~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/security/integrity/ima/ima_init.c

Version: ~ [ linux-6.11.5 ] ~ [ linux-6.10.14 ] ~ [ linux-6.9.12 ] ~ [ linux-6.8.12 ] ~ [ linux-6.7.12 ] ~ [ linux-6.6.58 ] ~ [ linux-6.5.13 ] ~ [ linux-6.4.16 ] ~ [ linux-6.3.13 ] ~ [ linux-6.2.16 ] ~ [ linux-6.1.114 ] ~ [ linux-6.0.19 ] ~ [ linux-5.19.17 ] ~ [ linux-5.18.19 ] ~ [ linux-5.17.15 ] ~ [ linux-5.16.20 ] ~ [ linux-5.15.169 ] ~ [ linux-5.14.21 ] ~ [ linux-5.13.19 ] ~ [ linux-5.12.19 ] ~ [ linux-5.11.22 ] ~ [ linux-5.10.228 ] ~ [ linux-5.9.16 ] ~ [ linux-5.8.18 ] ~ [ linux-5.7.19 ] ~ [ linux-5.6.19 ] ~ [ linux-5.5.19 ] ~ [ linux-5.4.284 ] ~ [ linux-5.3.18 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.322 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.336 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.337 ] ~ [ linux-4.4.302 ] ~ [ linux-3.10.108 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.9 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

Diff markup

Differences between /security/integrity/ima/ima_init.c (Architecture m68k) and /security/integrity/ima/ima_init.c (Architecture alpha)


