[PATCH] ima: Use tpm_default_chip() and call TPM functions with a tpm_chip

Mimi Zohar zohar at linux.vnet.ibm.com
Mon Jul 2 17:00:39 UTC 2018


On Mon, 2018-07-02 at 11:24 -0400, Stefan Berger wrote:
> Rather than accessing the TPM functions by passing a NULL pointer for
> the tpm_chip, which causes a lookup for a suitable chip every time, get a
> hold of a tpm_chip and access the TPM functions using it. Also get rid of
> the ima_used_chip variable and use the new ima_tpm_chip variable instead
> for determining whether to call TPM functions.
> 
> Signed-off-by: Stefan Berger <stefanb at linux.vnet.ibm.com>
> Acked-by: Jarkko Sakkinen <jarkko.sakkinen at linux.intel.com>

Signed-off-by: Mimi Zohar <zohar at linux.vnet.ibm.com>

Jarkko, would you mind staging this patch with the rest of the patch
set?

Mimi


> ---
>  security/integrity/ima/ima.h        |  2 +-
>  security/integrity/ima/ima_crypto.c |  4 ++--
>  security/integrity/ima/ima_init.c   | 16 +++++-----------
>  security/integrity/ima/ima_queue.c  |  4 ++--
>  4 files changed, 10 insertions(+), 16 deletions(-)
> 
> diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
> index 354bb5716ce3..2ab1affffa36 100644
> --- a/security/integrity/ima/ima.h
> +++ b/security/integrity/ima/ima.h
> @@ -53,9 +53,9 @@ enum tpm_pcrs { TPM_PCR0 = 0, TPM_PCR8 = 8 };
>  extern int ima_policy_flag;
> 
>  /* set during initialization */
> -extern int ima_used_chip;
>  extern int ima_hash_algo;
>  extern int ima_appraise;
> +extern struct tpm_chip *ima_tpm_chip;
> 
>  /* IMA event related data */
>  struct ima_event_data {
> diff --git a/security/integrity/ima/ima_crypto.c b/security/integrity/ima/ima_crypto.c
> index 4e085a17124f..7e7e7e7c250a 100644
> --- a/security/integrity/ima/ima_crypto.c
> +++ b/security/integrity/ima/ima_crypto.c
> @@ -631,10 +631,10 @@ int ima_calc_buffer_hash(const void *buf, loff_t len,
> 
>  static void __init ima_pcrread(int idx, u8 *pcr)
>  {
> -	if (!ima_used_chip)
> +	if (!ima_tpm_chip)
>  		return;
> 
> -	if (tpm_pcr_read(NULL, idx, pcr) != 0)
> +	if (tpm_pcr_read(ima_tpm_chip, idx, pcr) != 0)
>  		pr_err("Error Communicating to TPM chip\n");
>  }
> 
> diff --git a/security/integrity/ima/ima_init.c b/security/integrity/ima/ima_init.c
> index 29b72cd2502e..faac9ecaa0ae 100644
> --- a/security/integrity/ima/ima_init.c
> +++ b/security/integrity/ima/ima_init.c
> @@ -26,7 +26,7 @@
> 
>  /* name for boot aggregate entry */
>  static const char *boot_aggregate_name = "boot_aggregate";
> -int ima_used_chip;
> +struct tpm_chip *ima_tpm_chip;
> 
>  /* Add the boot aggregate to the IMA measurement list and extend
>   * the PCR register.
> @@ -64,7 +64,7 @@ static int __init ima_add_boot_aggregate(void)
>  	iint->ima_hash->algo = HASH_ALGO_SHA1;
>  	iint->ima_hash->length = SHA1_DIGEST_SIZE;
> 
> -	if (ima_used_chip) {
> +	if (ima_tpm_chip) {
>  		result = ima_calc_boot_aggregate(&hash.hdr);
>  		if (result < 0) {
>  			audit_cause = "hashing_error";
> @@ -106,17 +106,11 @@ void __init ima_load_x509(void)
> 
>  int __init ima_init(void)
>  {
> -	u8 pcr_i[TPM_DIGEST_SIZE];
>  	int rc;
> 
> -	ima_used_chip = 0;
> -	rc = tpm_pcr_read(NULL, 0, pcr_i);
> -	if (rc == 0)
> -		ima_used_chip = 1;
> -
> -	if (!ima_used_chip)
> -		pr_info("No TPM chip found, activating TPM-bypass! (rc=%d)\n",
> -			rc);
> +	ima_tpm_chip = tpm_default_chip();
> +	if (!ima_tpm_chip)
> +		pr_info("No TPM chip found, activating TPM-bypass!\n");
> 
>  	rc = integrity_init_keyring(INTEGRITY_KEYRING_IMA);
>  	if (rc)
> diff --git a/security/integrity/ima/ima_queue.c b/security/integrity/ima/ima_queue.c
> index 418f35e38015..b186819bd5aa 100644
> --- a/security/integrity/ima/ima_queue.c
> +++ b/security/integrity/ima/ima_queue.c
> @@ -142,10 +142,10 @@ static int ima_pcr_extend(const u8 *hash, int pcr)
>  {
>  	int result = 0;
> 
> -	if (!ima_used_chip)
> +	if (!ima_tpm_chip)
>  		return result;
> 
> -	result = tpm_pcr_extend(NULL, pcr, hash);
> +	result = tpm_pcr_extend(ima_tpm_chip, pcr, hash);
>  	if (result != 0)
>  		pr_err("Error Communicating to TPM chip, result: %d\n", result);
>  	return result;

--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html



More information about the Linux-security-module-archive mailing list