[ima-evm-utils 1/5] evmctl: Allow adding a memlock information in security.ima

Vivek Goyal vgoyal at redhat.com
Fri Sep 6 19:38:20 UTC 2013


Signed executables need to run locked in memory; otherwise they can be swapped out, and
there is a possibility that they can then be attacked by writing directly to the swap
device.

So add a memlock structure in security.ima xattr. Kernel will parse it
and memlock the executable file if signature verification was successful.

Currently this will happen only for elf binaries.

Signed-off-by: Vivek Goyal <vgoyal at redhat.com>
---
 src/evmctl.c | 61 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++----
 1 file changed, 57 insertions(+), 4 deletions(-)

diff --git a/src/evmctl.c b/src/evmctl.c
index aa61338..e24b9ed 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -45,6 +45,7 @@
 #include <attr/xattr.h>
 #include <dirent.h>
 #include <ctype.h>
+#include <stdbool.h>
 
 #include <openssl/sha.h>
 #include <openssl/rsa.h>
@@ -165,6 +166,14 @@ struct signature_v2_hdr {
 	uint8_t sig[0];		/* signature payload */
 } __attribute__ ((packed));
 
+/* memlocking info header */
+#define MEMLOCK_MAGIC_STR	"MEMLOCK"
+struct memlock_hdr {
+	uint8_t magic_str[8];	/* magic to detect memlock hdr presence */
+	uint8_t version;	/* memlock info hdr version */
+	uint8_t memlock_file;	/* If set, run executable locked in memory */
+} __attribute__ ((packed));
+
 
 /*
  * Hash algorithm OIDs plus ASN.1 DER wrappings [RFC4880 sec 5.2.2].
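Review bot: struct memlock_hdr is appended after the signature payload in security.ima, so it lies outside the bytes that verify_hash checks (sign_ima appends it at `sig + len`, and verify_ima passes only `digsiglen`), which the struct comment should state so nobody later relies on the flag being signed: `/* Appended to security.ima after the IMA signature; not covered by the file signature itself, only by whatever protects the xattr (e.g. EVM). */`. It would also help to record the fixed magic layout next to `magic_str[8]`, e.g. `/* MEMLOCK_MAGIC_STR plus its NUL terminator, exactly 8 bytes */`, since add_memlock_info depends on that exact width.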
@@ -258,6 +267,7 @@ static char *uuid_str;
 static int x509;
 static int user_sig_type;
 static char *keyfile;
+static bool memlock = false;
 
 typedef int (*sign_hash_fn_t)(const char *algo, const unsigned char *hash, int size, const char *keyfile, unsigned char *sig);
 
@@ -1021,12 +1031,23 @@ static int cmd_hash_ima(struct command *cmd)
 	return hash_ima(file);
 }
 
+static int add_memlock_info(unsigned char *ptr)
+{
+	struct memlock_hdr *memlock_hdr = (struct memlock_hdr *)ptr;
+	strcpy((char *)memlock_hdr->magic_str, MEMLOCK_MAGIC_STR);
+
+	memlock_hdr->version = 1;
+	memlock_hdr->memlock_file = 1;
+
+	return sizeof(struct memlock_hdr);
+}
+
 static int sign_ima(const char *file, const char *key)
 {
 	unsigned char hash[64];
 	unsigned char sig[1024] = "\x03";
 	char magic[] = "This Is A Crypto Signed Module";
-	int len, err;
+	int len, err, memlock_len = 0;
 
 	len = calc_hash(file, hash);
 	if (len <= 1)
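Review bot: add_memlock_info writes sizeof(struct memlock_hdr) bytes at `ptr` without knowing how much room is left, and the call site in the next hunk (`add_memlock_info(sig + len)`) never checks that `len + sizeof(struct memlock_hdr)` fits in the 1024-byte `sig` array, so a signature that already fills the buffer would be extended past its end. Passing the remaining size and failing when the header does not fit closes that, as sketched below. The `strcpy` of the magic only fits because "MEMLOCK" plus its terminator is exactly eight bytes; a `memcpy` of `sizeof memlock_hdr->magic_str` makes the fixed width explicit. sign_ima's body continues outside this hunk on both sides, so I am assuming `return -1` matches its other error paths.
```c
/* Write a memlock header at ptr; returns bytes written, or -1 if avail is too small. */
static int add_memlock_info(unsigned char *ptr, size_t avail)
{
	struct memlock_hdr *memlock_hdr = (struct memlock_hdr *)ptr;

	if (avail < sizeof(*memlock_hdr))
		return -1;
	memcpy(memlock_hdr->magic_str, MEMLOCK_MAGIC_STR, sizeof(memlock_hdr->magic_str));
	memlock_hdr->version = 1;
	memlock_hdr->memlock_file = 1;

	return sizeof(*memlock_hdr);
}

/* … unchanged: sign_ima up to the memlock block … */
	if (memlock) {
		memlock_len = add_memlock_info(sig + len, sizeof(sig) - len);
		if (memlock_len < 0) {
			log_err("No room for memlock info in signature buffer");
			return -1;
		}
		len += memlock_len;
	}
```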
@@ -1049,6 +1070,11 @@ static int sign_ima(const char *file, const char *key)
 		return 0;
 	}
 
+	if (memlock) {
+		memlock_len = add_memlock_info(sig + len);
+		len += memlock_len;
+	}
+
 	if (sigfile)
 		bin2file(file, "sig", sig, len);
 
@@ -1262,11 +1288,27 @@ static int get_hash_algo_from_sig(unsigned char *sig)
 		return -1;
 }
 
+static int get_digsig_len(const unsigned char *sig)
+{
+	uint16_t sz;
+
+	if (sig[0] == 1) {
+		sz = *((uint16_t *)(sig + sizeof(struct signature_hdr)));
+		sz = __be16_to_cpu(sz);
+		return sizeof(struct signature_hdr) + 2 + (sz >> 3);
+	} else if (sig[0] == 2 ) {
+		sz = ((struct signature_v2_hdr *)sig)->sig_size;
+		return sizeof(struct signature_v2_hdr) + __be16_to_cpu(sz);
+	}
+
+	return -EBADMSG;
+}
+
 static int verify_ima(const char *file)
 {
 	unsigned char hash[64];
 	unsigned char sig[1024];
-	int len, hashlen;
+	int len, hashlen, digsiglen;
 	int sig_hash_algo;
 	char *key;
 
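Review bot: get_digsig_len reads sig[0], the v1 length word at `sig + sizeof(struct signature_hdr)` and the v2 `sig_size` without being told how many bytes of `sig` are valid, and the length it returns comes straight from the xattr, so at the call site in the next hunk (`verify_hash(hash, hashlen, sig + 1, digsiglen, key)`) a v2 sig_size of up to 65535 makes verify_hash read far past the 1024-byte `sig` array, whereas the old call was bounded by `len - 1`. Passing `len - 1` into get_digsig_len and rejecting any header or signature length that exceeds it restores that bound, as sketched below. The v1 branch also dereferences a uint16_t at an offset that need not be aligned, which a memcpy avoids; and if that word is a bit count, as the `>> 3` suggests, `(sz + 7) >> 3` would round a partial byte up instead of dropping it — worth confirming against the signing side. `len` is assigned outside this hunk; I am assuming it is the number of bytes read into `sig`.
```c
static int get_digsig_len(const unsigned char *sig, int len)
{
	uint16_t sz;
	int hdrlen;

	if (len < 1)
		return -EBADMSG;

	if (sig[0] == 1) {
		hdrlen = sizeof(struct signature_hdr) + 2;
		if (len < hdrlen)
			return -EBADMSG;
		memcpy(&sz, sig + sizeof(struct signature_hdr), sizeof(sz)); /* may be unaligned */
		hdrlen += __be16_to_cpu(sz) >> 3;
	} else if (sig[0] == 2) {
		hdrlen = sizeof(struct signature_v2_hdr);
		if (len < hdrlen)
			return -EBADMSG;
		sz = ((const struct signature_v2_hdr *)sig)->sig_size;
		hdrlen += __be16_to_cpu(sz);
	} else {
		return -EBADMSG;
	}

	/* the whole signature must lie within the bytes actually read from the xattr */
	return hdrlen > len ? -EBADMSG : hdrlen;
}

/* … unchanged: verify_ima up to the key selection … */
	digsiglen = get_digsig_len(sig + 1, len - 1);
```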
@@ -1322,7 +1364,13 @@ static int verify_ima(const char *file)
 			"/etc/keys/x509_evm.der" :
 			"/etc/keys/pubkey_evm.pem";
 
-	return verify_hash(hash, hashlen, sig + 1, len - 1, key);
+	digsiglen = get_digsig_len(sig + 1);
+	if (digsiglen < 0) {
+		log_err("Bad digital signature");
+		return -1;
+	}
+
+	return verify_hash(hash, hashlen, sig + 1, digsiglen, key);
 }
 
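Review bot: verify_ima now checks only the first `digsiglen` bytes after the type byte, so whatever follows the signature in security.ima — the memlock_hdr this series appends, or any other trailing bytes — is not examined at all, and a successful `ima_verify` says nothing about it; the verify_hash call should say so, e.g. `/* Only the signature itself is verified; trailing data such as memlock_hdr is ignored here. */`. verify_ima's body begins outside this hunk.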
 static int cmd_verify_ima(struct command *cmd)
@@ -1629,6 +1677,7 @@ static void usage(void)
 		"  -p, --pass         password for encrypted signing key\n"
 		"  -u, --uuid         use file system UUID in HMAC calculation (EVM v2)\n"
 		"  -n                 print result to stdout instead of setting xattr\n"
+		"  -l, --memlock      run executable file locked in memory.\n"
 		"  -v                 increase verbosity level\n"
 		"  -h, --help         display this help and exit\n"
 		"\n");
@@ -1659,6 +1708,7 @@ static struct option opts[] = {
 	{"uuid", 2, 0, 'u'},
 	{"x509", 0, 0, 'x'},
 	{"key", 1, 0, 'k'},
+	{"memlock", 0, 0, 'l'},
 	{}
 
 };
@@ -1674,7 +1724,7 @@ int main(int argc, char *argv[])
 	verify_hash = verify_hash_v1;
 
 	while (1) {
-		c = getopt_long(argc, argv, "hvnsda:p:fu::xk:", opts, &lind);
+		c = getopt_long(argc, argv, "hvnsda:p:fu::xk:l", opts, &lind);
 		if (c == -1)
 			break;
 
@@ -1724,6 +1774,9 @@ int main(int argc, char *argv[])
 		case 'k':
 			keyfile = optarg;
 			break;
+		case 'l':
+			memlock = true;
+			break;
 		case '?':
 			exit(1);
 			break;
-- 
1.8.3.1


