[PATCH 3/3] ima: add pre-calculated measurements (experimental)

Mimi Zohar zohar at linux.vnet.ibm.com
Wed Jun 22 06:35:05 PDT 2016 

This patch defines a new IMA hook named ima_add_measurement_check()
for including pre-calculated measurements in the IMA measurement list.

Signed-off-by: Mimi Zohar <zohar at linux.vnet.ibm.com>
---
 Documentation/ABI/testing/ima_policy |   2 +-
 include/linux/ima.h                  |  12 ++++
 security/integrity/ima/Kconfig       |   8 +++
 security/integrity/ima/ima.h         |   1 +
 security/integrity/ima/ima_buffer.c  | 116 +++++++++++++++++++++++++++++------
 security/integrity/ima/ima_policy.c  |  18 +++++-
 6 files changed, 136 insertions(+), 21 deletions(-)

diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy
index 5a99c6f..e5a137e 100644
--- a/Documentation/ABI/testing/ima_policy
+++ b/Documentation/ABI/testing/ima_policy
@@ -28,7 +28,7 @@ Description:
 		base: 	func:= [BPRM_CHECK][MMAP_CHECK][FILE_CHECK][MODULE_CHECK]
 				[FIRMWARE_CHECK]
 				[KEXEC_KERNEL_CHECK] [KEXEC_INITRAMFS_CHECK]
-				[KEXEC_CMDLINE_CHECK]
+				[KEXEC_CMDLINE_CHECK] [PRECALC_CHECK]
 			mask:= [[^]MAY_READ] [[^]MAY_WRITE] [[^]MAY_APPEND]
 			       [[^]MAY_EXEC]
 			fsmagic:= hex value
diff --git a/include/linux/ima.h b/include/linux/ima.h
index 88203f9..797de51 100644
--- a/include/linux/ima.h
+++ b/include/linux/ima.h
@@ -15,6 +15,7 @@ struct linux_binprm;
 
 enum ima_buffer_id {
 	MEASURING_KEXEC_CMDLINE,
+	MEASURING_PRECALC_DATA,
 	MEASURING_MAX_BUFFER_ID
 };
 
@@ -29,6 +30,9 @@ extern int ima_post_read_file(struct file *file, void *buf, loff_t size,
 extern void ima_post_path_mknod(struct dentry *dentry);
 extern void ima_buffer_check(void *buf, loff_t size,
 			     enum ima_buffer_id buffer_id);
+extern void ima_add_measurement_check(const char *hashname, u8 *digest,
+				      loff_t size, enum ima_buffer_id buffer_id,
+				      char *hint);
 
 #else
 static inline int ima_bprm_check(struct linux_binprm *bprm)
@@ -72,6 +76,14 @@ static inline void ima_buffer_check(void *buf, loff_t size,
 {
 	return;
 }
+
+static inline void ima_add_measurement_check(const char *hashname, u8 *digest,
+					     loff_t size,
+					     enum ima_buffer_id buffer_id,
+					     char *hint)
+{
+	return;
+}
 #endif /* CONFIG_IMA */
 
 #ifdef CONFIG_IMA_APPRAISE
diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
index 5487827..0fb54d3 100644
--- a/security/integrity/ima/Kconfig
+++ b/security/integrity/ima/Kconfig
@@ -44,6 +44,14 @@ config IMA_LSM_RULES
 	help
 	  Disabling this option will disregard LSM based policy rules.
 
+config IMA_PRECALC_RULES
+	bool "Permit pre-calculated measurements (EXPERIMENTAL)"
+	depends on IMA
+	default n
+	help
+	  Enabling this option will permit pre-calculated measurements
+	  to be added to the IMA measurement list.
+
 choice
 	prompt "Default template"
 	default IMA_NG_TEMPLATE
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index 5f21a9a..ccad21d 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -152,6 +152,7 @@ enum ima_hooks {
 	KEXEC_INITRAMFS_CHECK,
 	KEXEC_CMDLINE_CHECK,
 	POLICY_CHECK,
+	PRECALC_CHECK,
 	MAX_CHECK
 };
 
diff --git a/security/integrity/ima/ima_buffer.c b/security/integrity/ima/ima_buffer.c
index e74131b..ad49f6c 100644
--- a/security/integrity/ima/ima_buffer.c
+++ b/security/integrity/ima/ima_buffer.c
@@ -11,6 +11,8 @@
 #include <linux/uaccess.h>
 #include <linux/module.h>
 #include <linux/ima.h>
+#include <crypto/hash_info.h>
+#include <linux/string_helpers.h>
 
