• Enrico Bravi's avatar
    ima: add crypto agility support for template-hash algorithm · 9fa8e762
    Enrico Bravi authored
    The template hash showed by the ascii_runtime_measurements and
    binary_runtime_measurements is the one calculated using sha1 and there is
    no possibility to change this value, despite the fact that the template
    hash is calculated using the hash algorithms corresponding to all the PCR
    banks configured in the TPM.
    
    Add the support to retrieve the ima log with the template data hash
    calculated with a specific hash algorithm.
    Add a new file in the securityfs ima directory for each hash algo
    configured in a PCR bank of the TPM. Each new file has the name with
    the following structure:
    
            {binary, ascii}_runtime_measurements_<hash_algo_name>
    
    Legacy files are kept, to avoid breaking existing applications, but as
    symbolic links which point to {binary, ascii}_runtime_measurements_sha1
    files. These two files are created even if a TPM chip is not detected or
    the sha1 bank is not configured in the TPM.
    
    As example, in the case a TPM chip is present and sha256 is the only
    configured PCR bank, the listing of the securityfs ima directory is the
    following:
    
    lr--r--r-- [...] ascii_runtime_measurements -> ascii_runtime_measurements_sha1
    -r--r----- [...] ascii_runtime_measurements_sha1
    -r--r----- [...] ascii_runtime_measurements_sha256
    lr--r--r-- [...] binary_runtime_measurements -> binary_runtime_measurements_sha1
    -r--r----- [...] binary_runtime_measurements_sha1
    -r--r----- [...] binary_runtime_measurements_sha256
    --w------- [...] policy
    -r--r----- [...] runtime_measurements_count
    -r--r----- [...] violations
    Signed-off-by: default avatarEnrico Bravi <enrico.bravi@polito.it>
    Signed-off-by: default avatarSilvia Sisinni <silvia.sisinni@polito.it>
    Reviewed-by: default avatarRoberto Sassu <roberto.sassu@huawei.com>
    Signed-off-by: default avatarMimi Zohar <zohar@linux.ibm.com>
    9fa8e762
ima_kexec.c 4.08 KB