[Linux-ima-devel] [PATCH 00/16] Multiple template digests

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

This patch set adds support in IMA for calculating the digest of an event
with multiple hash algorithms. If a TPM is available, selection is limited
to what the TPM support. If not, algorithms supported by the crypto
subsystem can be selected up to the limit of PCR banks.

Each digest will be used to extend the PCR bank with the same algorithm.
If not all algorithms supported by the TPM are selected by the users,
the first digest is truncated/padded to extend remaining banks.

To display multiple digests, the new Crypto Agile format has been
introduced. It is similar to the TCG format, but it has been adapted
to make parsing easier. For example, for the binary list, the total
length of template digest and each partial length are sent to userspace.

The Crypto Agile format can be enabled with the new kernel command line
parameter ima_template_hash_fmt=. Its value is the list of chosen
algorithms or the string 'all', to select all the algorithms supported
by the TPM.

The patch set is structured as follows.

First, the new digest descriptor structure is introduced. It will be
associated to each measurement entry, when a new measurement entry
is created (when an event matches policy criteria, or when a list
is restored after kexec). It contains the information necessary
to parse/display template digests, and to extend a PCR.

Second, the IMA code has been modified to calculate the event data
digest multiple times and to handle digests with variable length.

Third, the Crypto Agile format is introduced and the code necessary
to parse/display template digests has been implemented.

Fourth, algorithms not supported by the TPM are removed from the
digest descriptor and the digests calculated with accepted algorithms
is passed to the TPM driver interface.

Last, for testing, new files have been added to the securityfs
filesystem to save/restore a measurement list.

Roberto Sassu (16):
  ima: introduce ima digest template descriptor
  ima: set digest descriptor for each measurement entry
  ima: initialize and store tfm for current digest descriptor
  ima: switch from hard-coded to variable template digest length
  ima: calculate the digest for each algorithm selected by the user
  ima: introduce crypto agile format
  ima: add functions to define new digest template descriptors
  ima: add support for restoring crypto agile measurement list
  ima: introduce ima-header template
  ima: introduce ima_get_init_template()
  ima: pass digest fmt and template name to ima_alloc_init_template()
  ima: introduce ima_add_event_log_header()
  ima: check if template digest algorithms are supported by the TPM
  ima: extend PCR banks with appropriate digests
  ima: added ima_template_hash= kernel parameter
  ima: enable securityfs interfaces to save/restore a measurements list

 Documentation/admin-guide/kernel-parameters.txt |   5 +
 Documentation/security/IMA-templates.txt        |   8 +-
 security/integrity/ima/Kconfig                  |   8 +
 security/integrity/ima/ima.h                    |  37 ++-
 security/integrity/ima/ima_api.c                |  33 ++-
 security/integrity/ima/ima_crypto.c             | 134 ++++++++--
 security/integrity/ima/ima_fs.c                 | 141 ++++++++++-
 security/integrity/ima/ima_init.c               |  60 ++++-
 security/integrity/ima/ima_kexec.c              |   2 +-
 security/integrity/ima/ima_main.c               |  28 +++
 security/integrity/ima/ima_queue.c              |  47 +++-
 security/integrity/ima/ima_template.c           | 313 ++++++++++++++++++++++--
 security/integrity/ima/ima_template_lib.c       | 104 ++++++++
 security/integrity/ima/ima_template_lib.h       |  11 +
 14 files changed, 856 insertions(+), 75 deletions(-)

-- 
2.9.3