From: Mimi Z. <zo...@li...> - 2014-05-14 14:09:27
On Wed, 2014-05-14 at 09:02 -0400, Mimi Zohar wrote:
> On Wed, 2014-05-07 at 18:13 +0200, Andreas Steffen wrote:
> > For remote attestation it is important for the ima measurement values
> > to be platform-independent. Therefore integer fields to be hashed
> > must be converted to network order first.
> >
> > Signed-off-by: Andreas Steffen <and...@st...>
>
> Prior to this patch, verifying the measurement list didn't require any
> knowledge of the template format. The local host would calculate the
> hash on the entire template data and compare it with the hash value in
> the measurement list. Now, verifying the measurement list requires
> parsing the template data and converting each of the length fields from
> network byte order to host order.
Basically, if the length fields are included in the hash in network byte
order, then the length fields in the binary runtime measurement list
should also be converted to use network byte order.
diff --git a/security/integrity/ima/ima_template_lib.c b/security/integrity/ima/ima_template_lib.c
index 1506f02..63c6a8a 100644
--- a/security/integrity/ima/ima_template_lib.c
+++ b/security/integrity/ima/ima_template_lib.c
@@ -103,8 +103,10 @@ static void ima_show_template_data_binary(struct seq_file *m,
u32 len = (show == IMA_SHOW_BINARY_OLD_STRING_FMT) ?
strlen(field_data->data) : field_data->len;
- if (show != IMA_SHOW_BINARY_NO_FIELD_LEN)
- ima_putc(m, &len, sizeof(len));
+ if (show != IMA_SHOW_BINARY_NO_FIELD_LEN) {
+ u32 nl_len = htonl(len);
+ ima_putc(m, &nl_len, sizeof(len));
+ }
if (!len)
return;
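Review bot: this hunk only changes the length that is written to the binary measurement list; it has to be paired with the same htonl() conversion in the code that feeds the field lengths into the template hash, which is not part of this hunk, otherwise the list and the stored hash disagree on every little-endian host (the point the surrounding discussion makes). Minor: `ima_putc(m, &nl_len, sizeof(len));` should read `sizeof(nl_len)` so the size tracks the variable actually passed, and the file must already include a header that provides htonl() for the build to succeed.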
Mimi
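To make the verification problem concrete, here is an added example (not code from the kernel, the patch, or anyone in this thread) written in Python rather than kernel C, since a measurement-list verifier runs in user space. It builds one template-data record as a sequence of (u32 length, bytes) fields, the way a binary IMA template entry is laid out, and recomputes the template hash two ways: over the raw bytes of the list entry, which is the "no knowledge of the template format" check from before the patch, and by parsing every field and re-encoding its length in network order, which is what a verifier needs once the hashed lengths are in network order but the list is still written in host order. The field contents, the `sha1:` prefix and the file name are constructed sample values, not real measurements, and the exact byte layout of a real ima-ng digest field is not reproduced.

```python
"""Added example: a toy verifier for one binary IMA measurement-list entry.
The record is a sequence of length-prefixed fields; the template hash is
recomputed either over the raw blob or after parsing and re-encoding the
length fields in network byte order.  All sample data is constructed."""

import hashlib
import struct
import sys

# struct byte-order prefix for this host ('<' little-endian, '>' big-endian)
HOST_ORDER = "<" if sys.byteorder == "little" else ">"
NET_ORDER = "!"  # network (big-endian) order, as htonl() produces


def encode_template_data(fields, order):
    """Serialise fields as (u32 length, data) pairs using the given order."""
    out = b""
    for data in fields:
        out += struct.pack(order + "I", len(data)) + data
    return out


def template_hash(fields):
    """Hash the template data with every length field in network order,
    i.e. the platform-independent form the patch argues for."""
    return hashlib.sha1(encode_template_data(fields, NET_ORDER)).digest()


def parse_template_data(blob, order):
    """Split a binary template-data blob back into its fields, reading each
    u32 length in the given byte order.  Raises ValueError if a length
    field is truncated or a declared length overruns the blob."""
    fields = []
    off = 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated length field at offset %d" % off)
        (n,) = struct.unpack_from(order + "I", blob, off)
        off += 4
        if off + n > len(blob):
            raise ValueError("field of %d bytes overruns blob at %d" % (n, off))
        fields.append(blob[off:off + n])
        off += n
    return fields


def verify_raw(blob, expected):
    """Pre-patch style check: hash the whole entry exactly as delivered.
    Needs no knowledge of the template format, but only matches when the
    list was written in the same byte order the hash was computed in."""
    return hashlib.sha1(blob).digest() == expected


def verify_parsed(blob, expected, list_order):
    """Post-patch style check: parse the fields using the byte order the
    list was written in, then rehash with lengths in network order."""
    fields = parse_template_data(blob, list_order)
    return template_hash(fields) == expected


# Constructed sample record: a digest-style field and a NUL-terminated name.
SAMPLE_FIELDS = [b"sha1:" + bytes(range(20)), b"/usr/bin/example\0"]
EXPECTED_HASH = template_hash(SAMPLE_FIELDS)
# The same entry as a list written in host order and in network order.
LIST_HOST_ORDER = encode_template_data(SAMPLE_FIELDS, HOST_ORDER)
LIST_NET_ORDER = encode_template_data(SAMPLE_FIELDS, NET_ORDER)

if __name__ == "__main__":
    print("host byte order:", sys.byteorder)
    print("raw hash over host-order list matches:",
          verify_raw(LIST_HOST_ORDER, EXPECTED_HASH))
    print("parsed check of host-order list matches:",
          verify_parsed(LIST_HOST_ORDER, EXPECTED_HASH, HOST_ORDER))
    print("raw hash over network-order list matches:",
          verify_raw(LIST_NET_ORDER, EXPECTED_HASH))
```

On a little-endian host the first line prints False and the other two True: once the hashed lengths are in network order, the raw-blob check only survives if the list itself is also emitted in network order, and a verifier reading such a list still has to know to decode each length with the network-order equivalent of ntohl().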