Merge branch 'next-evm-digsig' of git://git.kernel.org/pub/scm/linux/kernel/git/kasatkin/linux-digsig into next

author: James Morris <jmorris@namei.org> 2011-11-18 02:21:31 -0500
committer: James Morris <jmorris@namei.org> 2011-11-18 02:21:31 -0500
commit: 4e2c5b28f8086cd2f678ade0ea21d8c3cc058c53 (patch)
tree: 789fbdac68279765ade21c576bb22b77a5c112bc /security
parent: 8077e8b059232f23fe51fdc42868dcd8ba293549 (diff)
parent: 15647eb3985ef30dfd657038924dc85c03026733 (diff)
7 files changed, 226 insertions, 30 deletions
diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig
index 4bf00acf7937..d87fa2a8fa3b 100644
--- a/security/integrity/Kconfig
+++ b/security/integrity/Kconfig
@@ -3,5 +3,19 @@ config INTEGRITY
        def_bool y
        depends on IMA || EVM
+config INTEGRITY_DIGSIG
+        boolean "Digital signature verification using multiple keyrings"
+        depends on INTEGRITY
+        default n
+        select DIGSIG
+        help
+          This option enables digital signature verification support
+          using multiple keyrings. It defines separate keyrings for each
+          of the different use cases - evm, ima, and modules.
+          Different keyrings improves search performance, but also allow
+          to "lock" certain keyring to prevent adding new keys.
+          This is useful for evm and module keyrings, when keys are
+          usually only added from initramfs.
 source security/integrity/ima/Kconfig
 source security/integrity/evm/Kconfig
diff --git a/security/integrity/Makefile b/security/integrity/Makefile
index 0ae44aea6516..bece0563ee5e 100644
--- a/security/integrity/Makefile
+++ b/security/integrity/Makefile
@@ -3,6 +3,7 @@
 #
 obj-$(CONFIG_INTEGRITY) += integrity.o
+obj-$(CONFIG_INTEGRITY_DIGSIG) += digsig.o
 integrity-y := iint.o
diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
new file mode 100644
index 000000000000..2dc167d7cde9
--- /dev/null
+++ b/security/integrity/digsig.c
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2011 Intel Corporation
+ *
+ * Author:
+ * Dmitry Kasatkin <dmitry.kasatkin@intel.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 2 of the License.
+ *
+ */
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+#include <linux/err.h>
+#include <linux/rbtree.h>
+#include <linux/key-type.h>
+#include <linux/digsig.h>
+#include "integrity.h"
+static struct key *keyring[INTEGRITY_KEYRING_MAX];
+static const char *keyring_name[INTEGRITY_KEYRING_MAX] = {
+        "_evm",
+        "_module",
+        "_ima",
+};
+int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
+                                        const char *digest, int digestlen)
+{
+        if (id >= INTEGRITY_KEYRING_MAX)
+                return -EINVAL;
+        if (!keyring[id]) {
+                keyring[id] =
+                        request_key(&key_type_keyring, keyring_name[id], NULL);
+                if (IS_ERR(keyring[id])) {
+                        int err = PTR_ERR(keyring[id]);
+                        pr_err("no %s keyring: %d\n", keyring_name[id], err);
+                        keyring[id] = NULL;
+                        return err;
+                }
+        }
+        return digsig_verify(keyring[id], sig, siglen, digest, digestlen);
+}
diff --git a/security/integrity/evm/evm.h b/security/integrity/evm/evm.h
index d320f5197437..c885247ebcf7 100644
--- a/security/integrity/evm/evm.h
+++ b/security/integrity/evm/evm.h
@@ -12,14 +12,21 @@
 * File: evm.h
 *
 */
+#ifndef __INTEGRITY_EVM_H
+#define __INTEGRITY_EVM_H
 #include <linux/xattr.h>
 #include <linux/security.h>
 #include "../integrity.h"
 extern int evm_initialized;
 extern char *evm_hmac;
+extern char *evm_hash;
 extern struct crypto_shash *hmac_tfm;
+extern struct crypto_shash *hash_tfm;
 /* List of EVM protected security xattrs */
 extern char *evm_config_xattrnames[];
@@ -32,7 +39,12 @@ extern int evm_update_evmxattr(struct dentry *dentry,
 extern int evm_calc_hmac(struct dentry *dentry, const char *req_xattr_name,
                         const char *req_xattr_value,
                         size_t req_xattr_value_len, char *digest);
+extern int evm_calc_hash(struct dentry *dentry, const char *req_xattr_name,
+                         const char *req_xattr_value,
+                         size_t req_xattr_value_len, char *digest);
 extern int evm_init_hmac(struct inode *inode, const struct xattr *xattr,
                         char *hmac_val);
 extern int evm_init_secfs(void);
