From: Roberto Sassu <roberto.sassu@huawei.com>
To: <zohar@linux.ibm.com>, <jarkko.sakkinen@linux.intel.com>,
	<james.bottomley@hansenpartnership.com>,
	<linux-integrity@vger.kernel.org>
Cc: <linux-security-module@vger.kernel.org>,
	<linux-kernel@vger.kernel.org>, <silviu.vlasceanu@huawei.com>,
	Roberto Sassu <roberto.sassu@huawei.com>
Subject: [PATCH 8/8] ima: switch to ima_hash_algo for boot aggregate
Date: Mon, 27 Jan 2020 18:04:43 +0100
Message-ID: <20200127170443.21538-9-roberto.sassu@huawei.com>
In-Reply-To: <20200127170443.21538-1-roberto.sassu@huawei.com>

boot_aggregate is the first entry of the IMA measurement list. Its purpose is
to link pre-boot measurements to IMA measurements. As IMA was designed to
work with a TPM 1.2, the SHA1 PCR bank was always selected.

Currently, even if a TPM 2.0 is used, the SHA1 PCR bank is selected.
However, the assumption that the SHA1 PCR bank is always available is not
correct, as PCR banks can be selected with the PCR_Allocate() TPM command.

This patch tries to use ima_hash_algo as the hash algorithm for boot_aggregate.
If no PCR bank uses that algorithm, the patch scans the allocated PCR banks
and selects the first for which the mapping between TPM algorithm ID and
crypto algorithm ID is known. If no suitable algorithm is found, an error
is returned.

Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
---
 security/integrity/ima/ima_crypto.c | 38 +++++++++++++++++------------
 security/integrity/ima/ima_init.c   |  6 ++---
 2 files changed, 25 insertions(+), 19 deletions(-)

diff --git a/security/integrity/ima/ima_crypto.c b/security/integrity/ima/ima_crypto.c
index f84dfd8fc5ca..9bf5e69945b7 100644
--- a/security/integrity/ima/ima_crypto.c
+++ b/security/integrity/ima/ima_crypto.c
@@ -780,25 +780,27 @@ static void __init ima_pcrread(u32 idx, struct tpm_digest *d)
 /*
  * Calculate the boot aggregate hash
  */
-static int __init ima_calc_boot_aggregate_tfm(char *digest,
-					      struct crypto_shash *tfm)
+static int __init ima_calc_boot_aggregate_tfm(char *digest, int bank_idx)
 {
-	struct tpm_digest d = { .alg_id = TPM_ALG_SHA1, .digest = {0} };
+	struct tpm_digest d = { .digest = {0} };
 	int rc;
 	u32 i;
-	SHASH_DESC_ON_STACK(shash, tfm);
+	SHASH_DESC_ON_STACK(shash, ima_algo_array[bank_idx].tfm);
 
-	shash->tfm = tfm;
+	shash->tfm = ima_algo_array[bank_idx].tfm;
 
 	rc = crypto_shash_init(shash);
 	if (rc != 0)
 		return rc;
 
+	d.alg_id = ima_tpm_chip->allocated_banks[bank_idx].alg_id;
+
 	/* cumulative sha1 over tpm registers 0-7 */
 	for (i = TPM_PCR0; i < TPM_PCR8; i++) {
 		ima_pcrread(i, &d);
 		/* now accumulate with current aggregate */
-		rc = crypto_shash_update(shash, d.digest, TPM_DIGEST_SIZE);
+		rc = crypto_shash_update(shash, d.digest,
+			ima_tpm_chip->allocated_banks[bank_idx].digest_size);
 	}
 	if (!rc)
 		crypto_shash_final(shash, digest);
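Review bot: the comment "cumulative sha1 over tpm registers 0-7" above the loop in ima_calc_boot_aggregate_tfm() is stale after this change, because the digest is now computed with ima_algo_array[bank_idx].tfm over the bank selected by bank_idx; please reword it to be algorithm-neutral. In the same loop, rc from crypto_shash_update() is overwritten on every iteration, so only the result for the last PCR decides whether crypto_shash_final() runs; breaking out of the loop on the first non-zero rc would keep a failed update from ending up in the boot aggregate.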
@@ -807,17 +809,21 @@ static int __init ima_calc_boot_aggregate_tfm(char *digest,
 
 int __init ima_calc_boot_aggregate(struct ima_digest_data *hash)
 {
-	struct crypto_shash *tfm;
-	int rc;
+	int bank_idx = ima_hash_algo_idx;
 
-	tfm = ima_alloc_tfm(hash->algo);
-	if (IS_ERR(tfm))
-		return PTR_ERR(tfm);
-
-	hash->length = crypto_shash_digestsize(tfm);
-	rc = ima_calc_boot_aggregate_tfm(hash->digest, tfm);
+	if (bank_idx >= ima_tpm_chip->nr_allocated_banks) {
+		for (bank_idx = 0; bank_idx < ima_tpm_chip->nr_allocated_banks;
+		     bank_idx++)
+			if (ima_algo_array[bank_idx].tfm)
+				break;
 
-	ima_free_tfm(tfm);
+		if (bank_idx == ima_tpm_chip->nr_allocated_banks) {
+			pr_err("No suitable algo found for boot aggregate\n");
+			return -ENOENT;
+		}
+	}
 
-	return rc;
+	hash->algo = ima_algo_array[bank_idx].algo;
+	hash->length = crypto_shash_digestsize(ima_algo_array[bank_idx].tfm);
+	return ima_calc_boot_aggregate_tfm(hash->digest, bank_idx);
 }
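Review bot: in ima_calc_boot_aggregate(), when ima_hash_algo_idx is below nr_allocated_banks the code goes straight to ima_algo_array[bank_idx].tfm without the NULL test that the fallback loop applies to every other bank. If the tfm at ima_hash_algo_idx is guaranteed to be set by the earlier patches in this series, a short comment stating that invariant would help; otherwise add the same check before crypto_shash_digestsize(). On the fallback path the aggregate is computed with an algorithm other than ima_hash_algo and nothing is logged except the failure case, so a pr_info() naming the selected algorithm would make it easier for a verifier to know which PCR bank to replay. The for loop body spans two lines and should have braces per kernel coding style.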
diff --git a/security/integrity/ima/ima_init.c b/security/integrity/ima/ima_init.c
index 195cb4079b2b..b4da190a33ba 100644
--- a/security/integrity/ima/ima_init.c
+++ b/security/integrity/ima/ima_init.c
@@ -51,14 +51,14 @@ static int __init ima_add_boot_aggregate(void)
 	int violation = 0;
 	struct {
 		struct ima_digest_data hdr;
-		char digest[TPM_DIGEST_SIZE];
+		char digest[SHA512_DIGEST_SIZE];
 	} hash;
 
 	memset(iint, 0, sizeof(*iint));
 	memset(&hash, 0, sizeof(hash));
 	iint->ima_hash = &hash.hdr;
-	iint->ima_hash->algo = HASH_ALGO_SHA1;
-	iint->ima_hash->length = SHA1_DIGEST_SIZE;
+	iint->ima_hash->algo = ima_hash_algo;
+	iint->ima_hash->length = hash_digest_size[ima_hash_algo];
 
 	if (ima_tpm_chip) {
 		result = ima_calc_boot_aggregate(&hash.hdr);
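Review bot: the digest buffer in ima_add_boot_aggregate() is now hard-coded to SHA512_DIGEST_SIZE while the algorithm is chosen at run time, either ima_hash_algo here or the fallback bank's algorithm inside ima_calc_boot_aggregate(), and nothing in this hunk checks hash_digest_size[ima_hash_algo] against sizeof(hash.digest). Please either size the array from a maximum-digest-size constant or add an explicit length check before the digest is written, so that a future algorithm with a larger digest cannot overflow the on-stack struct. It would also be worth a comment that the algo and length set here are only the defaults for the no-TPM case, since ima_calc_boot_aggregate() overwrites both.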
-- 
2.17.1

