Blob Blame History Raw
From 41ac16b26fe05c8291d3467b8a7bee1bc2445393 Mon Sep 17 00:00:00 2001
From: Mimi Zohar <zohar@linux.vnet.ibm.com>
Date: Wed, 29 Apr 2015 11:05:25 -0400
Subject: [PATCH] Define new script to load keys on the IMA keyring (update)

This patch supports loading keys either on the _ima keyring or, as of
Linux 3.17, on the trusted .ima keyring.  Only certificates signed by
a key on the system keyring can be loaded onto the trusted .ima keyring.

Changelog:
- Update 98integrity/README
---
 modules.d/98integrity/README           | 28 +++++++++++++++
 modules.d/98integrity/ima-keys-load.sh | 62 ++++++++++++++++++++++++++++++++++
 modules.d/98integrity/module-setup.sh  |  2 ++
 3 files changed, 92 insertions(+)
 create mode 100755 modules.d/98integrity/ima-keys-load.sh

diff --git a/modules.d/98integrity/README b/modules.d/98integrity/README
index d74e063..64de0ae 100644
--- a/modules.d/98integrity/README
+++ b/modules.d/98integrity/README
@@ -38,3 +38,31 @@ line.
 ------------- '/etc/sysconfig/ima' (with the default value) -------------
 IMAPOLICY="/etc/sysconfig/ima-policy"
 -------------------------------------------------------------------------
+
+
+# Information on loading distro, third party or local keys on the trusted IMA keyring
+
+# Loading distro, third party or local keys on the trusted IMA keyring requires
+# creating a local certificate authority(local-CA), installing the local-CA's
+# public key on the system-keyring and signing the certificates with the local-CA
+# key.
+#
+# Many directions for creating a mini certificate authority exist on the web
+# (eg. openssl, yubikey). (Reminder: safely storing the private key offline is
+# really important, especially in the case of the local-CA's private key.) The
+# local-CA's public key can be loaded onto the system keyring either by building
+# the key into the kernel or, on Fedora, storing it in the UEFI/Mok keyring. (As
+# of writing, the patches for loading the UEFI/Mok keys on the system-keyring
+# have not been upstreamed.)
+#
+# To view the system keyring: keyctl show %keyring:.system_keyring
+#
+# Most on-line directions for signing certificates requires creating a Certificate
+# Signing Request (CSR).  Creating such a request requires access to the private
+# key, which would not be available when signing distro or 3rd party certificates.
+# Openssl provides the "-ss_cert" option for directly signing certificates.
+
+# 98integrity/ima-keys-load.sh script loads the signed certificates stored 
+# in the $IMAKEYSDIR onto the trusted IMA keyring.  The default $IMAKEYSDIR
+# directory is /etc/keys/ima, but can be specified in the /etc/sysconfig/ima
+# policy.
diff --git a/modules.d/98integrity/ima-keys-load.sh b/modules.d/98integrity/ima-keys-load.sh
new file mode 100755
index 0000000..659b722
--- /dev/null
+++ b/modules.d/98integrity/ima-keys-load.sh
@@ -0,0 +1,62 @@
+#!/bin/sh
+
+SECURITYFSDIR="/sys/kernel/security"
+IMASECDIR="${SECURITYFSDIR}/ima"
+IMACONFIG="${NEWROOT}/etc/sysconfig/ima"
+
+load_x509_keys()
+{
+    KEYRING_ID=$1
+
+    # override the default configuration
+    if [ -f "${IMACONFIG}" ]; then
+        . ${IMACONFIG}
+    fi
+
+    if [ -z "${IMAKEYDIR}" ]; then
+        IMAKEYSDIR="/etc/keys/ima"
+    fi
+
+    PUBKEY_LIST=`ls ${NEWROOT}${IMAKEYSDIR}/*`
+    for PUBKEY in ${PUBKEY_LIST}; do
+        # check for public key's existence
+        if [ ! -f "${PUBKEY}" ]; then
+            if [ "${RD_DEBUG}" = "yes" ]; then
+                info "integrity: IMA x509 cert file not found: ${PUBKEY}"
+            fi
+            continue
+        fi
+
+        X509ID=$(evmctl import ${PUBKEY} ${KEYRING_ID})
+        if [ $? -ne 0 ]; then
+            info "integrity: IMA x509 cert not loaded on keyring: ${PUBKEY}"
+        fi 
+    done
+
+    if [ "${RD_DEBUG}" = "yes" ]; then
+        keyctl show  ${KEYRING_ID}
+    fi
+    return 0
+}
+
+# check kernel support for IMA
+if [ ! -e "${IMASECDIR}" ]; then
+    if [ "${RD_DEBUG}" = "yes" ]; then
+        info "integrity: IMA kernel support is disabled"
+    fi
+    return 0
+fi
+
+# get the IMA keyring id
+line=$(keyctl describe %keyring:.ima)
+if [ $? -eq 0 ]; then
+    _ima_id=${line%%:*}
+else
+    _ima_id=`keyctl search @u keyring _ima`
+    if [ -z "${_ima_id}" ]; then
+        _ima_id=`keyctl newring _ima @u`
+    fi
+fi
+
+# load the IMA public key(s)
+load_x509_keys ${_ima_id}
diff --git a/modules.d/98integrity/module-setup.sh b/modules.d/98integrity/module-setup.sh
index 2d4d2ed..34b33cd 100755
--- a/modules.d/98integrity/module-setup.sh
+++ b/modules.d/98integrity/module-setup.sh
@@ -13,6 +13,8 @@ depends() {
 
 # called by dracut
 install() {
+    dracut_install evmctl keyctl ls
     inst_hook pre-pivot 61 "$moddir/evm-enable.sh"
+    inst_hook pre-pivot 61 "$moddir/ima-keys-load.sh"
     inst_hook pre-pivot 62 "$moddir/ima-policy-load.sh"
 }