diff mbox series

[v4,1/3] ima: Introduce ima_get_current_hash_algo()

Message ID 20210723085304.1760138-2-roberto.sassu@huawei.com (mailing list archive)
State New, archived
Headers show
Series ima: Provide more info about buffer measurement | expand

Commit Message

Roberto Sassu July 23, 2021, 8:53 a.m. UTC
Buffer measurements, unlike file measurements, are not accessible after the
measurement is done, as buffers are not suitable for use with the
integrity_iint_cache structure (there is no index, for files it is the
inode number). In the subsequent patches, the measurement (digest) will be
returned directly by the functions that perform the buffer measurement,
ima_measure_critical_data() and process_buffer_measurement().

A caller of those functions also needs to know the algorithm used to
calculate the digest. Instead of adding the algorithm as a new parameter to
the functions, this patch provides it separately with the new function
ima_get_current_hash_algo().

Since the hash algorithm does not change after the IMA setup phase, there
is no risk of races (obtaining a digest calculated with a different
algorithm than the one returned).

Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Reviewed-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
---
 include/linux/ima.h               | 7 +++++++
 security/integrity/ima/ima_main.c | 5 +++++
 2 files changed, 12 insertions(+)

Comments

Mimi Zohar July 23, 2021, 12:49 p.m. UTC | #1
On Fri, 2021-07-23 at 10:53 +0200, Roberto Sassu wrote:
> Buffer measurements, unlike file measurements, are not accessible after the
> measurement is done, as buffers are not suitable for use with the
> integrity_iint_cache structure (there is no index, for files it is the
> inode number). In the subsequent patches, the measurement (digest) will be
> returned directly by the functions that perform the buffer measurement,
> ima_measure_critical_data() and process_buffer_measurement().
> 
> A caller of those functions also needs to know the algorithm used to
> calculate the digest. Instead of adding the algorithm as a new parameter to
> the functions, this patch provides it separately with the new function
> ima_get_current_hash_algo().
> 
> Since the hash algorithm does not change after the IMA setup phase, there
> is no risk of races (obtaining a digest calculated with a different
> algorithm than the one returned).

Perfect explaination for annotating ima_hash_algo like:

int __ro_after_init ima_hash_algo = HASH_ALGO_SHA1;

Assuming you don't object, I'll include this change in this patch.

thanks,

Mimi

> 
> Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
> Reviewed-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
Roberto Sassu July 23, 2021, 12:51 p.m. UTC | #2
> From: Mimi Zohar [mailto:zohar@linux.ibm.com]
> Sent: Friday, July 23, 2021 2:49 PM
> On Fri, 2021-07-23 at 10:53 +0200, Roberto Sassu wrote:
> > Buffer measurements, unlike file measurements, are not accessible after the
> > measurement is done, as buffers are not suitable for use with the
> > integrity_iint_cache structure (there is no index, for files it is the
> > inode number). In the subsequent patches, the measurement (digest) will be
> > returned directly by the functions that perform the buffer measurement,
> > ima_measure_critical_data() and process_buffer_measurement().
> >
> > A caller of those functions also needs to know the algorithm used to
> > calculate the digest. Instead of adding the algorithm as a new parameter to
> > the functions, this patch provides it separately with the new function
> > ima_get_current_hash_algo().
> >
> > Since the hash algorithm does not change after the IMA setup phase, there
> > is no risk of races (obtaining a digest calculated with a different
> > algorithm than the one returned).
> 
> Perfect explaination for annotating ima_hash_algo like:
> 
> int __ro_after_init ima_hash_algo = HASH_ALGO_SHA1;
> 
> Assuming you don't object, I'll include this change in this patch.

Sure, thanks.

Roberto

HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Li Peng, Li Jian, Shi Yanli

> thanks,
> 
> Mimi
> 
> >
> > Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
> > Reviewed-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
diff mbox series

Patch

diff --git a/include/linux/ima.h b/include/linux/ima.h
index 61d5723ec303..81e830d01ced 100644
--- a/include/linux/ima.h
+++ b/include/linux/ima.h
@@ -11,9 +11,11 @@ 
 #include <linux/fs.h>
 #include <linux/security.h>
 #include <linux/kexec.h>
+#include <crypto/hash_info.h>
 struct linux_binprm;
 
 #ifdef CONFIG_IMA
+extern enum hash_algo ima_get_current_hash_algo(void);
 extern int ima_bprm_check(struct linux_binprm *bprm);
 extern int ima_file_check(struct file *file, int mask);
 extern void ima_post_create_tmpfile(struct user_namespace *mnt_userns,
@@ -64,6 +66,11 @@  static inline const char * const *arch_get_ima_policy(void)
 #endif
 
 #else
+static inline enum hash_algo ima_get_current_hash_algo(void)
+{
+	return HASH_ALGO__LAST;
+}
+
 static inline int ima_bprm_check(struct linux_binprm *bprm)
 {
 	return 0;
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 287b90509006..8ef1fa357e0c 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -76,6 +76,11 @@  static int __init hash_setup(char *str)
 }
 __setup("ima_hash=", hash_setup);
 
+enum hash_algo ima_get_current_hash_algo(void)
+{
+	return ima_hash_algo;
+}
+
 /* Prevent mmap'ing a file execute that is already mmap'ed write */
 static int mmap_violation_check(enum ima_hooks func, struct file *file,
 				char **pathbuf, const char **pathname,