3 files changed, 57 insertions, 45 deletions
diff --git a/security/integrity/evm/evm.h b/security/integrity/evm/evm.h
index a45d0d630a30..d320f5197437 100644
--- a/security/integrity/evm/evm.h
+++ b/security/integrity/evm/evm.h
@@ -19,6 +19,8 @@
 extern int evm_initialized;
 extern char *evm_hmac;
+extern struct crypto_shash *hmac_tfm;
 /* List of EVM protected security xattrs */
 extern char *evm_config_xattrnames[];
diff --git a/security/integrity/evm/evm_crypto.c b/security/integrity/evm/evm_crypto.c
index c9902bddcb9a..5dd5b140242c 100644
--- a/security/integrity/evm/evm_crypto.c
+++ b/security/integrity/evm/evm_crypto.c
@@ -16,8 +16,8 @@
 #include <linux/module.h>
 #include <linux/crypto.h>
 #include <linux/xattr.h>
-#include <linux/scatterlist.h>
 #include <keys/encrypted-type.h>
+#include <crypto/hash.h>
 #include "evm.h"
 #define EVMKEY "evm-key"
@@ -25,26 +25,42 @@
 static unsigned char evmkey[MAX_KEY_SIZE];
 static int evmkey_len = MAX_KEY_SIZE;
-static int init_desc(struct hash_desc *desc)
+struct crypto_shash *hmac_tfm;
+static struct shash_desc *init_desc(void)
 {
        int rc;
+        struct shash_desc *desc;
-        desc->tfm = crypto_alloc_hash(evm_hmac, 0, CRYPTO_ALG_ASYNC);
-        if (IS_ERR(desc->tfm)) {
+        if (hmac_tfm == NULL) {
-                pr_info("Can not allocate %s (reason: %ld)\n",
+                hmac_tfm = crypto_alloc_shash(evm_hmac, 0, CRYPTO_ALG_ASYNC);
-                        evm_hmac, PTR_ERR(desc->tfm));
+                if (IS_ERR(hmac_tfm)) {
-                rc = PTR_ERR(desc->tfm);
+                        pr_err("Can not allocate %s (reason: %ld)\n",
-                return rc;
+                               evm_hmac, PTR_ERR(hmac_tfm));
+                        rc = PTR_ERR(hmac_tfm);
+                        hmac_tfm = NULL;
+                        return ERR_PTR(rc);
+                }
        }
-        desc->flags = 0;
-        rc = crypto_hash_setkey(desc->tfm, evmkey, evmkey_len);
+        desc = kmalloc(sizeof(*desc) + crypto_shash_descsize(hmac_tfm),
+                        GFP_KERNEL);
+        if (!desc)
+                return ERR_PTR(-ENOMEM);
+        desc->tfm = hmac_tfm;
+        desc->flags = CRYPTO_TFM_REQ_MAY_SLEEP;
+        rc = crypto_shash_setkey(hmac_tfm, evmkey, evmkey_len);
        if (rc)
                goto out;
-        rc = crypto_hash_init(desc);
+        rc = crypto_shash_init(desc);
 out:
-        if (rc)
+        if (rc) {
-                crypto_free_hash(desc->tfm);
+                kfree(desc);
-        return rc;
+                return ERR_PTR(rc);
+        }
+        return desc;
 }
 /* Protect against 'cutting & pasting' security.evm xattr, include inode
@@ -53,7 +69,7 @@ out:
 * (Additional directory/file metadata needs to be added for more complete
 * protection.)
