Linux-Integrity Archive on lore.kernel.org
 help / color / Atom feed
From: Nayna Jain <nayna@linux.vnet.ibm.com>
To: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>,
	Nayna Jain <nayna@linux.ibm.com>,
	linuxppc-dev@ozlabs.org, linux-efi@vger.kernel.org,
	linux-integrity@vger.kernel.org
Cc: linux-kernel@vger.kernel.org,
	Michael Ellerman <mpe@ellerman.id.au>,
	Benjamin Herrenschmidt <benh@kernel.crashing.org>,
	Paul Mackerras <paulus@samba.org>,
	Ard Biesheuvel <ard.biesheuvel@linaro.org>,
	Jeremy Kerr <jk@ozlabs.org>,
	Matthew Garret <matthew.garret@nebula.com>,
	Mimi Zohar <zohar@linux.ibm.com>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Claudio Carvalho <cclaudio@linux.ibm.com>,
	George Wilson <gcwilson@linux.ibm.com>,
	Elaine Palmer <erpalmer@us.ibm.com>,
	Eric Ricther <erichte@linux.ibm.com>,
	"Oliver O'Halloran" <oohall@gmail.com>,
	Prakhar Srivastava <prsriva02@gmail.com>
Subject: Re: [PATCH v9 7/8] ima: check against blacklisted hashes for files with modsig
Date: Fri, 25 Oct 2019 12:36:37 -0500
Message-ID: <c051d807-59a1-5dd0-40b7-be0867f0e43a@linux.vnet.ibm.com> (raw)
In-Reply-To: <8e6dde58-17c2-a834-9ec3-1271b4ffd3a8@linux.microsoft.com>


On 10/24/19 12:48 PM, Lakshmi Ramasubramanian wrote:
> On 10/23/2019 8:47 PM, Nayna Jain wrote:
>
>> +/*
>> + * ima_check_blacklist - determine if the binary is blacklisted.
>> + *
>> + * Add the hash of the blacklisted binary to the measurement list, 
>> based
>> + * on policy.
>> + *
>> + * Returns -EPERM if the hash is blacklisted.
>> + */
>> +int ima_check_blacklist(struct integrity_iint_cache *iint,
>> +            const struct modsig *modsig, int pcr)
>> +{
>> +    enum hash_algo hash_algo;
>> +    const u8 *digest = NULL;
>> +    u32 digestsize = 0;
>> +    int rc = 0;
>> +
>> +    if (!(iint->flags & IMA_CHECK_BLACKLIST))
>> +        return 0;
>> +
>> +    if (iint->flags & IMA_MODSIG_ALLOWED && modsig) {
>> +        ima_get_modsig_digest(modsig, &hash_algo, &digest, 
>> &digestsize);
>> +
>> +        rc = is_binary_blacklisted(digest, digestsize);
>> +        if ((rc == -EPERM) && (iint->flags & IMA_MEASURE))
>> +            process_buffer_measurement(digest, digestsize,
>> +                           "blacklisted-hash", NONE,
>> +                           pcr);
>> +    }
>
> The enum value "NONE" is being passed to process_buffer_measurement to 
> indicate that the check for required action based on ima policy is 
> already done by ima_check_blacklist. Not sure, but this can cause 
> confusion in the future when someone updates process_buffer_measurement.


As I explained in the response to other patch, the purpose is to 
indicate that it is an auxiliary measurement record. By passing func as 
NONE, it implies there is no explicit policy to be queried for the 
template as it is an additional record for an existing policy and is to 
use ima-buf template.

What type of confusion do you mean ?

Thanks & Regards,

      - Nayna


  reply index

Thread overview: 29+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-10-24  3:47 [PATCH v9 0/8] powerpc: Enabling IMA arch specific secure boot policies Nayna Jain
2019-10-24  3:47 ` [PATCH v9 1/8] powerpc: detect the secure boot mode of the system Nayna Jain
2019-10-24 17:26   ` Lakshmi Ramasubramanian
2019-10-25 16:49     ` Nayna Jain
2019-10-24  3:47 ` [PATCH v9 2/8] powerpc/ima: add support to initialize ima policy rules Nayna Jain
2019-10-24 17:35   ` Lakshmi Ramasubramanian
2019-10-25 17:02     ` Nayna Jain
2019-10-25 18:03       ` Lakshmi Ramasubramanian
2019-10-28 23:42         ` Michael Ellerman
2019-10-26 23:52       ` Mimi Zohar
2019-10-28 11:54         ` Mimi Zohar
2019-10-24  3:47 ` [PATCH v9 3/8] powerpc: detect the trusted boot state of the system Nayna Jain
2019-10-24 17:38   ` Lakshmi Ramasubramanian
2019-10-25 16:50     ` Nayna Jain
2019-10-24  3:47 ` [PATCH v9 4/8] powerpc/ima: define trusted boot policy Nayna Jain
2019-10-24 17:40   ` Lakshmi Ramasubramanian
2019-10-24  3:47 ` [PATCH v9 5/8] ima: make process_buffer_measurement() generic Nayna Jain
2019-10-24 15:20   ` Lakshmi Ramasubramanian
2019-10-25 17:24     ` Nayna Jain
2019-10-25 17:32       ` Lakshmi Ramasubramanian
2019-10-27  0:13         ` Mimi Zohar
2019-10-30 15:22   ` Lakshmi Ramasubramanian
2019-10-30 16:35     ` Mimi Zohar
2019-10-24  3:47 ` [PATCH v9 6/8] certs: add wrapper function to check blacklisted binary hash Nayna Jain
2019-10-24  3:47 ` [PATCH v9 7/8] ima: check against blacklisted hashes for files with modsig Nayna Jain
2019-10-24 17:48   ` Lakshmi Ramasubramanian
2019-10-25 17:36     ` Nayna Jain [this message]
2019-10-24  3:47 ` [PATCH v9 8/8] powerpc/ima: update ima arch policy to check for blacklist Nayna Jain
2019-10-28 12:10 ` [PATCH v9 0/8] powerpc: Enabling IMA arch specific secure boot policies Mimi Zohar

Reply instructions:

You may reply publically to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=c051d807-59a1-5dd0-40b7-be0867f0e43a@linux.vnet.ibm.com \
    --to=nayna@linux.vnet.ibm.com \
    --cc=ard.biesheuvel@linaro.org \
    --cc=benh@kernel.crashing.org \
    --cc=cclaudio@linux.ibm.com \
    --cc=erichte@linux.ibm.com \
    --cc=erpalmer@us.ibm.com \
    --cc=gcwilson@linux.ibm.com \
    --cc=gregkh@linuxfoundation.org \
    --cc=jk@ozlabs.org \
    --cc=linux-efi@vger.kernel.org \
    --cc=linux-integrity@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linuxppc-dev@ozlabs.org \
    --cc=matthew.garret@nebula.com \
    --cc=mpe@ellerman.id.au \
    --cc=nayna@linux.ibm.com \
    --cc=nramas@linux.microsoft.com \
    --cc=oohall@gmail.com \
    --cc=paulus@samba.org \
    --cc=prsriva02@gmail.com \
    --cc=zohar@linux.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Linux-Integrity Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-integrity/0 linux-integrity/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-integrity linux-integrity/ https://lore.kernel.org/linux-integrity \
		linux-integrity@vger.kernel.org
	public-inbox-index linux-integrity

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-integrity


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git