Commit e5f7904f authored by Huaxin Lu

ima: Support modsig verify using trusted keys

euleros inclusion
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I99VV3


CVE: NA

-----------------------------------------

Now the ima keyring is only allowed to load the end certificate because
of the restriction restrict_link_by_digsig(). However, the validity
period of end certificates is usually short and cannot meet the
lifecycle requirements of the LTS distribution.

This commit modifies the verification process of modsig used by the IMA
digest list feature. When verification with the IMA keyring fails, a
further verification with the trusted keyring is attempted.

Signed-off-by: Huaxin Lu <luhuaxin1@huawei.com>
parent 9169abbb
+16 −2
@@ -118,8 +118,22 @@ void ima_collect_modsig(struct modsig *modsig, const void *buf, loff_t size)

int ima_modsig_verify(struct key *keyring, const struct modsig *modsig)
{
	return verify_pkcs7_message_sig(NULL, 0, modsig->pkcs7_msg, keyring,
	int ret;

	ret = verify_pkcs7_message_sig(NULL, 0, modsig->pkcs7_msg, keyring,
				       VERIFYING_MODULE_SIGNATURE, NULL, NULL);
#ifdef CONFIG_IMA_DIGEST_LIST
	if (ret < 0) {
#ifdef CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
		keyring = VERIFY_USE_SECONDARY_KEYRING;
#else
		keyring = NULL;
#endif
		return verify_pkcs7_message_sig(NULL, 0, modsig->pkcs7_msg,
			keyring, VERIFYING_MODULE_SIGNATURE, NULL, NULL);
	}
#endif
	return ret;
}

int ima_get_modsig_digest(const struct modsig *modsig, enum hash_algo *algo,
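Review bot: the fallback guarded by `if (ret < 0)` retries against the builtin/secondary keyring on any negative return from the first verify_pkcs7_message_sig() call, not only when the IMA keyring simply lacks the signer; a signature the IMA keyring positively rejected, or a malformed PKCS#7 message, is given a second attempt and the original error is discarded. Consider narrowing the condition to `if (ret == -ENOKEY)` so that a real rejection is returned unchanged. Two further points: because the retry is keyed only on CONFIG_IMA_DIGEST_LIST, the wider trust base applies to every caller of ima_modsig_verify() whenever that option is set, not just to digest-list files as the commit message states, so either gate it on the call site or say so in the message; and the message says "trusted keyring" while the code selects VERIFY_USE_SECONDARY_KEYRING or NULL (builtin keys only) depending on CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY, which is worth spelling out since it changes which keys can authorise a modsig.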