| Message ID | 20190521000645.16227-3-prsriva02@gmail.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | add new ima hook ima_kexec_cmdline to measure kexec boot cmdline args | expand |
On 5/21/2019 2:06 AM, Prakhar Srivastava wrote: > A buffer(cmdline args) measured into ima cannot be appraised > without already being aware of the buffer contents.Since we Space before 'Since'. > don't know what cmdline args will be passed (or need to validate > what was passed) it is not possible to appraise it. > > Since hashs are non reversible the raw buffer is needed to > recompute the hash. Hashes. > To regenrate the hash of the buffer and appraise the same Regenerate. > the contents of the buffer need to be available. > > A new template field buf is added to the existing ima template > fields, which can be used to store/read the buffer itself. > Two new fields are added to the ima_event_data to carry the > buf and buf_len whenever necessary. > > Updated the process_buffer_measurement call to add the buf > to the ima_event_data. > process_buffer_measurement added in "Add a new ima hook > ima_kexec_cmdline to measure cmdline args" > > - Add a new template field 'buf' to be used to store/read > the buffer data. > - Added two new fields to ima_event_data to hold the buf and > buf_len [Suggested by Roberto] > -Updated process_buffer_meaurement to add the buffer to Space after -. > ima_event_data > > Signed-off-by: Prakhar Srivastava <prsriva02@gmail.com> > --- > Documentation/security/IMA-templates.rst | 2 +- > security/integrity/ima/ima.h | 2 ++ > security/integrity/ima/ima_api.c | 4 ++-- > security/integrity/ima/ima_init.c | 2 +- > security/integrity/ima/ima_main.c | 4 +++- > security/integrity/ima/ima_template.c | 2 ++ > security/integrity/ima/ima_template_lib.c | 20 ++++++++++++++++++++ > security/integrity/ima/ima_template_lib.h | 4 ++++ > 8 files changed, 35 insertions(+), 5 deletions(-) > > diff --git a/Documentation/security/IMA-templates.rst b/Documentation/security/IMA-templates.rst > index 2cd0e273cc9a..9cddb66727ee 100644 > --- a/Documentation/security/IMA-templates.rst > +++ b/Documentation/security/IMA-templates.rst > @@ -70,7 +70,7 @@ descriptors by adding their identifier to the format string > prefix is shown only if the hash algorithm is not SHA1 or MD5); > - 'n-ng': the name of the event, without size limitations; > - 'sig': the file signature. ; instead of . > - Keep the new line. Apart from that, the patch looks good to me. Reviewed-by: Roberto Sassu <roberto.sassu@huawei.com> Roberto > + - 'buf': the buffer data that was used to generate the hash without size limitations. > > Below, there is the list of defined template descriptors: > > diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h > index 226a26d8de09..4a82541dc3b6 100644 > --- a/security/integrity/ima/ima.h > +++ b/security/integrity/ima/ima.h > @@ -65,6 +65,8 @@ struct ima_event_data { > struct evm_ima_xattr_data *xattr_value; > int xattr_len; > const char *violation; > + const void *buf; > + int buf_len; > }; > > /* IMA template field data definition */ > diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c > index 800d965232e5..c12f1cd38f8f 100644 > --- a/security/integrity/ima/ima_api.c > +++ b/security/integrity/ima/ima_api.c > @@ -134,7 +134,7 @@ void ima_add_violation(struct file *file, const unsigned char *filename, > struct ima_template_entry *entry; > struct inode *inode = file_inode(file); > struct ima_event_data event_data = {iint, file, filename, NULL, 0, > - cause}; > + cause, NULL, 0}; > int violation = 1; > int result; > > @@ -286,7 +286,7 @@ void ima_store_measurement(struct integrity_iint_cache *iint, > struct inode *inode = file_inode(file); > struct ima_template_entry *entry; > struct ima_event_data event_data = {iint, file, filename, xattr_value, > - xattr_len, NULL}; > + xattr_len, NULL, NULL, 0}; > int violation = 0; > > if (iint->measured_pcrs & (0x1 << pcr)) > diff --git a/security/integrity/ima/ima_init.c b/security/integrity/ima/ima_init.c > index 