Commit 1ea973df authored by Roberto Sassu's avatar Roberto Sassu Committed by Mimi Zohar

ima: Calculate and extend PCR with digests in ima_template_entry

This patch modifies ima_calc_field_array_hash() to calculate a template
digest for each allocated PCR bank and SHA1. It also passes the tpm_digest
array of the template entry to ima_pcr_extend() or in case of a violation,
the pre-initialized digests array filled with 0xff.

Padding with zeros is still done if the mapping between TPM algorithm ID
and crypto ID is unknown.

This patch calculates again the template digest when a measurement list is
restored. Copying only the SHA1 digest (due to the limitation of the
current measurement list format) is not sufficient, as hash collision
detection will be done on the digest calculated with the IMA default hash
algorithm.
Signed-off-by: default avatarRoberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: default avatarMimi Zohar <zohar@linux.ibm.com>
parent 6d94809a
...@@ -619,9 +619,36 @@ static int ima_calc_field_array_hash_tfm(struct ima_field_data *field_data, ...@@ -619,9 +619,36 @@ static int ima_calc_field_array_hash_tfm(struct ima_field_data *field_data,
int ima_calc_field_array_hash(struct ima_field_data *field_data, int ima_calc_field_array_hash(struct ima_field_data *field_data,
struct ima_template_entry *entry) struct ima_template_entry *entry)
{ {
int rc; u16 alg_id;
int rc, i;
rc = ima_calc_field_array_hash_tfm(field_data, entry, ima_sha1_idx); rc = ima_calc_field_array_hash_tfm(field_data, entry, ima_sha1_idx);
if (rc)
return rc;
entry->digests[ima_sha1_idx].alg_id = TPM_ALG_SHA1;
for (i = 0; i < NR_BANKS(ima_tpm_chip) + ima_extra_slots; i++) {
if (i == ima_sha1_idx)
continue;
if (i < NR_BANKS(ima_tpm_chip)) {
alg_id = ima_tpm_chip->allocated_banks[i].alg_id;
entry->digests[i].alg_id = alg_id;
}
/* for unmapped TPM algorithms digest is still a padded SHA1 */
if (!ima_algo_array[i].tfm) {
memcpy(entry->digests[i].digest,
entry->digests[ima_sha1_idx].digest,
TPM_DIGEST_SIZE);
continue;
}
rc = ima_calc_field_array_hash_tfm(field_data, entry, i);
if (rc)
return rc;
}
return rc; return rc;
} }
......
...@@ -135,18 +135,14 @@ unsigned long ima_get_binary_runtime_size(void) ...@@ -135,18 +135,14 @@ unsigned long ima_get_binary_runtime_size(void)
return binary_runtime_size + sizeof(struct ima_kexec_hdr); return binary_runtime_size + sizeof(struct ima_kexec_hdr);
}; };
static int ima_pcr_extend(const u8 *hash, int pcr) static int ima_pcr_extend(struct tpm_digest *digests_arg, int pcr)
{ {
int result = 0; int result = 0;
int i;
if (!ima_tpm_chip) if (!ima_tpm_chip)
return result; return result;
for (i = 0; i < ima_tpm_chip->nr_allocated_banks; i++) result = tpm_pcr_extend(ima_tpm_chip, pcr, digests_arg);
memcpy(digests[i].digest, hash, TPM_DIGEST_SIZE);
result = tpm_pcr_extend(ima_tpm_chip, pcr, digests);
if (result != 0) if (result != 0)
pr_err("Error Communicating to TPM chip, result: %d\n", result); pr_err("Error Communicating to TPM chip, result: %d\n", result);
return result; return result;
...@@ -164,7 +160,8 @@ int ima_add_template_entry(struct ima_template_entry *entry, int violation, ...@@ -164,7 +160,8 @@ int ima_add_template_entry(struct ima_template_entry *entry, int violation,
const char *op, struct inode *inode, const char *op, struct inode *inode,
const unsigned char *filename) const unsigned char *filename)
{ {
u8 digest[TPM_DIGEST_SIZE]; u8 *digest = entry->digests[ima_sha1_idx].digest;
struct tpm_digest *digests_arg = entry->digests;
const char *audit_cause = "hash_added"; const char *audit_cause = "hash_added";
char tpm_audit_cause[AUDIT_CAUSE_LEN_MAX]; char tpm_audit_cause[AUDIT_CAUSE_LEN_MAX];
int audit_info = 1; int audit_info = 1;