 extern void evm_cleanup_secfs(void);
+#endif
diff --git a/security/integrity/evm/evm_crypto.c b/security/integrity/evm/evm_crypto.c
index 5dd5b140242c..847a2d7dff17 100644
--- a/security/integrity/evm/evm_crypto.c
+++ b/security/integrity/evm/evm_crypto.c
@@ -26,34 +26,48 @@ static unsigned char evmkey[MAX_KEY_SIZE];
 static int evmkey_len = MAX_KEY_SIZE;
 struct crypto_shash *hmac_tfm;
+struct crypto_shash *hash_tfm;
-static struct shash_desc *init_desc(void)
+static struct shash_desc *init_desc(const char type)
 {
        int rc;
+        char *algo;
+        struct crypto_shash **tfm;
        struct shash_desc *desc;
-        if (hmac_tfm == NULL) {
+        if (type == EVM_XATTR_HMAC) {
-                hmac_tfm = crypto_alloc_shash(evm_hmac, 0, CRYPTO_ALG_ASYNC);
+                tfm = &hmac_tfm;
-                if (IS_ERR(hmac_tfm)) {
+                algo = evm_hmac;
+        } else {
+                tfm = &hash_tfm;
+                algo = evm_hash;
+        }
+        if (*tfm == NULL) {
+                *tfm = crypto_alloc_shash(algo, 0, CRYPTO_ALG_ASYNC);
+                if (IS_ERR(*tfm)) {
                        pr_err("Can not allocate %s (reason: %ld)\n",
-                               evm_hmac, PTR_ERR(hmac_tfm));
+                               algo, PTR_ERR(*tfm));
-                        rc = PTR_ERR(hmac_tfm);
+                        rc = PTR_ERR(*tfm);
-                        hmac_tfm = NULL;
+                        *tfm = NULL;
                        return ERR_PTR(rc);
                }
        }
-        desc = kmalloc(sizeof(*desc) + crypto_shash_descsize(hmac_tfm),
+        desc = kmalloc(sizeof(*desc) + crypto_shash_descsize(*tfm),
                        GFP_KERNEL);
        if (!desc)
                return ERR_PTR(-ENOMEM);
-        desc->tfm = hmac_tfm;
+        desc->tfm = *tfm;
        desc->flags = CRYPTO_TFM_REQ_MAY_SLEEP;
-        rc = crypto_shash_setkey(hmac_tfm, evmkey, evmkey_len);
+        if (type == EVM_XATTR_HMAC) {
-        if (rc)
+                rc = crypto_shash_setkey(*tfm, evmkey, evmkey_len);
-                goto out;
+                if (rc)
+                        goto out;
+        }
        rc = crypto_shash_init(desc);
 out:
        if (rc) {
@@ -97,9 +111,11 @@ static void hmac_add_misc(struct shash_desc *desc, struct inode *inode,
 * the hmac using the requested xattr value. Don't alloc/free memory for
 * each xattr, but attempt to re-use the previously allocated memory.
 */
-int evm_calc_hmac(struct dentry *dentry, const char *req_xattr_name,
+static int evm_calc_hmac_or_hash(struct dentry *dentry,
-                  const char *req_xattr_value, size_t req_xattr_value_len,
+                                const char *req_xattr_name,
-                  char *digest)
+                                const char *req_xattr_value,
+                                size_t req_xattr_value_len,
+                                char type, char *digest)
 {
        struct inode *inode = dentry->d_inode;
        struct shash_desc *desc;
@@ -111,7 +127,7 @@ int evm_calc_hmac(struct dentry *dentry, const char *req_xattr_name,
        if (!inode->i_op || !inode->i_op->getxattr)
                return -EOPNOTSUPP;
-        desc = init_desc();
+        desc = init_desc(type);
        if (IS_ERR(desc))
                return PTR_ERR(desc);
@@ -145,6 +161,22 @@ out:
        return error;
 }
+int evm_calc_hmac(struct dentry *dentry, const char *req_xattr_name,
+                  const char *req_xattr_value, size_t req_xattr_value_len,
+                  char *digest)
+{
+        return evm_calc_hmac_or_hash(dentry, req_xattr_name, req_xattr_value,
+                                req_xattr_value_len, EVM_XATTR_HMAC, digest);
+}
+int evm_calc_hash(struct dentry *dentry, const char *req_xattr_name,
+                  const char *req_xattr_value, size_t req_xattr_value_len,
+                  char *digest)
+{
+        return evm_calc_hmac_or_hash(dentry, req_xattr_name, req_xattr_value,
+                                req_xattr_value_len, IMA_XATTR_DIGEST, digest);
+}
 /*
 * Calculate the hmac and update security.evm xattr
 *
@@ -175,7 +207,7 @@ int evm_init_hmac(struct inode *inode, const struct xattr *lsm_xattr,
 {
        struct shash_desc *desc;
-        desc = init_desc();
+        desc = init_desc(EVM_XATTR_HMAC);
        if (IS_ERR(desc)) {
                printk(KERN_INFO "init_desc failed\n");
