Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=linux-7.0.y 2026-05-23T11:09:06+00:00 2026-05-23T11:09:06+00:00 Dmitry Safonov dima@arista.com 2026-03-10T17:40:39+00:00 urn:sha1:88d4e89a39f0de07798ca3fd93bd1a9ea212a82e [ Upstream commit d7bd8cf0b348d3edae7bee33e74a32b21668b181 ] ima_tpm_chip->allocated_banks[i].crypto_id is initialized to HASH_ALGO__LAST if the TPM algorithm is not supported. However there are places relying on the algorithm to be valid because it is accessed by hash_algo_name[]. On 6.12.40 I observe the following read out-of-bounds in hash_algo_name: ================================================================== BUG: KASAN: global-out-of-bounds in create_securityfs_measurement_lists+0x396/0x440 Read of size 8 at addr ffffffff83e18138 by task swapper/0/1 CPU: 4 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.12.40 #3 Call Trace: <TASK> dump_stack_lvl+0x61/0x90 print_report+0xc4/0x580 ? kasan_addr_to_slab+0x26/0x80 ? create_securityfs_measurement_lists+0x396/0x440 kasan_report+0xc2/0x100 ? create_securityfs_measurement_lists+0x396/0x440 create_securityfs_measurement_lists+0x396/0x440 ima_fs_init+0xa3/0x300 ima_init+0x7d/0xd0 init_ima+0x28/0x100 do_one_initcall+0xa6/0x3e0 kernel_init_freeable+0x455/0x740 kernel_init+0x24/0x1d0 ret_from_fork+0x38/0x80 ret_from_fork_asm+0x11/0x20 </TASK> The buggy address belongs to the variable: hash_algo_name+0xb8/0x420 Memory state around the buggy address: ffffffff83e18000: 00 01 f9 f9 f9 f9 f9 f9 00 01 f9 f9 f9 f9 f9 f9 ffffffff83e18080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffffffff83e18100: 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 00 05 f9 f9 ^ ffffffff83e18180: f9 f9 f9 f9 00 00 00 00 00 00 00 04 f9 f9 f9 f9 ffffffff83e18200: 00 00 00 00 00 00 00 00 04 f9 f9 f9 f9 f9 f9 f9 ================================================================== Seems like the TPM chip supports sha3_256, which isn't yet in tpm_algorithms: tpm tpm0: TPM with unsupported bank algorithm 0x0027 That's TPM_ALG_SHA3_256 == 0x0027 from "Trusted Platform Module 2.0 Library Part 2: Structures", page 51 [1]. See also the related U-Boot algorithms update [2]. Thus solve the problem by creating a file name with "_tpm_alg_<ID>" postfix if the crypto algorithm isn't initialized. This is how it looks on the test machine (patch ported to v6.12 release): # ls -1 /sys/kernel/security/ima/ ascii_runtime_measurements ascii_runtime_measurements_tpm_alg_27 ascii_runtime_measurements_sha1 ascii_runtime_measurements_sha256 binary_runtime_measurements binary_runtime_measurements_tpm_alg_27 binary_runtime_measurements_sha1 binary_runtime_measurements_sha256 policy runtime_measurements_count violations [1]: https://trustedcomputinggroup.org/wp-content/uploads/Trusted-Platform-Module-2.0-Library-Part-2-Version-184_pub.pdf [2]: https://lists.denx.de/pipermail/u-boot/2024-July/558835.html Fixes: 9fa8e7625008 ("ima: add crypto agility support for template-hash algorithm") Signed-off-by: Dmitry Safonov <dima@arista.com> Cc: Enrico Bravi <enrico.bravi@polito.it> Cc: Silvia Sisinni <silvia.sisinni@polito.it> Cc: Roberto Sassu <roberto.sassu@huawei.com> Cc: Mimi Zohar <zohar@linux.ibm.com> Reviewed-by: Roberto Sassu <roberto.sassu@huawei.com> Tested-by: Roberto Sassu <roberto.sassu@huawei.com> Link: https://github.com/linux-integrity/linux/issues/14 Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> Signed-off-by: Sasha Levin <sashal@kernel.org> 2025-10-22T23:24:27+00:00 Roberto Sassu roberto.sassu@huawei.com 2025-09-02T12:54:57+00:00 urn:sha1:82fe7932e84f618c6ec217203606f0c27ebef94b This patch converts IMA and EVM to use the LSM frameworks's initcall mechanism. It moved the integrity_fs_init() call to ima_fs_init() and evm_init_secfs(), to work around the fact that there is no "integrity" LSM, and introduced integrity_fs_fini() to remove the integrity directory, if empty. Both integrity_fs_init() and integrity_fs_fini() support the scenario of being called by both the IMA and EVM LSMs. This patch does not touch any of the platform certificate code that lives under the security/integrity/platform_certs directory as the IMA/EVM developers would prefer to address that in a future patchset. Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> Acked-by: Mimi Zohar <zohar@linux.ibm.com> [PM: adjust description as discussed over email] Signed-off-by: Paul Moore <paul@paul-moore.com> 2025-06-17T22:10:14+00:00 Al Viro viro@zeniv.linux.org.uk 2025-03-10T16:30:20+00:00 urn:sha1:d15ffbbf4d32a9007c4a339a9fecac90ce30432a lookup_template_data_hash_algo() machinery is used to locate the matching ima_algo_array[] element at read time; securityfs allows to stash that into inode->i_private at object creation time, so there's no need to bother Acked-by: Mimi Zohar <zohar@linux.ibm.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 2025-06-17T22:09:52+00:00 Al Viro viro@zeniv.linux.org.uk 2024-05-14T05:41:51+00:00 urn:sha1:22260a99d791163f7697a240dfc48e4e5a91ecfe removal of parent takes all children out Acked-by: Mimi Zohar <zohar@linux.ibm.