGN_KEY ############################################################################### # # If module signing is requested, say by allyesconfig, but a key has not been -- cgit From 6cbdfb3d91bab122033bd2ecae8c259cb6e4f7d0 Mon Sep 17 00:00:00 2001 From: Nayna Jain Date: Fri, 9 Apr 2021 10:35:07 -0400 Subject: ima: enable loading of build time generated key on .ima keyring The kernel currently only loads the kernel module signing key onto the builtin trusted keyring. Load the module signing key onto the IMA keyring as well. Signed-off-by: Nayna Jain Acked-by: Stefan Berger 
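Review bot: `SIGN_KEY` is only ever assigned inside the two `ifeq` blocks in the certs/Makefile hunk, so the `ifdef SIGN_KEY` test that now guards the key-generation section is also satisfied by a `SIGN_KEY` value inherited from the environment or the make command line. Testing the config symbols directly, for example `ifneq ($(CONFIG_MODULE_SIG)$(CONFIG_IMA_APPRAISE_MODSIG),)`, would remove the helper variable and the ambiguity. The guarded section and its closing `endif` lie outside this hunk, so anything else that depends on the guard should be checked there.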
Signed-off-by: Mimi Zohar --- certs/system_certificates.S | 13 +++++++++++- certs/system_keyring.c | 50 ++++++++++++++++++++++++++++++++++++--------- 2 files changed, 52 insertions(+), 11 deletions(-) (limited to 'certs') diff --git a/certs/system_certificates.S b/certs/system_certificates.S index 8f29058adf93..dcad27ea8527 100644 --- a/certs/system_certificates.S +++ b/certs/system_certificates.S @@ -8,9 +8,11 @@ .globl system_certificate_list system_certificate_list: __cert_list_start: -#ifdef CONFIG_MODULE_SIG +__module_cert_start: +#if defined(CONFIG_MODULE_SIG) || defined(CONFIG_IMA_APPRAISE_MODSIG) .incbin "certs/signing_key.x509" #endif +__module_cert_end: .incbin "certs/x509_certificate_list" __cert_list_end: @@ -35,3 +37,12 @@ system_certificate_list_size: #else .long __cert_list_end - __cert_list_start #endif + + .align 8 + .globl module_cert_size +module_cert_size: +#ifdef CONFIG_64BIT + .quad __module_cert_end - __module_cert_start +#else + .long __module_cert_end - __module_cert_start +#endif diff --git a/certs/system_keyring.c b/certs/system_keyring.c index 4b693da488f1..2b3ad375ecc1 100644 --- a/certs/system_keyring.c +++ b/certs/system_keyring.c @@ -27,6 +27,7 @@ static struct key *platform_trusted_keys; extern __initconst const u8 system_certificate_list[]; extern __initconst const unsigned long system_certificate_list_size; +extern __initconst const unsigned long module_cert_size; /** * restrict_link_to_builtin_trusted - Restrict keyring addition by built in CA 
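Review bot: The new `__module_cert_start`/`__module_cert_end` labels in certs/system_certificates.S make it a hard requirement that `certs/signing_key.x509` is the first thing emitted after `__cert_list_start`, and nothing in the file records that. `load_module_cert()` in certs/system_keyring.c treats the first `module_cert_size` bytes of `system_certificate_list` as the module certificate, and `load_system_certificate_list()` skips the same number of bytes when `CONFIG_MODULE_SIG` is off. An `.incbin` placed ahead of the signing key would therefore silently hand different certificate bytes to the caller's keyring. A comment above `__module_cert_start:` would pin this down, for example `/* Must stay first: system_keyring.c treats the first module_cert_size bytes of the list as the module signing cert. */`.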
@@ -132,19 +133,11 @@ static __init int system_trusted_keyring_init(void) */ device_initcall(system_trusted_keyring_init); -/* - * Load the compiled-in list of X.509 certificates. - */ -static __init int load_system_certificate_list(void) +static __init int load_cert(const u8 *p, const u8 *end, struct key *keyring) { key_ref_t key; - const u8 *p, *end; size_t plen; - pr_notice("Loading compiled-in X.509 certificates\n"); - - p = system_certificate_list; - end = p + system_certificate_list_size; while (p < end) { /* Each cert begins with an ASN.1 SEQUENCE tag and must be more * than 256 bytes in size. @@ -159,7 +152,7 @@ static __init int load_system_certificate_list(void) if (plen > end - p) goto dodgy_cert; - key = key_create_or_update(make_key_ref(builtin_trusted_keys, 1), + key = key_create_or_update(make_key_ref(keyring, 1), "asymmetric", NULL, p, @@ -186,6 +179,43 @@ dodgy_cert: pr_err("Problem parsing in-kernel X.509 certificate list\n"); return 0; } + +__init int load_module_cert(struct key *keyring) +{ + const u8 *p, *end; + + if (!IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG)) + return 0; + + pr_notice("Loading compiled-in module X.509 certificates\n"); + + p = system_certificate_list; + end = p + module_cert_size; + + return load_cert(p, end, keyring); +} + +/* + * Load the compiled-in list of X.509 certificates. + */ +static __init int load_system_certificate_list(void) +{ + const u8 *p, *end; + unsigned long size; + + pr_notice("Loading compiled-in X.509 certificates\n"); + +#ifdef CONFIG_MODULE_SIG + p = system_certificate_list; + size = system_certificate_list_size; +#else + p = system_certificate_list + module_cert_size; + size = system_certificate_list_size - module_cert_size; +#endif + + end = p + size; + return load_cert(p, end, builtin_trusted_keys); +} late_initcall(load_system_certificate_list); #ifdef CONFIG_SYSTEM_DATA_VERIFICATION -- cgit From 781a5739489949fd0f32432a9da17f7ddbccf1cc Mon Sep 17 00:00:00 2001 
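Review bot: `load_cert()` is left without any comment; the one removed at the top of this hunk reappears only on `load_system_certificate_list()` further down. Because the helper now takes both its byte range and its target keyring from the caller, a short header would help, for example `/* Add each ASN.1-encoded X.509 certificate found in [p, end) to @keyring. */`. The body of the function continues outside this hunk.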
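Review bot: `load_module_cert()` returns whatever `load_cert()` returns, and the `dodgy_cert` path visible at the top of the last hunk ends in `return 0;`, so a malformed module certificate is reported to the caller as success. The function is non-static and receives the keyring from its caller, which then has no way to notice that the key was not loaded other than the `pr_err` line; modules signed with the build-time key would presumably fail appraisal later without an obvious cause. Consider returning a negative errno such as `-EINVAL` from the `dodgy_cert` path, with `load_system_certificate_list()` mapping it back to 0 if the initcall result must stay unchanged. A kernel-doc comment on `load_module_cert()` stating the return contract and that it is a no-op unless `CONFIG_IMA_APPRAISE_MODSIG` is enabled would also be useful; its prototype is not visible in the files shown here.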
From: Nayna Jain Date: Thu, 22 Apr 2021 21:16:02 -0400 Subject: ima: ensure IMA_APPRAISE_MODSIG has necessary dependencies IMA_APPRAISE_MODSIG is used for verifying the integrity of both kernel and modules. Enabling IMA_APPRAISE_MODSIG without MODULES causes a build break. Ensure the build time kernel signing key is only generated if both IMA_APPRAISE_MODSIG and MODULES are enabled. Fixes: 0165f4ca223b ("ima: enable signing of modules with build time generated key") Reported-by: Randy Dunlap Reported-by: Stephen Rothwell Acked-by: Randy Dunlap # build-tested Signed-off-by: Nayna Jain Signed-off-by: Mimi Zohar --- certs/Kconfig | 2 +- certs/Makefile | 2 ++ certs/system_certificates.S | 3 ++- 3 files changed, 5 insertions(+), 2 deletions(-) (limited to 'certs') diff --git a/certs/Kconfig b/certs/Kconfig index 48675ad319db..e4d00348fd73 100644 --- a/certs/Kconfig +++ b/certs/Kconfig @@ -4,7 +4,7 @@ menu "Certificates for signature checking" config MODULE_SIG_KEY string "File name or PKCS#11 URI of module signing key" default "certs/signing_key.pem" - depends on MODULE_SIG || IMA_APPRAISE_MODSIG + depends on MODULE_SIG || (IMA_APPRAISE_MODSIG && MODULES) help Provide the file name of a private key/certificate in PEM format, or a PKCS#11 URI according to RFC7512. The file should contain, or diff --git a/certs/Makefile b/certs/Makefile index e3185c57fbd8..2f369d6aa494 100644 --- a/certs/Makefile +++ b/certs/Makefile @@ -36,8 +36,10 @@ ifeq ($(CONFIG_MODULE_SIG),y) endif ifeq ($(CONFIG_IMA_APPRAISE_MODSIG),y) +ifeq ($(CONFIG_MODULES),y) SIGN_KEY = y endif +endif ifdef SIGN_KEY ############################################################################### diff --git a/certs/system_certificates.S b/certs/system_certificates.S index dcad27ea8527..e1645e6f4d97 100644 --- a/certs/system_certificates.S +++ b/certs/system_certificates.S 
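Review bot: The condition `MODULE_SIG || (IMA_APPRAISE_MODSIG && MODULES)` is now spelled out three times: in the `depends on` line of certs/Kconfig, as nested `ifeq` blocks in certs/Makefile, and as a preprocessor expression in certs/system_certificates.S. This fix was needed because the earlier copies of the condition did not match what the build requires, and three hand-maintained copies can drift again. A single hidden Kconfig symbol carrying the expression, with the Makefile and the assembly file testing only that symbol, would keep them in step.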
@@ -9,7 +9,8 @@ system_certificate_list: __cert_list_start: __module_cert_start: -#if defined(CONFIG_MODULE_SIG) || defined(CONFIG_IMA_APPRAISE_MODSIG) +#if defined(CONFIG_MODULE_SIG) || (defined(CONFIG_IMA_APPRAISE_MODSIG) \ + && defined(CONFIG_MODULES)) .incbin "certs/signing_key.x509" #endif __module_cert_end: -- cgit
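Review bot: With `CONFIG_IMA_APPRAISE_MODSIG=y` and `CONFIG_MODULES=n` this `#if` now omits the `.incbin`, so `module_cert_size` becomes zero, but `load_module_cert()` as added earlier in this series still tests only `IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG)`. It will print "Loading compiled-in module X.509 certificates" and then load nothing, which is harmless but misleading in a boot log that is read to confirm which keys ended up trusted. The check there could become `if (!IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG) || !module_cert_size)`; certs/system_keyring.c is not touched by this commit.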