Commit 3c0ad98c authored by Linus Torvalds's avatar Linus Torvalds

Merge tag 'integrity-v5.8' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity

Pull integrity updates from Mimi Zohar:
 "The main changes are extending the TPM 2.0 PCR banks with bank
  specific file hashes, calculating the "boot_aggregate" based on other
  TPM PCR banks, using the default IMA hash algorithm, instead of SHA1,
  as the basis for the cache hash table key, and preventing the mprotect
  syscall to circumvent an IMA mmap appraise policy rule.

   - In preparation for extending TPM 2.0 PCR banks with bank specific
     digests, commit 0b6cf6b9 ("tpm: pass an array of
     tpm_extend_digest structures to tpm_pcr_extend()") modified
     tpm_pcr_extend(). The original SHA1 file digests were
     padded/truncated, before being extended into the other TPM PCR
     banks. This pull request calculates and extends the TPM PCR banks
     with bank specific file hashes completing the above change.

   - The "boot_aggregate", the first IMA measurement list record, is the
     "trusted boot" link between the pre-boot environment and the
     running OS. With TPM 2.0, the "boot_aggregate" record is not
     limited to being based on the SHA1 TPM PCR bank, but can be
     calculated based on any enabled bank, assuming the hash algorithm
     is also enabled in the kernel.

  Other changes include the following and five other bug fixes/code
  clean up:

   - supporting both a SHA1 and a larger "boot_aggregate" digest in a
     custom template format containing both the the SHA1 ('d') and
     larger digests ('d-ng') fields.

   - Initial hash table key fix, but additional changes would be good"

* tag 'integrity-v5.8' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity:
  ima: Directly free *entry in ima_alloc_init_template() if digests is NULL
  ima: Call ima_calc_boot_aggregate() in ima_eventdigest_init()
  ima: Directly assign the ima_default_policy pointer to ima_rules
  ima: verify mprotect change is consistent with mmap policy
  evm: Fix possible memory leak in evm_calc_hmac_or_hash()
  ima: Set again build_ima_appraise variable
  ima: Remove redundant policy rule set in add_rules()
  ima: Fix ima digest hash table key calculation
  ima: Use ima_hash_algo for collision detection in the measurement list
  ima: Calculate and extend PCR with digests in ima_template_entry
  ima: Allocate and initialize tfm for each PCR bank
  ima: Switch to dynamically allocated buffer for template digests
  ima: Store template digest directly in ima_template_entry
  ima: Evaluate error in init_ima()
  ima: Switch to ima_hash_algo for boot aggregate
parents aaa2faab 42413b49
...@@ -18,6 +18,7 @@ extern int ima_file_check(struct file *file, int mask); ...@@ -18,6 +18,7 @@ extern int ima_file_check(struct file *file, int mask);
extern void ima_post_create_tmpfile(struct inode *inode); extern void ima_post_create_tmpfile(struct inode *inode);
extern void ima_file_free(struct file *file); extern void ima_file_free(struct file *file);
extern int ima_file_mmap(struct file *file, unsigned long prot); extern int ima_file_mmap(struct file *file, unsigned long prot);
extern int ima_file_mprotect(struct vm_area_struct *vma, unsigned long prot);
extern int ima_load_data(enum kernel_load_data_id id); extern int ima_load_data(enum kernel_load_data_id id);
extern int ima_read_file(struct file *file, enum kernel_read_file_id id); extern int ima_read_file(struct file *file, enum kernel_read_file_id id);
extern int ima_post_read_file(struct file *file, void *buf, loff_t size, extern int ima_post_read_file(struct file *file, void *buf, loff_t size,
...@@ -70,6 +71,12 @@ static inline int ima_file_mmap(struct file *file, unsigned long prot) ...@@ -70,6 +71,12 @@ static inline int ima_file_mmap(struct file *file, unsigned long prot)
return 0; return 0;
} }
static inline int ima_file_mprotect(struct vm_area_struct *vma,
unsigned long prot)
{
return 0;
}
static inline int ima_load_data(enum kernel_load_data_id id) static inline int ima_load_data(enum kernel_load_data_id id)
{ {
return 0; return 0;
......
...@@ -241,7 +241,7 @@ static int evm_calc_hmac_or_hash(struct dentry *dentry, ...@@ -241,7 +241,7 @@ static int evm_calc_hmac_or_hash(struct dentry *dentry,
/* Portable EVM signatures must include an IMA hash */ /* Portable EVM signatures must include an IMA hash */
if (type == EVM_XATTR_PORTABLE_DIGSIG && !ima_present) if (type == EVM_XATTR_PORTABLE_DIGSIG && !ima_present)
return -EPERM; error = -EPERM;
out: out:
kfree(xattr_value); kfree(xattr_value);
kfree(desc); kfree(desc);
......