6c9295449751..0c34d3100b5b 100644 > --- a/security/integrity/ima/ima_init.c > +++ b/security/integrity/ima/ima_init.c > @@ -50,7 +50,7 @@ static int __init ima_add_boot_aggregate(void) > struct ima_template_entry *entry; > struct integrity_iint_cache tmp_iint, *iint = &tmp_iint; > struct ima_event_data event_data = {iint, NULL, boot_aggregate_name, > - NULL, 0, NULL}; > + NULL, 0, NULL, NULL, 0}; > int result = -ENOMEM; > int violation = 0; > struct { > diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c > index a88c28918a63..6c5691b65b84 100644 > --- a/security/integrity/ima/ima_main.c > +++ b/security/integrity/ima/ima_main.c > @@ -594,7 +594,7 @@ static void process_buffer_measurement(const void *buf, int size, > struct ima_template_entry *entry = NULL; > struct integrity_iint_cache tmp_iint, *iint = &tmp_iint; > struct ima_event_data event_data = {iint, NULL, NULL, > - NULL, 0, NULL}; > + NULL, 0, NULL, NULL, 0}; > struct { > struct ima_digest_data hdr; > char digest[IMA_MAX_DIGEST_SIZE]; > @@ -611,6 +611,8 @@ static void process_buffer_measurement(const void *buf, int size, > memset(&hash, 0, sizeof(hash)); > > event_data.filename = eventname; > + event_data.buf = buf; > + event_data.buf_len = size; > > iint->ima_hash = &hash.hdr; > iint->ima_hash->algo = ima_hash_algo; > diff --git a/security/integrity/ima/ima_template.c b/security/integrity/ima/ima_template.c > index b631b8bc7624..a76d1c04162a 100644 > --- a/security/integrity/ima/ima_template.c > +++ b/security/integrity/ima/ima_template.c > @@ -43,6 +43,8 @@ static const struct ima_template_field supported_fields[] = { > .field_show = ima_show_template_string}, > {.field_id = "sig", .field_init = ima_eventsig_init, > .field_show = ima_show_template_sig}, > + {.field_id = "buf", .field_init = ima_eventbuf_init, > + .field_show = ima_show_template_buf}, > }; > #define MAX_TEMPLATE_NAME_LEN 15 > > diff --git a/security/integrity/ima/ima_template_lib.c b/security/integrity/ima/ima_template_lib.c > index 513b457ae900..43d1404141c1 100644 > --- a/security/integrity/ima/ima_template_lib.c > +++ b/security/integrity/ima/ima_template_lib.c > @@ -162,6 +162,12 @@ void ima_show_template_sig(struct seq_file *m, enum ima_show_type show, > ima_show_template_field_data(m, show, DATA_FMT_HEX, field_data); > } > > +void ima_show_template_buf(struct seq_file *m, enum ima_show_type show, > + struct ima_field_data *field_data) > +{ > + ima_show_template_field_data(m, show, DATA_FMT_HEX, field_data); > +} > + > /** > * ima_parse_buf() - Parses lengths and data from an input buffer > * @bufstartp: Buffer start address. > @@ -389,3 +395,17 @@ int ima_eventsig_init(struct ima_event_data *event_data, > return ima_write_template_field_data(xattr_value, event_data->xattr_len, > DATA_FMT_HEX, field_data); > } > + > +/* > + * ima_eventbuf_init - include the buffer(kexec-cmldine) as part of the > + * template data. > + */ > +int ima_eventbuf_init(struct ima_event_data *event_data, > + struct ima_field_data *field_data) > +{ > + if ((!event_data->buf) || (event_data->buf_len == 0)) > + return 0; > + > + return ima_write_template_field_data(event_data->buf, event_data->buf_len, > + DATA_FMT_HEX, field_data); > +} > diff --git a/security/integrity/ima/ima_template_lib.h b/security/integrity/ima/ima_template_lib.h > index 6a3d8b831deb..f0178bc60c55 100644 > --- a/security/integrity/ima/ima_template_lib.h > +++ b/security/integrity/ima/ima_template_lib.h > @@ -29,6 +29,8 @@ void ima_show_template_string(struct seq_file *m, enum ima_show_type show, > struct ima_field_data *field_data); > void ima_show_template_sig(struct seq_file *m, enum ima_show_type show, > struct ima_field_data *field_data); > +void ima_show_template_buf(struct seq_file *m, enum ima_show_type show, > + struct ima_field_data *field_data); > int ima_parse_buf(void *bufstartp, void *bufendp, void **bufcurp, > int maxfields, struct ima_field_data *fields, int *curfields, > unsigned long *len_mask, int enforce_mask, char *bufname); > @@ -42,4 +44,6 @@ int ima_eventname_ng_init(struct ima_event_data *event_data, > struct ima_field_data *field_data); > int ima_eventsig_init(struct ima_event_data *event_data, > struct ima_field_data *field_data); > +int ima_eventbuf_init(struct ima_event_data *event_data, > + struct ima_field_data *field_data); > #endif /* __LINUX_IMA_TEMPLATE_LIB_H */ >
