1. 18 Jul, 2011 6 commits
    • Mimi Zohar's avatar
      security: imbed evm calls in security hooks · 3e1be52d
      Mimi Zohar authored
      Imbed the evm calls evm_inode_setxattr(), evm_inode_post_setxattr(),
      evm_inode_removexattr() in the security hooks.  evm_inode_setxattr()
      protects security.evm xattr.  evm_inode_post_setxattr() and
      evm_inode_removexattr() updates the hmac associated with an inode.
      
      (Assumes an LSM module protects the setting/removing of xattr.)
      
      Changelog:
        - Don't define evm_verifyxattr(), unless CONFIG_INTEGRITY is enabled.
        - xattr_name is a 'const', value is 'void *'
      Signed-off-by: default avatarMimi Zohar <zohar@us.ibm.com>
      Acked-by: default avatarSerge Hallyn <serge.hallyn@ubuntu.com>
      3e1be52d
    • Dmitry Kasatkin's avatar
      evm: add support for different security.evm data types · 6be5cc52
      Dmitry Kasatkin authored
      EVM protects a file's security extended attributes(xattrs) against integrity
      attacks. The current patchset maintains an HMAC-sha1 value across the security
      xattrs, storing the value as the extended attribute 'security.evm'. We
      anticipate other methods for protecting the security extended attributes.
      This patch reserves the first byte of 'security.evm' as a place holder for
      the type of method.
      
      Changelog v6:
      - move evm_ima_xattr_type definition to security/integrity/integrity.h
      - defined a structure for the EVM xattr called evm_ima_xattr_data
        (based on Serge Hallyn's suggestion)
      - removed unnecessary memset
      Signed-off-by: default avatarDmitry Kasatkin <dmitry.kasatkin@nokia.com>
      Signed-off-by: default avatarMimi Zohar <zohar@us.ibm.com>
      Acked-by: default avatarSerge Hallyn <serge.hallyn@canonical.com>
      6be5cc52
    • Mimi Zohar's avatar
      evm: re-release · 66dbc325
      Mimi Zohar authored
      EVM protects a file's security extended attributes(xattrs) against integrity
      attacks.  This patchset provides the framework and an initial method.  The
      initial method maintains an HMAC-sha1 value across the security extended
      attributes, storing the HMAC value as the extended attribute 'security.evm'.
      Other methods of validating the integrity of a file's metadata will be posted
      separately (eg. EVM-digital-signatures).
      
      While this patchset does authenticate the security xattrs, and
      cryptographically binds them to the inode, coming extensions will bind other
      directory and inode metadata for more complete protection.  To help simplify
      the review and upstreaming process, each extension will be posted separately
      (eg. IMA-appraisal, IMA-appraisal-directory).  For a general overview of the
      proposed Linux integrity subsystem, refer to Dave Safford's whitepaper:
      http://downloads.sf.net/project/linux-ima/linux-ima/Integrity_overview.pdf.
      
      EVM depends on the Kernel Key Retention System to provide it with a
      trusted/encrypted key for the HMAC-sha1 operation. The key is loaded onto the
      root's keyring using keyctl.  Until EVM receives notification that the key has
      been successfully loaded onto the keyring (echo 1 > <securityfs>/evm), EVM can
      not create or validate the 'security.evm' xattr, but returns INTEGRITY_UNKNOWN.
      Loading the key and signaling EVM should be done as early as possible. Normally
      this is done in the initramfs, which has already been measured as part of the
      trusted boot.  For more information on creating and loading existing
      trusted/encrypted keys, refer to Documentation/keys-trusted-encrypted.txt.  A
      sample dracut patch, which loads the trusted/encrypted key and enables EVM, is
      available from http://linux-ima.sourceforge.net/#EVM.
      
      Based on the LSMs enabled, the set of EVM protected security xattrs is defined
      at compile.  EVM adds the following three calls to the existing security hooks:
      evm_inode_setxattr(), evm_inode_post_setxattr(), and evm_inode_removexattr.  To
      initialize and update the 'security.evm' extended attribute, EVM defines three
      calls: evm_inode_post_init(), evm_inode_post_setattr() and
      evm_inode_post_removexattr() hooks.  To verify the integrity of a security
      xattr, EVM exports evm_verifyxattr().
      
