* [PATCH v3] IMA: support for duplicate measurement records
From: Tushar Sugandhi @ 2021-02-19  1:00 UTC
  To: zohar; +Cc: tyhicks, sashal, jmorris, nramas, linux-integrity, linux-kernel

IMA does not include duplicate file, buffer, or critical data
measurement records since TPM extend is a very expensive
operation.  However, in some cases, the measurement of duplicate
records is necessary to accurately determine the current state of the
system.  For instance - the file, buffer, or critical data measurement
record may change from some value 'val#1', to 'val#2', and then back
to 'val#1'.  Currently, IMA will not measure the last change to 'val#1',
since the hash of 'val#1' for the given record is already present in the
measurement log.  This limits the ability of the attestation service to
accurately determine the current state of the system, because it would
be interpreted as the system having 'val#2' for the given record.

Update ima_add_template_entry() to support measurement of duplicate
records, driven by a Kconfig option - IMA_DISABLE_HTABLE.

Signed-off-by: Tushar Sugandhi <tusharsu@linux.microsoft.com>
---
Change Log v3:
 - Incorporated feedback from Mimi on v2.
 - Updated patch title and description to make it generic.
 - Changed config description word 'data' to 'records'.
 - Tested use cases for boot param "ima_policy=tcb".

Change Log v2:
 - Incorporated feedback from Mimi on v1.
 - The fix is not just applicable to measurement of critical data,
   it now applies to other buffers and file data as well.
 - the fix is driven by a Kconfig option IMA_DISABLE_HTABLE, rather
   than an IMA policy condition - allow_dup.

 security/integrity/ima/Kconfig     | 7 +++++++
 security/integrity/ima/ima_queue.c | 5 +++--
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
index 12e9250c1bec..d0ceada99243 100644
--- a/security/integrity/ima/Kconfig
+++ b/security/integrity/ima/Kconfig
@@ -334,3 +334,10 @@ config IMA_SECURE_AND_OR_TRUSTED_BOOT
        help
           This option is selected by architectures to enable secure and/or
           trusted boot based on IMA runtime policies.
+
+config IMA_DISABLE_HTABLE
+	bool "Disable htable to allow measurement of duplicate records"
+	depends on IMA
+	default n
+	help
+	   This option disables htable to allow measurement of duplicate records.
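
Review bot: The help text for IMA_DISABLE_HTABLE only restates the prompt string, so someone configuring a kernel cannot tell what enabling it costs. The commit message says duplicates are skipped because TPM extend is a very expensive operation; the help should state that with this option set every repeated measurement is added to the list again, and give the motivating case (a record changing from one value to another and back). `default n` is also redundant for a bool and can be dropped.
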
diff --git a/security/integrity/ima/ima_queue.c b/security/integrity/ima/ima_queue.c
index c096ef8945c7..532da87ce519 100644
--- a/security/integrity/ima/ima_queue.c
+++ b/security/integrity/ima/ima_queue.c
@@ -168,7 +168,7 @@ int ima_add_template_entry(struct ima_template_entry *entry, int violation,
 	int result = 0, tpmresult = 0;
 
 	mutex_lock(&ima_extend_list_mutex);
-	if (!violation) {
+	if (!violation && !IS_ENABLED(CONFIG_IMA_DISABLE_HTABLE)) {
 		if (ima_lookup_digest_entry(digest, entry->pcr)) {
 			audit_cause = "hash_exists";
 			result = -EEXIST;
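
Review bot: The changed `if (!violation && ...)` condition skips ima_lookup_digest_entry() without a comment saying why, and the switch is compile-time and global, so with CONFIG_IMA_DISABLE_HTABLE set the "hash_exists" / -EEXIST path is unreachable for every record type that reaches this function. Please add a short comment above the condition stating that duplicates are intentionally measured in that configuration. Does any caller rely on -EEXIST from ima_add_template_entry()?
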
@@ -176,7 +176,8 @@ int ima_add_template_entry(struct ima_template_entry *entry, int violation,
 		}
 	}
 
-	result = ima_add_digest_entry(entry, 1);
+	result = ima_add_digest_entry(entry,
+				      !IS_ENABLED(CONFIG_IMA_DISABLE_HTABLE));
 	if (result < 0) {
 		audit_cause = "ENOMEM";
 		audit_info = 0;
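
Review bot: The second argument to ima_add_digest_entry() repeats the `!IS_ENABLED(CONFIG_IMA_DISABLE_HTABLE)` test already used to guard the lookup earlier in ima_add_template_entry(), and the two must always agree. Consider one local, e.g. `bool use_htable = !IS_ENABLED(CONFIG_IMA_DISABLE_HTABLE);`, used in both places; the name would also document what the argument that was previously the literal `1` means.
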
-- 
2.17.1
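
The val#1 -> val#2 -> val#1 case from the commit message, as an added illustration that is not part of the patch or of the kernel. The names `toy_log`, `toy_measure`, `toy_verifier_view` and `toy_replay` are hypothetical, and the toy matches duplicates on name plus digest string, a simplification of the kernel's lookup by template digest and PCR.

```c
#include <stdio.h>
#include <string.h>
struct toy_log {                 /* constructed model of the measurement list */
    const char *name[8];         /* record name */
    const char *digest[8];       /* stands in for the template digest */
    int count;                   /* entries appended = simulated TPM extends */
};

/* Append a record; returns -1 when dropped as a duplicate or the list is full. */
static int toy_measure(struct toy_log *log, int disable_htable,
                       const char *name, const char *digest)
{
    for (int i = 0; !disable_htable && i < log->count; i++)
        if (!strcmp(log->name[i], name) && !strcmp(log->digest[i], digest))
            return -1;           /* models the "hash_exists" path */
    if (log->count == 8) return -1;
    log->name[log->count] = name;
    log->digest[log->count++] = digest;
    return 0;
}

/* The value a verifier reading the list takes as current for a record. */
static const char *toy_verifier_view(const struct toy_log *log, const char *name)
{
    for (int i = log->count - 1; i >= 0; i--)
        if (!strcmp(log->name[i], name))
            return log->digest[i];
    return NULL;
}

/* Replay val#1 -> val#2 -> val#1; return the verifier's view, count extends. */
static const char *toy_replay(int disable_htable, int *extends)
{
    static const char *seq[] = { "val#1", "val#2", "val#1" };
    struct toy_log log = { 0 };
    for (int i = 0; i < 3; i++)
        toy_measure(&log, disable_htable, "record", seq[i]);
    *extends = log.count;
    return toy_verifier_view(&log, "record");
}

int main(void)
{
    int on, off;
    const char *a = toy_replay(0, &on), *b = toy_replay(1, &off);
    printf("htable enabled:  verifier sees %s (%d extends)\n", a, on);
    printf("htable disabled: verifier sees %s (%d extends)\n", b, off);
    return 0;
}
```

With the duplicate check active the list ends on val#2 after two extends; with it disabled the list ends on val#1 at the cost of a third extend.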



* Re: [PATCH v3] IMA: support for duplicate measurement records
From: Petr Vorel @ 2021-02-24  0:18 UTC
  To: Tushar Sugandhi
  Cc: zohar, tyhicks, sashal, jmorris, nramas, linux-integrity,
	linux-kernel

Hi Tushar,

> Change Log v3:
>  - Incorporated feedback from Mimi on v2.
>  - Updated patch title and description to make it generic.
>  - Changed config description word 'data' to 'records'.
>  - Tested use cases for boot param "ima_policy=tcb".

LGTM.
Reviewed-by: Petr Vorel <pvorel@suse.cz>

Kind regards,
Petr


* Re: [PATCH v3] IMA: support for duplicate measurement records
From: Tushar Sugandhi @ 2021-02-24  0:25 UTC
  To: Petr Vorel
  Cc: zohar, tyhicks, sashal, jmorris, nramas, linux-integrity,
	linux-kernel

Hello Petr,

On 2021-02-23 4:18 p.m., Petr Vorel wrote:
> Hi Tushar,
> 
>> Change Log v3:
>>   - Incorporated feedback from Mimi on v2.
>>   - Updated patch title and description to make it generic.
>>   - Changed config description word 'data' to 'records'.
>>   - Tested use cases for boot param "ima_policy=tcb".
> 
> LGTM.
> Reviewed-by: Petr Vorel <pvorel@suse.cz>
> 

Thank you for taking a look at the patch, and the 'Reviewed-by' tag.
~Tushar

> Kind regards,
> Petr
> 
