ima: add support for measuring and appraising firmware

The "security: introduce kernel_fw_from_file hook" patch defined a new security hook to evaluate any loaded firmware that wasn't built into the kernel. This patch defines ima_fw_from_file(), which is called from the new security hook, to measure and/or appraise the loaded firmware's integrity. Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Signed-off-by: Kees Cook <keescook@chromium.org>
author: Mimi Zohar <zohar@linux.vnet.ibm.com> 2014-07-22 10:39:48 -0400
committer: Kees Cook <keescook@chromium.org> 2014-07-25 11:47:46 -0700
commit: 5a9196d715607f76d6b7d96a0970d6065335e62b (patch)
tree: df323588d1026b947e489c5fb9c83299dbcb9689 /security/security.c
parent: 6593d9245bc66e6e3cf4ba6d365a7833110c1402 (diff)
1 files changed, 6 insertions, 1 deletions
diff --git a/security/security.c b/security/security.c
index 35d37d0f0d49..e41b1a8d7644 100644
--- a/security/security.c
+++ b/security/security.c
@@ -847,7 +847,12 @@ int security_kernel_create_files_as(struct cred *new, struct inode *inode)
 
 int security_kernel_fw_from_file(struct file *file, char *buf, size_t size)
 {
-	return security_ops->kernel_fw_from_file(file, buf, size);
+	int ret;
+
+	ret = security_ops->kernel_fw_from_file(file, buf, size);
+	if (ret)
+		return ret;
+	return ima_fw_from_file(file, buf, size);
 }
 EXPORT_SYMBOL_GPL(security_kernel_fw_from_file);
author	Mimi Zohar <zohar@linux.vnet.ibm.com>	2014-07-22 10:39:48 -0400
committer	Kees Cook <keescook@chromium.org>	2014-07-25 11:47:46 -0700
commit	5a9196d715607f76d6b7d96a0970d6065335e62b (patch)
tree	df323588d1026b947e489c5fb9c83299dbcb9689 /security/security.c
parent	6593d9245bc66e6e3cf4ba6d365a7833110c1402 (diff)