On Mon, 2019-05-20 at 17:06 -0700, Prakhar Srivastava wrote: > A buffer(cmdline args) measured into ima cannot be appraised > without already being aware of the buffer contents.Since we > don't know what cmdline args will be passed (or need to validate > what was passed) it is not possible to appraise it. > > Since hashs are non reversible the raw buffer is needed to > recompute the hash. > To regenrate the hash of the buffer and appraise the same > the contents of the buffer need to be available. > > A new template field buf is added to the existing ima template > fields, which can be used to store/read the buffer itself. > Two new fields are added to the ima_event_data to carry the > buf and buf_len whenever necessary. > > Updated the process_buffer_measurement call to add the buf > to the ima_event_data. > process_buffer_measurement added in "Add a new ima hook > ima_kexec_cmdline to measure cmdline args" > > - Add a new template field 'buf' to be used to store/read > the buffer data. > - Added two new fields to ima_event_data to hold the buf and > buf_len [Suggested by Roberto] > -Updated process_buffer_meaurement to add the buffer to > ima_event_data This patch description can be written more concisely. Patch 1/3 in this series introduces measuring the kexec boot command line. This patch defines a new template field for storing the kexec boot command line in the measurement list in order for a remote attestation server to verify. As mentioned, the first patch description should include a shell command for verifying the digest in the kexec boot command line measurement list record against /proc/cmdline. This patch description should include a shell command showing how to verify the digest based on the new field. Should the new field in the ascii measurement list be displayed as a string, not hex? Mimi
On 5/24/2019 5:12 PM, Mimi Zohar wrote: > On Mon, 2019-05-20 at 17:06 -0700, Prakhar Srivastava wrote: >> A buffer(cmdline args) measured into ima cannot be appraised >> without already being aware of the buffer contents.Since we >> don't know what cmdline args will be passed (or need to validate >> what was passed) it is not possible to appraise it. >> >> Since hashs are non reversible the raw buffer is needed to >> recompute the hash. >> To regenrate the hash of the buffer and appraise the same >> the contents of the buffer need to be available. >> >> A new template field buf is added to the existing ima template >> fields, which can be used to store/read the buffer itself. >> Two new fields are added to the ima_event_data to carry the >> buf and buf_len whenever necessary. >> >> Updated the process_buffer_measurement call to add the buf >> to the ima_event_data. >> process_buffer_measurement added in "Add a new ima hook >> ima_kexec_cmdline to measure cmdline args" >> >> - Add a new template field 'buf' to be used to store/read >> the buffer data. >> - Added two new fields to ima_event_data to hold the buf and >> buf_len [Suggested by Roberto] >> -Updated process_buffer_meaurement to add the buffer to >> ima_event_data > > This patch description can be written more concisely. > > Patch 1/3 in this series introduces measuring the kexec boot command > line. This patch defines a new template field for storing the kexec > boot command line in the measurement list in order for a remote > attestation server to verify. > > As mentioned, the first patch description should include a shell > command for verifying the digest in the kexec boot command line > measurement list record against /proc/cmdline. This patch description > should include a shell command showing how to verify the digest based > on the new field. Should the new field in the ascii measurement list > be displayed as a string, not hex? We should define a new type. If the type is DATA_FMT_STRING, spaces are replaced with '_'. Roberto
On 5/24/2019 5:42 PM, Roberto Sassu wrote: > On 5/24/2019 5:12 PM, Mimi Zohar wrote: >> On Mon, 2019-05-20 at 17:06 -0700, Prakhar Srivastava wrote: >>> A buffer(cmdline args) measured into ima cannot be appraised >>> without already being aware of the buffer contents.Since we >>> don't know what cmdline args will be passed (or need to validate >>> what was passed) it is not possible to appraise it. >>> >>> Since hashs are non reversible the raw buffer is needed to >>> recompute the hash. >>> To regenrate the hash of the buffer and appraise the same >>> the contents of the buffer need to be available. >>> >>> A new template field buf is added to the existing ima template >>> fields, which can be used to store/read the buffer itself. >>> Two new fields are added to the ima_event_data to carry the >>> buf and buf_len whenever necessary. >>> >>> Updated the process_buffer_measurement call to add the buf >>> to the ima_event_data. >>> process_buffer_measurement added in "Add a new ima hook >>> ima_kexec_cmdline to measure cmdline args" >>> >>> - Add a new template field 'buf' to be used to store/read >>> the buffer data. >>> - Added two new fields to ima_event_data to hold the buf and >>> buf_len [Suggested by Roberto] >>> -Updated process_buffer_meaurement to add the buffer to >>> ima_event_data >> >> This patch description can be written more concisely. >> >> Patch 1/3 in this series introduces measuring the kexec boot command >> line. This patch defines a new template field for storing the kexec >> boot command line in the measurement list in order for a remote >> attestation server to verify. >> >> As mentioned, the first patch description should include a shell >> command for verifying the digest in the kexec boot command line >> measurement list record against /proc/cmdline. This patch description >> should include a shell command showing how to verify the digest based >> on the new field. Should the new field in the ascii measurement list >> be displayed as a string, not hex? > > We should define a new type. If the type is DATA_FMT_STRING, spaces are > replaced with '_'. Or better. Leave it as hex, otherwise there would be a parsing problem if there are spaces in the data for a field. Roberto
> >> As mentioned, the first patch description should include a shell > >> command for verifying the digest in the kexec boot command line > >> measurement list record against /proc/cmdline. This patch description > >> should include a shell command showing how to verify the digest based > >> on the new field. Should the new field in the ascii measurement list > >> be displayed as a string, not hex? > > > > We should define a new type. If the type is DATA_FMT_STRING, spaces are > > replaced with '_'. > > Or better. Leave it as hex, otherwise there would be a parsing problem > if there are spaces in the data for a field. After making a few changes, the measurement list contains the following kexec-cmdline data: 10 edc32d1e3a5ba7272280a395b6fb56a5ef7c78c3 ima-buf sha256:4f43b7db850e 88c49dfeffd4b1eb4f021d78033dfb05b07e45eec8d0b45275 kexec-cmdline 726f6f 743d2f6465762f7364613420726f2072642e6c756b732e757569643d6c756b73 2d6637 3633643737632d653236622d343431642d613734652d62363633636334643832 656120 696d615f706f6c6963793d7463627c61707072616973655f746362 There's probably a better shell command, but the following works to verify the digest locally against the /proc/cmdline: $ echo -n -e `cat /proc/cmdline | sed 's/^.*root=/root=/'` | sha256sum 4f43b7db850e88c49dfeffd4b1eb4f021d78033dfb05b07e45eec8d0b4527f65 - If we leave the "buf" field as ascii-hex, what would the shell command look like when verifying the digest based on the "buf" field? Mimi
On Fri, May 24, 2019 at 11:09 AM Mimi Zohar <zohar@linux.ibm.com> wrote: > > > >> As mentioned, the first patch description should include a shell > > >> command for verifying the digest in the kexec boot command line > > >> measurement list record against /proc/cmdline. This patch description > > >> should include a shell command showing how to verify the digest based > > >> on the new field. Should the new field in the ascii measurement list > > >> be displayed as a string, not hex? > > > > > > We should define a new type. If the type is DATA_FMT_STRING, spaces are > > > replaced with '_'. > > > > Or better. Leave it as hex, otherwise there would be a parsing problem > > if there are spaces in the data for a field. > > After making a few changes, the measurement list contains the > following kexec-cmdline data: > > 10 edc32d1e3a5ba7272280a395b6fb56a5ef7c78c3 ima-buf > sha256:4f43b7db850e > 88c49dfeffd4b1eb4f021d78033dfb05b07e45eec8d0b45275 > kexec-cmdline > 726f6f > 743d2f6465762f7364613420726f2072642e6c756b732e757569643d6c756b73 > 2d6637 > 3633643737632d653236622d343431642d613734652d62363633636334643832 > 656120 > 696d615f706f6c6963793d7463627c61707072616973655f746362 > > There's probably a better shell command, but the following works to > verify the digest locally against the /proc/cmdline: > > $ echo -n -e `cat /proc/cmdline | sed 's/^.*root=/root=/'` | sha256sum > 4f43b7db850e88c49dfeffd4b1eb4f021d78033dfb05b07e45eec8d0b4527f65 - > > If we leave the "buf" field as ascii-hex, what would the shell command > look like when verifying the digest based on the "buf" field? > > Mimi > To quickly test the sha256 i used the my /proc/cmdline ro quiet splash vt.handoff=1 ima_policy=tcb ima_appraise=fix ima_template_fmt=n-ng|d-ng|sig|buf ima_hash=sha256 export $VAL= 726f2071756965742073706c6173682076742e68616e646f66663d3120 696d615f706f6c6963793d74636220696d615f61707072616973653d666 97820696d615f74656d706c6174655f666d743d6e2d6e677c642d6e677c 7369677c62756620696d615f686173683d736861323536 echo -n -e $VAL | xxd -r -p | sha256sum 0d0b891bb730120d9593799cba1a7b3febf68f2bb81fb1304b0c963f95f6bc58 - I will run it through the code as well, but the shell command should work. Thanks, Prakhar Srivastava
On Fri, 2019-05-24 at 12:00 -0700, prakhar srivastava wrote: > On Fri, May 24, 2019 at 11:09 AM Mimi Zohar <zohar@linux.ibm.com> wrote: > > > > > >> As mentioned, the first patch description should include a shell > > > >> command for verifying the digest in the kexec boot command line > > > >> measurement list record against /proc/cmdline. This patch description > > > >> should include a shell command showing how to verify the digest based > > > >> on the new field. Should the new field in the ascii measurement list > > > >> be displayed as a string, not hex? > > > > > > > > We should define a new type. If the type is DATA_FMT_STRING, spaces are > > > > replaced with '_'. > > > > > > Or better. Leave it as hex, otherwise there would be a parsing problem > > > if there are spaces in the data for a field. > > > > After making a few changes, the measurement list contains the > > following kexec-cmdline data: > > > > 10 edc32d1e3a5ba7272280a395b6fb56a5ef7c78c3 ima-buf > > sha256:4f43b7db850e > > 88c49dfeffd4b1eb4f021d78033dfb05b07e45eec8d0b45275 > > kexec-cmdline > > 726f6f > > 743d2f6465762f7364613420726f2072642e6c756b732e757569643d6c756b73 > > 2d6637 > > 3633643737632d653236622d343431642d613734652d62363633636334643832 > > 656120 > > 696d615f706f6c6963793d7463627c61707072616973655f746362 > > > > There's probably a better shell command, but the following works to > > verify the digest locally against the /proc/cmdline: > > > > $ echo -n -e `cat /proc/cmdline | sed 's/^.*root=/root=/'` | sha256sum > > 4f43b7db850e88c49dfeffd4b1eb4f021d78033dfb05b07e45eec8d0b4527f65 - > > > > If we leave the "buf" field as ascii-hex, what would the shell command > > look like when verifying the digest based on the "buf" field? > > > > Mimi > > > To quickly test the sha256 i used the my /proc/cmdline > ro quiet splash vt.handoff=1 ima_policy=tcb ima_appraise=fix > ima_template_fmt=n-ng|d-ng|sig|buf ima_hash=sha256 > > export $VAL= > 726f2071756965742073706c6173682076742e68616e646f66663d3120 > 696d615f706f6c6963793d74636220696d615f61707072616973653d666 > 97820696d615f74656d706c6174655f666d743d6e2d6e677c642d6e677c > 7369677c62756620696d615f686173683d736861323536 > > echo -n -e $VAL | xxd -r -p | sha256sum > 0d0b891bb730120d9593799cba1a7b3febf68f2bb81fb1304b0c963f95f6bc58 - > > I will run it through the code as well, but the shell command should work. Yes, that works. sudo cat /sys/kernel/security/integrity/ima/ascii_runtime_measurements | grep kexec-cmdline | cut -d' ' -f 6 | xxd -r -p | sha256sum Mimi
