aboutsummaryrefslogtreecommitdiffstats
path: root/security/integrity
diff options
context:
space:
mode:
authorDmitry Kasatkin <d.kasatkin@samsung.com>2013-06-07 06:16:25 -0400
committerMimi Zohar <zohar@linux.vnet.ibm.com>2013-10-25 17:17:02 -0400
commit09ef54359c4ad49c01a12503b2c510b424ecf059 (patch)
tree18911069d877f2ae821c040d5fc64339dffd03d7 /security/integrity
parentea593993d361748e795f5eb783a5fb5144fb2df9 (diff)
ima: ima_calc_boot_agregate must use SHA1
With multiple hash algorithms, ima_hash_tfm is no longer guaranteed to be sha1. Need to force to use sha1. Changelog: - pass ima_digest_data to ima_calc_boot_aggregate() instead of char * (Roberto Sassu); - create an ima_digest_data structure in ima_add_boot_aggregate() (Roberto Sassu); - pass hash->algo to ima_alloc_tfm() (Roberto Sassu, reported by Dmitry). - "move hash definition in ima_add_boot_aggregate()" commit hunk to here. - sparse warning fix - Fengguang Wu Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com> Signed-off-by: Roberto Sassu <roberto.sassu@polito.it> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Diffstat (limited to 'security/integrity')
-rw-r--r--security/integrity/ima/ima.h2
-rw-r--r--security/integrity/ima/ima_crypto.c24
-rw-r--r--security/integrity/ima/ima_init.c10
3 files changed, 31 insertions, 5 deletions
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index 52393edfbfd9..e0e1cde6e674 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -73,7 +73,7 @@ int ima_add_template_entry(struct ima_template_entry *entry, int violation,
73int ima_calc_file_hash(struct file *file, struct ima_digest_data *hash); 73int ima_calc_file_hash(struct file *file, struct ima_digest_data *hash);
74int ima_calc_buffer_hash(const void *data, int len, 74int ima_calc_buffer_hash(const void *data, int len,
75 struct ima_digest_data *hash); 75 struct ima_digest_data *hash);
76int ima_calc_boot_aggregate(char *digest); 76int __init ima_calc_boot_aggregate(struct ima_digest_data *hash);
77void ima_add_violation(struct inode *inode, const unsigned char *filename, 77void ima_add_violation(struct inode *inode, const unsigned char *filename,
78 const char *op, const char *cause); 78 const char *op, const char *cause);
79int ima_init_crypto(void); 79int ima_init_crypto(void);
diff --git a/security/integrity/ima/ima_crypto.c b/security/integrity/ima/ima_crypto.c
index e2be2524a372..22be23f13b3d 100644
--- a/security/integrity/ima/ima_crypto.c
+++ b/security/integrity/ima/ima_crypto.c
@@ -184,16 +184,17 @@ static void __init ima_pcrread(int idx, u8 *pcr)
184/* 184/*
185 * Calculate the boot aggregate hash 185 * Calculate the boot aggregate hash
186 */ 186 */
187int __init ima_calc_boot_aggregate(char *digest) 187static int __init ima_calc_boot_aggregate_tfm(char *digest,
188 struct crypto_shash *tfm)
188{ 189{
189 u8 pcr_i[TPM_DIGEST_SIZE]; 190 u8 pcr_i[TPM_DIGEST_SIZE];
190 int rc, i; 191 int rc, i;
191 struct { 192 struct {
192 struct shash_desc shash; 193 struct shash_desc shash;
193 char ctx[crypto_shash_descsize(ima_shash_tfm)]; 194 char ctx[crypto_shash_descsize(tfm)];
194 } desc; 195 } desc;
195 196
196 desc.shash.tfm = ima_shash_tfm; 197 desc.shash.tfm = tfm;
197 desc.shash.flags = 0; 198 desc.shash.flags = 0;
198 199
199 rc = crypto_shash_init(&desc.shash); 200 rc = crypto_shash_init(&desc.shash);
@@ -210,3 +211,20 @@ int __init ima_calc_boot_aggregate(char *digest)
210 crypto_shash_final(&desc.shash, digest); 211 crypto_shash_final(&desc.shash, digest);
211 return rc; 212 return rc;
212} 213}
214
215int __init ima_calc_boot_aggregate(struct ima_digest_data *hash)
216{
217 struct crypto_shash *tfm;
218 int rc;
219
220 tfm = ima_alloc_tfm(hash->algo);
221 if (IS_ERR(tfm))
222 return PTR_ERR(tfm);
223
224 hash->length = crypto_shash_digestsize(tfm);
225 rc = ima_calc_boot_aggregate_tfm(hash->digest, tfm);
226
227 ima_free_tfm(tfm);
228
229 return rc;
230}
diff --git a/security/integrity/ima/ima_init.c b/security/integrity/ima/ima_init.c
index 9d0243c10558..77cd5005f2db 100644
--- a/security/integrity/ima/ima_init.c
+++ b/security/integrity/ima/ima_init.c
@@ -18,6 +18,7 @@
18#include <linux/scatterlist.h> 18#include <linux/scatterlist.h>
19#include <linux/slab.h> 19#include <linux/slab.h>
20#include <linux/err.h> 20#include <linux/err.h>
21#include <crypto/hash_info.h>
21#include "ima.h" 22#include "ima.h"
22 23
23/* name for boot aggregate entry */ 24/* name for boot aggregate entry */
@@ -46,6 +47,10 @@ static void __init ima_add_boot_aggregate(void)
46 const char *audit_cause = "ENOMEM"; 47 const char *audit_cause = "ENOMEM";
47 int result = -ENOMEM; 48 int result = -ENOMEM;
48 int violation = 1; 49 int violation = 1;
50 struct {
51 struct ima_digest_data hdr;
52 char digest[TPM_DIGEST_SIZE];
53 } hash;
49 54
50 entry = kmalloc(sizeof(*entry), GFP_KERNEL); 55 entry = kmalloc(sizeof(*entry), GFP_KERNEL);
51 if (!entry) 56 if (!entry)
@@ -56,12 +61,15 @@ static void __init ima_add_boot_aggregate(void)
56 IMA_EVENT_NAME_LEN_MAX); 61 IMA_EVENT_NAME_LEN_MAX);
57 if (ima_used_chip) { 62 if (ima_used_chip) {
58 violation = 0; 63 violation = 0;
59 result = ima_calc_boot_aggregate(entry->template.digest); 64 hash.hdr.algo = HASH_ALGO_SHA1;
65 result = ima_calc_boot_aggregate(&hash.hdr);
60 if (result < 0) { 66 if (result < 0) {
61 audit_cause = "hashing_error"; 67 audit_cause = "hashing_error";
62 kfree(entry); 68 kfree(entry);
63 goto err_out; 69 goto err_out;
64 } 70 }
71 memcpy(entry->template.digest, hash.hdr.digest,
72 hash.hdr.length);
65 } 73 }
66 result = ima_store_template(entry, violation, NULL); 74 result = ima_store_template(entry, violation, NULL);
67 if (result < 0) 75 if (result < 0)
generated by cgit v1.2.2 (git 2.25.0) at 2025-03-09 03:04:56 -0400