...@@ -36,7 +36,7 @@ enum tpm_pcrs { TPM_PCR0 = 0, TPM_PCR8 = 8 }; ...@@ -36,7 +36,7 @@ enum tpm_pcrs { TPM_PCR0 = 0, TPM_PCR8 = 8 };
#define IMA_DIGEST_SIZE SHA1_DIGEST_SIZE #define IMA_DIGEST_SIZE SHA1_DIGEST_SIZE
#define IMA_EVENT_NAME_LEN_MAX 255 #define IMA_EVENT_NAME_LEN_MAX 255
#define IMA_HASH_BITS 9 #define IMA_HASH_BITS 10
#define IMA_MEASURE_HTABLE_SIZE (1 << IMA_HASH_BITS) #define IMA_MEASURE_HTABLE_SIZE (1 << IMA_HASH_BITS)
#define IMA_TEMPLATE_FIELD_ID_MAX_LEN 16 #define IMA_TEMPLATE_FIELD_ID_MAX_LEN 16
...@@ -45,13 +45,19 @@ enum tpm_pcrs { TPM_PCR0 = 0, TPM_PCR8 = 8 }; ...@@ -45,13 +45,19 @@ enum tpm_pcrs { TPM_PCR0 = 0, TPM_PCR8 = 8 };
#define IMA_TEMPLATE_IMA_NAME "ima" #define IMA_TEMPLATE_IMA_NAME "ima"
#define IMA_TEMPLATE_IMA_FMT "d|n" #define IMA_TEMPLATE_IMA_FMT "d|n"
#define NR_BANKS(chip) ((chip != NULL) ? chip->nr_allocated_banks : 0)
/* current content of the policy */ /* current content of the policy */
extern int ima_policy_flag; extern int ima_policy_flag;
/* set during initialization */ /* set during initialization */
extern int ima_hash_algo; extern int ima_hash_algo;
extern int ima_sha1_idx __ro_after_init;
extern int ima_hash_algo_idx __ro_after_init;
extern int ima_extra_slots __ro_after_init;
extern int ima_appraise; extern int ima_appraise;
extern struct tpm_chip *ima_tpm_chip; extern struct tpm_chip *ima_tpm_chip;
extern const char boot_aggregate_name[];
/* IMA event related data */ /* IMA event related data */
struct ima_event_data { struct ima_event_data {
...@@ -92,7 +98,7 @@ struct ima_template_desc { ...@@ -92,7 +98,7 @@ struct ima_template_desc {
struct ima_template_entry { struct ima_template_entry {
int pcr; int pcr;
u8 digest[TPM_DIGEST_SIZE]; /* sha1 or md5 measurement hash */ struct tpm_digest *digests;
struct ima_template_desc *template_desc; /* template descriptor */ struct ima_template_desc *template_desc; /* template descriptor */
u32 template_data_len; u32 template_data_len;
struct ima_field_data template_data[0]; /* template related data */ struct ima_field_data template_data[0]; /* template related data */
...@@ -138,9 +144,8 @@ int ima_calc_file_hash(struct file *file, struct ima_digest_data *hash); ...@@ -138,9 +144,8 @@ int ima_calc_file_hash(struct file *file, struct ima_digest_data *hash);
int ima_calc_buffer_hash(const void *buf, loff_t len, int ima_calc_buffer_hash(const void *buf, loff_t len,
struct ima_digest_data *hash); struct ima_digest_data *hash);
int ima_calc_field_array_hash(struct ima_field_data *field_data, int ima_calc_field_array_hash(struct ima_field_data *field_data,
struct ima_template_desc *desc, int num_fields, struct ima_template_entry *entry);
struct ima_digest_data *hash); int ima_calc_boot_aggregate(struct ima_digest_data *hash);
int __init ima_calc_boot_aggregate(struct ima_digest_data *hash);
void ima_add_violation(struct file *file, const unsigned char *filename, void ima_add_violation(struct file *file, const unsigned char *filename,
struct integrity_iint_cache *iint, struct integrity_iint_cache *iint,
const char *op, const char *cause); const char *op, const char *cause);
...@@ -175,9 +180,10 @@ struct ima_h_table { ...@@ -175,9 +180,10 @@ struct ima_h_table {
}; };
extern struct ima_h_table ima_htable; extern struct ima_h_table ima_htable;
static inline unsigned long ima_hash_key(u8 *digest) static inline unsigned int ima_hash_key(u8 *digest)
{ {
return hash_long(*digest, IMA_HASH_BITS); /* there is no point in taking a hash of part of a digest */
return (digest[0] | digest[1] << 8) % IMA_MEASURE_HTABLE_SIZE;
} }
#define __ima_hooks(hook) \ #define __ima_hooks(hook) \
......
...@@ -27,6 +27,7 @@ void ima_free_template_entry(struct ima_template_entry *entry) ...@@ -27,6 +27,7 @@ void ima_free_template_entry(struct ima_template_entry *entry)
for (i = 0; i < entry->template_desc->num_fields; i++) for (i = 0; i < entry->template_desc->num_fields; i++)
kfree(entry->template_data[i].data); kfree(entry->template_data[i].data);
kfree(entry->digests);
kfree(entry); kfree(entry);
} }
...@@ -38,6 +39,7 @@ int ima_alloc_init_template(struct ima_event_data *event_data, ...@@ -38,6 +39,7 @@ int ima_alloc_init_template(struct ima_event_data *event_data,
struct ima_template_desc *desc) struct ima_template_desc *desc)
{ {
struct ima_template_desc *template_desc; struct ima_template_desc *template_desc;
struct tpm_digest *digests;
int i, result = 0; int i, result = 0;
if (desc) if (desc)
...@@ -50,6 +52,15 @@ int ima_alloc_init_template(struct ima_event_data *event_data, ...@@ -50,6 +52,15 @@ int ima_alloc_init_template(struct ima_event_data *event_data,
if (!*entry) if (!*entry)
return -ENOMEM; return -ENOMEM;
digests = kcalloc(NR_BANKS(ima_tpm_chip) + ima_extra_slots,
sizeof(*digests), GFP_NOFS);
if (!digests) {
kfree(*entry);
*entry = NULL;
return -ENOMEM;
}
(*entry)->digests = digests;
(*entry)->template_desc = template_desc; (*entry)->template_desc = template_desc;
for (i = 0; i < template_desc->num_fields; i++) { for (i = 0; i < template_desc->num_fields; i++) {
const struct ima_template_field *field = const struct ima_template_field *field =
...@@ -96,26 +107,16 @@ int ima_store_template(struct ima_template_entry *entry, ...@@ -96,26 +107,16 @@ int ima_store_template(struct ima_template_entry *entry,
static const char audit_cause[] = "hashing_error"; static const char audit_cause[] = "hashing_error";
char *template_name = entry->template_desc->name; char *template_name = entry->template_desc->name;
int result; int result;
struct {
struct ima_digest_data hdr;
char digest[TPM_DIGEST_SIZE];
} hash;
if (!violation) { if (!violation) {
int num_fields = entry->template_desc->num_fields;
/* this function uses default algo */
hash.hdr.algo = HASH_ALGO_SHA1;
result = ima_calc_field_array_hash(&entry->template_data[0], result = ima_calc_field_array_hash(&entry->template_data[0],
entry->template_desc, entry);
num_fields, &hash.hdr);
if (result < 0) { if (result < 0) {
integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode, integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode,
template_name, op, template_name, op,
audit_cause, result, 0); audit_cause, result, 0);
return result; return result;
} }
memcpy(entry->digest, hash.hdr.digest, hash.hdr.length);
} }
entry->pcr = pcr; entry->pcr = pcr;
result = ima_add_template_entry(entry, violation, op, inode, filename); result = ima_add_template_entry(entry, violation, op, inode, filename);
......
