commit 678074f1a8e03598977bdeea10a4ce51c4f4a0c4 · tjh.dev/kernel

tjh.dev / kernel

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

Merge tag 'integrity-v6.18' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity

Pull integrity updates from Mimi Zohar:
"Just a couple of changes: crypto code cleanup and a IMA xattr bug fix"

* tag 'integrity-v6.18' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity:
ima: don't clear IMA_DIGSIG flag when setting or removing non-IMA xattr
lib/digsig: Use SHA-1 library instead of crypto_shash
integrity: Select CRYPTO from INTEGRITY_ASYMMETRIC_KEYS

Linus Torvalds 4 months ago 678074f1 6a74422b

+26 -47

4 changed files

expand all

unified split

lib

Kconfig

digsig.c

security

integrity

Kconfig

ima

ima_appraise.c

+1 -2

lib/Kconfig

··· 477 477 config SIGNATURE 478 478 tristate 479 479 depends on KEYS 480 - select CRYPTO 481 - select CRYPTO_SHA1 480 + select CRYPTO_LIB_SHA1 482 481 select MPILIB 483 482 help 484 483 Digital signature verification. Currently only RSA is supported.

+6 -40

lib/digsig.c

··· 18 18 #include <linux/module.h> 19 19 #include <linux/slab.h> 20 20 #include <linux/key.h> 21 - #include <linux/crypto.h> 22 - #include <crypto/hash.h> 23 21 #include <crypto/sha1.h> 24 22 #include <keys/user-type.h> 25 23 #include <linux/mpi.h> 26 24 #include <linux/digsig.h> 27 - 28 - static struct crypto_shash *shash; 29 25 30 26 static const char *pkcs_1_v1_5_decode_emsa(const unsigned char *msg, 31 27 unsigned long msglen, ··· 194 198 int digsig_verify(struct key *keyring, const char *sig, int siglen, 195 199 const char *data, int datalen) 196 200 { 197 - int err = -ENOMEM; 198 201 struct signature_hdr *sh = (struct signature_hdr *)sig; 199 - struct shash_desc *desc = NULL; 202 + struct sha1_ctx ctx; 200 203 unsigned char hash[SHA1_DIGEST_SIZE]; 201 204 struct key *key; 202 205 char name[20]; 206 + int err; 203 207 204 208 if (siglen < sizeof(*sh) + 2) 205 209 return -EINVAL; ··· 226 230 return PTR_ERR(key); 227 231 } 228 232 229 - desc = kzalloc(sizeof(*desc) + crypto_shash_descsize(shash), 230 - GFP_KERNEL); 231 - if (!desc) 232 - goto err; 233 - 234 - desc->tfm = shash; 235 - 236 - crypto_shash_init(desc); 237 - crypto_shash_update(desc, data, datalen); 238 - crypto_shash_update(desc, sig, sizeof(*sh)); 239 - crypto_shash_final(desc, hash); 240 - 241 - kfree(desc); 233 + sha1_init(&ctx); 234 + sha1_update(&ctx, data, datalen); 235 + sha1_update(&ctx, sig, sizeof(*sh)); 236 + sha1_final(&ctx, hash); 242 237 243 238 /* pass signature mpis address */ 244 239 err = digsig_verify_rsa(key, sig + sizeof(*sh), siglen - sizeof(*sh), 245 240 hash, sizeof(hash)); 246 241 247 - err: 248 242 key_put(key); 249 243 250 244 return err ? -EINVAL : 0; 251 245 } 252 246 EXPORT_SYMBOL_GPL(digsig_verify); 253 - 254 - static int __init digsig_init(void) 255 - { 256 - shash = crypto_alloc_shash("sha1", 0, 0); 257 - if (IS_ERR(shash)) { 258 - pr_err("shash allocation failed\n"); 259 - return PTR_ERR(shash); 260 - } 261 - 262 - return 0; 263 - 264 - } 265 - 266 - static void __exit digsig_cleanup(void) 267 - { 268 - crypto_free_shash(shash); 269 - } 270 - 271 - module_init(digsig_init); 272 - module_exit(digsig_cleanup); 273 247 274 248 MODULE_LICENSE("GPL");

security/integrity/Kconfig

··· 36 36 default n 37 37 select ASYMMETRIC_KEY_TYPE 38 38 select ASYMMETRIC_PUBLIC_KEY_SUBTYPE 39 + select CRYPTO 39 40 select CRYPTO_RSA 40 41 select X509_CERTIFICATE_PARSER 41 42 help

+18 -5

security/integrity/ima/ima_appraise.c

··· 694 694 return 0; 695 695 } 696 696 697 + /* 698 + * ima_reset_appraise_flags - reset ima_iint_cache flags 699 + * 700 + * @digsig: whether to clear/set IMA_DIGSIG flag, tristate values 701 + * 0: clear IMA_DIGSIG 702 + * 1: set IMA_DIGSIG 703 + * -1: don't change IMA_DIGSIG 704 + * 705 + */ 697 706 static void ima_reset_appraise_flags(struct inode *inode, int digsig) 698 707 { 699 708 struct ima_iint_cache *iint; ··· 715 706 return; 716 707 iint->measured_pcrs = 0; 717 708 set_bit(IMA_CHANGE_XATTR, &iint->atomic_flags); 718 - if (digsig) 709 + if (digsig == 1) 719 710 set_bit(IMA_DIGSIG, &iint->atomic_flags); 720 - else 711 + else if (digsig == 0) 721 712 clear_bit(IMA_DIGSIG, &iint->atomic_flags); 722 713 } 723 714 ··· 803 794 digsig = (xvalue->type == EVM_IMA_XATTR_DIGSIG); 804 795 } else if (!strcmp(xattr_name, XATTR_NAME_EVM) && xattr_value_len > 0) { 805 796 digsig = (xvalue->type == EVM_XATTR_PORTABLE_DIGSIG); 797 + } else { 798 + digsig = -1; 806 799 } 807 800 if (result == 1 || evm_revalidate_status(xattr_name)) { 808 801 ima_reset_appraise_flags(d_backing_inode(dentry), digsig); ··· 818 807 const char *acl_name, struct posix_acl *kacl) 819 808 { 820 809 if (evm_revalidate_status(acl_name)) 821 - ima_reset_appraise_flags(d_backing_inode(dentry), 0); 810 + ima_reset_appraise_flags(d_backing_inode(dentry), -1); 822 811 823 812 return 0; 824 813 } ··· 826 815 static int ima_inode_removexattr(struct mnt_idmap *idmap, struct dentry *dentry, 827 816 const char *xattr_name) 828 817 { 829 - int result; 818 + int result, digsig = -1; 830 819 831 820 result = ima_protect_xattr(dentry, xattr_name, NULL, 0); 832 821 if (result == 1 || evm_revalidate_status(xattr_name)) { 833 - ima_reset_appraise_flags(d_backing_inode(dentry), 0); 822 + if (!strcmp(xattr_name, XATTR_NAME_IMA)) 823 + digsig = 0; 824 + ima_reset_appraise_flags(d_backing_inode(dentry), digsig); 834 825 if (result == 1) 835 826 result = 0; 836 827 }