hollalinux
/
linux-sg2042
mirror of https://github.com/sophgo/linux-riscv.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

ima: include pcr for each measurement log entry 

The IMA measurement list entries include the Kconfig defined PCR value.
This patch defines a new ima_template_entry field for including the PCR
as specified in the policy rule.

Signed-off-by: Eric Richter <erichte@linux.vnet.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
This commit is contained in:
Eric Richter 2016-06-01 13:14:03 -05:00 committed by Mimi Zohar
parent 725de7fabb
commit 14b1da85bb
4 changed files with 13 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
security/integrity/ima/ima.h
View File

@ -88,6 +88,7 @@ struct ima_template_desc {
}; };
struct ima_template_entry { struct ima_template_entry {
int pcr;
u8 digest[TPM_DIGEST_SIZE]; /* sha1 or md5 measurement hash */ u8 digest[TPM_DIGEST_SIZE]; /* sha1 or md5 measurement hash */
struct ima_template_desc *template_desc; /* template descriptor */ struct ima_template_desc *template_desc; /* template descriptor */
u32 template_data_len; u32 template_data_len;
@ -163,13 +164,14 @@ int ima_collect_measurement(struct integrity_iint_cache *iint,
void ima_store_measurement(struct integrity_iint_cache *iint, struct file *file, void ima_store_measurement(struct integrity_iint_cache *iint, struct file *file,
const unsigned char *filename, const unsigned char *filename,
struct evm_ima_xattr_data *xattr_value, struct evm_ima_xattr_data *xattr_value,
int xattr_len); int xattr_len, int pcr);
void ima_audit_measurement(struct integrity_iint_cache *iint, void ima_audit_measurement(struct integrity_iint_cache *iint,
const unsigned char *filename); const unsigned char *filename);
int ima_alloc_init_template(struct ima_event_data *event_data, int ima_alloc_init_template(struct ima_event_data *event_data,
struct ima_template_entry **entry); struct ima_template_entry **entry);
int ima_store_template(struct ima_template_entry *entry, int violation, int ima_store_template(struct ima_template_entry *entry, int violation,
struct inode *inode, const unsigned char *filename); struct inode *inode,
const unsigned char *filename, int pcr);
void ima_free_template_entry(struct ima_template_entry *entry); void ima_free_template_entry(struct ima_template_entry *entry);
const char *ima_d_path(const struct path *path, char **pathbuf); const char *ima_d_path(const struct path *path, char **pathbuf);

10
security/integrity/ima/ima_api.c
View File

@ -87,7 +87,7 @@ out:
*/ */
int ima_store_template(struct ima_template_entry *entry, int ima_store_template(struct ima_template_entry *entry,
int violation, struct inode *inode, int violation, struct inode *inode,
const unsigned char *filename) const unsigned char *filename, int pcr)
{ {
static const char op[] = "add_template_measure"; static const char op[] = "add_template_measure";
static const char audit_cause[] = "hashing_error"; static const char audit_cause[] = "hashing_error";
@ -114,6 +114,7 @@ int ima_store_template(struct ima_template_entry *entry,
} }
memcpy(entry->digest, hash.hdr.digest, hash.hdr.length); memcpy(entry->digest, hash.hdr.digest, hash.hdr.length);
} }
entry->pcr = pcr;
result = ima_add_template_entry(entry, violation, op, inode, filename); result = ima_add_template_entry(entry, violation, op, inode, filename);
return result; return result;
} }
@ -144,7 +145,8 @@ void ima_add_violation(struct file *file, const unsigned char *filename,
result = -ENOMEM; result = -ENOMEM;
goto err_out; goto err_out;
} }
result = ima_store_template(entry, violation, inode, filename); result = ima_store_template(entry, violation, inode,
filename, CONFIG_IMA_MEASURE_PCR_IDX);
if (result < 0) if (result < 0)
ima_free_template_entry(entry); ima_free_template_entry(entry);
err_out: err_out:
@ -253,7 +255,7 @@ out:
void ima_store_measurement(struct integrity_iint_cache *iint, void ima_store_measurement(struct integrity_iint_cache *iint,
struct file *file, const unsigned char *filename, struct file *file, const unsigned char *filename,
struct evm_ima_xattr_data *xattr_value, struct evm_ima_xattr_data *xattr_value,
int xattr_len) int xattr_len, int pcr)
{ {
static const char op[] = "add_template_measure"; static const char op[] = "add_template_measure";
static const char audit_cause[] = "ENOMEM"; static const char audit_cause[] = "ENOMEM";
@ -274,7 +276,7 @@ void ima_store_measurement(struct integrity_iint_cache *iint,
return; return;
} }
result = ima_store_template(entry, violation, inode, filename); result = ima_store_template(entry, violation, inode, filename, pcr);
if (!result || result == -EEXIST) if (!result || result == -EEXIST)
iint->flags |= IMA_MEASURED; iint->flags |= IMA_MEASURED;
if (result < 0) if (result < 0)

3
security/integrity/ima/ima_init.c
View File

@ -79,7 +79,8 @@ static int __init ima_add_boot_aggregate(void)
} }
result = ima_store_template(entry, violation, NULL, result = ima_store_template(entry, violation, NULL,
boot_aggregate_name); boot_aggregate_name,
CONFIG_IMA_MEASURE_PCR_IDX);
if (result < 0) { if (result < 0) {
ima_free_template_entry(entry); ima_free_template_entry(entry);
audit_cause = "store_entry"; audit_cause = "store_entry";

2
security/integrity/ima/ima_main.c
View File

@ -239,7 +239,7 @@ static int process_measurement(struct file *file, char *buf, loff_t size,
if (action & IMA_MEASURE) if (action & IMA_MEASURE)
ima_store_measurement(iint, file, pathname, ima_store_measurement(iint, file, pathname,
xattr_value, xattr_len); xattr_value, xattr_len, pcr);
if (action & IMA_APPRAISE_SUBMASK) if (action & IMA_APPRAISE_SUBMASK)
rc = ima_appraise_measurement(func, iint, file, pathname, rc = ima_appraise_measurement(func, iint, file, pathname,
xattr_value, xattr_len, opened); xattr_value, xattr_len, opened);