From: Roberto Sassu <roberto.sassu@huawei.com>
To: <zohar@linux.ibm.com>, <James.Bottomley@HansenPartnership.com>
Cc: <linux-integrity@vger.kernel.org>,
<linux-security-module@vger.kernel.org>,
<linux-kernel@vger.kernel.org>, <silviu.vlasceanu@huawei.com>,
Roberto Sassu <roberto.sassu@huawei.com>
Subject: [PATCH v4 3/7] ima: Store template digest directly in ima_template_entry
Date: Wed, 25 Mar 2020 11:47:08 +0100 [thread overview]
Message-ID: <20200325104712.25694-4-roberto.sassu@huawei.com> (raw)
In-Reply-To: <20200325104712.25694-1-roberto.sassu@huawei.com>
In preparation for the patch that calculates a digest for each allocated
PCR bank, this patch passes to ima_calc_field_array_hash() the
ima_template_entry structure, so that digests can be directly stored in
that structure instead of ima_digest_data.
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
---
security/integrity/ima/ima.h | 3 +--
security/integrity/ima/ima_api.c | 12 +-----------
security/integrity/ima/ima_crypto.c | 18 +++++++-----------
3 files changed, 9 insertions(+), 24 deletions(-)
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index 64317d95363e..a2dfe24e04c7 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -138,8 +138,7 @@ int ima_calc_file_hash(struct file *file, struct ima_digest_data *hash);
int ima_calc_buffer_hash(const void *buf, loff_t len,
struct ima_digest_data *hash);
int ima_calc_field_array_hash(struct ima_field_data *field_data,
- struct ima_template_desc *desc, int num_fields,
- struct ima_digest_data *hash);
+ struct ima_template_entry *entry);
int __init ima_calc_boot_aggregate(struct ima_digest_data *hash);
void ima_add_violation(struct file *file, const unsigned char *filename,
struct integrity_iint_cache *iint,
diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
index f6bc00914aa5..2ef5a40c7ca5 100644
--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -96,26 +96,16 @@ int ima_store_template(struct ima_template_entry *entry,
static const char audit_cause[] = "hashing_error";
char *template_name = entry->template_desc->name;
int result;
- struct {
- struct ima_digest_data hdr;
- char digest[TPM_DIGEST_SIZE];
- } hash;
if (!violation) {
- int num_fields = entry->template_desc->num_fields;
-
- /* this function uses default algo */
- hash.hdr.algo = HASH_ALGO_SHA1;
result = ima_calc_field_array_hash(&entry->template_data[0],
- entry->template_desc,
- num_fields, &hash.hdr);
+ entry);
if (result < 0) {
integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode,
template_name, op,
audit_cause, result, 0);
return result;
}
- memcpy(entry->digest, hash.hdr.digest, hash.hdr.length);
}
entry->pcr = pcr;
result = ima_add_template_entry(entry, violation, op, inode, filename);
diff --git a/security/integrity/ima/ima_crypto.c b/security/integrity/ima/ima_crypto.c
index 8e445a671225..03d73a4009ab 100644
--- a/security/integrity/ima/ima_crypto.c
+++ b/security/integrity/ima/ima_crypto.c
@@ -464,18 +464,16 @@ int ima_calc_file_hash(struct file *file, struct ima_digest_data *hash)
* Calculate the hash of template data
*/
static int ima_calc_field_array_hash_tfm(struct ima_field_data *field_data,
- struct ima_template_desc *td,
- int num_fields,
- struct ima_digest_data *hash,
+ struct ima_template_entry *entry,
struct crypto_shash *tfm)
{
SHASH_DESC_ON_STACK(shash, tfm);
+ struct ima_template_desc *td = entry->template_desc;
+ int num_fields = entry->template_desc->num_fields;
int rc, i;
shash->tfm = tfm;
- hash->length = crypto_shash_digestsize(tfm);
-
rc = crypto_shash_init(shash);
if (rc != 0)
return rc;
@@ -504,24 +502,22 @@ static int ima_calc_field_array_hash_tfm(struct ima_field_data *field_data,
}
if (!rc)
- rc = crypto_shash_final(shash, hash->digest);
+ rc = crypto_shash_final(shash, entry->digest);
return rc;
}
int ima_calc_field_array_hash(struct ima_field_data *field_data,
- struct ima_template_desc *desc, int num_fields,
- struct ima_digest_data *hash)
+ struct ima_template_entry *entry)
{
struct crypto_shash *tfm;
int rc;
- tfm = ima_alloc_tfm(hash->algo);
+ tfm = ima_alloc_tfm(HASH_ALGO_SHA1);
if (IS_ERR(tfm))
return PTR_ERR(tfm);
- rc = ima_calc_field_array_hash_tfm(field_data, desc, num_fields,
- hash, tfm);
+ rc = ima_calc_field_array_hash_tfm(field_data, entry, tfm);
ima_free_tfm(tfm);
--
2.17.1
next prev parent reply other threads:[~2020-03-25 10:49 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-03-25 10:47 [PATCH v4 0/7] ima: support stronger algorithms for attestation Roberto Sassu
2020-03-25 10:47 ` [PATCH v4 1/7] ima: Switch to ima_hash_algo for boot aggregate Roberto Sassu
2020-04-02 23:53 ` Mimi Zohar
2020-05-08 4:54 ` Jerry Snitselaar
2020-05-08 17:29 ` Mimi Zohar
2020-03-25 10:47 ` [PATCH v4 2/7] ima: Evaluate error in init_ima() Roberto Sassu
2020-03-27 0:07 ` James Morris
2020-03-25 10:47 ` Roberto Sassu [this message]
2020-03-25 10:47 ` [PATCH v4 4/7] ima: Switch to dynamically allocated buffer for template digests Roberto Sassu
2020-03-25 10:52 ` [PATCH v4 5/7] ima: Allocate and initialize tfm for each PCR bank Roberto Sassu
2020-03-25 10:53 ` [PATCH v4 6/7] ima: Calculate and extend PCR with digests in ima_template_entry Roberto Sassu
2020-03-25 10:54 ` [PATCH v4 7/7] ima: Use ima_hash_algo for collision detection in the measurement list Roberto Sassu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200325104712.25694-4-roberto.sassu@huawei.com \
--to=roberto.sassu@huawei.com \
--cc=James.Bottomley@HansenPartnership.com \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=silviu.vlasceanu@huawei.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).