diff options
30 files changed, 1402 insertions, 0 deletions
diff --git a/meta-integrity/README.md b/meta-integrity/README.md new file mode 100644 index 0000000..ba96d8e --- /dev/null +++ b/meta-integrity/README.md @@ -0,0 +1,253 @@ +This README file contains information on the contents of the +integrity layer. + +Please see the corresponding sections below for details. + + +Dependencies +============ + +This layer depends on: + + URI: git://git.openembedded.org/bitbake + branch: master + + URI: git://git.openembedded.org/openembedded-core + layers: meta + branch: master + + URI: git://github.com/01org/meta-security/meta-integrate + layers: security-framework + branch: master + + +Patches +======= + +Please submit any patches against the integrity layer via Github +pull requests. + +For discussion or patch submission via email, use the +yocto@yoctoproject.org mailing list. When submitting patches that way, +make sure to copy the maintainer and add a "[meta-]" +prefix to the subject of the mails. + +Maintainer: Armin Kuster <akuster808@gmail.com> + + +Table of Contents +================= + +1. Adding the integrity layer to your build +2. Usage +3. Known Issues + + +1. Adding the integrity layer to your build +=========================================== + +In order to use this layer, you need to make the build system aware of +it. + +Assuming the security repository exists at the top-level of your +yocto build tree, you can add it to the build system by adding the +location of the integrity layer to bblayers.conf, along with any +other layers needed. e.g.: + + BBLAYERS ?= " \ + /path/to/yocto/meta \ + /path/to/yocto/meta-yocto \ + /path/to/yocto/meta-yocto-bsp \ + /path/to/yocto/meta-security/meta-integrity \ + " + +It has some dependencies on a suitable BSP; in particular the kernel +must have a recent enough IMA/EVM subsystem. The layer was tested with +Linux 3.19 and uses some features (like loading X509 certificates +directly from the kernel) which were added in that release. Your +mileage may vary with older kernels. + +The necessary kernel configuration parameters are added to all kernel +versions by this layer. Watch out for QA warnings about unused kernel +configuration parameters: those indicate that the kernel used by the BSP +does not have the necessary IMA/EVM features. + +Adding the layer only enables IMA (see below regarding EVM) during +compilation of the Linux kernel. To also activate it when building +the image, enable image signing in the local.conf like this: + + INHERIT += "ima-evm-rootfs" + IMA_EVM_KEY_DIR = "${IMA_EVM_BASE}/data/debug-keys" + +This uses the default keys provided in the "data" directory of the layer. +Because everyone has access to these private keys, such an image +should never be used in production! + +For that, create your own keys first. All tools and scripts required +for that are included in the layer. This is also how the +``debug-keys`` were generated: + + # Choose a directory for storing keys. Preserve this + # across builds and keep its private keys secret! + export IMA_EVM_KEY_DIR=/tmp/imaevm + mkdir -p $IMA_EVM_KEY_DIR + # Build the required tools. + bitbake openssl-native + # Set up shell for use of the tools. + bitbake -c devshell openssl-native + cd $IMA_EVM_KEY_DIR + # In that shell, create the keys. Several options exist: + + # 1. Self-signed keys. + $IMA_EVM_BASE/scripts/ima-gen-self-signed.sh + + # 2. Keys signed by a new CA. + # When asked for a PEM passphrase, that will be for the root CA. + # Signing images then will not require entering that passphrase, + # only creating new certificates does. Most likely the default + # attributes for these certificates need to be adapted; modify + # the scripts as needed. + # $IMA_EVM_BASE/scripts/ima-gen-local-ca.sh + # $IMA_EVM_BASE/scripts/ima-gen-CA-signed.sh + + # 3. Keys signed by an existing CA. + # $IMA_EVM_BASE/scripts/ima-gen-CA-signed.sh <CA.pem> <CA.priv> + exit + +When using ``ima-self-signed.sh`` as described above, self-signed keys +are created. Alternatively, one can also use keys signed by a CA. The +``ima-gen-local-ca.sh`` and ``ima-gen.sh`` scripts create a root CA +and sign the signing keys with it. The ``ima-evm-rootfs.bbclass`` then +supports adding tha CA's public key to the kernel's system keyring by +compiling it directly into the kernel. Because it is unknown whether +that is necessary (for example, the CA might also get added to the +system key ring via UEFI Secure Boot), one has to enable compilation +into the kernel explicitly in a local.conf with: + + IMA_EVM_ROOT_CA = "<path to .x509 file, for example the ima-local-ca.x509 created by ima-gen-local-ca.sh>" + + + + +To use the personal keys, override the default IMA_EVM_KEY_DIR in your +local.conf and/or override the individual variables from +ima-evm-rootfs.bbclass: + + IMA_EVM_KEY_DIR = "<full path>" + IMA_EVM_PRIVKEY = "<some other path/privkey_ima.pem>" + +By default, the entire file system gets signed. When using a policy which +does not require that, the set of files to be labelled can be chosen +by overriding the default "find" expression, for example like this: + + IMA_EVM_ROOTFS_FILES = "usr sbin bin lib -type f" + + +2. Usage +======== + +After creating an image with IMA/EVM enabled, one needs to enable +the built-in policies before IMA/EVM is active at runtime. To do this, +add one or both of these boot parameters: + + ima_tcb # measures all files read as root and all files executed + ima_appraise_tcb # appraises all files owned by root, beware of + # the known issue mentioned below + +Instead of booting with default policies, one can also activate custom +policies in different ways. First, boot without any IMA policy and +then cat a policy file into +`/sys/kernel/security/ima/policy`. This can only be done once +after booting and is useful for debugging. + +In production, the long term goal is to load a verified policy +directly from the kernel, using a patch which still needs to be +included upstream ("ima: load policy from the kernel", +<https://lwn.net/Articles/595759/>). + +Loading via systemd also works with systemd, but is considered less +secure (policy file is not checked before activating it). Beware that +IMA policy loading became broken in systemd 2.18. The modified systemd +2.19 in meta-security-smack has a patch reverting the broken +changes. To activate policy loading via systemd, place a policy file +in `/etc/ima/ima-policy`, for example with: + + IMA_EVM_POLICY_SYSTEMD = "${IMA_EVM_BASE}/data/ima_policy_simple" + +To check that measuring works, look at `/sys/kernel/security/ima/ascii_runtime_measurements` + +To check that appraisal works, try modifying executables and ensure +that executing them fails: + + echo "foobar" >>/usr/bin/rpm + evmctl ima_verify /usr/bin/rpm + rpm --version + +Depending on the current appraisal policy, the `echo` command may +already fail because writing is not allowed. If the file was modified +and the current appraisal policy allows reading, then `evmctl` will +report (the errno value seems to be printed always and is unrelated to +the actual verification failure here): + + Verification failed: 35 + errno: No such file or directory (2) + +After enabling a suitable IMA appraisal policy, reading and/or +executing the file is