 */
-static void hmac_add_misc(struct hash_desc *desc, struct inode *inode,
+static void hmac_add_misc(struct shash_desc *desc, struct inode *inode,
                          char *digest)
 {
        struct h_misc {
@@ -63,7 +79,6 @@ static void hmac_add_misc(struct hash_desc *desc, struct inode *inode,
                gid_t gid;
                umode_t mode;
        } hmac_misc;
-        struct scatterlist sg[1];
        memset(&hmac_misc, 0, sizeof hmac_misc);
        hmac_misc.ino = inode->i_ino;
@@ -71,9 +86,8 @@ static void hmac_add_misc(struct hash_desc *desc, struct inode *inode,
        hmac_misc.uid = inode->i_uid;
        hmac_misc.gid = inode->i_gid;
        hmac_misc.mode = inode->i_mode;
-        sg_init_one(sg, &hmac_misc, sizeof hmac_misc);
+        crypto_shash_update(desc, (const u8 *)&hmac_misc, sizeof hmac_misc);
-        crypto_hash_update(desc, sg, sizeof hmac_misc);
+        crypto_shash_final(desc, digest);
-        crypto_hash_final(desc, digest);
 }
 /*
@@ -88,8 +102,7 @@ int evm_calc_hmac(struct dentry *dentry, const char *req_xattr_name,
                  char *digest)
 {
        struct inode *inode = dentry->d_inode;
-        struct hash_desc desc;
+        struct shash_desc *desc;
-        struct scatterlist sg[1];
        char **xattrname;
        size_t xattr_size = 0;
        char *xattr_value = NULL;
@@ -98,17 +111,17 @@ int evm_calc_hmac(struct dentry *dentry, const char *req_xattr_name,
        if (!inode->i_op || !inode->i_op->getxattr)
                return -EOPNOTSUPP;
-        error = init_desc(&desc);
+        desc = init_desc();
-        if (error)
+        if (IS_ERR(desc))
-                return error;
+                return PTR_ERR(desc);
        error = -ENODATA;
        for (xattrname = evm_config_xattrnames; *xattrname != NULL; xattrname++) {
                if ((req_xattr_name && req_xattr_value)
                    && !strcmp(*xattrname, req_xattr_name)) {
                        error = 0;
-                        sg_init_one(sg, req_xattr_value, req_xattr_value_len);
+                        crypto_shash_update(desc, (const u8 *)req_xattr_value,
-                        crypto_hash_update(&desc, sg, req_xattr_value_len);
+                                             req_xattr_value_len);
                        continue;
                }
                size = vfs_getxattr_alloc(dentry, *xattrname,
@@ -122,13 +135,13 @@ int evm_calc_hmac(struct dentry *dentry, const char *req_xattr_name,
                error = 0;
                xattr_size = size;
-                sg_init_one(sg, xattr_value, xattr_size);
+                crypto_shash_update(desc, (const u8 *)xattr_value, xattr_size);
-                crypto_hash_update(&desc, sg, xattr_size);
        }
-        hmac_add_misc(&desc, inode, digest);
+        hmac_add_misc(desc, inode, digest);
-        kfree(xattr_value);
 out:
-        crypto_free_hash(desc.tfm);
+        kfree(xattr_value);
+        kfree(desc);
        return error;
 }
@@ -160,20 +173,17 @@ int evm_update_evmxattr(struct dentry *dentry, const char *xattr_name,
 int evm_init_hmac(struct inode *inode, const struct xattr *lsm_xattr,
                  char *hmac_val)
 {
-        struct hash_desc desc;
+        struct shash_desc *desc;
-        struct scatterlist sg[1];
-        int error;
-        error = init_desc(&desc);
+        desc = init_desc();
-        if (error != 0) {
+        if (IS_ERR(desc)) {
                printk(KERN_INFO "init_desc failed\n");
-                return error;
+                return PTR_ERR(desc);
        }
-        sg_init_one(sg, lsm_xattr->value, lsm_xattr->value_len);
+        crypto_shash_update(desc, lsm_xattr->value, lsm_xattr->value_len);
-        crypto_hash_update(&desc, sg, lsm_xattr->value_len);
+        hmac_add_misc(desc, inode, hmac_val);
-        hmac_add_misc(&desc, inode, hmac_val);
+        kfree(desc);
-        crypto_free_hash(desc.tfm);
        return 0;
 }
diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
