@@ -16,7 +16,11 @@ struct integrity_iint_cache;
static inline bool evm_protects_fsverity(void)
{
+#ifdef CONFIG_EVM_ATTR_FSVERITY
+ return true;
+#else
return false;
+#endif
}
#ifdef CONFIG_EVM
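Review bot: The other hunks of this patch test the option with `IS_ENABLED(CONFIG_EVM_ATTR_FSVERITY)` (evm_crypto.c and evm_main.c), so the header helper could use the same form in one line instead of the #ifdef/#else pair: `return IS_ENABLED(CONFIG_EVM_ATTR_FSVERITY);`. That keeps one body visible to the compiler in both configurations and reads consistently with the rest of the series. A one-line comment on the helper would also help callers, e.g. `/* True when the fsverity formatted digest is part of the EVM HMAC/digest. */`.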
@@ -27,6 +27,21 @@ config EVM_ATTR_FSUUID
additional info to the calculation, requires existing EVM
labeled file systems to be relabeled.
+config EVM_ATTR_FSVERITY
+ bool "Include fsverity formatted digest"
+ default n
+ depends on EVM
+ depends on FS_VERITY
+ help
+ Include fsverity formatted digest for HMAC/digest calculation.
+
+ Default value is 'not selected'.
+
+ WARNING: changing the HMAC/digest calculation method or adding
+ additional info to the calculation, requires existing EVM
+ labeled file systems to be relabeled, and the signatures to be
+ replaced.
+
config EVM_EXTRA_SMACK_XATTRS
bool "Additional SMACK xattrs"
depends on EVM && SECURITY_SMACK
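Review bot: The help text does not mention that, when a verity digest is present, it appears to stand in for the IMA xattr (the evm_crypto.c hunk sets ima_present and clears error once the digest is hashed), which is the main behavioral consequence a user enabling this option needs to know. Suggested sentence after the first help line: `When present, the fsverity digest also satisfies the IMA hash requirement for portable EVM signatures.` The relabeling warning already covers the compatibility impact.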
@@ -16,6 +16,7 @@
#include <linux/crypto.h>
#include <linux/xattr.h>
#include <linux/evm.h>
+#include <linux/fsverity.h>
#include <keys/encrypted-type.h>
#include <crypto/hash.h>
#include <crypto/hash_info.h>
@@ -224,6 +225,9 @@ static int evm_calc_hmac_or_hash(struct dentry *dentry,
int error;
int size, user_space_size;
bool ima_present = false;
+ u8 fsverity_fmt_digest[FS_VERITY_MAX_FMT_DIGEST_SIZE];
+ ssize_t fsverity_fmt_digest_len;
+ enum hash_algo fsverity_algo;
if (!(inode->i_opflags & IOP_XATTR) ||
inode->i_sb->s_user_ns != &init_user_ns)
@@ -296,6 +300,20 @@ static int evm_calc_hmac_or_hash(struct dentry *dentry,
dump_security_xattr(xattr->name, xattr_value,
xattr_size);
}
+
+ if (IS_ENABLED(CONFIG_EVM_ATTR_FSVERITY)) {
+ fsverity_fmt_digest_len = fsverity_get_formatted_digest(inode,
+ fsverity_fmt_digest,
+ &fsverity_algo);
+ if (fsverity_fmt_digest_len > 0) {
+ crypto_shash_update(desc, fsverity_fmt_digest,
+ fsverity_fmt_digest_len);
+ /* Fsverity formatted digest satisfies this req. */
+ ima_present = true;
+ error = 0;
+ }
+ }
+
hmac_add_misc(desc, inode, type, data->digest);
/* Portable EVM signatures must include an IMA hash */
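Review bot: A negative return from fsverity_get_formatted_digest() (the call on the lines after `if (IS_ENABLED(CONFIG_EVM_ATTR_FSVERITY))`) is treated the same as "no verity digest", so an unexpected failure would leave the HMAC or hash computed without the content binding and no error reported; if the helper distinguishes "not a verity file" from a real failure, the failure should be propagated through `error` rather than dropped. The crypto_shash_update() result is also unchecked, which I believe matches the other update calls in this function, so a short comment saying so would help. `fsverity_algo` is filled by the call but never read in the hunk; if the helper accepts a NULL output pointer the variable can go, otherwise a comment on why it is ignored. Proposed comment above the IS_ENABLED() test: `/* A verity digest, when present, binds the file content in place of the IMA xattr; a negative length is currently treated as absent — TODO confirm against the helper's error contract */`. evm_calc_hmac_or_hash() starts and ends outside this hunk.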
@@ -108,6 +108,10 @@ static void __init evm_init_config(void)
#ifdef CONFIG_EVM_ATTR_FSUUID
evm_hmac_attrs |= EVM_ATTR_FSUUID;
#endif
+
+ if (IS_ENABLED(CONFIG_EVM_ATTR_FSVERITY))
+ pr_info("Fsverity formatted digest included in calculation\n");
+
pr_info("HMAC attrs: 0x%x\n", evm_hmac_attrs);
}
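Review bot: The new lines use `IS_ENABLED(CONFIG_EVM_ATTR_FSVERITY)` while the attribute three lines above in the same function uses `#ifdef CONFIG_EVM_ATTR_FSUUID`; either form works, but mixing both within evm_init_config() reads oddly, so either switch the new lines to `#ifdef CONFIG_EVM_ATTR_FSVERITY` / `#endif` or note in a comment that IS_ENABLED() is preferred for new code. The message itself is useful since the fsverity inclusion is not reflected in the `HMAC attrs` bitmask printed on the next line.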
Include the fsverity formatted digest in the HMAC/digest calculation. It can be a substitute of the IMA xattr for binding the EVM HMAC/signature to the file content. This feature is disabled by default, and must be enabled in the kernel configuration. Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> --- include/linux/evm.h | 4 ++++ security/integrity/evm/Kconfig | 15 +++++++++++++++ security/integrity/evm/evm_crypto.c | 18 ++++++++++++++++++ security/integrity/evm/evm_main.c | 4 ++++ 4 files changed, 41 insertions(+)