...@@ -57,7 +57,22 @@ MODULE_PARM_DESC(ahash_bufsize, "Maximum ahash buffer size"); ...@@ -57,7 +57,22 @@ MODULE_PARM_DESC(ahash_bufsize, "Maximum ahash buffer size");
static struct crypto_shash *ima_shash_tfm; static struct crypto_shash *ima_shash_tfm;
static struct crypto_ahash *ima_ahash_tfm; static struct crypto_ahash *ima_ahash_tfm;
int __init ima_init_crypto(void) struct ima_algo_desc {
struct crypto_shash *tfm;
enum hash_algo algo;
};
int ima_sha1_idx __ro_after_init;
int ima_hash_algo_idx __ro_after_init;
/*
* Additional number of slots reserved, as needed, for SHA1
* and IMA default algo.
*/
int ima_extra_slots __ro_after_init;
static struct ima_algo_desc *ima_algo_array;
static int __init ima_init_ima_crypto(void)
{ {
long rc; long rc;
...@@ -76,26 +91,137 @@ int __init ima_init_crypto(void) ...@@ -76,26 +91,137 @@ int __init ima_init_crypto(void)
static struct crypto_shash *ima_alloc_tfm(enum hash_algo algo) static struct crypto_shash *ima_alloc_tfm(enum hash_algo algo)
{ {
struct crypto_shash *tfm = ima_shash_tfm; struct crypto_shash *tfm = ima_shash_tfm;
int rc; int rc, i;
if (algo < 0 || algo >= HASH_ALGO__LAST) if (algo < 0 || algo >= HASH_ALGO__LAST)
algo = ima_hash_algo; algo = ima_hash_algo;
if (algo != ima_hash_algo) { if (algo == ima_hash_algo)
tfm = crypto_alloc_shash(hash_algo_name[algo], 0, 0); return tfm;
if (IS_ERR(tfm)) {
rc = PTR_ERR(tfm); for (i = 0; i < NR_BANKS(ima_tpm_chip) + ima_extra_slots; i++)
pr_err("Can not allocate %s (reason: %d)\n", if (ima_algo_array[i].tfm && ima_algo_array[i].algo == algo)
hash_algo_name[algo], rc); return ima_algo_array[i].tfm;
}
tfm = crypto_alloc_shash(hash_algo_name[algo], 0, 0);
if (IS_ERR(tfm)) {
rc = PTR_ERR(tfm);
pr_err("Can not allocate %s (reason: %d)\n",
hash_algo_name[algo], rc);
} }
return tfm; return tfm;
} }
int __init ima_init_crypto(void)
{
enum hash_algo algo;
long rc;
int i;
rc = ima_init_ima_crypto();
if (rc)
return rc;
ima_sha1_idx = -1;
ima_hash_algo_idx = -1;
for (i = 0; i < NR_BANKS(ima_tpm_chip); i++) {
algo = ima_tpm_chip->allocated_banks[i].crypto_id;
if (algo == HASH_ALGO_SHA1)
ima_sha1_idx = i;
if (algo == ima_hash_algo)
ima_hash_algo_idx = i;
}
if (ima_sha1_idx < 0) {
ima_sha1_idx = NR_BANKS(ima_tpm_chip) + ima_extra_slots++;
if (ima_hash_algo == HASH_ALGO_SHA1)
ima_hash_algo_idx = ima_sha1_idx;
}
if (ima_hash_algo_idx < 0)
ima_hash_algo_idx = NR_BANKS(ima_tpm_chip) + ima_extra_slots++;
ima_algo_array = kcalloc(NR_BANKS(ima_tpm_chip) + ima_extra_slots,
sizeof(*ima_algo_array), GFP_KERNEL);
if (!ima_algo_array) {
rc = -ENOMEM;
goto out;
}
for (i = 0; i < NR_BANKS(ima_tpm_chip); i++) {
algo = ima_tpm_chip->allocated_banks[i].crypto_id;
ima_algo_array[i].algo = algo;
/* unknown TPM algorithm */
if (algo == HASH_ALGO__LAST)
continue;
if (algo == ima_hash_algo) {
ima_algo_array[i].tfm = ima_shash_tfm;
continue;
}
ima_algo_array[i].tfm = ima_alloc_tfm(algo);
if (IS_ERR(ima_algo_array[i].tfm)) {
if (algo == HASH_ALGO_SHA1) {
rc = PTR_ERR(ima_algo_array[i].tfm);
ima_algo_array[i].tfm = NULL;
goto out_array;
}
ima_algo_array[i].tfm = NULL;
}
}
if (ima_sha1_idx >= NR_BANKS(ima_tpm_chip)) {
if (ima_hash_algo == HASH_ALGO_SHA1) {
ima_algo_array[ima_sha1_idx].tfm = ima_shash_tfm;
} else {
ima_algo_array[ima_sha1_idx].tfm =
ima_alloc_tfm(HASH_ALGO_SHA1);
if (IS_ERR(ima_algo_array[ima_sha1_idx].tfm)) {
rc = PTR_ERR(ima_algo_array[ima_sha1_idx].tfm);
goto out_array;
}
}
ima_algo_array[ima_sha1_idx].algo = HASH_ALGO_SHA1;
}
if (ima_hash_algo_idx >= NR_BANKS(ima_tpm_chip) &&
ima_hash_algo_idx != ima_sha1_idx) {
ima_algo_array[ima_hash_algo_idx].tfm = ima_shash_tfm;
ima_algo_array[ima_hash_algo_idx].algo = ima_hash_algo;
}
return 0;
out_array:
for (i = 0; i < NR_BANKS(ima_tpm_chip) + ima_extra_slots; i++) {
