All of lore.kernel.org
 help / color / mirror / Atom feed
From: nramas <nramas@linux.microsoft.com>
To: Mimi Zohar <zohar@linux.ibm.com>, linux-integrity@vger.kernel.org
Cc: linux-security-module@vger.kernel.org,
	Stefan Berger <stefanb@linux.ibm.com>,
	Russell Coker <russell@coker.com.au>
Subject: Re: [PATCH 2/2] evm: output EVM digest calculation info
Date: Tue, 08 Jun 2021 09:06:00 -0700	[thread overview]
Message-ID: <6f42e07fb057efdc72dc292017f6dbf05c3adfe9.camel@linux.microsoft.com> (raw)
In-Reply-To: <20210608132950.424148-3-zohar@linux.ibm.com>

On Tue, 2021-06-08 at 09:29 -0400, Mimi Zohar wrote:
> Output the data used in calculating the EVM digest and the resulting
> digest as ascii hexadecimal strings.

Reviewed-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>

> 
> Suggested-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
> (CONFIG_DYNAMIC_DEBUG)
> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
> ---
> Changelog:
> - Use pr_debug *phN format
> - Define dump_security_xattr() for larger binary data
> - Based on CONFIG_DYNAMIC_DEBUG
> 
>  security/integrity/evm/evm_crypto.c | 42
> +++++++++++++++++++++++++++++
>  security/integrity/evm/evm_main.c   |  4 +++
>  2 files changed, 46 insertions(+)
> 
> diff --git a/security/integrity/evm/evm_crypto.c
> b/security/integrity/evm/evm_crypto.c
> index 1628e2ca9862..900cf8a157b6 100644
> --- a/security/integrity/evm/evm_crypto.c
> +++ b/security/integrity/evm/evm_crypto.c
> @@ -10,6 +10,8 @@
>   *	 Using root's kernel master key (kmk), calculate the HMAC
>   */
>  
> +#define pr_fmt(fmt) "EVM: "fmt
> +
>  #include <linux/export.h>
>  #include <linux/crypto.h>
>  #include <linux/xattr.h>
> @@ -175,6 +177,29 @@ static void hmac_add_misc(struct shash_desc
> *desc, struct inode *inode,
>  	    type != EVM_XATTR_PORTABLE_DIGSIG)
>  		crypto_shash_update(desc, (u8 *)&inode->i_sb->s_uuid,
> UUID_SIZE);
>  	crypto_shash_final(desc, digest);
> +
> +	pr_debug("hmac_misc: (%lu) [%*phN]\n", sizeof(struct h_misc),
> +		 (int) sizeof(struct h_misc), &hmac_misc);
> +}
> +
> +/*
> + * Dump large security xattr values as a continuous ascii
> hexademical string.
> + * (pr_debug is limited to 64 bytes.)
> + */
> +static void dump_security_xattr(const char *prefix, const void *src,
> size_t count)
> +{
> +#if defined(DEBUG) || defined(CONFIG_DYNAMIC_DEBUG)
> +	char *asciihex, *p;
> +
> +	p = asciihex = kmalloc(count * 2 + 1, GFP_KERNEL);
> +	if (!asciihex)
> +		return;
> +
> +	p = bin2hex(p, src, count);
> +	*p = 0;
> +	pr_debug("%s: (%lu) %.*s\n", prefix, count, (int) count * 2,
> asciihex);
> +	kfree(asciihex);
> +#endif
>  }
>  
>  /*
> @@ -230,6 +255,16 @@ static int evm_calc_hmac_or_hash(struct dentry
> *dentry,
>  					     req_xattr_value_len);
>  			if (is_ima)
>  				ima_present = true;
> +
> +			if (req_xattr_value_len < 64)
> +				pr_debug("%s: (%lu) [%*phN]\n",
> req_xattr_name,
> +					 req_xattr_value_len,
> +					 (int)req_xattr_value_len,
> +					 req_xattr_value);
> +			else
> +				dump_security_xattr(req_xattr_name,
> +						    req_xattr_value,
> +						    req_xattr_value_len
> );
>  			continue;
>  		}
>  		size = vfs_getxattr_alloc(&init_user_ns, dentry, xattr-
> >name,
> @@ -246,6 +281,13 @@ static int evm_calc_hmac_or_hash(struct dentry
> *dentry,
>  		crypto_shash_update(desc, (const u8 *)xattr_value,
> xattr_size);
>  		if (is_ima)
>  			ima_present = true;
> +
> +		if (xattr_size < 64)
> +			pr_debug("%s: (%lu) [%*phN]", xattr->name,
> xattr_size,
> +				 (int)xattr_size, xattr_value);
> +		else
> +			dump_security_xattr(xattr->name, xattr_value,
> +					    xattr_size);
>  	}
>  	hmac_add_misc(desc, inode, type, data->digest);
>  
> diff --git a/security/integrity/evm/evm_main.c
> b/security/integrity/evm/evm_main.c
> index 2c226e634ae9..059ac17a0041 100644
> --- a/security/integrity/evm/evm_main.c
> +++ b/security/integrity/evm/evm_main.c
> @@ -11,6 +11,8 @@
>   *	evm_inode_removexattr, and evm_verifyxattr
>   */
>  
> +#define pr_fmt(fmt) "EVM: "fmt
> +
>  #include <linux/init.h>
>  #include <linux/crypto.h>
>  #include <linux/audit.h>
> @@ -272,6 +274,8 @@ static enum integrity_status
> evm_verify_hmac(struct dentry *dentry,
>  		else
>  			evm_status = INTEGRITY_FAIL;
>  	}
> +	pr_debug("digest: (%d) [%*phN]\n", digest.hdr.length,
> digest.hdr.length,
> +		  digest.digest);
>  out:
>  	if (iint)
>  		iint->evm_status = evm_status;


      reply	other threads:[~2021-06-08 16:06 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-06-08 13:29 [PATCH 0/2] EVM: add some debugging info Mimi Zohar
2021-06-08 13:29 ` [PATCH 1/2] ima: differentiate between EVM failures in the audit log Mimi Zohar
2021-06-08 13:29 ` [PATCH 2/2] evm: output EVM digest calculation info Mimi Zohar
2021-06-08 16:06   ` nramas [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=6f42e07fb057efdc72dc292017f6dbf05c3adfe9.camel@linux.microsoft.com \
    --to=nramas@linux.microsoft.com \
    --cc=linux-integrity@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=russell@coker.com.au \
    --cc=stefanb@linux.ibm.com \
    --cc=zohar@linux.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.