      Changelog v7:
      - Fixed URL in EVM ABI documentation
      
      Changelog v6: (based on Serge Hallyn's review)
      - fix URL in patch description
      - remove evm_hmac_size definition
      - use SHA1_DIGEST_SIZE (removed both MAX_DIGEST_SIZE and evm_hmac_size)
      - moved linux include before other includes
      - test for crypto_hash_setkey failure
      - fail earlier for invalid key
      - clear entire encrypted key, even on failure
      - check xattr name length before comparing xattr names
      
      Changelog:
      - locking based on i_mutex, remove evm_mutex
      - using trusted/encrypted keys for storing the EVM key used in the HMAC-sha1
        operation.
      - replaced crypto hash with shash (Dmitry Kasatkin)
      - support for additional methods of verifying the security xattrs
        (Dmitry Kasatkin)
      - iint not allocated for all regular files, but only for those appraised
      - Use cap_sys_admin in lieu of cap_mac_admin
      - Use __vfs_setxattr_noperm(), without permission checks, from EVM
      Signed-off-by: default avatarMimi Zohar <zohar@us.ibm.com>
      Acked-by: default avatarSerge Hallyn <serge.hallyn@canonical.com>
      66dbc325
    • Mimi Zohar's avatar
      xattr: define vfs_getxattr_alloc and vfs_xattr_cmp · 1601fbad
      Mimi Zohar authored
      vfs_getxattr_alloc() and vfs_xattr_cmp() are two new kernel xattr helper
      functions.  vfs_getxattr_alloc() first allocates memory for the requested
      xattr and then retrieves it. vfs_xattr_cmp() compares a given value with
      the contents of an extended attribute.
      Signed-off-by: default avatarMimi Zohar <zohar@us.ibm.com>
      Acked-by: default avatarSerge Hallyn <serge.hallyn@ubuntu.com>
      1601fbad
    • Mimi Zohar's avatar
      integrity: move ima inode integrity data management · f381c272
      Mimi Zohar authored
      Move the inode integrity data(iint) management up to the integrity directory
      in order to share the iint among the different integrity models.
      
      Changelog:
      - don't define MAX_DIGEST_SIZE
      - rename several globally visible 'ima_' prefixed functions, structs,
        locks, etc to 'integrity_'
      - replace '20' with SHA1_DIGEST_SIZE
      - reflect location change in appropriate Kconfig and Makefiles
      - remove unnecessary initialization of iint_initialized to 0
      - rebased on current ima_iint.c
      - define integrity_iint_store/lock as static
      
      There should be no other functional changes.
      Signed-off-by: default avatarMimi Zohar <zohar@us.ibm.com>
      Acked-by: default avatarSerge Hallyn <serge.hallyn@ubuntu.com>
      f381c272
    • Mimi Zohar's avatar
      security: new security_inode_init_security API adds function callback · 9d8f13ba
      Mimi Zohar authored
      This patch changes the security_inode_init_security API by adding a
      filesystem specific callback to write security extended attributes.
      This change is in preparation for supporting the initialization of
      multiple LSM xattrs and the EVM xattr.  Initially the callback function
      walks an array of xattrs, writing each xattr separately, but could be
      optimized to write multiple xattrs at once.
      
      For existing security_inode_init_security() calls, which have not yet
      been converted to use the new callback function, such as those in
      reiserfs and ocfs2, this patch defines security_old_inode_init_security().
      Signed-off-by: default avatarMimi Zohar <zohar@us.ibm.com>
      9d8f13ba
  2. 14 Jul, 2011 1 commit
  3. 12 Jul, 2011 12 commits
    • Stefan Berger's avatar
      tpm: Fix a typo · c9206693
      Stefan Berger authored
      This patch fixes a typo.
      Signed-off-by: default avatarStefan Berger <stefanb@linux.vnet.ibm.com>
      Signed-off-by: default avatarRajiv Andrade <srajiv@linux.vnet.ibm.com>
      c9206693
    • Stefan Berger's avatar
      tpm_tis: Probing function for Intel iTPM bug · 9519de3f
      Stefan Berger authored
      This patch introduces a function for automatic probing for the Intel iTPM
      STS_DATA_EXPECT flaw.
      
      The patch splits the current tpm_tis_send function into 2 parts where the 1st
      part is now called tpm_tis_send_data() and merely sends the data to the TPM.
      This function is then used for probing. The new tpm_tis_send function now
      first calls tpm_tis_send_data and if that succeeds has the TPM process the
      command and waits until the response is there.
      
      The probing for the Intel iTPM is only invoked if the user has not passed
      itpm=1 as parameter for the module *or* if such a TPM was detected via ACPI.
      Previously it was necessary to pass itpm=1 when also passing force=1 to the
      module when doing a 'modprobe'. This function is more general than the ACPI
      test function and the function relying on ACPI could probably be removed.
      Signed-off-by: default avatarStefan Berger <stefanb@linux.vnet.ibm.com>
      Signed-off-by: default avatarRajiv Andrade <srajiv@linux.vnet.ibm.com>
      9519de3f
    • Stefan Berger's avatar
      tpm_tis: Fix the probing for interrupts · a7b66822
      Stefan Berger authored
      This patch fixes several aspects of the probing for interrupts.
      
      This patch reads the TPM's timeouts before probing for the interrupts. The
      tpm_get_timeouts() function is invoked in polling mode and gets the proper
      timeouts from the TPM so that we don't need to fall back to 2 minutes timeouts
      for short duration commands while the interrupt probing is happening.
      
