From 41ac16b26fe05c8291d3467b8a7bee1bc2445393 Mon Sep 17 00:00:00 2001 From: Mimi Zohar Date: Wed, 29 Apr 2015 11:05:25 -0400 Subject: [PATCH] Define new script to load keys on the IMA keyring (update) This patch supports loading keys either on the _ima keyring or, as of Linux 3.17, on the trusted .ima keyring. Only certificates signed by a key on the system keyring can be loaded onto the trusted .ima keyring. Changelog: - Update 98integrity/README --- modules.d/98integrity/README | 28 +++++++++++++++ modules.d/98integrity/ima-keys-load.sh | 62 ++++++++++++++++++++++++++++++++++ modules.d/98integrity/module-setup.sh | 2 ++ 3 files changed, 92 insertions(+) create mode 100755 modules.d/98integrity/ima-keys-load.sh diff --git a/modules.d/98integrity/README b/modules.d/98integrity/README index d74e063..64de0ae 100644 --- a/modules.d/98integrity/README +++ b/modules.d/98integrity/README @@ -38,3 +38,31 @@ line. ------------- '/etc/sysconfig/ima' (with the default value) ------------- IMAPOLICY="/etc/sysconfig/ima-policy" ------------------------------------------------------------------------- + + +# Information on loading distro, third party or local keys on the trusted IMA keyring + +# Loading distro, third party or local keys on the trusted IMA keyring requires +# creating a local certificate authority(local-CA), installing the local-CA's +# public key on the system-keyring and signing the certificates with the local-CA +# key. +# +# Many directions for creating a mini certificate authority exist on the web +# (eg. openssl, yubikey). (Reminder: safely storing the private key offline is +# really important, especially in the case of the local-CA's private key.) The +# local-CA's public key can be loaded onto the system keyring either by building +# the key into the kernel or, on Fedora, storing it in the UEFI/Mok keyring. (As +# of writing, the patches for loading the UEFI/Mok keys on the system-keyring +# have not been upstreamed.) +# +# To view the system keyring: keyctl show %keyring:.system_keyring +# +# Most on-line directions for signing certificates requires creating a Certificate +# Signing Request (CSR). Creating such a request requires access to the private +# key, which would not be available when signing distro or 3rd party certificates. +# Openssl provides the "-ss_cert" option for directly signing certificates. + +# 98integrity/ima-keys-load.sh script loads the signed certificates stored +# in the $IMAKEYSDIR onto the trusted IMA keyring. The default $IMAKEYSDIR +# directory is /etc/keys/ima, but can be specified in the /etc/sysconfig/ima +# policy. diff --git a/modules.d/98integrity/ima-keys-load.sh b/modules.d/98integrity/ima-keys-load.sh new file mode 100755 index 0000000..659b722 --- /dev/null +++ b/modules.d/98integrity/ima-keys-load.sh @@ -0,0 +1,62 @@ +#!/bin/sh + +SECURITYFSDIR="/sys/kernel/security" +IMASECDIR="${SECURITYFSDIR}/ima" +IMACONFIG="${NEWROOT}/etc/sysconfig/ima" + +load_x509_keys() +{ + KEYRING_ID=$1 + + # override the default configuration + if [ -f "${IMACONFIG}" ]; then + . ${IMACONFIG} + fi + + if [ -z "${IMAKEYDIR}" ]; then + IMAKEYSDIR="/etc/keys/ima" + fi + + PUBKEY_LIST=`ls ${NEWROOT}${IMAKEYSDIR}/*` + for PUBKEY in ${PUBKEY_LIST}; do + # check for public key's existence + if [ ! -f "${PUBKEY}" ]; then + if [ "${RD_DEBUG}" = "yes" ]; then + info "integrity: IMA x509 cert file not found: ${PUBKEY}" + fi + continue + fi + + X509ID=$(evmctl import ${PUBKEY} ${KEYRING_ID}) + if [ $? -ne 0 ]; then + info "integrity: IMA x509 cert not loaded on keyring: ${PUBKEY}" + fi + done + + if [ "${RD_DEBUG}" = "yes" ]; then + keyctl show ${KEYRING_ID} + fi + return 0 +} + +# check kernel support for IMA +if [ ! -e "${IMASECDIR}" ]; then + if [ "${RD_DEBUG}" = "yes" ]; then + info "integrity: IMA kernel support is disabled" + fi + return 0 +fi + +# get the IMA keyring id +line=$(keyctl describe %keyring:.ima) +if [ $? -eq 0 ]; then + _ima_id=${line%%:*} +else + _ima_id=`keyctl search @u keyring _ima` + if [ -z "${_ima_id}" ]; then + _ima_id=`keyctl newring _ima @u` + fi +fi + +# load the IMA public key(s) +load_x509_keys ${_ima_id} diff --git a/modules.d/98integrity/module-setup.sh b/modules.d/98integrity/module-setup.sh index 2d4d2ed..34b33cd 100755 --- a/modules.d/98integrity/module-setup.sh +++ b/modules.d/98integrity/module-setup.sh @@ -13,6 +13,8 @@ depends() { # called by dracut install() { + dracut_install evmctl keyctl ls inst_hook pre-pivot 61 "$moddir/evm-enable.sh" + inst_hook pre-pivot 61 "$moddir/ima-keys-load.sh" inst_hook pre-pivot 62 "$moddir/ima-policy-load.sh" }