if (!ima_algo_array[i].tfm ||
ima_algo_array[i].tfm == ima_shash_tfm)
continue;
crypto_free_shash(ima_algo_array[i].tfm);
}
out:
crypto_free_shash(ima_shash_tfm);
return rc;
}
static void ima_free_tfm(struct crypto_shash *tfm) static void ima_free_tfm(struct crypto_shash *tfm)
{ {
if (tfm != ima_shash_tfm) int i;
crypto_free_shash(tfm);
if (tfm == ima_shash_tfm)
return;
for (i = 0; i < NR_BANKS(ima_tpm_chip) + ima_extra_slots; i++)
if (ima_algo_array[i].tfm == tfm)
return;
crypto_free_shash(tfm);
} }
/** /**
...@@ -464,17 +590,15 @@ int ima_calc_file_hash(struct file *file, struct ima_digest_data *hash) ...@@ -464,17 +590,15 @@ int ima_calc_file_hash(struct file *file, struct ima_digest_data *hash)
* Calculate the hash of template data * Calculate the hash of template data
*/ */
static int ima_calc_field_array_hash_tfm(struct ima_field_data *field_data, static int ima_calc_field_array_hash_tfm(struct ima_field_data *field_data,
struct ima_template_desc *td, struct ima_template_entry *entry,
int num_fields, int tfm_idx)
struct ima_digest_data *hash,
struct crypto_shash *tfm)
{ {
SHASH_DESC_ON_STACK(shash, tfm); SHASH_DESC_ON_STACK(shash, ima_algo_array[tfm_idx].tfm);
struct ima_template_desc *td = entry->template_desc;
int num_fields = entry->template_desc->num_fields;
int rc, i; int rc, i;
shash->tfm = tfm; shash->tfm = ima_algo_array[tfm_idx].tfm;
hash->length = crypto_shash_digestsize(tfm);
rc = crypto_shash_init(shash); rc = crypto_shash_init(shash);
if (rc != 0) if (rc != 0)
...@@ -504,27 +628,44 @@ static int ima_calc_field_array_hash_tfm(struct ima_field_data *field_data, ...@@ -504,27 +628,44 @@ static int ima_calc_field_array_hash_tfm(struct ima_field_data *field_data,
} }
if (!rc) if (!rc)
rc = crypto_shash_final(shash, hash->digest); rc = crypto_shash_final(shash, entry->digests[tfm_idx].digest);
return rc; return rc;
} }
int ima_calc_field_array_hash(struct ima_field_data *field_data, int ima_calc_field_array_hash(struct ima_field_data *field_data,
struct ima_template_desc *desc, int num_fields, struct ima_template_entry *entry)
struct ima_digest_data *hash)
{ {
struct crypto_shash *tfm; u16 alg_id;
int rc; int rc, i;
tfm = ima_alloc_tfm(hash->algo); rc = ima_calc_field_array_hash_tfm(field_data, entry, ima_sha1_idx);
if (IS_ERR(tfm)) if (rc)
return PTR_ERR(tfm); return rc;
rc = ima_calc_field_array_hash_tfm(field_data, desc, num_fields, entry->digests[ima_sha1_idx].alg_id = TPM_ALG_SHA1;
hash, tfm);
ima_free_tfm(tfm); for (i = 0; i < NR_BANKS(ima_tpm_chip) + ima_extra_slots; i++) {
if (i == ima_sha1_idx)
continue;
if (i < NR_BANKS(ima_tpm_chip)) {
alg_id = ima_tpm_chip->allocated_banks[i].alg_id;
entry->digests[i].alg_id = alg_id;
}
/* for unmapped TPM algorithms digest is still a padded SHA1 */
if (!ima_algo_array[i].tfm) {
memcpy(entry->digests[i].digest,
entry->digests[ima_sha1_idx].digest,
TPM_DIGEST_SIZE);
continue;
}
rc = ima_calc_field_array_hash_tfm(field_data, entry, i);
if (rc)
return rc;
}
return rc; return rc;
} }
...@@ -655,18 +796,29 @@ static void __init ima_pcrread(u32 idx, struct tpm_digest *d) ...@@ -655,18 +796,29 @@ static void __init ima_pcrread(u32 idx, struct tpm_digest *d)
} }
/* /*
* Calculate the boot aggregate hash * The boot_aggregate is a cumulative hash over TPM registers 0 - 7. With
* TPM 1.2 the boot_aggregate was based on reading the SHA1 PCRs, but with
* TPM 2.0 hash agility, TPM chips could support multiple TPM PCR banks,
* allowing firmware to configure and enable different banks.
*
* Knowing which TPM bank is read to calculate the boot_aggregate digest
* needs to be conveyed to a verifier. For this reason, use the same
* hash algorithm for reading the TPM PCRs as for calculating the boot
* aggregate digest as stored in the measurement list.