index 23486355f443..b65adb5b06c8 100644
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -19,6 +19,7 @@
 #include <linux/xattr.h>
 #include <linux/integrity.h>
 #include <linux/evm.h>
+#include <crypto/hash.h>
 #include "evm.h"
 int evm_initialized;
@@ -283,12 +284,10 @@ out:
 }
 EXPORT_SYMBOL_GPL(evm_inode_init_security);
-static struct crypto_hash *tfm_hmac;    /* preload crypto alg */
 static int __init init_evm(void)
 {
        int error;
-        tfm_hmac = crypto_alloc_hash(evm_hmac, 0, CRYPTO_ALG_ASYNC);
        error = evm_init_secfs();
        if (error < 0) {
                printk(KERN_INFO "EVM: Error registering secfs\n");
@@ -301,7 +300,8 @@ err:
 static void __exit cleanup_evm(void)
 {
        evm_cleanup_secfs();
-        crypto_free_hash(tfm_hmac);
+        if (hmac_tfm)
+                crypto_free_shash(hmac_tfm);
 }
 /*

diff --git a/security/integrity/evm/evm.h b/security/integrity/evm/evm.h index a45d0d630a30..d320f5197437 100644 --- a/security/integrity/evm/evm.h +++ b/security/integrity/evm/evm.h
@@ -19,6 +19,8 @@
19	extern int evm_initialized;	19	extern int evm_initialized;
20	extern char *evm_hmac;	20	extern char *evm_hmac;
21		21
		22	extern struct crypto_shash *hmac_tfm;
		23
22	/* List of EVM protected security xattrs */	24	/* List of EVM protected security xattrs */
23	extern char *evm_config_xattrnames[];	25	extern char *evm_config_xattrnames[];
24		26


diff --git a/security/integrity/evm/evm_crypto.c b/security/integrity/evm/evm_crypto.c index c9902bddcb9a..5dd5b140242c 100644 --- a/security/integrity/evm/evm_crypto.c +++ b/security/integrity/evm/evm_crypto.c
@@ -16,8 +16,8 @@
16	#include <linux/module.h>	16	#include <linux/module.h>
17	#include <linux/crypto.h>	17	#include <linux/crypto.h>
18	#include <linux/xattr.h>	18	#include <linux/xattr.h>
19	#include <linux/scatterlist.h>
20	#include <keys/encrypted-type.h>	19	#include <keys/encrypted-type.h>
		20	#include <crypto/hash.h>
21	#include "evm.h"	21	#include "evm.h"
22		22
23	#define EVMKEY "evm-key"	23	#define EVMKEY "evm-key"
@@ -25,26 +25,42 @@
25	static unsigned char evmkey[MAX_KEY_SIZE];	25	static unsigned char evmkey[MAX_KEY_SIZE];
26	static int evmkey_len = MAX_KEY_SIZE;	26	static int evmkey_len = MAX_KEY_SIZE;
27		27
28	static int init_desc(struct hash_desc *desc)	28	struct crypto_shash *hmac_tfm;
		29
		30	static struct shash_desc *init_desc(void)
29	{	31	{
30	int rc;	32	int rc;
31		33	struct shash_desc *desc;
32	desc->tfm = crypto_alloc_hash(evm_hmac, 0, CRYPTO_ALG_ASYNC);	34
33	if (IS_ERR(desc->tfm)) {	35	if (hmac_tfm == NULL) {
34	pr_info("Can not allocate %s (reason: %ld)\n",	36	hmac_tfm = crypto_alloc_shash(evm_hmac, 0, CRYPTO_ALG_ASYNC);
35	evm_hmac, PTR_ERR(desc->tfm));	37	if (IS_ERR(hmac_tfm)) {
36	rc = PTR_ERR(desc->tfm);	38	pr_err("Can not allocate %s (reason: %ld)\n",
37	return rc;	39	evm_hmac, PTR_ERR(hmac_tfm));
		40	rc = PTR_ERR(hmac_tfm);
		41	hmac_tfm = NULL;
		42	return ERR_PTR(rc);
		43	}
38	}	44	}
39	desc->flags = 0;	45
40	rc = crypto_hash_setkey(desc->tfm, evmkey, evmkey_len);	46	desc = kmalloc(sizeof(*desc) + crypto_shash_descsize(hmac_tfm),
		47	GFP_KERNEL);
		48	if (!desc)
		49	return ERR_PTR(-ENOMEM);
		50
		51	desc->tfm = hmac_tfm;
		52	desc->flags = CRYPTO_TFM_REQ_MAY_SLEEP;
		53
		54	rc = crypto_shash_setkey(hmac_tfm, evmkey, evmkey_len);
41	if (rc)	55	if (rc)
42	goto out;	56	goto out;
43	rc = crypto_hash_init(desc);	57	rc = crypto_shash_init(desc);
44	out:	58	out:
45	if (rc)	59	if (rc) {
46	crypto_free_hash(desc->tfm);	60	kfree(desc);
47	return rc;	61	return ERR_PTR(rc);
		62	}
		63	return desc;
48	}	64	}
49		65
50	/* Protect against 'cutting & pasting' security.evm xattr, include inode	66	/* Protect against 'cutting & pasting' security.evm xattr, include inode
@@ -53,7 +69,7 @@ out:
53	* (Additional directory/file metadata needs to be added for more complete	69	* (Additional directory/file metadata needs to be added for more complete
54	* protection.)	70	* protection.)