no longer allowed: + + # evmctl ima_verify /usr/bin/rpm + Failed to open: /usr/bin/rpm + errno: Permission denied (13) + # rpm --version + -sh: /usr/bin/rpm: Permission denied + +Enabling the audit kernel subsystem may help to debug appraisal +issues. Enable it by adding the meta-security-framework layer and +changing your local.conf: + SRC_URI_append_pn-linux-yocto = " file://audit.cfg" + CORE_IMAGE_EXTRA_INSTALL += "auditd" + +Then boot with "ima_appraise=log ima_appraise_tcb". + +Adding auditd is not strictly necessary but helps to capture a +more complete set of events in /var/log/audit/ and search in +them with ausearch. + + +3. Known Issues +=============== + +EVM is not enabled, for multiple reasons: +* Signing files in advance with a X509 certificate and then not having + any confidential keys on the device would be the most useful mode, + but is not supported by EVM [1]. +* EVM signing in advance would only work on the final file system and thus + will require further integration work with image creation. The content + of the files can be signed for IMA in the rootfs, with the extended + attributes remaining valid when copying the files to the final image. + But for EVM that copy operation changes relevant parameters (for example, + inode) and thus invalidates the EVM hash. +* On device creation of EVM hashes depends on secure key handling on the + device (TPM) and booting at least once in a special mode (file system + writable, evm=fix as boot parameter, reboot after opening all files); + such a mode is too device specific to be implemented in a generic way. + +IMA appraisal with "ima_appraise_tcb" enables rules which are too strict +for most distros. For example, systemd needs to write certain files +as root, which is prevented by the ima_appraise_tcb appraise rules. As +a result, the system fails to boot: + + [FAILED] Failed to start Commit a transient machine-id on disk. + See "systemctl status systemd-machine-id-commit.service" for details. + ... + [FAILED] Failed to start Network Service. + See "systemctl status systemd-networkd.service" for details. + [FAILED] Failed to start Login Service. + See "systemctl status systemd-logind.service" for details. + +No package manager is integrated with IMA/EVM. When updating packages, +files will end up getting installed without correct IMA/EVM attributes +and thus will not be usable when appraisal is turned on. + +[1] http://permalink.gmane.org/gmane.comp.handhelds.tizen.devel/6281 +[2] http://permalink.gmane.org/gmane.comp.handhelds.tizen.devel/6275 diff --git a/meta-integrity/classes/ima-evm-rootfs.bbclass b/meta-integrity/classes/ima-evm-rootfs.bbclass new file mode 100644 index 0000000..8aec388 --- /dev/null +++ b/meta-integrity/classes/ima-evm-rootfs.bbclass @@ -0,0 +1,92 @@ +# No default! Either this or IMA_EVM_PRIVKEY/IMA_EVM_X509 have to be +# set explicitly in a local.conf before activating ima-evm-rootfs. +# To use the insecure (because public) example keys, use +# IMA_EVM_KEY_DIR = "${IMA_EVM_BASE}/data/debug-keys" +IMA_EVM_KEY_DIR ?= "IMA_EVM_KEY_DIR_NOT_SET" + +# Private key for IMA signing. The default is okay when +# using the example key directory. +IMA_EVM_PRIVKEY ?= "${IMA_EVM_KEY_DIR}/privkey_ima.pem" + +# Public part of certificates (used for both IMA and EVM). +# The default is okay when using the example key directory. +IMA_EVM_X509 ?= "${IMA_EVM_KEY_DIR}/x509_ima.der" + +# Root CA to be compiled into the kernel, none by default. +# Must be the absolute path to a der-encoded x509 CA certificate +# with a .x509 suffix. See linux-%.bbappend for details. +# +# ima-local-ca.x509 is what ima-gen-local-ca.sh creates. +IMA_EVM_ROOT_CA ?= "" + +# Sign all regular files by default. +IMA_EVM_ROOTFS_SIGNED ?= ". -type f" +# Hash nothing by default. +IMA_EVM_ROOTFS_HASHED ?= ". -depth 0 -false" + +# Mount these file systems (identified via their mount point) with +# the iversion flags (needed by IMA when allowing writing). +IMA_EVM_ROOTFS_IVERSION ?= "" + +ima_evm_sign_rootfs () { + cd ${IMAGE_ROOTFS} + + # Beware that all operations below must also work when + # ima_evm_sign_rootfs was already called earlier for the same + # rootfs. That's because do_image might again run for various + # reasons (including a change of the signing keys) without also + # re-running do_rootfs. + + # Copy file(s) which must be on the device. Note that + # evmctl uses x509_evm.der also for "ima_verify", which is probably + # a bug (should default to x509_ima.der). Does not matter for us + # because we use the same key for both. + install -d ./${sysconfdir}/keys + rm -f ./${sysconfdir}/keys/x509_evm.der + install "${IMA_EVM_X509}" ./${sysconfdir}/keys/x509_evm.der + ln -sf x509_evm.der ./${sysconfdir}/keys/x509_ima.der + + # Fix /etc/fstab: it must include the "i_version" mount option for + # those file systems where writing files is allowed, otherwise + # these changes will not get detected at runtime. + # + # Note that "i_version" is documented in "man mount" only for ext4, + # whereas "iversion" is said to be filesystem-independent. In practice, + # there is only one MS_I_VERSION flag in the syscall and ext2/ext3/ext4 + # all support it. + # + # coreutils translates "iversion" into MS_I_VERSION. busybox rejects + # "iversion" and only understands "i_version". systemd only understands + # "iversion". We pick "iversion" here for systemd, whereas rootflags + # for initramfs must use "i_version" for busybox. + # + # Deduplicates iversion in case that this gets called more than once. + if [ -f etc/fstab ]; then + perl -pi -e 's;(\S+)(\s+)(${@"|".join((d.getVar("IMA_EVM_ROOTFS_IVERSION", True) or "no-such-mount-point").split())})(\s+)(\S+)(\s+)(\S+);\1\2\3\4\5\6\7,iversion;; s/(,iversion)+/,iversion/;' etc/fstab + fi + + # Sign file with private IMA key. EVM not supported at the moment. + bbnote "IMA/EVM: signing files 'find ${IMA_EVM_ROOTFS_SIGNED}' with private key '${IMA_EVM_PRIVKEY}'" + find ${IMA_EVM_ROOTFS_SIGNED} | xargs -d "\n" --no-run-if-empty --verbose evmctl ima_sign --key ${IMA_EVM_PRIVKEY} + bbnote "IMA/EVM: hashing files 'find ${IMA_EVM_ROOTFS_HASHED}'" + find ${IMA_EVM_ROOTFS_HASHED} | xargs -d "\n" --no-run-if-empty --verbose evmctl ima_hash + + # Optionally install custom policy for loading by systemd. + if [ "${IMA_EVM_POLICY_SYSTEMD}" ]; then + install -d ./${sysconfdir}/ima + rm -f ./${sysconfdir}/ima/ima-policy + install "${IMA_EVM_POLICY_SYSTEMD}" ./${sysconfdir}/ima/ima-policy + fi +} + +# Signing must run as late as possible in the do_rootfs task. +# IMAGE_PREPROCESS_COMMAND runs after ROOTFS_POSTPROCESS_COMMAND, so +# append (not prepend!) to IMAGE_PREPROCESS_COMMAND, and do it with +# _append instead of += because _append gets evaluated later. In +# particular, we must run after prelink_image in +# IMAGE_PREPROCESS_COMMAND, because prelinking changes executables. + +IMAGE_PREPROCESS_COMMAND_append = " ima_evm_sign_rootfs ; " + +# evmctl must have been installed first. +do_rootfs[depends] += "ima-evm-utils-native:do_populate_sysroot" diff --git a/meta-integrity/conf/layer.conf b/meta-integrity/conf/layer.conf new file mode 100644 index 0000000..e8bb268 --- /dev/null +++ b/meta-integrity/conf/layer.conf @@ -0,0 +1,22 @@ +# We have a conf and classes directory, add to BBPATH +BBPATH =. "${LAYERDIR}:" + +# We have a packages directory, add to BBFILES +BBFILES := "${BBFILES} \ + ${LAYERDIR}/recipes-*/*/*.bb \ + ${LAYERDIR}/recipes-*/*/*.bbappend" + +BBFILE_COLLECTIONS += "integrity" +BBFILE_PATTERN_integrity := "^${LAYERDIR}/" +BBFILE_PRIORITY_integrity = "6" + +# Set a variable to get to the top of the metadata location. Needed +# for finding scripts (when following the README.md instructions) and +# default debug keys (in ima-evm-rootfs.bbclass). +IMA_EVM_BASE := '${LAYERDIR}' + +# We must not export this path to all shell scripts (as in "export +# IMA_EVM_BASE"), because that causes problems with sstate (becames +# dependent on location of the layer). Exporting it to just the +# interactive shell is enough. +OE_TERMINAL_EXPORTS += "IMA_EVM_BASE" diff --git a/meta-integrity/data/debug-keys/privkey_ima.pem b/meta-integrity/data/debug-keys/privkey_ima.pem new file mode 100644 index 0000000..502a0b6 --- /dev/null +++ b/meta-integrity/data/debug-keys/privkey_ima.pem @@ -0,0 +1,16 @@ +-----BEGIN PRIVATE KEY----- +MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBAJw2G3d0fM36rcQU +Bt8V/SapJe0lxWJ+CY+HcMx8AhWY9XQ66AXcqBsRHiUnYCaFGXFI35VKGC6d/Gs6 +IWlHgI0tcTyzy5eul+BKRLy/3PNjkK2jJETlbetQy+gE6gUtg4RmPV5ALGksK74p +OrAfKnahoMi82NVIiBitwmRimms1AgMBAAECgYBTxciRFU1hAVBy2PKebKJoO0n1 +lc329fSWnmHlp5NOlcr8XCLWEfGtIk7ySd2MitCMKjKNU0EIrv0RXAlS9l9/gBYW +HY+eEaa6l80sp8q4aPKImSi0pb3LVNqWKXJg8qr4AZ45/TEL/fzILFv5QcY8xDjV +aj6DOlEnNDjlBlBbQQJBAMyYDlKItes/Rnmtp9roXj3XUfiBDHTLY2HVgDBe87sA +TOSnbgIv+6urd1h9XvBmJlRYH7YKJmBSZWcSlfdC6XkCQQDDdfkUMxQZo9PC/Eue +WYzytx4xUm3ItWcuKILtFgcNh3c4s4dMx4X/WhQj5/H/nVOIWDioQ0mrW3ap/qcb +SBydAkAf/gb/UPFhf9t9W3JMANn7wZfHzCYufT9lJQWOisqCC2H6v1Osc+Rey8k1 +xST7Yn3L4pvS03N8zGWe4IEi0QvBAkAWdTWbNos2rvYjzy05Enz5XkTf0eK/Tuh+ +CzWP3BoPWeM+5pHDJqGkx0rNHVdW0VLJtak83A5Y2/d0bMfygISZAkBFGui4HW+Q +1BlpmDeslsE11wm5jSmm6Ti12a2dVKGFo9QLQcSj4bfgxtqU2dQaYRmajXtSBrGQ +3vVaxg2EfqB1 +-----END PRIVATE KEY----- diff --git a/meta-integrity/data/debug-keys/x509_ima.der b/meta-integrity/data/debug-keys/x509_ima.der Binary files differnew file mode 100644 index 0000000..087ca6b --- /dev/null +++ b/meta-integrity/data/debug-keys/x509_ima.der diff --git a/meta-integrity/data/ima_policy_appraise_all b/meta-integrity/data/ima_policy_appraise_all new file mode 100644 index 0000000..36e71a7 --- /dev/null +++ b/meta-integrity/data/ima_policy_appraise_all @@ -0,0 +1,29 @@ +# +# Integrity measure policy (http://sourceforge.net/p/linux-ima/wiki/Home/#measure-nothing-appraise-everything) +# +# Do not measure anything, but appraise everything +# +# PROC_SUPER_MAGIC +dont_appraise fsmagic=0x9fa0 +# SYSFS_MAGIC +dont_appraise fsmagic=0x62656572 +# DEBUGFS_MAGIC +dont_appraise fsmagic=0x64626720 +# TMPFS_MAGIC +dont_appraise fsmagic=0x01021994 +# RAMFS_MAGIC +dont_appraise fsmagic=0x858458f6 +# DEVPTS_SUPER_MAGIC +dont_appraise fsmagic=0x1cd1 +# BIFMT +dont_appraise fsmagic=0x42494e4d +# SECURITYFS_MAGIC +dont_appraise fsmagic=0x73636673 +# SELINUXFS_MAGIC +dont_appraise fsmagic=0xf97cff8c +# NSFS_MAGIC (introduced in 3.19, see cd025f7 and e149ed2 in the upstream Linux kernel) +dont_appraise fsmagic=0x6e736673 +# EFIVARFS_MAGIC +dont_appraise fsmagic=0xde5e81e4 + +appraise diff --git a/meta-integrity/data/ima_policy_hashed b/meta-integrity/data/ima_policy_hashed new file mode 100644 index 0000000..7f89c8d --- /dev/null +++ b/meta-integrity/data/ima_policy_hashed @@ -0,0 +1,77 @@ +# With this policy, all files on regular partitions are +# appraised. Files with signed IMA hash and normal hash are +# accepted. Signed files cannot be modified while hashed files can be +# (which will also update the hash). However, signed files can +# be deleted, so in practice it is still possible to replace them +# with a modified version. +# +# Without EVM, this is obviously not very secure, so this policy is +# just an example and/or basis for further improvements. For that +# purpose, some comments show what could be added to make the policy +# more secure. +# +# With EVM the situation might be different because access +# to the EVM key can be restricted. +# +# Files which are appraised are also measured. This allows +# debugging whether a file is in policy by looking at +# /sys/kernel/security/ima/ascii_runtime_measurements + +# PROC_SUPER_MAGIC +dont_appraise fsmagic=0x9fa0 +dont_measure fsmagic=0x9fa0 +# SYSFS_MAGIC +dont_appraise fsmagic=0x62656572 +dont_measure fsmagic=0x62656572 +# DEBUGFS_MAGIC +dont_appraise fsmagic=0x64626720 +dont_measure fsmagic=0x64626720 +# TMPFS_MAGIC +dont_appraise fsmagic=0x01021994 +dont_measure fsmagic=0x01021994 +# RAMFS_MAGIC +dont_appraise fsmagic=0x858458f6 +dont_measure fsmagic=0x858458f6 +# DEVPTS_SUPER_MAGIC +dont_appraise fsmagic=0x1cd1 +dont_measure fsmagic=0x1cd1 +# BIFMT +dont_appraise fsmagic=0x42494e4d +dont_measure fsmagic=0x42494e4d +# SECURITYFS_MAGIC +dont_appraise fsmagic=0x73636673 +dont_measure fsmagic=0x73636673 +# SELINUXFS_MAGIC +dont_appraise fsmagic=0xf97cff8c +dont_measure fsmagic=0xf97cff8c +# NSFS_MAGIC (introduced in 3.19, see cd025f7 and e149ed2 in the upstream Linux kernel) +dont_appraise fsmagic=0x6e736673 +dont_measure fsmagic=0x6e736673 +# SMACK_MAGIC +dont_appraise fsmagic=0x43415d53 +dont_measure fsmagic=0x43415d53 +# CGROUP_SUPER_MAGIC +dont_appraise fsmagic=0x27e0eb +dont_measure fsmagic=0x27e0eb +# EFIVARFS_MAGIC +dont_appraise fsmagic=0xde5e81e4 +dont_measure fsmagic=0xde5e81e4 + +# Special partition, no checking done. +# dont_measure fsuuid=a11234... +# dont_appraise fsuuid=a11243... + +# Special immutable group. +# appraise appraise_type=imasig func=FILE_CHECK mask=MAY_READ fgroup=200 + +# All executables must be signed - too strict, we need to +# allow installing executables on the device. +# appraise appraise_type=imasig func=FILE_MMAP mask=MAY_EXEC +# appraise appraise_type=imasig func=BPRM_CHECK mask=MAY_EXEC + +# Default rule. Would be needed also when other rules were added that +# determine what to do in case of reading (mask=MAY_READ or +# mask=MAY_EXEC) because otherwise writing does not update the file +# hash. +appraise +measure diff --git a/meta-integrity/data/ima_policy_simple b/meta-integrity/data/ima_policy_simple new file mode 100644 index 0000000..38ca8f5 --- /dev/null +++ b/meta-integrity/data/ima_policy_simple @@ -0,0 +1,4 @@ +# Very simple policy demonstrating the systemd policy loading bug +# (policy with one line works, two lines don't). +dont_appraise fsmagic=0x9fa0 +dont_appraise fsmagic=0x62656572 diff --git a/meta-integrity/lib/oeqa/runtime/__init__.py b/meta-integrity/lib/oeqa/runtime/__init__.py new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/meta-integrity/lib/oeqa/runtime/__init__.py diff --git a/meta-integrity/lib/oeqa/runtime/ima.py b/meta-integrity/lib/oeqa/runtime/ima.py new file mode 100644 index 0000000..2e5b258 --- /dev/null +++ b/meta-integrity/lib/oeqa/runtime/ima.py @@ -0,0 +1,82 @@ +#!/usr/bin/env python +# +# Authors: Cristina Moraru <cristina.moraru@intel.com> +# Alexandru Cornea <alexandru.cornea@intel.com> + +import unittest +import string +from time import sleep +from oeqa.oetest import oeRuntimeTest, skipModule +from oeqa.utils.decorators import * + +@tag(TestType = 'FVT', FeatureID = 'IOTOS-617,IOTOS-619') +class IMACheck(oeRuntimeTest): + def test_ima_before_systemd(self): + ''' Test if IMA policy is loaded before systemd starts''' + + ima_search = "IMA: policy update completed" + systemd_search = "systemd .