                return PTR_ERR(desc);
diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
index 92d3d99a9f7b..8901501425f4 100644
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -25,6 +25,7 @@
 int evm_initialized;
 char *evm_hmac = "hmac(sha1)";
+char *evm_hash = "sha1";
 char *evm_config_xattrnames[] = {
 #ifdef CONFIG_SECURITY_SELINUX
@@ -46,6 +47,29 @@ static int __init evm_set_fixmode(char *str)
 }
 __setup("evm=", evm_set_fixmode);
+static int evm_find_protected_xattrs(struct dentry *dentry)
+{
+        struct inode *inode = dentry->d_inode;
+        char **xattr;
+        int error;
+        int count = 0;
+        if (!inode->i_op || !inode->i_op->getxattr)
+                return -EOPNOTSUPP;
+        for (xattr = evm_config_xattrnames; *xattr != NULL; xattr++) {
+                error = inode->i_op->getxattr(dentry, *xattr, NULL, 0);
+                if (error < 0) {
+                        if (error == -ENODATA)
+                                continue;
+                        return error;
+                }
+                count++;
+        }
+        return count;
+}
 /*
 * evm_verify_hmac - calculate and compare the HMAC with the EVM xattr
 *
@@ -65,32 +89,72 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry,
                                             size_t xattr_value_len,
                                             struct integrity_iint_cache *iint)
 {
-        struct evm_ima_xattr_data xattr_data;
+        struct evm_ima_xattr_data *xattr_data = NULL;
+        struct evm_ima_xattr_data calc;
        enum integrity_status evm_status = INTEGRITY_PASS;
-        int rc;
+        int rc, xattr_len;
        if (iint && iint->evm_status == INTEGRITY_PASS)
                return iint->evm_status;
        /* if status is not PASS, try to check again - against -ENOMEM */
-        rc = evm_calc_hmac(dentry, xattr_name, xattr_value,
+        /* first need to know the sig type */
-                           xattr_value_len, xattr_data.digest);
+        rc = vfs_getxattr_alloc(dentry, XATTR_NAME_EVM, (char **)&xattr_data, 0,
-        if (rc < 0) {
+                                GFP_NOFS);
-                evm_status = (rc == -ENODATA)
+        if (rc <= 0) {
-                    ? INTEGRITY_NOXATTRS : INTEGRITY_FAIL;
+                if (rc == 0)
+                        evm_status = INTEGRITY_FAIL; /* empty */
+                else if (rc == -ENODATA) {
+                        rc = evm_find_protected_xattrs(dentry);
+                        if (rc > 0)
+                                evm_status = INTEGRITY_NOLABEL;
+                        else if (rc == 0)
+                                evm_status = INTEGRITY_NOXATTRS; /* new file */
+                }
                goto out;
        }
-        xattr_data.type = EVM_XATTR_HMAC;
+        xattr_len = rc - 1;
-        rc = vfs_xattr_cmp(dentry, XATTR_NAME_EVM, (u8 *)&xattr_data,
-                           sizeof xattr_data, GFP_NOFS);
+        /* check value type */
-        if (rc < 0)
+        switch (xattr_data->type) {
-                evm_status = (rc == -ENODATA)
+        case EVM_XATTR_HMAC:
-                    ? INTEGRITY_NOLABEL : INTEGRITY_FAIL;
+                rc = evm_calc_hmac(dentry, xattr_name, xattr_value,
+                                   xattr_value_len, calc.digest);
+                if (rc)
+                        break;
+                rc = memcmp(xattr_data->digest, calc.digest,
+                            sizeof(calc.digest));
+                if (rc)
+                        rc = -EINVAL;
+                break;
+        case EVM_IMA_XATTR_DIGSIG:
+                rc = evm_calc_hash(dentry, xattr_name, xattr_value,
+                                xattr_value_len, calc.digest);
+                if (rc)
+                        break;
+                rc = integrity_digsig_verify(INTEGRITY_KEYRING_EVM,
+                                        xattr_data->digest, xattr_len,
+                                        calc.digest, sizeof(calc.digest));
+                if (!rc) {
+                        /* we probably want to replace rsa with hmac here */
+                        evm_update_evmxattr(dentry, xattr_name, xattr_value,
+                                   xattr_value_len);
+                }
+                break;
+        default:
+                rc = -EINVAL;
+                break;
+        }
+        if (rc)
+                evm_status = (rc == -ENODATA) ?