*/ */
static int __init ima_calc_boot_aggregate_tfm(char *digest, static int ima_calc_boot_aggregate_tfm(char *digest, u16 alg_id,
struct crypto_shash *tfm) struct crypto_shash *tfm)
{ {
struct tpm_digest d = { .alg_id = TPM_ALG_SHA1, .digest = {0} }; struct tpm_digest d = { .alg_id = alg_id, .digest = {0} };
int rc; int rc;
u32 i; u32 i;
SHASH_DESC_ON_STACK(shash, tfm); SHASH_DESC_ON_STACK(shash, tfm);
shash->tfm = tfm; shash->tfm = tfm;
pr_devel("calculating the boot-aggregate based on TPM bank: %04x\n",
d.alg_id);
rc = crypto_shash_init(shash); rc = crypto_shash_init(shash);
if (rc != 0) if (rc != 0)
return rc; return rc;
...@@ -675,24 +827,48 @@ static int __init ima_calc_boot_aggregate_tfm(char *digest, ...@@ -675,24 +827,48 @@ static int __init ima_calc_boot_aggregate_tfm(char *digest,
for (i = TPM_PCR0; i < TPM_PCR8; i++) { for (i = TPM_PCR0; i < TPM_PCR8; i++) {
ima_pcrread(i, &d); ima_pcrread(i, &d);
/* now accumulate with current aggregate */ /* now accumulate with current aggregate */
rc = crypto_shash_update(shash, d.digest, TPM_DIGEST_SIZE); rc = crypto_shash_update(shash, d.digest,
crypto_shash_digestsize(tfm));
} }
if (!rc) if (!rc)
crypto_shash_final(shash, digest); crypto_shash_final(shash, digest);
return rc; return rc;
} }
int __init ima_calc_boot_aggregate(struct ima_digest_data *hash) int ima_calc_boot_aggregate(struct ima_digest_data *hash)
{ {
struct crypto_shash *tfm; struct crypto_shash *tfm;
int rc; u16 crypto_id, alg_id;
int rc, i, bank_idx = -1;
for (i = 0; i < ima_tpm_chip->nr_allocated_banks; i++) {
crypto_id = ima_tpm_chip->allocated_banks[i].crypto_id;
if (crypto_id == hash->algo) {
bank_idx = i;
break;
}
if (crypto_id == HASH_ALGO_SHA256)
bank_idx = i;
if (bank_idx == -1 && crypto_id == HASH_ALGO_SHA1)
bank_idx = i;
}
if (bank_idx == -1) {
pr_err("No suitable TPM algorithm for boot aggregate\n");
return 0;
}
hash->algo = ima_tpm_chip->allocated_banks[bank_idx].crypto_id;
tfm = ima_alloc_tfm(hash->algo); tfm = ima_alloc_tfm(hash->algo);
if (IS_ERR(tfm)) if (IS_ERR(tfm))
return PTR_ERR(tfm); return PTR_ERR(tfm);
hash->length = crypto_shash_digestsize(tfm); hash->length = crypto_shash_digestsize(tfm);
rc = ima_calc_boot_aggregate_tfm(hash->digest, tfm); alg_id = ima_tpm_chip->allocated_banks[bank_idx].alg_id;
rc = ima_calc_boot_aggregate_tfm(hash->digest, alg_id, tfm);
ima_free_tfm(tfm); ima_free_tfm(tfm);
......
...@@ -150,7 +150,7 @@ int ima_measurements_show(struct seq_file *m, void *v) ...@@ -150,7 +150,7 @@ int ima_measurements_show(struct seq_file *m, void *v)
ima_putc(m, &pcr, sizeof(e->pcr)); ima_putc(m, &pcr, sizeof(e->pcr));
/* 2nd: template digest */ /* 2nd: template digest */
ima_putc(m, e->digest, TPM_DIGEST_SIZE); ima_putc(m, e->digests[ima_sha1_idx].digest, TPM_DIGEST_SIZE);
/* 3rd: template name size */ /* 3rd: template name size */
namelen = !ima_canonical_fmt ? strlen(template_name) : namelen = !ima_canonical_fmt ? strlen(template_name) :
...@@ -233,7 +233,7 @@ static int ima_ascii_measurements_show(struct seq_file *m, void *v) ...@@ -233,7 +233,7 @@ static int ima_ascii_measurements_show(struct seq_file *m, void *v)
seq_printf(m, "%2d ", e->pcr); seq_printf(m, "%2d ", e->pcr);
/* 2nd: SHA1 template hash */ /* 2nd: SHA1 template hash */
ima_print_digest(m, e->digest, TPM_DIGEST_SIZE); ima_print_digest(m, e->digests[ima_sha1_idx].digest, TPM_DIGEST_SIZE);
/* 3th: template name */ /* 3th: template name */
seq_printf(m, " %s", template_name); seq_printf(m, " %s", template_name);
......
...@@ -19,13 +19,13 @@ ...@@ -19,13 +19,13 @@
#include "ima.h" #include "ima.h"
/* name for boot aggregate entry */ /* name for boot aggregate entry */
static const char boot_aggregate_name[] = "boot_aggregate"; const char boot_aggregate_name[] = "boot_aggregate";
struct tpm_chip *ima_tpm_chip; struct tpm_chip *ima_tpm_chip;
/* Add the boot aggregate to the IMA measurement list and extend /* Add the boot aggregate to the IMA measurement list and extend
* the PCR register. * the PCR register.
* *
* Calculate the boot aggregate, a SHA1 over tpm registers 0-7, * Calculate the boot aggregate, a hash over tpm registers 0-7,
* assuming a TPM chip exists, and zeroes if the TPM chip does not * assuming a TPM chip exists, and zeroes if the TPM chip does not
* exist. Add the boot aggregate measurement to the measurement * exist. Add the boot aggregate measurement to the measurement
* list and extend the PCR register. * list and extend the PCR register.
...@@ -49,15 +49,27 @@ static int __init ima_add_boot_aggregate(void) ...@@ -49,15 +49,27 @@ static int __init ima_add_boot_aggregate(void)
int violation = 0; int violation = 0;
struct { struct {
struct ima_digest_data hdr; struct ima_digest_data hdr;
char digest[TPM_DIGEST_SIZE]; char digest[TPM_MAX_DIGEST_SIZE];
} hash; } hash;
memset(iint, 0, sizeof(*iint)); memset(iint, 0, sizeof(*iint));
memset(&hash, 0, sizeof(hash)); memset(&hash, 0, sizeof(hash));
iint->ima_hash = &hash.hdr; iint->ima_hash = &hash.hdr;
iint->ima_hash->algo = HASH_ALGO_SHA1; iint->ima_hash->algo = ima_hash_algo;
iint->ima_hash->length = SHA1_DIGEST_SIZE; iint->ima_hash->length = hash_digest_size[ima_hash_algo];
/*
* With TPM 2.0 hash agility, TPM chips could support multiple TPM
* PCR banks, allowing firmware to configure and enable different
* banks. The SHA1 bank is not necessarily enabled.