* running" + status, output = self.target.run("dmesg | grep -n '%s'" %ima_search) + self.assertEqual( status, 0, "Did not find '%s' in dmesg" %ima_search) + ima_id = int(output.split(":")[0]) + status, output = self.target.run("dmesg | grep -n '%s'" %systemd_search) + self.assertEqual(status, 0, "Did not find '%s' in dmesg" %systemd_search) + init_id = int(output.split(":")[0]) + if ima_id > init_id: + self.fail("IMA does not start before systemd") + + def test_ima_hash(self): + ''' Test if IMA stores correct file hash ''' + filename = "/etc/filetest" + ima_measure_file = "/sys/kernel/security/ima/ascii_runtime_measurements" + status, output = self.target.run("echo test > %s" %filename) + self.assertEqual(status, 0, "Cannot create file %s on target" %filename) + + # wait for the IMA system to update the entry + maximum_tries = 30 + tries = 0 + status, output = self.target.run("sha1sum %s" %filename) + current_hash = output.split()[0] + ima_hash = "" + + while tries < maximum_tries: + status, output = self.target.run("cat %s | grep %s" \ + %(ima_measure_file, filename)) + # get last entry, 4th field + if status == 0: + tokens = output.split("\n")[-1].split()[3] + ima_hash = tokens.split(":")[1] + if ima_hash == current_hash: + break + + tries += 1 + sleep(1) + + # clean target + self.target.run("rm %s" %filename) + if ima_hash != current_hash: + self.fail("Hash stored by IMA does not match actual hash") + + def test_ima_signature(self): + ''' Test if IMA stores correct signature for system binaries''' + locations = ["/bin", "/usr/bin"] + binaries = [] + for l in locations: + status, output = self.target.run("find %s -type f" %l) + binaries.extend(output.split("\n")) + + for b in binaries: + status, output = self.target.run("evmctl ima_verify %s" %b) + if "Verification is OK" not in output: + self.fail("IMA signature verification fails for file %s" %b) + + def test_ima_overwrite(self): + ''' Test if IMA prevents overwriting signed files ''' + status, output = self.target.run("find /bin -type f") + self.assertEqual(status, 0 , "ssh to device fail: %s" %output) + signed_file = output.strip().split()[0] + print("\n signed_file is %s" % signed_file) + status, output = self.target.run(" echo 'foo' >> %s" %signed_file) + self.assertNotEqual(status, 0 , "Signed file could be written") + self.assertIn("Permission denied", output, + "Did not find expected error message. Got: %s" %output) diff --git a/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb b/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb new file mode 100644 index 0000000..aca38b7 --- /dev/null +++ b/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb @@ -0,0 +1,32 @@ +# This recipe creates a module for the initramfs-framework in OE-core +# which initializes IMA by loading a policy before transferring +# control to the init process in the rootfs. The advantage over having +# that init process doing the policy loading (which systemd could do) +# is that already the integrity of the init binary itself will be +# checked by the kernel. + +SUMMARY = "IMA module for the modular initramfs system" +LICENSE = "MIT" +LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420" +RDEPENDS_${PN} += "initramfs-framework-base" + +# This policy file will get installed as /etc/ima/ima-policy. +# It is located via the normal file search path, so a .bbappend +# to this recipe can just point towards one of its own files. +IMA_POLICY ?= "ima_policy_hashed" +FILESEXTRAPATHS =. "${IMA_EVM_BASE}/data:" + +SRC_URI = " \ + file://${IMA_POLICY} \ + file://ima \ +" + +do_install () { + install -d ${D}/${sysconfdir}/ima + install ${WORKDIR}/${IMA_POLICY} ${D}/${sysconfdir}/ima-policy + install -d ${D}/init.d + install ${WORKDIR}/ima ${D}/init.d/20-ima +} + +FILES_${PN} = "/init.d ${sysconfdir}" +RDEPENDS_${PN} = "keyutils" diff --git a/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima b/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima new file mode 100644 index 0000000..8616f99 --- /dev/null +++ b/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima @@ -0,0 +1,52 @@ +#!/bin/sh +# +# Loads IMA policy into the kernel. + +ima_enabled() { + if [ "$bootparam_no_ima" = "true" ]; then + return 1 + fi +} + +ima_run() { + info "Initializing IMA (can be skipped with no_ima boot parameter)." + if ! grep -w securityfs /proc/mounts >/dev/null; then + if ! mount -t securityfs securityfs /sys/kernel/security; then + fatal "Could not mount securityfs." + fi + fi + if [ ! -d /sys/kernel/security/ima ]; then + fatal "No /sys/kernel/security/ima. Cannot proceed without IMA enabled in the kernel." + fi + + # Instead of depending on the kernel to load the IMA X.509 certificate, + # use keyctl. This avoids a bug in certain kernels (https://lkml.org/lkml/2015/9/10/492) + # where the loaded key was not checked sufficiently. We use keyctl here because it is + # slightly smaller than evmctl and is needed anyway. + # (see http://sourceforge.net/p/linux-ima/ima-evm-utils/ci/v0.9/tree/README#l349). + for kind in ima evm; do + key=/etc/keys/x509_$kind.der + if [ -s $key ]; then + id=$(grep -w -e "\.$kind" /proc/keys | cut -d ' ' -f1 | head -n 1) + if [ "$id" ]; then + id=$(printf "%d" 0x$id) + fi + if [ -z "$id" ]; then + id=`keyctl search @u keyring _$kind 2>/dev/null` + if [ -z "$id" ]; then + id=`keyctl newring _$kind @u` + fi + fi + info "Loading $key into $kind keyring $id" + keyctl padd asymmetric "" $id <$key + fi + done + + # In theory, a simple "cat" should be enough. In practice, loading sometimes fails randomly + # ("[Linux-ima-user] IMA policy loading via cat") and we get better error reporting when + # checking the write of each line. To minimize the risk of policy loading going wrong we + # also remove comments and blank lines ourselves. + if ! (set -e; while read i; do if echo "$i" | grep -q -e '^#' -e '^ *$'; then debug "Skipping IMA policy: $i"; else debug "Writing IMA policy: $i"; if echo $i; then sleep ${bootparam_ima_delay:-0}; else fatal "Invalid line in IMA policy: $i"; exit 1; fi; fi; done) </etc/ima-policy >/sys/kernel/security/ima/policy; then + fatal "Could not load IMA policy." + fi +} diff --git a/meta-integrity/recipes-core/packagegroups/packagegroup-ima-evm-utils.bb b/meta-integrity/recipes-core/packagegroups/packagegroup-ima-evm-utils.bb new file mode 100644 index 0000000..18acc9d --- /dev/null +++ b/meta-integrity/recipes-core/packagegroups/packagegroup-ima-evm-utils.bb @@ -0,0 +1,9 @@ +SUMMARY = "IMA/EVM userspace tools" +LICENSE = "MIT" + +inherit packagegroup + +# Only one at the moment, but perhaps more will come in the future. +RDEPENDS_${PN} = " \ + ima-evm-utils \ +" diff --git a/meta-integrity/recipes-core/systemd/files/machine-id-commit-sync.conf b/meta-integrity/recipes-core/systemd/files/machine-id-commit-sync.conf new file mode 100644 index 0000000..d6d3240 --- /dev/null +++ b/meta-integrity/recipes-core/systemd/files/machine-id-commit-sync.conf @@ -0,0 +1,2 @@ +[Service] +ExecStartPost=/bin/sync diff --git a/meta-integrity/recipes-core/systemd/files/random-seed-sync.conf b/meta-integrity/recipes-core/systemd/files/random-seed-sync.conf