+                                INTEGRITY_NOXATTRS : INTEGRITY_FAIL;
 out:
        if (iint)
                iint->evm_status = evm_status;
+        kfree(xattr_data);
        return evm_status;
 }
@@ -354,6 +418,8 @@ static int __init init_evm(void)
                printk(KERN_INFO "EVM: Error registering secfs\n");
                goto err;
        }
+        return 0;
 err:
        return error;
 }
@@ -363,6 +429,8 @@ static void __exit cleanup_evm(void)
        evm_cleanup_secfs();
        if (hmac_tfm)
                crypto_free_shash(hmac_tfm);
+        if (hash_tfm)
+                crypto_free_shash(hash_tfm);
 }
 /*
diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
index 3143a3c39868..4da6ba81d153 100644
--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -46,5 +46,26 @@ struct integrity_iint_cache {
 struct integrity_iint_cache *integrity_iint_insert(struct inode *inode);
 struct integrity_iint_cache *integrity_iint_find(struct inode *inode);
+#define INTEGRITY_KEYRING_EVM           0
+#define INTEGRITY_KEYRING_MODULE        1
+#define INTEGRITY_KEYRING_IMA           2
+#define INTEGRITY_KEYRING_MAX           3
+#ifdef CONFIG_INTEGRITY_DIGSIG
+int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
+                                        const char *digest, int digestlen);
+#else
+static inline int integrity_digsig_verify(const unsigned int id,
+                                          const char *sig, int siglen,
+                                          const char *digest, int digestlen)
+{
+        return -EOPNOTSUPP;
+}
+#endif /* CONFIG_INTEGRITY_DIGSIG */
 /* set during initialization */
 extern int iint_initialized;
author	James Morris <jmorris@namei.org>	2011-11-18 02:21:31 -0500
committer	James Morris <jmorris@namei.org>	2011-11-18 02:21:31 -0500
commit	4e2c5b28f8086cd2f678ade0ea21d8c3cc058c53 (patch)
tree	789fbdac68279765ade21c576bb22b77a5c112bc /security
parent	8077e8b059232f23fe51fdc42868dcd8ba293549 (diff)
parent	15647eb3985ef30dfd657038924dc85c03026733 (diff)

diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig index 4bf00acf7937..d87fa2a8fa3b 100644 --- a/security/integrity/Kconfig +++ b/security/integrity/Kconfig
@@ -3,5 +3,19 @@ config INTEGRITY
3	def_bool y	3	def_bool y
4	depends on IMA \|\| EVM	4	depends on IMA \|\| EVM
5		5
		6	config INTEGRITY_DIGSIG
		7	boolean "Digital signature verification using multiple keyrings"
		8	depends on INTEGRITY
		9	default n
		10	select DIGSIG
		11	help
		12	This option enables digital signature verification support
		13	using multiple keyrings. It defines separate keyrings for each
		14	of the different use cases - evm, ima, and modules.
		15	Different keyrings improves search performance, but also allow
		16	to "lock" certain keyring to prevent adding new keys.
		17	This is useful for evm and module keyrings, when keys are
		18	usually only added from initramfs.
		19
6	source security/integrity/ima/Kconfig	20	source security/integrity/ima/Kconfig
7	source security/integrity/evm/Kconfig	21	source security/integrity/evm/Kconfig


diff --git a/security/integrity/Makefile b/security/integrity/Makefile index 0ae44aea6516..bece0563ee5e 100644 --- a/security/integrity/Makefile +++ b/security/integrity/Makefile
@@ -3,6 +3,7 @@
3	#	3	#
4		4
5	obj-$(CONFIG_INTEGRITY) += integrity.o	5	obj-$(CONFIG_INTEGRITY) += integrity.o
		6	obj-$(CONFIG_INTEGRITY_DIGSIG) += digsig.o
6		7
7	integrity-y := iint.o	8	integrity-y := iint.o
8		9


diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c new file mode 100644 index 000000000000..2dc167d7cde9 --- /dev/null +++ b/security/integrity/digsig.c
@@ -0,0 +1,48 @@
		1	/*
		2	* Copyright (C) 2011 Intel Corporation
		3	*
		4	* Author:
		5	* Dmitry Kasatkin <dmitry.kasatkin@intel.com>
		6	*
		7	* This program is free software; you can redistribute it and/or modify
		8	* it under the terms of the GNU General Public License as published by
		9	* the Free Software Foundation, version 2 of the License.