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 2024-06-03T20:37:22+00:00 Enrico Bravi enrico.bravi@polito.it 2024-05-29T18:14:34+00:00 urn:sha1:fbf06cee60876d50f259d0689e3c03940750f0d4 In case of error during ima_fs_init() all the dentry already created are removed. {ascii, binary}_securityfs_measurement_lists are freed calling for each array the remove_securityfs_measurement_lists(). This function, at the end, assigns to zero the securityfs_measurement_list_count. This causes during the second call of remove_securityfs_measurement_lists() to leave the dentry of the array pending, not removing them correctly, because the securityfs_measurement_list_count is already zero. Move the securityfs_measurement_list_count = 0 after the two remove_securityfs_measurement_lists() calls to correctly remove all the dentry already allocated. Fixes: 9fa8e7625008 ("ima: add crypto agility support for template-hash algorithm") Signed-off-by: Enrico Bravi <enrico.bravi@polito.it> Reviewed-by: Roberto Sassu <roberto.sassu@huawei.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> 2024-04-12T13:59:04+00:00 Enrico Bravi enrico.bravi@polito.it 2024-04-12T09:09:53+00:00 urn:sha1:9fa8e76250082a45d0d3dad525419ab98bd01658 The template hash showed by the ascii_runtime_measurements and binary_runtime_measurements is the one calculated using sha1 and there is no possibility to change this value, despite the fact that the template hash is calculated using the hash algorithms corresponding to all the PCR banks configured in the TPM. Add the support to retrieve the ima log with the template data hash calculated with a specific hash algorithm. Add a new file in the securityfs ima directory for each hash algo configured in a PCR bank of the TPM. Each new file has the name with the following structure: {binary, ascii}_runtime_measurements_<hash_algo_name> Legacy files are kept, to avoid breaking existing applications, but as symbolic links which point to {binary, ascii}_runtime_measurements_sha1 files. These two files are created even if a TPM chip is not detected or the sha1 bank is not configured in the TPM. As example, in the case a TPM chip is present and sha256 is the only configured PCR bank, the listing of the securityfs ima directory is the following: lr--r--r-- [...] ascii_runtime_measurements -> ascii_runtime_measurements_sha1 -r--r----- [...] ascii_runtime_measurements_sha1 -r--r----- [...] ascii_runtime_measurements_sha256 lr--r--r-- [...] binary_runtime_measurements -> binary_runtime_measurements_sha1 -r--r----- [...] binary_runtime_measurements_sha1 -r--r----- [...] binary_runtime_measurements_sha256 --w------- [...] policy -r--r----- [...] runtime_measurements_count -r--r----- [...] violations Signed-off-by: Enrico Bravi <enrico.bravi@polito.it> Signed-off-by: Silvia Sisinni <silvia.sisinni@polito.it> Reviewed-by: Roberto Sassu <roberto.sassu@huawei.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> 2022-02-15T16:17:01+00:00 Stefan Berger stefanb@linux.ibm.com 2022-02-01T20:37:11+00:00 urn:sha1:e4e071baea41e43aebd7f17ed1ffceeca6aa9868 If an error occurs when creating a securityfs file, return the exact error code to the caller. Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> 2022-02-02T16:59:09+00:00 Stefan Berger stefanb@linux.ibm.com 2022-01-25T22:46:23+00:00 urn:sha1:f7333b9572d0559e00352a926c92f29f061b4569 The removal of ima_dir currently fails since ima_policy still exists, so remove the ima_policy file before removing the directory. Fixes: 4af4662fa4a9 ("integrity: IMA policy") Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> Cc: <stable@vger.kernel.org> Acked-by: Christian Brauner <brauner@kernel.org> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> 2021-06-08T20:29:10+00:00 Roberto Sassu roberto.sassu@huawei.com 2021-06-08T12:31:22+00:00 urn:sha1:6b26285f44c9306747c609cb304f787f1933594c The endianness of a variable written to the measurement list cannot be determined at compile time, as it depends on the value of the ima_canonical_fmt global variable (set through a kernel option with the same name if the machine is big endian). If ima_canonical_fmt is false, the endianness of a variable is the same as the machine; if ima_canonical_fmt is true, the endianness is little endian. The warning arises due to this type of instruction: var = cpu_to_leXX(var) which tries to assign a value in little endian to a variable with native endianness (little or big endian). Given that the variables set with this instruction are not used in any operation but just written to a buffer, it is safe to force the type of the value being set to be the same of the type of the variable with: var = (__force <var type>)cpu_to_leXX(var) Reported-by: kernel test robot <lkp@intel.com> Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> 2020-10-05T11:37:04+00:00 Kees Cook keescook@chromium.org 2020-10-02T17:38:25+00:00 urn:sha1:0fa8e084648779eeb8929ae004301b3acf3bad84 To perform partial reads, callers of kernel_read_file*() must have a non-NULL file_size argument and a preallocated buffer. The new "offset" argument can then be used to seek to specific locations in the file to fill the buffer to, at most, "buf_size" per call. Where possible, the LSM hooks can report whether a full file has been read or not so that the contents can be reasoned about. Signed-off-by: Kees Cook <keescook@chromium.org> Link: https://lore.kernel.org/r/20201002173828.2099543-14-keescook@chromium.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>