From: Mimi Z. <zo...@li...> - 2014-05-14 21:33:36
On Wed, 2014-05-07 at 18:13 +0200, Andreas Steffen wrote:
> For remote attestation it is important for the ima measurement values
> to be platform-independent. Therefore integer fields to be hashed
> must be converted to network order first.
>
> Signed-off-by: Andreas Steffen <and...@st...>
> ---
> security/integrity/ima/ima_crypto.c | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/security/integrity/ima/ima_crypto.c b/security/integrity/ima/ima_crypto.c
> index 1bde8e6..8725bff 100644
> --- a/security/integrity/ima/ima_crypto.c
> +++ b/security/integrity/ima/ima_crypto.c
> @@ -170,11 +170,12 @@ static int ima_calc_field_array_hash_tfm(struct ima_field_data *field_data,
> u8 buffer[IMA_EVENT_NAME_LEN_MAX + 1] = { 0 };
> u8 *data_to_hash = field_data[i].data;
> u32 datalen = field_data[i].len;
> + u32 datalen_to_hash = htonl(datalen);
>
> if (strcmp(td->name, IMA_TEMPLATE_IMA_NAME) != 0) {
> rc = crypto_shash_update(&desc.shash,
> - (const u8 *) &field_data[i].len,
> - sizeof(field_data[i].len));
> + (const u8 *) &datalen_to_hash,
> + sizeof(datalen_to_hash));
> if (rc)
> break;
> } else if (strcmp(td->fields[i]->field_id, "n") == 0) {
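Review bot: in the kernel `htonl()` returns `__be32`, so the new line `u32 datalen_to_hash = htonl(datalen);` will draw a sparse "different base types" warning; declaring it `__be32 datalen_to_hash = cpu_to_be32(datalen);` avoids that and matches the byteorder idiom used elsewhere in the tree. Beyond the type, the hunk changes only what is fed to `crypto_shash_update()`, and the diffstat shows no other file touched, so the length bytes carried in the binary measurement list are still written in host order; on a little-endian host a verifier that rehashes the list exactly as received would then no longer reproduce the kernel's template-data digest unless the list format is converted in the same series, or the documented expectation is that verifiers swap the length before hashing.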
After thinking about this some more, and discussing it with Roberto and
Dave, this change is probably unnecessary. Assuming the measurement
list is sent in host native format, a hash of the template data will
match the value contained in the measurement list. Only if the template
data is converted to network byte order, prior to sending it, would
there be a problem.

The PCR value provides a good heuristic for determining the data
endianness.

Mimi
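The argument above, as an added example that is not part of this thread and not IMA code: a verifier that rehashes the measurement-list bytes exactly as received reproduces the template-data digest whatever byte order the length fields were hashed in, and only a list serialized in a different byte order than the one that was hashed fails to verify. FNV-1a stands in for the kernel's crypto_shash, and the sample fields are constructed.

```c
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>
/* Stand-in for crypto_shash_update(): 32-bit FNV-1a, fed incrementally.
 * Illustrative only, not the kernel's hash. */
static uint32_t fnv_update(uint32_t h, const uint8_t *p, size_t n)
{
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

/* A template field: raw data plus its length (cf. struct ima_field_data). */
struct field { const uint8_t *data; uint32_t len; };
/* Constructed sample record: a fake 4-byte "d" digest and an "n" file name. */
static const uint8_t sample_d[] = { 0xde, 0xad, 0xbe, 0xef };
static const struct field sample[] = {
    { sample_d, sizeof(sample_d) }, { (const uint8_t *)"/bin/ls", 7 },
};

/* Write each field as <4-byte length><data>, the layout of the binary list.
 * big_endian = 1 writes the length via htonl() as the hunk does; 0 writes it
 * in host order as the current code does. */
static size_t serialize(const struct field *f, size_t nf, int big_endian, uint8_t *out)
{
    size_t off = 0;
    for (size_t i = 0; i < nf; i++) {
        uint32_t len = big_endian ? htonl(f[i].len) : f[i].len;
        memcpy(out + off, &len, sizeof len);    off += sizeof len;
        memcpy(out + off, f[i].data, f[i].len); off += f[i].len;
    }
    return off;
}

/* Kernel side: template-data digest over length-then-data for each field. */
static uint32_t template_digest(int big_endian_len)
{
    uint8_t buf[64];
    size_t n = serialize(sample, 2, big_endian_len, buf);
    return fnv_update(2166136261u, buf, n);
}

/* Verifier side: rehash the list bytes exactly as received. Returns 1 when
 * that reproduces the kernel digest, 0 when the two disagree. */
static int verifier_matches(int big_endian_len_in_hash, int big_endian_len_in_list)
{
    uint8_t list[64];
    size_t n = serialize(sample, 2, big_endian_len_in_list, list);
    return fnv_update(2166136261u, list, n) == template_digest(big_endian_len_in_hash);
}
```

On a little-endian host `verifier_matches(1, 0)` returns 0: the digest was computed over network-order lengths while the list still carries host-order ones, which is the mismatch Mimi describes; on a big-endian host `htonl()` is the identity and both agree.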