ima: include pcr for each measurement log entry
authorEric Richter <erichte@linux.vnet.ibm.com>
Wed, 1 Jun 2016 18:14:03 +0000 (13:14 -0500)
committerMimi Zohar <zohar@linux.vnet.ibm.com>
Thu, 30 Jun 2016 05:14:21 +0000 (01:14 -0400)
The IMA measurement list entries include the Kconfig-defined PCR value.
This patch defines a new ima_template_entry field for including the PCR
as specified in the policy rule.

Signed-off-by: Eric Richter <erichte@linux.vnet.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
security/integrity/ima/ima.h
security/integrity/ima/ima_api.c
security/integrity/ima/ima_init.c
security/integrity/ima/ima_main.c

index 3c8e71e..db25f54 100644 (file)
@@ -88,6 +88,7 @@ struct ima_template_desc {
 };
 
 struct ima_template_entry {
+       int pcr;
        u8 digest[TPM_DIGEST_SIZE];     /* sha1 or md5 measurement hash */
        struct ima_template_desc *template_desc; /* template descriptor */
        u32 template_data_len;
@@ -163,13 +164,14 @@ int ima_collect_measurement(struct integrity_iint_cache *iint,
 void ima_store_measurement(struct integrity_iint_cache *iint, struct file *file,
                           const unsigned char *filename,
                           struct evm_ima_xattr_data *xattr_value,
-                          int xattr_len);
+                          int xattr_len, int pcr);
 void ima_audit_measurement(struct integrity_iint_cache *iint,
                           const unsigned char *filename);
 int ima_alloc_init_template(struct ima_event_data *event_data,
                            struct ima_template_entry **entry);
 int ima_store_template(struct ima_template_entry *entry, int violation,
-                      struct inode *inode, const unsigned char *filename);
+                      struct inode *inode,
+                      const unsigned char *filename, int pcr);
 void ima_free_template_entry(struct ima_template_entry *entry);
 const char *ima_d_path(const struct path *path, char **pathbuf);
 
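Review bot: The new `pcr` member at the top of struct ima_template_entry (hunk @@ -88,6 +88,7 @@) is the only field in the visible part of the struct without a trailing comment, while `digest` and `template_desc` each carry one; add `int pcr;  /* PCR index recorded for this entry, taken from the policy rule */` so a reader knows where the value originates. The struct's closing brace is outside the hunk. Nothing in this header bounds the value, which is a plain int, so the comment is also the natural place to state which layer is responsible for validating it against the TPM's PCR count.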
index 225b9ce..8363ba3 100644 (file)
@@ -87,7 +87,7 @@ out:
  */
 int ima_store_template(struct ima_template_entry *entry,
                       int violation, struct inode *inode,
-                      const unsigned char *filename)
+                      const unsigned char *filename, int pcr)
 {
        static const char op[] = "add_template_measure";
        static const char audit_cause[] = "hashing_error";
@@ -114,6 +114,7 @@ int ima_store_template(struct ima_template_entry *entry,
                }
                memcpy(entry->digest, hash.hdr.digest, hash.hdr.length);
        }
+       entry->pcr = pcr;
        result = ima_add_template_entry(entry, violation, op, inode, filename);
        return result;
 }
@@ -144,7 +145,8 @@ void ima_add_violation(struct file *file, const unsigned char *filename,
                result = -ENOMEM;
                goto err_out;
        }
-       result = ima_store_template(entry, violation, inode, filename);
+       result = ima_store_template(entry, violation, inode,
+                                   filename, CONFIG_IMA_MEASURE_PCR_IDX);
        if (result < 0)
                ima_free_template_entry(entry);
 err_out:
@@ -253,7 +255,7 @@ out:
 void ima_store_measurement(struct integrity_iint_cache *iint,
                           struct file *file, const unsigned char *filename,
                           struct evm_ima_xattr_data *xattr_value,
-                          int xattr_len)
+                          int xattr_len, int pcr)
 {
        static const char op[] = "add_template_measure";
        static const char audit_cause[] = "ENOMEM";
@@ -274,7 +276,7 @@ void ima_store_measurement(struct integrity_iint_cache *iint,
                return;
        }
 
-       result = ima_store_template(entry, violation, inode, filename);
+       result = ima_store_template(entry, violation, inode, filename, pcr);
        if (!result || result == -EEXIST)
                iint->flags |= IMA_MEASURED;
        if (result < 0)
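Review bot: The comment block that closes just above ima_store_template (hunk @@ -87,7 +87,7 @@) is not updated for the new `pcr` parameter; its body is outside the hunk, but if it lists the other parameters it should gain a line such as ` * @pcr: PCR index recorded in the template entry`. The assignment `entry->pcr = pcr;` in the second hunk is unconditional and runs after the digest block, so every caller, including ima_add_violation with CONFIG_IMA_MEASURE_PCR_IDX and ima_store_measurement with the policy-supplied value, funnels through this one line. That makes ima_store_template the single place where a range check on `pcr` against the TPM's PCR count would cover all callers, whereas a check only in the policy parser (not in this commit) leaves any future direct caller unguarded; worth adding one here, returning an error before the entry is added, if the parser is not already guaranteed to reject out-of-range indices. ima_store_measurement's body continues past the last hunk.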
index 5d679a6..32912bd 100644 (file)
@@ -79,7 +79,8 @@ static int __init ima_add_boot_aggregate(void)
        }
 
        result = ima_store_template(entry, violation, NULL,
-                                   boot_aggregate_name);
+                                   boot_aggregate_name,
+                                   CONFIG_IMA_MEASURE_PCR_IDX);
        if (result < 0) {
                ima_free_template_entry(entry);
                audit_cause = "store_entry";
index 58b08b2..3627afd 100644 (file)
@@ -239,7 +239,7 @@ static int process_measurement(struct file *file, char *buf, loff_t size,
 
        if (action & IMA_MEASURE)
                ima_store_measurement(iint, file, pathname,
-                                     xattr_value, xattr_len);
+                                     xattr_value, xattr_len, pcr);
        if (action & IMA_APPRAISE_SUBMASK)
                rc = ima_appraise_measurement(func, iint, file, pathname,
                                              xattr_value, xattr_len, opened);
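Review bot: `pcr` passed on the new call line is a local of process_measurement whose declaration and assignment are not part of this hunk, and process_measurement begins and ends outside it, so the hunk only compiles if an unshown part of the series already declares it and the policy lookup fills it in. Worth confirming the variable cannot reach this call uninitialized on a path where IMA_MEASURE is set but no rule supplied a PCR, for example by initializing it to CONFIG_IMA_MEASURE_PCR_IDX at its declaration, since whatever value it holds is now recorded in the measurement entry by ima_store_measurement.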