kernel_5.10 no rt

hc

2023-12-11 6778948f9de86c3cfaf36725a7c87dcff9ba247f

 kernel/security/integrity/ima/ima_init.c
..
..
@@ -1,3 +1,4 @@
1
+// SPDX-License-Identifier: GPL-2.0-only
1
2
 /*
2
3
  * Copyright (C) 2005,2006,2007,2008 IBM Corporation
3
4
  *
..
..
@@ -6,18 +7,11 @@
6
7
  * Leendert van Doorn <leendert@watson.ibm.com>
7
8
  * Mimi Zohar         <zohar@us.ibm.com>
8
9
  *
9
- * This program is free software; you can redistribute it and/or
10
- * modify it under the terms of the GNU General Public License as
11
- * published by the Free Software Foundation, version 2 of the
12
- * License.
13
- *
14
10
  * File: ima_init.c
15
11
  *             initialization and cleanup functions
16
12
  */
17
13
 
18
-#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
19
-
20
-#include <linux/module.h>
14
+#include <linux/init.h>
21
15
 #include <linux/scatterlist.h>
22
16
 #include <linux/slab.h>
23
17
 #include <linux/err.h>
..
..
@@ -31,7 +25,7 @@
31
25
 /* Add the boot aggregate to the IMA measurement list and extend
32
26
  * the PCR register.
33
27
  *
34
- * Calculate the boot aggregate, a SHA1 over tpm registers 0-7,
28
+ * Calculate the boot aggregate, a hash over tpm registers 0-7,
35
29
  * assuming a TPM chip exists, and zeroes if the TPM chip does not
36
30
  * exist.  Add the boot aggregate measurement to the measurement
37
31
  * list and extend the PCR register.
..
..
@@ -49,21 +43,33 @@
49
43
 	const char *audit_cause = "ENOMEM";
50
44
 	struct ima_template_entry *entry;
51
45
 	struct integrity_iint_cache tmp_iint, *iint = &tmp_iint;
52
-	struct ima_event_data event_data = {iint, NULL, boot_aggregate_name,
53
-					    NULL, 0, NULL};
46
+	struct ima_event_data event_data = { .iint = iint,
47
+					     .filename = boot_aggregate_name };
54
48
 	int result = -ENOMEM;
55
49
 	int violation = 0;
56
50
 	struct {
57
51
 		struct ima_digest_data hdr;
58
-		char digest[TPM_DIGEST_SIZE];
52
+		char digest[TPM_MAX_DIGEST_SIZE];
59
53
 	} hash;
60
54
 
61
55
 	memset(iint, 0, sizeof(*iint));
62
56
 	memset(&hash, 0, sizeof(hash));
63
57
 	iint->ima_hash = &hash.hdr;
64
-	iint->ima_hash->algo = HASH_ALGO_SHA1;
65
-	iint->ima_hash->length = SHA1_DIGEST_SIZE;
58
+	iint->ima_hash->algo = ima_hash_algo;
59
+	iint->ima_hash->length = hash_digest_size[ima_hash_algo];
66
60
 
61
+	/*
62
+	 * With TPM 2.0 hash agility, TPM chips could support multiple TPM
63
+	 * PCR banks, allowing firmware to configure and enable different
64
+	 * banks.  The SHA1 bank is not necessarily enabled.
65
+	 *
66
+	 * Use the same hash algorithm for reading the TPM PCRs as for
67
+	 * calculating the boot aggregate digest.  Preference is given to
68
+	 * the configured IMA default hash algorithm.  Otherwise, use the
69
+	 * TCG required banks - SHA256 for TPM 2.0, SHA1 for TPM 1.2.
70
+	 * Ultimately select SHA1 also for TPM 2.0 if the SHA256 PCR bank
71
+	 * is not found.
72
+	 */
67
73
 	if (ima_tpm_chip) {
68
74
 		result = ima_calc_boot_aggregate(&hash.hdr);
69
75
 		if (result < 0) {
..
..
@@ -72,7 +78,7 @@
72
78
 		}
73
79
 	}
74
80
 
75
-	result = ima_alloc_init_template(&event_data, &entry);
81
+	result = ima_alloc_init_template(&event_data, &entry, NULL);
76
82
 	if (result < 0) {
77
83
 		audit_cause = "alloc_entry";
78
84
 		goto err_out;
..
..
@@ -123,13 +129,23 @@
123
129
 	if (rc != 0)
124
130
 		return rc;
125
131
 
132
+	/* It can be called before ima_init_digests(), it does not use TPM. */
126
133
 	ima_load_kexec_buffer();
127
134
 
135
+	rc = ima_init_digests();
136
+	if (rc != 0)
137
+		return rc;
128
138
 	rc = ima_add_boot_aggregate();	/* boot aggregate must be first entry */
129
139
 	if (rc != 0)
130
140
 		return rc;
131
141
 
132
142
 	ima_init_policy();
133
143
 
134
-	return ima_fs_init();
144
+	rc = ima_fs_init();
145
+	if (rc != 0)
146
+		return rc;
147
+
148
+	ima_init_key_queue();
149
+
150
+	return rc;
135
151
 }