ima: include pcr for each measurement log entry

The IMA measurement list entries include the Kconfig defined PCR value. This patch defines a new ima_template_entry field for including the PCR as specified in the policy rule. Signed-off-by: Eric Richter <erichte@linux.vnet.ibm.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
author: Eric Richter <erichte@linux.vnet.ibm.com> 2016-06-01 14:14:03 -0400
committer: Mimi Zohar <zohar@linux.vnet.ibm.com> 2016-06-30 01:14:21 -0400
commit: 14b1da85bbe9a59c5e01123a06dea4c4758a6db9 (patch)
tree: 1a61fea1cd6101588305467af50337d414420b4f /security/integrity
parent: 725de7fabb9fe4ca388c780ad4644352f2f06ccc (diff)
4 files changed, 13 insertions, 8 deletions
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index 3c8e71e9e049..db25f54a04fe 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -88,6 +88,7 @@ struct ima_template_desc {
 };
 struct ima_template_entry {
+        int pcr;
        u8 digest[TPM_DIGEST_SIZE];     /* sha1 or md5 measurement hash */
        struct ima_template_desc *template_desc; /* template descriptor */
        u32 template_data_len;
@@ -163,13 +164,14 @@ int ima_collect_measurement(struct integrity_iint_cache *iint,
 void ima_store_measurement(struct integrity_iint_cache *iint, struct file *file,
                           const unsigned char *filename,
                           struct evm_ima_xattr_data *xattr_value,
-                           int xattr_len);
+                           int xattr_len, int pcr);
 void ima_audit_measurement(struct integrity_iint_cache *iint,
                           const unsigned char *filename);
 int ima_alloc_init_template(struct ima_event_data *event_data,
                            struct ima_template_entry **entry);
 int ima_store_template(struct ima_template_entry *entry, int violation,
-                       struct inode *inode, const unsigned char *filename);
+                       struct inode *inode,
+                       const unsigned char *filename, int pcr);
 void ima_free_template_entry(struct ima_template_entry *entry);
 const char *ima_d_path(const struct path *path, char **pathbuf);
diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
index 225b9cede300..8363ba384992 100644
--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -87,7 +87,7 @@ out:
 */
 int ima_store_template(struct ima_template_entry *entry,
                       int violation, struct inode *inode,
-                       const unsigned char *filename)
+                       const unsigned char *filename, int pcr)
 {
        static const char op[] = "add_template_measure";
        static const char audit_cause[] = "hashing_error";
@@ -114,6 +114,7 @@ int ima_store_template(struct ima_template_entry *entry,
                }
                memcpy(entry->digest, hash.hdr.digest, hash.hdr.length);
        }
+        entry->pcr = pcr;
        result = ima_add_template_entry(entry, violation, op, inode, filename);
        return result;
 }
@@ -144,7 +145,8 @@ void ima_add_violation(struct file *file, const unsigned char *filename,
                result = -ENOMEM;
                goto err_out;
        }
-        result = ima_store_template(entry, violation, inode, filename);
+        result = ima_store_template(entry, violation, inode,
+                                    filename, CONFIG_IMA_MEASURE_PCR_IDX);
        if (result < 0)
                ima_free_template_entry(entry);
 err_out:
@@ -253,7 +255,7 @@ out:
 void ima_store_measurement(struct integrity_iint_cache *iint,
                           struct file *file, const unsigned char *filename,
                           struct evm_ima_xattr_data *xattr_value,
-                           int xattr_len)
+                           int xattr_len, int pcr)
 {
        static const char op[] = "add_template_measure";
        static const char audit_cause[] = "ENOMEM";
@@ -274,7 +276,7 @@ void ima_store_measurement(struct integrity_iint_cache *iint,
                return;
        }
-        result = ima_store_template(entry, violation, inode, filename);
+        result = ima_store_template(entry, violation, inode, filename, pcr);
        if (!result || result == -EEXIST)
                iint->flags |= IMA_MEASURED;
        if (result < 0)
diff --git a/security/integrity/ima/ima_init.c b/security/integrity/ima/ima_init.c
index 5d679a685616..32912bd54ead 100644
--- a/security/integrity/ima/ima_init.c
+++ b/security/integrity/ima/ima_init.c
@@ -79,7 +79,8 @@ static int __init ima_add_boot_aggregate(void)
        }
        result = ima_store_template(entry, violation, NULL,
-                                    boot_aggregate_name);
+                                    boot_aggregate_name,
+                                    CONFIG_IMA_MEASURE_PCR_IDX);
        if (result < 0) {
                ima_free_template_entry(entry);
                audit_cause = "store_entry";
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 58b08b25437a..3627afdc932e 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -239,7 +239,7 @@ static int process_measurement(struct file *file, char *buf, loff_t size,
        if (action & IMA_MEASURE)
                ima_store_measurement(iint, file, pathname,
-                                      xattr_value, xattr_len);
+                                      xattr_value, xattr_len, pcr);
        if (action & IMA_APPRAISE_SUBMASK)
                rc = ima_appraise_measurement(func, iint, file, pathname,
                                              xattr_value, xattr_len, opened);
author	Eric Richter <erichte@linux.vnet.ibm.com>	2016-06-01 14:14:03 -0400
committer	Mimi Zohar <zohar@linux.vnet.ibm.com>	2016-06-30 01:14:21 -0400
commit	14b1da85bbe9a59c5e01123a06dea4c4758a6db9 (patch)
tree	1a61fea1cd6101588305467af50337d414420b4f /security/integrity
parent	725de7fabb9fe4ca388c780ad4644352f2f06ccc (diff)