From: Mimi Z. <zo...@li...> - 2014-05-14 13:03:59
On Wed, 2014-05-07 at 18:13 +0200, Andreas Steffen wrote:
> For remote attestation it is important for the ima measurement values
> to be platform-independent. Therefore integer fields to be hashed
> must be converted to network order first.
>
> Signed-off-by: Andreas Steffen <and...@st...>
Prior to this patch, verifying the measurement list didn't require any
knowledge of the template format. The local host would calculate the
hash on the entire template data and compare it with the hash value in
the measurement list. Now, verifying the measurement list requires
parsing the template data and converting each of the length fields from
network byte order to host order.
Mimi
> ---
> security/integrity/ima/ima_crypto.c | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/security/integrity/ima/ima_crypto.c b/security/integrity/ima/ima_crypto.c
> index 1bde8e6..8725bff 100644
> --- a/security/integrity/ima/ima_crypto.c
> +++ b/security/integrity/ima/ima_crypto.c
> @@ -170,11 +170,12 @@ static int ima_calc_field_array_hash_tfm(struct ima_field_data *field_data,
> u8 buffer[IMA_EVENT_NAME_LEN_MAX + 1] = { 0 };
> u8 *data_to_hash = field_data[i].data;
> u32 datalen = field_data[i].len;
> + u32 datalen_to_hash = htonl(datalen);
>
> if (strcmp(td->name, IMA_TEMPLATE_IMA_NAME) != 0) {
> rc = crypto_shash_update(&desc.shash,
> - (const u8 *) &field_data[i].len,
> - sizeof(field_data[i].len));
> + (const u8 *) &datalen_to_hash,
> + sizeof(datalen_to_hash));
> if (rc)
> break;
> } else if (strcmp(td->fields[i]->field_id, "n") == 0) {
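Review bot: `u32 datalen_to_hash = htonl(datalen);` stores a `__be32` result in a `u32`, which sparse's endianness checking will flag; declare it as `__be32 datalen_to_hash = cpu_to_be32(datalen);`, the kernel-idiomatic spelling of the same conversion. The `IMA_TEMPLATE_IMA_NAME` branch is unaffected since it never hashes the length, but the commit message should also state that `field_data[i].len` itself stays in host order, so the template hash no longer covers the template data bytes as exported, which is the verification impact raised in the reply above.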
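Added example (not part of this thread or of the kernel patch): a userland verifier for an "ima-ng" style entry, showing the pre-patch check (hash the exported template data as-is) beside the post-patch check (parse each length-prefixed field and hash its length in network byte order). The field contents are constructed sample values, and the host byte order is passed in explicitly so the platform-independence claim can be checked.

```python
import hashlib
import struct

# Constructed sample fields for one template entry (shapes are illustrative,
# not the exact kernel encoding): a digest field and a file name field.
SAMPLE_FIELDS = [
    b"sha1:\x00" + bytes.fromhex("da39a3ee5e6b4b0d3255bfef95601890afd80709"),
    b"/usr/bin/true\x00",
]

def build_template_data(fields, host_endian="<"):
    """Serialize fields the way the measurement list exports them:
    a u32 length in *host* byte order followed by the field bytes."""
    out = b""
    for f in fields:
        out += struct.pack(host_endian + "I", len(f)) + f
    return out

def parse_template_data(template_data, host_endian="<"):
    """Split exported template data back into fields, rejecting truncation."""
    fields, off = [], 0
    while off < len(template_data):
        (n,) = struct.unpack_from(host_endian + "I", template_data, off)
        off += 4
        if off + n > len(template_data):
            raise ValueError("field length runs past end of template data")
        fields.append(template_data[off:off + n])
        off += n
    return fields

def template_hash_before(template_data, algo="sha1"):
    """Pre-patch verification: one hash over the raw exported bytes."""
    return hashlib.new(algo, template_data).hexdigest()

def template_hash_after(template_data, host_endian="<", algo="sha1"):
    """Post-patch verification: the verifier must know the template format,
    parse each field, and hash its length as a big-endian (network) u32."""
    h = hashlib.new(algo)
    for f in parse_template_data(template_data, host_endian):
        h.update(struct.pack("!I", len(f)))
        h.update(f)
    return h.hexdigest()
```

On a little-endian host the two checks disagree, while the post-patch hash is the same whichever byte order the list was exported with, which is exactly the trade-off the reply describes.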