new file mode 100644 index 0000000..f4c170b --- /dev/null +++ b/meta-integrity/recipes-core/systemd/files/random-seed-sync.conf @@ -0,0 +1,3 @@ +[Service] +ExecStopPost=/bin/sync +ExecStartPost=/bin/sync diff --git a/meta-integrity/recipes-core/systemd/systemd_%.bbappend b/meta-integrity/recipes-core/systemd/systemd_%.bbappend new file mode 100644 index 0000000..3b45541 --- /dev/null +++ b/meta-integrity/recipes-core/systemd/systemd_%.bbappend @@ -0,0 +1,13 @@ +FILESEXTRAPATHS_prepend := "${THISDIR}/files:" + +SRC_URI += " \ + file://machine-id-commit-sync.conf \ + file://random-seed-sync.conf \ +" + +do_install_append () { + for i in machine-id-commit random-seed; do + install -d ${D}/${systemd_system_unitdir}/systemd-$i.service.d + install -m 0644 ${WORKDIR}/$i-sync.conf ${D}/${systemd_system_unitdir}/systemd-$i.service.d + done +} diff --git a/meta-integrity/recipes-kernel/linux/linux-%.bbappend b/meta-integrity/recipes-kernel/linux/linux-%.bbappend new file mode 100644 index 0000000..48560b1 --- /dev/null +++ b/meta-integrity/recipes-kernel/linux/linux-%.bbappend @@ -0,0 +1,116 @@ +IMA_ENABLED_HERE := "${@'yes' if bb.data.inherits_class('kernel', d) and 'ima' in d.getVar('DISTRO_FEATURES', True).split() else 'no'}" + +IMA_FILESEXTRAPATHS_yes := "${THISDIR}/linux:" +IMA_FILESEXTRAPATHS_no := "" +FILESEXTRAPATHS_prepend := "${IMA_FILESEXTRAPATHS_${IMA_ENABLED_HERE}}" + +# These two patches are necessary to unpack archives with security.ima xattr +# such that security.ima is taken from the archive. If the policy +# allows hashing, unpatched kernels (at least up to 4.3) will replace +# a signed hash in security.ima with a locally computed hash. +# +# Note that only bsdtar/libarchive are known to work; GNU tar sets +# the security.ima on an empty file and the tries re-opening it for +# writing its content, which then fails due to the IMA hash mismatch. +# +# Kernels >= 4.7 have the patches, while older kernels are likely to +# need the patches. So apply them by default. To avoid that, +# set IMA_EVM_SETATTR_PATCH_x.y.z (where x.y.z == linux kernel version) +# to an empty string (to avoid patching) or some other patch files +# suitable for that kernel. +def ima_evm_setattr_patch(d): + result = [] + linux_version = d.getVar('LINUX_VERSION', True) or '' + # These two patches are known to be included upstream. + if bb.utils.vercmp_string_op(linux_version, '4.7', '<'): + patches = d.getVar('IMA_EVM_SETATTR_PATCH_' + linux_version, True) + if patches != None: + # Patches explicitly chosen, may be empty. + result.append(patches) + else: + # Enabled by default. + result.append('file://0001-ima-fix-ima_inode_post_setattr.patch file://0002-ima-add-support-for-creating-files-using-the-mknodat.patch') + # This one addresses a problem added in 4.2. The upstream revert will land + # in some future kernel. We need to extend version check once we know + # which kernels have the patch. + if bb.utils.vercmp_string_op(linux_version, '4.2', '>='): + patches = d.getVar('IMA_EVM_SETATTR_REVERT_PATCH_' + linux_version, True) + if patches != None: + # Patches explicitly chosen, may be empty. + result.append(patches) + else: + # Enabled by default. + result.append('file://Revert-ima-limit-file-hash-setting-by-user-to-fix-an.patch') + return ' '.join(result) + +# Edison kernel too old, patch not applicable -> swupd is broken in Ostro OS for Edison. +IMA_EVM_SETATTR_PATCH_3.10.98 = "" + +# Kernel config fragment enabling IMA/EVM and (where necessary and possible) +# also patching the kernel. +IMA_EVM_CFG_yes = " file://ima.cfg \ + ${@ ima_evm_setattr_patch(d)} \ + " +IMA_EVM_CFG_no = "" +SRC_URI_append = "${IMA_EVM_CFG_${IMA_ENABLED_HERE}}" + +# IMA_EVM_ROOT_CA, if set, is the absolute path to a der-encoded +# x509 CA certificate which will get compiled into the kernel. +# The kernel will then use it to validate additional certificates, +# like the one loaded dynamically for IMA. +# +# Depending on the kernel version, there are two ways to add the +# CA certificate: +# - For Linux < 4.3, we put the x509 file into the source directory +# where the kernel compilation will find it automatically +# (http://lxr.free-electrons.com/source/kernel/Makefile?v=4.2#L115). +# - For Linux >= 4.3, we set SYSTEM_TRUSTED_KEYS +# (http://lxr.free-electrons.com/source/certs/Kconfig?v=4.3#L29). +# The ima_evm_root_ca.cfg only contains a blank file name. +# The actual file name gets patched in after the file was used +# to configure the kernel (see do_kernel_configme_append). +# This has to point to a single file, i.e. using it for IMA has to +# be coordinated with other usages. +# +# The IMA_EVM_ROOT_CA default is set globally in ima-evm-rootfs.bbclass. +# Need weaker default here in case that ima-evm-rootfs.bbclass is not +# inherited. +IMA_EVM_ROOT_CA ??= "" + +# Add CONFIG_SYSTEM_TRUSTED_KEYS (for recent kernels) and +# copy the root certificate into the build directory. By using +# the normal fetcher mechanism for the certificate we ensure that +# a rebuild is triggered when the file name or content change. +# +# Recompiling on name change is a bit too aggressive and causes +# unnecessary rebuilds when only the location of the file, but not its +# content change. This may need further work, should it become a problem +# in practice. For example, IMA_EVM_ROOT_CA could be redefined as +# an URL that then gets found via the normal file lookup. +# +# The fetcher does not expand SRC_URI. We have to enforce that here. +IMA_EVM_ROOT_CA_CFG_yes = "${@ \ + ((' file://ima_evm_root_ca.cfg' if bb.utils.vercmp_string_op('${LINUX_VERSION}', '4.3', '>=') else '') + \ + ' file://${IMA_EVM_ROOT_CA}') \ + if '${IMA_EVM_ROOT_CA}' else ''}" +IMA_EVM_ROOT_CA_CFG_no = "" + +SRC_URI_append = "${IMA_EVM_ROOT_CA_CFG_${IMA_ENABLED_HERE}}" + +do_kernel_configme_append () { + if [ '${IMA_EVM_ROOT_CA}' ] && grep -q '^CONFIG_SYSTEM_TRUSTED_KEYS=' ${B}/.config; then + # We can replace a blank value from ima_evm_root_ca.cfg, + # but when we find some other value, then we have to abort + # because we can't set more than one value. + eval `grep '^CONFIG_SYSTEM_TRUSTED_KEYS='` + if [ "$CONFIG_SYSTEM_TRUSTED_KEYS" ] && [ "$CONFIG_SYSTEM_TRUSTED_KEYS" != "${IMA_EVM_ROOT_CA}" ]; then + bbfatal "CONFIG_SYSTEM_TRUSTED_KEYS already set to $CONFIG_SYSTEM_TRUSTED_KEYS, cannot replace with IMA_EVM_ROOT_CA = ${IMA_EVM_ROOT_CA}" + exit 1 + fi + pemcert=${B}/`basename ${IMA_EVM_ROOT_CA}`.pem + openssl x509 -inform der -in ${IMA_EVM_ROOT_CA} -out $pemcert + sed -i -e "s;^CONFIG_SYSTEM_TRUSTED_KEYS=.