		10	*
		11	*/
		12
		13	#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
		14
		15	#include <linux/err.h>
		16	#include <linux/rbtree.h>
		17	#include <linux/key-type.h>
		18	#include <linux/digsig.h>
		19
		20	#include "integrity.h"
		21
		22	static struct key *keyring[INTEGRITY_KEYRING_MAX];
		23
		24	static const char *keyring_name[INTEGRITY_KEYRING_MAX] = {
		25	"_evm",
		26	"_module",
		27	"_ima",
		28	};
		29
		30	int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
		31	const char *digest, int digestlen)
		32	{
		33	if (id >= INTEGRITY_KEYRING_MAX)
		34	return -EINVAL;
		35
		36	if (!keyring[id]) {
		37	keyring[id] =
		38	request_key(&key_type_keyring, keyring_name[id], NULL);
		39	if (IS_ERR(keyring[id])) {
		40	int err = PTR_ERR(keyring[id]);
		41	pr_err("no %s keyring: %d\n", keyring_name[id], err);
		42	keyring[id] = NULL;
		43	return err;
		44	}
		45	}
		46
		47	return digsig_verify(keyring[id], sig, siglen, digest, digestlen);
		48	}


diff --git a/security/integrity/evm/evm.h b/security/integrity/evm/evm.h index d320f5197437..c885247ebcf7 100644 --- a/security/integrity/evm/evm.h +++ b/security/integrity/evm/evm.h
@@ -12,14 +12,21 @@
12	* File: evm.h	12	* File: evm.h
13	*	13	*
14	*/	14	*/
		15
		16	#ifndef __INTEGRITY_EVM_H
		17	#define __INTEGRITY_EVM_H
		18
15	#include <linux/xattr.h>	19	#include <linux/xattr.h>
16	#include <linux/security.h>	20	#include <linux/security.h>
		21
17	#include "../integrity.h"	22	#include "../integrity.h"
18		23
19	extern int evm_initialized;	24	extern int evm_initialized;
20	extern char *evm_hmac;	25	extern char *evm_hmac;
		26	extern char *evm_hash;
21		27
22	extern struct crypto_shash *hmac_tfm;	28	extern struct crypto_shash *hmac_tfm;
		29	extern struct crypto_shash *hash_tfm;
23		30
24	/* List of EVM protected security xattrs */	31	/* List of EVM protected security xattrs */
25	extern char *evm_config_xattrnames[];	32	extern char *evm_config_xattrnames[];
@@ -32,7 +39,12 @@ extern int evm_update_evmxattr(struct dentry *dentry,
32	extern int evm_calc_hmac(struct dentry dentry, const char req_xattr_name,	39	extern int evm_calc_hmac(struct dentry dentry, const char req_xattr_name,
33	const char *req_xattr_value,	40	const char *req_xattr_value,
34	size_t req_xattr_value_len, char *digest);	41	size_t req_xattr_value_len, char *digest);
		42	extern int evm_calc_hash(struct dentry dentry, const char req_xattr_name,
		43	const char *req_xattr_value,
		44	size_t req_xattr_value_len, char *digest);
35	extern int evm_init_hmac(struct inode inode, const struct xattr xattr,	45	extern int evm_init_hmac(struct inode inode, const struct xattr xattr,
36	char *hmac_val);	46	char *hmac_val);
37	extern int evm_init_secfs(void);	47	extern int evm_init_secfs(void);
38	extern void evm_cleanup_secfs(void);	48	extern void evm_cleanup_secfs(void);
		49
		50	#endif


diff --git a/security/integrity/evm/evm_crypto.c b/security/integrity/evm/evm_crypto.c index 5dd5b140242c..847a2d7dff17 100644 --- a/security/integrity/evm/evm_crypto.c +++ b/security/integrity/evm/evm_crypto.c
@@ -26,34 +26,48 @@ static unsigned char evmkey[MAX_KEY_SIZE];
26	static int evmkey_len = MAX_KEY_SIZE;	26	static int evmkey_len = MAX_KEY_SIZE;
27		27
28	struct crypto_shash *hmac_tfm;	28	struct crypto_shash *hmac_tfm;
		29	struct crypto_shash *hash_tfm;
29		30
30	static struct shash_desc *init_desc(void)	31	static struct shash_desc *init_desc(const char type)
