[ima-evm-utils 1/5] evmctl: Allow adding a memlock information in security.ima
Vivek Goyal
vgoyal at redhat.com
Fri Sep 6 19:38:20 UTC 2013
Signed executables need to run locked in memory; otherwise they might be
swapped out, and there is then a possibility that they can be attacked by
directly writing to swap.
So add a memlock structure in security.ima xattr. Kernel will parse it
and memlock the executable file if signature verification was successful.
Currently this will happen only for elf binaries.
Signed-off-by: Vivek Goyal <vgoyal at redhat.com>
---
src/evmctl.c | 61 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++----
1 file changed, 57 insertions(+), 4 deletions(-)
diff --git a/src/evmctl.c b/src/evmctl.c
index aa61338..e24b9ed 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -45,6 +45,7 @@
#include <attr/xattr.h>
#include <dirent.h>
#include <ctype.h>
+#include <stdbool.h>
#include <openssl/sha.h>
#include <openssl/rsa.h>
@@ -165,6 +166,14 @@ struct signature_v2_hdr {
uint8_t sig[0]; /* signature payload */
} __attribute__ ((packed));
+/* memlocking info header */
+#define MEMLOCK_MAGIC_STR "MEMLOCK"
+struct memlock_hdr {
+ uint8_t magic_str[8]; /* magic to detect memlock hdr presence */
+ uint8_t version; /* memlock info hdr version */
+ uint8_t memlock_file; /* If set, run executable locked in memory */
+} __attribute__ ((packed));
+
/*
* Hash algorithm OIDs plus ASN.1 DER wrappings [RFC4880 sec 5.2.2].
@@ -258,6 +267,7 @@ static char *uuid_str;
static int x509;
static int user_sig_type;
static char *keyfile;
+static bool memlock = false;
typedef int (*sign_hash_fn_t)(const char *algo, const unsigned char *hash, int size, const char *keyfile, unsigned char *sig);
@@ -1021,12 +1031,23 @@ static int cmd_hash_ima(struct command *cmd)
return hash_ima(file);
}
+static int add_memlock_info(unsigned char *ptr)
+{
+ struct memlock_hdr *memlock_hdr = (struct memlock_hdr *)ptr;
+ strcpy((char *)memlock_hdr->magic_str, MEMLOCK_MAGIC_STR);
+
+ memlock_hdr->version = 1;
+ memlock_hdr->memlock_file = 1;
+
+ return sizeof(struct memlock_hdr);
+}
+
static int sign_ima(const char *file, const char *key)
{
unsigned char hash[64];
unsigned char sig[1024] = "\x03";
char magic[] = "This Is A Crypto Signed Module";
- int len, err;
+ int len, err, memlock_len = 0;
len = calc_hash(file, hash);
if (len <= 1)
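Review bot: add_memlock_info takes no room bound, so the strcpy into magic_str[8] only fits because MEMLOCK_MAGIC_STR is exactly seven characters plus NUL, and its caller in the next hunk (`add_memlock_info(sig + len)`) never checks that the remaining `sizeof(sig) - len` bytes hold a full struct memlock_hdr. Passing the available size and copying with sizeof makes both bounds explicit; the caller would then pass `sizeof(sig) - len` and treat a negative return as a signing failure. The rewrite below produces the same bytes as the original (seven magic bytes followed by a zero byte). sign_ima's body continues outside the hunk.
```c
/* Write a memlock trailer at ptr. Returns the trailer size, or -1 when
 * fewer than sizeof(struct memlock_hdr) bytes are available at ptr. */
static int add_memlock_info(unsigned char *ptr, size_t avail)
{
	struct memlock_hdr *memlock_hdr = (struct memlock_hdr *)ptr;

	if (avail < sizeof(*memlock_hdr))
		return -1;

	/* zero-fill then copy: same bytes as strcpy, but bounded by sizeof */
	memset(memlock_hdr->magic_str, 0, sizeof(memlock_hdr->magic_str));
	memcpy(memlock_hdr->magic_str, MEMLOCK_MAGIC_STR,
	       sizeof(MEMLOCK_MAGIC_STR) - 1);

	memlock_hdr->version = 1;
	memlock_hdr->memlock_file = 1;

	return sizeof(*memlock_hdr);
}
```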
@@ -1049,6 +1070,11 @@ static int sign_ima(const char *file, const char *key)
return 0;
}
+ if (memlock) {
+ memlock_len = add_memlock_info(sig + len);
+ len += memlock_len;
+ }
+
if (sigfile)
bin2file(file, "sig", sig, len);
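Review bot: The memlock trailer appended here sits after the signature bytes and is not covered by that signature — the verify side in a later hunk hands verify_hash only digsiglen bytes — so memlock_file is presumably a hint the kernel accepts on the strength of xattr protection rather than the signing key. A comment at the `if (memlock)` line stating that, e.g. `/* trailer follows the signature and is not covered by it */`, would keep a later reader from assuming the flag is integrity-protected. sign_ima begins outside the hunk.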
@@ -1262,11 +1288,27 @@ static int get_hash_algo_from_sig(unsigned char *sig)
return -1;
}
+static int get_digsig_len(const unsigned char *sig)
+{
+ uint16_t sz;
+
+ if (sig[0] == 1) {
+ sz = *((uint16_t *)(sig + sizeof(struct signature_hdr)));
+ sz = __be16_to_cpu(sz);
+ return sizeof(struct signature_hdr) + 2 + (sz >> 3);
+ } else if (sig[0] == 2 ) {
+ sz = ((struct signature_v2_hdr *)sig)->sig_size;
+ return sizeof(struct signature_v2_hdr) + __be16_to_cpu(sz);
+ }
+
+ return -EBADMSG;
+}
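Review bot: get_digsig_len reads sig[0] and the header fields without a length argument, so an xattr shorter than `sizeof(struct signature_hdr) + 2` (or `sizeof(struct signature_v2_hdr)`) is read past its end, and the v1 branch fetches the size through a `uint16_t *` cast, a type-punned and potentially misaligned access. Since the xattr contents are untrusted input, the function should take the buffer length, reject short headers with -EBADMSG, and read the v1 size with memcpy; the caller in verify_ima would then call `get_digsig_len(sig + 1, len - 1)`.
```c
static int get_digsig_len(const unsigned char *sig, size_t len)
{
	uint16_t sz;

	if (len < 1)
		return -EBADMSG;

	if (sig[0] == 1) {
		if (len < sizeof(struct signature_hdr) + 2)
			return -EBADMSG;
		/* memcpy avoids a type-punned, possibly misaligned read */
		memcpy(&sz, sig + sizeof(struct signature_hdr), sizeof(sz));
		return sizeof(struct signature_hdr) + 2 + (__be16_to_cpu(sz) >> 3);
	} else if (sig[0] == 2) {
		if (len < sizeof(struct signature_v2_hdr))
			return -EBADMSG;
		sz = ((struct signature_v2_hdr *)sig)->sig_size;
		return sizeof(struct signature_v2_hdr) + __be16_to_cpu(sz);
	}

	return -EBADMSG;
}
```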
+
static int verify_ima(const char *file)
{
unsigned char hash[64];
unsigned char sig[1024];
- int len, hashlen;
+ int len, hashlen, digsiglen;
int sig_hash_algo;
char *key;
@@ -1322,7 +1364,13 @@ static int verify_ima(const char *file)
"/etc/keys/x509_evm.der" :
"/etc/keys/pubkey_evm.pem";
- return verify_hash(hash, hashlen, sig + 1, len - 1, key);
+ digsiglen = get_digsig_len(sig + 1);
+ if (digsiglen < 0) {
+ log_err("Bad digital signature");
+ return -1;
+ }
+
+ return verify_hash(hash, hashlen, sig + 1, digsiglen, key);
}
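Review bot: digsiglen is passed to verify_hash without being compared against `len - 1`, the number of signature bytes actually read into sig, so a size field larger than the xattr (the 16-bit size can exceed the 1024-byte sig buffer) makes verify_hash read uninitialised or out-of-bounds stack memory. The check should become `if (digsiglen < 0 || digsiglen > len - 1) {` with the existing log_err and return kept. verify_ima begins outside the hunk.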
static int cmd_verify_ima(struct command *cmd)
@@ -1629,6 +1677,7 @@ static void usage(void)
" -p, --pass password for encrypted signing key\n"
" -u, --uuid use file system UUID in HMAC calculation (EVM v2)\n"
" -n print result to stdout instead of setting xattr\n"
+ " -l, --memlock run executable file locked in memory.\n"
" -v increase verbosity level\n"
" -h, --help display this help and exit\n"
"\n");
@@ -1659,6 +1708,7 @@ static struct option opts[] = {
{"uuid", 2, 0, 'u'},
{"x509", 0, 0, 'x'},
{"key", 1, 0, 'k'},
+ {"memlock", 0, 0, 'l'},
{}
};
@@ -1674,7 +1724,7 @@ int main(int argc, char *argv[])
verify_hash = verify_hash_v1;
while (1) {
- c = getopt_long(argc, argv, "hvnsda:p:fu::xk:", opts, &lind);
+ c = getopt_long(argc, argv, "hvnsda:p:fu::xk:l", opts, &lind);
if (c == -1)
break;
@@ -1724,6 +1774,9 @@ int main(int argc, char *argv[])
case 'k':
keyfile = optarg;
break;
+ case 'l':
+ memlock = true;
+ break;
case '?':
exit(1);
break;
--
1.8.3.1