
[PATCH v2.2 0/7] evm: digital signature verification extension


Dmitry Kasatkin

Oct 19, 2011, 7:49:22 AM10/19/11
to linux-secu...@vger.kernel.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, zo...@linux.vnet.ibm.com, dhow...@redhat.com, her...@gondor.apana.org.au
Hello,

Changes in version 2.2:
* uses EXPORT_SYMBOL_GPL
* disabled code removed
* removed casting after kmalloc

Changes to version 2.1:
* MPI lib moved to /lib directory.
* added configuration option CONFIG_MPILIB_EXTRA to exclude building
a part of the MPI library which is not used in the RSA implementation.
* added API documentation
* added Documentation for digsig
* split the evm digital signature verification patch into 2.
The common code will be used by IMA digital signature verification.

Changes to version 2.0:
* MPI patch has been split into smaller patches in order to go to the mailing lists.
The first 2 patches include only the source and header files which are needed
to build ksign verification. Headers and sources are split just to
meet the 100k kernel.org limit.
The last patch adds all the rest of the sources from the original ported MPI library.

Changes to version 1.1:
* GnuPG MPI library has been refactored with lindent, and checkpatch errors
and warnings have been fixed.
* creation of the evm keyring has been removed. It is now done in user space.
* related ksign and evm patches have been squashed.
* patch descriptions have been updated.

As the EVM patches were recently merged into security-testing-2.6#next,
it is a good time to resend the evm signature verification patches for active
discussion. Last time I forgot --cc linux-crypto. Here it is.

This patchset introduces digital signature extensions for the IMA/EVM kernel
integrity subsystem and is applied on top of the EVM patches posted to the
LSM mailing list earlier.

Currently EVM stores the HMAC in security.evm to verify the integrity of the
file's metadata. This is quite sufficient for individually installed systems,
where a system-unique HMAC key can be provisioned and the initial filesystem
labeling can be done.

Software installation for consumer electronics or embedded devices is usually
done by flashing a filesystem image. Initial filesystem image labeling is done
during the image creation process. It either has to be done (1) using a system
unique HMAC key or (2) using an image specific HMAC key. In the first case, those
keys are either unknown, or a unique image has to be created for thousands or
millions of devices, which is not feasible. The second case, using an image
specific HMAC key, would require (2.1) provisioning of the key to millions of
devices, which is not easily feasible, or (2.2) encrypting the key with a shared
symmetric key, which is not a strong security measure.

The digital signature extension for EVM provides a solution: label the
image using a single private key and use a known public key to
verify the signature. For performance reasons, after verification the signature is
replaced with the local HMAC.

Digital signature verification uses the RSA algorithm, implemented using a cut-down
port of the multi-precision integer (MPI) library from GnuPG, taken
from the Red Hat Enterprise Linux kernel (MODSIGN patches). The decision to use this
library was made because its performance was 2 times better than other ports
such as the libtommath library.

The GnuPG MPI library patch was posted here on linux-crypto back in
http://www.mail-archive.com/linux-...@vger.kernel.org/msg05613.html.
The reason for upstreaming was that there had to be a solid in-kernel user of the API.
Now, with the recent merging of the EVM patches in linux-next via
security-testing-2.6/#next, the MPI library is required for the EVM digital signature
verification extension.

The motivation for integrity protection, in general, is to protect against
offline modifications. Runtime protection is ensured via access control
mechanisms. Of particular importance is protecting users or owners from being
sold or given tampered devices, which can do nasty things such as spying or
stealing personal data. Integrity protection ensures that modifications of the
system will not remain undetected. The EVM digital signature extension makes
this feasible for consumer electronics/embedded devices.

There is also a second patchset which implements digital signature support for
the IMA-appraisal patchset, which is planned to be reviewed right after the
IMA-appraisal review.

All patches on top of the ima-2.6 (3.x.x) kernel are available here:
git://git.kernel.org/pub/scm/linux/kernel/git/kasatkin/ima-ksign.git
http://meego.gitorious.org/meego-platform-security/ima-ksign

Supporting utility for key handling and signing is available here:
http://meego.gitorious.org/meego-platform-security/evm-utils

Regards,
Dmitry

Dmitry Kasatkin (7):
crypto: GnuPG based MPI lib - source files (part 1)
crypto: GnuPG based MPI lib - header files (part 2)
crypto: GnuPG based MPI lib - make files (part 3)
crypto: GnuPG based MPI lib - additional sources (part 4)
crypto: digital signature verification support
integrity: digital signature verification using multiple keyrings
evm: digital signature verification support

Documentation/digsig.txt | 97 +++
include/linux/digsig.h | 64 ++
include/linux/mpi.h | 146 ++++
lib/Kconfig | 25 +
lib/Makefile | 3 +
lib/digsig.c | 283 +++++++
lib/mpi/Makefile | 33 +
lib/mpi/generic_mpi-asm-defs.h | 4 +
lib/mpi/generic_mpih-add1.c | 61 ++
lib/mpi/generic_mpih-lshift.c | 63 ++
lib/mpi/generic_mpih-mul1.c | 57 ++
lib/mpi/generic_mpih-mul2.c | 60 ++
lib/mpi/generic_mpih-mul3.c | 61 ++
lib/mpi/generic_mpih-rshift.c | 63 ++
lib/mpi/generic_mpih-sub1.c | 60 ++
lib/mpi/longlong.h | 1478 +++++++++++++++++++++++++++++++++++
lib/mpi/mpi-add.c | 234 ++++++
lib/mpi/mpi-bit.c | 236 ++++++
lib/mpi/mpi-cmp.c | 68 ++
lib/mpi/mpi-div.c | 333 ++++++++
lib/mpi/mpi-gcd.c | 59 ++
lib/mpi/mpi-inline.c | 31 +
lib/mpi/mpi-inline.h | 122 +++
lib/mpi/mpi-internal.h | 261 ++++++
lib/mpi/mpi-inv.c | 187 +++++
lib/mpi/mpi-mpow.c | 133 ++++
lib/mpi/mpi-mul.c | 194 +++++
lib/mpi/mpi-pow.c | 323 ++++++++
lib/mpi/mpi-scan.c | 136 ++++
lib/mpi/mpicoder.c | 365 +++++++++
lib/mpi/mpih-cmp.c | 56 ++
lib/mpi/mpih-div.c | 541 +++++++++++++
lib/mpi/mpih-mul.c | 527 +++++++++++++
lib/mpi/mpiutil.c | 208 +++++
security/integrity/Kconfig | 14 +
security/integrity/Makefile | 1 +
security/integrity/digsig.c | 48 ++
security/integrity/evm/evm.h | 12 +
security/integrity/evm/evm_crypto.c | 66 ++-
security/integrity/evm/evm_main.c | 94 ++-
security/integrity/integrity.h | 20 +
41 files changed, 6797 insertions(+), 30 deletions(-)
create mode 100644 Documentation/digsig.txt
create mode 100644 include/linux/digsig.h
create mode 100644 include/linux/mpi.h
create mode 100644 lib/digsig.c
create mode 100644 lib/mpi/Makefile
create mode 100644 lib/mpi/generic_mpi-asm-defs.h
create mode 100644 lib/mpi/generic_mpih-add1.c
create mode 100644 lib/mpi/generic_mpih-lshift.c
create mode 100644 lib/mpi/generic_mpih-mul1.c
create mode 100644 lib/mpi/generic_mpih-mul2.c
create mode 100644 lib/mpi/generic_mpih-mul3.c
create mode 100644 lib/mpi/generic_mpih-rshift.c
create mode 100644 lib/mpi/generic_mpih-sub1.c
create mode 100644 lib/mpi/longlong.h
create mode 100644 lib/mpi/mpi-add.c
create mode 100644 lib/mpi/mpi-bit.c
create mode 100644 lib/mpi/mpi-cmp.c
create mode 100644 lib/mpi/mpi-div.c
create mode 100644 lib/mpi/mpi-gcd.c
create mode 100644 lib/mpi/mpi-inline.c
create mode 100644 lib/mpi/mpi-inline.h
create mode 100644 lib/mpi/mpi-internal.h
create mode 100644 lib/mpi/mpi-inv.c
create mode 100644 lib/mpi/mpi-mpow.c
create mode 100644 lib/mpi/mpi-mul.c
create mode 100644 lib/mpi/mpi-pow.c
create mode 100644 lib/mpi/mpi-scan.c
create mode 100644 lib/mpi/mpicoder.c
create mode 100644 lib/mpi/mpih-cmp.c
create mode 100644 lib/mpi/mpih-div.c
create mode 100644 lib/mpi/mpih-mul.c
create mode 100644 lib/mpi/mpiutil.c
create mode 100644 security/integrity/digsig.c

--
1.7.4.1

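The build-time signing and on-device verify-then-cache flow that the cover letter describes, as an added example that is not part of the patchset or this thread. It assumes a toy RSA key pair (generated here with Miller-Rabin, standing in for the GnuPG MPI code; raw RSA, no padding), SHA-1 over a constructed metadata dict standing in for the protected xattrs, and constructed EVM_HMAC/EVM_DIGSIG type tags. It also shows that a missing `_evm` keyring is reported as a failure, not as a pass.

```python
import hashlib
import hmac
import random

# Toy RSA, constructed for this example (not the kernel's GnuPG MPI port).
def _is_probable_prime(n, rounds=20):
    # Callers pass odd n >= 3, so no small-case handling is needed here.
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits):
    while True:
        p = random.getrandbits(bits) | (1 << (bits - 1)) | 1   # odd, full width
        if _is_probable_prime(p):
            return p

def rsa_keygen(bits=512, e=65537):
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (e, p * q), (pow(e, -1, phi), p * q)   # (public, private)

EVM_HMAC, EVM_DIGSIG = 1, 2   # constructed type tags for the security.evm value

def metadata_digest(meta):
    # Stand-in for EVM's hash over the protected inode metadata (xattrs, uid, mode...).
    return hashlib.sha1(repr(sorted(meta.items())).encode()).digest()

def image_sign(meta, priv):
    # Image-build side: one private key labels every copy of the image.
    d, n = priv
    return EVM_DIGSIG, pow(int.from_bytes(metadata_digest(meta), "big"), d, n)

def evm_verify(meta, xattr, keyrings, hmac_key):
    # Device side; returns (ok, xattr to store back). hmac_key is device-unique.
    kind, value = xattr
    digest = metadata_digest(meta)
    local = hmac.new(hmac_key, digest, "sha1").digest()
    if kind == EVM_HMAC:
        return hmac.compare_digest(value, local), xattr
    pub = keyrings.get("_evm")   # a missing keyring must fail, never verify as ok
    ok = kind == EVM_DIGSIG and pub is not None and \
        pow(value, pub[0], pub[1]) == int.from_bytes(digest, "big")
    return ok, (EVM_HMAC, local) if ok else xattr   # verified once: cache as HMAC
```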

Mimi Zohar

Nov 4, 2011, 7:31:20 AM11/4/11
to Dmitry Kasatkin, linux-secu...@vger.kernel.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, dhow...@redhat.com, her...@gondor.apana.org.au
On Wed, 2011-10-19 at 14:51 +0300, Dmitry Kasatkin wrote:
> Define separate keyrings for each of the different use cases - evm, ima,
> and modules. Using different keyrings improves search performance, and also
> allows "locking" specific keyring to prevent adding new keys.
> This is useful for evm and module keyrings, when keys are usually only
> added from initramfs.
>
> Signed-off-by: Dmitry Kasatkin <dmitry....@intel.com>

Thanks Dmitry! Other than the couple of trailing whitespaces, the
patches look good. I think adding the word 'public', above, to 'adding
new keys' clarifies that the keyrings are only used for the digital
signatures.

Acked-by: Mimi Zohar <zo...@us.ibm.com>

> ---
> security/integrity/Kconfig | 14 +++++++++++
> security/integrity/Makefile | 1 +
> security/integrity/digsig.c | 48 ++++++++++++++++++++++++++++++++++++++++
> security/integrity/integrity.h | 20 ++++++++++++++++
> 4 files changed, 83 insertions(+), 0 deletions(-)
> create mode 100644 security/integrity/digsig.c
>
> diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig
> index 4bf00ac..d87fa2a 100644
> --- a/security/integrity/Kconfig
> +++ b/security/integrity/Kconfig
> @@ -3,5 +3,19 @@ config INTEGRITY
> def_bool y
> depends on IMA || EVM
>
> +config INTEGRITY_DIGSIG
> + boolean "Digital signature verification using multiple keyrings"
> + depends on INTEGRITY
> + default n
> + select DIGSIG
> + help
> + This option enables digital signature verification support
> + using multiple keyrings. It defines separate keyrings for each
> + of the different use cases - evm, ima, and modules.
> + Different keyrings improves search performance, but also allow
> + to "lock" certain keyring to prevent adding new keys.
> + This is useful for evm and module keyrings, when keys are
> + usually only added from initramfs.
> +
> source security/integrity/ima/Kconfig
> source security/integrity/evm/Kconfig
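Review bot: the help text in this hunk has grammar problems and the `default n` line is redundant. "Different keyrings improves search performance, but also allow to "lock" certain keyring to prevent adding new keys" reads better as "Separate keyrings improve search performance and also allow a keyring to be "locked" so that no further public keys can be added", and `default n` is already the default for a Kconfig bool option, so it can be dropped.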
> diff --git a/security/integrity/Makefile b/security/integrity/Makefile
> index 0ae44ae..bece056 100644
> --- a/security/integrity/Makefile
> +++ b/security/integrity/Makefile
> @@ -3,6 +3,7 @@
> #
>
> obj-$(CONFIG_INTEGRITY) += integrity.o
> +obj-$(CONFIG_INTEGRITY_DIGSIG) += digsig.o
>
> integrity-y := iint.o
>
> diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
> new file mode 100644
> index 0000000..b5d1e01
> --- /dev/null
> +++ b/security/integrity/digsig.c
> @@ -0,0 +1,48 @@
> +/*
> + * Copyright (C) 2011 Intel Corporation
> + *
> + * Author:
> + * Dmitry Kasatkin <dmitry....@intel.com>
> + *
> + * This program is free software; you can redistribute it and/or modify
> + * it under the terms of the GNU General Public License as published by
> + * the Free Software Foundation, version 2 of the License.
> + *
> + */
> +
> +#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
> +
> +#include <linux/err.h>
> +#include <linux/rbtree.h>
> +#include <linux/key-type.h>
> +#include <linux/digsig.h>
> +
> +#include "integrity.h"
> +
> +static struct key *keyring[INTEGRITY_KEYRING_MAX];
> +
> +static const char *keyring_name[INTEGRITY_KEYRING_MAX] = {
> + "_evm",
> + "_module",
> + "_ima",
> +};
> +
> +int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
> + const char *digest, int digestlen)
> +{
> + if (id >= INTEGRITY_KEYRING_MAX)
> + return -EINVAL;
> +
> + if (!keyring[id]) {
> + keyring[id] =
> + request_key(&key_type_keyring, keyring_name[id], NULL);
> + if (IS_ERR(keyring[id])) {
> + pr_err("no %s keyring: %ld\n", keyring_name[id],
> + PTR_ERR(keyring[id]));
> + keyring[id] = NULL;
> + return PTR_ERR(keyring[id]);
> + }
> + }
> +
> + return digsig_verify(keyring[id], sig, siglen, digest, digestlen);
> +}
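Review bot: in integrity_digsig_verify the error path returns `PTR_ERR(keyring[id])` after `keyring[id] = NULL;` has already run, so the caller gets `PTR_ERR(NULL)`, which is 0, and a missing `_evm`, `_module` or `_ima` keyring is reported as a successful verification. Save the error before clearing the slot, e.g. `int err = PTR_ERR(keyring[id]); keyring[id] = NULL; return err;` (the pr_err above it is fine because it runs before the assignment). Separately, `keyring[id]` is read and written with no locking, so two concurrent first callers can both call request_key() and one of the references is leaked; a mutex around the lazy lookup would close that.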
> diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
> index e898094..9fc723b 100644
> --- a/security/integrity/integrity.h
> +++ b/security/integrity/integrity.h
> @@ -51,5 +51,25 @@ struct integrity_iint_cache {
> struct integrity_iint_cache *integrity_iint_insert(struct inode *inode);
> struct integrity_iint_cache *integrity_iint_find(struct inode *inode);
>
> +#define INTEGRITY_KEYRING_EVM 0
> +#define INTEGRITY_KEYRING_MODULE 1
> +#define INTEGRITY_KEYRING_IMA 2
> +#define INTEGRITY_KEYRING_MAX 3
> +
> +#ifdef CONFIG_INTEGRITY_DIGSIG
> +
> +int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
> + const char *digest, int digestlen);
> +
> +#else
> +
> +static inline int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
> + const char *digest, int digestlen)
> +{
> + return -EOPNOTSUPP;
> +}
> +
> +#endif /* CONFIG_INTEGRITY_DIGSIG */
> +
> /* set during initialization */
> extern int iint_initialized;
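Review bot: the `static inline` stub's first line runs well past 80 columns (checkpatch will warn); wrap it like the prototype above. The `const` on the by-value `id` parameter has no effect on callers and is unusual in kernel headers. The three INTEGRITY_KEYRING_* values plus INTEGRITY_KEYRING_MAX read naturally as an enum, which also keeps the `keyring[]` and `keyring_name[]` sizes in digsig.c in step with the list.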

Kasatkin, Dmitry

Nov 21, 2011, 5:20:45 AM11/21/11
to Stephen Rothwell, linux-secu...@vger.kernel.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, zo...@linux.vnet.ibm.com, dhow...@redhat.com, her...@gondor.apana.org.au, James Morris
On Sat, Nov 19, 2011 at 5:33 AM, Stephen Rothwell <s...@canb.auug.org.au> wrote:
> Hi all,
>
> On Wed, 19 Oct 2011 14:51:30 +0300 Dmitry Kasatkin <dmitry....@intel.com> wrote:
>>
>> Adds the multi-precision-integer maths library which was originally taken
>> from GnuPG and ported to the kernel by (among others) David Howells.
>> This version is taken from Fedora kernel 2.6.32-71.14.1.el6.
>> The difference is that checkpatch reported errors and warnings have been fixed.
>>
>> This library is used to implement RSA digital signature verification
>> used in IMA/EVM integrity protection subsystem.
>>
>> Due to patch size limitation, the patch is divided into 4 parts.
>
> I just noticed that this has been added to the "next" branch of the
> security tree (and thus into the next release of linux-next).  I think
> that these patches should be rearranged as in their current form, they
> break bisection (since the files in this patch reference include files in
> a later patch).   We generally prefer large patches to be broken up into
> logical sub patches rather than just along file boundaries.
>
> In this case, even though it was broken up for review, it could have been
> committed as one large commit (assuming that there is no sensible way to
> break it up).

Hi,

It can be easily split into 2 commits and one of them would not comply
with mailing list limits.

James, should I do anything about it?

Thanks,

- Dmitry

> --
> Cheers,
> Stephen Rothwell                    s...@canb.auug.org.au
> http://www.canb.auug.org.au/~sfr/

Kasatkin, Dmitry

Nov 21, 2011, 10:33:06 AM11/21/11
to James Morris, Stephen Rothwell, linux-secu...@vger.kernel.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, zo...@linux.vnet.ibm.com, dhow...@redhat.com, her...@gondor.hengli.com.au
On Mon, Nov 21, 2011 at 1:27 PM, James Morris <jmo...@namei.org> wrote:
> On Mon, 21 Nov 2011, Kasatkin, Dmitry wrote:
>
>> It can be easily split into 2 commits and one of them would not comply
>> with mailing list limits.
>>
>> James, should I do anything about it?
>
> No, it's in my public tree now.
>

Ok.

In fact it does not break bisect, because compilation is enabled in
the 3rd patch.

BR,
Dmitry

>
> - James
> --
> James Morris
> <jmo...@namei.org>

Geert Uytterhoeven

Mar 11, 2012, 5:55:52 AM3/11/12
to Dmitry Kasatkin, linux-secu...@vger.kernel.org, linux-...@vger.kernel.org, Linux Kernel Development, zo...@linux.vnet.ibm.com, dhow...@redhat.com, her...@gondor.apana.org.au, Linux/m68k
On Wed, 19 Oct 2011, Dmitry Kasatkin wrote:
> Adds the multi-precision-integer maths library which was originally taken
> from GnuPG and ported to the kernel by (among others) David Howells.
> This version is taken from Fedora kernel 2.6.32-71.14.1.el6.
> The difference is that checkpatch reported errors and warnings have been fixed.
>
> This library is used to implement RSA digital signature verification
> used in IMA/EVM integrity protection subsystem.

> --- /dev/null
> +++ b/lib/mpi/longlong.h

> + /* If udiv_qrnnd was not defined for this processor, use __udiv_qrnnd_c. */
> +#if !defined(udiv_qrnnd)
> +#define UDIV_NEEDS_NORMALIZATION 1
> +#define udiv_qrnnd __udiv_qrnnd_c
> +#endif
> +
> +#undef count_leading_zeros

Why is this #undef here? It's not present in mpi/longlong.h from Ubuntu's
gnupg-1.4.10, and causing ...

> +#if !defined(count_leading_zeros)
> + extern
> +#ifdef __STDC__
> + const
> +#endif
> + unsigned char __clz_tab[];
> +#define count_leading_zeros(count, x) \
> +do { \
> + UWtype __xr = (x); \
> + UWtype __a; \
> + \
> + if (W_TYPE_SIZE <= 32) { \
> + __a = __xr < ((UWtype) 1 << 2*__BITS4) \
> + ? (__xr < ((UWtype) 1 << __BITS4) ? 0 : __BITS4) \
> + : (__xr < ((UWtype) 1 << 3*__BITS4) ? 2*__BITS4 : 3*__BITS4); \
> + } \
> + else { \
> + for (__a = W_TYPE_SIZE - 8; __a > 0; __a -= 8) \
> + if (((__xr >> __a) & 0xff) != 0) \
> + break; \
> + } \
> + \
> + (count) = W_TYPE_SIZE - (__clz_tab[__xr >> __a] + __a); \
> +} while (0)
> + /* This version gives a well-defined value for zero. */
> +#define COUNT_LEADING_ZEROS_0 W_TYPE_SIZE

lib/mpi/longlong.h:1483:1: warning: "COUNT_LEADING_ZEROS_0" redefined
lib/mpi/longlong.h:610:1: warning: this is the location of the previous definition

on m68k/allmodconfig.

I'm also wondering why this warning is not seen on other arches, e.g. PPC
#defines COUNT_LEADING_ZEROS_0 to 32, just like m68k.

> +#endif
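Review bot: the `#undef count_leading_zeros` discards whatever arch-specific count_leading_zeros the earlier part of this header defined, so the `#if !defined(count_leading_zeros)` block that follows is always compiled and its `#define COUNT_LEADING_ZEROS_0 W_TYPE_SIZE` lands on top of the arch definition; that is the redefinition the m68k build reports at lines 610 and 1483. Dropping the #undef (the upstream gnupg header has no such line) restores the fallback-only behaviour; if the generic version is wanted unconditionally, the arch definitions should be removed rather than silently overridden.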

I suppose the plan is to clean up this header file, as lots of its
functionality is already present in the kernel sources in some other way
(e.g. arch/m68k/lib/muldi3.c)?

Gr{oetje,eeting}s,

Geert

--
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- ge...@linux-m68k.org

In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
-- Linus Torvalds

Geert Uytterhoeven

Mar 21, 2012, 4:39:44 AM3/21/12
to Dmitry Kasatkin, linux-secu...@vger.kernel.org, linux-...@vger.kernel.org, Linux Kernel Development, zo...@linux.vnet.ibm.com, dhow...@redhat.com, her...@gondor.apana.org.au, Linux/m68k
Ping?

Kasatkin, Dmitry

Mar 22, 2012, 4:22:01 AM3/22/12
to Geert Uytterhoeven, linux-secu...@vger.kernel.org, linux-...@vger.kernel.org, Linux Kernel Development, zo...@linux.vnet.ibm.com, dhow...@redhat.com, her...@gondor.apana.org.au, Linux/m68k
Hello,

There are things to cleanup...
It takes a bit of time.

- Dmitry