Mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ https://git.shady.money/linux/atom?h=v5.14 2021-06-21T12:34:21Z 2021-06-21T12:34:21Z Roberto Sassu roberto.sassu@huawei.com 2021-06-21T12:29:12Z urn:sha1:907a399de7b0566236c480d0c01ff52220532fb1 The kernel and the user obtain an xattr value in two different ways: kernel (EVM): uses vfs_getxattr_alloc() which obtains the xattr value from the filesystem handler (raw value); user (ima-evm-utils): uses vfs_getxattr() which obtains the xattr value from the LSMs (normalized value). Normally, this does not have an impact unless security.selinux is set with setfattr, with a value not terminated by '\0' (this is not the recommended way, security.selinux should be set with the appropriate tools such as chcon and restorecon). In this case, the kernel and the user see two different xattr values: the former sees the xattr value without '\0' (raw value), the latter sees the value with '\0' (value normalized by SELinux). This could result in two different verification outcomes from EVM and ima-evm-utils, if a signature was calculated with a security.selinux value terminated by '\0' and the value set in the filesystem is not terminated by '\0'. The former would report verification failure due to the missing '\0', while the latter would report verification success (because it gets the normalized value with '\0'). This patch mitigates this issue by comparing in evm_calc_hmac_or_hash() the size of the xattr returned by the two xattr functions and by warning the user if there is a discrepancy. Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> Suggested-by: Mimi Zohar <zohar@linux.ibm.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> 2021-06-20T15:10:25Z Mimi Zohar zohar@linux.ibm.com 2021-05-13T22:36:04Z urn:sha1:87ac3d002d567fac3527d6612865e81cfd783727 Output the data used in calculating the EVM digest and the resulting digest as ascii hexadecimal strings. Suggested-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com> (CONFIG_DYNAMIC_DEBUG) Reviewed-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com> Reported-by: kernel test robot <lkp@intel.com> (Use %zu for size_t) Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> 2021-06-11T16:54:13Z Tushar Sugandhi tusharsu@linux.microsoft.com 2021-05-10T19:09:39Z urn:sha1:52c208397c246f0c31d031eb8c41f9c7e9fdec0e IMA measures contents of a given file/buffer/critical-data record, and properly re-measures it on change. However, IMA does not measure the duplicate value for a given record, since TPM extend is a very expensive operation. For example, if the record changes from value 'v#1' to 'v#2', and then back to 'v#1', IMA will not measure and log the last change to 'v#1', since the hash of 'v#1' for that record is already present in the IMA htable. This limits the ability of an external attestation service to accurately determine the current state of the system. The service would incorrectly conclude that the latest value of the given record on the system is 'v#2', and act accordingly. Define and use a new Kconfig option IMA_DISABLE_HTABLE to permit duplicate records in the IMA measurement list. In addition to the duplicate measurement records described above, other duplicate file measurement records may be included in the log, when CONFIG_IMA_DISABLE_HTABLE is enabled. For example, - i_version is not enabled, - i_generation changed, - same file present on different filesystems, - an inode is evicted from dcache Signed-off-by: Tushar Sugandhi <tusharsu@linux.microsoft.com> Reviewed-by: Petr Vorel <pvorel@suse.cz> [zohar@linux.ibm.com: updated list of duplicate measurement records] Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> 2021-06-11T15:27:03Z Lakshmi Ramasubramanian nramas@linux.microsoft.com 2021-06-10T17:15:52Z urn:sha1:c67913492fec317bc53ffdff496b6ba856d2868c The function prototype for ima_add_kexec_buffer() is present in 'linux/ima.h'. But this header file is not included in ima_kexec.c where the function is implemented. This results in the following compiler warning when "-Wmissing-prototypes" flag is turned on: security/integrity/ima/ima_kexec.c:81:6: warning: no previous prototype for function 'ima_add_kexec_buffer' [-Wmissing-prototypes] Include the header file 'linux/ima.h' in ima_kexec.c to fix the compiler warning. Fixes: dce92f6b11c3 (arm64: Enable passing IMA log to next kernel on kexec) Reported-by: kernel test robot <lkp@intel.com> Signed-off-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com> Acked-by: Rob Herring <robh@kernel.org> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> 2021-06-10T20:36:41Z Mimi Zohar zohar@linux.ibm.com 2021-06-02T20:33:39Z urn:sha1:55748ac6a6d3e35f8fd0f5c9284df7c7f3b1705a Differentiate between an invalid EVM portable signature failure from other EVM HMAC/signature failures. Reviewed-by: Roberto Sassu <roberto.sassu@huawei.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> 2021-06-09T03:33:48Z Gustavo A. R. Silva gustavoars@kernel.org 2021-06-07T20:49:34Z urn:sha1:7d2201d46218df951004fc48897f89c6eb510b69 In preparation to enable -Wimplicit-fallthrough for Clang, fix a fall-through warning by explicitly adding a break statement instead of just letting the code fall through to the next case. Link: https://github.com/KSPP/linux/issues/115 Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org> Reviewed-by: Kees Cook <keescook@chromium.org> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> 2021-06-08T20:29:10Z Roberto Sassu roberto.sassu@huawei.com 2021-06-08T12:31:24Z urn:sha1:531bf6a88d9bd6c13d4fc3f05d2de799d627de3b This patch fixes the sparse warning: sparse: warning: Using plain integer as NULL pointer Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> 2021-06-08T20:29:10Z Roberto Sassu roberto.sassu@huawei.com 2021-06-08T12:31:23Z urn:sha1:8c559415f66a42721fcfdf321cb7a58df01a4c74 This patch fixes the sparse warning for ima_post_key_create_or_update() by adding the header file that defines the prototype (linux/ima.h). Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> 2021-06-08T20:29:10Z Roberto Sassu roberto.sassu@huawei.com 2021-06-08T12:31:22Z urn:sha1:6b26285f44c9306747c609cb304f787f1933594c The endianness of a variable written to the measurement list cannot be determined at compile time, as it depends on the value of the ima_canonical_fmt global variable (set through a kernel option with the same name if the machine is big endian). If ima_canonical_fmt is false, the endianness of a variable is the same as the machine; if ima_canonical_fmt is true, the endianness is little endian. The warning arises due to this type of instruction: var = cpu_to_leXX(var) which tries to assign a value in little endian to a variable with native endianness (little or big endian). Given that the variables set with this instruction are not used in any operation but just written to a buffer, it is safe to force the type of the value being set to be the same of the type of the variable with: var = (__force <var type>)cpu_to_leXX(var) Reported-by: kernel test robot <lkp@intel.com> Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> 2021-06-08T20:29:10Z Roberto Sassu roberto.sassu@huawei.com 2021-06-08T12:31:21Z urn:sha1:24c9ae23bdfa0642228e747849dd052fd4295c6c The code expects that the values being parsed from a buffer when the ima_canonical_fmt global variable is true are in little endian. Thus, this patch sets the casting types accordingly. Reported-by: kernel test robot <lkp@intel.com> Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>