From: Mimi Zohar Date: Thu, 12 Dec 2019 13:59:26 +0000 (-0500) Subject: Merge branch 'next-integrity.measure-keys' into next-integrity X-Git-Tag: v5.6-rc1~144^2~6 X-Git-Url: https://asedeno.scripts.mit.edu/gitweb/?a=commitdiff_plain;h=f47825c694851955fa4c492dd56809621529b086;p=linux.git Merge branch 'next-integrity.measure-keys' into next-integrity From "KEYS: Measure keys when they are created or updated" cover letter: Keys created or updated in the system are currently not measured. Therefore an attestation service, for instance, would not be able to attest whether or not the trusted keys keyring(s), for instance, contain only known good (trusted) keys. IMA measures system files, command line arguments passed to kexec, boot aggregate, etc. It can be used to measure keys as well. But there is no mechanism available in the kernel for IMA to know when a key is created or updated. This change aims to address measuring keys created or updated in the system. To achieve the above the following changes have been made: - Added a new IMA hook namely, ima_post_key_create_or_update, which measures the key. This IMA hook is called from key_create_or_update function. The key measurement can be controlled through IMA policy. A new IMA policy function KEY_CHECK has been added to measure keys. "keyrings=" option can be specified for KEY_CHECK to limit measuring the keys loaded onto the specified keyrings only. uid can be specified to further restrict key measurement for keys created by specific user. # measure keys loaded onto any keyring measure func=KEY_CHECK # measure keys loaded onto the IMA keyring only for root user measure func=KEY_CHECK uid=0 keyring=".ima" # measure keys on the BUILTIN and IMA keyrings into a different PCR measure func=KEY_CHECK keyring=".builtin_trusted_keys|.ima" pcr=11 --- f47825c694851955fa4c492dd56809621529b086