  1 // SPDX-License-Identifier: GPL-2.0-only            1 // SPDX-License-Identifier: GPL-2.0-only
  2 /*                                                  2 /*
  3  * Copyright (C) 2005,2006,2007,2008 IBM Corpo      3  * Copyright (C) 2005,2006,2007,2008 IBM Corporation
  4  *                                                  4  *
  5  * Authors:                                         5  * Authors:
  6  * Reiner Sailer      <sailer@watson.ibm.com>       6  * Reiner Sailer      <sailer@watson.ibm.com>
  7  * Leendert van Doorn <leendert@watson.ibm.com      7  * Leendert van Doorn <leendert@watson.ibm.com>
  8  * Mimi Zohar         <zohar@us.ibm.com>            8  * Mimi Zohar         <zohar@us.ibm.com>
  9  *                                                  9  *
 10  * File: ima_init.c                                10  * File: ima_init.c
 11  *             initialization and cleanup func     11  *             initialization and cleanup functions
 12  */                                                12  */
 13                                                    13 
 14 #include <linux/init.h>                            14 #include <linux/init.h>
 15 #include <linux/scatterlist.h>                     15 #include <linux/scatterlist.h>
 16 #include <linux/slab.h>                            16 #include <linux/slab.h>
 17 #include <linux/err.h>                             17 #include <linux/err.h>
 18 #include <linux/ima.h>                             18 #include <linux/ima.h>
 19 #include <generated/utsrelease.h>                  19 #include <generated/utsrelease.h>
 20                                                    20 
 21 #include "ima.h"                                   21 #include "ima.h"
 22                                                    22 
 23 /* name for boot aggregate entry */                23 /* name for boot aggregate entry */
 24 const char boot_aggregate_name[] = "boot_aggre     24 const char boot_aggregate_name[] = "boot_aggregate";
 25 struct tpm_chip *ima_tpm_chip;                     25 struct tpm_chip *ima_tpm_chip;
 26                                                    26 
 27 /* Add the boot aggregate to the IMA measureme     27 /* Add the boot aggregate to the IMA measurement list and extend
 28  * the PCR register.                               28  * the PCR register.
 29  *                                                 29  *
 30  * Calculate the boot aggregate, a hash over t     30  * Calculate the boot aggregate, a hash over tpm registers 0-7,
 31  * assuming a TPM chip exists, and zeroes if t     31  * assuming a TPM chip exists, and zeroes if the TPM chip does not
 32  * exist.  Add the boot aggregate measurement      32  * exist.  Add the boot aggregate measurement to the measurement
 33  * list and extend the PCR register.               33  * list and extend the PCR register.
 34  *                                                 34  *
 35  * If a tpm chip does not exist, indicate the      35  * If a tpm chip does not exist, indicate the core root of trust is
 36  * not hardware based by invalidating the aggr     36  * not hardware based by invalidating the aggregate PCR value.
 37  * (The aggregate PCR value is invalidated by      37  * (The aggregate PCR value is invalidated by adding one value to
 38  * the measurement list and extending the aggr     38  * the measurement list and extending the aggregate PCR value with
 39  * a different value.) Violations add a zero e     39  * a different value.) Violations add a zero entry to the measurement
 40  * list and extend the aggregate PCR value wit     40  * list and extend the aggregate PCR value with ff...ff's.
 41  */                                                41  */
 42 static int __init ima_add_boot_aggregate(void)     42 static int __init ima_add_boot_aggregate(void)
 43 {                                                  43 {
 44         static const char op[] = "add_boot_agg     44         static const char op[] = "add_boot_aggregate";
 45         const char *audit_cause = "ENOMEM";        45         const char *audit_cause = "ENOMEM";
 46         struct ima_template_entry *entry;          46         struct ima_template_entry *entry;
 47         struct ima_iint_cache tmp_iint, *iint      47         struct ima_iint_cache tmp_iint, *iint = &tmp_iint;
 48         struct ima_event_data event_data = { .     48         struct ima_event_data event_data = { .iint = iint,
 49                                              .     49                                              .filename = boot_aggregate_name };
 50         struct ima_max_digest_data hash;           50         struct ima_max_digest_data hash;
 51         struct ima_digest_data *hash_hdr = con     51         struct ima_digest_data *hash_hdr = container_of(&hash.hdr,
 52                                                    52                                                 struct ima_digest_data, hdr);
 53         int result = -ENOMEM;                      53         int result = -ENOMEM;
 54         int violation = 0;                         54         int violation = 0;
 55                                                    55 
 56         memset(iint, 0, sizeof(*iint));            56         memset(iint, 0, sizeof(*iint));
 57         memset(&hash, 0, sizeof(hash));            57         memset(&hash, 0, sizeof(hash));
 58         iint->ima_hash = hash_hdr;                 58         iint->ima_hash = hash_hdr;
 59         iint->ima_hash->algo = ima_hash_algo;      59         iint->ima_hash->algo = ima_hash_algo;
 60         iint->ima_hash->length = hash_digest_s     60         iint->ima_hash->length = hash_digest_size[ima_hash_algo];
 61                                                    61 
 62         /*                                         62         /*
 63          * With TPM 2.0 hash agility, TPM chip     63          * With TPM 2.0 hash agility, TPM chips could support multiple TPM
 64          * PCR banks, allowing firmware to con     64          * PCR banks, allowing firmware to configure and enable different
 65          * banks.  The SHA1 bank is not necess     65          * banks.  The SHA1 bank is not necessarily enabled.
 66          *                                         66          *
 67          * Use the same hash algorithm for rea     67          * Use the same hash algorithm for reading the TPM PCRs as for
 68          * calculating the boot aggregate dige     68          * calculating the boot aggregate digest.  Preference is given to
 69          * the configured IMA default hash alg     69          * the configured IMA default hash algorithm.  Otherwise, use the
 70          * TCG required banks - SHA256 for TPM     70          * TCG required banks - SHA256 for TPM 2.0, SHA1 for TPM 1.2.
 71          * Ultimately select SHA1 also for TPM     71          * Ultimately select SHA1 also for TPM 2.0 if the SHA256 PCR bank
 72          * is not found.                           72          * is not found.
 73          */                                        73          */
 74         if (ima_tpm_chip) {                        74         if (ima_tpm_chip) {
 75                 result = ima_calc_boot_aggrega     75                 result = ima_calc_boot_aggregate(hash_hdr);
 76                 if (result < 0) {                  76                 if (result < 0) {
