From: Roberto Sassu <roberto.sassu@huawei.com>
To: <zohar@linux.ibm.com>, <gregkh@linuxfoundation.org>,
<mchehab+huawei@kernel.org>
Cc: <linux-integrity@vger.kernel.org>,
<linux-security-module@vger.kernel.org>,
<linux-doc@vger.kernel.org>, <linux-kselftest@vger.kernel.org>,
<linux-kernel@vger.kernel.org>,
Roberto Sassu <roberto.sassu@huawei.com>
Subject: [PATCH v3 06/13] diglim: IMA info
Date: Tue, 14 Sep 2021 18:33:54 +0200 [thread overview]
Message-ID: <20210914163401.864635-7-roberto.sassu@huawei.com> (raw)
In-Reply-To: <20210914163401.864635-1-roberto.sassu@huawei.com>
Introduce diglim_ima_get_info() to retrieve the digest and the actions
performed by IMA on the passed digest list file or buffer.
diglim_ima_get_info() requires the caller to write-lock the file to ensure
that the file content the integrity status is retrieved from didn't change
since the time the buffer passed as argument was filled.
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
---
MAINTAINERS | 1 +
security/integrity/diglim/Makefile | 2 +-
security/integrity/diglim/diglim.h | 6 ++
security/integrity/diglim/ima.c | 122 +++++++++++++++++++++++++++++
security/integrity/integrity.h | 4 +
5 files changed, 134 insertions(+), 1 deletion(-)
create mode 100644 security/integrity/diglim/ima.c
diff --git a/MAINTAINERS b/MAINTAINERS
index f5959936d490..f10690dda734 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -5514,6 +5514,7 @@ F: Documentation/security/diglim/introduction.rst
F: include/linux/diglim.h
F: include/uapi/linux/diglim.h
F: security/integrity/diglim/diglim.h
+F: security/integrity/diglim/ima.c
F: security/integrity/diglim/methods.c
F: security/integrity/diglim/parser.c
diff --git a/security/integrity/diglim/Makefile b/security/integrity/diglim/Makefile
index 34e4e154fff3..880dc5300792 100644
--- a/security/integrity/diglim/Makefile
+++ b/security/integrity/diglim/Makefile
@@ -5,4 +5,4 @@
obj-$(CONFIG_DIGLIM) += diglim.o
-diglim-y := methods.o parser.o
+diglim-y := methods.o parser.o ima.o
diff --git a/security/integrity/diglim/diglim.h b/security/integrity/diglim/diglim.h
index afdb0affdc5e..ebe8936520b5 100644
--- a/security/integrity/diglim/diglim.h
+++ b/security/integrity/diglim/diglim.h
@@ -22,6 +22,8 @@
#include <linux/hash_info.h>
#include <linux/diglim.h>
+#include "../integrity.h"
+
#define MAX_DIGEST_SIZE 64
#define HASH_BITS 10
#define DIGLIM_HTABLE_SIZE (1 << HASH_BITS)
@@ -221,4 +223,8 @@ void digest_list_del(u8 *digest, enum hash_algo algo, u8 actions,
int digest_list_parse(loff_t size, void *buf, enum ops op, u8 actions,
u8 *digest, enum hash_algo algo, const char *label);
+
+int diglim_ima_get_info(struct file *file, u8 *buffer, size_t buffer_len,
+ char *event_name, u8 *digest, size_t digest_len,
+ enum hash_algo *algo, u8 *actions);
#endif /*__DIGLIM_INTERNAL_H*/
diff --git a/security/integrity/diglim/ima.c b/security/integrity/diglim/ima.c
new file mode 100644
index 000000000000..2cc1ec1299f8
--- /dev/null
+++ b/security/integrity/diglim/ima.c
@@ -0,0 +1,122 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Copyright (C) 2021 Huawei Technologies Duesseldorf GmbH
+ *
+ * Author: Roberto Sassu <roberto.sassu@huawei.com>
+ *
+ * Functions to retrieve the integrity status from IMA.
