Received: by 2002:a25:1506:0:0:0:0:0 with SMTP id 6csp129844ybv; Wed, 5 Feb 2020 02:38:59 -0800 (PST) X-Google-Smtp-Source: APXvYqzX6VD648e5Q0/yHusrrn7z10f2yFerF0oo4zsswOHaTZL1oId+TZiUFUJxLyJ8YsAeX456 X-Received: by 2002:a05:6830:20c4:: with SMTP id z4mr26354856otq.260.1580899139534; Wed, 05 Feb 2020 02:38:59 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1580899139; cv=none; d=google.com; s=arc-20160816; b=U2WOmU6Mi2F7KKKC9QxghrQtCLnPNkwGfmuVr5iMpNVResRap+lmruh/icEmWrQe2K TZD023cmw3Xk84ptT6TpAd+eyWf3wp+XZnO3MipgwI2T2xMqme5Xh81QkG5U0H6YAS9Q MILWySP/JxDdA+PPdZLmENP0hd5BXxGnAekDIvKK/O5XLkIbBciFTPx4+H4P30j9t9Tz VXfBMd0dScXXtE8D+DWF+wPVr57k5AQ/4j9LxN9l9O6VH6KqM9ejPQowqU62NWM/QA59 +6k15mVKItYpQf3ERp1vyTebYK1wYL1//NvRUYTvL+ZIaE7Ga3kkVJElhyuM+L0aDXIl QMHg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from; bh=F8Otn4ZXLfhhX6He5RigUnczOqQbwfTe8IXvM7DL5xk=; b=adYYS2Gncq/iO9w4uOQSqZARqLsPw/P3PwGxEq8AiujUTvd+QpjALUn4AJVVEX0zh1 5Qebp7CsCN1o71KPR0pxlGPMnvE+pfK7MEOV9CjSgqz1Yq3eoVG1+HeZ2CsWV4FCsFwV jUw0E/1l5Kb+fJNtZCI082hl4jZhqlq/x4dUIMoeBWSHqnaS1Q/KofSEynVUuUN6y7RM cjtYKioZv9mY0KybfQHYQp0EgCLLQ49K4VL8aA+a5ES3B/MG1p5qz0fvKOck0qHFl9qv IaGnlwsG7uxRBVrSVEeqUDCZ30X/hUViQXZQqGREd9aUBFH+lXaM6PI/ht3eCatHy727 4BYw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 65si12584911oif.14.2020.02.05.02.38.46; Wed, 05 Feb 2020 02:38:59 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728310AbgBEKgo (ORCPT + 99 others); Wed, 5 Feb 2020 05:36:44 -0500 Received: from lhrrgout.huawei.com ([185.176.76.210]:2373 "EHLO huawei.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1727562AbgBEKgo (ORCPT ); Wed, 5 Feb 2020 05:36:44 -0500 Received: from lhreml702-cah.china.huawei.com (unknown [172.18.7.108]) by Forcepoint Email with ESMTP id 5B0A0A50E481B9D7D2A2; Wed, 5 Feb 2020 10:36:42 +0000 (GMT) Received: from roberto-HP-EliteDesk-800-G2-DM-65W.huawei.com (10.204.65.160) by smtpsuk.huawei.com (10.201.108.43) with Microsoft SMTP Server (TLS) id 14.3.408.0; Wed, 5 Feb 2020 10:36:35 +0000 From: Roberto Sassu To: , , CC: , , , , Roberto Sassu Subject: [PATCH v2 8/8] ima: Use ima_hash_algo for collision detection in the measurement list Date: Wed, 5 Feb 2020 11:33:17 +0100 Message-ID: <20200205103317.29356-9-roberto.sassu@huawei.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20200205103317.29356-1-roberto.sassu@huawei.com> References: <20200205103317.29356-1-roberto.sassu@huawei.com> MIME-Version: 1.0 Content-Type: text/plain X-Originating-IP: [10.204.65.160] X-CFilter-Loop: Reflected Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Before calculating a digest for each PCR bank, collisions were detected with a SHA1 digest. This patch includes ima_hash_algo among the algorithms used to calculate the template digest and checks collisions on that digest. Changelog v1: - increment ima_num_template_digests before kcalloc() (suggested by Mimi) - check if ima_tpm_chip is NULL Signed-off-by: Roberto Sassu --- security/integrity/ima/ima.h | 1 + security/integrity/ima/ima_crypto.c | 20 ++++++++++++++++++-- security/integrity/ima/ima_queue.c | 8 ++++---- 3 files changed, 23 insertions(+), 6 deletions(-) diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index 