*
* Use the same hash algorithm for reading the TPM PCRs as for
* calculating the boot aggregate digest. Preference is given to
* the configured IMA default hash algorithm. Otherwise, use the
* TCG required banks - SHA256 for TPM 2.0, SHA1 for TPM 1.2.
* Ultimately select SHA1 also for TPM 2.0 if the SHA256 PCR bank
* is not found.
*/
if (ima_tpm_chip) { if (ima_tpm_chip) {
result = ima_calc_boot_aggregate(&hash.hdr); result = ima_calc_boot_aggregate(&hash.hdr);
if (result < 0) { if (result < 0) {
......
...@@ -393,6 +393,57 @@ int ima_file_mmap(struct file *file, unsigned long prot) ...@@ -393,6 +393,57 @@ int ima_file_mmap(struct file *file, unsigned long prot)
return 0; return 0;
} }
/**
* ima_file_mprotect - based on policy, limit mprotect change
* @prot: contains the protection that will be applied by the kernel.
*
* Files can be mmap'ed read/write and later changed to execute to circumvent
* IMA's mmap appraisal policy rules. Due to locking issues (mmap semaphore
* would be taken before i_mutex), files can not be measured or appraised at
* this point. Eliminate this integrity gap by denying the mprotect
* PROT_EXECUTE change, if an mmap appraise policy rule exists.
*
* On mprotect change success, return 0. On failure, return -EACESS.
*/
int ima_file_mprotect(struct vm_area_struct *vma, unsigned long prot)
{
struct ima_template_desc *template;
struct file *file = vma->vm_file;
char filename[NAME_MAX];
char *pathbuf = NULL;
const char *pathname = NULL;
struct inode *inode;
int result = 0;
int action;
u32 secid;
int pcr;
/* Is mprotect making an mmap'ed file executable? */
if (!vma->vm_file || !(prot & PROT_EXEC) || (vma->vm_flags & VM_EXEC))
return 0;
security_task_getsecid(current, &secid);
inode = file_inode(vma->vm_file);
action = ima_get_action(inode, current_cred(), secid, MAY_EXEC,
MMAP_CHECK, &pcr, &template, 0);
/* Is the mmap'ed file in policy? */
if (!(action & (IMA_MEASURE | IMA_APPRAISE_SUBMASK)))
return 0;
if (action & IMA_APPRAISE_SUBMASK)
result = -EPERM;
file = vma->vm_file;
pathname = ima_d_path(&file->f_path, &pathbuf, filename);
integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, pathname,
"collect_data", "failed-mprotect", result, 0);
if (pathbuf)
__putname(pathbuf);
return result;
}
/** /**
* ima_bprm_check - based on policy, collect/store measurement. * ima_bprm_check - based on policy, collect/store measurement.
* @bprm: contains the linux_binprm structure * @bprm: contains the linux_binprm structure
...@@ -792,6 +843,9 @@ static int __init init_ima(void) ...@@ -792,6 +843,9 @@ static int __init init_ima(void)
error = ima_init(); error = ima_init();
} }
if (error)
return error;
error = register_blocking_lsm_notifier(&ima_lsm_policy_notifier); error = register_blocking_lsm_notifier(&ima_lsm_policy_notifier);
if (error) if (error)
pr_warn("Couldn't register LSM notifier, error %d\n", error); pr_warn("Couldn't register LSM notifier, error %d\n", error);
......
...@@ -204,7 +204,7 @@ static struct ima_rule_entry *arch_policy_entry __ro_after_init; ...@@ -204,7 +204,7 @@ static struct ima_rule_entry *arch_policy_entry __ro_after_init;
static LIST_HEAD(ima_default_rules); static LIST_HEAD(ima_default_rules);
static LIST_HEAD(ima_policy_rules); static LIST_HEAD(ima_policy_rules);
static LIST_HEAD(ima_temp_rules); static LIST_HEAD(ima_temp_rules);
static struct list_head *ima_rules; static struct list_head *ima_rules = &ima_default_rules;
/* Pre-allocated buffer used for matching keyrings. */ /* Pre-allocated buffer used for matching keyrings. */
static char *ima_keyrings; static char *ima_keyrings;
...@@ -644,9 +644,12 @@ static void add_rules(struct ima_rule_entry *entries, int count, ...@@ -644,9 +644,12 @@ static void add_rules(struct ima_rule_entry *entries, int count,
list_add_tail(&entry->list, &ima_policy_rules); list_add_tail(&entry->list, &ima_policy_rules);
} }
if (entries[i].action == APPRAISE) { if (entries[i].action == APPRAISE) {
temp_ima_appraise |= ima_appraise_flag(entries[i].func); if (entries != build_appraise_rules)
if (entries[i].func == POLICY_CHECK) temp_ima_appraise |=
temp_ima_appraise |= IMA_APPRAISE_POLICY; ima_appraise_flag(entries[i].func);
else
build_ima_appraise |=
ima_appraise_flag(entries[i].func);
} }
} }
} }
...@@ -765,7 +768,6 @@ void __init ima_init_policy(void) ...@@ -765,7 +768,6 @@ void __init ima_init_policy(void)
ARRAY_SIZE(default_appraise_rules), ARRAY_SIZE(default_appraise_rules),
IMA_DEFAULT_POLICY); IMA_DEFAULT_POLICY);
ima_rules = &ima_default_rules;
ima_update_policy_flag(); ima_update_policy_flag();
} }
......
