ima: Call ima_calc_boot_aggregate() in ima_eventdigest_init()

If the template field 'd' is chosen and the digest to be added to the
measurement entry was not calculated with SHA1 or MD5, it is
recalculated with SHA1, by using the passed file descriptor. However, this
cannot be done for boot_aggregate, because there is no file descriptor.

This patch adds a call to ima_calc_boot_aggregate() in
ima_eventdigest_init(), so that the digest can be recalculated also for the
boot_aggregate entry.

Cc: stable@vger.kernel.org # 3.13.x
Fixes: 3ce1217d6cd5d ("ima: define template fields library and new helpers")
Reported-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index 02796473238b6c1bfec227c16511d018a4835132..df93ac258e01350f495da3447a938721932c57b1 100644 (file)
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -57,6 +57,7 @@ extern int ima_hash_algo_idx __ro_after_init;
 extern int ima_extra_slots __ro_after_init;
 extern int ima_appraise;
 extern struct tpm_chip *ima_tpm_chip;
+extern const char boot_aggregate_name[];
 
 /* IMA event related data */
 struct ima_event_data {
@@ -144,7 +145,7 @@ int ima_calc_buffer_hash(const void *buf, loff_t len,
                         struct ima_digest_data *hash);
 int ima_calc_field_array_hash(struct ima_field_data *field_data,
                              struct ima_template_entry *entry);
-int __init ima_calc_boot_aggregate(struct ima_digest_data *hash);
+int ima_calc_boot_aggregate(struct ima_digest_data *hash);
 void ima_add_violation(struct file *file, const unsigned char *filename,
                       struct integrity_iint_cache *iint,
                       const char *op, const char *cause);

diff --git a/security/integrity/ima/ima_crypto.c b/security/integrity/ima/ima_crypto.c
index 5201f5ec2ce4f44d2fde323b865d86164abd83d9..002fdf6994d539040e9eee0238e13cc39cc2a108 100644 (file)
--- a/security/integrity/ima/ima_crypto.c
+++ b/security/integrity/ima/ima_crypto.c
@@ -806,8 +806,8 @@ static void __init ima_pcrread(u32 idx, struct tpm_digest *d)
  * hash algorithm for reading the TPM PCRs as for calculating the boot
  * aggregate digest as stored in the measurement list.
  */
-static int __init ima_calc_boot_aggregate_tfm(char *digest, u16 alg_id,
-                                             struct crypto_shash *tfm)
+static int ima_calc_boot_aggregate_tfm(char *digest, u16 alg_id,
+                                      struct crypto_shash *tfm)
 {
        struct tpm_digest d = { .alg_id = alg_id, .digest = {0} };
        int rc;
@@ -835,7 +835,7 @@ static int __init ima_calc_boot_aggregate_tfm(char *digest, u16 alg_id,
        return rc;
 }
 
-int __init ima_calc_boot_aggregate(struct ima_digest_data *hash)
+int ima_calc_boot_aggregate(struct ima_digest_data *hash)
 {
        struct crypto_shash *tfm;
        u16 crypto_id, alg_id;

diff --git a/security/integrity/ima/ima_init.c b/security/integrity/ima/ima_init.c
index fc1e1002b48d63591fc3e799169eb1600180e0fa..4902fe7bd5707f8a15d8e93efe0cd8570ce78b31 100644 (file)
--- a/security/integrity/ima/ima_init.c
+++ b/security/integrity/ima/ima_init.c
@@ -19,7 +19,7 @@
 #include "ima.h"
 
 /* name for boot aggregate entry */
-static const char boot_aggregate_name[] = "boot_aggregate";
+const char boot_aggregate_name[] = "boot_aggregate";
 struct tpm_chip *ima_tpm_chip;
 
 /* Add the boot aggregate to the IMA measurement list and extend

diff --git a/security/integrity/ima/ima_template_lib.c b/security/integrity/ima/ima_template_lib.c
index 9cd1e50f3ccc7521ad84b94d0fb05b7c3d74d353..635c6ac050502533560b6ba58e9d2a28282495b3 100644 (file)
--- a/security/integrity/ima/ima_template_lib.c
+++ b/security/integrity/ima/ima_template_lib.c
@@ -286,6 +286,24 @@ int ima_eventdigest_init(struct ima_event_data *event_data,
                goto out;
        }
 
+       if ((const char *)event_data->filename == boot_aggregate_name) {
+               if (ima_tpm_chip) {
+                       hash.hdr.algo = HASH_ALGO_SHA1;
+                       result = ima_calc_boot_aggregate(&hash.hdr);
+
+                       /* algo can change depending on available PCR banks */
+                       if (!result && hash.hdr.algo != HASH_ALGO_SHA1)
+                               result = -EINVAL;
+
+                       if (result < 0)
+                               memset(&hash, 0, sizeof(hash));
+               }
+
+               cur_digest = hash.hdr.digest;
+               cur_digestsize = hash_digest_size[HASH_ALGO_SHA1];
+               goto out;
+       }
+
        if (!event_data->file)  /* missing info to re-calculate the digest */
                return -EINVAL;