4843077dc9e8..23d63bb96d2c 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -51,6 +51,7 @@ extern int ima_policy_flag; /* set during initialization */ extern int ima_hash_algo; extern int ima_sha1_idx; +extern int ima_hash_algo_idx; extern int ima_num_template_digests; extern int ima_appraise; extern struct tpm_chip *ima_tpm_chip; diff --git a/security/integrity/ima/ima_crypto.c b/security/integrity/ima/ima_crypto.c index 1ee813d33bdc..f391ee3412b9 100644 --- a/security/integrity/ima/ima_crypto.c +++ b/security/integrity/ima/ima_crypto.c @@ -65,6 +65,7 @@ struct ima_algo_desc { }; int ima_sha1_idx; +int ima_hash_algo_idx; int ima_num_template_digests; static struct ima_algo_desc *ima_algo_array; @@ -123,16 +124,26 @@ int __init ima_init_crypto(void) nr_allocated_banks = ima_tpm_chip->nr_allocated_banks; ima_sha1_idx = -1; + ima_hash_algo_idx = -1; ima_num_template_digests = nr_allocated_banks; for (i = 0; i < nr_allocated_banks; i++) { algo = ima_tpm_chip->allocated_banks[i].crypto_id; if (algo == HASH_ALGO_SHA1) ima_sha1_idx = i; + + if (algo == ima_hash_algo) + ima_hash_algo_idx = i; } - if (ima_sha1_idx < 0) + if (ima_sha1_idx < 0) { ima_sha1_idx = ima_num_template_digests++; + if (ima_hash_algo == HASH_ALGO_SHA1) + ima_hash_algo_idx = ima_sha1_idx; + } + + if (ima_hash_algo_idx < 0) + ima_hash_algo_idx = ima_num_template_digests++; ima_algo_array = kcalloc(ima_num_template_digests, sizeof(*ima_algo_array), GFP_KERNEL); @@ -173,7 +184,12 @@ int __init ima_init_crypto(void) goto out_array; } - ima_algo_array[i].algo = HASH_ALGO_SHA1; + ima_algo_array[i++].algo = HASH_ALGO_SHA1; + } + + if (ima_hash_algo_idx >= nr_allocated_banks) { + ima_algo_array[i].tfm = ima_shash_tfm; + ima_algo_array[i].algo = ima_hash_algo; } return 0; diff --git a/security/integrity/ima/ima_queue.c b/security/integrity/ima/ima_queue.c index 7f7509774b85..58983d0f0214 100644 --- a/security/integrity/ima/ima_queue.c +++ b/security/integrity/ima/ima_queue.c @@ -57,8 +57,8 @@ static struct ima_queue_entry *ima_lookup_digest_entry(u8 *digest_value, key = ima_hash_key(digest_value); rcu_read_lock(); hlist_for_each_entry_rcu(qe, &ima_htable.queue[key], hnext) { - rc = memcmp(qe->entry->digests[ima_sha1_idx].digest, - digest_value, TPM_DIGEST_SIZE); + rc = memcmp(qe->entry->digests[ima_hash_algo_idx].digest, + digest_value, hash_digest_size[ima_hash_algo]); if ((rc == 0) && (qe->entry->pcr == pcr)) { ret = qe; break; @@ -110,7 +110,7 @@ static int ima_add_digest_entry(struct ima_template_entry *entry, atomic_long_inc(&ima_htable.len); if (update_htable) { - key = ima_hash_key(entry->digests[ima_sha1_idx].digest); + key = ima_hash_key(entry->digests[ima_hash_algo_idx].digest); hlist_add_head_rcu(&qe->hnext, &ima_htable.queue[key]); } @@ -162,7 +162,7 @@ int ima_add_template_entry(struct ima_template_entry *entry, int violation, const char *op, struct inode *inode, const unsigned char *filename) { - u8 *digest = entry->digests[ima_sha1_idx].digest; + u8 *digest = entry->digests[ima_hash_algo_idx].digest; struct tpm_digest *digests_arg = entry->digests; const char *audit_cause = "hash_added"; char tpm_audit_cause[AUDIT_CAUSE_LEN_MAX]; -- 2.17.1