*;CONFIG_SYSTEM_TRUSTED_KEYS=\"$pemcert\";" ${B}/.config + fi +} + +do_kernel_configme[depends] += "${@ 'openssl-native:do_populate_sysroot' if '${IMA_ENABLED_HERE}' == 'yes' and '${IMA_EVM_ROOT_CA}' else '' }" diff --git a/meta-integrity/recipes-kernel/linux/linux/0001-ima-fix-ima_inode_post_setattr.patch b/meta-integrity/recipes-kernel/linux/linux/0001-ima-fix-ima_inode_post_setattr.patch new file mode 100644 index 0000000..64016dd --- /dev/null +++ b/meta-integrity/recipes-kernel/linux/linux/0001-ima-fix-ima_inode_post_setattr.patch @@ -0,0 +1,51 @@ +From 45ea681ebc0dd44aaec5d3cc4143b9722070d3ac Mon Sep 17 00:00:00 2001 +From: Mimi Zohar <zohar@linux.vnet.ibm.com> +Date: Tue, 8 Mar 2016 16:43:55 -0500 +Subject: [PATCH] ima: fix ima_inode_post_setattr + +Changing file metadata (eg. uid, guid) could result in having to +re-appraise a file's integrity, but does not change the "new file" +status nor the security.ima xattr. The IMA_PERMIT_DIRECTIO and +IMA_DIGSIG_REQUIRED flags are policy rule specific. This patch +only resets these flags, not the IMA_NEW_FILE or IMA_DIGSIG flags. + +With this patch, changing the file timestamp will not remove the +file signature on new files. + +Upstream-Status: Accepted [https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/security/integrity/ima/ima_appraise.c?id=42a4c603198f0d45b7aa936d3ac6ba1b8bd14a1b] + +Reported-by: Dmitry Rozhkov <dmitry.rozhkov@linux.intel.com> +Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> +--- + security/integrity/ima/ima_appraise.c | 2 +- + security/integrity/integrity.h | 1 + + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c +index 4df493e..a384ba1 100644 +--- a/security/integrity/ima/ima_appraise.c ++++ b/security/integrity/ima/ima_appraise.c +@@ -327,7 +327,7 @@ void ima_inode_post_setattr(struct dentry *dentry) + if (iint) { + iint->flags &= ~(IMA_APPRAISE | IMA_APPRAISED | + IMA_APPRAISE_SUBMASK | IMA_APPRAISED_SUBMASK | +- IMA_ACTION_FLAGS); ++ IMA_ACTION_RULE_FLAGS); + if (must_appraise) + iint->flags |= IMA_APPRAISE; + } +diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h +index 0fc9519..f9decae 100644 +--- a/security/integrity/integrity.h ++++ b/security/integrity/integrity.h +@@ -28,6 +28,7 @@ + + /* iint cache flags */ + #define IMA_ACTION_FLAGS 0xff000000 ++#define IMA_ACTION_RULE_FLAGS 0x06000000 + #define IMA_DIGSIG 0x01000000 + #define IMA_DIGSIG_REQUIRED 0x02000000 + #define IMA_PERMIT_DIRECTIO 0x04000000 +-- +2.5.0 + diff --git a/meta-integrity/recipes-kernel/linux/linux/0002-ima-add-support-for-creating-files-using-the-mknodat.patch b/meta-integrity/recipes-kernel/linux/linux/0002-ima-add-support-for-creating-files-using-the-mknodat.patch new file mode 100644 index 0000000..6ab7ce2 --- /dev/null +++ b/meta-integrity/recipes-kernel/linux/linux/0002-ima-add-support-for-creating-files-using-the-mknodat.patch @@ -0,0 +1,138 @@ +From baaec960e9e7be0b526eaf831b079ddfe5c15124 Mon Sep 17 00:00:00 2001 +From: Mimi Zohar <zohar@linux.vnet.ibm.com> +Date: Thu, 10 Mar 2016 18:19:20 +0200 +Subject: [PATCH] ima: add support for creating files using the mknodat + syscall + +Commit 3034a14 "ima: pass 'opened' flag to identify newly created files" +stopped identifying empty files as new files. However new empty files +can be created using the mknodat syscall. On systems with IMA-appraisal +enabled, these empty files are not labeled with security.ima extended +attributes properly, preventing them from subsequently being opened in +order to write the file data contents. This patch marks these empty +files, created using mknodat, as new in order to allow the file data +contents to be written. + +Files with security.ima xattrs containing a file signature are considered +"immutable" and can not be modified. The file contents need to be +written, before signing the file. This patch relaxes this requirement +for new files, allowing the file signature to be written before the file +contents. + +Upstream-Status: Accepted [https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/security/integrity/ima/ima_appraise.c?id=05d1a717ec0430c916a749b94eb90ab74bbfa356] + +Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> +--- + fs/namei.c | 2 ++ + include/linux/ima.h | 7 ++++++- + security/integrity/ima/ima_appraise.c | 3 +++ + security/integrity/ima/ima_main.c | 32 +++++++++++++++++++++++++++++++- + 4 files changed, 42 insertions(+), 2 deletions(-) + +diff --git a/fs/namei.c b/fs/namei.c +index ccd7f98..19502da 100644 +--- a/fs/namei.c ++++ b/fs/namei.c +@@ -3526,6 +3526,8 @@ retry: + switch (mode & S_IFMT) { + case 0: case S_IFREG: + error = vfs_create(path.dentry->d_inode,dentry,mode,true); ++ if (!error) ++ ima_post_path_mknod(dentry); + break; + case S_IFCHR: case S_IFBLK: + error = vfs_mknod(path.dentry->d_inode,dentry,mode, +diff --git a/include/linux/ima.h b/include/linux/ima.h +index 120ccc5..7f51971 100644 +--- a/include/linux/ima.h ++++ b/include/linux/ima.h +@@ -20,7 +20,7 @@ extern void ima_file_free(struct file *file); + extern int ima_file_mmap(struct file *file, unsigned long prot); + extern int ima_module_check(struct file *file); + extern int ima_fw_from_file(struct file *file, char *buf, size_t size); +- ++extern void ima_post_path_mknod(struct dentry *dentry); + #else + static inline int ima_bprm_check(struct linux_binprm *bprm) + { +@@ -52,6 +52,11 @@ static inline int ima_fw_from_file(struct file *file, char *buf, size_t size) + return 0; + } + ++static inline void ima_post_path_mknod(struct dentry *dentry) ++{ ++ return; ++} ++ + #endif /* CONFIG_IMA */ + + #ifdef CONFIG_IMA_APPRAISE +diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c +index 4df493e..20806ea 100644 +--- a/security/integrity/ima/ima_appraise.c ++++ b/security/integrity/ima/ima_appraise.c +@@ -274,6 +274,11 @@ out: + xattr_value->type != EVM_IMA_XATTR_DIGSIG)) { + if (!ima_fix_xattr(dentry, iint)) + status = INTEGRITY_PASS; ++ } else if ((inode->i_size == 0) && ++ (iint->flags & IMA_NEW_FILE) && ++ (xattr_value && ++ xattr_value->type == EVM_IMA_XATTR_DIGSIG)) { ++ status = INTEGRITY_PASS; + } + integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename, + op, cause, rc, 0); +diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c +index eeee00dc..705bf78 100644 +--- a/security/integrity/ima/ima_main.c ++++ b/security/integrity/ima/ima_main.c +@@ -242,7 +242,8 @@ static int process_measurement(struct file *file, int mask, int function, + ima_audit_measurement(iint, pathname); + + out_digsig: +- if ((mask & MAY_WRITE) && (iint->flags & IMA_DIGSIG)) ++ if ((mask & MAY_WRITE) && (iint->flags & IMA_DIGSIG) && ++ !(iint->flags & IMA_NEW_FILE)) + rc = -EACCES; + kfree(xattr_value); + out_free: +@@ -310,6 +311,35 @@ int ima_file_check(struct file *file, int mask, int opened) + EXPORT_SYMBOL_GPL(ima_file_check); + + /** ++ * ima_post_path_mknod - mark as a new inode ++ * @dentry: newly created dentry ++ * ++ * Mark files created via the mknodat syscall as new, so that the ++ * file data can be written later. ++ */ ++void ima_post_path_mknod(struct dentry *dentry) ++{ ++ struct integrity_iint_cache *iint; ++ struct inode *inode; ++ int must_appraise; ++ ++ if (!dentry || !dentry->d_inode) ++ return; ++ ++ inode = dentry->d_inode; ++ if (inode->i_size != 0) ++ return; ++ ++ must_appraise = ima_must_appraise(inode, MAY_ACCESS, FILE_CHECK); ++ if (!must_appraise) ++ return; ++ ++ iint = integrity_inode_get(inode); ++ if (iint) ++ iint->flags |= IMA_NEW_FILE; ++} ++ ++/** + * ima_module_check - based on policy, collect/store/appraise measurement. + * @file: pointer to the file to be measured/appraised + * +-- +2.5.0 + diff --git a/meta-integrity/recipes-kernel/linux/linux/Revert-ima-limit-file-hash-setting-by-user-to-fix-an.patch b/meta-integrity/recipes-kernel/linux/linux/Revert-ima-limit-file-hash-setting-by-user-to-fix-an.patch new file mode 100644 index 0000000..157c007 --- /dev/null +++ b/meta-integrity/recipes-kernel/linux/linux/Revert-ima-limit-file-hash-setting-by-user-to-fix-an.patch @@ -0,0 +1,60 @@ +From