31	{	32	{
32	int rc;	33	int rc;
		34	char *algo;
		35	struct crypto_shash **tfm;
33	struct shash_desc *desc;	36	struct shash_desc *desc;
34		37
35	if (hmac_tfm == NULL) {	38	if (type == EVM_XATTR_HMAC) {
36	hmac_tfm = crypto_alloc_shash(evm_hmac, 0, CRYPTO_ALG_ASYNC);	39	tfm = &hmac_tfm;
37	if (IS_ERR(hmac_tfm)) {	40	algo = evm_hmac;
		41	} else {
		42	tfm = &hash_tfm;
		43	algo = evm_hash;
		44	}
		45
		46	if (*tfm == NULL) {
		47	*tfm = crypto_alloc_shash(algo, 0, CRYPTO_ALG_ASYNC);
		48	if (IS_ERR(*tfm)) {
38	pr_err("Can not allocate %s (reason: %ld)\n",	49	pr_err("Can not allocate %s (reason: %ld)\n",
39	evm_hmac, PTR_ERR(hmac_tfm));	50	algo, PTR_ERR(*tfm));
40	rc = PTR_ERR(hmac_tfm);	51	rc = PTR_ERR(*tfm);
41	hmac_tfm = NULL;	52	*tfm = NULL;
42	return ERR_PTR(rc);	53	return ERR_PTR(rc);
43	}	54	}
44	}	55	}
45		56
46	desc = kmalloc(sizeof(*desc) + crypto_shash_descsize(hmac_tfm),	57	desc = kmalloc(sizeof(desc) + crypto_shash_descsize(tfm),
47	GFP_KERNEL);	58	GFP_KERNEL);
48	if (!desc)	59	if (!desc)
49	return ERR_PTR(-ENOMEM);	60	return ERR_PTR(-ENOMEM);
50		61
51	desc->tfm = hmac_tfm;	62	desc->tfm = *tfm;
52	desc->flags = CRYPTO_TFM_REQ_MAY_SLEEP;	63	desc->flags = CRYPTO_TFM_REQ_MAY_SLEEP;
53		64
54	rc = crypto_shash_setkey(hmac_tfm, evmkey, evmkey_len);	65	if (type == EVM_XATTR_HMAC) {
55	if (rc)	66	rc = crypto_shash_setkey(*tfm, evmkey, evmkey_len);
56	goto out;	67	if (rc)
		68	goto out;
		69	}
		70
57	rc = crypto_shash_init(desc);	71	rc = crypto_shash_init(desc);
58	out:	72	out:
59	if (rc) {	73	if (rc) {
@@ -97,9 +111,11 @@ static void hmac_add_misc(struct shash_desc desc, struct inode inode,
97	* the hmac using the requested xattr value. Don't alloc/free memory for	111	* the hmac using the requested xattr value. Don't alloc/free memory for
98	* each xattr, but attempt to re-use the previously allocated memory.	112	* each xattr, but attempt to re-use the previously allocated memory.
99	*/	113	*/
100	int evm_calc_hmac(struct dentry dentry, const char req_xattr_name,	114	static int evm_calc_hmac_or_hash(struct dentry *dentry,
101	const char *req_xattr_value, size_t req_xattr_value_len,	115	const char *req_xattr_name,
102	char *digest)	116	const char *req_xattr_value,
		117	size_t req_xattr_value_len,
		118	char type, char *digest)
103	{	119	{
104	struct inode *inode = dentry->d_inode;	120	struct inode *inode = dentry->d_inode;
105	struct shash_desc *desc;	121	struct shash_desc *desc;
@@ -111,7 +127,7 @@ int evm_calc_hmac(struct dentry dentry, const char req_xattr_name,
111		127
112	if (!inode->i_op \|\| !inode->i_op->getxattr)	128	if (!inode->i_op \|\| !inode->i_op->getxattr)
113	return -EOPNOTSUPP;	129	return -EOPNOTSUPP;
114	desc = init_desc();	130	desc = init_desc(type);
115	if (IS_ERR(desc))	131	if (IS_ERR(desc))
116	return PTR_ERR(desc);	132	return PTR_ERR(desc);
117		133
@@ -145,6 +161,22 @@ out:
145	return error;	161	return error;
146	}	162	}
147		163
		164	int evm_calc_hmac(struct dentry dentry, const char req_xattr_name,
		165	const char *req_xattr_value, size_t req_xattr_value_len,
		166	char *digest)
		167	{
		168	return evm_calc_hmac_or_hash(dentry, req_xattr_name, req_xattr_value,
		169	req_xattr_value_len, EVM_XATTR_HMAC, digest);
		170	}
		171
		172	int evm_calc_hash(struct dentry dentry, const char req_xattr_name,
		173	const char *req_xattr_value, size_t req_xattr_value_len,
