integ/kernel/kernel-modules/integrity/centos/files
Scott Little d252dfc541 Relocate integrity to stx-integ/kernel/kernel-modules/integrity
Move content from stx-gplv2 into stx-integ

Packages will be relocated to

stx-integ:
    base/
        bash
        cgcs-users
        cluster-resource-agents
        dpkg
        haproxy
        libfdt
        netpbm
        rpm

    database/
        mariadb

    filesystem/
        iscsi-initiator-utils

    filesystem/drbd/
        drbd-tools

    kernel/kernel-modules/
        drbd
        integrity
        intel-e1000e
        intel-i40e
        intel-i40evf
        intel-ixgbe
        intel-ixgbevf
        qat17
        tpmdd

    ldap/
        ldapscripts

    networking/
        iptables
        net-tools

Change-Id: I899ba2b3a354e4f1be7fcb1f2a99a46356634a55
Story: 2002801
Task: 22687
Signed-off-by: Scott Little <scott.little@windriver.com>
2018-08-01 15:31:38 -04:00
..
COPYING Relocate integrity to stx-integ/kernel/kernel-modules/integrity 2018-08-01 15:31:38 -04:00
ima.conf Relocate integrity to stx-integ/kernel/kernel-modules/integrity 2018-08-01 15:31:38 -04:00
ima.policy Relocate integrity to stx-integ/kernel/kernel-modules/integrity 2018-08-01 15:31:38 -04:00
integrity.conf Relocate integrity to stx-integ/kernel/kernel-modules/integrity 2018-08-01 15:31:38 -04:00
modules-load.conf Relocate integrity to stx-integ/kernel/kernel-modules/integrity 2018-08-01 15:31:38 -04:00
README Relocate integrity to stx-integ/kernel/kernel-modules/integrity 2018-08-01 15:31:38 -04:00

Integrity and IMA Modules for CentOS 7 (Linux version 3.10)
===============================================================================

===============================================================================

Kam Nasim <kam.nasim@windriver.com>
Copyright (c) 2017 Wind River Systems, Inc.

SPDX-License-Identifier: Apache-2.0


August, 2017

===============================================================================

Contents
--------

- Overview
- Rebasing Guidelines
- Changesets

================================================================================


Important Notes
---------------

No support for APPENDING IMA policies
----------------------------------------------

A provision was introduced in April 2014 to allow multiple IMA policies to be
appended.This change involved setting up inode hooks which could not be
backported in the 3.10 Kernel. Therefore we do not allow the following operation
types:
echo /etc/ima/ima_policy > /sys/kernel/security/ima/policy

only an overwrite is possible:
cat policy-file > <securityfs>/ima/policy

EVM support disabled in Kernel
------------------------------------------------

The EVM Kernel Configuration option was mutually exclusive to the CONFIG_INTEGRITY
Kernel configuration option. Since Integrity is being disabled in the Kernel, EVM
would also need to be built out-of-tree as a Kernel module and would require some
refactoring if it is to be used with this module pack.


IMA Keyring allocated inside the Kernel
-----------------------------------------

Normally, the _ima Keyring is allocated from user space, but this has the 
added disadvantage of persisting the public key on the file system. Corruption
of this public key may cripple the system by triggering APPRAISAL failures if
ima 'Enforcement' is enabled. To prevent this, the IMA public key is compiled
into the Kernel and is placed in the Kernel SOURCE (ima_signing_key.pub)


Overview
--------

This module pack builds Integrity and IMA kernel modules for the 3.10 kernel version.
If newer kernel version are to be supported in the future then the COMPAT
layer (kcompat.h) will need to be adjusted to address kernel-driver compatibility
issues. As well as certain LINUX_VERSION_CODE <= KERNEL_VERSION(3,10,0) ifdefs 

It supports Linux supported x86_64 systems.

These drivers are only supported as a loadable module at this time.


Rebasing Guidelines
--------------------

On rebasing TiC software heed the following:
- always rebase the Kernel first before rebasing this package
- get the HEAD from the tpmdd repo and generate a tarball, the tarball
should follow the naming convention: tpm-kmod-<gitHEAD>; use the short-hand
form of the git commit ID (8 characters)
- update the integrity-kmod spec to Source the new tarball
- apply all existing patches against the new tarball, and adjust the kcompat
layer (LINUX_VERSION_CODE ifdefs, kcompat.h and common.mk) accordingly

IMA Signing Key Generation Guidelines
--------------------------------------

The following may be used to generate an IMA key pair:
openssl req -newkey rsa:2048 -nodes -days 10950 -x509 -outform DER -out ima_signing_key.pub -keyout ima_signing_key.priv

The "ima_signing_key.pub" MUST be placed in the Kernel source (files/) so that the 
Kernel build can pick it up and compile it in.


