// SPDX-License-Identifier: GPL-2.0+
/*
 * Copyright (C) 2019 Microsoft Corporation
 *
 * Author: Lakshmi Ramasubramanian (nramas@linux.microsoft.com)
 *
 * File: ima_asymmetric_keys.c
 * Defines an IMA hook to measure asymmetric keys on key
 * create or update.
 */

#include <keys/asymmetric-type.h>
#include <linux/user_namespace.h>
#include <linux/ima.h>
#include "ima.h"

/**
 * ima_post_key_create_or_update - measure asymmetric keys
 * @keyring: keyring to which the key is linked to
 * @key: created or updated key
 * @payload: The data used to instantiate or update the key.
 * @payload_len: The length of @payload.
 * @flags: key flags (not consulted by this hook)
 * @create: flag indicating whether the key was created or updated
 *          (not consulted by this hook)
 *
 * Keys can only be measured, not appraised.
 * The payload data used to instantiate or update the key is measured.
 *
 * The hook has no return value, so it cannot veto the key operation:
 * it returns silently when the key is not asymmetric, when there is
 * no payload to measure, or when the measurement was handed off to
 * ima_queue_key() for later processing.  The result of the immediate
 * measurement, if any, is not checked here either.
 */
void ima_post_key_create_or_update(struct key *keyring, struct key *key,
				   const void *payload, size_t payload_len,
				   unsigned long flags, bool create)
{
	const char *keyring_name;

	/* Only asymmetric keys are handled by this hook. */
	if (key->type != &key_type_asymmetric)
		return;

	/* Nothing to measure without payload data. */
	if (!payload || payload_len == 0)
		return;

	/*
	 * While IMA is queueing keys, a successfully queued key is
	 * measured later and there is nothing more to do now.  If
	 * queueing is not in effect, or ima_queue_key() reports that
	 * the key was not queued, fall through and measure immediately.
	 */
	if (ima_should_queue_key() &&
	    ima_queue_key(keyring, payload, payload_len))
		return;

	/*
	 * keyring->description is the name of the keyring the key is
	 * linked to (such as ".builtin_trusted_keys", ".ima", etc.).
	 * process_buffer_measurement() receives it twice: as the
	 * "eventname" recorded in the ima_event_data "eventname" field
	 * of the key measurement IMA event, and as the "keyring"
	 * argument used to check whether the IMA policy is configured
	 * to measure keys linked to this keyring.
	 */
	keyring_name = keyring->description;

	process_buffer_measurement(&init_user_ns, NULL, payload, payload_len,
				   keyring_name, KEY_CHECK, 0,
				   keyring_name, false, NULL, 0);
}