    Merge tag 'integrity-v5.8' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity · 3c0ad98c
    Linus Torvalds authored
    Pull integrity updates from Mimi Zohar:
     "The main changes are extending the TPM 2.0 PCR banks with bank
      specific file hashes, calculating the "boot_aggregate" based on other
      TPM PCR banks, using the default IMA hash algorithm, instead of SHA1,
      as the basis for the cache hash table key, and preventing the mprotect
      syscall to circumvent an IMA mmap appraise policy rule.
    
       - In preparation for extending TPM 2.0 PCR banks with bank specific
         digests, commit 0b6cf6b9 ("tpm: pass an array of
         tpm_extend_digest structures to tpm_pcr_extend()") modified
         tpm_pcr_extend(). The original SHA1 file digests were
         padded/truncated, before being extended into the other TPM PCR
         banks. This pull request calculates and extends the TPM PCR banks
         with bank specific file hashes completing the above change.
    
       - The "boot_aggregate", the first IMA measurement list record, is the
         "trusted boot" link between the pre-boot environment and the
         running OS. With TPM 2.0, the "boot_aggregate" record is not
         limited to being based on the SHA1 TPM PCR bank, but can be
         calculated based on any enabled bank, assuming the hash algorithm
         is also enabled in the kernel.
    
      Other changes include the following and five other bug fixes/code
      clean up:
    
       - supporting both a SHA1 and a larger "boot_aggregate" digest in a
         custom template format containing both the SHA1 ('d') and
         larger digests ('d-ng') fields.
    
       - Initial hash table key fix, but additional changes would be good"
    
    * tag 'integrity-v5.8' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity:
      ima: Directly free *entry in ima_alloc_init_template() if digests is NULL
      ima: Call ima_calc_boot_aggregate() in ima_eventdigest_init()
      ima: Directly assign the ima_default_policy pointer to ima_rules
      ima: verify mprotect change is consistent with mmap policy
      evm: Fix possible memory leak in evm_calc_hmac_or_hash()
      ima: Set again build_ima_appraise variable
      ima: Remove redundant policy rule set in add_rules()
      ima: Fix ima digest hash table key calculation
      ima: Use ima_hash_algo for collision detection in the measurement list
      ima: Calculate and extend PCR with digests in ima_template_entry
      ima: Allocate and initialize tfm for each PCR bank
      ima: Switch to dynamically allocated buffer for template digests
      ima: Store template digest directly in ima_template_entry
      ima: Evaluate error in init_ima()
      ima: Switch to ima_hash_algo for boot aggregate
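
An added example, not part of the commit or the kernel source: how a verifier replaying the measurement list against a SHA-256 PCR bank sees the difference between padded SHA1 digests and bank specific digests described in the first bullet above. The function names and record bytes are constructed for illustration, and zero-byte padding is an assumption.

```python
import hashlib

def extend(alg, pcr, digest):
    """TPM extend for one bank: new PCR = H(old PCR || digest)."""
    if len(digest) != hashlib.new(alg).digest_size:
        raise ValueError("digest must match the bank's digest size")
    return hashlib.new(alg, pcr + digest).digest()

def fit_sha1_to_bank(sha1_digest, alg):
    """Old behaviour: pad (assumed zero bytes) or truncate a SHA1 digest."""
    size = hashlib.new(alg).digest_size
    return sha1_digest[:size].ljust(size, b"\x00")

def replay(records, alg, bank_specific):
    """Recompute the PCR a verifier expects after all records are extended."""
    pcr = bytes(hashlib.new(alg).digest_size)  # PCR starts as all zeros
    for data in records:
        if bank_specific:
            # New behaviour: digest computed with the bank's own algorithm.
            digest = hashlib.new(alg, data).digest()
        else:
            # Old behaviour: the bank only ever sees a resized SHA1 digest.
            digest = fit_sha1_to_bank(hashlib.sha1(data).digest(), alg)
        pcr = extend(alg, pcr, digest)
    return pcr

def identify_scheme(records, alg, quoted_pcr):
    """Tell which scheme produced a quoted PCR value, or None on mismatch."""
    if replay(records, alg, bank_specific=True) == quoted_pcr:
        return "bank-specific"
    if replay(records, alg, bank_specific=False) == quoted_pcr:
        return "padded-sha1"
    return None

# Constructed sample data standing in for measured content.
RECORDS = [b"boot_aggregate (constructed)", b"/usr/bin/example (constructed)"]

if __name__ == "__main__":
    for mode in (False, True):
        print("bank_specific =", mode, replay(RECORDS, "sha256", mode).hex())
```

In the SHA1 bank both replays give the same value, so only the larger banks distinguish the two schemes; a verifier that still replays padded SHA1 digests against a SHA-256 bank extended this way reports a mismatch.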
ima_crypto.c 20.2 KB