2 files changed, 36 insertions, 0 deletions
diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
index 1a036cd972fb..2b78cb55ac34 100644
--- a/Documentation/kernel-parameters.txt
+++ b/Documentation/kernel-parameters.txt
@@ -1190,6 +1190,11 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
                        programs exec'd, files mmap'd for exec, and all files
                        opened for read by uid=0.
+        ima_template=   [IMA]
+                        Select one of defined IMA measurements template formats.
+                        Formats: { "ima" | "ima-ng" }
+                        Default: "ima-ng"
        init=           [KNL]
                        Format: <full_path>
                        Run specified binary instead of /sbin/init as init
diff --git a/security/integrity/ima/ima_template.c b/security/integrity/ima/ima_template.c
index c28ff9bf8f32..000221419f6c 100644
--- a/security/integrity/ima/ima_template.c
+++ b/security/integrity/ima/ima_template.c
@@ -12,6 +12,8 @@
 * File: ima_template.c
 *      Helpers to manage template descriptors.
 */
+#include <crypto/hash_info.h>
 #include "ima.h"
 #include "ima_template_lib.h"
@@ -32,6 +34,35 @@ static struct ima_template_field supported_fields[] = {
 };
 static struct ima_template_desc *ima_template;
+static struct ima_template_desc *lookup_template_desc(const char *name);
+static int __init ima_template_setup(char *str)
+{
+        struct ima_template_desc *template_desc;
+        int template_len = strlen(str);
+        /*
+         * Verify that a template with the supplied name exists.
+         * If not, use CONFIG_IMA_DEFAULT_TEMPLATE.
+         */
+        template_desc = lookup_template_desc(str);
+        if (!template_desc)
+                return 1;
+        /*
+         * Verify whether the current hash algorithm is supported
+         * by the 'ima' template.
+         */
+        if (template_len == 3 && strcmp(str, IMA_TEMPLATE_IMA_NAME) == 0 &&
+            ima_hash_algo != HASH_ALGO_SHA1 && ima_hash_algo != HASH_ALGO_MD5) {
+                pr_err("IMA: template does not support hash alg\n");
+                return 1;
+        }
+        ima_template = template_desc;
+        return 1;
+}
+__setup("ima_template=", ima_template_setup);
 static struct ima_template_desc *lookup_template_desc(const char *name)
 {

diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt index 1a036cd972fb..2b78cb55ac34 100644 --- a/Documentation/kernel-parameters.txt +++ b/Documentation/kernel-parameters.txt
@@ -1190,6 +1190,11 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
1190	programs exec'd, files mmap'd for exec, and all files	1190	programs exec'd, files mmap'd for exec, and all files
1191	opened for read by uid=0.	1191	opened for read by uid=0.
1192		1192
		1193	ima_template= [IMA]
		1194	Select one of defined IMA measurements template formats.
		1195	Formats: { "ima" \| "ima-ng" }
		1196	Default: "ima-ng"
		1197
1193	init= [KNL]	1198	init= [KNL]
1194	Format: <full_path>	1199	Format: <full_path>
1195	Run specified binary instead of /sbin/init as init	1200	Run specified binary instead of /sbin/init as init


diff --git a/security/integrity/ima/ima_template.c b/security/integrity/ima/ima_template.c index c28ff9bf8f32..000221419f6c 100644 --- a/security/integrity/ima/ima_template.c +++ b/security/integrity/ima/ima_template.c
@@ -12,6 +12,8 @@
12	* File: ima_template.c	12	* File: ima_template.c
13	* Helpers to manage template descriptors.	13	* Helpers to manage template descriptors.
14	*/	14	*/
		15	#include <crypto/hash_info.h>
		16
15	#include "ima.h"	17	#include "ima.h"
16	#include "ima_template_lib.h"	18	#include "ima_template_lib.h"
17		19
@@ -32,6 +34,35 @@ static struct ima_template_field supported_fields[] = {
32	};	34	};
33		35
34	static struct ima_template_desc *ima_template;	36	static struct ima_template_desc *ima_template;
		37	static struct ima_template_desc lookup_template_desc(const char name);
		38
		39	static int __init ima_template_setup(char *str)
		40	{
		41	struct ima_template_desc *template_desc;
		42	int template_len = strlen(str);
		43
		44	/*
		45	* Verify that a template with the supplied name exists.
		46	* If not, use CONFIG_IMA_DEFAULT_TEMPLATE.
		47	*/
		48	template_desc = lookup_template_desc(str);
		49	if (!template_desc)
		50	return 1;
		51
		52	/*
		53	* Verify whether the current hash algorithm is supported
		54	* by the 'ima' template.
		55	*/
		56	if (template_len == 3 && strcmp(str, IMA_TEMPLATE_IMA_NAME) == 0 &&
		57	ima_hash_algo != HASH_ALGO_SHA1 && ima_hash_algo != HASH_ALGO_MD5) {
		58	pr_err("IMA: template does not support hash alg\n");
		59	return 1;
		60	}
		61
		62	ima_template = template_desc;
		63	return 1;
		64	}
		65	__setup("ima_template=", ima_template_setup);
35		66
36	static struct ima_template_desc lookup_template_desc(const char name)	67	static struct ima_template_desc lookup_template_desc(const char name)
37	{	68	{