From: Roberto S. <rob...@hu...> - 2017-03-29 17:36:33
|
This patch set adds support in IMA for calculating the digest of an event with multiple hash algorithms. If a TPM is available, selection is limited to what the TPM support. If not, algorithms supported by the crypto subsystem can be selected up to the limit of PCR banks. Each digest will be used to extend the PCR bank with the same algorithm. If not all algorithms supported by the TPM are selected by the users, the first digest is truncated/padded to extend remaining banks. To display multiple digests, the new Crypto Agile format has been introduced. It is similar to the TCG format, but it has been adapted to make parsing easier. For example, for the binary list, the total length of template digest and each partial length are sent to userspace. The Crypto Agile format can be enabled with the new kernel command line parameter ima_template_hash_fmt=. Its value is the list of chosen algorithms or the string 'all', to select all the algorithms supported by the TPM. The patch set is structured as follows. First, the new digest descriptor structure is introduced. It will be associated to each measurement entry, when a new measurement entry is created (when an event matches policy criteria, or when a list is restored after kexec). It contains the information necessary to parse/display template digests, and to extend a PCR. Second, the IMA code has been modified to calculate the event data digest multiple times and to handle digests with variable length. Third, the Crypto Agile format is introduced and the code necessary to parse/display template digests has been implemented. Fourth, algorithms not supported by the TPM are removed from the digest descriptor and the digests calculated with accepted algorithms is passed to the TPM driver interface. Last, for testing, new files have been added to the securityfs filesystem to save/restore a measurement list. Roberto Sassu (16): ima: introduce ima digest template descriptor ima: set digest descriptor for each measurement entry ima: initialize and store tfm for current digest descriptor ima: switch from hard-coded to variable template digest length ima: calculate the digest for each algorithm selected by the user ima: introduce crypto agile format ima: add functions to define new digest template descriptors ima: add support for restoring crypto agile measurement list ima: introduce ima-header template ima: introduce ima_get_init_template() ima: pass digest fmt and template name to ima_alloc_init_template() ima: introduce ima_add_event_log_header() ima: check if template digest algorithms are supported by the TPM ima: extend PCR banks with appropriate digests ima: added ima_template_hash= kernel parameter ima: enable securityfs interfaces to save/restore a measurements list Documentation/admin-guide/kernel-parameters.txt | 5 + Documentation/security/IMA-templates.txt | 8 +- security/integrity/ima/Kconfig | 8 + security/integrity/ima/ima.h | 37 ++- security/integrity/ima/ima_api.c | 33 ++- security/integrity/ima/ima_crypto.c | 134 ++++++++-- security/integrity/ima/ima_fs.c | 141 ++++++++++- security/integrity/ima/ima_init.c | 60 ++++- security/integrity/ima/ima_kexec.c | 2 +- security/integrity/ima/ima_main.c | 28 +++ security/integrity/ima/ima_queue.c | 47 +++- security/integrity/ima/ima_template.c | 313 ++++++++++++++++++++++-- security/integrity/ima/ima_template_lib.c | 104 ++++++++ security/integrity/ima/ima_template_lib.h | 11 + 14 files changed, 856 insertions(+), 75 deletions(-) -- 2.9.3 |