
ima: differentiate between template hash and file data hash sizes
The TPM v1.2 limits the template hash size to 20 bytes.  This
patch differentiates between the template hash size, as defined
in the ima_template_entry, and the file data hash size, as
defined in the ima_template_data.  Subsequent patches add support
for different file data hash algorithms.

Change log:
- hash digest definition in ima_store_template() should be TPM_DIGEST_SIZE

Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
Mimi Zohar committed Oct 25, 2013
1 parent a35c3fb commit 140d802
Showing 6 changed files with 12 additions and 12 deletions.
2 changes: 1 addition & 1 deletion security/integrity/ima/ima.h
Expand Up @@ -49,7 +49,7 @@ struct ima_template_data {
};

struct ima_template_entry {
u8 digest[IMA_DIGEST_SIZE]; /* sha1 or md5 measurement hash */
u8 digest[TPM_DIGEST_SIZE]; /* sha1 or md5 measurement hash */
const char *template_name;
int template_len;
struct ima_template_data template;
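Review bot: The field comment on `digest` still reads `sha1 or md5 measurement hash`, while the array is now sized by TPM_DIGEST_SIZE and, per the commit description, holds the template hash that TPM v1.2 limits to 20 bytes, so md5 no longer describes it. Suggest `u8 digest[TPM_DIGEST_SIZE]; /* template hash, sized for the TPM (sha1 on TPM v1.2) */` so the distinction from the file data hash kept in ima_template_data is visible at the declaration. struct ima_template_entry continues past the hunk.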
2 changes: 1 addition & 1 deletion security/integrity/ima/ima_api.c
Expand Up @@ -46,7 +46,7 @@ int ima_store_template(struct ima_template_entry *entry,
int result;
struct {
struct ima_digest_data hdr;
char digest[IMA_MAX_DIGEST_SIZE];
char digest[TPM_DIGEST_SIZE];
} hash;

memset(entry->digest, 0, sizeof(entry->digest));
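Review bot: `hash.digest` is now TPM_DIGEST_SIZE bytes, smaller than the IMA_MAX_DIGEST_SIZE it replaces, so whatever fills it through `hash.hdr` later in ima_store_template() (outside this hunk, which I cannot see) must never select an algorithm with a longer digest, or this on-stack buffer overflows. Worth pinning the algorithm and length recorded in `hash.hdr` to the TPM digest where the header is initialised, or checking that recorded length against `sizeof(hash.digest)` before the hash is computed. A comment on the array, `/* template hash: TPM_DIGEST_SIZE, deliberately not the file data hash size */`, would also explain the size difference called out in the change log. The function body continues beyond the hunk.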
4 changes: 2 additions & 2 deletions security/integrity/ima/ima_crypto.c
Expand Up @@ -155,7 +155,7 @@ static void __init ima_pcrread(int idx, u8 *pcr)
*/
int __init ima_calc_boot_aggregate(char *digest)
{
u8 pcr_i[IMA_DIGEST_SIZE];
u8 pcr_i[TPM_DIGEST_SIZE];
int rc, i;
struct {
struct shash_desc shash;
Expand All @@ -173,7 +173,7 @@ int __init ima_calc_boot_aggregate(char *digest)
for (i = TPM_PCR0; i < TPM_PCR8; i++) {
ima_pcrread(i, pcr_i);
/* now accumulate with current aggregate */
rc = crypto_shash_update(&desc.shash, pcr_i, IMA_DIGEST_SIZE);
rc = crypto_shash_update(&desc.shash, pcr_i, TPM_DIGEST_SIZE);
}
if (!rc)
crypto_shash_final(&desc.shash, digest);
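Review bot: In the PCR loop of the second hunk, `rc` is overwritten on every iteration, so the `if (!rc)` after the loop only reflects the crypto_shash_update() for the last PCR and an earlier failure is silently folded into the boot aggregate. Adding `if (rc) break;` directly after the update, and returning that error, makes the aggregate fail closed instead of finalising a partial value. The resizing itself, pcr_i and the update length both by TPM_DIGEST_SIZE, is consistent with ima_pcrread() filling one TPM digest per PCR. ima_calc_boot_aggregate() continues after the hunk.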
10 changes: 5 additions & 5 deletions security/integrity/ima/ima_fs.c
Expand Up @@ -133,7 +133,7 @@ static int ima_measurements_show(struct seq_file *m, void *v)
ima_putc(m, &pcr, sizeof pcr);

/* 2nd: template digest */
ima_putc(m, e->digest, IMA_DIGEST_SIZE);
ima_putc(m, e->digest, TPM_DIGEST_SIZE);

/* 3rd: template name size */
namelen = strlen(e->template_name);
Expand Down Expand Up @@ -167,11 +167,11 @@ static const struct file_operations ima_measurements_ops = {
.release = seq_release,
};

static void ima_print_digest(struct seq_file *m, u8 *digest)
static void ima_print_digest(struct seq_file *m, u8 *digest, int size)
{
int i;

for (i = 0; i < IMA_DIGEST_SIZE; i++)
for (i = 0; i < size; i++)
seq_printf(m, "%02x", *(digest + i));
}

Expand All @@ -182,7 +182,7 @@ void ima_template_show(struct seq_file *m, void *e, enum ima_show_type show)

switch (show) {
case IMA_SHOW_ASCII:
ima_print_digest(m, entry->digest);
ima_print_digest(m, entry->digest, IMA_DIGEST_SIZE);
seq_printf(m, " %s\n", entry->file_name);
break;
case IMA_SHOW_BINARY:
Expand Down Expand Up @@ -212,7 +212,7 @@ static int ima_ascii_measurements_show(struct seq_file *m, void *v)
seq_printf(m, "%2d ", CONFIG_IMA_MEASURE_PCR_IDX);

/* 2nd: SHA1 template hash */
ima_print_digest(m, e->digest);
ima_print_digest(m, e->digest, TPM_DIGEST_SIZE);

/* 3th: template name */
seq_printf(m, " %s ", e->template_name);
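Review bot: ima_print_digest() gains a `size` parameter but no comment saying why its two callers pass different constants: ima_template_show() apparently prints the file data hash with IMA_DIGEST_SIZE, while ima_ascii_measurements_show() prints the template hash with TPM_DIGEST_SIZE, which is exactly the distinction this commit introduces and is easy to get backwards later. Suggest a header comment such as `/* Print size bytes of digest as hex; template hashes are TPM_DIGEST_SIZE, file data hashes IMA_DIGEST_SIZE. */`. While the signature is being touched, `static void ima_print_digest(struct seq_file *m, const u8 *digest, int size)` with `seq_printf(m, "%02x", digest[i]);` in the body reads more plainly than `*(digest + i)` and records that the digest is only read.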
2 changes: 1 addition & 1 deletion security/integrity/ima/ima_init.c
Expand Up @@ -74,7 +74,7 @@ static void __init ima_add_boot_aggregate(void)

int __init ima_init(void)
{
u8 pcr_i[IMA_DIGEST_SIZE];
u8 pcr_i[TPM_DIGEST_SIZE];
int rc;

ima_used_chip = 0;
4 changes: 2 additions & 2 deletions security/integrity/ima/ima_queue.c
Expand Up @@ -50,7 +50,7 @@ static struct ima_queue_entry *ima_lookup_digest_entry(u8 *digest_value)
key = ima_hash_key(digest_value);
rcu_read_lock();
hlist_for_each_entry_rcu(qe, &ima_htable.queue[key], hnext) {
rc = memcmp(qe->entry->digest, digest_value, IMA_DIGEST_SIZE);
rc = memcmp(qe->entry->digest, digest_value, TPM_DIGEST_SIZE);
if (rc == 0) {
ret = qe;
break;
Expand Down Expand Up @@ -106,7 +106,7 @@ static int ima_pcr_extend(const u8 *hash)
int ima_add_template_entry(struct ima_template_entry *entry, int violation,
const char *op, struct inode *inode)
{
u8 digest[IMA_DIGEST_SIZE];
u8 digest[TPM_DIGEST_SIZE];
const char *audit_cause = "hash_added";
char tpm_audit_cause[AUDIT_CAUSE_LEN_MAX];
int audit_info = 1;
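Review bot: ima_lookup_digest_entry() now compares TPM_DIGEST_SIZE bytes of `digest_value`, yet nothing at the signature (visible only in the hunk header; the body starts outside the hunk) states that callers must supply a buffer of at least that length, and the parameter is not const although it is only read here. Suggest `static struct ima_queue_entry *ima_lookup_digest_entry(const u8 *digest_value)` with the comment `/* digest_value: TPM_DIGEST_SIZE-byte template hash */`, provided ima_hash_key() accepts a const pointer. The same length contract applies to the `digest` local in ima_add_template_entry() at the second hunk, whose body continues beyond it.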
