diff options
author | Roberto Sassu <roberto.sassu@huawei.com> | 2020-03-25 11:53:50 +0100 |
---|---|---|
committer | Mimi Zohar <zohar@linux.ibm.com> | 2020-04-19 22:03:39 -0400 |
commit | 1ea973df6e2166d1a576cabe5d08925d3261ff9d (patch) | |
tree | 7e17b50d0a5cb7c630bd404c4a51727042f71438 /security/integrity/ima/ima_template.c | |
parent | ima: Allocate and initialize tfm for each PCR bank (diff) | |
download | linux-dev-1ea973df6e2166d1a576cabe5d08925d3261ff9d.tar.xz linux-dev-1ea973df6e2166d1a576cabe5d08925d3261ff9d.zip |
ima: Calculate and extend PCR with digests in ima_template_entry
This patch modifies ima_calc_field_array_hash() to calculate a template
digest for each allocated PCR bank and SHA1. It also passes the tpm_digest
array of the template entry to ima_pcr_extend() or in case of a violation,
the pre-initialized digests array filled with 0xff.
Padding with zeros is still done if the mapping between TPM algorithm ID
and crypto ID is unknown.
This patch calculates again the template digest when a measurement list is
restored. Copying only the SHA1 digest (due to the limitation of the
current measurement list format) is not sufficient, as hash collision
detection will be done on the digest calculated with the IMA default hash
algorithm.
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Diffstat (limited to 'security/integrity/ima/ima_template.c')
-rw-r--r-- | security/integrity/ima/ima_template.c | 14 |
1 files changed, 12 insertions, 2 deletions
diff --git a/security/integrity/ima/ima_template.c b/security/integrity/ima/ima_template.c index de84252e65e9..5a2def40a733 100644 --- a/security/integrity/ima/ima_template.c +++ b/security/integrity/ima/ima_template.c @@ -357,6 +357,7 @@ static int ima_restore_template_data(struct ima_template_desc *template_desc, int ima_restore_measurement_list(loff_t size, void *buf) { char template_name[MAX_TEMPLATE_NAME_LEN]; + unsigned char zero[TPM_DIGEST_SIZE] = { 0 }; struct ima_kexec_hdr *khdr = buf; struct ima_field_data hdr[HDR__LAST] = { @@ -456,8 +457,17 @@ int ima_restore_measurement_list(loff_t size, void *buf) if (ret < 0) break; - memcpy(entry->digests[ima_sha1_idx].digest, - hdr[HDR_DIGEST].data, hdr[HDR_DIGEST].len); + if (memcmp(hdr[HDR_DIGEST].data, zero, sizeof(zero))) { + ret = ima_calc_field_array_hash( + &entry->template_data[0], + entry); + if (ret < 0) { + pr_err("cannot calculate template digest\n"); + ret = -EINVAL; + break; + } + } + entry->pcr = !ima_canonical_fmt ? *(hdr[HDR_PCR].data) : le32_to_cpu(*(hdr[HDR_PCR].data)); ret = ima_restore_measurement_entry(entry); |