a34d61850b680c152e1dcc958ee83c3ab3261c3d Mon Sep 17 00:00:00 2001 +From: Patrick Ohly <patrick.ohly@intel.com> +Date: Tue, 15 Nov 2016 10:10:23 +0100 +Subject: [PATCH] Revert "ima: limit file hash setting by user to fix and log + modes" + +This reverts commit c68ed80c97d9720f51ef31fe91560fdd1e121533. + +The original motivation was security hardening ("File hashes are +automatically set and updated and should not be manually set.") + +However, that hardening ignores and breaks some valid use cases: +- File hashes might not be set because the file is currently + outside of the policy and therefore have to be set by the + creator. Examples: + - Booting into an initramfs with an IMA-enabled kernel but + without setting an IMA policy, then installing + the OS onto the target partition by unpacking a rootfs archive + which has the file hashes pre-computed. + - Unpacking a file into a staging area with meta data (like owner) + that leaves the file outside of the current policy, then changing + the meta data such that it becomes part of the current policy. +- "should not be set manually" implies that the creator is aware + of IMA semantic, the current system's configuration, and then + skips setting file hashes in security.ima if (and only if) the + kernel would prevent it. That's not the case for standard, unmodified + tools. Example: unpacking an archive with security.ima xattrs with + bsdtar or GNU tar. + +Upstream-Status: Submitted [https://sourceforge.net/p/linux-ima/mailman/message/35492824/] + +Signed-off-by: Patrick Ohly <patrick.ohly@intel.com> +--- + security/integrity/ima/ima_appraise.c | 8 ++------ + 1 file changed, 2 insertions(+), 6 deletions(-) + +diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c +index 4b9b4a4..b8b2dd9 100644 +--- a/security/integrity/ima/ima_appraise.c ++++ b/security/integrity/ima/ima_appraise.c +@@ -385,14 +385,10 @@ int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name, + result = ima_protect_xattr(dentry, xattr_name, xattr_value, + xattr_value_len); + if (result == 1) { +- bool digsig; +- + if (!xattr_value_len || (xvalue->type >= IMA_XATTR_LAST)) + return -EINVAL; +- digsig = (xvalue->type == EVM_IMA_XATTR_DIGSIG); +- if (!digsig && (ima_appraise & IMA_APPRAISE_ENFORCE)) +- return -EPERM; +- ima_reset_appraise_flags(d_backing_inode(dentry), digsig); ++ ima_reset_appraise_flags(d_backing_inode(dentry), ++ (xvalue->type == EVM_IMA_XATTR_DIGSIG) ? 1 : 0); + result = 0; + } + return result; +-- +2.1.4 + diff --git a/meta-integrity/recipes-kernel/linux/linux/ima.cfg b/meta-integrity/recipes-kernel/linux/linux/ima.cfg new file mode 100644 index 0000000..02381aa --- /dev/null +++ b/meta-integrity/recipes-kernel/linux/linux/ima.cfg @@ -0,0 +1,16 @@ +# Enable bare minimum IMA measurement and appraisal as needed by this layer. + +CONFIG_SECURITY=y +CONFIG_INTEGRITY=y + +# measurement +CONFIG_IMA=y + +# appraisal +CONFIG_IMA_APPRAISE=y +CONFIG_INTEGRITY_SIGNATURE=y +CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y + +# Kernel will get built with embedded X.509 root CA key and all keys +# need to be signed with that. +CONFIG_IMA_TRUSTED_KEYRING=y diff --git a/meta-integrity/recipes-kernel/linux/linux/ima_evm_root_ca.cfg b/meta-integrity/recipes-kernel/linux/linux/ima_evm_root_ca.cfg new file mode 100644 index 0000000..7338232 --- /dev/null +++ b/meta-integrity/recipes-kernel/linux/linux/ima_evm_root_ca.cfg @@ -0,0 +1,3 @@ +CONFIG_KEYS=y +CONFIG_SYSTEM_TRUSTED_KEYRING=y +CONFIG_SYSTEM_TRUSTED_KEYS="" diff --git a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils.inc b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils.inc new file mode 100644 index 0000000..72a13f7 --- /dev/null +++ b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils.inc @@ -0,0 +1,19 @@ +DESCRIPTION = "IMA/EVM control utility" +LICENSE = "GPL-2.0-with-OpenSSL-exception" +LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263" + +DEPENDS = " \ +openssl \ +attr \ +keyutils \ +pkgconfig \ +" + +# blkid is called by evmctl when creating evm checksums. +# This is less useful when signing files on the build host, +# so disable it when compiling on the host. +RDEPENDS_${PN}_append_class-target = " util-linux-blkid" + +inherit autotools + +BBCLASSEXTEND = "native" diff --git a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/command-line-apply-operation-to-all-paths.patch b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/command-line-apply-operation-to-all-paths.patch new file mode 100644 index 0000000..35c3162 --- /dev/null +++ b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/command-line-apply-operation-to-all-paths.patch @@ -0,0 +1,68 @@ +From 5834216fb3aa4e5e59ee13e871c70db1b4e13f02 Mon Sep 17 00:00:00 2001 +From: Patrick Ohly <patrick.ohly@intel.com> +Date: Fri, 30 Sep 2016 10:22:16 +0200 +Subject: [PATCH] command line: apply operation to all paths + +Previously, invocations like "evmctl ima_hash foo bar" silently +ignored all parameters after the first path name ("foo" in this +example). + +Now evmctl iterates over all specified paths. It aborts with an +error as soon as the selected operation fails for a path. + +Supporting more than one parameter is useful in combination with +"find" and "xargs" because it is noticably faster than invoking +evmutil separately for each file, in particular when run under pseudo +(a fakeroot environment used by the OpenEmbedded build system). + +This complements the recursive mode and can be used when more control +over file selection is needed. + +Signed-off-by: Patrick Ohly <patrick.ohly@intel.com> +--- + src/evmctl.c | 21 ++++++++++++--------- + 1 file changed, 12 insertions(+), 9 deletions(-) + +diff --git a/src/evmctl.c b/src/evmctl.c +index 23cf54c..2072034 100644 +--- a/src/evmctl.c ++++ b/src/evmctl.c +@@ -626,7 +626,7 @@ static int get_file_type(const char *path, const char *search_type) + static int do_cmd(struct command *cmd, find_cb_t func) + { + char *path = g_argv[optind++]; +- int err, dts = REG_MASK; /* only regular files by default */ ++ int err = 0, dts = REG_MASK; /* only regular files by default */ + + if (!path) { + log_err("Parameters missing\n"); +@@ -634,15 +634,18 @@ static int do_cmd(struct command *cmd, find_cb_t func) + return -1; + } + +- if (recursive) { +- if (search_type) { +- dts = get_file_type(path, search_type); +- if (dts < 0) +- return dts; ++ while (path && !err) { ++ if (recursive) { ++ if (search_type) { ++ dts = get_file_type(path, search_type); ++ if (dts < 0) ++ return dts; ++ } ++ err = find(path, dts, func); ++ } else { ++ err = func(path); + } +- err = find(path, dts, func); +- } else { +- err = func(path); ++ path = g_argv[optind++]; + } + + return err; +-- +2.1.4 + diff --git a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/disable-doc-creation.patch b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/disable-doc-creation.patch new file mode 100644 index 0000000..75076f5 --- /dev/null +++ b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/disable-doc-creation.patch @@ -0,0 +1,50 @@ +From 321a602098d11ee712ebd01f51033b5fd369eae9 Mon Sep 17 00:00:00 2001 +From: Patrick Ohly <patrick.ohly@intel.com> +Date: Wed, 13 May 2015 03:41:02 -0700 +Subject: [PATCH] Makefile.am: disable man page creation + +Depends on asciidoc, which is