Message-ID: <7e7d730961ee65dd063755f6a1ff9aefdcdff430.camel@linux.ibm.com>
Date: Mon, 17 Mar 2025 21:57:02 -0400
From: Mimi Zohar <zohar@...ux.ibm.com>
To: Nicolai Stange <nstange@...e.de>, Roberto Sassu <roberto.sassu@...wei.com>, Dmitry Kasatkin <dmitry.kasatkin@...il.com>
Cc: Eric Snowberg <eric.snowberg@...cle.com>, linux-integrity@...r.kernel.org,
linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [RFC PATCH v1 3/7] ima: move INVALID_PCR() to ima.h
On Thu, 2025-03-13 at 18:33 +0100, Nicolai Stange wrote:
> Make the INVALID_PCR() #define available to other compilation units
> by moving it from ima_policy.c to ima.h and renaming it to
> IMA_INVALID_PCR() in the course.
>
> Signed-off-by: Nicolai Stange <nstange@...e.de>
Restoring the IMA measurement list doesn't involve extending the TPM. The hash
specific measurements have already been extended into the respective TPM banks.
Is this and the subsequent patch necessary?
Mimi
> ---
> security/integrity/ima/ima.h | 4 ++++
> security/integrity/ima/ima_policy.c | 5 +----
> 2 files changed, 5 insertions(+), 4 deletions(-)
>
> diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
> index a4f284bd846c..1158a7b8bf6b 100644
> --- a/security/integrity/ima/ima.h
> +++ b/security/integrity/ima/ima.h
> @@ -198,6 +198,10 @@ struct ima_iint_cache {
> struct ima_digest_data *ima_hash;
> };
>
> +#define IMA_INVALID_PCR(a) (((a) < 0) || \
> + (a) >= (sizeof_field(struct ima_iint_cache, measured_pcrs) * 8))
> +
> +
> extern struct lsm_blob_sizes ima_blob_sizes;
>
> static inline struct ima_iint_cache *
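Review bot: the two consecutive `+` blank lines after the new IMA_INVALID_PCR() definition (before `extern struct lsm_blob_sizes ima_blob_sizes;`) leave a double blank line in ima.h, which checkpatch flags; one separator is enough. Since the commit message only says the macro is made available "to other compilation units", it would help review to name the consumer (the subsequent patch) so the reason for exporting it from ima_policy.c is visible here.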
> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index 128fab897930..d9e4210ea814 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -48,9 +48,6 @@
> #define HASH 0x0100
> #define DONT_HASH 0x0200
>
> -#define INVALID_PCR(a) (((a) < 0) || \
> - (a) >= (sizeof_field(struct ima_iint_cache, measured_pcrs) * 8))
> -
> int ima_policy_flag;
> static int temp_ima_appraise;
> static int build_ima_appraise __ro_after_init;
> @@ -1855,7 +1852,7 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
> ima_log_string(ab, "pcr", args[0].from);
>
> result = kstrtoint(args[0].from, 10, &entry->pcr);
> - if (result || INVALID_PCR(entry->pcr))
> + if (result || IMA_INVALID_PCR(entry->pcr))
> result = -EINVAL;
> else
> entry->flags |= IMA_PCR;
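Review bot: `entry->pcr` is filled by kstrtoint() as a signed int, while the right-hand side of IMA_INVALID_PCR() is a size_t expression (`sizeof_field(...) * 8`), so the `>=` comparison promotes the value to unsigned; this is only safe because the macro tests `(a) < 0` first and `||` short-circuits. Worth a one-line comment at the macro, or casting the field size to int, so a later edit that reorders the two checks cannot silently let negative PCR indices through as large unsigned values.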