      This patch introduces a variable probed_irq into the vendor structure that gets
      the irq number if an interrupt is received while the the tpm_gen_interrupt()
      function is run in polling mode during interrupt probing. Previously some
      parts of tpm_gen_interrupt() were run in polling mode, then the irq variable
      was set in the interrupt handler when an interrupt was received and execution
      of tpm_gen_interrupt() ended up switching over to interrupt mode.
      tpm_gen_interrupt() execution ended up on an event queue where it eventually
      timed out since the probing handler doesn't wake any queues.
      
      Before calling into free_irq() clear all interrupt flags that may have
      been set by the TPM. The reason is that free_irq() will call into the probing
      interrupt handler and may otherwise fool us into thinking that a real interrupt
      happened (because we see the flags as being set) while the TPM's interrupt line
      is not even connected to anything on the motherboard. This solves a problem
      on one machine I did testing on (Thinkpad T60).
      
      If a TPM claims to use a specifc interrupt, the probing is done as well
      to verify that the interrupt is actually working. If a TPM indicates
      that it does not use a specific interrupt (returns '0'), probe all interrupts
      from 3 to 15.
      Signed-off-by: default avatarStefan Berger <stefanb@linux.vnet.ibm.com>
      Signed-off-by: default avatarRajiv Andrade <srajiv@linux.vnet.ibm.com>
      a7b66822
    • Stefan Berger's avatar
      tpm_tis: Delay ACPI S3 suspend while the TPM is busy · 20b87bbf
      Stefan Berger authored
      This patch delays the (ACPI S3) suspend while the TPM is busy processing a
      command and the TPM TIS driver is run in interrupt mode. This is the same
      behavior as we already have it for the TPM TIS driver in polling mode.
      
      Reasoning: Some of the TPM's commands advance the internal state of the TPM.
      An example would be the extending of one of its PCR registers. Upper layers,
      such as IMA or TSS (TrouSerS), would certainly want to be sure that the
      command succeeded rather than getting an error code (-62 = -ETIME) that may
      not give a conclusive answer as for what reason the command failed. Reissuing
      such a command would put the TPM into the wrong state, so waiting for it to
      finish is really the only option.
      
      The downside is that some commands (key creation) can take a long time and
      actually prevent the machine from entering S3 at all before the 20 second
      timeout of the power management subsystem arrives.
      Signed-off-by: default avatarStefan Berger <stefanb@linux.vnet.ibm.com>
      Signed-off-by: default avatarRajiv Andrade <srajiv@linux.vnet.ibm.com>
      20b87bbf
    • Stefan Berger's avatar
      tpm_tis: Re-enable interrupts upon (S3) resume · 45baa1d1
      Stefan Berger authored
      This patch makes sure that if the TPM TIS interface is run in interrupt mode
      (rather than polling mode) that all interrupts are enabled in the TPM's
      interrupt enable register after a resume from ACPI S3 suspend. The registers
      may either have been cleared by the TPM loosing its state during device sleep
      or by the BIOS leaving the TPM in polling mode (after sending a command to
      the TPM for starting it up again)
      
      You may want to check if your TPM runs with interrupts by doing
      
      cat /proc/interrupts | grep -i tpm
      
      and see whether there is an entry or otherwise for it to use interrupts:
      
      modprobe tpm_tis interrupts=1 [add 'itpm=1' for Intel TPM ]
      
      v2:
        - the patch was adapted to work with the pnp and platform driver
          implementations in tpm_tis.c
      Signed-off-by: default avatarStefan Berger <stefanb@linux.vnet.ibm.com>
      Signed-off-by: default avatarRajiv Andrade <srajiv@linux.vnet.ibm.com>
      45baa1d1
    • Stefan Berger's avatar
      tpm: Fix display of data in pubek sysfs entry · 5a79444f
      Stefan Berger authored
      This patch fixes the TPM's pubek sysfs entry that is accessible as long
      as the TPM doesn't have an owner. It was necessary to shift the access to the
      data by -10 -- the first byte immediately follows the 10 byte header. The
      line
      
       	data = tpm_cmd.params.readpubek_out_buffer;
      
      sets it at the offset '10' in the packet, so we can read the data array
      starting at offset '0'.
      
      Before:
      
      Algorithm: 00 0C 00 00
      Encscheme: 08 00
      Sigscheme: 00 00
      Parameters: 00 00 00 00 01 00 AC E2 5E 3C A0 78
      Modulus length: -563306801
      Modulus:
      28 21 08 0F 82 CD F2 B1 E7 49 F7 74 70 BE 59 8C
      43 78 B1 24 EA 52 E2 FE 52 5C 3A 12 3B DC 61 71
      [...]
      
