From 9391beaead4531afa1880394325efb76cfad8765 Mon Sep 17 00:00:00 2001 From: Dmitry Kasatkin Date: Wed, 5 Oct 2011 11:54:46 +0300 Subject: [PATCH] --- yaml --- r: 283245 b: refs/heads/master c: 8607c501478432b23654739c7321bc7456053cb6 h: refs/heads/master i: 283243: d56281deeda30445d8ec67b02b3225b3fe5557d5 v: v3 --- [refs] | 2 +- trunk/security/integrity/Kconfig | 14 ++++++++ trunk/security/integrity/Makefile | 1 + trunk/security/integrity/digsig.c | 48 ++++++++++++++++++++++++++++ trunk/security/integrity/integrity.h | 21 ++++++++++++ 5 files changed, 85 insertions(+), 1 deletion(-) create mode 100644 trunk/security/integrity/digsig.c diff --git a/[refs] b/[refs] index ab6e0428c625..f96675a25bad 100644 --- a/[refs] +++ b/[refs] @@ -1,2 +1,2 @@ --- -refs/heads/master: 051dbb918c7fb7da8e64a2cd0d804ba73399709f +refs/heads/master: 8607c501478432b23654739c7321bc7456053cb6 diff --git a/trunk/security/integrity/Kconfig b/trunk/security/integrity/Kconfig index 4bf00acf7937..d87fa2a8fa3b 100644 --- a/trunk/security/integrity/Kconfig +++ b/trunk/security/integrity/Kconfig @@ -3,5 +3,19 @@ config INTEGRITY def_bool y depends on IMA || EVM +config INTEGRITY_DIGSIG + boolean "Digital signature verification using multiple keyrings" + depends on INTEGRITY + default n + select DIGSIG + help + This option enables digital signature verification support + using multiple keyrings. It defines separate keyrings for each + of the different use cases - evm, ima, and modules. + Different keyrings improves search performance, but also allow + to "lock" certain keyring to prevent adding new keys. + This is useful for evm and module keyrings, when keys are + usually only added from initramfs. + source security/integrity/ima/Kconfig source security/integrity/evm/Kconfig diff --git a/trunk/security/integrity/Makefile b/trunk/security/integrity/Makefile index 0ae44aea6516..bece0563ee5e 100644 --- a/trunk/security/integrity/Makefile +++ b/trunk/security/integrity/Makefile @@ -3,6 +3,7 @@ # obj-$(CONFIG_INTEGRITY) += integrity.o +obj-$(CONFIG_INTEGRITY_DIGSIG) += digsig.o integrity-y := iint.o diff --git a/trunk/security/integrity/digsig.c b/trunk/security/integrity/digsig.c new file mode 100644 index 000000000000..2dc167d7cde9 --- /dev/null +++ b/trunk/security/integrity/digsig.c @@ -0,0 +1,48 @@ +/* + * Copyright (C) 2011 Intel Corporation + * + * Author: + * Dmitry Kasatkin + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, version 2 of the License. + * + */ + +#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt + +#include +#include +#include +#include + +#include "integrity.h" + +static struct key *keyring[INTEGRITY_KEYRING_MAX]; + +static const char *keyring_name[INTEGRITY_KEYRING_MAX] = { + "_evm", + "_module", + "_ima", +}; + +int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen, + const char *digest, int digestlen) +{ + if (id >= INTEGRITY_KEYRING_MAX) + return -EINVAL; + + if (!keyring[id]) { + keyring[id] = + request_key(&key_type_keyring, keyring_name[id], NULL); + if (IS_ERR(keyring[id])) { + int err = PTR_ERR(keyring[id]); + pr_err("no %s keyring: %d\n", keyring_name[id], err); + keyring[id] = NULL; + return err; + } + } + + return digsig_verify(keyring[id], sig, siglen, digest, digestlen); +} diff --git a/trunk/security/integrity/integrity.h b/trunk/security/integrity/integrity.h index 3143a3c39868..4da6ba81d153 100644 --- a/trunk/security/integrity/integrity.h +++ b/trunk/security/integrity/integrity.h @@ -46,5 +46,26 @@ struct integrity_iint_cache { struct integrity_iint_cache *integrity_iint_insert(struct inode *inode); struct integrity_iint_cache *integrity_iint_find(struct inode *inode); +#define INTEGRITY_KEYRING_EVM 0 +#define INTEGRITY_KEYRING_MODULE 1 +#define INTEGRITY_KEYRING_IMA 2 +#define INTEGRITY_KEYRING_MAX 3 + +#ifdef CONFIG_INTEGRITY_DIGSIG + +int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen, + const char *digest, int digestlen); + +#else + +static inline int integrity_digsig_verify(const unsigned int id, + const char *sig, int siglen, + const char *digest, int digestlen) +{ + return -EOPNOTSUPP; +} + +#endif /* CONFIG_INTEGRITY_DIGSIG */ + /* set during initialization */ extern int iint_initialized;