+ */
+
+#include <linux/vmalloc.h>
+#include <linux/module.h>
+#include <linux/ima.h>
+
+#include "diglim.h"
+
+static int diglim_ima_get_info_file(struct file *file, u8 *digest,
+ size_t digest_len, enum hash_algo *algo,
+ u8 *actions)
+{
+ struct integrity_iint_cache *iint;
+ struct inode *inode = file_inode(file);
+ int ret = -ENOENT;
+
+ iint = integrity_iint_find(inode);
+ if (!iint)
+ return ret;
+
+ mutex_lock(&iint->mutex);
+ /* File digest has not been calculated. */
+ if (!(iint->flags & IMA_COLLECTED))
+ goto out;
+
+ ret = 0;
+
+ if (iint->flags & IMA_MEASURED)
+ *actions |= 1 << COMPACT_ACTION_IMA_MEASURED;
+
+ if (iint->flags & IMA_APPRAISED)
+ *actions |= 1 << COMPACT_ACTION_IMA_APPRAISED;
+
+ if (test_bit(IMA_DIGSIG, &iint->atomic_flags))
+ *actions |= 1 << COMPACT_ACTION_IMA_APPRAISED_DIGSIG;
+
+ if (algo)
+ *algo = iint->ima_hash->algo;
+ if (digest)
+ memcpy(digest, iint->ima_hash->digest, hash_digest_size[*algo]);
+out:
+ mutex_unlock(&iint->mutex);
+ return ret;
+}
+
+static int diglim_ima_get_info_buffer(u8 *buffer, size_t buffer_len,
+ char *event_name, u8 *digest,
+ size_t digest_len, enum hash_algo *algo,
+ u8 *actions)
+{
+ int ret;
+
+ ret = ima_measure_critical_data("diglim", event_name, buffer,
+ buffer_len, false, digest, digest_len);
+ if (ret < 0 && ret != -EEXIST)
+ return -ENOENT;
+
+ *algo = ima_get_current_hash_algo();
+
+ if (!ret || ret == -EEXIST)
+ *actions |= 1 << COMPACT_ACTION_IMA_MEASURED;
+
+ return 0;
+}
+
+/**
+ * diglim_ima_get_info - retrieve the integrity status of digest list from IMA
+ * @file: file to retrieve the integrity status from
+ * @buffer: buffer to retrieve the integrity status from (alternative to file)
+ * @buffer_len: buffer length
+ * @event_name: name of the event to be generated by IMA for buffer measurement
+ * @digest: digest of the file or the buffer
+ * @digest_len: digest length
+ * @algo: digest algorithm
+ * @actions: actions performed on the file or the buffer
+ *
+ * This function attempts to retrieve some information from the passed digest
+ * list file or buffer: the digest, its algorithm, and the actions performed by
+ * IMA.
+ *
+ * This function first attempts to retrieve the information from the file, and
+ * if unsuccessful, attempts with the buffer.
+ *
+ * The caller must prevent writes to the file with deny_write_access() to ensure
+ * that the file content the integrity status is retrieved from didn't change
+ * since the time the buffer passed as argument was filled.
+ *
+ * Return: 0 if the information has been successfully retrieved, -ENOENT
+ * otherwise.
+ */
+int diglim_ima_get_info(struct file *file, u8 *buffer, size_t buffer_len,
+ char *event_name, u8 *digest, size_t digest_len,
+ enum hash_algo *algo, u8 *actions)
+{
+ int ret = -ENOENT;
+
+ /* Ensure that the file is write-locked. */
+ if (file && atomic_read(&file_inode(file)->i_writecount) >= 0)
+ return -EINVAL;
+
+ if (file) {
+ ret = diglim_ima_get_info_file(file, digest, digest_len, algo,
+ actions);
+ if (!ret && (*actions & (1 << COMPACT_ACTION_IMA_MEASURED)))
+ return ret;
+ }
+
+ if (buffer) {
+ ret = diglim_ima_get_info_buffer(buffer, buffer_len, event_name,
+ digest, digest_len, algo,
+ actions);
+ }
+
+ return ret;
+}
diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
index 74919b638f52..de5dde382f11 100644
--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -6,6 +6,9 @@
* Mimi Zohar <zohar@us.ibm.com>
*/
+#ifndef __INTEGRITY_H
+#define __INTEGRITY_H
+
#ifdef pr_fmt
#undef pr_fmt
#endif
@@ -285,3 +288,4 @@ static inline void __init add_to_platform_keyring(const char *source,
{
}
#endif
+#endif /*__INTEGRITY_H*/
--
2.25.1
next prev parent reply other threads:[~2021-09-14 16:35 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-09-14 16:33 [PATCH v3 00/13] integrity: Introduce DIGLIM Roberto Sassu
2021-09-14 16:33 ` [PATCH v3 01/13] diglim: Overview Roberto Sassu
2021-09-14 17:00 ` Jarkko Sakkinen
2021-09-15 6:54 ` Roberto Sassu
2021-09-14 16:33 ` [PATCH v3 02/13] diglim: Basic definitions Roberto Sassu
2021-09-14 16:33 ` [PATCH v3 03/13] diglim: Objects Roberto Sassu
2021-09-14 16:33 ` [PATCH v3 04/13] diglim: Methods Roberto Sassu
2021-09-14 16:33 ` [PATCH v3 05/13] diglim: Parser Roberto Sassu
2021-09-14 16:33 ` Roberto Sassu [this message]
2021-09-14 16:33 ` [PATCH v3 07/13] diglim: Interfaces - digest_list_add, digest_list_del Roberto Sassu
2021-09-14 16:33 ` [PATCH v3 08/13] diglim: Interfaces - digest_lists_loaded Roberto Sassu
2021-09-14 16:33 ` [PATCH v3 09/13] diglim: Interfaces - digest_list_label Roberto Sassu
2021-09-14 16:33 ` [PATCH v3 10/13] diglim: Interfaces - digest_query Roberto Sassu
2021-09-14 16:33 ` [PATCH v3 11/13] diglim: Interfaces - digests_count Roberto Sassu
2021-09-14 16:34 ` [PATCH v3 12/13] diglim: Remote Attestation Roberto Sassu
2021-09-14 16:34 ` [PATCH v3 13/13] diglim: Tests Roberto Sassu
2021-10-28 9:08 ` [PATCH v3 00/13] integrity: Introduce DIGLIM Roberto Sassu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210914163401.864635-7-roberto.sassu@huawei.com \
--to=roberto.sassu@huawei.com \
--cc=gregkh@linuxfoundation.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mchehab+huawei@kernel.org \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).