aboutsummaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
Diffstat (limited to 'security')
-rw-r--r--security/integrity/evm/Kconfig13
-rw-r--r--security/integrity/evm/evm.h1
-rw-r--r--security/integrity/evm/evm_crypto.c3
-rw-r--r--security/integrity/evm/evm_main.c1
4 files changed, 18 insertions, 0 deletions
diff --git a/security/integrity/evm/Kconfig b/security/integrity/evm/Kconfig
index afbb59dd262d..fea9749c3756 100644
--- a/security/integrity/evm/Kconfig
+++ b/security/integrity/evm/Kconfig
@@ -11,3 +11,16 @@ config EVM
11 integrity attacks. 11 integrity attacks.
12 12
13 If you are unsure how to answer this question, answer N. 13 If you are unsure how to answer this question, answer N.
14
15config EVM_HMAC_VERSION
16 int "EVM HMAC version"
17 depends on EVM
18 default 2
19 help
20 This options adds EVM HMAC version support.
21 1 - original version
22 2 - add per filesystem unique identifier (UUID) (default)
23
24 WARNING: changing the HMAC calculation method or adding
25 additional info to the calculation, requires existing EVM
26 labeled file systems to be relabeled.
diff --git a/security/integrity/evm/evm.h b/security/integrity/evm/evm.h
index 3eb30c6db419..30bd1ec0232e 100644
--- a/security/integrity/evm/evm.h
+++ b/security/integrity/evm/evm.h
@@ -24,6 +24,7 @@
24extern int evm_initialized; 24extern int evm_initialized;
25extern char *evm_hmac; 25extern char *evm_hmac;
26extern char *evm_hash; 26extern char *evm_hash;
27extern int evm_hmac_version;
27 28
28extern struct crypto_shash *hmac_tfm; 29extern struct crypto_shash *hmac_tfm;
29extern struct crypto_shash *hash_tfm; 30extern struct crypto_shash *hash_tfm;
diff --git a/security/integrity/evm/evm_crypto.c b/security/integrity/evm/evm_crypto.c
index dfb26918699c..ff8e2abf8f21 100644
--- a/security/integrity/evm/evm_crypto.c
+++ b/security/integrity/evm/evm_crypto.c
@@ -110,6 +110,9 @@ static void hmac_add_misc(struct shash_desc *desc, struct inode *inode,
110 hmac_misc.gid = from_kgid(&init_user_ns, inode->i_gid); 110 hmac_misc.gid = from_kgid(&init_user_ns, inode->i_gid);
111 hmac_misc.mode = inode->i_mode; 111 hmac_misc.mode = inode->i_mode;
112 crypto_shash_update(desc, (const u8 *)&hmac_misc, sizeof hmac_misc); 112 crypto_shash_update(desc, (const u8 *)&hmac_misc, sizeof hmac_misc);
113 if (evm_hmac_version > 1)
114 crypto_shash_update(desc, inode->i_sb->s_uuid,
115 sizeof(inode->i_sb->s_uuid));
113 crypto_shash_final(desc, digest); 116 crypto_shash_final(desc, digest);
114} 117}
115 118
diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
index a78a5e21ef70..cdbde1762189 100644
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -26,6 +26,7 @@ int evm_initialized;
26 26
27char *evm_hmac = "hmac(sha1)"; 27char *evm_hmac = "hmac(sha1)";
28char *evm_hash = "sha1"; 28char *evm_hash = "sha1";
29int evm_hmac_version = CONFIG_EVM_HMAC_VERSION;
29 30
30char *evm_config_xattrnames[] = { 31char *evm_config_xattrnames[] = {
31#ifdef CONFIG_SECURITY_SELINUX 32#ifdef CONFIG_SECURITY_SELINUX
generated by cgit v1.2.2 (git 2.25.0) at 2025-01-01 18:15:05 -0500