1. 07 10月, 2014 1 次提交
  2. 09 9月, 2014 1 次提交
  3. 26 10月, 2013 1 次提交
    • D
      ima: read and use signature hash algorithm · d3634d0f
      Dmitry Kasatkin 提交于
      All files on the filesystem, currently, are hashed using the same hash
      algorithm.  In preparation for files from different packages being
      signed using different hash algorithms, this patch adds support for
      reading the signature hash algorithm from the 'security.ima' extended
      attribute and calculates the appropriate file data hash based on it.
      
      Changelog:
      - fix scripts Lindent and checkpatch msgs - Mimi
      - fix md5 support for older version, which occupied 20 bytes in the
        xattr, not the expected 16 bytes.  Fix the comparison to compare
        only the first 16 bytes.
      Signed-off-by: NDmitry Kasatkin <d.kasatkin@samsung.com>
      Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
      d3634d0f
  4. 07 2月, 2013 1 次提交
    • D
      ima: digital signature verification using asymmetric keys · e0751257
      Dmitry Kasatkin 提交于
      Asymmetric keys were introduced in linux-3.7 to verify the signature on
      signed kernel modules. The asymmetric keys infrastructure abstracts the
      signature verification from the crypto details. This patch adds IMA/EVM
      signature verification using asymmetric keys. Support for additional
      signature verification methods can now be delegated to the asymmetric
      key infrastructure.
      
      Although the module signature header and the IMA/EVM signature header
      could use the same format, to minimize the signature length and save
      space in the extended attribute, this patch defines a new IMA/EVM
      header format.  The main difference is that the key identifier is a
      sha1[12 - 19] hash of the key modulus and exponent, similar to the
      current implementation.  The only purpose of the key identifier is to
      identify the corresponding key in the kernel keyring.  ima-evm-utils
      was updated to support the new signature format.
      
      While asymmetric signature verification functionality supports many
      different hash algorithms, the hash used in this patch is calculated
      during the IMA collection phase, based on the configured algorithm.
      The default algorithm is sha1, but for backwards compatibility md5
      is supported.  Due to this current limitation, signatures should be
      generated using a sha1 hash algorithm.
      
      Changes in this patch:
      - Functionality has been moved to separate source file in order to get rid of
        in source #ifdefs.
      - keyid is derived according to the RFC 3280. It does not require to assign
        IMA/EVM specific "description" when loading X509 certificate. Kernel
        asymmetric key subsystem automatically generate the description. Also
        loading a certificate does not require using of ima-evm-utils and can be
        done using keyctl only.
      - keyid size is reduced to 32 bits to save xattr space.  Key search is done
        using partial match functionality of asymmetric_key_match().
      - Kconfig option title was changed
      Signed-off-by: NDmitry Kasatkin <dmitry.kasatkin@intel.com>
      Acked-by: NDavid Howells <dhowells@redhat.com>
      Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
      e0751257