Message-ID: <7e7d730961ee65dd063755f6a1ff9aefdcdff430.camel@linux.ibm.com>
Date: Mon, 17 Mar 2025 21:57:02 -0400
From: Mimi Zohar <zohar@...ux.ibm.com>
To: Nicolai Stange <nstange@...e.de>,
        Roberto Sassu
 <roberto.sassu@...wei.com>,
        Dmitry Kasatkin <dmitry.kasatkin@...il.com>
Cc: Eric Snowberg <eric.snowberg@...cle.com>, linux-integrity@...r.kernel.org,
        linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [RFC PATCH v1 3/7] ima: move INVALID_PCR() to ima.h

On Thu, 2025-03-13 at 18:33 +0100, Nicolai Stange wrote:
> Make the INVALID_PCR() #define available to other compilation units
> by moving it from ima_policy.c to ima.h and renaming it to
> IMA_INVALID_PCR() in the course.
> 
> Signed-off-by: Nicolai Stange <nstange@...e.de>

Restoring the IMA measurement list doesn't involve extending the TPM.  The hash
specific measurements have already been extended into the respective TPM banks.
Is this and the subsequent patch necessary?

Mimi


> ---
>  security/integrity/ima/ima.h        | 4 ++++
>  security/integrity/ima/ima_policy.c | 5 +----
>  2 files changed, 5 insertions(+), 4 deletions(-)
> 
> diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
> index a4f284bd846c..1158a7b8bf6b 100644
> --- a/security/integrity/ima/ima.h
> +++ b/security/integrity/ima/ima.h
> @@ -198,6 +198,10 @@ struct ima_iint_cache {
>  	struct ima_digest_data *ima_hash;
>  };
>  
> +#define IMA_INVALID_PCR(a) (((a) < 0) || \
> +	(a) >= (sizeof_field(struct ima_iint_cache, measured_pcrs) * 8))
> +
> +
>  extern struct lsm_blob_sizes ima_blob_sizes;
>  
>  static inline struct ima_iint_cache *
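Review bot: the hunk adds two consecutive empty `+` lines between the new IMA_INVALID_PCR() definition and `extern struct lsm_blob_sizes ima_blob_sizes;`, one more than the surrounding header uses; drop one so the macro is separated by a single blank line like its neighbours. A smaller consistency point on the macro body: the first operand is wrapped as `((a) < 0)` but the second, `(a) >= (sizeof_field(...) * 8)`, is not, so wrapping it as well would make the two halves of the `||` read alike. Placement is fine: the macro depends on `struct ima_iint_cache` and `sizeof_field()` being visible, and it sits directly after the struct definition it measures.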
> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index 128fab897930..d9e4210ea814 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -48,9 +48,6 @@
>  #define HASH		0x0100
>  #define DONT_HASH	0x0200
>  
> -#define INVALID_PCR(a) (((a) < 0) || \
> -	(a) >= (sizeof_field(struct ima_iint_cache, measured_pcrs) * 8))
> -
>  int ima_policy_flag;
>  static int temp_ima_appraise;
>  static int build_ima_appraise __ro_after_init;
> @@ -1855,7 +1852,7 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
>  			ima_log_string(ab, "pcr", args[0].from);
>  
>  			result = kstrtoint(args[0].from, 10, &entry->pcr);
> -			if (result || INVALID_PCR(entry->pcr))
> +			if (result || IMA_INVALID_PCR(entry->pcr))
>  				result = -EINVAL;
>  			else
>  				entry->flags |= IMA_PCR;

