authorMimi Zohar <zohar@linux.vnet.ibm.com>2013-03-11 20:29:47 -0400
committerMimi Zohar <zohar@linux.vnet.ibm.com>2013-10-25 17:17:00 -0400
commit140d802240a4ba3351494b4ab199964b96f87493 (patch)
tree0fa711063f82e868ef589165e89e7b2298b60025
parenta35c3fb6490cc1d3446e4781693408100113c4fb (diff)
ima: differentiate between template hash and file data hash sizes
The TPM v1.2 limits the template hash size to 20 bytes. This patch differentiates between the template hash size, as defined in the ima_template_entry, and the file data hash size, as defined in the ima_template_data. Subsequent patches add support for different file data hash algorithms. Change log: - hash digest definition in ima_store_template() should be TPM_DIGEST_SIZE Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
-rw-r--r--security/integrity/ima/ima.h2
-rw-r--r--security/integrity/ima/ima_api.c2
-rw-r--r--security/integrity/ima/ima_crypto.c4
-rw-r--r--security/integrity/ima/ima_fs.c10
-rw-r--r--security/integrity/ima/ima_init.c2
-rw-r--r--security/integrity/ima/ima_queue.c4
6 files changed, 12 insertions, 12 deletions
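diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index efcdef2bf1bc..52393edfbfd9 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -49,7 +49,7 @@ struct ima_template_data {
 };
 
 struct ima_template_entry {
- u8 digest[IMA_DIGEST_SIZE]; /* sha1 or md5 measurement hash */
+ u8 digest[TPM_DIGEST_SIZE]; /* sha1 or md5 measurement hash */
  const char *template_name;
  int template_len;
  struct ima_template_data template;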
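Review bot: The comment on the digest field at line 52 still reads `sha1 or md5 measurement hash`, but the array is now sized TPM_DIGEST_SIZE precisely because it holds the TPM-extendable template hash (20 bytes on TPM 1.2 per the commit message), and an md5 digest is not that size. Suggest `/* template hash, TPM_DIGEST_SIZE bytes (TPM 1.2: sha1) */` so readers do not conflate this field with the file data hash kept in ima_template_data. struct ima_template_entry continues past the hunk.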
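diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
index 5a7942e20814..2cc5dcc6bdeb 100644
--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -46,7 +46,7 @@ int ima_store_template(struct ima_template_entry *entry,
  int result;
  struct {
  struct ima_digest_data hdr;
- char digest[IMA_MAX_DIGEST_SIZE];
+ char digest[TPM_DIGEST_SIZE];
  } hash;
 
  memset(entry->digest, 0, sizeof(entry->digest));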
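Review bot: The local `hash.digest` buffer at line 49 shrinks from IMA_MAX_DIGEST_SIZE to TPM_DIGEST_SIZE, which is only safe if whatever fills it later in ima_store_template never produces more than TPM_DIGEST_SIZE bytes, and this hunk does not show that algorithm being pinned. A comment on the declaration such as `/* template hash goes to the TPM: only TPM_DIGEST_SIZE-byte algorithms are valid here */` would record the invariant, and if `hdr` carries the algorithm it is worth setting it explicitly next to this buffer rather than relying on a default chosen elsewhere. ima_store_template starts and ends outside the hunk.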
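diff --git a/security/integrity/ima/ima_crypto.c b/security/integrity/ima/ima_crypto.c
index 2fd178651467..872c6698067c 100644
--- a/security/integrity/ima/ima_crypto.c
+++ b/security/integrity/ima/ima_crypto.c
@@ -155,7 +155,7 @@ static void __init ima_pcrread(int idx, u8 *pcr)
  */
 int __init ima_calc_boot_aggregate(char *digest)
 {
- u8 pcr_i[IMA_DIGEST_SIZE];
+ u8 pcr_i[TPM_DIGEST_SIZE];
  int rc, i;
  struct {
  struct shash_desc shash;
@@ -173,7 +173,7 @@ int __init ima_calc_boot_aggregate(char *digest)
  for (i = TPM_PCR0; i < TPM_PCR8; i++) {
  ima_pcrread(i, pcr_i);
  /* now accumulate with current aggregate */
- rc = crypto_shash_update(&desc.shash, pcr_i, IMA_DIGEST_SIZE);
+ rc = crypto_shash_update(&desc.shash, pcr_i, TPM_DIGEST_SIZE);
  }
  if (!rc)
  crypto_shash_final(&desc.shash, digest);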
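Review bot: In the loop at lines 173-177 `rc` is overwritten on every iteration and only inspected after the loop at line 178, so a crypto_shash_update() failure on any PCR but the last is silently lost and the boot aggregate is finalized from incomplete input. Adding `if (rc) break;` directly after the update at line 176 preserves the existing error path while making it cover every PCR. The first hunk's `pcr_i` buffer and the update length now agree at TPM_DIGEST_SIZE, which is the right pairing provided ima_pcrread writes exactly a PCR's worth of bytes. ima_calc_boot_aggregate's body continues beyond both hunks.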
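diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c
index 5f0fd113433a..c35cfb5b3c5e 100644
--- a/security/integrity/ima/ima_fs.c
+++ b/security/integrity/ima/ima_fs.c
@@ -133,7 +133,7 @@ static int ima_measurements_show(struct seq_file *m, void *v)
  ima_putc(m, &pcr, sizeof pcr);
 
  /* 2nd: template digest */
- ima_putc(m, e->digest, IMA_DIGEST_SIZE);
+ ima_putc(m, e->digest, TPM_DIGEST_SIZE);
 
  /* 3rd: template name size */
  namelen = strlen(e->template_name);
@@ -167,11 +167,11 @@ static const struct file_operations ima_measurements_ops = {
  .release = seq_release,
 };
 
-static void ima_print_digest(struct seq_file *m, u8 *digest)
+static void ima_print_digest(struct seq_file *m, u8 *digest, int size)
 {
  int i;
 
- for (i = 0; i < IMA_DIGEST_SIZE; i++)
+ for (i = 0; i < size; i++)
  seq_printf(m, "%02x", *(digest + i));
 }
 
@@ -182,7 +182,7 @@ void ima_template_show(struct seq_file *m, void *e, enum ima_show_type show)
 
  switch (show) {
  case IMA_SHOW_ASCII:
- ima_print_digest(m, entry->digest);
+ ima_print_digest(m, entry->digest, IMA_DIGEST_SIZE);
  seq_printf(m, " %s\n", entry->file_name);
  break;
  case IMA_SHOW_BINARY:
@@ -212,7 +212,7 @@ static int ima_ascii_measurements_show(struct seq_file *m, void *v)
  seq_printf(m, "%2d ", CONFIG_IMA_MEASURE_PCR_IDX);
 
  /* 2nd: SHA1 template hash */
- ima_print_digest(m, e->digest);
+ ima_print_digest(m, e->digest, TPM_DIGEST_SIZE);
 
  /* 3th: template name */
  seq_printf(m, " %s ", e->template_name);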
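Review bot: `ima_print_digest` at line 170 gains a length parameter typed `int` while the digest pointer stays non-const, and nothing inside the function bounds `size` against the array behind `digest` — the compile-time constant at each call site is the only guard against reading past it. Changing the signature to `static void ima_print_digest(struct seq_file *m, const u8 *digest, int size)` and adding `/* size must not exceed the digest array the caller passes */` above it makes that contract visible. The two callers are deliberately different sizes: line 185 prints the file data hash from ima_template_data with IMA_DIGEST_SIZE, line 215 the template hash with TPM_DIGEST_SIZE, which matches the split the commit message describes.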
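diff --git a/security/integrity/ima/ima_init.c b/security/integrity/ima/ima_init.c
index 162ea723db3d..9d0243c10558 100644
--- a/security/integrity/ima/ima_init.c
+++ b/security/integrity/ima/ima_init.c
@@ -74,7 +74,7 @@ err_out:
 
 int __init ima_init(void)
 {
- u8 pcr_i[IMA_DIGEST_SIZE];
+ u8 pcr_i[TPM_DIGEST_SIZE];
  int rc;
 
  ima_used_chip = 0;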
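diff --git a/security/integrity/ima/ima_queue.c b/security/integrity/ima/ima_queue.c
index ff63fe00c195..e63ff3369f10 100644
--- a/security/integrity/ima/ima_queue.c
+++ b/security/integrity/ima/ima_queue.c
@@ -50,7 +50,7 @@ static struct ima_queue_entry *ima_lookup_digest_entry(u8 *digest_value)
  key = ima_hash_key(digest_value);
  rcu_read_lock();
  hlist_for_each_entry_rcu(qe, &ima_htable.queue[key], hnext) {
- rc = memcmp(qe->entry->digest, digest_value, IMA_DIGEST_SIZE);
+ rc = memcmp(qe->entry->digest, digest_value, TPM_DIGEST_SIZE);
  if (rc == 0) {
  ret = qe;
  break;
@@ -106,7 +106,7 @@ static int ima_pcr_extend(const u8 *hash)
 int ima_add_template_entry(struct ima_template_entry *entry, int violation,
  const char *op, struct inode *inode)
 {
- u8 digest[TPM_DIGEST_SIZE];
  const char *audit_cause = "hash_added";
  char tpm_audit_cause[AUDIT_CAUSE_LEN_MAX];
  int audit_info = 1;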
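Review bot: `ima_lookup_digest_entry` at line 53 now compares TPM_DIGEST_SIZE bytes of `digest_value`, but its signature (visible in the hunk header) takes a bare `u8 *` with no length, so the requirement that callers hand in a full template-hash buffer is implicit. A comment above the memcmp such as `/* digest_value is a template hash: callers must supply TPM_DIGEST_SIZE bytes */` and `const u8 *digest_value` in the signature would make the contract explicit, and ima_hash_key() should be checked for the same assumption since its read length is not shown here. The second hunk's `digest[TPM_DIGEST_SIZE]` local in ima_add_template_entry looks like the matching producer side, assuming it is what reaches this lookup. Both functions extend beyond their hunks.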