authorMimi Zohar <zohar@linux.ibm.com>2021-12-23 12:29:56 -0500
committerMimi Zohar <zohar@linux.ibm.com>2022-05-05 11:49:13 -0400
commit54f03916fb892441f9a9b579db9ad7925cdeb395 (patch)
tree0fdee8270399ff57636479db46d5d37044373608 /security/integrity/ima/ima_template_lib.c
parent989dc72511f7b57b94b42eabfcbe79d9070de6e3 (diff)
ima: permit fsverity's file digests in the IMA measurement list
Permit fsverity's file digest (a hash of struct fsverity_descriptor) to be included in the IMA measurement list, based on the new measurement policy rule 'digest_type=verity' option. To differentiate a regular IMA file hash from an fsverity file digest, use the new d-ngv2 format field included in the ima-ngv2 template. The following policy rule requires fsverity file digests and specifies the new 'ima-ngv2' template, which contains the new 'd-ngv2' field. The policy rule may be constrained, for example based on a fsuuid or LSM label. measure func=FILE_CHECK digest_type=verity template=ima-ngv2 Acked-by: Stefan Berger <stefanb@linux.ibm.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Diffstat (limited to 'security/integrity/ima/ima_template_lib.c')
-rw-r--r--security/integrity/ima/ima_template_lib.c10
1 files changed, 7 insertions, 3 deletions
diff --git a/security/integrity/ima/ima_template_lib.c b/security/integrity/ima/ima_template_lib.c
index 409023e620d6..08fd74217e2c 100644
--- a/security/integrity/ima/ima_template_lib.c
+++ b/security/integrity/ima/ima_template_lib.c
@@ -32,12 +32,14 @@ enum data_formats {
enum digest_type {
DIGEST_TYPE_IMA,
+ DIGEST_TYPE_VERITY,
DIGEST_TYPE__LAST
};
-#define DIGEST_TYPE_NAME_LEN_MAX 4 /* including NUL */
+#define DIGEST_TYPE_NAME_LEN_MAX 7 /* including NUL */
static const char * const digest_type_name[DIGEST_TYPE__LAST] = {
- [DIGEST_TYPE_IMA] = "ima"
+ [DIGEST_TYPE_IMA] = "ima",
+ [DIGEST_TYPE_VERITY] = "verity"
};
static int ima_write_template_field_data(const void *data, const u32 datalen,
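Review bot: DIGEST_TYPE_NAME_LEN_MAX is raised from 4 to 7 by hand to fit "verity", but nothing ties that constant to the digest_type_name[] table it describes, and the constant sizes the stack buffer `u8 buffer[DIGEST_TYPE_NAME_LEN_MAX + CRYPTO_MAX_ALG_NAME + 2 + ...]` in ima_eventdigest_init_common shown in the next hunk. A future digest type with a longer name would compile cleanly with the buffer one byte too small; whether the formatting into that buffer is bounded is not visible on this page, so the risk is at least an unnoticed truncation and possibly worse. Pin the relationship at compile time next to the table, `static_assert(sizeof("verity") <= DIGEST_TYPE_NAME_LEN_MAX);`, or a `BUILD_BUG_ON()` in the function that formats into the buffer, so the next addition fails to build rather than silently undersizing the buffer.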
@@ -297,7 +299,7 @@ static int ima_eventdigest_init_common(const u8 *digest, u32 digestsize,
*
* where 'DATA_FMT_DIGEST' is the original digest format ('d')
* with a hash size limitation of 20 bytes,
- * where <digest type> is "ima",
+ * where <digest type> is either "ima" or "verity",
* where <hash algo> is the hash_algo_name[] string.
*/
u8 buffer[DIGEST_TYPE_NAME_LEN_MAX + CRYPTO_MAX_ALG_NAME + 2 +
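Review bot: The updated comment line enumerates the digest type names, which goes stale as soon as a third entry joins digest_type_name[], whereas the following line already describes <hash algo> by its table rather than by value. Suggest the parallel form: `* where <digest type> is the digest_type_name[] string ("ima" or "verity"),`. The enclosing function ima_eventdigest_init_common starts before this hunk and its body continues past it.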
@@ -432,6 +434,8 @@ int ima_eventdigest_ngv2_init(struct ima_event_data *event_data,
cur_digestsize = event_data->iint->ima_hash->length;
hash_algo = event_data->iint->ima_hash->algo;
+ if (event_data->iint->flags & IMA_VERITY_REQUIRED)
+ digest_type = DIGEST_TYPE_VERITY;
out:
return ima_eventdigest_init_common(cur_digest, cur_digestsize,
digest_type, hash_algo,