* [PATCH v6 0/3] add new ima hook ima_kexec_cmdline to measure kexec boot cmdline args
@ 2019-05-21 0:06 Prakhar Srivastava
  2019-05-21 0:06 ` [PATCH v6 1/3] Add a new ima hook ima_kexec_cmdline to measure " Prakhar Srivastava
  ` (2 more replies)
  0 siblings, 3 replies; 12+ messages in thread

From: Prakhar Srivastava @ 2019-05-21 0:06 UTC (permalink / raw)
To: linux-integrity, linux-security-module, linux-kernel
Cc: mjg59, zohar, roberto.sassu, vgoyal, Prakhar Srivastava

The motive behind the patch series is to measure the boot cmdline args used for the soft reboot/kexec case.

For secure boot attestation, it is necessary to measure the kernel command line and the kernel version. For cold boot, the boot loader can be enhanced to measure these parameters (https://mjg59.dreamwidth.org/48897.html). However, for attestation across the soft reboot boundary, these values also need to be measured during kexec_file_load.

Currently for the kexec (kexec_file_load)/soft reboot scenario the boot cmdline args for the next kernel are not measured. For the normal case of boot/hard reboot the cmdline args are measured into the TPM. The hash of the boot command line is calculated and added to the currently running kernel's measurement list. On a soft reboot like kexec, the PCRs are not reset to zero. Refer to commit 94c3aac567a9 ("ima: on soft reboot, restore the measurement list") patch description.

To achieve the above the patch series does the following:
- adds a new ima hook: ima_kexec_cmdline which measures the cmdline args into the ima log, behind a new ima policy entry KEXEC_CMDLINE.
- since the cmdline args cannot be appraised, a new template field (buf) is added. The template field contains the buffer passed (cmdline args), which can be used to appraise/attest at a later stage.
- call the ima_kexec_cmdline(...) hook from the kexec_file_load call.

The ima logs need to be carried over to the next kernel, which will be followed up by other patchsets for x86_64 and arm64.

Changelog:

v6:
- add a new ima hook and policy to measure the cmdline args (ima_kexec_cmdline)
- add a new template field buf to contain the buffer measured. [suggested by Mimi Zohar]
  add new fields to ima_event_data to store/read buffer data. [suggested by Roberto]
- call ima_kexec_cmdline from kexec_file_load path

v5:
- add a new ima hook and policy to measure the cmdline args (ima_kexec_cmdline)
- add a new template field buf to contain the buffer measured. [suggested by Mimi Zohar]
- call ima_kexec_cmdline from kexec_file_load path

v4:
- per feedback from LSM community, removed the LSM hook and renamed the IMA policy to KEXEC_CMDLINE

v3: (rebase changes to next-general)
- Add policy checks for buffer [suggested by Mimi Zohar]
- use the IMA_XATTR to add buffer
- Add kexec_cmdline used for kexec file load
- Add an LSM hook to allow usage by other LSM. [suggested by Mimi Zohar]

v2:
- Add policy checks for buffer [suggested by Mimi Zohar]
- Add an LSM hook to allow usage by other LSM. [suggested by Mimi Zohar]
- use the IMA_XATTR to add buffer instead of sig template

v1:
- Add kconfigs to control the ima_buffer_check
- measure the cmdline args suffixed with the kernel file name
- add the buffer to the template sig field.

Prakhar Srivastava (3):
  Add a new ima hook ima_kexec_cmdline to measure cmdline args
  add a new ima template field buf
  call ima_kexec_cmdline to measure the cmdline args

 Documentation/ABI/testing/ima_policy      |  1 +
 Documentation/security/IMA-templates.rst  |  2 +-
 include/linux/ima.h                       |  2 +
 kernel/kexec_file.c                       |  8 ++-
 security/integrity/ima/ima.h              |  3 +
 security/integrity/ima/ima_api.c          |  5 +-
 security/integrity/ima/ima_init.c         |  2 +-
 security/integrity/ima/ima_main.c         | 80 +++++++++++++++++++++++
 security/integrity/ima/ima_policy.c       |  9 +++
 security/integrity/ima/ima_template.c     |  2 +
 security/integrity/ima/ima_template_lib.c | 20 ++++++
 security/integrity/ima/ima_template_lib.h |  4 ++
 12 files changed, 131 insertions(+), 7 deletions(-)

--
2.17.1
* [PATCH v6 1/3] Add a new ima hook ima_kexec_cmdline to measure cmdline args
  2019-05-21 0:06 [PATCH v6 0/3] add new ima hook ima_kexec_cmdline to measure kexec boot cmdline args Prakhar Srivastava
@ 2019-05-21 0:06 ` Prakhar Srivastava
  2019-05-24 14:56 ` Mimi Zohar
  2019-05-21 0:06 ` [PATCH v6 2/3] add a new ima template field buf Prakhar Srivastava
  2019-05-21 0:06 ` [PATCH v6 3/3] call ima_kexec_cmdline to measure the cmdline args Prakhar Srivastava
  2 siblings, 1 reply; 12+ messages in thread

From: Prakhar Srivastava @ 2019-05-21 0:06 UTC (permalink / raw)
To: linux-integrity, linux-security-module, linux-kernel
Cc: mjg59, zohar, roberto.sassu, vgoyal, Prakhar Srivastava

Currently during kexec_file_load (soft reboot) the cmdline args passed are not measured and the PCR values are not reset. This results in the new kernel assuming a secure boot was followed. The boot args used to launch the new kernel need to be measured and carried over to the next kernel to be used for attestation. IMA supports only measuring files; no functionality exists to measure a buffer (kexec cmdline).

This change adds new functionality to measure buffers, process_buffer_measurement, which uses the hash of the buffer instead of the file hash to add an entry in the ima log. A new ima hook ima_kexec_cmdline is also defined which calls into process_buffer_measurement to add the kexec_cmdline args to the log.

A new policy KEXEC_CMDLINE is also defined to control measuring the kexec_cmdline buffer. This patch only adds IMA_MEASURE as a supported functionality.

- A new ima hook ima_kexec_cmdline is defined to be called by the kexec code.
- A new function process_buffer_measurement is defined to measure the buffer hash into the ima log.
- A new func policy KEXEC_CMDLINE is defined to control the measurement.
Signed-off-by: Prakhar Srivastava <prsriva02@gmail.com> --- Documentation/ABI/testing/ima_policy | 1 + include/linux/ima.h | 2 + security/integrity/ima/ima.h | 1 + security/integrity/ima/ima_api.c | 1 + security/integrity/ima/ima_main.c | 77 ++++++++++++++++++++++++++++ security/integrity/ima/ima_policy.c | 9 ++++ 6 files changed, 91 insertions(+) diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy index 74c6702de74e..62e7cd687e9c 100644 --- a/Documentation/ABI/testing/ima_policy +++ b/Documentation/ABI/testing/ima_policy @@ -29,6 +29,7 @@ Description: base: func:= [BPRM_CHECK][MMAP_CHECK][CREDS_CHECK][FILE_CHECK][MODULE_CHECK] [FIRMWARE_CHECK] [KEXEC_KERNEL_CHECK] [KEXEC_INITRAMFS_CHECK] + [KEXEC_CMDLINE] mask:= [[^]MAY_READ] [[^]MAY_WRITE] [[^]MAY_APPEND] [[^]MAY_EXEC] fsmagic:= hex value diff --git a/include/linux/ima.h b/include/linux/ima.h index dc12fbcf484c..2e2c77280be8 100644 --- a/include/linux/ima.h +++ b/include/linux/ima.h @@ -26,6 +26,7 @@ extern int ima_read_file(struct file *file, enum kernel_read_file_id id); extern int ima_post_read_file(struct file *file, void *buf, loff_t size, enum kernel_read_file_id id); extern void ima_post_path_mknod(struct dentry *dentry); +extern void ima_kexec_cmdline(const void *buf, int size); #ifdef CONFIG_IMA_KEXEC extern void ima_add_kexec_buffer(struct kimage *image); @@ -92,6 +93,7 @@ static inline void ima_post_path_mknod(struct dentry *dentry) return; } +static inline void ima_kexec_cmdline(const void *buf, int size) {} #endif /* CONFIG_IMA */ #ifndef CONFIG_IMA_KEXEC diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index d213e835c498..226a26d8de09 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -184,6 +184,7 @@ static inline unsigned long ima_hash_key(u8 *digest) hook(KEXEC_KERNEL_CHECK) \ hook(KEXEC_INITRAMFS_CHECK) \ hook(POLICY_CHECK) \ + hook(KEXEC_CMDLINE) \ hook(MAX_CHECK) #define __ima_hook_enumify(ENUM) ENUM, 
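Review bot: in the include/linux/ima.h hunk, `ima_kexec_cmdline(const void *buf, int size)` takes the buffer length as a signed `int`, and the only guard on it in the ima_main.c hook is `size != 0`, so a negative length would be passed straight to `ima_calc_buffer_hash()`; declare the parameter as `size_t size` (and the matching stub in the `#else` branch) or reject `size < 0` in the hook so the kexec call site cannot hand over a bad length.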
diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c index c7505fb122d4..800d965232e5 100644 --- a/security/integrity/ima/ima_api.c +++ b/security/integrity/ima/ima_api.c @@ -169,6 +169,7 @@ void ima_add_violation(struct file *file, const unsigned char *filename, * subj=, obj=, type=, func=, mask=, fsmagic= * subj,obj, and type: are LSM specific. * func: FILE_CHECK | BPRM_CHECK | CREDS_CHECK | MMAP_CHECK | MODULE_CHECK + * | KEXEC_CMDLINE * mask: contains the permission mask * fsmagic: hex value * diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 357edd140c09..a88c28918a63 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c 
@@ -576,6 +576,83 @@ int ima_load_data(enum kernel_load_data_id id) return 0; } +/* + * process_buffer_measurement - Measure the buffer to ima log. + * @buf: pointer to the buffer that needs to be added to the log. + * @size: size of buffer(in bytes). + * @eventname: event name to be used for the buffer entry. + * @cred: a pointer to a credentials structure for user validation. + * @secid: the secid of the task to be validated. + * + * Based on policy, the buffer is measured into the ima log. + */ +static void process_buffer_measurement(const void *buf, int size, + const char *eventname, const struct cred *cred, + u32 secid) +{ + int ret = 0; + struct ima_template_entry *entry = NULL; + struct integrity_iint_cache tmp_iint, *iint = &tmp_iint; + struct ima_event_data event_data = {iint, NULL, NULL, + NULL, 0, NULL}; + struct { + struct ima_digest_data hdr; + char digest[IMA_MAX_DIGEST_SIZE]; + } hash; + int violation = 0; + int pcr = CONFIG_IMA_MEASURE_PCR_IDX; + int action = 0; + + action = ima_get_action(NULL, cred, secid, 0, KEXEC_CMDLINE, &pcr); + if (!(action & IMA_MEASURE)) + goto out; + + memset(iint, 0, sizeof(*iint)); + memset(&hash, 0, sizeof(hash)); + + event_data.filename = eventname; + + iint->ima_hash = &hash.hdr; + iint->ima_hash->algo = ima_hash_algo; + iint->ima_hash->length = hash_digest_size[ima_hash_algo]; + + ret = ima_calc_buffer_hash(buf, size, iint->ima_hash); + if (ret < 0) + goto out; + + ret = ima_alloc_init_template(&event_data, &entry); + if (ret < 0) + goto out; + + if (action & IMA_MEASURE) + ret = ima_store_template(entry, violation, NULL, buf, pcr); + + if (ret < 0) { + ima_free_template_entry(entry); + } + +out: + return; +} + +/** + * ima_kexec_cmdline - measure kexec cmdline boot args + * @buf: pointer to buffer + * @size: size of buffer + * + * Buffers can only be measured, not appraised. 
+ */ +void ima_kexec_cmdline(const void *buf, int size) +{ + u32 secid; + + if (buf && size != 0) { + security_task_getsecid(current, &secid); + process_buffer_measurement(buf, size, "kexec-cmdline", + current_cred(), secid); + } +} + static int __init init_ima(void) { int error; diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index e0cc323f948f..413e5921b248 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -291,6 +291,13 @@ static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode, { int i; + /* only incase of KEXEC_CMDLINE, inode is NULL */ + if (func == KEXEC_CMDLINE) { + if ((rule->flags & IMA_FUNC) && + (rule->func == func) && (!inode)) + return true; + return false; + } if ((rule->flags & IMA_FUNC) && (rule->func != func && func != POST_SETATTR)) return false; @@ -869,6 +876,8 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) entry->func = KEXEC_INITRAMFS_CHECK; else if (strcmp(args[0].from, "POLICY_CHECK") == 0) entry->func = POLICY_CHECK; + else if (strcmp(args[0].from, "KEXEC_CMDLINE") == 0) + entry->func = KEXEC_CMDLINE; else result = -EINVAL; if (!result) -- 2.17.1 ^ permalink raw reply related [flat|nested] 12+ messages in thread
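Review bot: the KEXEC_CMDLINE branch added at the top of ima_match_rules() returns `true` as soon as `rule->func == func` and `!inode`, so any further condition written on a `func=KEXEC_CMDLINE` rule is never evaluated by the checks that follow it and is silently ignored; either reject additional conditions for this func when the rule is parsed (the ima_parse_rule hunk is the natural place) or let the branch fall through and skip only the inode-dependent checks.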
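Review bot: in the ima_main.c hunk, the second `if (action & IMA_MEASURE)` in front of ima_store_template() can never be false, because the function already left via `goto out` when IMA_MEASURE was not set, so drop that test; with it gone, the `goto out` / `out: return;` pair can become plain `return` statements, the single-statement `if (ret < 0)` body does not need braces, and `violation` is only ever 0, so pass 0 directly rather than keeping a variable for it.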
* Re: [PATCH v6 1/3] Add a new ima hook ima_kexec_cmdline to measure cmdline args
  2019-05-21 0:06 ` [PATCH v6 1/3] Add a new ima hook ima_kexec_cmdline to measure " Prakhar Srivastava
@ 2019-05-24 14:56 ` Mimi Zohar
  0 siblings, 0 replies; 12+ messages in thread

From: Mimi Zohar @ 2019-05-24 14:56 UTC (permalink / raw)
To: Prakhar Srivastava, linux-integrity, linux-security-module, linux-kernel
Cc: mjg59, roberto.sassu, vgoyal

Hi Prakhar,

On Mon, 2019-05-20 at 17:06 -0700, Prakhar Srivastava wrote:
> Currently during kexec_file_load(soft reboot) the cmdline args
> passed are not measured and the PCR values are not reset.

This patch addresses not measuring the kexec boot cmdline. I don't see a reason for mentioning anything about the PCR values not being reset. Keep it simple.

> This results in the new kernel to assume a secure boot was
> followed. The boot args used to launch the new kernel need to be
> measured and carried over to the next kernel to be used for
> attestation. IMA supports only measuring files, no functionality
> exists to measure a buffer(kexec cmdline).
>
> This change adds a new functionality to measure buffers
> process_buffer_measurement which uses the hash of the buffer
> instead of file hash to add an entry in the ima log.
> A new ima hook ima_kexec_cmdline is also defined which calls
> into process_buffer_measurement to add the kexec_cmdline args
> to the log.
>
> A new policy KEXEC_CMDLINE is also defined to control measuring the
> kexec_cmdline buffer.
> This patch only adds IMA_MEASURE as a supported functionality.
>
> - A new ima hook ima_kexec_cmdline is defined to be called by the
> kexec code.
> - A new function process_buffer_measurement is defined to measure
> the buffer hash into the ima log.
> - A new func policy KEXEC_CMDLINE is defined to control the measurement.

Missing is how to verify the digest of the measurement list kexec boot cmdline entry based on /proc/cmdline. Everything before the "root=" in the /proc entry needs to be removed before calculating the hash. Please include a sample shell command.

Matthew's patch "IMA: Allow profiles to define the desired IMA template" will require changes to this patch. Please rebase this patch set on top of it, once Matthew addresses the comments and re-posts.

(Reminder: the patch description should be 70 - 75 characters.)

>
> Signed-off-by: Prakhar Srivastava <prsriva02@gmail.com>
> ---

< snip >

> --- a/security/integrity/ima/ima_main.c
> +++ b/security/integrity/ima/ima_main.c
> @@ -576,6 +576,83 @@ int ima_load_data(enum kernel_load_data_id id) > return 0; > } > > +/* > + * process_buffer_measurement - Measure the buffer to ima log. > + * @buf: pointer to the buffer that needs to be added to the log. > + * @size: size of buffer(in bytes). > + * @eventname: event name to be used for the buffer entry. > + * @cred: a pointer to a credentials structure for user validation. > + * @secid: the secid of the task to be validated. > + * > + * Based on policy, the buffer is measured into the ima log. > + */ > +static void process_buffer_measurement(const void *buf, int size, > + const char *eventname, const struct cred *cred, > + u32 secid) > +{ > + int ret = 0; > + struct ima_template_entry *entry = NULL; > + struct integrity_iint_cache tmp_iint, *iint = &tmp_iint; > + struct ima_event_data event_data = {iint, NULL, NULL, > + NULL, 0, NULL}; Thiago's clean up patch initializes only specific variables, as needed. Please initialize event_data like: struct ima_event_data event_data = {.iint = iint}; > + struct { > + struct ima_digest_data hdr; > + char digest[IMA_MAX_DIGEST_SIZE]; > + } hash; > + int violation = 0; > + int pcr = CONFIG_IMA_MEASURE_PCR_IDX; > + int action = 0; > + > + action = ima_get_action(NULL, cred, secid, 0, KEXEC_CMDLINE, &pcr); > + if (!(action & IMA_MEASURE)) > + goto out; > + > + memset(iint, 0, sizeof(*iint)); > + memset(&hash, 0, sizeof(hash)); > + > + event_data.filename = eventname; > + > + iint->ima_hash = &hash.hdr; > + iint->ima_hash->algo = ima_hash_algo; > + iint->ima_hash->length = hash_digest_size[ima_hash_algo]; > + > + ret = ima_calc_buffer_hash(buf, size, iint->ima_hash); > + if (ret < 0) > + goto out; > + > + ret = ima_alloc_init_template(&event_data, &entry); > + if (ret < 0) > + goto out; > + > + if (action & IMA_MEASURE) > + ret = ima_store_template(entry, violation, NULL, buf, pcr); > + > + if (ret < 0) { > + ima_free_template_entry(entry); > + } Remove brackets. 
Mimi > + > +out: > + return; > +} ^ permalink raw reply [flat|nested] 12+ messages in thread
* [PATCH v6 2/3] add a new ima template field buf
  2019-05-21 0:06 [PATCH v6 0/3] add new ima hook ima_kexec_cmdline to measure kexec boot cmdline args Prakhar Srivastava
  2019-05-21 0:06 ` [PATCH v6 1/3] Add a new ima hook ima_kexec_cmdline to measure " Prakhar Srivastava
@ 2019-05-21 0:06 ` Prakhar Srivastava
  2019-05-21 7:11 ` Roberto Sassu
  2019-05-24 15:12 ` Mimi Zohar
  2019-05-21 0:06 ` [PATCH v6 3/3] call ima_kexec_cmdline to measure the cmdline args Prakhar Srivastava
  2 siblings, 2 replies; 12+ messages in thread

From: Prakhar Srivastava @ 2019-05-21 0:06 UTC (permalink / raw)
To: linux-integrity, linux-security-module, linux-kernel
Cc: mjg59, zohar, roberto.sassu, vgoyal, Prakhar Srivastava

A buffer (cmdline args) measured into ima cannot be appraised without already being aware of the buffer contents. Since we don't know what cmdline args will be passed (or need to validate what was passed) it is not possible to appraise it.

Since hashes are non-reversible the raw buffer is needed to recompute the hash. To regenerate the hash of the buffer and appraise the same, the contents of the buffer need to be available.

A new template field buf is added to the existing ima template fields, which can be used to store/read the buffer itself. Two new fields are added to the ima_event_data to carry the buf and buf_len whenever necessary.

Updated the process_buffer_measurement call to add the buf to the ima_event_data. process_buffer_measurement was added in "Add a new ima hook ima_kexec_cmdline to measure cmdline args".

- Add a new template field 'buf' to be used to store/read the buffer data.
- Added two new fields to ima_event_data to hold the buf and buf_len [Suggested by Roberto]
- Updated process_buffer_measurement to add the buffer to ima_event_data
Signed-off-by: Prakhar Srivastava <prsriva02@gmail.com> --- Documentation/security/IMA-templates.rst | 2 +- security/integrity/ima/ima.h | 2 ++ security/integrity/ima/ima_api.c | 4 ++-- security/integrity/ima/ima_init.c | 2 +- security/integrity/ima/ima_main.c | 4 +++- security/integrity/ima/ima_template.c | 2 ++ security/integrity/ima/ima_template_lib.c | 20 ++++++++++++++++++++ security/integrity/ima/ima_template_lib.h | 4 ++++ 8 files changed, 35 insertions(+), 5 deletions(-) diff --git a/Documentation/security/IMA-templates.rst b/Documentation/security/IMA-templates.rst index 2cd0e273cc9a..9cddb66727ee 100644 --- a/Documentation/security/IMA-templates.rst +++ b/Documentation/security/IMA-templates.rst @@ -70,7 +70,7 @@ descriptors by adding their identifier to the format string prefix is shown only if the hash algorithm is not SHA1 or MD5); - 'n-ng': the name of the event, without size limitations; - 'sig': the file signature. - + - 'buf': the buffer data that was used to generate the hash without size limitations. Below, there is the list of defined template descriptors: diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index 226a26d8de09..4a82541dc3b6 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -65,6 +65,8 @@ struct ima_event_data { struct evm_ima_xattr_data *xattr_value; int xattr_len; const char *violation; + const void *buf; + int buf_len; }; /* IMA template field data definition */ diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c index 800d965232e5..c12f1cd38f8f 100644 --- a/security/integrity/ima/ima_api.c +++ b/security/integrity/ima/ima_api.c @@ -134,7 +134,7 @@ void ima_add_violation(struct file *file, const unsigned char *filename, struct ima_template_entry *entry; struct inode *inode = file_inode(file); struct ima_event_data event_data = {iint, file, filename, NULL, 0, - cause}; + cause, NULL, 0}; int violation = 1; int result; 
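Review bot: the ima_api.c hunk (and the ima_init.c and ima_main.c hunks that follow) only change because `struct ima_event_data` is filled with positional initializers such as `{iint, file, filename, NULL, 0, cause, NULL, 0}`; switching these sites to designated initializers (`{.iint = iint, .file = file, .filename = filename, ...}`) lets the new `buf` and `buf_len` members default to zero without editing every unrelated caller each time a member is appended to the struct.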
@@ -286,7 +286,7 @@ void ima_store_measurement(struct integrity_iint_cache *iint, struct inode *inode = file_inode(file); struct ima_template_entry *entry; struct ima_event_data event_data = {iint, file, filename, xattr_value, - xattr_len, NULL}; + xattr_len, NULL, NULL, 0}; int violation = 0; if (iint->measured_pcrs & (0x1 << pcr)) diff --git a/security/integrity/ima/ima_init.c b/security/integrity/ima/ima_init.c index 6c9295449751..0c34d3100b5b 100644 --- a/security/integrity/ima/ima_init.c +++ b/security/integrity/ima/ima_init.c @@ -50,7 +50,7 @@ static int __init ima_add_boot_aggregate(void) struct ima_template_entry *entry; struct integrity_iint_cache tmp_iint, *iint = &tmp_iint; struct ima_event_data event_data = {iint, NULL, boot_aggregate_name, - NULL, 0, NULL}; + NULL, 0, NULL, NULL, 0}; int result = -ENOMEM; int violation = 0; struct { diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index a88c28918a63..6c5691b65b84 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -594,7 +594,7 @@ static void process_buffer_measurement(const void *buf, int size, struct ima_template_entry *entry = NULL; struct integrity_iint_cache tmp_iint, *iint = &tmp_iint; struct ima_event_data event_data = {iint, NULL, NULL, - NULL, 0, NULL}; + NULL, 0, NULL, NULL, 0}; struct { struct ima_digest_data hdr; char digest[IMA_MAX_DIGEST_SIZE]; @@ -611,6 +611,8 @@ static void process_buffer_measurement(const void *buf, int size, memset(&hash, 0, sizeof(hash)); event_data.filename = eventname; + event_data.buf = buf; + event_data.buf_len = size; iint->ima_hash = &hash.hdr; iint->ima_hash->algo = ima_hash_algo; diff --git a/security/integrity/ima/ima_template.c b/security/integrity/ima/ima_template.c index b631b8bc7624..a76d1c04162a 100644 --- a/security/integrity/ima/ima_template.c +++ b/security/integrity/ima/ima_template.c 
@@ -43,6 +43,8 @@ static const struct ima_template_field supported_fields[] = { .field_show = ima_show_template_string}, {.field_id = "sig", .field_init = ima_eventsig_init, .field_show = ima_show_template_sig}, + {.field_id = "buf", .field_init = ima_eventbuf_init, + .field_show = ima_show_template_buf}, }; #define MAX_TEMPLATE_NAME_LEN 15 diff --git a/security/integrity/ima/ima_template_lib.c b/security/integrity/ima/ima_template_lib.c index 513b457ae900..43d1404141c1 100644 --- a/security/integrity/ima/ima_template_lib.c +++ b/security/integrity/ima/ima_template_lib.c @@ -162,6 +162,12 @@ void ima_show_template_sig(struct seq_file *m, enum ima_show_type show, ima_show_template_field_data(m, show, DATA_FMT_HEX, field_data); } +void ima_show_template_buf(struct seq_file *m, enum ima_show_type show, + struct ima_field_data *field_data) +{ + ima_show_template_field_data(m, show, DATA_FMT_HEX, field_data); +} + /** * ima_parse_buf() - Parses lengths and data from an input buffer * @bufstartp: Buffer start address. @@ -389,3 +395,17 @@ int ima_eventsig_init(struct ima_event_data *event_data, return ima_write_template_field_data(xattr_value, event_data->xattr_len, DATA_FMT_HEX, field_data); } + +/* + * ima_eventbuf_init - include the buffer(kexec-cmldine) as part of the + * template data. + */ +int ima_eventbuf_init(struct ima_event_data *event_data, + struct ima_field_data *field_data) +{ + if ((!event_data->buf) || (event_data->buf_len == 0)) + return 0; + + return ima_write_template_field_data(event_data->buf, event_data->buf_len, + DATA_FMT_HEX, field_data); +} diff --git a/security/integrity/ima/ima_template_lib.h b/security/integrity/ima/ima_template_lib.h index 6a3d8b831deb..f0178bc60c55 100644 --- a/security/integrity/ima/ima_template_lib.h +++ b/security/integrity/ima/ima_template_lib.h 
@@ -29,6 +29,8 @@ void ima_show_template_string(struct seq_file *m, enum ima_show_type show, struct ima_field_data *field_data); void ima_show_template_sig(struct seq_file *m, enum ima_show_type show, struct ima_field_data *field_data); +void ima_show_template_buf(struct seq_file *m, enum ima_show_type show, + struct ima_field_data *field_data); int ima_parse_buf(void *bufstartp, void *bufendp, void **bufcurp, int maxfields, struct ima_field_data *fields, int *curfields, unsigned long *len_mask, int enforce_mask, char *bufname); @@ -42,4 +44,6 @@ int ima_eventname_ng_init(struct ima_event_data *event_data, struct ima_field_data *field_data); int ima_eventsig_init(struct ima_event_data *event_data, struct ima_field_data *field_data); +int ima_eventbuf_init(struct ima_event_data *event_data, + struct ima_field_data *field_data); #endif /* __LINUX_IMA_TEMPLATE_LIB_H */ -- 2.17.1 ^ permalink raw reply related [flat|nested] 12+ messages in thread
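Review bot: ima_eventbuf_init() returns 0 without calling ima_write_template_field_data() when `buf` is NULL or `buf_len` is 0, so a template format that lists 'buf' records a zero-length field for every ordinary file measurement; it is worth confirming that ima_parse_buf(), declared in this same header and used to restore the measurement list across kexec, accepts a zero-length field, and the IMA-templates.rst hunk should state that 'buf' is empty for file events. The new rst line also runs far past the wrapping width of the neighbouring bullet lines.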
* Re: [PATCH v6 2/3] add a new ima template field buf
  2019-05-21 0:06 ` [PATCH v6 2/3] add a new ima template field buf Prakhar Srivastava
@ 2019-05-21 7:11 ` Roberto Sassu
  2019-05-24 15:12 ` Mimi Zohar
  1 sibling, 0 replies; 12+ messages in thread

From: Roberto Sassu @ 2019-05-21 7:11 UTC (permalink / raw)
To: Prakhar Srivastava, linux-integrity, linux-security-module, linux-kernel
Cc: mjg59, zohar, vgoyal

On 5/21/2019 2:06 AM, Prakhar Srivastava wrote:
> A buffer(cmdline args) measured into ima cannot be appraised
> without already being aware of the buffer contents.Since we

Space before 'Since'.

> don't know what cmdline args will be passed (or need to validate
> what was passed) it is not possible to appraise it.
>
> Since hashs are non reversible the raw buffer is needed to
> recompute the hash.

Hashes.

> To regenrate the hash of the buffer and appraise the same

Regenerate.

> the contents of the buffer need to be available.
>
> A new template field buf is added to the existing ima template
> fields, which can be used to store/read the buffer itself.
> Two new fields are added to the ima_event_data to carry the
> buf and buf_len whenever necessary.
>
> Updated the process_buffer_measurement call to add the buf
> to the ima_event_data.
> process_buffer_measurement added in "Add a new ima hook
> ima_kexec_cmdline to measure cmdline args"
>
> - Add a new template field 'buf' to be used to store/read
> the buffer data.
> - Added two new fields to ima_event_data to hold the buf and
> buf_len [Suggested by Roberto]
> -Updated process_buffer_meaurement to add the buffer to

Space after -.

> ima_event_data
> > Signed-off-by: Prakhar Srivastava <prsriva02@gmail.com> > --- > Documentation/security/IMA-templates.rst | 2 +- > security/integrity/ima/ima.h | 2 ++ > security/integrity/ima/ima_api.c | 4 ++-- > security/integrity/ima/ima_init.c | 2 +- > security/integrity/ima/ima_main.c | 4 +++- > security/integrity/ima/ima_template.c | 2 ++ > security/integrity/ima/ima_template_lib.c | 20 ++++++++++++++++++++ > security/integrity/ima/ima_template_lib.h | 4 ++++ > 8 files changed, 35 insertions(+), 5 deletions(-) > > diff --git a/Documentation/security/IMA-templates.rst b/Documentation/security/IMA-templates.rst > index 2cd0e273cc9a..9cddb66727ee 100644 > --- a/Documentation/security/IMA-templates.rst > +++ b/Documentation/security/IMA-templates.rst > @@ -70,7 +70,7 @@ descriptors by adding their identifier to the format string > prefix is shown only if the hash algorithm is not SHA1 or MD5); > - 'n-ng': the name of the event, without size limitations; > - 'sig': the file signature. ; instead of . > - Keep the new line. Apart from that, the patch looks good to me. Reviewed-by: Roberto Sassu <roberto.sassu@huawei.com> Roberto > + - 'buf': the buffer data that was used to generate the hash without size limitations. > > Below, there is the list of defined template descriptors: > > diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h > index 226a26d8de09..4a82541dc3b6 100644 > --- a/security/integrity/ima/ima.h > +++ b/security/integrity/ima/ima.h > @@ -65,6 +65,8 @@ struct ima_event_data { > struct evm_ima_xattr_data *xattr_value; > int xattr_len; > const char *violation; > + const void *buf; > + int buf_len; > }; > > /* IMA template field data definition */ > diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c > index 800d965232e5..c12f1cd38f8f 100644 > --- a/security/integrity/ima/ima_api.c > +++ b/security/integrity/ima/ima_api.c 
> @@ -134,7 +134,7 @@ void ima_add_violation(struct file *file, const unsigned char *filename, > struct ima_template_entry *entry; > struct inode *inode = file_inode(file); > struct ima_event_data event_data = {iint, file, filename, NULL, 0, > - cause}; > + cause, NULL, 0}; > int violation = 1; > int result; > > @@ -286,7 +286,7 @@ void ima_store_measurement(struct integrity_iint_cache *iint, > struct inode *inode = file_inode(file); > struct ima_template_entry *entry; > struct ima_event_data event_data = {iint, file, filename, xattr_value, > - xattr_len, NULL}; > + xattr_len, NULL, NULL, 0}; > int violation = 0; > > if (iint->measured_pcrs & (0x1 << pcr)) > diff --git a/security/integrity/ima/ima_init.c b/security/integrity/ima/ima_init.c > index 6c9295449751..0c34d3100b5b 100644 > --- a/security/integrity/ima/ima_init.c > +++ b/security/integrity/ima/ima_init.c > @@ -50,7 +50,7 @@ static int __init ima_add_boot_aggregate(void) > struct ima_template_entry *entry; > struct integrity_iint_cache tmp_iint, *iint = &tmp_iint; > struct ima_event_data event_data = {iint, NULL, boot_aggregate_name, > - NULL, 0, NULL}; > + NULL, 0, NULL, NULL, 0}; > int result = -ENOMEM; > int violation = 0; > struct { > diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c > index a88c28918a63..6c5691b65b84 100644 > --- a/security/integrity/ima/ima_main.c > +++ b/security/integrity/ima/ima_main.c > @@ -594,7 +594,7 @@ static void process_buffer_measurement(const void *buf, int size, > struct ima_template_entry *entry = NULL; > struct integrity_iint_cache tmp_iint, *iint = &tmp_iint; > struct ima_event_data event_data = {iint, NULL, NULL, > - NULL, 0, NULL}; > + NULL, 0, NULL, NULL, 0}; > struct { > struct ima_digest_data hdr; > char digest[IMA_MAX_DIGEST_SIZE]; 
> @@ -611,6 +611,8 @@ static void process_buffer_measurement(const void *buf, int size, > memset(&hash, 0, sizeof(hash)); > > event_data.filename = eventname; > + event_data.buf = buf; > + event_data.buf_len = size; > > iint->ima_hash = &hash.hdr; > iint->ima_hash->algo = ima_hash_algo; > diff --git a/security/integrity/ima/ima_template.c b/security/integrity/ima/ima_template.c > index b631b8bc7624..a76d1c04162a 100644 > --- a/security/integrity/ima/ima_template.c > +++ b/security/integrity/ima/ima_template.c > @@ -43,6 +43,8 @@ static const struct ima_template_field supported_fields[] = { > .field_show = ima_show_template_string}, > {.field_id = "sig", .field_init = ima_eventsig_init, > .field_show = ima_show_template_sig}, > + {.field_id = "buf", .field_init = ima_eventbuf_init, > + .field_show = ima_show_template_buf}, > }; > #define MAX_TEMPLATE_NAME_LEN 15 > > diff --git a/security/integrity/ima/ima_template_lib.c b/security/integrity/ima/ima_template_lib.c > index 513b457ae900..43d1404141c1 100644 > --- a/security/integrity/ima/ima_template_lib.c > +++ b/security/integrity/ima/ima_template_lib.c > @@ -162,6 +162,12 @@ void ima_show_template_sig(struct seq_file *m, enum ima_show_type show, > ima_show_template_field_data(m, show, DATA_FMT_HEX, field_data); > } > > +void ima_show_template_buf(struct seq_file *m, enum ima_show_type show, > + struct ima_field_data *field_data) > +{ > + ima_show_template_field_data(m, show, DATA_FMT_HEX, field_data); > +} > + > /** > * ima_parse_buf() - Parses lengths and data from an input buffer > * @bufstartp: Buffer start address. 
> @@ -389,3 +395,17 @@ int ima_eventsig_init(struct ima_event_data *event_data, > return ima_write_template_field_data(xattr_value, event_data->xattr_len, > DATA_FMT_HEX, field_data); > } > + > +/* > + * ima_eventbuf_init - include the buffer(kexec-cmldine) as part of the > + * template data. > + */ > +int ima_eventbuf_init(struct ima_event_data *event_data, > + struct ima_field_data *field_data) > +{ > + if ((!event_data->buf) || (event_data->buf_len == 0)) > + return 0; > + > + return ima_write_template_field_data(event_data->buf, event_data->buf_len, > + DATA_FMT_HEX, field_data); > +} > diff --git a/security/integrity/ima/ima_template_lib.h b/security/integrity/ima/ima_template_lib.h > index 6a3d8b831deb..f0178bc60c55 100644 > --- a/security/integrity/ima/ima_template_lib.h > +++ b/security/integrity/ima/ima_template_lib.h > @@ -29,6 +29,8 @@ void ima_show_template_string(struct seq_file *m, enum ima_show_type show, > struct ima_field_data *field_data); > void ima_show_template_sig(struct seq_file *m, enum ima_show_type show, > struct ima_field_data *field_data); > +void ima_show_template_buf(struct seq_file *m, enum ima_show_type show, > + struct ima_field_data *field_data); > int ima_parse_buf(void *bufstartp, void *bufendp, void **bufcurp, > int maxfields, struct ima_field_data *fields, int *curfields, > unsigned long *len_mask, int enforce_mask, char *bufname); > @@ -42,4 +44,6 @@ int ima_eventname_ng_init(struct ima_event_data *event_data, > struct ima_field_data *field_data); > int ima_eventsig_init(struct ima_event_data *event_data, > struct ima_field_data *field_data); > +int ima_eventbuf_init(struct ima_event_data *event_data, > + struct ima_field_data *field_data); > #endif /* __LINUX_IMA_TEMPLATE_LIB_H */ > -- HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063 Managing Director: Bo PENG, Jian LI, Yanli SHI ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [PATCH v6 2/3] add a new ima template field buf
From: Mimi Zohar @ 2019-05-24 15:12 UTC
To: Prakhar Srivastava, linux-integrity, linux-security-module, linux-kernel
Cc: mjg59, roberto.sassu, vgoyal

On Mon, 2019-05-20 at 17:06 -0700, Prakhar Srivastava wrote:
> A buffer(cmdline args) measured into ima cannot be appraised
> without already being aware of the buffer contents. Since we
> don't know what cmdline args will be passed (or need to validate
> what was passed) it is not possible to appraise it.
>
> Since hashes are non reversible the raw buffer is needed to
> recompute the hash.
> To regenerate the hash of the buffer and appraise the same
> the contents of the buffer need to be available.
>
> A new template field buf is added to the existing ima template
> fields, which can be used to store/read the buffer itself.
> Two new fields are added to the ima_event_data to carry the
> buf and buf_len whenever necessary.
>
> Updated the process_buffer_measurement call to add the buf
> to the ima_event_data.
> process_buffer_measurement added in "Add a new ima hook
> ima_kexec_cmdline to measure cmdline args"
>
> - Add a new template field 'buf' to be used to store/read
> the buffer data.
> - Added two new fields to ima_event_data to hold the buf and
> buf_len [Suggested by Roberto]
> - Updated process_buffer_measurement to add the buffer to
> ima_event_data

This patch description can be written more concisely.

Patch 1/3 in this series introduces measuring the kexec boot command
line. This patch defines a new template field for storing the kexec
boot command line in the measurement list in order for a remote
attestation server to verify.
As mentioned, the first patch description should include a shell
command for verifying the digest in the kexec boot command line
measurement list record against /proc/cmdline. This patch description
should include a shell command showing how to verify the digest based
on the new field. Should the new field in the ascii measurement list
be displayed as a string, not hex?

Mimi
* Re:
From: Roberto Sassu @ 2019-05-24 15:42 UTC
To: Mimi Zohar, Prakhar Srivastava, linux-integrity, linux-security-module, linux-kernel
Cc: mjg59, vgoyal

On 5/24/2019 5:12 PM, Mimi Zohar wrote:
> On Mon, 2019-05-20 at 17:06 -0700, Prakhar Srivastava wrote:
>> A buffer(cmdline args) measured into ima cannot be appraised
>> without already being aware of the buffer contents. Since we
>> don't know what cmdline args will be passed (or need to validate
>> what was passed) it is not possible to appraise it.
>>
>> Since hashes are non reversible the raw buffer is needed to
>> recompute the hash.
>> To regenerate the hash of the buffer and appraise the same
>> the contents of the buffer need to be available.
>>
>> A new template field buf is added to the existing ima template
>> fields, which can be used to store/read the buffer itself.
>> Two new fields are added to the ima_event_data to carry the
>> buf and buf_len whenever necessary.
>>
>> Updated the process_buffer_measurement call to add the buf
>> to the ima_event_data.
>> process_buffer_measurement added in "Add a new ima hook
>> ima_kexec_cmdline to measure cmdline args"
>>
>> - Add a new template field 'buf' to be used to store/read
>> the buffer data.
>> - Added two new fields to ima_event_data to hold the buf and
>> buf_len [Suggested by Roberto]
>> - Updated process_buffer_measurement to add the buffer to
>> ima_event_data
>
> This patch description can be written more concisely.
>
> Patch 1/3 in this series introduces measuring the kexec boot command
> line. This patch defines a new template field for storing the kexec
> boot command line in the measurement list in order for a remote
> attestation server to verify.
>
> As mentioned, the first patch description should include a shell
> command for verifying the digest in the kexec boot command line
> measurement list record against /proc/cmdline. This patch description
> should include a shell command showing how to verify the digest based
> on the new field. Should the new field in the ascii measurement list
> be displayed as a string, not hex?

We should define a new type. If the type is DATA_FMT_STRING, spaces are
replaced with '_'.

Roberto
* Re:
From: Roberto Sassu @ 2019-05-24 15:47 UTC
To: Mimi Zohar, Prakhar Srivastava, linux-integrity, linux-security-module, linux-kernel
Cc: mjg59, vgoyal

On 5/24/2019 5:42 PM, Roberto Sassu wrote:
> On 5/24/2019 5:12 PM, Mimi Zohar wrote:
>> On Mon, 2019-05-20 at 17:06 -0700, Prakhar Srivastava wrote:
>>> A buffer(cmdline args) measured into ima cannot be appraised
>>> without already being aware of the buffer contents. Since we
>>> don't know what cmdline args will be passed (or need to validate
>>> what was passed) it is not possible to appraise it.
>>>
>>> Since hashes are non reversible the raw buffer is needed to
>>> recompute the hash.
>>> To regenerate the hash of the buffer and appraise the same
>>> the contents of the buffer need to be available.
>>>
>>> A new template field buf is added to the existing ima template
>>> fields, which can be used to store/read the buffer itself.
>>> Two new fields are added to the ima_event_data to carry the
>>> buf and buf_len whenever necessary.
>>>
>>> Updated the process_buffer_measurement call to add the buf
>>> to the ima_event_data.
>>> process_buffer_measurement added in "Add a new ima hook
>>> ima_kexec_cmdline to measure cmdline args"
>>>
>>> - Add a new template field 'buf' to be used to store/read
>>> the buffer data.
>>> - Added two new fields to ima_event_data to hold the buf and
>>> buf_len [Suggested by Roberto]
>>> - Updated process_buffer_measurement to add the buffer to
>>> ima_event_data
>>
>> This patch description can be written more concisely.
>>
>> Patch 1/3 in this series introduces measuring the kexec boot command
>> line. This patch defines a new template field for storing the kexec
>> boot command line in the measurement list in order for a remote
>> attestation server to verify.
>>
>> As mentioned, the first patch description should include a shell
>> command for verifying the digest in the kexec boot command line
>> measurement list record against /proc/cmdline. This patch description
>> should include a shell command showing how to verify the digest based
>> on the new field. Should the new field in the ascii measurement list
>> be displayed as a string, not hex?
>
> We should define a new type. If the type is DATA_FMT_STRING, spaces are
> replaced with '_'.

Or better. Leave it as hex, otherwise there would be a parsing problem
if there are spaces in the data for a field.

Roberto
* Re: Re:
From: Mimi Zohar @ 2019-05-24 18:09 UTC
To: Roberto Sassu, Prakhar Srivastava, linux-integrity, linux-security-module, linux-kernel
Cc: mjg59, vgoyal

> >> As mentioned, the first patch description should include a shell
> >> command for verifying the digest in the kexec boot command line
> >> measurement list record against /proc/cmdline. This patch description
> >> should include a shell command showing how to verify the digest based
> >> on the new field. Should the new field in the ascii measurement list
> >> be displayed as a string, not hex?
> >
> > We should define a new type. If the type is DATA_FMT_STRING, spaces are
> > replaced with '_'.
>
> Or better. Leave it as hex, otherwise there would be a parsing problem
> if there are spaces in the data for a field.

After making a few changes, the measurement list contains the
following kexec-cmdline data:

10 edc32d1e3a5ba7272280a395b6fb56a5ef7c78c3 ima-buf
sha256:4f43b7db850e
88c49dfeffd4b1eb4f021d78033dfb05b07e45eec8d0b45275
kexec-cmdline
726f6f
743d2f6465762f7364613420726f2072642e6c756b732e757569643d6c756b73
2d6637
3633643737632d653236622d343431642d613734652d62363633636334643832
656120
696d615f706f6c6963793d7463627c61707072616973655f746362

There's probably a better shell command, but the following works to
verify the digest locally against the /proc/cmdline:

$ echo -n -e `cat /proc/cmdline | sed 's/^.*root=/root=/'` | sha256sum
4f43b7db850e88c49dfeffd4b1eb4f021d78033dfb05b07e45eec8d0b4527f65 -

If we leave the "buf" field as ascii-hex, what would the shell command
look like when verifying the digest based on the "buf" field?

Mimi
* Re: Re:
From: prakhar srivastava @ 2019-05-24 19:00 UTC
To: Mimi Zohar
Cc: Roberto Sassu, linux-integrity, linux-security-module, linux-kernel, Matthew Garrett, vgoyal

On Fri, May 24, 2019 at 11:09 AM Mimi Zohar <zohar@linux.ibm.com> wrote:
>
> > >> As mentioned, the first patch description should include a shell
> > >> command for verifying the digest in the kexec boot command line
> > >> measurement list record against /proc/cmdline. This patch description
> > >> should include a shell command showing how to verify the digest based
> > >> on the new field. Should the new field in the ascii measurement list
> > >> be displayed as a string, not hex?
> > >
> > > We should define a new type. If the type is DATA_FMT_STRING, spaces are
> > > replaced with '_'.
> >
> > Or better. Leave it as hex, otherwise there would be a parsing problem
> > if there are spaces in the data for a field.
>
> After making a few changes, the measurement list contains the
> following kexec-cmdline data:
>
> 10 edc32d1e3a5ba7272280a395b6fb56a5ef7c78c3 ima-buf
> sha256:4f43b7db850e
> 88c49dfeffd4b1eb4f021d78033dfb05b07e45eec8d0b45275
> kexec-cmdline
> 726f6f
> 743d2f6465762f7364613420726f2072642e6c756b732e757569643d6c756b73
> 2d6637
> 3633643737632d653236622d343431642d613734652d62363633636334643832
> 656120
> 696d615f706f6c6963793d7463627c61707072616973655f746362
>
> There's probably a better shell command, but the following works to
> verify the digest locally against the /proc/cmdline:
>
> $ echo -n -e `cat /proc/cmdline | sed 's/^.*root=/root=/'` | sha256sum
> 4f43b7db850e88c49dfeffd4b1eb4f021d78033dfb05b07e45eec8d0b4527f65 -
>
> If we leave the "buf" field as ascii-hex, what would the shell command
> look like when verifying the digest based on the "buf" field?
>
> Mimi
>
To quickly test the sha256 I used my /proc/cmdline
ro quiet splash vt.handoff=1 ima_policy=tcb ima_appraise=fix
ima_template_fmt=n-ng|d-ng|sig|buf ima_hash=sha256

export $VAL=
726f2071756965742073706c6173682076742e68616e646f66663d3120
696d615f706f6c6963793d74636220696d615f61707072616973653d666
97820696d615f74656d706c6174655f666d743d6e2d6e677c642d6e677c
7369677c62756620696d615f686173683d736861323536

echo -n -e $VAL | xxd -r -p | sha256sum
0d0b891bb730120d9593799cba1a7b3febf68f2bb81fb1304b0c963f95f6bc58 -

I will run it through the code as well, but the shell command should work.

Thanks,
Prakhar Srivastava
* Re: Re:
From: Mimi Zohar @ 2019-05-24 19:15 UTC
To: prakhar srivastava
Cc: Roberto Sassu, linux-integrity, linux-security-module, linux-kernel, Matthew Garrett, vgoyal

On Fri, 2019-05-24 at 12:00 -0700, prakhar srivastava wrote:
> On Fri, May 24, 2019 at 11:09 AM Mimi Zohar <zohar@linux.ibm.com> wrote:
> >
> > > >> As mentioned, the first patch description should include a shell
> > > >> command for verifying the digest in the kexec boot command line
> > > >> measurement list record against /proc/cmdline. This patch description
> > > >> should include a shell command showing how to verify the digest based
> > > >> on the new field. Should the new field in the ascii measurement list
> > > >> be displayed as a string, not hex?
> > > >
> > > > We should define a new type. If the type is DATA_FMT_STRING, spaces are
> > > > replaced with '_'.
> > >
> > > Or better. Leave it as hex, otherwise there would be a parsing problem
> > > if there are spaces in the data for a field.
> >
> > After making a few changes, the measurement list contains the
> > following kexec-cmdline data:
> >
> > 10 edc32d1e3a5ba7272280a395b6fb56a5ef7c78c3 ima-buf
> > sha256:4f43b7db850e
> > 88c49dfeffd4b1eb4f021d78033dfb05b07e45eec8d0b45275
> > kexec-cmdline
> > 726f6f
> > 743d2f6465762f7364613420726f2072642e6c756b732e757569643d6c756b73
> > 2d6637
> > 3633643737632d653236622d343431642d613734652d62363633636334643832
> > 656120
> > 696d615f706f6c6963793d7463627c61707072616973655f746362
> >
> > There's probably a better shell command, but the following works to
> > verify the digest locally against the /proc/cmdline:
> >
> > $ echo -n -e `cat /proc/cmdline | sed 's/^.*root=/root=/'` | sha256sum
> > 4f43b7db850e88c49dfeffd4b1eb4f021d78033dfb05b07e45eec8d0b4527f65 -
> >
> > If we leave the "buf" field as ascii-hex, what would the shell command
> > look like when verifying the digest based on the "buf" field?
> >
> > Mimi
> >
> To quickly test the sha256 I used my /proc/cmdline
> ro quiet splash vt.handoff=1 ima_policy=tcb ima_appraise=fix
> ima_template_fmt=n-ng|d-ng|sig|buf ima_hash=sha256
>
> export $VAL=
> 726f2071756965742073706c6173682076742e68616e646f66663d3120
> 696d615f706f6c6963793d74636220696d615f61707072616973653d666
> 97820696d615f74656d706c6174655f666d743d6e2d6e677c642d6e677c
> 7369677c62756620696d615f686173683d736861323536
>
> echo -n -e $VAL | xxd -r -p | sha256sum
> 0d0b891bb730120d9593799cba1a7b3febf68f2bb81fb1304b0c963f95f6bc58 -
>
> I will run it through the code as well, but the shell command should work.

Yes, that works.

sudo cat /sys/kernel/security/integrity/ima/ascii_runtime_measurements | grep kexec-cmdline | cut -d' ' -f 6 | xxd -r -p | sha256sum

Mimi
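The check the thread converges on (hex-decode the sixth column, hash it, compare with the d-ng digest), as an added Python example that is not code from the patch series or from the kernel. The six-column ascii record layout follows the sample above; the d-ng/n-ng field encoding and the template-hash computation that ties the record to the PCR are this example's assumptions about ima-ng style templates, and the command line is constructed.

```python
import hashlib

TEMPLATE_NAME = "ima-buf"      # the template in the thread's sample: d-ng|n-ng|buf
EVENT_NAME = "kexec-cmdline"   # n-ng value written by the new ima_kexec_cmdline hook


def template_hash(fields):
    """Template hash over the template data (this example's assumption about
    ima-ng style templates, not shown on the page): for each field, its
    length as a 4-byte little-endian u32 followed by the field bytes,
    all fed to sha1."""
    h = hashlib.sha1()
    for f in fields:
        h.update(len(f).to_bytes(4, "little"))
        h.update(f)
    return h.hexdigest()


def template_fields(algo, digest, name, buf):
    """Field data as stored in the binary list (assumption): d-ng is
    "<algo>:" + NUL + raw digest, n-ng is the NUL-terminated name, buf is
    the raw buffer with no terminator and no escaping."""
    return [algo.encode() + b":\0" + digest, name.encode() + b"\0", buf]


def make_record(cmdline, pcr=10, algo="sha256"):
    """Constructed ascii_runtime_measurements line for a kexec-cmdline event:
    <pcr> <template-hash> <template> <algo>:<digest-hex> <name> <buf-hex>.
    Showing buf as hex (DATA_FMT_HEX in the patch) keeps the record at six
    whitespace-separated columns however many spaces the cmdline contains."""
    buf = cmdline.encode()
    digest = hashlib.new(algo, buf).digest()
    fields = template_fields(algo, digest, EVENT_NAME, buf)
    return " ".join([str(pcr), template_hash(fields), TEMPLATE_NAME,
                     f"{algo}:{digest.hex()}", EVENT_NAME, buf.hex()])


def verify_record(line):
    """Check one kexec-cmdline record: hex-decode the buf column (the
    `xxd -r -p` step), recompute the d-ng digest over it, and recompute the
    template hash from the recorded columns.
    Returns (digest_matches, template_hash_matches, decoded_cmdline)."""
    cols = line.split()
    if len(cols) != 6 or cols[2] != TEMPLATE_NAME or cols[4] != EVENT_NAME:
        raise ValueError("not an ima-buf kexec-cmdline record: " + line)
    _pcr, recorded_tmpl, _tmpl, dng, name, buf_hex = cols
    algo, _, digest_hex = dng.partition(":")
    buf = bytes.fromhex(buf_hex)
    digest_ok = hashlib.new(algo, buf).hexdigest() == digest_hex
    fields = template_fields(algo, bytes.fromhex(digest_hex), name, buf)
    tmpl_ok = template_hash(fields) == recorded_tmpl
    return digest_ok, tmpl_ok, buf.decode(errors="replace")


if __name__ == "__main__":
    # Constructed command line; the spaces and '|' are exactly what made a
    # plain string column unsafe to tokenize in the discussion above.
    line = make_record("root=/dev/sda4 ro ima_policy=tcb|appraise_tcb")
    print(line)
    print(verify_record(line))
```

Lines from /sys/kernel/security/integrity/ima/ascii_runtime_measurements that contain kexec-cmdline can be passed to verify_record() one at a time.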
* [PATCH v6 3/3] call ima_kexec_cmdline to measure the cmdline args 2019-05-21 0:06 [PATCH v6 0/3] add new ima hook ima_kexec_cmdline to measure kexec boot cmdline args Prakhar Srivastava 2019-05-21 0:06 ` [PATCH v6 1/3] Add a new ima hook ima_kexec_cmdline to measure " Prakhar Srivastava 2019-05-21 0:06 ` [PATCH v6 2/3] add a new ima template field buf Prakhar Srivastava @ 2019-05-21 0:06 ` Prakhar Srivastava 2 siblings, 0 replies; 12+ messages in thread From: Prakhar Srivastava @ 2019-05-21 0:06 UTC (permalink / raw) To: linux-integrity, linux-security-module, linux-kernel Cc: mjg59, zohar, roberto.sassu, vgoyal, Prakhar Srivastava During soft reboot(kexec_file_load) boot cmdline args are not measured.Thus the new kernel on load boots with an assumption of cold reboot. This patch makes a call to the ima hook ima_kexec_cmdline, added in "Add a new ima hook ima_kexec_cmdline to measure cmdline args" to measure the boot cmdline args into the ima log. - call ima_kexec_cmdline from kexec_file_load. - move the call ima_add_kexec_buffer after the cmdline args have been measured. Signed-off-by: Prakhar Srivastava <prsriva02@gmail.com> --- kernel/kexec_file.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c index f1d0e00a3971..fcc04a230925 100644 --- a/kernel/kexec_file.c +++ b/kernel/kexec_file.c @@ -198,9 +198,6 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd, return ret; image->kernel_buf_len = size; - /* IMA needs to pass the measurement list to the next kernel. */ - ima_add_kexec_buffer(image); - /* Call arch image probe handlers */ ret = arch_kexec_kernel_image_probe(image, image->kernel_buf, image->kernel_buf_len); 
@@ -241,8 +238,13 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd, ret = -EINVAL; goto out; } + + ima_kexec_cmdline(image->cmdline_buf, image->cmdline_buf_len - 1); } + /* IMA needs to pass the measurement list to the next kernel. */ + ima_add_kexec_buffer(image); + /* Call arch image load handlers */ ldata = arch_kexec_kernel_image_load(image); -- 2.17.1 ^ permalink raw reply related [flat|nested] 12+ messages in thread
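Review bot: in the second hunk, `ima_kexec_cmdline(image->cmdline_buf, image->cmdline_buf_len - 1)` presumably drops the terminating NUL that the validation just above (whose `ret = -EINVAL; goto out;` failure path is this hunk's leading context) requires; state that in a comment, since the `- 1` is what makes the recorded digest match a hash taken over the bare command line text. The call also sits inside the block that is only entered when a command line was supplied, so a kexec_file_load with no command line produces no kexec-cmdline record at all; the commit message should say so, because a verifier has to treat "no record" differently from "measured empty string".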
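Review bot: the first hunk removes `ima_add_kexec_buffer(image)` from after `image->kernel_buf_len = size;` and the second re-adds it after the command line block, but the comment travels unchanged ("IMA needs to pass the measurement list to the next kernel"), so the ordering constraint that motivated the move is invisible to the next person editing this function. Extend the comment to say the call must stay after the last measurement made here (ima_kexec_cmdline) so the list carried to the next kernel already contains the kexec-cmdline record, and keep that rationale in the commit message as well.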