Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

ima: enable support for larger default filedata hash algorithms

The IMA measurement list contains two hashes - a template data hash
and a filedata hash. The template data hash is committed to the TPM,
which is limited, by the TPM v1.2 specification, to 20 bytes. The
filedata hash is defined as 20 bytes as well.

Now that support for variable length measurement list templates was
added, the filedata hash is not limited to 20 bytes. This patch adds
Kconfig support for defining larger default filedata hash algorithms
and replacing the builtin default with one specified on the kernel
command line.

<uapi/linux/hash_info.h> contains a list of hash algorithms. The
Kconfig default hash algorithm is a subset of this list, but any hash
algorithm included in the list can be specified at boot, using the
'ima_hash=' kernel command line option.

Changelog v2:
- update Kconfig

Changelog:
- support hashes that are configured
- use generic HASH_ALGO_ definitions
- add Kconfig support
- hash_setup must be called only once (Dmitry)
- removed trailing whitespaces (Roberto Sassu)

Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
Signed-off-by: Roberto Sassu <roberto.sassu@polito.it>

+64 -3
+5 -1
Documentation/kernel-parameters.txt
··· 1181 1181 owned by uid=0. 1182 1182 1183 1183 ima_hash= [IMA] 1184 - Format: { "sha1" | "md5" } 1184 + Format: { md5 | sha1 | rmd160 | sha256 | sha384 1185 + | sha512 | ... } 1185 1186 default: "sha1" 1187 + 1188 + The list of supported hash algorithms is defined 1189 + in crypto/hash_info.h. 1186 1190 1187 1191 ima_tcb [IMA] 1188 1192 Load a policy which meets the needs of the Trusted
+35
security/integrity/ima/Kconfig
··· 71 71 default "ima" if IMA_TEMPLATE 72 72 default "ima-ng" if IMA_NG_TEMPLATE 73 73 74 + choice 75 + prompt "Default integrity hash algorithm" 76 + default IMA_DEFAULT_HASH_SHA1 77 + depends on IMA 78 + help 79 + Select the default hash algorithm used for the measurement 80 + list, integrity appraisal and audit log. The compiled default 81 + hash algorithm can be overwritten using the kernel command 82 + line 'ima_hash=' option. 83 + 84 + config IMA_DEFAULT_HASH_SHA1 85 + bool "SHA1 (default)" 86 + depends on CRYPTO_SHA1 87 + 88 + config IMA_DEFAULT_HASH_SHA256 89 + bool "SHA256" 90 + depends on CRYPTO_SHA256 && !IMA_TEMPLATE 91 + 92 + config IMA_DEFAULT_HASH_SHA512 93 + bool "SHA512" 94 + depends on CRYPTO_SHA512 && !IMA_TEMPLATE 95 + 96 + config IMA_DEFAULT_HASH_WP512 97 + bool "WP512" 98 + depends on CRYPTO_WP512 && !IMA_TEMPLATE 99 + endchoice 100 + 101 + config IMA_DEFAULT_HASH 102 + string 103 + depends on IMA 104 + default "sha1" if IMA_DEFAULT_HASH_SHA1 105 + default "sha256" if IMA_DEFAULT_HASH_SHA256 106 + default "sha512" if IMA_DEFAULT_HASH_SHA512 107 + default "wp512" if IMA_DEFAULT_HASH_WP512 108 + 74 109 config IMA_APPRAISE 75 110 bool "Appraise integrity measurements" 76 111 depends on IMA
+24 -2
security/integrity/ima/ima_main.c
··· 37 37 #endif 38 38 39 39 int ima_hash_algo = HASH_ALGO_SHA1; 40 + static int hash_setup_done; 40 41 41 42 static int __init hash_setup(char *str) 42 43 { 43 - if (strncmp(str, "md5", 3) == 0) 44 - ima_hash_algo = HASH_ALGO_MD5; 44 + struct ima_template_desc *template_desc = ima_template_desc_current(); 45 + int i; 46 + 47 + if (hash_setup_done) 48 + return 1; 49 + 50 + if (strcmp(template_desc->name, IMA_TEMPLATE_IMA_NAME) == 0) { 51 + if (strncmp(str, "sha1", 4) == 0) 52 + ima_hash_algo = HASH_ALGO_SHA1; 53 + else if (strncmp(str, "md5", 3) == 0) 54 + ima_hash_algo = HASH_ALGO_MD5; 55 + goto out; 56 + } 57 + 58 + for (i = 0; i < HASH_ALGO__LAST; i++) { 59 + if (strcmp(str, hash_algo_name[i]) == 0) { 60 + ima_hash_algo = i; 61 + break; 62 + } 63 + } 64 + out: 65 + hash_setup_done = 1; 45 66 return 1; 46 67 } 47 68 __setup("ima_hash=", hash_setup); ··· 327 306 { 328 307 int error; 329 308 309 + hash_setup(CONFIG_IMA_DEFAULT_HASH); 330 310 error = ima_init(); 331 311 if (!error) 332 312 ima_initialized = 1;
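Review bot: In Documentation/kernel-parameters.txt, the new Format line for ima_hash= lists sha256, sha384, sha512 and others without saying that hash_setup() in this same patch only honours "sha1" and "md5" when the current template is the original "ima" template. A sentence stating that restriction in the ima_hash= entry would save an administrator from booting an "ima"-template kernel with ima_hash=sha256 and silently getting sha1. The added text also points to crypto/hash_info.h while the commit message names <uapi/linux/hash_info.h> as the list of algorithms; it is worth making the two consistent, or saying which header holds the names accepted on the command line.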
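Review bot: In security/integrity/ima/Kconfig, the help text of the new "Default integrity hash algorithm" choice does not mention that SHA256, SHA512 and WP512 all carry "&& !IMA_TEMPLATE" in their depends line, so with the original "ima" template selected only SHA1 remains and the other entries simply disappear from the menu. A line in the help saying that the larger hashes require a template other than "ima" would make that dependency visible to whoever configures the kernel. Minor wording: "can be overwritten using the kernel command line" reads better as "can be overridden".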
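Review bot: In hash_setup() in security/integrity/ima/ima_main.c, a value that matches nothing is accepted silently and still sets hash_setup_done = 1: in the "ima" template branch anything other than sha1 or md5 goes straight to "goto out", and in the generic loop a name not found in hash_algo_name[] leaves ima_hash_algo untouched. Because the second hunk calls hash_setup(CONFIG_IMA_DEFAULT_HASH) just before ima_init(), a mistyped or unsupported ima_hash= makes that later call return early, and the system runs with the HASH_ALGO_SHA1 initializer rather than the configured Kconfig default. Suggest setting hash_setup_done only when a match was found and logging the rejected value, so a weaker hash than intended is never selected without notice. Also, strncmp(str, "sha1", 4) and strncmp(str, "md5", 3) accept any string with that prefix while the loop uses an exact strcmp(); using strcmp() in both places would make the matching consistent.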