...@@ -172,8 +169,6 @@ int ima_add_template_entry(struct ima_template_entry *entry, int violation, ...@@ -172,8 +169,6 @@ int ima_add_template_entry(struct ima_template_entry *entry, int violation,
mutex_lock(&ima_extend_list_mutex); mutex_lock(&ima_extend_list_mutex);
if (!violation) { if (!violation) {
memcpy(digest, entry->digests[ima_sha1_idx].digest,
sizeof(digest));
if (ima_lookup_digest_entry(digest, entry->pcr)) { if (ima_lookup_digest_entry(digest, entry->pcr)) {
audit_cause = "hash_exists"; audit_cause = "hash_exists";
result = -EEXIST; result = -EEXIST;
...@@ -189,9 +184,9 @@ int ima_add_template_entry(struct ima_template_entry *entry, int violation, ...@@ -189,9 +184,9 @@ int ima_add_template_entry(struct ima_template_entry *entry, int violation,
} }
if (violation) /* invalidate pcr */ if (violation) /* invalidate pcr */
memset(digest, 0xff, sizeof(digest)); digests_arg = digests;
tpmresult = ima_pcr_extend(digest, entry->pcr); tpmresult = ima_pcr_extend(digests_arg, entry->pcr);
if (tpmresult != 0) { if (tpmresult != 0) {
snprintf(tpm_audit_cause, AUDIT_CAUSE_LEN_MAX, "TPM_error(%d)", snprintf(tpm_audit_cause, AUDIT_CAUSE_LEN_MAX, "TPM_error(%d)",
tpmresult); tpmresult);
...@@ -217,6 +212,8 @@ int ima_restore_measurement_entry(struct ima_template_entry *entry) ...@@ -217,6 +212,8 @@ int ima_restore_measurement_entry(struct ima_template_entry *entry)
int __init ima_init_digests(void) int __init ima_init_digests(void)
{ {
u16 digest_size;
u16 crypto_id;
int i; int i;
if (!ima_tpm_chip) if (!ima_tpm_chip)
...@@ -227,8 +224,17 @@ int __init ima_init_digests(void) ...@@ -227,8 +224,17 @@ int __init ima_init_digests(void)
if (!digests) if (!digests)
return -ENOMEM; return -ENOMEM;
for (i = 0; i < ima_tpm_chip->nr_allocated_banks; i++) for (i = 0; i < ima_tpm_chip->nr_allocated_banks; i++) {
digests[i].alg_id = ima_tpm_chip->allocated_banks[i].alg_id; digests[i].alg_id = ima_tpm_chip->allocated_banks[i].alg_id;
digest_size = ima_tpm_chip->allocated_banks[i].digest_size;
crypto_id = ima_tpm_chip->allocated_banks[i].crypto_id;
/* for unmapped TPM algorithms digest is still a padded SHA1 */
if (crypto_id == HASH_ALGO__LAST)
digest_size = SHA1_DIGEST_SIZE;
memset(digests[i].digest, 0xff, digest_size);
}
return 0; return 0;
} }
...@@ -357,6 +357,7 @@ static int ima_restore_template_data(struct ima_template_desc *template_desc, ...@@ -357,6 +357,7 @@ static int ima_restore_template_data(struct ima_template_desc *template_desc,
int ima_restore_measurement_list(loff_t size, void *buf) int ima_restore_measurement_list(loff_t size, void *buf)
{ {
char template_name[MAX_TEMPLATE_NAME_LEN]; char template_name[MAX_TEMPLATE_NAME_LEN];
unsigned char zero[TPM_DIGEST_SIZE] = { 0 };
struct ima_kexec_hdr *khdr = buf; struct ima_kexec_hdr *khdr = buf;
struct ima_field_data hdr[HDR__LAST] = { struct ima_field_data hdr[HDR__LAST] = {
...@@ -456,8 +457,17 @@ int ima_restore_measurement_list(loff_t size, void *buf) ...@@ -456,8 +457,17 @@ int ima_restore_measurement_list(loff_t size, void *buf)
if (ret < 0) if (ret < 0)
break; break;
memcpy(entry->digests[ima_sha1_idx].digest, if (memcmp(hdr[HDR_DIGEST].data, zero, sizeof(zero))) {
hdr[HDR_DIGEST].data, hdr[HDR_DIGEST].len); ret = ima_calc_field_array_hash(
&entry->template_data[0],
entry);
if (ret < 0) {
pr_err("cannot calculate template digest\n");
ret = -EINVAL;
break;
}
}
entry->pcr = !ima_canonical_fmt ? *(hdr[HDR_PCR].data) : entry->pcr = !ima_canonical_fmt ? *(hdr[HDR_PCR].data) :
le32_to_cpu(*(hdr[HDR_PCR].data)); le32_to_cpu(*(hdr[HDR_PCR].data));
ret = ima_restore_measurement_entry(entry); ret = ima_restore_measurement_entry(entry);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment