Re: [PATCH v8 6/7] ima: support fs-verity file digest based version 3 signatures

From: Mimi Zohar
Date: Mon May 02 2022 - 08:16:22 EST


> > @@ -225,6 +232,40 @@ int ima_read_xattr(struct dentry *dentry,
> > return ret;
> > }
> >
> > +/*
> > + * calc_file_id_hash - calculate the hash of the ima_file_id struct data
> > + * @type: xattr type [enum evm_ima_xattr_type]
> > + * @algo: hash algorithm [enum hash_algo]
> > + * @digest: pointer to the digest to be hashed
> > + * @hash: (out) pointer to the hash
> > + *
> > + * IMA signature version 3 disambiguates the data that is signed by
> > + * indirectly signing the hash of the ima_file_id structure data.
> > + *
> > + * Signing the ima_file_id struct is currently only supported for
> > + * IMA_VERITY_DIGSIG type xattrs.
> > + *
> > + * Return 0 on success, error code otherwise.
> > + */
> > +static int calc_file_id_hash(enum evm_ima_xattr_type type,
> > + enum hash_algo algo, const u8 *digest,
> > + struct ima_digest_data *hash)
> > +{
> > + struct ima_file_id file_id = {
> > + .hash_type = IMA_VERITY_DIGSIG, .hash_algorithm = algo};
> > + unsigned int unused = HASH_MAX_DIGESTSIZE - hash_digest_size[algo];
> > +
> > + if (type != IMA_VERITY_DIGSIG)
> > + return -EINVAL;
> > +
> > + memcpy(file_id.hash, digest, hash_digest_size[algo]);
> > +
> > + hash->algo = algo;
> > + hash->length = hash_digest_size[algo];
> > +
> > + return ima_calc_buffer_hash(&file_id, sizeof(file_id) - unused, hash);
>
> +struct ima_file_id {
> + __u8 hash_type; /* xattr type [enum evm_ima_xattr_type] */
> + __u8 hash_algorithm; /* Digest algorithm [enum hash_algo] */
> + __u8 hash[HASH_MAX_DIGESTSIZE];
> +} __packed;
>
> did you maybe mean 'sizeof(file_id.hash) - unused' ?

No, the hash includes the other fields as well. Instead of including a
flexible array in struct ima_file_id and dynamically allocating the
memory for the struct with the specific hash size, the maximum sized
hash is included in the struct.
>
>
> > +}
> > +


> > diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> > index 390a8faa77f9..e24531db95cd 100644
> > --- a/security/integrity/ima/ima_policy.c
> > +++ b/security/integrity/ima/ima_policy.c
> > @@ -1310,6 +1310,15 @@ static bool ima_validate_rule(struct ima_rule_entry *entry)
> > !(entry->flags & IMA_MODSIG_ALLOWED))
> > return false;
> >
> > + /*
> > + * Ensure verity appraise rules require signature format v3 signatures
> > + * ('appraise_type=sigv3').
>
> This comment doesn't seem to reflect what is actually checked below ...
> at least for me it's difficult to see that.
>
> It's more like 'ensure that appraise rules for verity signature type
> also have the IMA_DIGSIG_REQUIRED flag set.'

Generally code should be understandable without requiring a comment.
In this case, the purpose of the comment is to require a file
signature. Here's the updated comment:

+ * Unlike for regular IMA 'appraise' policy rules where
security.ima
+ * xattr may contain either a file hash or signature, the
security.ima
+ * xattr for fsverity must contain a file signature
(sigv3). Ensure
+ * that 'appraise' rules for fsverity require file signatures
by
+ * checking the IMA_DIGSIG_REQUIRED flag is set.


> > + */
> > + if (entry->action == APPRAISE &&
> > + (entry->flags & IMA_VERITY_REQUIRED) &&
> > + !(entry->flags & IMA_DIGSIG_REQUIRED))
> > + return false;
> > +
> > return true;
> > }
> >

thanks,

Mimi