
A buffer (kexec boot command line arguments) measured into the IMA measurement list cannot be appraised without already being aware of the buffer contents. Since hashes are non-reversible, the raw buffer is needed for validation or for regenerating the hash for appraisal/attestation. Add support to store/read the buffer contents in HEX. The kexec cmdline hash is stored in the "d-ng" field of the template data. It can be verified using sudo cat /sys/kernel/security/integrity/ima/ascii_runtime_measurements | grep kexec-cmdline | cut -d' ' -f 6 | xxd -r -p | sha256sum - Add two new fields to ima_event_data to hold the buf and buf_len - Add a new template field 'buf' to be used to store/read the buffer data. - Updated process_buffer_measurement to add the buffer to ima_event_data. process_buffer_measurement was added in "Define a new IMA hook to measure the boot command line arguments" - Add a new template policy name ima-buf to represent 'd-ng|n-ng|buf' Signed-off-by: Prakhar Srivastava <prsriva02@gmail.com> Reviewed-by: Roberto Sassu <roberto.sassu@huawei.com> Reviewed-by: James Morris <jamorris@linux.microsoft.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
/*
 * Copyright (C) 2013 Politecnico di Torino, Italy
 * TORSEC group -- http://security.polito.it
 *
 * Author: Roberto Sassu <roberto.sassu@polito.it>
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License as
 * published by the Free Software Foundation, version 2 of the
 * License.
 *
 * File: ima_template_lib.h
 * Header for the library of supported template fields.
 *
 * Each template field is handled by a pair of callbacks declared below:
 * an ima_event*_init() routine that fills a struct ima_field_data from a
 * struct ima_event_data, and an ima_show_template_*() routine that prints
 * that field into the measurement list seq_file.
 */
#ifndef __LINUX_IMA_TEMPLATE_LIB_H
#define __LINUX_IMA_TEMPLATE_LIB_H
#include <linux/seq_file.h>
#include "ima.h"
/*
 * Flags accepted in the enforce_mask argument of ima_parse_buf().
 * NOTE(review): their exact semantics are not visible in this header; the
 * names suggest ENFORCE_FIELDS requires every expected field to be present
 * and ENFORCE_BUFEND requires the parser to consume the input exactly up to
 * bufendp -- confirm against the definition in ima_template_lib.c.
 */
#define ENFORCE_FIELDS 0x00000001
#define ENFORCE_BUFEND 0x00000002
/* Print the 'd' (digest) field of @field_data to @m in the format @show. */
void ima_show_template_digest(struct seq_file *m, enum ima_show_type show,
struct ima_field_data *field_data);
/* Print the 'd-ng' (digest with algorithm prefix) field to @m. */
void ima_show_template_digest_ng(struct seq_file *m, enum ima_show_type show,
struct ima_field_data *field_data);
/* Print a string-valued field (e.g. 'n' / 'n-ng', the event name) to @m. */
void ima_show_template_string(struct seq_file *m, enum ima_show_type show,
struct ima_field_data *field_data);
/* Print the 'sig' (file signature) field to @m. */
void ima_show_template_sig(struct seq_file *m, enum ima_show_type show,
struct ima_field_data *field_data);
/*
 * Print the 'buf' field to @m.  Unlike the digest fields this carries the
 * measured buffer contents themselves (e.g. the kexec command line),
 * rendered in hex, so that a verifier can recompute the 'd-ng' digest
 * from the measurement list alone.
 */
void ima_show_template_buf(struct seq_file *m, enum ima_show_type show,
struct ima_field_data *field_data);
/*
 * Parse serialized template data in [@bufstartp, @bufendp) into at most
 * @maxfields entries of @fields.  On return *@curfields holds the number of
 * fields filled and *@bufcurp the position reached in the input; @len_mask
 * and @enforce_mask (ENFORCE_* flags) select which length/boundary checks
 * are applied and @bufname identifies the buffer, presumably for error
 * messages.  Return-value convention is not visible here; the caller should
 * treat any non-zero result as failure -- TODO confirm in ima_template_lib.c.
 */
int ima_parse_buf(void *bufstartp, void *bufendp, void **bufcurp,
int maxfields, struct ima_field_data *fields, int *curfields,
unsigned long *len_mask, int enforce_mask, char *bufname);
/* Fill @field_data with the 'd' digest taken from @event_data. */
int ima_eventdigest_init(struct ima_event_data *event_data,
struct ima_field_data *field_data);
/* Fill @field_data with the 'n' event name taken from @event_data. */
int ima_eventname_init(struct ima_event_data *event_data,
struct ima_field_data *field_data);
/* Fill @field_data with the 'd-ng' algorithm-prefixed digest. */
int ima_eventdigest_ng_init(struct ima_event_data *event_data,
struct ima_field_data *field_data);
/* Fill @field_data with the 'n-ng' event name. */
int ima_eventname_ng_init(struct ima_event_data *event_data,
struct ima_field_data *field_data);
/* Fill @field_data with the 'sig' file signature. */
int ima_eventsig_init(struct ima_event_data *event_data,
struct ima_field_data *field_data);
/*
 * Fill @field_data with the 'buf' field from event_data->buf and
 * event_data->buf_len.  Used by the "ima-buf" template ('d-ng|n-ng|buf');
 * the buffer is recorded verbatim, so its length bounds the size of the
 * resulting measurement entry.
 */
int ima_eventbuf_init(struct ima_event_data *event_data,
struct ima_field_data *field_data);
#endif /* __LINUX_IMA_TEMPLATE_LIB_H */