tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

dm-ima: use SHA-256 library

Make dm_ima_measure_on_table_load() use the SHA-256 library API instead
of crypto_shash to calculate the SHA-256 hash value that it needs. This
is simpler and more efficient. It also ensures that SHA-256 is actually
available and doesn't fail due to the unreliable loading by name.

While doing this, also use kasprintf() to simplify building the string
version of the digest.

Signed-off-by: Eric Biggers <ebiggers@kernel.org>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>

authored by

Eric Biggers and committed by
Mikulas Patocka 5282ac80 51d81e14

+11 -45
+1
drivers/md/Kconfig
··· 226 226 select BLOCK_HOLDER_DEPRECATED if SYSFS 227 227 select BLK_DEV_DM_BUILTIN 228 228 select BLK_MQ_STACKING 229 + select CRYPTO_LIB_SHA256 if IMA 229 230 depends on DAX || DAX=n 230 231 help 231 232 Device-mapper is a low level volume manager. It works by allowing
+10 -44
drivers/md/dm-ima.c
··· 12 12 13 13 #include <linux/ima.h> 14 14 #include <linux/sched/mm.h> 15 - #include <crypto/hash.h> 16 - #include <linux/crypto.h> 17 - #include <crypto/hash_info.h> 15 + #include <crypto/sha2.h> 18 16 19 17 #define DM_MSG_PREFIX "ima" 20 18 ··· 176 178 size_t device_data_buf_len, target_metadata_buf_len, target_data_buf_len, l = 0; 177 179 char *target_metadata_buf = NULL, *target_data_buf = NULL, *digest_buf = NULL; 178 180 char *ima_buf = NULL, *device_data_buf = NULL; 179 - int digest_size, last_target_measured = -1, r; 181 + int last_target_measured = -1; 180 182 status_type_t type = STATUSTYPE_IMA; 181 183 size_t cur_total_buf_len = 0; 182 184 unsigned int num_targets, i; 183 - SHASH_DESC_ON_STACK(shash, NULL); 184 - struct crypto_shash *tfm = NULL; 185 - u8 *digest = NULL; 185 + struct sha256_ctx hash_ctx; 186 + u8 digest[SHA256_DIGEST_SIZE]; 186 187 bool noio = false; 187 - /* 188 - * In below hash_alg_prefix_len assignment +1 is for the additional char (':'), 189 - * when prefixing the hash value with the hash algorithm name. e.g. sha256:<hash_value>. 190 - */ 191 - const size_t hash_alg_prefix_len = strlen(DM_IMA_TABLE_HASH_ALG) + 1; 192 188 char table_load_event_name[] = "dm_table_load"; 193 189 194 190 ima_buf = dm_ima_alloc(DM_IMA_MEASUREMENT_BUF_LEN, noio); ··· 202 210 if (dm_ima_alloc_and_copy_device_data(table->md, &device_data_buf, num_targets, noio)) 203 211 goto error; 204 212 205 - tfm = crypto_alloc_shash(DM_IMA_TABLE_HASH_ALG, 0, 0); 206 - if (IS_ERR(tfm)) 207 - goto error; 208 - 209 - shash->tfm = tfm; 210 - digest_size = crypto_shash_digestsize(tfm); 211 - digest = dm_ima_alloc(digest_size, noio); 212 - if (!digest) 213 - goto error; 214 - 215 - r = crypto_shash_init(shash); 216 - if (r) 217 - goto error; 213 + sha256_init(&hash_ctx); 218 214 219 215 memcpy(ima_buf + l, DM_IMA_VERSION_STR, table->md->ima.dm_version_str_len); 220 216 l += table->md->ima.dm_version_str_len; ··· 250 270 */ 251 271 if (unlikely(cur_total_buf_len >= DM_IMA_MEASUREMENT_BUF_LEN)) { 252 272 dm_ima_measure_data(table_load_event_name, ima_buf, l, noio); 253 - r = crypto_shash_update(shash, (const u8 *)ima_buf, l); 254 - if (r < 0) 255 - goto error; 273 + sha256_update(&hash_ctx, (const u8 *)ima_buf, l); 256 274 257 275 memset(ima_buf, 0, DM_IMA_MEASUREMENT_BUF_LEN); 258 276 l = 0; ··· 289 311 if (!last_target_measured) { 290 312 dm_ima_measure_data(table_load_event_name, ima_buf, l, noio); 291 313 292 - r = crypto_shash_update(shash, (const u8 *)ima_buf, l); 293 - if (r < 0) 294 - goto error; 314 + sha256_update(&hash_ctx, (const u8 *)ima_buf, l); 295 315 } 296 316 297 317 /* ··· 297 321 * so that the table data can be verified against the future device state change 298 322 * events, e.g. resume, rename, remove, table-clear etc. 299 323 */ 300 - r = crypto_shash_final(shash, digest); 301 - if (r < 0) 302 - goto error; 324 + sha256_final(&hash_ctx, digest); 303 325 304 - digest_buf = dm_ima_alloc((digest_size*2) + hash_alg_prefix_len + 1, noio); 305 - 326 + digest_buf = kasprintf(GFP_KERNEL, "sha256:%*phN", SHA256_DIGEST_SIZE, 327 + digest); 306 328 if (!digest_buf) 307 329 goto error; 308 - 309 - snprintf(digest_buf, hash_alg_prefix_len + 1, "%s:", DM_IMA_TABLE_HASH_ALG); 310 - 311 - for (i = 0; i < digest_size; i++) 312 - snprintf((digest_buf + hash_alg_prefix_len + (i*2)), 3, "%02x", digest[i]); 313 330 314 331 if (table->md->ima.active_table.hash != table->md->ima.inactive_table.hash) 315 332 kfree(table->md->ima.inactive_table.hash); ··· 323 354 kfree(digest_buf); 324 355 kfree(device_data_buf); 325 356 exit: 326 - kfree(digest); 327 - if (tfm) 328 - crypto_free_shash(tfm); 329 357 kfree(ima_buf); 330 358 kfree(target_metadata_buf); 331 359 kfree(target_data_buf);
-1
drivers/md/dm-ima.h
··· 15 15 #define DM_IMA_TARGET_METADATA_BUF_LEN 128 16 16 #define DM_IMA_TARGET_DATA_BUF_LEN 2048 17 17 #define DM_IMA_DEVICE_CAPACITY_BUF_LEN 128 18 - #define DM_IMA_TABLE_HASH_ALG "sha256" 19 18 20 19 #define __dm_ima_stringify(s) #s 21 20 #define __dm_ima_str(s) __dm_ima_stringify(s)