Signed executables need to run locked in memory; otherwise they can be swapped out, and there is a possibility that they can be attacked by writing directly to swap.
So add a memlock structure in security.ima xattr. Kernel will parse it and memlock the executable file if signature verification was successful.
Currently this will happen only for elf binaries.
Signed-off-by: Vivek Goyal vgoyal@redhat.com --- src/evmctl.c | 61 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 57 insertions(+), 4 deletions(-)
diff --git a/src/evmctl.c b/src/evmctl.c
index aa61338..e24b9ed 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -45,6 +45,7 @@
 #include <attr/xattr.h>
 #include <dirent.h>
 #include <ctype.h>
+#include <stdbool.h>
 #include <openssl/sha.h>
 #include <openssl/rsa.h>
@@ -165,6 +166,14 @@ struct signature_v2_hdr {
 uint8_t sig[0]; /* signature payload */
 } __attribute__ ((packed));
+/* memlocking info header */
+#define MEMLOCK_MAGIC_STR "MEMLOCK"
+struct memlock_hdr {
+ uint8_t magic_str[8]; /* magic to detect memlock hdr presence */
+ uint8_t version; /* memlock info hdr version */
+ uint8_t memlock_file; /* If set, run executable locked in memory */
+} __attribute__ ((packed));
+
 /*
 * Hash algorithm OIDs plus ASN.1 DER wrappings [RFC4880 sec 5.2.2].
@@ -258,6 +267,7 @@ static char *uuid_str;
 static int x509;
 static int user_sig_type;
 static char *keyfile;
+static bool memlock = false;
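Review bot: struct memlock_hdr is a serialized format that, per the commit message, the kernel parses out of security.ima, yet nothing at the definition says so or pins the encoding: that magic_str holds MEMLOCK_MAGIC_STR NUL-padded to the full 8 bytes, that version 1 denotes exactly this two-byte payload, and that there is no length field, so any future field can only be added by bumping version. I would put a comment above the struct along the lines of `/* On-disk format appended to the IMA signature blob and parsed by the kernel; layout is fixed, extend only by bumping version */` and one on the magic field such as `/* MEMLOCK_MAGIC_STR incl. its NUL, zero-padded to 8 bytes */`. Whether the kernel compares the whole 8 bytes or only the string is not visible in this patch and should be stated by whoever owns the parser.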
typedef int (*sign_hash_fn_t)(const char *algo, const unsigned char *hash, int size, const char *keyfile, unsigned char *sig);
@@ -1021,12 +1031,23 @@ static int cmd_hash_ima(struct command *cmd)
 return hash_ima(file);
 }
+static int add_memlock_info(unsigned char *ptr)
+{
+ struct memlock_hdr *memlock_hdr = (struct memlock_hdr *)ptr;
+ strcpy((char *)memlock_hdr->magic_str, MEMLOCK_MAGIC_STR);
+
+ memlock_hdr->version = 1;
+ memlock_hdr->memlock_file = 1;
+
+ return sizeof(struct memlock_hdr);
+}
+
 static int sign_ima(const char *file, const char *key)
 {
 unsigned char hash[64];
 unsigned char sig[1024] = "\x03";
 char magic[] = "This Is A Crypto Signed Module";
- int len, err;
+ int len, err, memlock_len = 0;
 len = calc_hash(file, hash);
 if (len <= 1)
@@ -1049,6 +1070,11 @@ static int sign_ima(const char *file, const char *key)
 return 0;
 }
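Review bot: add_memlock_info writes sizeof(struct memlock_hdr) bytes through `ptr` but takes no capacity and documents no contract, and its strcpy is safe only because sizeof(MEMLOCK_MAGIC_STR) including the NUL happens to equal sizeof(magic_str); a longer magic would overflow the 8-byte field by one. I would add a header comment `/* Serialize a version-1 memlock_hdr at ptr; the caller must have sizeof(struct memlock_hdr) bytes free there. Returns the number of bytes written. */` and replace the strcpy with `memcpy(memlock_hdr->magic_str, MEMLOCK_MAGIC_STR, sizeof(memlock_hdr->magic_str));` so the write is bounded by the field rather than by the literal's terminator. sign_ima's body continues outside this hunk.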
+ if (memlock) {
+ memlock_len = add_memlock_info(sig + len);
+ len += memlock_len;
+ }
+
 if (sigfile)
 bin2file(file, "sig", sig, len);
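Review bot: The append at `add_memlock_info(sig + len)` writes sizeof(struct memlock_hdr) bytes after the signature with no check that they fit in the 1024-byte `sig` buffer declared at the top of sign_ima; `len` comes from the signing step, which lies outside this hunk, so the remaining margin is not visible here and depends on the key size. A guard before the call, `if (len + (int)sizeof(struct memlock_hdr) > (int)sizeof(sig))` followed by a log_err and `return -1;`, makes the append independent of that margin. Separately, the header is placed after the signature and nothing in sign_ima covers it with the signature (the signature is derived from the file hash computed by calc_hash, as far as this patch shows), so anyone able to rewrite security.ima could strip or clear the memlock flag without invalidating the signature; unless EVM protection of the xattr is being relied on, that assumption deserves a comment at this point. sign_ima's body starts outside this hunk.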
@@ -1262,11 +1288,27 @@ static int get_hash_algo_from_sig(unsigned char *sig)
 return -1;
 }
+static int get_digsig_len(const unsigned char *sig)
+{
+ uint16_t sz;
+
+ if (sig[0] == 1) {
+ sz = *((uint16_t *)(sig + sizeof(struct signature_hdr)));
+ sz = __be16_to_cpu(sz);
+ return sizeof(struct signature_hdr) + 2 + (sz >> 3);
+ } else if (sig[0] == 2 ) {
+ sz = ((struct signature_v2_hdr *)sig)->sig_size;
+ return sizeof(struct signature_v2_hdr) + __be16_to_cpu(sz);
+ }
+
+ return -EBADMSG;
+}
+
 static int verify_ima(const char *file)
 {
 unsigned char hash[64];
 unsigned char sig[1024];
- int len, hashlen;
+ int len, hashlen, digsiglen;
 int sig_hash_algo;
 char *key;
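Review bot: In get_digsig_len the v1 size is read with `*((uint16_t *)(sig + sizeof(struct signature_hdr)))`, which aliases the byte buffer as a wider type and, since the only caller passes `sig + 1` into an unsigned char array, is likely a misaligned load on strict targets; `memcpy(&sz, sig + sizeof(struct signature_hdr), sizeof(sz));` is the portable form (the v2 path goes through a packed struct member and is fine). The function also has no way to know how many bytes are actually behind `sig`, so a size field from a truncated or corrupt xattr is returned as if valid and the caller must bound the result, or an `int avail` parameter should be added and checked against the computed length. Style: `sig[0] == 2 )` has a stray space before the parenthesis.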
@@ -1322,7 +1364,13 @@ static int verify_ima(const char *file)
 "/etc/keys/x509_evm.der" : "/etc/keys/pubkey_evm.pem";
- return verify_hash(hash, hashlen, sig + 1, len - 1, key);
+ digsiglen = get_digsig_len(sig + 1);
+ if (digsiglen < 0) {
+ log_err("Bad digital signature");
+ return -1;
+ }
+
+ return verify_hash(hash, hashlen, sig + 1, digsiglen, key);
 }
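Review bot: `digsiglen` is derived from a size field inside the xattr data and is handed to verify_hash without being compared with `len - 1`, the byte count the removed line used as the signature length, so a short or tampered xattr whose v2 sig_size is large makes verify_hash read past the data it actually holds and, since `sig` is a 1024-byte stack buffer, potentially past the buffer. The check should be `if (digsiglen < 0 || digsiglen > len - 1) {` with the same log_err and `return -1;`; a minimum-length check before calling get_digsig_len, so the header fields it reads lie within the `len` bytes, would complete it. verify_ima's body starts outside this hunk.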
 static int cmd_verify_ima(struct command *cmd)
@@ -1629,6 +1677,7 @@ static void usage(void)
 " -p, --pass password for encrypted signing key\n"
 " -u, --uuid use file system UUID in HMAC calculation (EVM v2)\n"
 " -n print result to stdout instead of setting xattr\n"
+ " -l, --memlock run executable file locked in memory.\n"
 " -v increase verbosity level\n"
 " -h, --help display this help and exit\n"
 "\n");
@@ -1659,6 +1708,7 @@ static struct option opts[] = {
 {"uuid", 2, 0, 'u'},
 {"x509", 0, 0, 'x'},
 {"key", 1, 0, 'k'},
+ {"memlock", 0, 0, 'l'},
 {}
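Review bot: The new help line `" -l, --memlock run executable file locked in memory.\n"` reads as if evmctl itself locks the file, whereas the patch only records a flag in the IMA signature blob that the kernel acts on, and the commit message says the kernel honours it only for ELF binaries; it is also the only line in the list ending with a period. I would word it `" -l, --memlock mark signed executable to be run locked in memory by the kernel\n"` and, if it is indeed only honoured by sign_ima as this patch suggests, say so in the text.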
 };
@@ -1674,7 +1724,7 @@ int main(int argc, char *argv[])
 verify_hash = verify_hash_v1;
 while (1) {
- c = getopt_long(argc, argv, "hvnsda:p:fu::xk:", opts, &lind);
+ c = getopt_long(argc, argv, "hvnsda:p:fu::xk:l", opts, &lind);
 if (c == -1)
 break;
@@ -1724,6 +1774,9 @@ int main(int argc, char *argv[])
 case 'k':
 keyfile = optarg;
 break;
+ case 'l':
+ memlock = true;
+ break;
 case '?':
 exit(1);
 break;