not available. + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Patrick Ohly <patrick.ohly@intel.com> +--- + Makefile.am | 19 ++++++++++++++++++- + 1 file changed, 18 insertions(+), 1 deletion(-) + +diff --git a/Makefile.am b/Makefile.am +index 06ebf59..4ddd52c 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -1,5 +1,5 @@ + SUBDIRS = src +-dist_man_MANS = evmctl.1 ++# dist_man_MANS = evmctl.1 + + doc_DATA = examples/ima-genkey-self.sh examples/ima-genkey.sh examples/ima-gen-local-ca.sh + EXTRA_DIST = autogen.sh $(doc_DATA) +@@ -39,4 +39,21 @@ rmman: + + doc: evmctl.1.html rmman evmctl.1 + ++# requires asciidoc, xslproc, docbook-xsl ++# FIXME Disabled until docbook-xsl is unavaliable on tizen.org ++#MANPAGE_DOCBOOK_XSL = /usr/share/xml/docbook/stylesheet/docbook-xsl/manpages/docbook.xsl ++# ++#evmctl.1.html: README ++# @asciidoc -o $@ $< ++# ++#evmctl.1: ++# asciidoc -d manpage -b docbook -o evmctl.1.xsl README ++# xsltproc --nonet -o $@ $(MANPAGE_DOCBOOK_XSL) evmctl.1.xsl ++# rm -f evmctl.1.xsl ++# ++#rmman: ++# rm -f evmctl.1 ++# ++#doc: evmctl.1.html rmman evmctl.1 ++ + .PHONY: $(tarname) +-- +1.8.4.5 + diff --git a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/evmctl.c-do-not-depend-on-xattr.h-with-IMA-defines.patch b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/evmctl.c-do-not-depend-on-xattr.h-with-IMA-defines.patch new file mode 100644 index 0000000..c0bdd9b --- /dev/null +++ b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/evmctl.c-do-not-depend-on-xattr.h-with-IMA-defines.patch @@ -0,0 +1,47 @@ +From 2dec9199f8a8a2c84b25a3d3e7e2f41b71e07834 Mon Sep 17 00:00:00 2001 +From: Patrick Ohly <patrick.ohly@intel.com> +Date: Wed, 17 Jun 2015 14:28:18 +0200 +Subject: [PATCH 20/20] evmctl.c: do not depend on xattr.h with IMA defines + +Compilation on older Linux distros (like Ubuntu 12.04) fails +because linux/xattr.h does not yet have the IMA defines. Compiling +there makes sense when only the tools are needed, for example when +signing an image in cross-compile mode. + +To support this, add fallbacks for the two defines which are needed. +Their value is part of the Linux ABI and thus fixed. + +Upstream-status: Submitted [linux-ima-devel@lists.sourceforge.net] + +Signed-off-by: Patrick Ohly <patrick.ohly@intel.com> + +--- + src/evmctl.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/src/evmctl.c b/src/evmctl.c +index c54efbb..23cf54c 100644 +--- a/src/evmctl.c ++++ b/src/evmctl.c +@@ -56,6 +56,18 @@ + #include <ctype.h> + #include <termios.h> + ++/* ++ * linux/xattr.h might be old to have this. Allow compilation on older ++ * Linux distros (like Ubuntu 12.04) by falling back to our own ++ * definition. ++ */ ++#ifndef XATTR_IMA_SUFFIX ++# define XATTR_IMA_SUFFIX "ima" ++#endif ++#ifndef XATTR_NAME_IMA ++# define XATTR_NAME_IMA XATTR_SECURITY_PREFIX XATTR_IMA_SUFFIX ++#endif ++ + #include <openssl/sha.h> + #include <openssl/pem.h> + #include <openssl/hmac.h> +-- +2.1.4 + diff --git a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb new file mode 100644 index 0000000..8a9999f --- /dev/null +++ b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb @@ -0,0 +1,17 @@ +require ima-evm-utils.inc + +PV = "1.0+git${SRCPV}" +SRCREV = "3e2a67bdb0673581a97506262e62db098efef6d7" +SRC_URI = "git://git.code.sf.net/p/linux-ima/ima-evm-utils" +S = "${WORKDIR}/git" + +# Documentation depends on asciidoc, which we do not have, so +# do not build documentation. +SRC_URI += "file://disable-doc-creation.patch" + +# Workaround for upstream incompatibility with older Linux distros. +# Relevant for us when compiling ima-evm-utils-native. +SRC_URI += "file://evmctl.c-do-not-depend-on-xattr.h-with-IMA-defines.patch" + +# Required for xargs with more than one path as argument (better for performance). +SRC_URI += "file://command-line-apply-operation-to-all-paths.patch" diff --git a/meta-integrity/scripts/ima-gen-CA-signed.sh b/meta-integrity/scripts/ima-gen-CA-signed.sh new file mode 100755 index 0000000..5f3a728 --- /dev/null +++ b/meta-integrity/scripts/ima-gen-CA-signed.sh @@ -0,0 +1,48 @@ +#!/bin/sh +# +# Copied from ima-evm-utils. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# version 2 as published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +GENKEY=ima.genkey +CA=${1:-ima-local-ca.pem} +CAKEY=${2:-ima-local-ca.priv} + +cat << __EOF__ >$GENKEY +[ req ] +default_bits = 1024 +distinguished_name = req_distinguished_name +prompt = no +string_mask = utf8only +x509_extensions = v3_usr + +[ req_distinguished_name ] +O = example.com +CN = meta-intel-iot-security example signing key +emailAddress = john.doe@example.com + +[ v3_usr ] +basicConstraints=critical,CA:FALSE +#basicConstraints=CA:FALSE +keyUsage=digitalSignature +#keyUsage = nonRepudiation, digitalSignature, keyEncipherment +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid +#authorityKeyIdentifier=keyid,issuer +__EOF__ + +openssl req -new -nodes -utf8 -sha1 -days 365 -batch -config $GENKEY \ + -out csr_ima.pem -keyout privkey_ima.pem +openssl x509 -req -in csr_ima.pem -days 365 -extfile $GENKEY -extensions v3_usr \ + -CA $CA -CAkey $CAKEY -CAcreateserial \ + -outform DER -out x509_ima.der diff --git a/meta-integrity/scripts/ima-gen-local-ca.sh b/meta-integrity/scripts/ima-gen-local-ca.sh new file mode 100755 index 0000000..b600761 --- /dev/null +++ b/meta-integrity/scripts/ima-gen-local-ca.sh @@ -0,0 +1,42 @@ +#!/bin/sh +# +# Copied from ima-evm-utils. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# version 2 as published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +GENKEY=ima-local-ca.genkey + +cat << __EOF__ >$GENKEY +[ req ] +default_bits = 2048 +distinguished_name = req_distinguished_name +prompt = no +string_mask = utf8only +x509_extensions = v3_ca + +[ req_distinguished_name ] +O = example.com +CN = meta-intel-iot-security example certificate signing key +emailAddress = john.doe@example.com + +[ v3_ca ] +basicConstraints=CA:TRUE +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid:always,issuer +# keyUsage = cRLSign, keyCertSign +__EOF__ + +openssl req -new -x509 -utf8 -sha1 -days 3650 -batch -config $GENKEY \ + -outform DER -out ima-local-ca.x509 -keyout ima-local-ca.priv + +openssl x509 -inform DER -in ima-local-ca.x509 -out ima-local-ca.pem diff --git a/meta-integrity/scripts/ima-gen-self-signed.sh b/meta-integrity/scripts/ima-gen-self-signed.sh new file mode 100755 index 0000000..5ee876c --- /dev/null +++ b/meta-integrity/scripts/ima-gen-self-signed.sh @@ -0,0 +1,41 @@ +#!/bin/sh +# +# Copied from ima-evm-utils. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# version 2 as published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +GENKEY=ima.genkey + +cat << __EOF__ >$GENKEY +[ req ] +default_bits = 1024 +distinguished_name = req_distinguished_name +prompt = no +string_mask = utf8only +x509_extensions = myexts + +[ req_distinguished_name ] +O = example.com +CN = meta-intel-iot-security example signing key +emailAddress = john.doe@example.com + +[ myexts ] +basicConstraints=critical,CA:FALSE +keyUsage=digitalSignature +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid +__EOF__ + +openssl req -new -nodes -utf8 -sha1 -days 36500 -batch \ + -x509 -config $GENKEY \ + -outform DER -out x509_ima.der -keyout privkey_ima.pem |