      After:
      
      Algorithm: 00 00 00 01
      Encscheme: 00 03
      Sigscheme: 00 01
      Parameters: 00 00 08 00 00 00 00 02 00 00 00 00
      Modulus length: 256
      Modulus:
      AC E2 5E 3C A0 78 DE 6C 9E CF 28 21 08 0F 82 CD
      F2 B1 E7 49 F7 74 70 BE 59 8C 43 78 B1 24 EA 52
      [...]
      Signed-off-by: default avatarStefan Berger <stefanb@linux.vnet.ibm.com>
      Signed-off-by: default avatarRajiv Andrade <srajiv@linux.vnet.ibm.com>
      5a79444f
    • Stefan Berger's avatar
      tpm_tis: Add timeouts sysfs entry · 62592101
      Stefan Berger authored
      Display the TPM's interface timeouts in a 'timeouts' sysfs entry. Display
      the entries as having been adjusted when they were scaled due to their values
      being reported in milliseconds rather than microseconds.
      Signed-off-by: default avatarStefan Berger <stefanb@linux.vnet.ibm.com>
      Signed-off-by: default avatarRajiv Andrade <srajiv@linux.vnet.ibm.com>
      62592101
    • Stefan Berger's avatar
      tpm: Adjust interface timeouts if they are too small · e3e1a1e1
      Stefan Berger authored
      Adjust the interface timeouts if they are found to be too small, i.e., if
      they are returned in milliseconds rather than microseconds as we heared
      from Infineon that some (old) Infineon TPMs do.
      Signed-off-by: default avatarStefan Berger <stefanb@linux.vnet.ibm.com>
      Signed-off-by: default avatarRajiv Andrade <srajiv@linux.vnet.ibm.com>
      e3e1a1e1
    • Stefan Berger's avatar
      tpm: Use interface timeouts returned from the TPM · 829bf067
      Stefan Berger authored
      The TPM driver currently discards the interface timeout values returned
      from the TPM. The check of the response packet needs to consider that
      the return_code field is 0 on success and the size of the expected
      packet is equivalent to the header size + u32 length indicator for the
      TPM_GetCapability() result + 4 interface timeout indicators of type u32.
      Signed-off-by: default avatarStefan Berger <stefanb@linux.vnet.ibm.com>
      Signed-off-by: default avatarRajiv Andrade <srajiv@linux.vnet.ibm.com>
      829bf067
    • Stefan Berger's avatar
      tpm_tis: Introduce durations sysfs entry · 04ab2293
      Stefan Berger authored
      Display the TPM's command timeouts in a 'durations' sysfs entry. Display
      the entries as having been adjusted when they were scaled due to their values
      being reported in milliseconds rather than microseconds.
      Signed-off-by: default avatarStefan Berger <stefanb@linux.vnet.ibm.com>
      Tested-by: default avatarGuillaume Chazarain <guichaz@gmail.com>
      Signed-off-by: default avatarRajiv Andrade <srajiv@linux.vnet.ibm.com>
      04ab2293
    • Stefan Berger's avatar
      tpm: Adjust the durations if they are too small · e934acca
      Stefan Berger authored
      Adjust the durations if they are found to be too small, i.e., if they are
      returned in milliseconds rather than microseconds as some Infineon TPMs are
      reported to do.
      Signed-off-by: default avatarStefan Berger <stefanb@linux.vnet.ibm.com>
      Signed-off-by: default avatarRajiv Andrade <srajiv@linux.vnet.ibm.com>
      e934acca
    • Stefan Berger's avatar
      tpm: Use durations returned from TPM · 979b1406
      Stefan Berger authored
      The TPM driver currently discards the durations values returned
      from the TPM. The check of the response packet needs to consider that
      the return_code field is 0 on success and the size of the expected
      packet is equivalent to the header size + u32 length indicator for the
      TPM_GetCapability() result + 3 timeout indicators of type u32.
      
      v4:
      - sysfs entry 'durations' is now a patch of its own
      - the work-around for TPMs reporting durations in milliseconds is now in a
        patch of its own
      
      v3:
      - sysfs entry now called 'durations' to resemble TPM-speak (previously
        was called 'timeouts')
      
      v2:
      - adjusting all timeouts for TPM devices reporting timeouts in msec rather
        than usec
      - also displaying in sysfs whether the timeouts are 'original' or 'adjusted'
      Signed-off-by: default avatarStefan Berger <stefanb@linux.vnet.ibm.com>
      Tested-by: default avatarGuillaume Chazarain <guichaz@gmail.com>
      Signed-off-by: default avatarRajiv Andrade <srajiv@linux.vnet.ibm.com>
      979b1406
  4. 11 Jul, 2011 5 commits
  5. 07 Jul, 2011 1 commit
  6. 30 Jun, 2011 7 commits
  7. 29 Jun, 2011 8 commits