From: Roberto S. <rob...@hu...> - 2017-03-29 17:41:04
Use the new function tpm_pcr_extend_digests() if TPM version is 2.0.
The first digest is padded/truncated if not all algorithms supported
by the TPM have been selected.
Signed-off-by: Roberto Sassu <rob...@hu...>
---
security/integrity/ima/ima_queue.c | 27 ++++++++++++++++++++++++---
1 file changed, 24 insertions(+), 3 deletions(-)
diff --git a/security/integrity/ima/ima_queue.c b/security/integrity/ima/ima_queue.c
index 640ff9f..3687f6e 100644
--- a/security/integrity/ima/ima_queue.c
+++ b/security/integrity/ima/ima_queue.c
@@ -147,14 +147,35 @@ unsigned long ima_get_binary_runtime_size(void)
return binary_runtime_size + sizeof(struct ima_kexec_hdr);
};
-static int ima_pcr_extend(const u8 *hash, int pcr)
+static int ima_pcr_extend(const u8 *hash, int pcr, struct ima_digest_desc *desc)
{
+ struct tpm2_digest digests[desc->tpm_algo_num];
+ u8 const *hash_ptr = hash;
int result = 0;
+ int i, hash_algo_idx;
if (!ima_used_chip)
return result;
- result = tpm_pcr_extend(TPM_ANY_NUM, pcr, hash);
+ if (!tpm_is_tpm2(TPM_ANY_NUM)) {
+ result = tpm_pcr_extend(TPM_ANY_NUM, pcr, hash);
+ goto out;
+ }
+
+ memset(digests, 0, sizeof(digests));
+
+ for (i = 0; i < desc->tpm_algo_num; i++) {
+ hash_algo_idx = (i < desc->algo_num) ? i : 0;
+ hash_ptr = (i < desc->algo_num) ? hash_ptr : hash;
+ digests[i].alg_id = desc->tpm_algorithms[i];
+ memcpy(digests[i].digest, hash_ptr,
+ hash_digest_size[desc->algorithms[hash_algo_idx]]);
+ hash_ptr += hash_digest_size[desc->algorithms[i]];
+ }
+
+ result = tpm_pcr_extend_digests(TPM_ANY_NUM, pcr, desc->tpm_algo_num,
+ digests);
+out:
if (result != 0)
pr_err("Error Communicating to TPM chip, result: %d\n", result);
return result;
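Review bot: The pointer advance at the end of the loop body, `hash_ptr += hash_digest_size[desc->algorithms[i]];`, is not clamped the way the memcpy two lines above it is: once `i` reaches `desc->algo_num` it indexes `desc->algorithms[i]` beyond the selected algorithms, even though `hash_ptr` is reset to `hash` on those iterations so the value is never used. Reusing the already-clamped index, `hash_ptr += hash_digest_size[desc->algorithms[hash_algo_idx]];`, keeps every access within the first `algo_num` entries (assuming `algorithms` holds only that many, which the struct definition outside this hunk would confirm). Separately, `struct tpm2_digest digests[desc->tpm_algo_num]` is a variable-length array on the kernel stack; unless `tpm_algo_num` is bounded by a small compile-time constant, a fixed-size array of the maximum bank count or a heap allocation would be the conventional choice. ima_pcr_extend's closing brace is outside the hunk.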
@@ -199,7 +220,7 @@ int ima_add_template_entry(struct ima_template_entry *entry, int violation,
if (violation) /* invalidate pcr */
memset(digest, 0xff, sizeof(digest));
- tpmresult = ima_pcr_extend(digest, entry->pcr);
+ tpmresult = ima_pcr_extend(digest, entry->pcr, entry->digest_desc);
if (tpmresult != 0) {
snprintf(tpm_audit_cause, AUDIT_CAUSE_LEN_MAX, "TPM_error(%d)",
tpmresult);
--
2.9.3