55	*/	71	*/
56	static void hmac_add_misc(struct hash_desc desc, struct inode inode,	72	static void hmac_add_misc(struct shash_desc desc, struct inode inode,
57	char *digest)	73	char *digest)
58	{	74	{
59	struct h_misc {	75	struct h_misc {
@@ -63,7 +79,6 @@ static void hmac_add_misc(struct hash_desc desc, struct inode inode,
63	gid_t gid;	79	gid_t gid;
64	umode_t mode;	80	umode_t mode;
65	} hmac_misc;	81	} hmac_misc;
66	struct scatterlist sg[1];
67		82
68	memset(&hmac_misc, 0, sizeof hmac_misc);	83	memset(&hmac_misc, 0, sizeof hmac_misc);
69	hmac_misc.ino = inode->i_ino;	84	hmac_misc.ino = inode->i_ino;
@@ -71,9 +86,8 @@ static void hmac_add_misc(struct hash_desc desc, struct inode inode,
71	hmac_misc.uid = inode->i_uid;	86	hmac_misc.uid = inode->i_uid;
72	hmac_misc.gid = inode->i_gid;	87	hmac_misc.gid = inode->i_gid;
73	hmac_misc.mode = inode->i_mode;	88	hmac_misc.mode = inode->i_mode;
74	sg_init_one(sg, &hmac_misc, sizeof hmac_misc);	89	crypto_shash_update(desc, (const u8 *)&hmac_misc, sizeof hmac_misc);
75	crypto_hash_update(desc, sg, sizeof hmac_misc);	90	crypto_shash_final(desc, digest);
76	crypto_hash_final(desc, digest);
77	}	91	}
78		92
79	/*	93	/*
@@ -88,8 +102,7 @@ int evm_calc_hmac(struct dentry dentry, const char req_xattr_name,
88	char *digest)	102	char *digest)
89	{	103	{
90	struct inode *inode = dentry->d_inode;	104	struct inode *inode = dentry->d_inode;
91	struct hash_desc desc;	105	struct shash_desc *desc;
92	struct scatterlist sg[1];
93	char **xattrname;	106	char **xattrname;
94	size_t xattr_size = 0;	107	size_t xattr_size = 0;
95	char *xattr_value = NULL;	108	char *xattr_value = NULL;
@@ -98,17 +111,17 @@ int evm_calc_hmac(struct dentry dentry, const char req_xattr_name,
98		111
99	if (!inode->i_op \|\| !inode->i_op->getxattr)	112	if (!inode->i_op \|\| !inode->i_op->getxattr)
100	return -EOPNOTSUPP;	113	return -EOPNOTSUPP;
101	error = init_desc(&desc);	114	desc = init_desc();
102	if (error)	115	if (IS_ERR(desc))
103	return error;	116	return PTR_ERR(desc);
104		117
105	error = -ENODATA;	118	error = -ENODATA;
106	for (xattrname = evm_config_xattrnames; *xattrname != NULL; xattrname++) {	119	for (xattrname = evm_config_xattrnames; *xattrname != NULL; xattrname++) {
107	if ((req_xattr_name && req_xattr_value)	120	if ((req_xattr_name && req_xattr_value)
108	&& !strcmp(*xattrname, req_xattr_name)) {	121	&& !strcmp(*xattrname, req_xattr_name)) {
109	error = 0;	122	error = 0;
110	sg_init_one(sg, req_xattr_value, req_xattr_value_len);	123	crypto_shash_update(desc, (const u8 *)req_xattr_value,
111	crypto_hash_update(&desc, sg, req_xattr_value_len);	124	req_xattr_value_len);
112	continue;	125	continue;
113	}	126	}
114	size = vfs_getxattr_alloc(dentry, *xattrname,	127	size = vfs_getxattr_alloc(dentry, *xattrname,
@@ -122,13 +135,13 @@ int evm_calc_hmac(struct dentry dentry, const char req_xattr_name,
122		135
123	error = 0;	136	error = 0;
