From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Takashi Iwai, Roberto Sassu, Mimi Zohar
Subject: [PATCH 5.7 277/376] ima: Call ima_calc_boot_aggregate() in ima_eventdigest_init()
Date: Fri, 19 Jun 2020 16:33:15 +0200
Message-Id: <20200619141723.446976459@linuxfoundation.org>
In-Reply-To: <20200619141710.350494719@linuxfoundation.org>

From: Roberto Sassu

commit 6cc7c266e5b47d3cd2b5bb7fd3aac4e6bb2dd1d2 upstream.

If the template field 'd' is chosen and the digest to be added to the measurement entry was not calculated with SHA1 or MD5, it is recalculated with SHA1, by using the passed file descriptor. However, this cannot be done for boot_aggregate, because there is no file descriptor.

This patch adds a call to ima_calc_boot_aggregate() in ima_eventdigest_init(), so that the digest can be recalculated also for the boot_aggregate entry.

Cc: stable@vger.kernel.org # 3.13.x
Fixes: 3ce1217d6cd5d ("ima: define template fields library and new helpers")
Reported-by: Takashi Iwai
Signed-off-by: Roberto Sassu
Signed-off-by: Mimi Zohar
Signed-off-by: Greg Kroah-Hartman
--- security/integrity/ima/ima.h | 3 ++- security/integrity/ima/ima_crypto.c | 6 +++--- security/integrity/ima/ima_init.c | 2 +- security/integrity/ima/ima_template_lib.c | 18 ++++++++++++++++++ 4 files changed, 24 insertions(+), 5 deletions(-) --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -52,6 +52,7 @@ extern int ima_policy_flag; extern int ima_hash_algo; extern int ima_appraise; extern struct tpm_chip *ima_tpm_chip; +extern const char boot_aggregate_name[]; /* IMA event related data */ struct ima_event_data { 
@@ -140,7 +141,7 @@ int ima_calc_buffer_hash(const void *buf int ima_calc_field_array_hash(struct ima_field_data *field_data, struct ima_template_desc *desc, int num_fields, struct ima_digest_data *hash); -int __init ima_calc_boot_aggregate(struct ima_digest_data *hash); +int ima_calc_boot_aggregate(struct ima_digest_data *hash); void ima_add_violation(struct file *file, const unsigned char *filename, struct integrity_iint_cache *iint, const char *op, const char *cause); --- a/security/integrity/ima/ima_crypto.c +++ b/security/integrity/ima/ima_crypto.c @@ -665,8 +665,8 @@ static void __init ima_pcrread(u32 idx, * hash algorithm for reading the TPM PCRs as for calculating the boot * aggregate digest as stored in the measurement list. */ -static int __init ima_calc_boot_aggregate_tfm(char *digest, u16 alg_id, - struct crypto_shash *tfm) +static int ima_calc_boot_aggregate_tfm(char *digest, u16 alg_id, + struct crypto_shash *tfm) { struct tpm_digest d = { .alg_id = alg_id, .digest = {0} }; int rc; @@ -694,7 +694,7 @@ static int __init ima_calc_boot_aggregat return rc; } -int __init ima_calc_boot_aggregate(struct ima_digest_data *hash) +int ima_calc_boot_aggregate(struct ima_digest_data *hash) { struct crypto_shash *tfm; u16 crypto_id, alg_id; --- a/security/integrity/ima/ima_init.c +++ b/security/integrity/ima/ima_init.c @@ -19,7 +19,7 @@ #include "ima.h" /* name for boot aggregate entry */ -static const char boot_aggregate_name[] = "boot_aggregate"; +const char boot_aggregate_name[] = "boot_aggregate"; struct tpm_chip *ima_tpm_chip; /* Add the boot aggregate to the IMA measurement list and extend --- a/security/integrity/ima/ima_template_lib.c +++ b/security/integrity/ima/ima_template_lib.c 
@@ -286,6 +286,24 @@ int ima_eventdigest_init(struct ima_even goto out; } + if ((const char *)event_data->filename == boot_aggregate_name) { + if (ima_tpm_chip) { + hash.hdr.algo = HASH_ALGO_SHA1; + result = ima_calc_boot_aggregate(&hash.hdr); + + /* algo can change depending on available PCR banks */ + if (!result && hash.hdr.algo != HASH_ALGO_SHA1) + result = -EINVAL; + + if (result < 0) + memset(&hash, 0, sizeof(hash)); + } + + cur_digest = hash.hdr.digest; + cur_digestsize = hash_digest_size[HASH_ALGO_SHA1]; + goto out; + } + if (!event_data->file) /* missing info to re-calculate the digest */ return -EINVAL;
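
Review bot: The ima_crypto.c hunk at -665 drops __init from ima_calc_boot_aggregate_tfm(), but its hunk header shows `static void __init ima_pcrread(u32 idx,` directly above it still carrying the annotation. If ima_calc_boot_aggregate_tfm() reads the PCRs through ima_pcrread() (the call is not in the visible context), the new runtime path from ima_eventdigest_init() would reach code placed in the init section, which is discarded after boot. ima_pcrread() should lose __init in the same patch, and any other __init helper reachable from ima_calc_boot_aggregate() should be checked the same way.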
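
Review bot: In the ima_init.c hunk (with the matching extern in ima.h), boot_aggregate_name becomes a non-static symbol without the ima_ prefix that the neighbouring globals carry (ima_tpm_chip, ima_hash_algo, ima_appraise). Renaming it to something like ima_boot_aggregate_name would keep it out of the kernel-wide namespace and make its owner obvious at the use site in ima_template_lib.c.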
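
Review bot: In the ima_template_lib.c hunk, the boot aggregate entry is recognised by address, `(const char *)event_data->filename == boot_aggregate_name`, which only holds while the caller passes that exact array; any other buffer containing "boot_aggregate" falls through to the `!event_data->file` check below. That is a reasonable way to keep a file with the same name from matching, but it deserves a comment saying the comparison is by pointer on purpose. Two further things to document in the same block: when ima_tpm_chip is NULL the digest is taken from hash.hdr.digest without this hunk having written it, so the code relies on hash being zeroed earlier in the function; and when ima_calc_boot_aggregate() fails or returns a non-SHA1 algo, hash is zeroed and control jumps to `out` with result negative, and the hunk does not show whether that error is returned or an all-zero digest is recorded.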