Linaro Git Browser
Code Review Sign In
review.linaro.org / kernel / linux-linaro-stable.git / 8a95b5736641a5cd3996e4fe4c0af6ea05cfa86c / . / security / integrity / ima / ima_crypto.c
blob: 9da974c0f958ea72e5f54f0d169b480c57d76f1c [file] [log] [blame]
Mimi Zohar3323eec92009-02-04 09:06:58 -0500[diff] [blame]1/*
2 * Copyright (C) 2005,2006,2007,2008 IBM Corporation
3 *
4 * Authors:
5 * Mimi Zohar <zohar@us.ibm.com>
6 * Kylene Hall <kjhall@us.ibm.com>
7 *
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation, version 2 of the License.
11 *
12 * File: ima_crypto.c
13 * Calculates md5/sha1 file hash, template hash, boot-aggreate hash
14 */
15
16#include <linux/kernel.h>
17#include <linux/file.h>
18#include <linux/crypto.h>
19#include <linux/scatterlist.h>
20#include <linux/err.h>
Tejun Heo5a0e3ad2010-03-24 17:04:11 +0900[diff] [blame]21#include <linux/slab.h>
Dmitry Kasatkin76bb28f2012-06-08 10:42:30 +0300[diff] [blame]22#include <crypto/hash.h>
Mimi Zohar3323eec92009-02-04 09:06:58 -0500[diff] [blame]23#include "ima.h"
24
Dmitry Kasatkin76bb28f2012-06-08 10:42:30 +0300[diff] [blame]25static struct crypto_shash *ima_shash_tfm;
Mimi Zohar3323eec92009-02-04 09:06:58 -0500[diff] [blame]26
Dmitry Kasatkin8b46db32014-05-08 14:03:22 +0300[diff] [blame]27/**
28 * ima_kernel_read - read file content
29 *
30 * This is a function for reading file content instead of kernel_read().
31 * It does not perform locking checks to ensure it cannot be blocked.
32 * It does not perform security checks because it is irrelevant for IMA.
33 *
34 */
35static int ima_kernel_read(struct file *file, loff_t offset,
36 char *addr, unsigned long count)
37{
38 mm_segment_t old_fs;
39 char __user *buf = addr;
40 ssize_t ret;
41
42 if (!(file->f_mode & FMODE_READ))
43 return -EBADF;
44 if (!file->f_op->read && !file->f_op->aio_read)
45 return -EINVAL;
46
47 old_fs = get_fs();
48 set_fs(get_ds());
49 if (file->f_op->read)
50 ret = file->f_op->read(file, buf, count, &offset);
51 else
52 ret = do_sync_read(file, buf, count, &offset);
53 set_fs(old_fs);
54 return ret;
55}
56
Dmitry Kasatkin76bb28f2012-06-08 10:42:30 +0300[diff] [blame]57int ima_init_crypto(void)
58{
59 long rc;
60
61 ima_shash_tfm = crypto_alloc_shash(ima_hash, 0, 0);
62 if (IS_ERR(ima_shash_tfm)) {
63 rc = PTR_ERR(ima_shash_tfm);
64 pr_err("Can not allocate %s (reason: %ld)\n", ima_hash, rc);
Mimi Zohar3323eec92009-02-04 09:06:58 -0500[diff] [blame]65 return rc;
66 }
Dmitry Kasatkin76bb28f2012-06-08 10:42:30 +0300[diff] [blame]67 return 0;
Mimi Zohar3323eec92009-02-04 09:06:58 -0500[diff] [blame]68}
69
70/*
71 * Calculate the MD5/SHA1 file digest
72 */
Dmitry Kasatkin50af5542012-05-14 14:13:56 +0300[diff] [blame]73int ima_calc_file_hash(struct file *file, char *digest)
Mimi Zohar3323eec92009-02-04 09:06:58 -0500[diff] [blame]74{
Mimi Zohar16bfa382009-08-21 14:32:49 -0400[diff] [blame]75 loff_t i_size, offset = 0;
Mimi Zohar3323eec92009-02-04 09:06:58 -0500[diff] [blame]76 char *rbuf;
Mimi Zohar2fe5d6d2012-02-13 10:15:05 -0500[diff] [blame]77 int rc, read = 0;
Dmitry Kasatkin76bb28f2012-06-08 10:42:30 +0300[diff] [blame]78 struct {
79 struct shash_desc shash;
80 char ctx[crypto_shash_descsize(ima_shash_tfm)];
81 } desc;
Mimi Zohar3323eec92009-02-04 09:06:58 -0500[diff] [blame]82
Dmitry Kasatkin76bb28f2012-06-08 10:42:30 +0300[diff] [blame]83 desc.shash.tfm = ima_shash_tfm;
84 desc.shash.flags = 0;
85
86 rc = crypto_shash_init(&desc.shash);
Mimi Zohar3323eec92009-02-04 09:06:58 -0500[diff] [blame]87 if (rc != 0)
88 return rc;
89
90 rbuf = kzalloc(PAGE_SIZE, GFP_KERNEL);
91 if (!rbuf) {
92 rc = -ENOMEM;
93 goto out;
94 }
Mimi Zohar2fe5d6d2012-02-13 10:15:05 -0500[diff] [blame]95 if (!(file->f_mode & FMODE_READ)) {
96 file->f_mode |= FMODE_READ;
97 read = 1;
98 }
Al Viro496ad9a2013-01-23 17:07:38 -0500[diff] [blame]99 i_size = i_size_read(file_inode(file));
Mimi Zohar3323eec92009-02-04 09:06:58 -0500[diff] [blame]100 while (offset < i_size) {
