[RFC][PATCH 6/7] ima: Skip measurement of files found in DIGLIM hash table

Roberto Sassu roberto.sassu at huawei.com
Thu Sep 30 11:55:32 UTC 2021

Skip a file measurement if the IMA policy allows the usage of DIGLIM with
the use_diglim directive, if the content or metadata digests were found in
the DIGLIM hash table and if at least one of the digest lists containing
the found digest has the action COMPACT_ACTION_IMA_MEASURED set.

Since the usage of the use_diglim directive requires to specify a different
PCR than the default one, this avoids confusion with the standard IMA
measurement list where if a file is missing it means that it was not

The new meaning of measurements done with the use_diglim directive is that
if a file is missing, it was not accessed or it was accessed, was found in
the DIGLIM hash table, and the measurement of at least one digest list
containing its content or metadata digest is in the measurement list.

Files not found in the DIGLIM hash table or files whose content or metadata
digest was not measured will still appear in the measurement list.

Given that with the new behavior it cannot be determined whether a file was
accessed or not, remote verifiers must assume the worst case where every
file, whose content or metadata digest is in a measured digest list, was
accessed. With this assumption, it is safe to assume the measurement list
generated with the new behavior as complete.

Signed-off-by: Roberto Sassu <roberto.sassu at huawei.com>
 security/integrity/ima/ima_main.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 84ccb76f6c3c..7add0e70f67a 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -442,6 +442,15 @@ static int process_measurement(struct file *file, const struct cred *cred,
 	if (must_appraise)
 		if (rc && (ima_appraise & IMA_APPRAISE_ENFORCE))
 			action &= ~(IMA_MEASURE | IMA_AUDIT);
+	/* Use DIGLIM method for measurement if enabled in the policy. */
+	if (action & IMA_MEASURE && (iint->flags & IMA_USE_DIGLIM_MEASURE)) {
+		if (file_actions & (1 << COMPACT_ACTION_IMA_MEASURED) ||
+		    metadata_actions & (1 << COMPACT_ACTION_IMA_MEASURED)) {
+			iint->flags |= IMA_MEASURED;
+			iint->measured_pcrs |= (0x1 << pcr);
+			action &= ~IMA_MEASURE;
+		}
+	}
 	if (action & IMA_MEASURE)
 		ima_store_measurement(iint, file, pathname,
 				      xattr_value, xattr_len, modsig, pcr,

More information about the Linux-security-module-archive mailing list