git.baikalelectronics.ru Git - kernel.git/commit

author	Roberto Sassu <roberto.sassu@huawei.com>
	Wed, 25 Mar 2020 10:53:50 +0000 (11:53 +0100)
committer	Mimi Zohar <zohar@linux.ibm.com>
	Mon, 20 Apr 2020 02:03:39 +0000 (22:03 -0400)
commit	c57c6036602c310c9a613009c5da3320b79e7d67
tree	7e17b50d0a5cb7c630bd404c4a51727042f71438	tree \| snapshot
parent	4ded3392b061052521b5181c9f1c4668d662600e	commit \| diff

ima: Calculate and extend PCR with digests in ima_template_entry

This patch modifies ima_calc_field_array_hash() to calculate a template
digest for each allocated PCR bank and SHA1. It also passes the tpm_digest
array of the template entry to ima_pcr_extend() or in case of a violation,
the pre-initialized digests array filled with 0xff.

Padding with zeros is still done if the mapping between TPM algorithm ID
and crypto ID is unknown.

This patch calculates again the template digest when a measurement list is
restored. Copying only the SHA1 digest (due to the limitation of the
current measurement list format) is not sufficient, as hash collision
detection will be done on the digest calculated with the IMA default hash
algorithm.

Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

security/integrity/ima/ima_crypto.c		diff \| blob \| history
security/integrity/ima/ima_queue.c		diff \| blob \| history
security/integrity/ima/ima_template.c		diff \| blob \| history