// SPDX-License-Identifier: GPL-2.0+
/*
 * Copyright (C) 2019 Microsoft Corporation
 *
 * Author: Lakshmi Ramasubramanian (nramas@linux.microsoft.com)
 *
 * File: ima_asymmetric_keys.c
 *       Defines an IMA hook to measure asymmetric keys on key
 *       create or update.
 */

#include <keys/asymmetric-type.h>
#include "ima.h"

/**
 * ima_post_key_create_or_update - measure asymmetric keys
 * @keyring: keyring to which the key is linked to
 * @key: created or updated key
 * @payload: The data used to instantiate or update the key.
 * @payload_len: The length of @payload.
 * @flags: key flags (not consulted by this hook)
 * @create: flag indicating whether the key was created or updated
 *          (not consulted by this hook)
 *
 * Keys can only be measured, not appraised.
 * The payload data used to instantiate or update the key is measured.
 *
 * Only keys of type "asymmetric" with a non-empty payload are considered.
 * When ima_should_queue_key() reports that measurement must be deferred,
 * the payload is handed to ima_queue_key() and nothing further is done
 * here if that succeeds.  If queuing was requested but did not succeed,
 * the key falls through to an immediate measurement attempt, so a failed
 * queue is not silently dropped but is evaluated against the policy that
 * is in effect at that moment.
 */
void ima_post_key_create_or_update(struct key *keyring, struct key *key,
				   const void *payload, size_t payload_len,
				   unsigned long flags, bool create)
{
	const char *keyring_name;

	/* This hook is limited to asymmetric keys. */
	if (key->type != &key_type_asymmetric)
		return;

	/* Nothing to measure without a payload. */
	if (payload_len == 0 || !payload)
		return;

	/*
	 * Defer the measurement when requested; a successfully queued key
	 * is measured later, so there is nothing more to do here.  If the
	 * queue attempt fails, continue and measure immediately.
	 */
	if (ima_should_queue_key() &&
	    ima_queue_key(keyring, payload, payload_len))
		return;

	/*
	 * keyring->description is the name of the keyring the key is
	 * linked to (e.g. ".builtin_trusted_keys", ".ima").  It serves two
	 * purposes in the call below:
	 *
	 *  - as "eventname", it is recorded in the ima_event_data of the
	 *    key measurement event;
	 *  - as "keyring", it lets process_buffer_measurement() decide
	 *    whether the IMA policy asks for keys on this keyring to be
	 *    measured.
	 */
	keyring_name = keyring->description;
	process_buffer_measurement(NULL, payload, payload_len, keyring_name,
				   KEY_CHECK, 0, keyring_name);
}