124	xattr_size = size;	137	xattr_size = size;
125	sg_init_one(sg, xattr_value, xattr_size);	138	crypto_shash_update(desc, (const u8 *)xattr_value, xattr_size);
126	crypto_hash_update(&desc, sg, xattr_size);
127	}	139	}
128	hmac_add_misc(&desc, inode, digest);	140	hmac_add_misc(desc, inode, digest);
129	kfree(xattr_value);	141
130	out:	142	out:
131	crypto_free_hash(desc.tfm);	143	kfree(xattr_value);
		144	kfree(desc);
132	return error;	145	return error;
133	}	146	}
134		147
@@ -160,20 +173,17 @@ int evm_update_evmxattr(struct dentry dentry, const char xattr_name,
160	int evm_init_hmac(struct inode inode, const struct xattr lsm_xattr,	173	int evm_init_hmac(struct inode inode, const struct xattr lsm_xattr,
161	char *hmac_val)	174	char *hmac_val)
162	{	175	{
163	struct hash_desc desc;	176	struct shash_desc *desc;
164	struct scatterlist sg[1];
165	int error;
166		177
167	error = init_desc(&desc);	178	desc = init_desc();
168	if (error != 0) {	179	if (IS_ERR(desc)) {
169	printk(KERN_INFO "init_desc failed\n");	180	printk(KERN_INFO "init_desc failed\n");
170	return error;	181	return PTR_ERR(desc);
171	}	182	}
172		183
173	sg_init_one(sg, lsm_xattr->value, lsm_xattr->value_len);	184	crypto_shash_update(desc, lsm_xattr->value, lsm_xattr->value_len);
174	crypto_hash_update(&desc, sg, lsm_xattr->value_len);	185	hmac_add_misc(desc, inode, hmac_val);
175	hmac_add_misc(&desc, inode, hmac_val);	186	kfree(desc);
176	crypto_free_hash(desc.tfm);
177	return 0;	187	return 0;
178	}	188	}
179		189


diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c index 23486355f443..b65adb5b06c8 100644 --- a/security/integrity/evm/evm_main.c +++ b/security/integrity/evm/evm_main.c
@@ -19,6 +19,7 @@
19	#include <linux/xattr.h>	19	#include <linux/xattr.h>
20	#include <linux/integrity.h>	20	#include <linux/integrity.h>
21	#include <linux/evm.h>	21	#include <linux/evm.h>
		22	#include <crypto/hash.h>
22	#include "evm.h"	23	#include "evm.h"
23		24
24	int evm_initialized;	25	int evm_initialized;
@@ -283,12 +284,10 @@ out:
283	}	284	}
284	EXPORT_SYMBOL_GPL(evm_inode_init_security);	285	EXPORT_SYMBOL_GPL(evm_inode_init_security);
285		286
286	static struct crypto_hash tfm_hmac; / preload crypto alg */
287	static int __init init_evm(void)	287	static int __init init_evm(void)
288	{	288	{
289	int error;	289	int error;
290		290
291	tfm_hmac = crypto_alloc_hash(evm_hmac, 0, CRYPTO_ALG_ASYNC);
292	error = evm_init_secfs();	291	error = evm_init_secfs();
293	if (error < 0) {	292	if (error < 0) {
294	printk(KERN_INFO "EVM: Error registering secfs\n");	293	printk(KERN_INFO "EVM: Error registering secfs\n");
@@ -301,7 +300,8 @@ err:
301	static void __exit cleanup_evm(void)	300	static void __exit cleanup_evm(void)
302	{	301	{
303	evm_cleanup_secfs();	302	evm_cleanup_secfs();
304	crypto_free_hash(tfm_hmac);	303	if (hmac_tfm)
		304	crypto_free_shash(hmac_tfm);
305	}	305	}
306		306
307	/*	307	/*