101 int rbuf_len;
102
Dmitry Kasatkin8b46db32014-05-08 14:03:22 +0300[diff] [blame]103 rbuf_len = ima_kernel_read(file, offset, rbuf, PAGE_SIZE);
Mimi Zohar3323eec92009-02-04 09:06:58 -0500[diff] [blame]104 if (rbuf_len < 0) {
105 rc = rbuf_len;
106 break;
107 }
Mimi Zohar16bfa382009-08-21 14:32:49 -0400[diff] [blame]108 if (rbuf_len == 0)
109 break;
Mimi Zohar3323eec92009-02-04 09:06:58 -0500[diff] [blame]110 offset += rbuf_len;
Mimi Zohar3323eec92009-02-04 09:06:58 -0500[diff] [blame]111
Dmitry Kasatkin76bb28f2012-06-08 10:42:30 +0300[diff] [blame]112 rc = crypto_shash_update(&desc.shash, rbuf, rbuf_len);
Mimi Zohar3323eec92009-02-04 09:06:58 -0500[diff] [blame]113 if (rc)
114 break;
115 }
116 kfree(rbuf);
117 if (!rc)
Dmitry Kasatkin76bb28f2012-06-08 10:42:30 +0300[diff] [blame]118 rc = crypto_shash_final(&desc.shash, digest);
Mimi Zohar2fe5d6d2012-02-13 10:15:05 -0500[diff] [blame]119 if (read)
120 file->f_mode &= ~FMODE_READ;
Mimi Zohar3323eec92009-02-04 09:06:58 -0500[diff] [blame]121out:
Mimi Zohar3323eec92009-02-04 09:06:58 -0500[diff] [blame]122 return rc;
123}
124
125/*
Dmitry Kasatkin50af5542012-05-14 14:13:56 +0300[diff] [blame]126 * Calculate the hash of a given buffer
Mimi Zohar3323eec92009-02-04 09:06:58 -0500[diff] [blame]127 */
Dmitry Kasatkin50af5542012-05-14 14:13:56 +0300[diff] [blame]128int ima_calc_buffer_hash(const void *data, int len, char *digest)
Mimi Zohar3323eec92009-02-04 09:06:58 -0500[diff] [blame]129{
Dmitry Kasatkin76bb28f2012-06-08 10:42:30 +0300[diff] [blame]130 struct {
131 struct shash_desc shash;
132 char ctx[crypto_shash_descsize(ima_shash_tfm)];
133 } desc;
Mimi Zohar3323eec92009-02-04 09:06:58 -0500[diff] [blame]134
Dmitry Kasatkin76bb28f2012-06-08 10:42:30 +0300[diff] [blame]135 desc.shash.tfm = ima_shash_tfm;
136 desc.shash.flags = 0;
Mimi Zohar3323eec92009-02-04 09:06:58 -0500[diff] [blame]137
Dmitry Kasatkin50af5542012-05-14 14:13:56 +0300[diff] [blame]138 return crypto_shash_digest(&desc.shash, data, len, digest);
Mimi Zohar3323eec92009-02-04 09:06:58 -0500[diff] [blame]139}
140
Eric Paris932995f2009-05-21 15:43:32 -0400[diff] [blame]141static void __init ima_pcrread(int idx, u8 *pcr)
Mimi Zohar3323eec92009-02-04 09:06:58 -0500[diff] [blame]142{
143 if (!ima_used_chip)
144 return;
145
146 if (tpm_pcr_read(TPM_ANY_NUM, idx, pcr) != 0)
Eric Pariseb8dae92010-04-22 10:49:36 -0400[diff] [blame]147 pr_err("IMA: Error Communicating to TPM chip\n");
Mimi Zohar3323eec92009-02-04 09:06:58 -0500[diff] [blame]148}
149
150/*
151 * Calculate the boot aggregate hash
152 */
Eric Paris932995f2009-05-21 15:43:32 -0400[diff] [blame]153int __init ima_calc_boot_aggregate(char *digest)
Mimi Zohar3323eec92009-02-04 09:06:58 -0500[diff] [blame]154{
Mimi Zohar3323eec92009-02-04 09:06:58 -0500[diff] [blame]155 u8 pcr_i[IMA_DIGEST_SIZE];
156 int rc, i;
Dmitry Kasatkin76bb28f2012-06-08 10:42:30 +0300[diff] [blame]157 struct {
158 struct shash_desc shash;
159 char ctx[crypto_shash_descsize(ima_shash_tfm)];
160 } desc;
Mimi Zohar3323eec92009-02-04 09:06:58 -0500[diff] [blame]161
Dmitry Kasatkin76bb28f2012-06-08 10:42:30 +0300[diff] [blame]162 desc.shash.tfm = ima_shash_tfm;
163 desc.shash.flags = 0;
164
165 rc = crypto_shash_init(&desc.shash);
Mimi Zohar3323eec92009-02-04 09:06:58 -0500[diff] [blame]166 if (rc != 0)
167 return rc;
168
169 /* cumulative sha1 over tpm registers 0-7 */
170 for (i = TPM_PCR0; i < TPM_PCR8; i++) {
171 ima_pcrread(i, pcr_i);
172 /* now accumulate with current aggregate */
Dmitry Kasatkin76bb28f2012-06-08 10:42:30 +0300[diff] [blame]173 rc = crypto_shash_update(&desc.shash, pcr_i, IMA_DIGEST_SIZE);
Mimi Zohar3323eec92009-02-04 09:06:58 -0500[diff] [blame]174 }
175 if (!rc)
Dmitry Kasatkin76bb28f2012-06-08 10:42:30 +0300[diff] [blame]176 crypto_shash_final(&desc.shash, digest);
Mimi Zohar3323eec92009-02-04 09:06:58 -0500[diff] [blame]177 return rc;
178}