diff options
Diffstat (limited to 'security/integrity')
| -rw-r--r-- | security/integrity/ima/ima.h | 2 | ||||
| -rw-r--r-- | security/integrity/ima/ima_crypto.c | 24 | ||||
| -rw-r--r-- | security/integrity/ima/ima_init.c | 10 |
3 files changed, 31 insertions, 5 deletions
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index 52393edfbfd9..e0e1cde6e674 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h | |||
| @@ -73,7 +73,7 @@ int ima_add_template_entry(struct ima_template_entry *entry, int violation, | |||
| 73 | int ima_calc_file_hash(struct file *file, struct ima_digest_data *hash); | 73 | int ima_calc_file_hash(struct file *file, struct ima_digest_data *hash); |
| 74 | int ima_calc_buffer_hash(const void *data, int len, | 74 | int ima_calc_buffer_hash(const void *data, int len, |
| 75 | struct ima_digest_data *hash); | 75 | struct ima_digest_data *hash); |
| 76 | int ima_calc_boot_aggregate(char *digest); | 76 | int __init ima_calc_boot_aggregate(struct ima_digest_data *hash); |
| 77 | void ima_add_violation(struct inode *inode, const unsigned char *filename, | 77 | void ima_add_violation(struct inode *inode, const unsigned char *filename, |
| 78 | const char *op, const char *cause); | 78 | const char *op, const char *cause); |
| 79 | int ima_init_crypto(void); | 79 | int ima_init_crypto(void); |
diff --git a/security/integrity/ima/ima_crypto.c b/security/integrity/ima/ima_crypto.c index e2be2524a372..22be23f13b3d 100644 --- a/security/integrity/ima/ima_crypto.c +++ b/security/integrity/ima/ima_crypto.c | |||
| @@ -184,16 +184,17 @@ static void __init ima_pcrread(int idx, u8 *pcr) | |||
| 184 | /* | 184 | /* |
| 185 | * Calculate the boot aggregate hash | 185 | * Calculate the boot aggregate hash |
| 186 | */ | 186 | */ |
| 187 | int __init ima_calc_boot_aggregate(char *digest) | 187 | static int __init ima_calc_boot_aggregate_tfm(char *digest, |
| 188 | struct crypto_shash *tfm) | ||
| 188 | { | 189 | { |
| 189 | u8 pcr_i[TPM_DIGEST_SIZE]; | 190 | u8 pcr_i[TPM_DIGEST_SIZE]; |
| 190 | int rc, i; | 191 | int rc, i; |
| 191 | struct { | 192 | struct { |
| 192 | struct shash_desc shash; | 193 | struct shash_desc shash; |
| 193 | char ctx[crypto_shash_descsize(ima_shash_tfm)]; | 194 | char ctx[crypto_shash_descsize(tfm)]; |
| 194 | } desc; | 195 | } desc; |
| 195 | 196 | ||
| 196 | desc.shash.tfm = ima_shash_tfm; | 197 | desc.shash.tfm = tfm; |
| 197 | desc.shash.flags = 0; | 198 | desc.shash.flags = 0; |
| 198 | 199 | ||
| 199 | rc = crypto_shash_init(&desc.shash); | 200 | rc = crypto_shash_init(&desc.shash); |
| @@ -210,3 +211,20 @@ int __init ima_calc_boot_aggregate(char *digest) | |||
| 210 | crypto_shash_final(&desc.shash, digest); | 211 | crypto_shash_final(&desc.shash, digest); |
| 211 | return rc; | 212 | return rc; |
| 212 | } | 213 | } |
| 214 | |||
| 215 | int __init ima_calc_boot_aggregate(struct ima_digest_data *hash) | ||
| 216 | { | ||
| 217 | struct crypto_shash *tfm; | ||
| 218 | int rc; | ||
| 219 | |||
| 220 | tfm = ima_alloc_tfm(hash->algo); | ||
| 221 | if (IS_ERR(tfm)) | ||
| 222 | return PTR_ERR(tfm); | ||
| 223 | |||
| 224 | hash->length = crypto_shash_digestsize(tfm); | ||
| 225 | rc = ima_calc_boot_aggregate_tfm(hash->digest, tfm); | ||
| 226 | |||
| 227 | ima_free_tfm(tfm); | ||
| 228 | |||
| 229 | return rc; | ||
| 230 | } | ||
diff --git a/security/integrity/ima/ima_init.c b/security/integrity/ima/ima_init.c index 9d0243c10558..77cd5005f2db 100644 --- a/security/integrity/ima/ima_init.c +++ b/security/integrity/ima/ima_init.c | |||
| @@ -18,6 +18,7 @@ | |||
| 18 | #include <linux/scatterlist.h> | 18 | #include <linux/scatterlist.h> |
| 19 | #include <linux/slab.h> | 19 | #include <linux/slab.h> |
| 20 | #include <linux/err.h> | 20 | #include <linux/err.h> |
| 21 | #include <crypto/hash_info.h> | ||
| 21 | #include "ima.h" | 22 | #include "ima.h" |
| 22 | 23 | ||
| 23 | /* name for boot aggregate entry */ | 24 | /* name for boot aggregate entry */ |
| @@ -46,6 +47,10 @@ static void __init ima_add_boot_aggregate(void) | |||
| 46 | const char *audit_cause = "ENOMEM"; | 47 | const char *audit_cause = "ENOMEM"; |
| 47 | int result = -ENOMEM; | 48 | int result = -ENOMEM; |
| 48 | int violation = 1; | 49 | int violation = 1; |
| 50 | struct { | ||
| 51 | struct ima_digest_data hdr; | ||
| 52 | char digest[TPM_DIGEST_SIZE]; | ||
| 53 | } hash; | ||
| 49 | 54 | ||
| 50 | entry = kmalloc(sizeof(*entry), GFP_KERNEL); | 55 | entry = kmalloc(sizeof(*entry), GFP_KERNEL); |
| 51 | if (!entry) | 56 | if (!entry) |
| @@ -56,12 +61,15 @@ static void __init ima_add_boot_aggregate(void) | |||
| 56 | IMA_EVENT_NAME_LEN_MAX); | 61 | IMA_EVENT_NAME_LEN_MAX); |
| 57 | if (ima_used_chip) { | 62 | if (ima_used_chip) { |
| 58 | violation = 0; | 63 | violation = 0; |
| 59 | result = ima_calc_boot_aggregate(entry->template.digest); | 64 | hash.hdr.algo = HASH_ALGO_SHA1; |
| 65 | result = ima_calc_boot_aggregate(&hash.hdr); | ||
| 60 | if (result < 0) { | 66 | if (result < 0) { |
| 61 | audit_cause = "hashing_error"; | 67 | audit_cause = "hashing_error"; |
| 62 | kfree(entry); | 68 | kfree(entry); |
| 63 | goto err_out; | 69 | goto err_out; |
| 64 | } | 70 | } |
| 71 | memcpy(entry->template.digest, hash.hdr.digest, | ||
| 72 | hash.hdr.length); | ||
| 65 | } | 73 | } |
| 66 | result = ima_store_template(entry, violation, NULL); | 74 | result = ima_store_template(entry, violation, NULL); |
| 67 | if (result < 0) | 75 | if (result < 0) |