diff options
| author | Mimi Zohar <zohar@linux.vnet.ibm.com> | 2013-06-07 06:16:37 -0400 |
|---|---|---|
| committer | Mimi Zohar <zohar@linux.vnet.ibm.com> | 2013-10-26 21:32:55 -0400 |
| commit | e7a2ad7eb6f48ad80c70a22dd8167fb34b409466 (patch) | |
| tree | d1b7e58d2029a273a347b9b9a08f35c50b244d27 /security/integrity/ima/ima_main.c | |
| parent | 9b9d4ce592d283fc4c01da746c02a840c499bb7e (diff) | |
ima: enable support for larger default filedata hash algorithms
The IMA measurement list contains two hashes - a template data hash
and a filedata hash. The template data hash is committed to the TPM,
which is limited, by the TPM v1.2 specification, to 20 bytes. The
filedata hash is defined as 20 bytes as well.
Now that support for variable length measurement list templates was
added, the filedata hash is not limited to 20 bytes. This patch adds
Kconfig support for defining larger default filedata hash algorithms
and replacing the builtin default with one specified on the kernel
command line.
<uapi/linux/hash_info.h> contains a list of hash algorithms. The
Kconfig default hash algorithm is a subset of this list, but any hash
algorithm included in the list can be specified at boot, using the
'ima_hash=' kernel command line option.
Changelog v2:
- update Kconfig
Changelog:
- support hashes that are configured
- use generic HASH_ALGO_ definitions
- add Kconfig support
- hash_setup must be called only once (Dmitry)
- removed trailing whitespaces (Roberto Sassu)
Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
Signed-off-by: Roberto Sassu <roberto.sassu@polito.it>
Diffstat (limited to 'security/integrity/ima/ima_main.c')
| -rw-r--r-- | security/integrity/ima/ima_main.c | 26 |
1 files changed, 24 insertions, 2 deletions
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 0b11bb49ac4f..14d4cb557894 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c | |||
| @@ -37,11 +37,32 @@ int ima_appraise; | |||
| 37 | #endif | 37 | #endif |
| 38 | 38 | ||
| 39 | int ima_hash_algo = HASH_ALGO_SHA1; | 39 | int ima_hash_algo = HASH_ALGO_SHA1; |
| 40 | static int hash_setup_done; | ||
| 40 | 41 | ||
| 41 | static int __init hash_setup(char *str) | 42 | static int __init hash_setup(char *str) |
| 42 | { | 43 | { |
| 43 | if (strncmp(str, "md5", 3) == 0) | 44 | struct ima_template_desc *template_desc = ima_template_desc_current(); |
| 44 | ima_hash_algo = HASH_ALGO_MD5; | 45 | int i; |
| 46 | |||
| 47 | if (hash_setup_done) | ||
| 48 | return 1; | ||
| 49 | |||
| 50 | if (strcmp(template_desc->name, IMA_TEMPLATE_IMA_NAME) == 0) { | ||
| 51 | if (strncmp(str, "sha1", 4) == 0) | ||
| 52 | ima_hash_algo = HASH_ALGO_SHA1; | ||
| 53 | else if (strncmp(str, "md5", 3) == 0) | ||
| 54 | ima_hash_algo = HASH_ALGO_MD5; | ||
| 55 | goto out; | ||
| 56 | } | ||
| 57 | |||
| 58 | for (i = 0; i < HASH_ALGO__LAST; i++) { | ||
| 59 | if (strcmp(str, hash_algo_name[i]) == 0) { | ||
| 60 | ima_hash_algo = i; | ||
| 61 | break; | ||
| 62 | } | ||
| 63 | } | ||
| 64 | out: | ||
| 65 | hash_setup_done = 1; | ||
| 45 | return 1; | 66 | return 1; |
| 46 | } | 67 | } |
| 47 | __setup("ima_hash=", hash_setup); | 68 | __setup("ima_hash=", hash_setup); |
| @@ -306,6 +327,7 @@ static int __init init_ima(void) | |||
| 306 | { | 327 | { |
| 307 | int error; | 328 | int error; |
| 308 | 329 | ||
| 330 | hash_setup(CONFIG_IMA_DEFAULT_HASH); | ||
| 309 | error = ima_init(); | 331 | error = ima_init(); |
| 310 | if (!error) | 332 | if (!error) |
| 311 | ima_initialized = 1; | 333 | ima_initialized = 1; |