Signed executables need to run locked in memory; otherwise they can be
swapped out, and there is then a possibility that they can be attacked by
writing directly to swap.

So add a memlock structure in security.ima xattr. Kernel will parse it
and memlock the executable file if signature verification was successful.

Currently this will happen only for elf binaries.

Signed-off-by: Vivek Goyal <[email protected]>
---
 src/evmctl.c | 61 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++----
 1 file changed, 57 insertions(+), 4 deletions(-)

diff --git a/src/evmctl.c b/src/evmctl.c
index aa61338..e24b9ed 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -45,6 +45,7 @@
 #include <attr/xattr.h>
 #include <dirent.h>
 #include <ctype.h>
+#include <stdbool.h>
 
 #include <openssl/sha.h>
 #include <openssl/rsa.h>
@@ -165,6 +166,14 @@ struct signature_v2_hdr {
        uint8_t sig[0];         /* signature payload */
 } __attribute__ ((packed));
 
+/* memlocking info header */
+#define MEMLOCK_MAGIC_STR      "MEMLOCK"
+struct memlock_hdr {
+       uint8_t magic_str[8];   /* magic to detect memlock hdr presence */
+       uint8_t version;        /* memlock info hdr version */
+       uint8_t memlock_file;   /* If set, run executable locked in memory */
+} __attribute__ ((packed));
+
 
 /*
  * Hash algorithm OIDs plus ASN.1 DER wrappings [RFC4880 sec 5.2.2].
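Review bot: struct memlock_hdr defines a new on-disk format but carries no comment saying where it lives or how a parser finds it; from sign_ima in this patch it is appended to security.ima directly after the digital signature and located by `magic_str`, and what a parser should do with an unknown `version` is left unstated. Suggest a header comment such as `/* Optional trailer appended to security.ima right after the digital signature; detected by magic_str, format selected by version */` and, on the version field, `/* parsers should reject versions they do not know */`. Since add_memlock_info only ever stores 0/1 in `memlock_file`, documenting it as a boolean flag (`/* non-zero: run the executable mlock'ed */`) would also help the kernel-side reader.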
@@ -258,6 +267,7 @@ static char *uuid_str;
 static int x509;
 static int user_sig_type;
 static char *keyfile;
+static bool memlock = false;
 
 typedef int (*sign_hash_fn_t)(const char *algo, const unsigned char *hash, int 
size, const char *keyfile, unsigned char *sig);
 
@@ -1021,12 +1031,23 @@ static int cmd_hash_ima(struct command *cmd)
        return hash_ima(file);
 }
 
+static int add_memlock_info(unsigned char *ptr)
+{
+       struct memlock_hdr *memlock_hdr = (struct memlock_hdr *)ptr;
+       strcpy((char *)memlock_hdr->magic_str, MEMLOCK_MAGIC_STR);
+
+       memlock_hdr->version = 1;
+       memlock_hdr->memlock_file = 1;
+
+       return sizeof(struct memlock_hdr);
+}
+
 static int sign_ima(const char *file, const char *key)
 {
        unsigned char hash[64];
        unsigned char sig[1024] = "\x03";
        char magic[] = "This Is A Crypto Signed Module";
-       int len, err;
+       int len, err, memlock_len = 0;
 
        len = calc_hash(file, hash);
        if (len <= 1)
@@ -1049,6 +1070,11 @@ static int sign_ima(const char *file, const char *key)
                return 0;
        }
 
+       if (memlock) {
+               memlock_len = add_memlock_info(sig + len);
+               len += memlock_len;
+       }
+
        if (sigfile)
                bin2file(file, "sig", sig, len);
 
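Review bot: `add_memlock_info(sig + len)` in sign_ima writes `sizeof(struct memlock_hdr)` bytes into the fixed 1024-byte `sig` buffer without checking that room remains after the signature, and `len` is whatever the signing step produced, so the append needs a guard such as `if (len + sizeof(struct memlock_hdr) > sizeof(sig)) { log_err("no room for memlock info"); return -1; }` before the call (using whatever error convention sign_ima's callers expect). Note also that the trailer is added after the signature has been computed, so the memlock flag itself is not covered by the file signature; anyone who can rewrite security.ima can strip or clear it unless EVM or something outside this patch protects the xattr, which the commit message should state. In add_memlock_info, `memcpy(memlock_hdr->magic_str, MEMLOCK_MAGIC_STR, sizeof(memlock_hdr->magic_str))` would make the 8-byte field fill explicit rather than relying on strcpy of a 7-character literal. sign_ima continues past the end of this hunk.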
@@ -1262,11 +1288,27 @@ static int get_hash_algo_from_sig(unsigned char *sig)
                return -1;
 }
 
+static int get_digsig_len(const unsigned char *sig)
+{
+       uint16_t sz;
+
+       if (sig[0] == 1) {
+               sz = *((uint16_t *)(sig + sizeof(struct signature_hdr)));
+               sz = __be16_to_cpu(sz);
+               return sizeof(struct signature_hdr) + 2 + (sz >> 3);
+       } else if (sig[0] == 2 ) {
+               sz = ((struct signature_v2_hdr *)sig)->sig_size;
+               return sizeof(struct signature_v2_hdr) + __be16_to_cpu(sz);
+       }
+
+       return -EBADMSG;
+}
+
 static int verify_ima(const char *file)
 {
        unsigned char hash[64];
        unsigned char sig[1024];
-       int len, hashlen;
+       int len, hashlen, digsiglen;
        int sig_hash_algo;
        char *key;
 
@@ -1322,7 +1364,13 @@ static int verify_ima(const char *file)
                        "/etc/keys/x509_evm.der" :
                        "/etc/keys/pubkey_evm.pem";
 
-       return verify_hash(hash, hashlen, sig + 1, len - 1, key);
+       digsiglen = get_digsig_len(sig + 1);
+       if (digsiglen < 0) {
+               log_err("Bad digital signature");
+               return -1;
+       }
+
+       return verify_hash(hash, hashlen, sig + 1, digsiglen, key);
 }
 
 static int cmd_verify_ima(struct command *cmd)
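Review bot: the new `digsiglen` check before the verify_hash call rejects only a negative result, but digsiglen is derived from length fields inside the signature data itself, so a malformed or truncated xattr can yield a value larger than the `len - 1` bytes that were actually loaded into the 1024-byte `sig` buffer, and verify_hash would then consume stale stack bytes as signature. As far as the hunk shows `len` is the number of bytes present, so the guard should be `if (digsiglen < 0 || digsiglen > len - 1) { log_err("Bad digital signature"); return -1; }`. verify_ima starts before this hunk.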
@@ -1629,6 +1677,7 @@ static void usage(void)
                "  -p, --pass         password for encrypted signing key\n"
                "  -u, --uuid         use file system UUID in HMAC calculation 
(EVM v2)\n"
                "  -n                 print result to stdout instead of setting 
xattr\n"
+               "  -l, --memlock      run executable file locked in memory.\n"
                "  -v                 increase verbosity level\n"
                "  -h, --help         display this help and exit\n"
                "\n");
@@ -1659,6 +1708,7 @@ static struct option opts[] = {
        {"uuid", 2, 0, 'u'},
        {"x509", 0, 0, 'x'},
        {"key", 1, 0, 'k'},
+       {"memlock", 0, 0, 'l'},
        {}
 
 };
@@ -1674,7 +1724,7 @@ int main(int argc, char *argv[])
        verify_hash = verify_hash_v1;
 
        while (1) {
-               c = getopt_long(argc, argv, "hvnsda:p:fu::xk:", opts, &lind);
+               c = getopt_long(argc, argv, "hvnsda:p:fu::xk:l", opts, &lind);
                if (c == -1)
                        break;
 
@@ -1724,6 +1774,9 @@ int main(int argc, char *argv[])
                case 'k':
                        keyfile = optarg;
                        break;
+               case 'l':
+                       memlock = true;
+                       break;
                case '?':
                        exit(1);
                        break;
-- 
1.8.3.1
