Commit 291af651 authored by Tushar Sugandhi's avatar Tushar Sugandhi Committed by Mimi Zohar

IMA: add support to measure buffer data hash

The original IMA buffer data measurement sizes were small (e.g.  boot
command line), but the new buffer data measurement use cases have data
sizes that are a lot larger.  Just as IMA measures the file data hash,
not the file data, IMA should similarly support the option for measuring
buffer data hash.

Introduce a boolean parameter to support measuring buffer data hash,
which would be much smaller, instead of the buffer itself.
Signed-off-by: default avatarTushar Sugandhi <tusharsu@linux.microsoft.com>
Reviewed-by: default avatarTyler Hicks <tyhicks@linux.microsoft.com>
Signed-off-by: default avatarMimi Zohar <zohar@linux.ibm.com>
parent 2b4a2474
...@@ -268,7 +268,8 @@ void ima_store_measurement(struct integrity_iint_cache *iint, struct file *file, ...@@ -268,7 +268,8 @@ void ima_store_measurement(struct integrity_iint_cache *iint, struct file *file,
struct ima_template_desc *template_desc); struct ima_template_desc *template_desc);
void process_buffer_measurement(struct inode *inode, const void *buf, int size, void process_buffer_measurement(struct inode *inode, const void *buf, int size,
const char *eventname, enum ima_hooks func, const char *eventname, enum ima_hooks func,
int pcr, const char *func_data); int pcr, const char *func_data,
bool buf_hash);
void ima_audit_measurement(struct integrity_iint_cache *iint, void ima_audit_measurement(struct integrity_iint_cache *iint,
const unsigned char *filename); const unsigned char *filename);
int ima_alloc_init_template(struct ima_event_data *event_data, int ima_alloc_init_template(struct ima_event_data *event_data,
......
...@@ -352,7 +352,7 @@ int ima_check_blacklist(struct integrity_iint_cache *iint, ...@@ -352,7 +352,7 @@ int ima_check_blacklist(struct integrity_iint_cache *iint,
if ((rc == -EPERM) && (iint->flags & IMA_MEASURE)) if ((rc == -EPERM) && (iint->flags & IMA_MEASURE))
process_buffer_measurement(NULL, digest, digestsize, process_buffer_measurement(NULL, digest, digestsize,
"blacklisted-hash", NONE, "blacklisted-hash", NONE,
pcr, NULL); pcr, NULL, false);
} }
return rc; return rc;
......
...@@ -60,5 +60,5 @@ void ima_post_key_create_or_update(struct key *keyring, struct key *key, ...@@ -60,5 +60,5 @@ void ima_post_key_create_or_update(struct key *keyring, struct key *key,
*/ */
process_buffer_measurement(NULL, payload, payload_len, process_buffer_measurement(NULL, payload, payload_len,
keyring->description, KEY_CHECK, 0, keyring->description, KEY_CHECK, 0,
keyring->description); keyring->description, false);
} }
...@@ -809,7 +809,7 @@ int ima_post_load_data(char *buf, loff_t size, ...@@ -809,7 +809,7 @@ int ima_post_load_data(char *buf, loff_t size,
} }
/* /*
* process_buffer_measurement - Measure the buffer to ima log. * process_buffer_measurement - Measure the buffer or the buffer data hash
* @inode: inode associated with the object being measured (NULL for KEY_CHECK) * @inode: inode associated with the object being measured (NULL for KEY_CHECK)
* @buf: pointer to the buffer that needs to be added to the log. * @buf: pointer to the buffer that needs to be added to the log.
* @size: size of buffer(in bytes). * @size: size of buffer(in bytes).
...@@ -817,12 +817,14 @@ int ima_post_load_data(char *buf, loff_t size, ...@@ -817,12 +817,14 @@ int ima_post_load_data(char *buf, loff_t size,
* @func: IMA hook * @func: IMA hook
* @pcr: pcr to extend the measurement * @pcr: pcr to extend the measurement
* @func_data: func specific data, may be NULL * @func_data: func specific data, may be NULL
* @buf_hash: measure buffer data hash
* *
* Based on policy, the buffer is measured into the ima log. * Based on policy, either the buffer data or buffer data hash is measured
*/ */
void process_buffer_measurement(struct inode *inode, const void *buf, int size, void process_buffer_measurement(struct inode *inode, const void *buf, int size,
const char *eventname, enum ima_hooks func, const char *eventname, enum ima_hooks func,
int pcr, const char *func_data) int pcr, const char *func_data,
bool buf_hash)
{ {
int ret = 0; int ret = 0;
const char *audit_cause = "ENOMEM"; const char *audit_cause = "ENOMEM";
...@@ -837,6 +839,8 @@ void process_buffer_measurement(struct inode *inode, const void *buf, int size, ...@@ -837,6 +839,8 @@ void process_buffer_measurement(struct inode *inode, const void *buf, int size,
struct ima_digest_data hdr; struct ima_digest_data hdr;
char digest[IMA_MAX_DIGEST_SIZE]; char digest[IMA_MAX_DIGEST_SIZE];
} hash = {}; } hash = {};
char digest_hash[IMA_MAX_DIGEST_SIZE];
int digest_hash_len = hash_digest_size[ima_hash_algo];
int violation = 0; int violation = 0;
int action = 0; int action = 0;
u32 secid; u32 secid;
...@@ -879,13 +883,27 @@ void process_buffer_measurement(struct inode *inode, const void *buf, int size, ...@@ -879,13 +883,27 @@ void process_buffer_measurement(struct inode *inode, const void *buf, int size,
goto out; goto out;
} }
if (buf_hash) {
memcpy(digest_hash, hash.hdr.digest, digest_hash_len);
ret = ima_calc_buffer_hash(digest_hash, digest_hash_len,
iint.ima_hash);
if (ret < 0) {
audit_cause = "hashing_error";
goto out;
}
event_data.buf = digest_hash;
event_data.buf_len = digest_hash_len;
}
ret = ima_alloc_init_template(&event_data, &entry, template); ret = ima_alloc_init_template(&event_data, &entry, template);
if (ret < 0) { if (ret < 0) {
audit_cause = "alloc_entry"; audit_cause = "alloc_entry";
goto out; goto out;
} }
ret = ima_store_template(entry, violation, NULL, buf, pcr); ret = ima_store_template(entry, violation, NULL, event_data.buf, pcr);
if (ret < 0) { if (ret < 0) {
audit_cause = "store_entry"; audit_cause = "store_entry";
ima_free_template_entry(entry); ima_free_template_entry(entry);
...@@ -920,7 +938,8 @@ void ima_kexec_cmdline(int kernel_fd, const void *buf, int size) ...@@ -920,7 +938,8 @@ void ima_kexec_cmdline(int kernel_fd, const void *buf, int size)
return; return;
process_buffer_measurement(file_inode(f.file), buf, size, process_buffer_measurement(file_inode(f.file), buf, size,
"kexec-cmdline", KEXEC_CMDLINE, 0, NULL); "kexec-cmdline", KEXEC_CMDLINE, 0, NULL,
false);
fdput(f); fdput(f);
} }
......
...@@ -162,7 +162,8 @@ void ima_process_queued_keys(void) ...@@ -162,7 +162,8 @@ void ima_process_queued_keys(void)
entry->payload_len, entry->payload_len,
entry->keyring_name, entry->keyring_name,
KEY_CHECK, 0, KEY_CHECK, 0,
entry->keyring_name); entry->keyring_name,
false);
list_del(&entry->list); list_del(&entry->list);
ima_free_key_entry(entry); ima_free_key_entry(entry);
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment