[PATCH 2/2] evm: output EVM digest calculation info

nramas nramas at linux.microsoft.com
Tue Jun 8 16:06:00 UTC 2021


On Tue, 2021-06-08 at 09:29 -0400, Mimi Zohar wrote:
> Output the data used in calculating the EVM digest and the resulting
> digest as ascii hexadecimal strings.

Reviewed-by: Lakshmi Ramasubramanian <nramas at linux.microsoft.com>

> 
> Suggested-by: Lakshmi Ramasubramanian <nramas at linux.microsoft.com>
> (CONFIG_DYNAMIC_DEBUG)
> Signed-off-by: Mimi Zohar <zohar at linux.ibm.com>
> ---
> Changelog:
> - Use pr_debug *phN format
> - Define dump_security_xattr() for larger binary data
> - Based on CONFIG_DYNAMIC_DEBUG
> 
>  security/integrity/evm/evm_crypto.c | 42
> +++++++++++++++++++++++++++++
>  security/integrity/evm/evm_main.c   |  4 +++
>  2 files changed, 46 insertions(+)
> 
> diff --git a/security/integrity/evm/evm_crypto.c
> b/security/integrity/evm/evm_crypto.c
> index 1628e2ca9862..900cf8a157b6 100644
> --- a/security/integrity/evm/evm_crypto.c
> +++ b/security/integrity/evm/evm_crypto.c
> @@ -10,6 +10,8 @@
>   *	 Using root's kernel master key (kmk), calculate the HMAC
>   */
>  
> +#define pr_fmt(fmt) "EVM: "fmt
> +
>  #include <linux/export.h>
>  #include <linux/crypto.h>
>  #include <linux/xattr.h>
> @@ -175,6 +177,29 @@ static void hmac_add_misc(struct shash_desc
> *desc, struct inode *inode,
>  	    type != EVM_XATTR_PORTABLE_DIGSIG)
>  		crypto_shash_update(desc, (u8 *)&inode->i_sb->s_uuid,
> UUID_SIZE);
>  	crypto_shash_final(desc, digest);
> +
> +	pr_debug("hmac_misc: (%lu) [%*phN]\n", sizeof(struct h_misc),
> +		 (int) sizeof(struct h_misc), &hmac_misc);
> +}
> +
> +/*
> + * Dump large security xattr values as a continuous ascii
> hexademical string.
> + * (pr_debug is limited to 64 bytes.)
> + */
> +static void dump_security_xattr(const char *prefix, const void *src,
> size_t count)
> +{
> +#if defined(DEBUG) || defined(CONFIG_DYNAMIC_DEBUG)
> +	char *asciihex, *p;
> +
> +	p = asciihex = kmalloc(count * 2 + 1, GFP_KERNEL);
> +	if (!asciihex)
> +		return;
> +
> +	p = bin2hex(p, src, count);
> +	*p = 0;
> +	pr_debug("%s: (%lu) %.*s\n", prefix, count, (int) count * 2,
> asciihex);
> +	kfree(asciihex);
> +#endif
>  }
>  
>  /*
> @@ -230,6 +255,16 @@ static int evm_calc_hmac_or_hash(struct dentry
> *dentry,
>  					     req_xattr_value_len);
>  			if (is_ima)
>  				ima_present = true;
> +
> +			if (req_xattr_value_len < 64)
> +				pr_debug("%s: (%lu) [%*phN]\n",
> req_xattr_name,
> +					 req_xattr_value_len,
> +					 (int)req_xattr_value_len,
> +					 req_xattr_value);
> +			else
> +				dump_security_xattr(req_xattr_name,
> +						    req_xattr_value,
> +						    req_xattr_value_len
> );
>  			continue;
>  		}
>  		size = vfs_getxattr_alloc(&init_user_ns, dentry, xattr-
> >name,
> @@ -246,6 +281,13 @@ static int evm_calc_hmac_or_hash(struct dentry
> *dentry,
>  		crypto_shash_update(desc, (const u8 *)xattr_value,
> xattr_size);
>  		if (is_ima)
>  			ima_present = true;
> +
> +		if (xattr_size < 64)
> +			pr_debug("%s: (%lu) [%*phN]", xattr->name,
> xattr_size,
> +				 (int)xattr_size, xattr_value);
> +		else
> +			dump_security_xattr(xattr->name, xattr_value,
> +					    xattr_size);
>  	}
>  	hmac_add_misc(desc, inode, type, data->digest);
>  
> diff --git a/security/integrity/evm/evm_main.c
> b/security/integrity/evm/evm_main.c
> index 2c226e634ae9..059ac17a0041 100644
> --- a/security/integrity/evm/evm_main.c
> +++ b/security/integrity/evm/evm_main.c
> @@ -11,6 +11,8 @@
>   *	evm_inode_removexattr, and evm_verifyxattr
>   */
>  
> +#define pr_fmt(fmt) "EVM: "fmt
> +
>  #include <linux/init.h>
>  #include <linux/crypto.h>
>  #include <linux/audit.h>
> @@ -272,6 +274,8 @@ static enum integrity_status
> evm_verify_hmac(struct dentry *dentry,
>  		else
>  			evm_status = INTEGRITY_FAIL;
>  	}
> +	pr_debug("digest: (%d) [%*phN]\n", digest.hdr.length,
> digest.hdr.length,
> +		  digest.digest);
>  out:
>  	if (iint)
>  		iint->evm_status = evm_status;



More information about the Linux-security-module-archive mailing list