Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=linux-5.11.y 2020-11-29T12:02:53+00:00 2020-11-29T12:02:53+00:00 Roberto Sassu roberto.sassu@huawei.com 2020-11-26T10:34:56+00:00 urn:sha1:207cdd565dfc95a0a5185263a567817b7ebf5467 Commit a408e4a86b36b ("ima: open a new file instance if no read permissions") already introduced a second open to measure a file when the original file descriptor does not allow it. However, it didn't remove the existing method of changing the mode of the original file descriptor, which is still necessary if the current process does not have enough privileges to open a new one. Changing the mode isn't really an option, as the filesystem might need to do preliminary steps to make the read possible. Thus, this patch removes the code and keeps the second open as the only option to measure a file when it is unreadable with the original file descriptor. Cc: <stable@vger.kernel.org> # 4.20.x: 0014cc04e8ec0 ima: Set file->f_mode Fixes: 2fe5d6def1672 ("ima: integrity appraisal extension") Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> Reviewed-by: Christoph Hellwig <hch@lst.de> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> 2020-09-15T17:47:37+00:00 Roberto Sassu roberto.sassu@huawei.com 2020-09-04T09:23:28+00:00 urn:sha1:60386b854008adc951c470067f90a2d85b5d520f Errors returned by crypto_shash_update() are not checked in ima_calc_boot_aggregate_tfm() and thus can be overwritten at the next iteration of the loop. This patch adds a check after calling crypto_shash_update() and returns immediately if the result is not zero. Cc: stable@vger.kernel.org Fixes: 3323eec921efd ("integrity: IMA as an integrity service provider") Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> 2020-06-25T00:47:24+00:00 Maurizio Drocco maurizio.drocco@ibm.com 2020-06-23T15:57:32+00:00 urn:sha1:20c59ce010f84300f6c655d32db2610d3433f85c Registers 8-9 are used to store measurements of the kernel and its command line (e.g., grub2 bootloader with tpm module enabled). IMA should include them in the boot aggregate. Registers 8-9 should be only included in non-SHA1 digests to avoid ambiguity. Signed-off-by: Maurizio Drocco <maurizio.drocco@ibm.com> Reviewed-by: Bruno Meneguele <bmeneg@redhat.com> Tested-by: Bruno Meneguele <bmeneg@redhat.com> (TPM 1.2, TPM 2.0) Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> 2020-06-07T23:03:09+00:00 Roberto Sassu roberto.sassu@huawei.com 2020-06-07T21:00:29+00:00 urn:sha1:8b8c704d913b0fe490af370631a4200e26334ec0 Commit 6cc7c266e5b4 ("ima: Call ima_calc_boot_aggregate() in ima_eventdigest_init()") added a call to ima_calc_boot_aggregate() so that the digest can be recalculated for the boot_aggregate measurement entry if the 'd' template field has been requested. For the 'd' field, only SHA1 and MD5 digests are accepted. Given that ima_eventdigest_init() does not have the __init annotation, all functions called should not have it. This patch removes __init from ima_pcrread(). Cc: stable@vger.kernel.org Fixes: 6cc7c266e5b4 ("ima: Call ima_calc_boot_aggregate() in ima_eventdigest_init()") Reported-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 2020-06-06T16:39:05+00:00 Linus Torvalds torvalds@linux-foundation.org 2020-06-06T16:39:05+00:00 urn:sha1:3c0ad98c2eda5ff30d23777e30744be6f7b8f097 Pull integrity updates from Mimi Zohar: "The main changes are extending the TPM 2.0 PCR banks with bank specific file hashes, calculating the "boot_aggregate" based on other TPM PCR banks, using the default IMA hash algorithm, instead of SHA1, as the basis for the cache hash table key, and preventing the mprotect syscall to circumvent an IMA mmap appraise policy rule. - In preparation for extending TPM 2.0 PCR banks with bank specific digests, commit 0b6cf6b97b7e ("tpm: pass an array of tpm_extend_digest structures to tpm_pcr_extend()") modified tpm_pcr_extend(). The original SHA1 file digests were padded/truncated, before being extended into the other TPM PCR banks. This pull request calculates and extends the TPM PCR banks with bank specific file hashes completing the above change. - The "boot_aggregate", the first IMA measurement list record, is the "trusted boot" link between the pre-boot environment and the running OS. With TPM 2.0, the "boot_aggregate" record is not limited to being based on the SHA1 TPM PCR bank, but can be calculated based on any enabled bank, assuming the hash algorithm is also enabled in the kernel. Other changes include the following and five other bug fixes/code clean up: - supporting both a SHA1 and a larger "boot_aggregate" digest in a custom template format containing both the the SHA1 ('d') and larger digests ('d-ng') fields. - Initial hash table key fix, but additional changes would be good" * tag 'integrity-v5.8' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity: ima: Directly free *entry in ima_alloc_init_template() if digests is NULL ima: Call ima_calc_boot_aggregate() in ima_eventdigest_init() ima: Directly assign the ima_default_policy pointer to ima_rules ima: verify mprotect change is consistent with mmap policy evm: Fix possible memory leak in evm_calc_hmac_or_hash() ima: Set again build_ima_appraise variable ima: Remove redundant policy rule set in add_rules() ima: Fix ima digest hash table key calculation ima: Use ima_hash_algo for collision detection in the measurement list ima: Calculate and extend PCR with digests in ima_template_entry ima: Allocate and initialize tfm for each PCR bank ima: Switch to dynamically allocated buffer for template digests ima: Store template digest directly in ima_template_entry ima: Evaluate error in init_ima() ima: Switch to ima_hash_algo for boot aggregate 2020-06-03T21:20:43+00:00 Roberto Sassu roberto.sassu@huawei.com 2020-06-03T15:08:21+00:00 urn:sha1:6cc7c266e5b47d3cd2b5bb7fd3aac4e6bb2dd1d2 If the template field 'd' is chosen and the digest to be added to the measurement entry was not calculated with SHA1 or MD5, it is recalculated with SHA1, by using the passed file descriptor. However, this cannot be done for boot_aggregate, because there is no file descriptor. This patch adds a call to ima_calc_boot_aggregate() in ima_eventdigest_init(), so that the digest can be recalculated also for the boot_aggregate entry. Cc: stable@vger.kernel.org # 3.13.x Fixes: 3ce1217d6cd5d ("ima: define template fields library and new helpers") Reported-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> 2020-05-08T01:30:58+00:00 Roberto Sassu roberto.sassu@huawei.com 2020-04-27T10:28:55+00:00 urn:sha1:0014cc04e8ec077dc482f00c87dfd949cfe2b98f Commit a408e4a86b36 ("ima: open a new file instance if no read permissions") tries to create a new file descriptor to calculate a file digest if the file has not been opened with O_RDONLY flag. However, if a new file descriptor cannot be obtained, it sets the FMODE_READ flag to file->f_flags instead of file->f_mode. This patch fixes this issue by replacing f_flags with f_mode as it was before that commit. Cc: stable@vger.kernel.org # 4.20.x Fixes: a408e4a86b36 ("ima: open a new file instance if no read permissions") Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> Reviewed-by: Goldwyn Rodrigues <rgoldwyn@suse.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> 2020-04-20T02:03:39+00:00 Roberto Sassu roberto.sassu@huawei.com 2020-03-25T10:54:24+00:00 urn:sha1:2592677c0486e64a08e0b930a7dfa6fbf77e6fc1 Before calculating a digest for each PCR bank, collisions were detected with a SHA1 digest. This patch includes ima_hash_algo among the algorithms used to calculate the template digest and checks collisions on that digest. The position in the measurement entry array of the template digest calculated with the IMA default hash algorithm is stored in the ima_hash_algo_idx global variable and is determined at IMA initialization time. Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> 2020-04-20T02:03:39+00:00 Roberto Sassu roberto.sassu@huawei.com 2020-03-25T10:53:50+00:00 urn:sha1:1ea973df6e2166d1a576cabe5d08925d3261ff9d This patch modifies ima_calc_field_array_hash() to calculate a template digest for each allocated PCR bank and SHA1. It also passes the tpm_digest array of the template entry to ima_pcr_extend() or in case of a violation, the pre-initialized digests array filled with 0xff. Padding with zeros is still done if the mapping between TPM algorithm ID and crypto ID is unknown. This patch calculates again the template digest when a measurement list is restored. Copying only the SHA1 digest (due to the limitation of the current measurement list format) is not sufficient, as hash collision detection will be done on the digest calculated with the IMA default hash algorithm. Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> 2020-04-20T02:03:39+00:00 Roberto Sassu roberto.sassu@huawei.com 2020-03-25T10:52:48+00:00 urn:sha1:6d94809af6b0830c4dfcad661535a5939bcb8a7d This patch creates a crypto_shash structure for each allocated PCR bank and for SHA1 if a bank with that algorithm is not currently allocated. Reported-by: kbuild test robot <lkp@intel.com> Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>