 77                         audit_cause = "hashing     77                         audit_cause = "hashing_error";
 78                         goto err_out;              78                         goto err_out;
 79                 }                                  79                 }
 80         }                                          80         }
 81                                                    81 
 82         result = ima_alloc_init_template(&even     82         result = ima_alloc_init_template(&event_data, &entry, NULL);
 83         if (result < 0) {                          83         if (result < 0) {
 84                 audit_cause = "alloc_entry";       84                 audit_cause = "alloc_entry";
 85                 goto err_out;                      85                 goto err_out;
 86         }                                          86         }
 87                                                    87 
 88         result = ima_store_template(entry, vio     88         result = ima_store_template(entry, violation, NULL,
 89                                     boot_aggre     89                                     boot_aggregate_name,
 90                                     CONFIG_IMA     90                                     CONFIG_IMA_MEASURE_PCR_IDX);
 91         if (result < 0) {                          91         if (result < 0) {
 92                 ima_free_template_entry(entry)     92                 ima_free_template_entry(entry);
 93                 audit_cause = "store_entry";       93                 audit_cause = "store_entry";
 94                 goto err_out;                      94                 goto err_out;
 95         }                                          95         }
 96         return 0;                                  96         return 0;
 97 err_out:                                           97 err_out:
 98         integrity_audit_msg(AUDIT_INTEGRITY_PC     98         integrity_audit_msg(AUDIT_INTEGRITY_PCR, NULL, boot_aggregate_name, op,
 99                             audit_cause, resul     99                             audit_cause, result, 0);
100         return result;                            100         return result;
101 }                                                 101 }
102                                                   102 
103 #ifdef CONFIG_IMA_LOAD_X509                       103 #ifdef CONFIG_IMA_LOAD_X509
104 void __init ima_load_x509(void)                   104 void __init ima_load_x509(void)
105 {                                                 105 {
106         int unset_flags = ima_policy_flag & IM    106         int unset_flags = ima_policy_flag & IMA_APPRAISE;
107                                                   107 
108         ima_policy_flag &= ~unset_flags;          108         ima_policy_flag &= ~unset_flags;
109         integrity_load_x509(INTEGRITY_KEYRING_    109         integrity_load_x509(INTEGRITY_KEYRING_IMA, CONFIG_IMA_X509_PATH);
110                                                   110 
111         /* load also EVM key to avoid appraisa    111         /* load also EVM key to avoid appraisal */
112         evm_load_x509();                          112         evm_load_x509();
113                                                   113 
114         ima_policy_flag |= unset_flags;           114         ima_policy_flag |= unset_flags;
115 }                                                 115 }
116 #endif                                            116 #endif
117                                                   117 
118 int __init ima_init(void)                         118 int __init ima_init(void)
119 {                                                 119 {
120         int rc;                                   120         int rc;
121                                                   121 
122         ima_tpm_chip = tpm_default_chip();        122         ima_tpm_chip = tpm_default_chip();
123         if (!ima_tpm_chip)                        123         if (!ima_tpm_chip)
124                 pr_info("No TPM chip found, ac    124                 pr_info("No TPM chip found, activating TPM-bypass!\n");
125                                                   125 
126         rc = integrity_init_keyring(INTEGRITY_    126         rc = integrity_init_keyring(INTEGRITY_KEYRING_IMA);
127         if (rc)                                   127         if (rc)
128                 return rc;                        128                 return rc;
129                                                   129 
130         rc = ima_init_crypto();                   130         rc = ima_init_crypto();
131         if (rc)                                   131         if (rc)
132                 return rc;                        132                 return rc;
133         rc = ima_init_template();                 133         rc = ima_init_template();
134         if (rc != 0)                              134         if (rc != 0)
135                 return rc;                        135                 return rc;
136                                                   136 
137         /* It can be called before ima_init_di    137         /* It can be called before ima_init_digests(), it does not use TPM. */
138         ima_load_kexec_buffer();                  138         ima_load_kexec_buffer();
139                                                   139 
140         rc = ima_init_digests();                  140         rc = ima_init_digests();
141         if (rc != 0)                              141         if (rc != 0)
142                 return rc;                        142                 return rc;
143         rc = ima_add_boot_aggregate();  /* boo    143         rc = ima_add_boot_aggregate();  /* boot aggregate must be first entry */
144         if (rc != 0)                              144         if (rc != 0)
145                 return rc;                        145                 return rc;
146                                                   146 
147         ima_init_policy();                        147         ima_init_policy();
148                                                   148 
149         rc = ima_fs_init();                       149         rc = ima_fs_init();
150         if (rc != 0)                              150         if (rc != 0)
151                 return rc;                        151                 return rc;
152                                                   152 
153         ima_init_key_queue();                     153         ima_init_key_queue();
154                                                   154 
155         ima_measure_critical_data("kernel_info    155         ima_measure_critical_data("kernel_info", "kernel_version",
156                                   UTS_RELEASE,    156                                   UTS_RELEASE, strlen(UTS_RELEASE), false,
157                                   NULL, 0);       157                                   NULL, 0);
158                                                   158 
159         return rc;                                159         return rc;
160 }                                                 160 }
161                                                   161 

~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

kernel.org | git.kernel.org | LWN.net | Project Home | SVN repository | Mail admin

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

sflogo.php