evm: Enforce signatures version 3 with new EVM policy 'bit 3'
authorStefan Berger <stefanb@linux.ibm.com>
Wed, 25 Mar 2026 21:33:49 +0000 (17:33 -0400)
committerMimi Zohar <zohar@linux.ibm.com>
Wed, 1 Apr 2026 14:16:53 +0000 (10:16 -0400)
Enable the configuration of EVM so that it requires that asymmetric
signatures it accepts are of version 3 (sigv3). To enable this, introduce
bit 3 (value 0x0008) that the user may write to EVM's securityfs policy
configuration file 'evm' for sigv3 enforcement.

Mention bit 3 in the documentation.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Documentation/ABI/testing/evm
security/integrity/evm/evm.h
security/integrity/evm/evm_main.c

index 44750a933db498a833791aa29a461a2623aab39c..db3007babb58cbf268028a65c867236ca3791e8f 100644 (file)
@@ -26,6 +26,7 @@ Description:
                2         Permit modification of EVM-protected metadata at
                          runtime. Not supported if HMAC validation and
                          creation is enabled (deprecated).
+               3         Require asymmetric signatures to be version 3
                31        Disable further runtime modification of EVM policy
                ===       ==================================================
 
index 51aba5a542750d33b0435366a369731716f1f291..694552aceaf8da2ce149b46096faf72fac2f36e0 100644 (file)
 #define EVM_INIT_HMAC  0x0001
 #define EVM_INIT_X509  0x0002
 #define EVM_ALLOW_METADATA_WRITES      0x0004
+#define EVM_SIGV3_REQUIRED             0x0008
 #define EVM_SETUP_COMPLETE 0x80000000 /* userland has signaled key load */
 
 #define EVM_KEY_MASK (EVM_INIT_HMAC | EVM_INIT_X509)
 #define EVM_INIT_MASK (EVM_INIT_HMAC | EVM_INIT_X509 | EVM_SETUP_COMPLETE | \
-                      EVM_ALLOW_METADATA_WRITES)
+                      EVM_ALLOW_METADATA_WRITES | EVM_SIGV3_REQUIRED)
 
 struct xattr_list {
        struct list_head list;
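Review bot: The new `EVM_SIGV3_REQUIRED` flag carries no comment, and of the flags in this block only `EVM_SETUP_COMPLETE` explains itself; since the value mirrors "bit 3" of the securityfs ABI entry, a trailing `/* policy bit 3: accept only sigv3 asymmetric signatures */` on the define would tie the two together. Adding the flag to `EVM_INIT_MASK` is presumably what lets the securityfs write path accept bit 3, but that path is not in this diff, so a short comment above the mask saying it lists the bits userspace may set would help the next reader. The hunk header for this file is not shown, so the hunk's exact start is uncertain.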
index b15d9d933b8463faedbd5c0bfd114d28e7cdb631..b59e3f121b8a89edb14d811351ec393a69de8ff7 100644 (file)
@@ -136,6 +136,14 @@ static bool evm_hmac_disabled(void)
        return true;
 }
 
+static bool evm_sigv3_required(void)
+{
+       if (evm_initialized & EVM_SIGV3_REQUIRED)
+               return true;
+
+       return false;
+}
+
 static int evm_find_protected_xattrs(struct dentry *dentry)
 {
        struct inode *inode = d_backing_inode(dentry);
@@ -258,6 +266,12 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry,
                }
 
                hdr = (struct signature_v2_hdr *)xattr_data;
+
+               if (evm_sigv3_required() && hdr->version != 3) {
+                       evm_status = INTEGRITY_FAIL;
+                       goto out;
+               }
+
                digest.hdr.algo = hdr->hash_algo;
                rc = evm_calc_hash(dentry, xattr_name, xattr_value,
                                   xattr_value_len, xattr_data->type, &digest,
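Review bot: The added `if (evm_sigv3_required() && hdr->version != 3)` rejects with a bare literal and no comment, so a reader has to know that 3 is the signature_v2_hdr format version being enforced; I would put `/* policy bit 3 set: refuse any asymmetric signature that is not sigv3 */` above it and, if integrity.h already names the version, use that constant instead of the literal. Dereferencing `hdr->version` is only safe if the block closed by the `}` just above this hunk's cast has already bounded xattr_len against sizeof(struct signature_v2_hdr); that check is outside the hunk, so the comment should state that ordering dependency. One caveat worth a sentence in the ABI entry: if evm_verify_hmac returns a cached iint->evm_status before reaching this point (its early return is not in the hunk), an inode whose v2 signature was verified before bit 3 was written keeps INTEGRITY_PASS until that cache is invalidated, so the bit should be set before protected files are first accessed. evm_verify_hmac starts and ends outside the hunk.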