summaryrefslogtreecommitdiffstats
path: root/security/integrity/evm/evm.h
diff options
context:
space:
mode:
authorDmitry Kasatkin <dmitry.kasatkin@intel.com>2012-09-10 10:37:20 +0300
committerMimi Zohar <zohar@linux.vnet.ibm.com>2013-02-06 10:40:28 -0500
commit74de66842473bdafa798010e58f1999ec70a8983 (patch)
tree83bb9c589051fd7269a9cd2bf1d7be9a955eccbd /security/integrity/evm/evm.h
parent6e38bfaad6c83bdd07eb659f9bfd50f8d71a5a46 (diff)
downloadlinux-74de66842473bdafa798010e58f1999ec70a8983.tar.gz
linux-74de66842473bdafa798010e58f1999ec70a8983.tar.bz2
linux-74de66842473bdafa798010e58f1999ec70a8983.zip
evm: add file system uuid to EVM hmac
EVM uses the same key for all file systems to calculate the HMAC, making it possible to paste inodes from one file system on to another one, without EVM being able to detect it. To prevent such an attack, it is necessary to make the EVM HMAC file system specific. This patch uses the file system UUID, a file system unique identifier, to bind the EVM HMAC to the file system. The value inode->i_sb->s_uuid is used for the HMAC hash calculation, instead of using it for deriving the file system specific key. Initializing the key for every inode HMAC calculation is a bit more expensive operation than adding the uuid to the HMAC hash. Changing the HMAC calculation method or adding additional info to the calculation, requires existing EVM labeled file systems to be relabeled. This patch adds a Kconfig HMAC version option for backwards compatability. Changelog v1: - squash "hmac version setting" Changelog v0: - add missing Kconfig depends (Mimi) Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Diffstat (limited to 'security/integrity/evm/evm.h')
-rw-r--r--security/integrity/evm/evm.h1
1 files changed, 1 insertions, 0 deletions
diff --git a/security/integrity/evm/evm.h b/security/integrity/evm/evm.h
index 3eb30c6db419..30bd1ec0232e 100644
--- a/security/integrity/evm/evm.h
+++ b/security/integrity/evm/evm.h
@@ -24,6 +24,7 @@
extern int evm_initialized;
extern char *evm_hmac;
extern char *evm_hash;
+extern int evm_hmac_version;
extern struct crypto_shash *hmac_tfm;
extern struct crypto_shash *hash_tfm;