 #include "ima.h"
 
@@ -21,9 +23,37 @@ struct buffer_idmap {
 
 static struct buffer_idmap _idmap[MEASURING_MAX_BUFFER_ID] = {
 	[MEASURING_KEXEC_CMDLINE].func = KEXEC_CMDLINE_CHECK,
-	[MEASURING_KEXEC_CMDLINE].buf = "boot-cmdline",
+	[MEASURING_KEXEC_CMDLINE].buf = "kexec-boot-cmdline",
+	[MEASURING_PRECALC_DATA].func = PRECALC_CHECK,
+	[MEASURING_PRECALC_DATA].buf = "precalc",
 };
 
+#define IMA_MAX_BUFFER_HINT_SIZE 255
+
+static int store_buffer_measurement(struct ima_digest_data *hash, int pcr,
+				    char *buffer_hint)
+{
+	struct ima_template_entry *entry;
+	struct integrity_iint_cache tmp_iint, *iint = &tmp_iint;
+	struct ima_event_data event_data = {iint, NULL, NULL, NULL, 0, NULL};
+	int violation = 0;
+	int result;
+
+	iint->ima_hash = hash;
+	event_data.filename = buffer_hint;
+
+	result = ima_alloc_init_template(&event_data, &entry);
+	if (result < 0)
+		return result;
+
+	result = ima_store_template(entry, violation, NULL,
+				    event_data.filename, pcr);
+	if (result < 0)
+		ima_free_template_entry(entry);
+
+	return result;
+}
+
 static void process_buffer_measurement(void *buf, loff_t size,
 				       enum ima_buffer_id buffer_id, int pcr)
 {
@@ -31,10 +61,6 @@ static void process_buffer_measurement(void *buf, loff_t size,
 		struct ima_digest_data hdr;
 		char digest[IMA_MAX_DIGEST_SIZE];
 	} hash;
-	struct ima_template_entry *entry;
-	struct integrity_iint_cache tmp_iint, *iint = &tmp_iint;
-	struct ima_event_data event_data = {iint, NULL, NULL, NULL, 0, NULL};
-	int violation = 0;
 	int result;
 
 	memset(&hash, 0, sizeof(hash));
@@ -45,20 +71,10 @@ static void process_buffer_measurement(void *buf, loff_t size,
 		return;
 	}
 
-	iint->ima_hash = &hash.hdr;
-	event_data.filename = _idmap[buffer_id].buf;
-	result = ima_alloc_init_template(&event_data, &entry);
-	if (result < 0) {
-		pr_debug("failed allocating template\n");
-		return;
-	}
-
-	result = ima_store_template(entry, violation, NULL,
-				    event_data.filename, pcr);
-	if (result < 0) {
+	result = store_buffer_measurement(&hash.hdr, pcr,
+					  _idmap[buffer_id].buf);
+	if (result < 0)
 		pr_debug("failed storing buffer measurement\n");
-		ima_free_template_entry(entry);
-	}
 }
 