...@@ -55,7 +55,8 @@ static struct ima_queue_entry *ima_lookup_digest_entry(u8 *digest_value, ...@@ -55,7 +55,8 @@ static struct ima_queue_entry *ima_lookup_digest_entry(u8 *digest_value,
key = ima_hash_key(digest_value); key = ima_hash_key(digest_value);
rcu_read_lock(); rcu_read_lock();
hlist_for_each_entry_rcu(qe, &ima_htable.queue[key], hnext) { hlist_for_each_entry_rcu(qe, &ima_htable.queue[key], hnext) {
rc = memcmp(qe->entry->digest, digest_value, TPM_DIGEST_SIZE); rc = memcmp(qe->entry->digests[ima_hash_algo_idx].digest,
digest_value, hash_digest_size[ima_hash_algo]);
if ((rc == 0) && (qe->entry->pcr == pcr)) { if ((rc == 0) && (qe->entry->pcr == pcr)) {
ret = qe; ret = qe;
break; break;
...@@ -75,7 +76,7 @@ static int get_binary_runtime_size(struct ima_template_entry *entry) ...@@ -75,7 +76,7 @@ static int get_binary_runtime_size(struct ima_template_entry *entry)
int size = 0; int size = 0;
size += sizeof(u32); /* pcr */ size += sizeof(u32); /* pcr */
size += sizeof(entry->digest); size += TPM_DIGEST_SIZE;
size += sizeof(int); /* template name size field */ size += sizeof(int); /* template name size field */
size += strlen(entry->template_desc->name); size += strlen(entry->template_desc->name);
size += sizeof(entry->template_data_len); size += sizeof(entry->template_data_len);
...@@ -107,7 +108,7 @@ static int ima_add_digest_entry(struct ima_template_entry *entry, ...@@ -107,7 +108,7 @@ static int ima_add_digest_entry(struct ima_template_entry *entry,
atomic_long_inc(&ima_htable.len); atomic_long_inc(&ima_htable.len);
if (update_htable) { if (update_htable) {
key = ima_hash_key(entry->digest); key = ima_hash_key(entry->digests[ima_hash_algo_idx].digest);
hlist_add_head_rcu(&qe->hnext, &ima_htable.queue[key]); hlist_add_head_rcu(&qe->hnext, &ima_htable.queue[key]);
} }
...@@ -134,18 +135,14 @@ unsigned long ima_get_binary_runtime_size(void) ...@@ -134,18 +135,14 @@ unsigned long ima_get_binary_runtime_size(void)
return binary_runtime_size + sizeof(struct ima_kexec_hdr); return binary_runtime_size + sizeof(struct ima_kexec_hdr);
}; };
static int ima_pcr_extend(const u8 *hash, int pcr) static int ima_pcr_extend(struct tpm_digest *digests_arg, int pcr)
{ {
int result = 0; int result = 0;
int i;
if (!ima_tpm_chip) if (!ima_tpm_chip)
return result; return result;
for (i = 0; i < ima_tpm_chip->nr_allocated_banks; i++) result = tpm_pcr_extend(ima_tpm_chip, pcr, digests_arg);
memcpy(digests[i].digest, hash, TPM_DIGEST_SIZE);
result = tpm_pcr_extend(ima_tpm_chip, pcr, digests);
if (result != 0) if (result != 0)
pr_err("Error Communicating to TPM chip, result: %d\n", result); pr_err("Error Communicating to TPM chip, result: %d\n", result);
return result; return result;
...@@ -163,7 +160,8 @@ int ima_add_template_entry(struct ima_template_entry *entry, int violation, ...@@ -163,7 +160,8 @@ int ima_add_template_entry(struct ima_template_entry *entry, int violation,
const char *op, struct inode *inode, const char *op, struct inode *inode,
const unsigned char *filename) const unsigned char *filename)
{ {
u8 digest[TPM_DIGEST_SIZE]; u8 *digest = entry->digests[ima_hash_algo_idx].digest;
struct tpm_digest *digests_arg = entry->digests;
const char *audit_cause = "hash_added"; const char *audit_cause = "hash_added";
char tpm_audit_cause[AUDIT_CAUSE_LEN_MAX]; char tpm_audit_cause[AUDIT_CAUSE_LEN_MAX];
int audit_info = 1; int audit_info = 1;
...@@ -171,7 +169,6 @@ int ima_add_template_entry(struct ima_template_entry *entry, int violation, ...@@ -171,7 +169,6 @@ int ima_add_template_entry(struct ima_template_entry *entry, int violation,
mutex_lock(&ima_extend_list_mutex); mutex_lock(&ima_extend_list_mutex);
if (!violation) { if (!violation) {
memcpy(digest, entry->digest, sizeof(digest));
if (ima_lookup_digest_entry(digest, entry->pcr)) { if (ima_lookup_digest_entry(digest, entry->pcr)) {
audit_cause = "hash_exists"; audit_cause = "hash_exists";
result = -EEXIST; result = -EEXIST;
...@@ -187,9 +184,9 @@ int ima_add_template_entry(struct ima_template_entry *entry, int violation, ...@@ -187,9 +184,9 @@ int ima_add_template_entry(struct ima_template_entry *entry, int violation,
} }
if (violation) /* invalidate pcr */ if (violation) /* invalidate pcr */
memset(digest, 0xff, sizeof(digest)); digests_arg = digests;
tpmresult = ima_pcr_extend(digest, entry->pcr); tpmresult = ima_pcr_extend(digests_arg, entry->pcr);
if (tpmresult != 0) { if (tpmresult != 0) {
snprintf(tpm_audit_cause, AUDIT_CAUSE_LEN_MAX, "TPM_error(%d)", snprintf(tpm_audit_cause, AUDIT_CAUSE_LEN_MAX, "TPM_error(%d)",
tpmresult); tpmresult);
...@@ -215,6 +212,8 @@ int ima_restore_measurement_entry(struct ima_template_entry *entry) ...@@ -215,6 +212,8 @@ int ima_restore_measurement_entry(struct ima_template_entry *entry)
int __init ima_init_digests(void) int __init ima_init_digests(void)
{ {
u16 digest_size;
u16 crypto_id;
int i; int i;
if (!ima_tpm_chip) if (!ima_tpm_chip)
