[PATCH] ipe: use SHA-256 library API instead of crypto_shash API
Eric Biggers
ebiggers at kernel.org
Wed May 14 05:05:46 UTC 2025
From: Eric Biggers <ebiggers at google.com>
audit_policy() does not support any other algorithm, so the crypto_shash
abstraction provides no value. Just use the SHA-256 library API
instead, which is much simpler and easier to use.
Signed-off-by: Eric Biggers <ebiggers at google.com>
---
security/ipe/Kconfig | 1 +
security/ipe/audit.c | 33 +++++----------------------------
2 files changed, 6 insertions(+), 28 deletions(-)
diff --git a/security/ipe/Kconfig b/security/ipe/Kconfig
index 3c75bf267da46..a110a6cd848b7 100644
--- a/security/ipe/Kconfig
+++ b/security/ipe/Kconfig
@@ -4,10 +4,11 @@
#
menuconfig SECURITY_IPE
bool "Integrity Policy Enforcement (IPE)"
depends on SECURITY && SECURITYFS && AUDIT && AUDITSYSCALL
+ select CRYPTO_LIB_SHA256
select PKCS7_MESSAGE_PARSER
select SYSTEM_DATA_VERIFICATION
select IPE_PROP_DM_VERITY if DM_VERITY
select IPE_PROP_DM_VERITY_SIGNATURE if DM_VERITY && DM_VERITY_VERIFY_ROOTHASH_SIG
select IPE_PROP_FS_VERITY if FS_VERITY
diff --git a/security/ipe/audit.c b/security/ipe/audit.c
index 9668ecc5acd53..de5fed62592e1 100644
--- a/security/ipe/audit.c
+++ b/security/ipe/audit.c
@@ -4,22 +4,22 @@
*/
#include <linux/slab.h>
#include <linux/audit.h>
#include <linux/types.h>
-#include <crypto/hash.h>
+#include <crypto/sha2.h>
#include "ipe.h"
#include "eval.h"
#include "hooks.h"
#include "policy.h"
#include "audit.h"
#include "digest.h"
#define ACTSTR(x) ((x) == IPE_ACTION_ALLOW ? "ALLOW" : "DENY")
-#define IPE_AUDIT_HASH_ALG "sha256"
+#define IPE_AUDIT_HASH_ALG "sha256" /* keep in sync with audit_policy() */
#define AUDIT_POLICY_LOAD_FMT "policy_name=\"%s\" policy_version=%hu.%hu.%hu "\
"policy_digest=" IPE_AUDIT_HASH_ALG ":"
#define AUDIT_POLICY_LOAD_NULL_FMT "policy_name=? policy_version=? "\
"policy_digest=?"
@@ -180,41 +180,18 @@ void ipe_audit_match(const struct ipe_eval_ctx *const ctx,
*/
static void audit_policy(struct audit_buffer *ab,
const char *audit_format,
const struct ipe_policy *const p)
{
- SHASH_DESC_ON_STACK(desc, tfm);
- struct crypto_shash *tfm;
- u8 *digest = NULL;
+ u8 digest[SHA256_DIGEST_SIZE];
- tfm = crypto_alloc_shash(IPE_AUDIT_HASH_ALG, 0, 0);
- if (IS_ERR(tfm))
- return;
-
- desc->tfm = tfm;
-
- digest = kzalloc(crypto_shash_digestsize(tfm), GFP_KERNEL);
- if (!digest)
- goto out;
-
- if (crypto_shash_init(desc))
- goto out;
-
- if (crypto_shash_update(desc, p->pkcs7, p->pkcs7len))
- goto out;
-
- if (crypto_shash_final(desc, digest))
- goto out;
+ sha256(p->pkcs7, p->pkcs7len, digest);
audit_log_format(ab, audit_format, p->parsed->name,
p->parsed->version.major, p->parsed->version.minor,
p->parsed->version.rev);
- audit_log_n_hex(ab, digest, crypto_shash_digestsize(tfm));
-
-out:
- kfree(digest);
- crypto_free_shash(tfm);
+ audit_log_n_hex(ab, digest, sizeof(digest));
}
/**
* ipe_audit_policy_activation() - Audit a policy being activated.
* @op: Supplies a pointer to the previously activated policy to audit.
base-commit: aa94665adc28f3fdc3de2979ac1e98bae961d6ca
--
2.49.0
More information about the Linux-security-module-archive
mailing list