		174	char *digest)
		175	{
		176	return evm_calc_hmac_or_hash(dentry, req_xattr_name, req_xattr_value,
		177	req_xattr_value_len, IMA_XATTR_DIGEST, digest);
		178	}
		179
148	/*	180	/*
149	* Calculate the hmac and update security.evm xattr	181	* Calculate the hmac and update security.evm xattr
150	*	182	*
@@ -175,7 +207,7 @@ int evm_init_hmac(struct inode inode, const struct xattr lsm_xattr,
175	{	207	{
176	struct shash_desc *desc;	208	struct shash_desc *desc;
177		209
178	desc = init_desc();	210	desc = init_desc(EVM_XATTR_HMAC);
179	if (IS_ERR(desc)) {	211	if (IS_ERR(desc)) {
180	printk(KERN_INFO "init_desc failed\n");	212	printk(KERN_INFO "init_desc failed\n");
181	return PTR_ERR(desc);	213	return PTR_ERR(desc);


diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c index 92d3d99a9f7b..8901501425f4 100644 --- a/security/integrity/evm/evm_main.c +++ b/security/integrity/evm/evm_main.c
@@ -25,6 +25,7 @@
25	int evm_initialized;	25	int evm_initialized;
26		26
27	char *evm_hmac = "hmac(sha1)";	27	char *evm_hmac = "hmac(sha1)";
		28	char *evm_hash = "sha1";
28		29
29	char *evm_config_xattrnames[] = {	30	char *evm_config_xattrnames[] = {
30	#ifdef CONFIG_SECURITY_SELINUX	31	#ifdef CONFIG_SECURITY_SELINUX
@@ -46,6 +47,29 @@ static int __init evm_set_fixmode(char *str)
46	}	47	}
47	__setup("evm=", evm_set_fixmode);	48	__setup("evm=", evm_set_fixmode);
48		49
		50	static int evm_find_protected_xattrs(struct dentry *dentry)
		51	{
		52	struct inode *inode = dentry->d_inode;
		53	char **xattr;
		54	int error;
		55	int count = 0;
		56
		57	if (!inode->i_op \|\| !inode->i_op->getxattr)
		58	return -EOPNOTSUPP;
		59
		60	for (xattr = evm_config_xattrnames; *xattr != NULL; xattr++) {
		61	error = inode->i_op->getxattr(dentry, *xattr, NULL, 0);
		62	if (error < 0) {
		63	if (error == -ENODATA)
		64	continue;
		65	return error;
		66	}
		67	count++;
		68	}
		69
		70	return count;
		71	}
		72
49	/*	73	/*
50	* evm_verify_hmac - calculate and compare the HMAC with the EVM xattr	74	* evm_verify_hmac - calculate and compare the HMAC with the EVM xattr
51	*	75	*
@@ -65,32 +89,72 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry,
65	size_t xattr_value_len,	89	size_t xattr_value_len,
66	struct integrity_iint_cache *iint)	90	struct integrity_iint_cache *iint)
67	{	91	{
68	struct evm_ima_xattr_data xattr_data;	92	struct evm_ima_xattr_data *xattr_data = NULL;
		93	struct evm_ima_xattr_data calc;
69	enum integrity_status evm_status = INTEGRITY_PASS;	94	enum integrity_status evm_status = INTEGRITY_PASS;
70	int rc;	95	int rc, xattr_len;
71		96
72	if (iint && iint->evm_status == INTEGRITY_PASS)	97	if (iint && iint->evm_status == INTEGRITY_PASS)
73	return iint->evm_status;	98	return iint->evm_status;
74		99
75	/* if status is not PASS, try to check again - against -ENOMEM */	100	/* if status is not PASS, try to check again - against -ENOMEM */
76		101
77	rc = evm_calc_hmac(dentry, xattr_name, xattr_value,	102	/* first need to know the sig type */
78	xattr_value_len, xattr_data.digest);	103	rc = vfs_getxattr_alloc(dentry, XATTR_NAME_EVM, (char **)&xattr_data, 0,
79	if (rc < 0) {	104	GFP_NOFS);
80	evm_status = (rc == -ENODATA)	105	if (rc <= 0) {
81	? INTEGRITY_NOXATTRS : INTEGRITY_FAIL;	106	if (rc == 0)
		107	evm_status = INTEGRITY_FAIL; /* empty */
		108	else if (rc == -ENODATA) {
		109	rc = evm_find_protected_xattrs(dentry);
		110	if (rc > 0)