 /**
@@ -82,3 +98,67 @@ void ima_buffer_check(void *buf, loff_t size, enum ima_buffer_id buffer_id)
 	process_buffer_measurement(buf, size, buffer_id, pcr);
 }
 EXPORT_SYMBOL_GPL(ima_buffer_check);
+
+/**
+ * ima_add_measurement_check - add pre-calculated hash measurement
+ * @hashname: pointer to hash algorithm name
+ * @digest: pointer to hash digest
+ * @size: hash digest size
+ * @buffer_id: caller identifier
+ * @hint: measurement identifier
+ *
+ * Include pre-calculated hash measurements in the IMA measurement list.
+ */
+void ima_add_measurement_check(const char *hashname, u8 *digest, loff_t size,
+			      enum ima_buffer_id buffer_id, char *hint)
+{
+	struct {
+		struct ima_digest_data hdr;
+		char digest[IMA_MAX_DIGEST_SIZE];
+	} hash;
+	int pcr = CONFIG_IMA_MEASURE_PCR_IDX;
+	char buffer_hint[IMA_MAX_BUFFER_HINT_SIZE];
+	char *buf;
+	int result, i;
+
+	if (buffer_id > MEASURING_MAX_BUFFER_ID)
+		return;
+
+	if (!ima_match_buffer_id(_idmap[buffer_id].func, &pcr))
+		return;
+
+	if (!hint) {
+		pr_debug("missing buffer hint\n");
+		return;
+	}
+
+	buf = kstrdup_quotable(hint, GFP_KERNEL);
+	if (!buf) {
+		pr_debug("failed quoting buffer hint\n");
+		return;
+	}
+
+	/* Limit the total measurement hint to IMA_MAX_BUFFER_HINT_SIZE. */
+	snprintf(buffer_hint, sizeof(buffer_hint), "(%s) %s",
+		 _idmap[buffer_id].buf, buf);
+	kfree(buf);
+
+	memset(&hash, 0, sizeof(hash));
+	for (i = 1; i < HASH_ALGO__LAST; i++) {
+		if (strcmp(hashname, hash_algo_name[i]) != 0)
+			continue;
+		hash.hdr.algo = i;
+		break;
+	}
+	if (hash.hdr.algo == 0) {
+		pr_debug("invalid hash algorithm (%d)\n", hash.hdr.algo);
+		return;
+	}
+
+	hash.hdr.length = size;
+	memcpy(&hash.hdr.digest, digest, size);
+	result = store_buffer_measurement(&hash.hdr, pcr, buffer_hint);
+	if (result < 0)
+		pr_debug("failed to store buffer measurement\n");
+}
+EXPORT_SYMBOL_GPL(ima_add_measurement_check);
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 8e53f84..4094dd7 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -20,6 +20,7 @@
 #include <linux/rculist.h>
 #include <linux/genhd.h>
 #include <linux/seq_file.h>
+#include <linux/ima.h>
 
 #include "ima.h"
 
@@ -54,6 +55,12 @@ enum lsm_rule_types { LSM_OBJ_USER, LSM_OBJ_ROLE, LSM_OBJ_TYPE,
 
 enum policy_types { ORIGINAL_TCB = 1, DEFAULT_TCB };
 
+#ifdef CONFIG_MEASURING_PRECALC_RULES
+static int permit_measuring_precalc_rules = 1;
+#else
+static int permit_measuring_precalc_rules;
+#endif
+
 struct ima_rule_entry {
 	struct list_head list;
 	int action;
@@ -668,6 +675,9 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
 				entry->func = KEXEC_CMDLINE_CHECK;
 			else if (strcmp(args[0].from, "POLICY_CHECK") == 0)
 				entry->func = POLICY_CHECK;
+			else if ((strcmp(args[0].from, "PRECALC_CHECK") == 0)
+				 && permit_measuring_precalc_rules)
+				entry->func = PRECALC_CHECK;
 			else
 				result = -EINVAL;
 			if (!result)
@@ -929,7 +939,7 @@ enum {
 	func_file = 0, func_mmap, func_bprm,
 	func_module, func_firmware, func_post,
 	func_kexec_kernel, func_kexec_initramfs,
-	func_kexec_cmdline, func_policy
+	func_kexec_cmdline, func_policy, func_precalc
 };
 
 static char *func_tokens[] = {
@@ -942,7 +952,8 @@ static char *func_tokens[] = {
 	"KEXEC_KERNEL_CHECK",
 	"KEXEC_INITRAMFS_CHECK",
 	"KEXEC_CMDLINE_CHECK",
-	"POLICY_CHECK"
+	"POLICY_CHECK",
+	"PRECALC_CHECK"
 };
 
 void *ima_policy_start(struct seq_file *m, loff_t *pos)
@@ -1019,6 +1030,9 @@ static void policy_func_show(struct seq_file *m, enum ima_hooks func)
 	case POLICY_CHECK:
 		seq_printf(m, pt(Opt_func), ft(func_policy));
 		break;
+	case PRECALC_CHECK:
+		seq_printf(m, pt(Opt_func), ft(func_precalc));
+		break;
 	default:
 		snprintf(tbuf, sizeof(tbuf), "%d", func);
 		seq_printf(m, pt(Opt_func), tbuf);
-- 
2.1.0

More information about the kexec mailing list