diff options
author | Deven Bowers <deven.desai@linux.microsoft.com> | 2024-08-02 23:08:27 -0700 |
---|---|---|
committer | Paul Moore <paul@paul-moore.com> | 2024-08-20 14:02:45 -0400 |
commit | e155858dd99523d4afe0f74e9c26e4f4499eb5af (patch) | |
tree | 4e9034938934ccc58d6f10aff42616140392afe2 /security/ipe/audit.c | |
parent | a6af7bc3d72ff52c5526a392144347fcb3094149 (diff) | |
download | linux-e155858dd99523d4afe0f74e9c26e4f4499eb5af.tar.gz linux-e155858dd99523d4afe0f74e9c26e4f4499eb5af.tar.bz2 linux-e155858dd99523d4afe0f74e9c26e4f4499eb5af.zip |
ipe: add support for dm-verity as a trust provider
Allows author of IPE policy to indicate trust for a singular dm-verity
volume, identified by roothash, through "dmverity_roothash" and all
signed and validated dm-verity volumes, through "dmverity_signature".
Signed-off-by: Deven Bowers <deven.desai@linux.microsoft.com>
Signed-off-by: Fan Wu <wufan@linux.microsoft.com>
[PM: fixed some line length issues in the comments]
Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'security/ipe/audit.c')
-rw-r--r-- | security/ipe/audit.c | 29 |
1 files changed, 27 insertions, 2 deletions
diff --git a/security/ipe/audit.c b/security/ipe/audit.c index 5af150d99d63..8e21879e96c7 100644 --- a/security/ipe/audit.c +++ b/security/ipe/audit.c @@ -13,6 +13,7 @@ #include "hooks.h" #include "policy.h" #include "audit.h" +#include "digest.h" #define ACTSTR(x) ((x) == IPE_ACTION_ALLOW ? "ALLOW" : "DENY") @@ -52,9 +53,23 @@ static const char *const audit_hook_names[__IPE_HOOK_MAX] = { static const char *const audit_prop_names[__IPE_PROP_MAX] = { "boot_verified=FALSE", "boot_verified=TRUE", + "dmverity_roothash=", + "dmverity_signature=FALSE", + "dmverity_signature=TRUE", }; /** + * audit_dmv_roothash() - audit the roothash of a dmverity_roothash property. + * @ab: Supplies a pointer to the audit_buffer to append to. + * @rh: Supplies a pointer to the digest structure. + */ +static void audit_dmv_roothash(struct audit_buffer *ab, const void *rh) +{ + audit_log_format(ab, "%s", audit_prop_names[IPE_PROP_DMV_ROOTHASH]); + ipe_digest_audit(ab, rh); +} + +/** * audit_rule() - audit an IPE policy rule. * @ab: Supplies a pointer to the audit_buffer to append to. * @r: Supplies a pointer to the ipe_rule to approximate a string form for. @@ -65,8 +80,18 @@ static void audit_rule(struct audit_buffer *ab, const struct ipe_rule *r) audit_log_format(ab, " rule=\"op=%s ", audit_op_names[r->op]); - list_for_each_entry(ptr, &r->props, next) - audit_log_format(ab, "%s ", audit_prop_names[ptr->type]); + list_for_each_entry(ptr, &r->props, next) { + switch (ptr->type) { + case IPE_PROP_DMV_ROOTHASH: + audit_dmv_roothash(ab, ptr->value); + break; + default: + audit_log_format(ab, "%s", audit_prop_names[ptr->type]); + break; + } + + audit_log_format(ab, " "); + } audit_log_format(ab, "action=%s\"", ACTSTR(r->action)); } |