

ima: Define and use a digest_size field in the ima_algo_desc structure

Add the digest_size field to the ima_algo_desc structure to determine the
digest size from the correct source.

If the hash algorithm is among the allocated PCR banks, take the value from the
TPM bank info (equal to the value from the crypto subsystem if the TPM
algorithm is supported by it; otherwise, not exceeding the size of the
digest buffer in the tpm_digest structure, used by IMA).

If the hash algorithm is SHA1, use the predefined value. Lastly, if the
hash algorithm is the default one but not among the PCR banks, take the
digest size from the crypto subsystem (the default hash algorithm is
checked when parsing the ima_hash= command line option).

Finally, use the new information to correctly show the template digest in
ima_measurements_show() and ima_ascii_measurements_show().

Link: https://github.com/linux-integrity/linux/issues/14
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

authored by

Roberto Sassu and committed by
Mimi Zohar
a74d7197 1984dc2c

+13 -12
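--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -53,6 +53,7 @@
 struct ima_algo_desc {
 	struct crypto_shash *tfm;
 	enum hash_algo algo;
+	unsigned int digest_size;
 };
 
 /* set during initialization */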
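Review bot: The new `digest_size` member is undocumented, so neither its unit nor where it gets its value is visible from the struct definition. Its siblings carry no comment either, but this field is later passed as a length to ima_putc() and ima_print_digest() in ima_fs.c, which makes the contract worth stating at the declaration. I would write `unsigned int digest_size;	/* digest length in bytes for @algo; set by ima_init_crypto() */`.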
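--- a/security/integrity/ima/ima_crypto.c
+++ b/security/integrity/ima/ima_crypto.c
@@ -109,6 +109,7 @@
 
 int __init ima_init_crypto(void)
 {
+	unsigned int digest_size;
 	enum hash_algo algo;
 	long rc;
 	int i;
@@ -148,7 +149,9 @@
 
 	for (i = 0; i < NR_BANKS(ima_tpm_chip); i++) {
 		algo = ima_tpm_chip->allocated_banks[i].crypto_id;
+		digest_size = ima_tpm_chip->allocated_banks[i].digest_size;
 		ima_algo_array[i].algo = algo;
+		ima_algo_array[i].digest_size = digest_size;
 
 		/* unknown TPM algorithm */
 		if (algo == HASH_ALGO__LAST)
@@ -186,12 +189,15 @@
 		}
 
 		ima_algo_array[ima_sha1_idx].algo = HASH_ALGO_SHA1;
+		ima_algo_array[ima_sha1_idx].digest_size = SHA1_DIGEST_SIZE;
 	}
 
 	if (ima_hash_algo_idx >= NR_BANKS(ima_tpm_chip) &&
 	    ima_hash_algo_idx != ima_sha1_idx) {
+		digest_size = hash_digest_size[ima_hash_algo];
 		ima_algo_array[ima_hash_algo_idx].tfm = ima_shash_tfm;
 		ima_algo_array[ima_hash_algo_idx].algo = ima_hash_algo;
+		ima_algo_array[ima_hash_algo_idx].digest_size = digest_size;
 	}
 
 	return 0;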
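Review bot: In the bank loop, `digest_size` is copied from `ima_tpm_chip->allocated_banks[i].digest_size` and stored for every bank, including one whose `algo` is `HASH_ALGO__LAST`, and ima_fs.c then uses that stored value as the length of `e->digests[algo_idx].digest`; the code therefore relies on the TPM core having already bounded the bank's digest size to the digest buffer in struct tpm_digest, which the commit message asserts but nothing in this function checks or records. A comment at the assignment would make that dependency visible to the next reader, e.g. `/* for a TPM algorithm unknown to crypto this is the TPM-reported size; the TPM core keeps it within struct tpm_digest */`. As a point of style, the temporary in the last block is assigned and stored on the next line but one, where `ima_algo_array[ima_hash_algo_idx].digest_size = hash_digest_size[ima_hash_algo];` would read the same way as the SHA1 assignment above it. ima_init_crypto() starts in the first hunk and its body continues past the last one.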
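--- a/security/integrity/ima/ima_fs.c
+++ b/security/integrity/ima/ima_fs.c
@@ -132,16 +132,12 @@
 	char *template_name;
 	u32 pcr, namelen, template_data_len; /* temporary fields */
 	bool is_ima_template = false;
-	enum hash_algo algo;
 	int i, algo_idx;
 
 	algo_idx = ima_sha1_idx;
-	algo = HASH_ALGO_SHA1;
 
-	if (m->file != NULL) {
+	if (m->file != NULL)
 		algo_idx = (unsigned long)file_inode(m->file)->i_private;
-		algo = ima_algo_array[algo_idx].algo;
-	}
 
 	/* get entry */
 	e = qe->entry;
@@ -156,7 +152,8 @@
 	ima_putc(m, &pcr, sizeof(e->pcr));
 
 	/* 2nd: template digest */
-	ima_putc(m, e->digests[algo_idx].digest, hash_digest_size[algo]);
+	ima_putc(m, e->digests[algo_idx].digest,
+		 ima_algo_array[algo_idx].digest_size);
 
 	/* 3rd: template name size */
 	namelen = !ima_canonical_fmt ? strlen(template_name) :
@@ -226,16 +223,12 @@
 	struct ima_queue_entry *qe = v;
 	struct ima_template_entry *e;
 	char *template_name;
-	enum hash_algo algo;
 	int i, algo_idx;
 
 	algo_idx = ima_sha1_idx;
-	algo = HASH_ALGO_SHA1;
 
-	if (m->file != NULL) {
+	if (m->file != NULL)
 		algo_idx = (unsigned long)file_inode(m->file)->i_private;
-		algo = ima_algo_array[algo_idx].algo;
-	}
 
 	/* get entry */
 	e = qe->entry;
@@ -245,7 +238,8 @@
 	seq_printf(m, "%2d ", e->pcr);
 
 	/* 2nd: template hash */
-	ima_print_digest(m, e->digests[algo_idx].digest, hash_digest_size[algo]);
+	ima_print_digest(m, e->digests[algo_idx].digest,
+			 ima_algo_array[algo_idx].digest_size);
 
 	/* 3th: template name */
 	seq_printf(m, " %s", template_name);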
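Review bot: ima_measurements_show() and ima_ascii_measurements_show() now each carry the same lookup of `algo_idx` from `m->file` (default `ima_sha1_idx`, else the inode's `i_private`), and both key the new digest-length read on that same index; a small static helper would keep the two paths from drifting the next time the selection rule changes. With the crypto-table lookup gone, the value in `ima_algo_array[algo_idx].digest_size` set by ima_init_crypto() is what bounds the read of `e->digests[algo_idx].digest` in both callers, which is worth a one-line comment at the ima_putc() and ima_print_digest() calls. Both functions start before and continue past the hunks shown.
```c
/* Index into ima_algo_array for the opened measurement list file (SHA1 bank if none). */
static int ima_get_algo_idx(struct seq_file *m)
{
	if (m->file == NULL)
		return ima_sha1_idx;

	return (unsigned long)file_inode(m->file)->i_private;
}

/* … in ima_measurements_show() and ima_ascii_measurements_show() … */
	algo_idx = ima_get_algo_idx(m);
```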