Commit 67696f6d authored by Eric Richter's avatar Eric Richter Committed by Mimi Zohar

ima: redefine duplicate template entries

Template entry duplicates are prevented from being added to the
measurement list by checking a hash table that contains the template
entry digests. However, the PCR value is not included in this comparison,
so duplicate template entry digests with differing PCRs may be dropped.

This patch redefines duplicate template entries as template entries with
the same digest and same PCR values.
Reported-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Signed-off-by: Eric Richter <erichte@linux.vnet.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
parent 5f6f027b
...@@ -44,7 +44,8 @@ struct ima_h_table ima_htable = { ...@@ -44,7 +44,8 @@ struct ima_h_table ima_htable = {
static DEFINE_MUTEX(ima_extend_list_mutex); static DEFINE_MUTEX(ima_extend_list_mutex);
/* lookup up the digest value in the hash table, and return the entry */ /* lookup up the digest value in the hash table, and return the entry */
static struct ima_queue_entry *ima_lookup_digest_entry(u8 *digest_value) static struct ima_queue_entry *ima_lookup_digest_entry(u8 *digest_value,
int pcr)
{ {
struct ima_queue_entry *qe, *ret = NULL; struct ima_queue_entry *qe, *ret = NULL;
unsigned int key; unsigned int key;
...@@ -54,7 +55,7 @@ static struct ima_queue_entry *ima_lookup_digest_entry(u8 *digest_value) ...@@ -54,7 +55,7 @@ static struct ima_queue_entry *ima_lookup_digest_entry(u8 *digest_value)
rcu_read_lock(); rcu_read_lock();
hlist_for_each_entry_rcu(qe, &ima_htable.queue[key], hnext) { hlist_for_each_entry_rcu(qe, &ima_htable.queue[key], hnext) {
rc = memcmp(qe->entry->digest, digest_value, TPM_DIGEST_SIZE); rc = memcmp(qe->entry->digest, digest_value, TPM_DIGEST_SIZE);
if (rc == 0) { if ((rc == 0) && (qe->entry->pcr == pcr)) {
ret = qe; ret = qe;
break; break;
} }
...@@ -118,7 +119,7 @@ int ima_add_template_entry(struct ima_template_entry *entry, int violation, ...@@ -118,7 +119,7 @@ int ima_add_template_entry(struct ima_template_entry *entry, int violation,
mutex_lock(&ima_extend_list_mutex); mutex_lock(&ima_extend_list_mutex);
if (!violation) { if (!violation) {
memcpy(digest, entry->digest, sizeof(digest)); memcpy(digest, entry->digest, sizeof(digest));
if (ima_lookup_digest_entry(digest)) { if (ima_lookup_digest_entry(digest, entry->pcr)) {
audit_cause = "hash_exists"; audit_cause = "hash_exists";
result = -EEXIST; result = -EEXIST;
goto out; goto out;
......
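Review bot: The header comment above ima_lookup_digest_entry still describes a digest-only lookup even though the new signature and the changed condition also require a matching PCR; update it to `/* look up the digest and pcr value in the hash table, and return the entry */` (this also fixes the "lookup up" typo). As a point of style, the PCR compare is the cheap test, so doing it before the memcmp() avoids a TPM_DIGEST_SIZE compare for every bucket entry measured into a different PCR, e.g. `if (qe->entry->pcr != pcr) continue;` placed just before the memcmp line. The bucket key appears to be derived from the digest alone (that code is outside the hunk), so entries that share a digest but differ in PCR land in the same bucket and are now kept once per PCR, which matches the stated intent of the change. The bodies of ima_lookup_digest_entry and ima_add_template_entry begin or continue outside these hunks.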