| 1 | // SPDX-License-Identifier: GPL-2.0+ |
|---|
| 2 | /* |
|---|
| 3 | * Copyright (C) 2019 Microsoft Corporation |
|---|
| 4 | * |
|---|
| 5 | * Author: Lakshmi Ramasubramanian (nramas@linux.microsoft.com) |
|---|
| 6 | * |
|---|
| 7 | * File: ima_asymmetric_keys.c |
|---|
| 8 | * Defines an IMA hook to measure asymmetric keys on key |
|---|
| 9 | * create or update. |
|---|
| 10 | */ |
|---|
| 11 | |
|---|
| 12 | #include <keys/asymmetric-type.h> |
|---|
| 13 | #include <linux/user_namespace.h> |
|---|
| 14 | #include <linux/ima.h> |
|---|
| 15 | #include "ima.h" |
|---|
| 16 | |
|---|
| 17 | /** |
|---|
| 18 | * ima_post_key_create_or_update - measure asymmetric keys |
|---|
| 19 | * @keyring: keyring to which the key is linked to |
|---|
| 20 | * @key: created or updated key |
|---|
| 21 | * @payload: The data used to instantiate or update the key. |
|---|
| 22 | * @payload_len: The length of @payload. |
|---|
| 23 | * @flags: key flags |
|---|
| 24 | * @create: flag indicating whether the key was created or updated |
|---|
| 25 | * |
|---|
| 26 | * Keys can only be measured, not appraised. |
|---|
| 27 | * The payload data used to instantiate or update the key is measured. |
|---|
| 28 | */ |
|---|
| 29 | void ima_post_key_create_or_update(struct key *keyring, struct key *key, |
|---|
| 30 | const void *payload, size_t payload_len, |
|---|
| 31 | unsigned long flags, bool create) |
|---|
| 32 | { |
|---|
| 33 | bool queued = false; |
|---|
| 34 | |
|---|
| 35 | /* Only asymmetric keys are handled by this hook. */ |
|---|
| 36 | if (key->type != &key_type_asymmetric) |
|---|
| 37 | return; |
|---|
| 38 | |
|---|
| 39 | if (!payload || (payload_len == 0)) |
|---|
| 40 | return; |
|---|
| 41 | |
|---|
| 42 | if (ima_should_queue_key()) |
|---|
| 43 | queued = ima_queue_key(keyring, payload, payload_len); |
|---|
| 44 | |
|---|
| 45 | if (queued) |
|---|
| 46 | return; |
|---|
| 47 | |
|---|
| 48 | /* |
|---|
| 49 | * keyring->description points to the name of the keyring |
|---|
| 50 | * (such as ".builtin_trusted_keys", ".ima", etc.) to |
|---|
| 51 | * which the given key is linked to. |
|---|
| 52 | * |
|---|
| 53 | * The name of the keyring is passed in the "eventname" |
|---|
| 54 | * parameter to process_buffer_measurement() and is set |
|---|
| 55 | * in the "eventname" field in ima_event_data for |
|---|
| 56 | * the key measurement IMA event. |
|---|
| 57 | * |
|---|
| 58 | * The name of the keyring is also passed in the "keyring" |
|---|
| 59 | * parameter to process_buffer_measurement() to check |
|---|
| 60 | * if the IMA policy is configured to measure a key linked |
|---|
| 61 | * to the given keyring. |
|---|
| 62 | */ |
|---|
| 63 | process_buffer_measurement(idmap: &nop_mnt_idmap, NULL, buf: payload, size: payload_len, |
|---|
| 64 | eventname: keyring->description, func: KEY_CHECK, pcr: 0, |
|---|
| 65 | func_data: keyring->description, buf_hash: false, NULL, digest_len: 0); |
|---|
| 66 | } |
|---|
| 67 | |
|---|
