From 41ac16b26fe05c8291d3467b8a7bee1bc2445393 Mon Sep 17 00:00:00 2001
From: Mimi Zohar <zohar@linux.vnet.ibm.com>
Date: Wed, 29 Apr 2015 11:05:25 -0400
Subject: [PATCH] Define new script to load keys on the IMA keyring (update)
This patch supports loading keys either on the _ima keyring or, as of
Linux 3.17, on the trusted .ima keyring. Only certificates signed by
a key on the system keyring can be loaded onto the trusted .ima keyring.
Changelog:
- Update 98integrity/README
---
modules.d/98integrity/README | 28 +++++++++++++++
modules.d/98integrity/ima-keys-load.sh | 62 ++++++++++++++++++++++++++++++++++
modules.d/98integrity/module-setup.sh | 2 ++
3 files changed, 92 insertions(+)
create mode 100755 modules.d/98integrity/ima-keys-load.sh
diff --git a/modules.d/98integrity/README b/modules.d/98integrity/README
index d74e063..64de0ae 100644
--- a/modules.d/98integrity/README
+++ b/modules.d/98integrity/README
@@ -38,3 +38,31 @@ line.
------------- '/etc/sysconfig/ima' (with the default value) -------------
IMAPOLICY="/etc/sysconfig/ima-policy"
-------------------------------------------------------------------------
+
+
+# Information on loading distro, third party or local keys on the trusted IMA keyring
+
+# Loading distro, third party or local keys on the trusted IMA keyring requires
+# creating a local certificate authority(local-CA), installing the local-CA's
+# public key on the system-keyring and signing the certificates with the local-CA
+# key.
+#
+# Many directions for creating a mini certificate authority exist on the web
+# (eg. openssl, yubikey). (Reminder: safely storing the private key offline is
+# really important, especially in the case of the local-CA's private key.) The
+# local-CA's public key can be loaded onto the system keyring either by building
+# the key into the kernel or, on Fedora, storing it in the UEFI/Mok keyring. (As
+# of writing, the patches for loading the UEFI/Mok keys on the system-keyring
+# have not been upstreamed.)
+#
+# To view the system keyring: keyctl show %keyring:.system_keyring
+#
+# Most on-line directions for signing certificates requires creating a Certificate
+# Signing Request (CSR). Creating such a request requires access to the private
+# key, which would not be available when signing distro or 3rd party certificates.
+# Openssl provides the "-ss_cert" option for directly signing certificates.
+
+# 98integrity/ima-keys-load.sh script loads the signed certificates stored
+# in the $IMAKEYSDIR onto the trusted IMA keyring. The default $IMAKEYSDIR
+# directory is /etc/keys/ima, but can be specified in the /etc/sysconfig/ima
+# policy.
diff --git a/modules.d/98integrity/ima-keys-load.sh b/modules.d/98integrity/ima-keys-load.sh
new file mode 100755
index 0000000..659b722
--- /dev/null
+++ b/modules.d/98integrity/ima-keys-load.sh
@@ -0,0 +1,62 @@
+#!/bin/sh
+
+SECURITYFSDIR="/sys/kernel/security"
+IMASECDIR="${SECURITYFSDIR}/ima"
+IMACONFIG="${NEWROOT}/etc/sysconfig/ima"
+
+load_x509_keys()
+{
+ KEYRING_ID=$1
+
+ # override the default configuration
+ if [ -f "${IMACONFIG}" ]; then
+ . ${IMACONFIG}
+ fi
+
+ if [ -z "${IMAKEYDIR}" ]; then
+ IMAKEYSDIR="/etc/keys/ima"
+ fi
+
+ PUBKEY_LIST=`ls ${NEWROOT}${IMAKEYSDIR}/*`
+ for PUBKEY in ${PUBKEY_LIST}; do
+ # check for public key's existence
+ if [ ! -f "${PUBKEY}" ]; then
+ if [ "${RD_DEBUG}" = "yes" ]; then
+ info "integrity: IMA x509 cert file not found: ${PUBKEY}"
+ fi
+ continue
+ fi
+
+ X509ID=$(evmctl import ${PUBKEY} ${KEYRING_ID})
+ if [ $? -ne 0 ]; then
+ info "integrity: IMA x509 cert not loaded on keyring: ${PUBKEY}"
+ fi
+ done
+
+ if [ "${RD_DEBUG}" = "yes" ]; then
+ keyctl show ${KEYRING_ID}
+ fi
+ return 0
+}
+
+# check kernel support for IMA
+if [ ! -e "${IMASECDIR}" ]; then
+ if [ "${RD_DEBUG}" = "yes" ]; then
+ info "integrity: IMA kernel support is disabled"
+ fi
+ return 0
+fi
+
+# get the IMA keyring id
+line=$(keyctl describe %keyring:.ima)
+if [ $? -eq 0 ]; then
+ _ima_id=${line%%:*}
+else
+ _ima_id=`keyctl search @u keyring _ima`
+ if [ -z "${_ima_id}" ]; then
+ _ima_id=`keyctl newring _ima @u`
+ fi
+fi
+
+# load the IMA public key(s)
+load_x509_keys ${_ima_id}
diff --git a/modules.d/98integrity/module-setup.sh b/modules.d/98integrity/module-setup.sh
index 2d4d2ed..34b33cd 100755
--- a/modules.d/98integrity/module-setup.sh
+++ b/modules.d/98integrity/module-setup.sh
@@ -13,6 +13,8 @@ depends() {
# called by dracut
install() {
+ dracut_install evmctl keyctl ls
inst_hook pre-pivot 61 "$moddir/evm-enable.sh"
+ inst_hook pre-pivot 61 "$moddir/ima-keys-load.sh"
inst_hook pre-pivot 62 "$moddir/ima-policy-load.sh"
}