================================================================================


Change Sets
-------------------------

This driver is a fork from the tpmdd repo:
https://sourceforge.net/projects/tpmdd/
http://git.infradead.org/users/jjs/linux-tpmdd.git/

Sync Head: 668a827057187403999b7ecfcf86b59979c8c3b2

COMPAT NOTES:

1. In newer kernels, VFS layer read operations have been refactored:
    VFS: refactor vfs_read()

    integrity_kernel_read() duplicates the file read operations code
    in vfs_read(). This patch refactors vfs_read() code creating a
    helper function __vfs_read(). It is used by both vfs_read() and
    integrity_kernel_read().

    Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
    Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>

   The compat layer therefore needs to redefine the integrity vfs code to use
   the original implementation


2. In newer kernels, a wrapper has been developed around inode mutex un/lock
   
        commit 5955102c9984fa081b2d570cfac75c97eecf8f3b
        Author: Al Viro <viro@zeniv.linux.org.uk>
        Date:   Fri Jan 22 15:40:57 2016 -0500

        wrappers for ->i_mutex access

        parallel to mutex_{lock,unlock,trylock,is_locked,lock_nested},
        inode_foo(inode) being mutex_foo(&inode->i_mutex).

        Please, use those for access to ->i_mutex; over the coming cycle
        ->i_mutex will become rwsem, with ->lookup() done with it held
        only shared.

        Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

    The compat layer needs to replace all instances of inode locking
    with the underlying mutex locking/unlocking calls    


3. In newer kernels, security PRE and POST Hooks are defined which 
have their seperate appraisal calls

    commit 39eeb4fb97f60dbdfc823c1a673a8844b9226b60
    Author: Mimi Zohar <zohar@linux.vnet.ibm.com>
    Date:   Sat Jan 30 22:23:26 2016 -0500

    security: define kernel_read_file hook

    The kernel_read_file security hook is called prior to reading the file
    into memory.

    Changelog v4+:
    - export security_kernel_read_file()

    Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
    Acked-by: Kees Cook <keescook@chromium.org>
    Acked-by: Luis R. Rodriguez <mcgrof@kernel.org>
    Acked-by: Casey Schaufler <casey@schaufler-ca.com>
        
   The compat layer needs to ignore all PRE and POST File hooks and 
   cannot support such PRE and POST appraisals


4. In newer kernels, IMA policies can be applied by path as opposed to
content allowing multiple policies to be appended

    commit 7429b092811fb20c6a5b261c2c116a6a90cb9a29
Author: Dmitry Kasatkin <dmitry.kasatkin@huawei.com>
Date:   Fri Apr 11 17:47:01 2014 +0300

    ima: load policy using path

    We currently cannot do appraisal or signature vetting of IMA policies
    since we currently can only load IMA policies by writing the contents
    of the policy directly in, as follows:

    cat policy-file > <securityfs>/ima/policy

    If we provide the kernel the path to the IMA policy so it can load
    the policy itself it'd be able to later appraise or vet the file
    signature if it has one.  This patch adds support to load the IMA
    policy with a given path as follows:

    echo /etc/ima/ima_policy > /sys/kernel/security/ima/policy

    Changelog v4+:
    - moved kernel_read_file_from_path() error messages to callers
    v3:
    - moved kernel_read_file_from_path() to a separate patch
    v2:
    - after re-ordering the patches, replace calling integrity_kernel_read()
      to read the file with kernel_read_file_from_path() (Mimi)
    - Patch description re-written by Luis R. Rodriguez

    Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@huawei.com>

    This feature was removed from the IMA modules since it required extensive
backporting to the INODE and VFS layers inthe base kernel

5. In newer kernels, IMA allows measurement lists to be preserved over
Kernel reinstalls or kexecs

    commit d9ddf077bb85b54200dfcb5f2edec4f0d6a7c2ca
Author: Mimi Zohar <zohar@linux.vnet.ibm.com>
Date:   Thu Jan 14 20:59:14 2016 -0500

    ima: support for kexec image and initramfs

    Add IMA policy support for measuring/appraising the kexec image and
    initramfs. Two new IMA policy identifiers KEXEC_KERNEL_CHECK and
    KEXEC_INITRAMFS_CHECK are defined.

    Example policy rules:
    measure func=KEXEC_KERNEL_CHECK
    appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig
    measure func=KEXEC_INITRAMFS_CHECK
    appraise func=KEXEC_INITRAMFS_CHECK appraise_type=imasig

    Moving the enumeration to the vfs layer simplified the patches, allowing
    the IMA changes, for the most part, to be separated from the other
    changes.  Unfortunately, passing either a kernel_read_file_id or a
    ima_hooks enumeration within IMA is messy.

    This feature was removed from the IMA modules since it required defining a
new Kexec cache in the base Kernel which was an extensive backporting effort