diff --git a/Documentation/security/IMA-templates.rst b/Documentation/security/IMA-templates.rst index 2cd0e273cc9a..9cddb66727ee 100644 --- a/Documentation/security/IMA-templates.rst +++ b/Documentation/security/IMA-templates.rst @@ -70,7 +70,7 @@ descriptors by adding their identifier to the format string prefix is shown only if the hash algorithm is not SHA1 or MD5); - 'n-ng': the name of the event, without size limitations; - 'sig': the file signature. - + - 'buf': the buffer data that was used to generate the hash without size limitations. Below, there is the list of defined template descriptors: diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index 226a26d8de09..4a82541dc3b6 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -65,6 +65,8 @@ struct ima_event_data { struct evm_ima_xattr_data *xattr_value; int xattr_len; const char *violation; + const void *buf; + int buf_len; }; /* IMA template field data definition */ diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c index 800d965232e5..c12f1cd38f8f 100644 --- a/security/integrity/ima/ima_api.c +++ b/security/integrity/ima/ima_api.c @@ -134,7 +134,7 @@ void ima_add_violation(struct file *file, const unsigned char *filename, struct ima_template_entry *entry; struct inode *inode = file_inode(file); struct ima_event_data event_data = {iint, file, filename, NULL, 0, - cause}; + cause, NULL, 0}; int violation = 1; int result; @@ -286,7 +286,7 @@ void ima_store_measurement(struct integrity_iint_cache *iint, struct inode *inode = file_inode(file); struct ima_template_entry *entry; struct ima_event_data event_data = {iint, file, filename, xattr_value, - xattr_len, NULL}; + xattr_len, NULL, NULL, 0}; int violation = 0; if (iint->measured_pcrs & (0x1 << pcr)) diff --git a/security/integrity/ima/ima_init.c b/security/integrity/ima/ima_init.c index 6c9295449751..0c34d3100b5b 100644 --- a/security/integrity/ima/ima_init.c +++ b/security/integrity/ima/ima_init.c @@ -50,7 +50,7 @@ static int __init ima_add_boot_aggregate(void) struct ima_template_entry *entry; struct integrity_iint_cache tmp_iint, *iint = &tmp_iint; struct ima_event_data event_data = {iint, NULL, boot_aggregate_name, - NULL, 0, NULL}; + NULL, 0, NULL, NULL, 0}; int result = -ENOMEM; int violation = 0; struct { diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index a88c28918a63..6c5691b65b84 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -594,7 +594,7 @@ static void process_buffer_measurement(const void *buf, int size, struct ima_template_entry *entry = NULL; struct integrity_iint_cache tmp_iint, *iint = &tmp_iint; struct ima_event_data event_data = {iint, NULL, NULL, - NULL, 0, NULL}; + NULL, 0, NULL, NULL, 0}; struct { struct ima_digest_data hdr; char digest[IMA_MAX_DIGEST_SIZE]; @@ -611,6 +611,8 @@ static void process_buffer_measurement(const void *buf, int size, memset(&hash, 0, sizeof(hash)); event_data.filename = eventname; + event_data.buf = buf; + event_data.buf_len = size; iint->ima_hash = &hash.hdr; iint->ima_hash->algo = ima_hash_algo; diff --git a/security/integrity/ima/ima_template.c b/security/integrity/ima/ima_template.c index b631b8bc7624..a76d1c04162a 100644 --- a/security/integrity/ima/ima_template.c +++ b/security/integrity/ima/ima_template.c @@ -43,6 +43,8 @@ static const struct ima_template_field supported_fields[] = { .field_show = ima_show_template_string}, {.field_id = "sig", .field_init = ima_eventsig_init, .field_show = ima_show_template_sig}, + {.field_id = "buf", .field_init = ima_eventbuf_init, + .field_show = ima_show_template_buf}, }; #define MAX_TEMPLATE_NAME_LEN 15 diff --git a/security/integrity/ima/ima_template_lib.c b/security/integrity/ima/ima_template_lib.c index 513b457ae900..43d1404141c1 100644 --- a/security/integrity/ima/ima_template_lib.c +++ b/security/integrity/ima/ima_template_lib.c @@ -162,6 +162,12 @@ void ima_show_template_sig(struct seq_file *m, enum ima_show_type show, ima_show_template_field_data(m, show, DATA_FMT_HEX, field_data); } +void ima_show_template_buf(struct seq_file *m, enum ima_show_type show, + struct ima_field_data *field_data) +{ + ima_show_template_field_data(m, show, DATA_FMT_HEX, field_data); +} + /** * ima_parse_buf() - Parses lengths and data from an input buffer * @bufstartp: Buffer start address. @@ -389,3 +395,17 @@ int ima_eventsig_init(struct ima_event_data *event_data, return ima_write_template_field_data(xattr_value, event_data->xattr_len, DATA_FMT_HEX, field_data); } + +/* + * ima_eventbuf_init - include the buffer(kexec-cmldine) as part of the + * template data. + */ +int ima_eventbuf_init(struct ima_event_data *event_data, + struct ima_field_data *field_data) +{ + if ((!event_data->buf) || (event_data->buf_len == 0)) + return 0; + + return ima_write_template_field_data(event_data->buf, event_data->buf_len, + DATA_FMT_HEX, field_data); +} diff --git a/security/integrity/ima/ima_template_lib.h b/security/integrity/ima/ima_template_lib.h index 6a3d8b831deb..f0178bc60c55 100644 --- a/security/integrity/ima/ima_template_lib.h +++ b/security/integrity/ima/ima_template_lib.h @@ -29,6 +29,8 @@ void ima_show_template_string(struct seq_file *m, enum ima_show_type show, struct ima_field_data *field_data); void ima_show_template_sig(struct seq_file *m, enum ima_show_type show, struct ima_field_data *field_data); +void ima_show_template_buf(struct seq_file *m, enum ima_show_type show, + struct ima_field_data *field_data); int ima_parse_buf(void *bufstartp, void *bufendp, void **bufcurp, int maxfields, struct ima_field_data *fields, int *curfields, unsigned long *len_mask, int enforce_mask, char *bufname); @@ -42,4 +44,6 @@ int ima_eventname_ng_init(struct ima_event_data *event_data, struct ima_field_data *field_data); int ima_eventsig_init(struct ima_event_data *event_data, struct ima_field_data *field_data); +int ima_eventbuf_init(struct ima_event_data *event_data, + struct ima_field_data *field_data); #endif /* __LINUX_IMA_TEMPLATE_LIB_H */
A buffer(cmdline args) measured into ima cannot be appraised without already being aware of the buffer contents.Since we don't know what cmdline args will be passed (or need to validate what was passed) it is not possible to appraise it. Since hashs are non reversible the raw buffer is needed to recompute the hash. To regenrate the hash of the buffer and appraise the same the contents of the buffer need to be available. A new template field buf is added to the existing ima template fields, which can be used to store/read the buffer itself. Two new fields are added to the ima_event_data to carry the buf and buf_len whenever necessary. Updated the process_buffer_measurement call to add the buf to the ima_event_data. process_buffer_measurement added in "Add a new ima hook ima_kexec_cmdline to measure cmdline args" - Add a new template field 'buf' to be used to store/read the buffer data. - Added two new fields to ima_event_data to hold the buf and buf_len [Suggested by Roberto] -Updated process_buffer_meaurement to add the buffer to ima_event_data Signed-off-by: Prakhar Srivastava <prsriva02@gmail.com> --- Documentation/security/IMA-templates.rst | 2 +- security/integrity/ima/ima.h | 2 ++ security/integrity/ima/ima_api.c | 4 ++-- security/integrity/ima/ima_init.c | 2 +- security/integrity/ima/ima_main.c | 4 +++- security/integrity/ima/ima_template.c | 2 ++ security/integrity/ima/ima_template_lib.c | 20 ++++++++++++++++++++ security/integrity/ima/ima_template_lib.h | 4 ++++ 8 files changed, 35 insertions(+), 5 deletions(-)