
  1 // SPDX-License-Identifier: GPL-2.0-only
  2 /*
  3  * Copyright (C) 2005,2006,2007,2008 IBM Corporation
  4  *
  5  * Authors:
  6  * Reiner Sailer      <sailer@watson.ibm.com>
  7  * Leendert van Doorn <leendert@watson.ibm.com>
  8  * Mimi Zohar         <zohar@us.ibm.com>
  9  *
 10  * File: ima_init.c
 11  *             initialization and cleanup functions
 12  */
 13 
 14 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 15 
 16 #include <linux/init.h>
 17 #include <linux/scatterlist.h>
 18 #include <linux/slab.h>
 19 #include <linux/err.h>
 20 
 21 #include "ima.h"
 22 
/* name for boot aggregate entry */
static const char boot_aggregate_name[] = "boot_aggregate";
/*
 * Default TPM chip used by IMA, looked up in ima_init().  NULL when no chip
 * was found, in which case IMA runs in TPM-bypass mode.
 */
struct tpm_chip *ima_tpm_chip;
 26 
/*
 * Add the boot aggregate to the IMA measurement list and extend the
 * measurement PCR with it.
 *
 * The boot aggregate is a SHA1 digest over TPM PCRs 0-7 when a TPM chip is
 * present.  Without a TPM the digest is left all zeroes: the entry then
 * indicates that the core root of trust is not hardware based, and the
 * aggregate PCR is invalidated by logging one value while extending the PCR
 * with a different one.  Violations add a zero entry to the measurement list
 * and extend the aggregate PCR with ff...ff.
 *
 * A verifier should therefore treat an all-zero boot_aggregate entry as
 * "no hardware root of trust", not as a valid measurement.
 *
 * Returns 0 on success or a negative error code.  Every failure path logs an
 * AUDIT_INTEGRITY_PCR record with op "add_boot_aggregate" and a cause naming
 * the failed step; that record is the signal that the measurement list is
 * missing its mandatory first entry.
 */
static int __init ima_add_boot_aggregate(void)
{
	static const char op[] = "add_boot_aggregate";
	struct integrity_iint_cache tmp_iint;
	struct ima_event_data event_data = { .iint = &tmp_iint,
					     .filename = boot_aggregate_name };
	struct ima_template_entry *entry;
	const char *audit_cause;
	int result;
	struct {
		struct ima_digest_data hdr;
		char digest[TPM_DIGEST_SIZE];
	} hash;

	/* A throwaway iint carries the digest through the template code. */
	memset(&tmp_iint, 0, sizeof(tmp_iint));
	memset(&hash, 0, sizeof(hash));
	tmp_iint.ima_hash = &hash.hdr;
	hash.hdr.algo = HASH_ALGO_SHA1;
	hash.hdr.length = SHA1_DIGEST_SIZE;

	/* No TPM: keep the all-zero digest (TPM-bypass). */
	result = ima_tpm_chip ? ima_calc_boot_aggregate(&hash.hdr) : 0;
	if (result < 0) {
		audit_cause = "hashing_error";
		goto audit_fail;
	}

	result = ima_alloc_init_template(&event_data, &entry, NULL);
	if (result < 0) {
		audit_cause = "alloc_entry";
		goto audit_fail;
	}

	/* violation = 0: a genuine measurement, not a violation entry. */
	result = ima_store_template(entry, 0, NULL, boot_aggregate_name,
				    CONFIG_IMA_MEASURE_PCR_IDX);
	if (result < 0) {
		ima_free_template_entry(entry);
		audit_cause = "store_entry";
		goto audit_fail;
	}
	return 0;

audit_fail:
	integrity_audit_msg(AUDIT_INTEGRITY_PCR, NULL, boot_aggregate_name, op,
			    audit_cause, result, 0);
	return result;
}
 91 
 92 #ifdef CONFIG_IMA_LOAD_X509
/*
 * Load the certificate at CONFIG_IMA_X509_PATH onto the IMA keyring.
 *
 * IMA_APPRAISE is cleared from ima_policy_flag for the duration of the load
 * and restored afterwards -- presumably so the certificate file can be read
 * before the key it carries is on the keyring; confirm against
 * integrity_load_x509().  Any appraisal decision taken in that window sees
 * the flag cleared; being an __init call is what bounds the exposure.
 */
void __init ima_load_x509(void)
{
	int appraise_bits = ima_policy_flag & IMA_APPRAISE;

	ima_policy_flag &= ~appraise_bits;
	integrity_load_x509(INTEGRITY_KEYRING_IMA, CONFIG_IMA_X509_PATH);
	ima_policy_flag |= appraise_bits;
}
101 #endif
102 
/*
 * Bring up IMA: locate the TPM, create the IMA keyring, initialise the
 * crypto, template and digest state, record the boot aggregate, then load
 * the policy and the securityfs interface.
 *
 * Each step that can fail returns its error unchanged and stops the
 * initialisation; later steps are not run.  Returns 0 on success.
 *
 * When no TPM is found, ima_tpm_chip stays NULL and IMA continues in
 * TPM-bypass mode.  The pr_info below is the only kernel-log indication of
 * that, so it is worth alerting on for hosts expected to have a TPM.
 */
int __init ima_init(void)
{
	int err;

	ima_tpm_chip = tpm_default_chip();
	if (!ima_tpm_chip)
		pr_info("No TPM chip found, activating TPM-bypass!\n");

	err = integrity_init_keyring(INTEGRITY_KEYRING_IMA);
	if (err)
		return err;

	err = ima_init_crypto();
	if (err)
		return err;

	err = ima_init_template();
	if (err)
		return err;

	/* It can be called before ima_init_digests(), it does not use TPM. */
	ima_load_kexec_buffer();

	err = ima_init_digests();
	if (err)
		return err;

	/* The boot aggregate must be the first entry in the measurement list. */
	err = ima_add_boot_aggregate();
	if (err)
		return err;

	ima_init_policy();

	return ima_fs_init();
}