		111	evm_status = INTEGRITY_NOLABEL;
		112	else if (rc == 0)
		113	evm_status = INTEGRITY_NOXATTRS; /* new file */
		114	}
82	goto out;	115	goto out;
83	}	116	}
84		117
85	xattr_data.type = EVM_XATTR_HMAC;	118	xattr_len = rc - 1;
86	rc = vfs_xattr_cmp(dentry, XATTR_NAME_EVM, (u8 *)&xattr_data,	119
87	sizeof xattr_data, GFP_NOFS);	120	/* check value type */
88	if (rc < 0)	121	switch (xattr_data->type) {
89	evm_status = (rc == -ENODATA)	122	case EVM_XATTR_HMAC:
90	? INTEGRITY_NOLABEL : INTEGRITY_FAIL;	123	rc = evm_calc_hmac(dentry, xattr_name, xattr_value,
		124	xattr_value_len, calc.digest);
		125	if (rc)
		126	break;
		127	rc = memcmp(xattr_data->digest, calc.digest,
		128	sizeof(calc.digest));
		129	if (rc)
		130	rc = -EINVAL;
		131	break;
		132	case EVM_IMA_XATTR_DIGSIG:
		133	rc = evm_calc_hash(dentry, xattr_name, xattr_value,
		134	xattr_value_len, calc.digest);
		135	if (rc)
		136	break;
		137	rc = integrity_digsig_verify(INTEGRITY_KEYRING_EVM,
		138	xattr_data->digest, xattr_len,
		139	calc.digest, sizeof(calc.digest));
		140	if (!rc) {
		141	/* we probably want to replace rsa with hmac here */
		142	evm_update_evmxattr(dentry, xattr_name, xattr_value,
		143	xattr_value_len);
		144	}
		145	break;
		146	default:
		147	rc = -EINVAL;
		148	break;
		149	}
		150
		151	if (rc)
		152	evm_status = (rc == -ENODATA) ?
		153	INTEGRITY_NOXATTRS : INTEGRITY_FAIL;
91	out:	154	out:
92	if (iint)	155	if (iint)
93	iint->evm_status = evm_status;	156	iint->evm_status = evm_status;
		157	kfree(xattr_data);
94	return evm_status;	158	return evm_status;
95	}	159	}
96		160
@@ -354,6 +418,8 @@ static int __init init_evm(void)
354	printk(KERN_INFO "EVM: Error registering secfs\n");	418	printk(KERN_INFO "EVM: Error registering secfs\n");
355	goto err;	419	goto err;
356	}	420	}
		421
		422	return 0;
357	err:	423	err:
358	return error;	424	return error;
359	}	425	}
@@ -363,6 +429,8 @@ static void __exit cleanup_evm(void)
363	evm_cleanup_secfs();	429	evm_cleanup_secfs();
364	if (hmac_tfm)	430	if (hmac_tfm)
365	crypto_free_shash(hmac_tfm);	431	crypto_free_shash(hmac_tfm);
		432	if (hash_tfm)
		433	crypto_free_shash(hash_tfm);
366	}	434	}
367		435
368	/*	436	/*


diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h index 3143a3c39868..4da6ba81d153 100644 --- a/security/integrity/integrity.h +++ b/security/integrity/integrity.h
@@ -46,5 +46,26 @@ struct integrity_iint_cache {
46	struct integrity_iint_cache integrity_iint_insert(struct inode inode);	46	struct integrity_iint_cache integrity_iint_insert(struct inode inode);
47	struct integrity_iint_cache integrity_iint_find(struct inode inode);	47	struct integrity_iint_cache integrity_iint_find(struct inode inode);
48		48
		49	#define INTEGRITY_KEYRING_EVM 0
		50	#define INTEGRITY_KEYRING_MODULE 1
		51	#define INTEGRITY_KEYRING_IMA 2
		52	#define INTEGRITY_KEYRING_MAX 3
		53
		54	#ifdef CONFIG_INTEGRITY_DIGSIG
		55
		56	int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
		57	const char *digest, int digestlen);
		58
		59	#else
		60
		61	static inline int integrity_digsig_verify(const unsigned int id,
		62	const char *sig, int siglen,
		63	const char *digest, int digestlen)
		64	{
		65	return -EOPNOTSUPP;
		66	}
		67
		68	#endif /* CONFIG_INTEGRITY_DIGSIG */
		69
49	/* set during initialization */	70	/* set during initialization */
50	extern int iint_initialized;	71	extern int iint_initialized;