...@@ -225,8 +224,17 @@ int __init ima_init_digests(void) ...@@ -225,8 +224,17 @@ int __init ima_init_digests(void)
if (!digests) if (!digests)
return -ENOMEM; return -ENOMEM;
for (i = 0; i < ima_tpm_chip->nr_allocated_banks; i++) for (i = 0; i < ima_tpm_chip->nr_allocated_banks; i++) {
digests[i].alg_id = ima_tpm_chip->allocated_banks[i].alg_id; digests[i].alg_id = ima_tpm_chip->allocated_banks[i].alg_id;
digest_size = ima_tpm_chip->allocated_banks[i].digest_size;
crypto_id = ima_tpm_chip->allocated_banks[i].crypto_id;
/* for unmapped TPM algorithms digest is still a padded SHA1 */
if (crypto_id == HASH_ALGO__LAST)
digest_size = SHA1_DIGEST_SIZE;
memset(digests[i].digest, 0xff, digest_size);
}
return 0; return 0;
} }
...@@ -301,6 +301,7 @@ static int ima_restore_template_data(struct ima_template_desc *template_desc, ...@@ -301,6 +301,7 @@ static int ima_restore_template_data(struct ima_template_desc *template_desc,
int template_data_size, int template_data_size,
struct ima_template_entry **entry) struct ima_template_entry **entry)
{ {
struct tpm_digest *digests;
int ret = 0; int ret = 0;
int i; int i;
...@@ -309,11 +310,21 @@ static int ima_restore_template_data(struct ima_template_desc *template_desc, ...@@ -309,11 +310,21 @@ static int ima_restore_template_data(struct ima_template_desc *template_desc,
if (!*entry) if (!*entry)
return -ENOMEM; return -ENOMEM;
digests = kcalloc(NR_BANKS(ima_tpm_chip) + ima_extra_slots,
sizeof(*digests), GFP_NOFS);
if (!digests) {
kfree(*entry);
return -ENOMEM;
}
(*entry)->digests = digests;
ret = ima_parse_buf(template_data, template_data + template_data_size, ret = ima_parse_buf(template_data, template_data + template_data_size,
NULL, template_desc->num_fields, NULL, template_desc->num_fields,
(*entry)->template_data, NULL, NULL, (*entry)->template_data, NULL, NULL,
ENFORCE_FIELDS | ENFORCE_BUFEND, "template data"); ENFORCE_FIELDS | ENFORCE_BUFEND, "template data");
if (ret < 0) { if (ret < 0) {
kfree((*entry)->digests);
kfree(*entry); kfree(*entry);
return ret; return ret;
} }
...@@ -346,6 +357,7 @@ static int ima_restore_template_data(struct ima_template_desc *template_desc, ...@@ -346,6 +357,7 @@ static int ima_restore_template_data(struct ima_template_desc *template_desc,
int ima_restore_measurement_list(loff_t size, void *buf) int ima_restore_measurement_list(loff_t size, void *buf)
{ {
char template_name[MAX_TEMPLATE_NAME_LEN]; char template_name[MAX_TEMPLATE_NAME_LEN];
unsigned char zero[TPM_DIGEST_SIZE] = { 0 };
struct ima_kexec_hdr *khdr = buf; struct ima_kexec_hdr *khdr = buf;
struct ima_field_data hdr[HDR__LAST] = { struct ima_field_data hdr[HDR__LAST] = {
...@@ -445,8 +457,17 @@ int ima_restore_measurement_list(loff_t size, void *buf) ...@@ -445,8 +457,17 @@ int ima_restore_measurement_list(loff_t size, void *buf)
if (ret < 0) if (ret < 0)
break; break;
memcpy(entry->digest, hdr[HDR_DIGEST].data, if (memcmp(hdr[HDR_DIGEST].data, zero, sizeof(zero))) {
hdr[HDR_DIGEST].len); ret = ima_calc_field_array_hash(
&entry->template_data[0],
entry);
if (ret < 0) {
pr_err("cannot calculate template digest\n");
ret = -EINVAL;
break;
}
}
entry->pcr = !ima_canonical_fmt ? *(hdr[HDR_PCR].data) : entry->pcr = !ima_canonical_fmt ? *(hdr[HDR_PCR].data) :
le32_to_cpu(*(hdr[HDR_PCR].data)); le32_to_cpu(*(hdr[HDR_PCR].data));
ret = ima_restore_measurement_entry(entry); ret = ima_restore_measurement_entry(entry);
......
...@@ -286,6 +286,24 @@ int ima_eventdigest_init(struct ima_event_data *event_data, ...@@ -286,6 +286,24 @@ int ima_eventdigest_init(struct ima_event_data *event_data,
goto out; goto out;
} }
if ((const char *)event_data->filename == boot_aggregate_name) {
if (ima_tpm_chip) {
hash.hdr.algo = HASH_ALGO_SHA1;
result = ima_calc_boot_aggregate(&hash.hdr);
/* algo can change depending on available PCR banks */
if (!result && hash.hdr.algo != HASH_ALGO_SHA1)
result = -EINVAL;
if (result < 0)
memset(&hash, 0, sizeof(hash));
}
cur_digest = hash.hdr.digest;
cur_digestsize = hash_digest_size[HASH_ALGO_SHA1];
goto out;
}
if (!event_data->file) /* missing info to re-calculate the digest */ if (!event_data->file) /* missing info to re-calculate the digest */
return -EINVAL; return -EINVAL;
......
...@@ -1517,7 +1517,12 @@ int security_mmap_addr(unsigned long addr) ...@@ -1517,7 +1517,12 @@ int security_mmap_addr(unsigned long addr)
int security_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot, int security_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot,
unsigned long prot) unsigned long prot)
{ {
return call_int_hook(file_mprotect, 0, vma, reqprot, prot); int ret;
ret = call_int_hook(file_mprotect, 0, vma, reqprot, prot);
if (ret)
return ret;
return ima_file_mprotect(vma, prot);
} }
int security_file_lock(struct file *file, unsigned int cmd) int security_file_lock(struct file *file, unsigned int cmd)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment