[PATCH -next RFC 4/4] ima: rot: Involve per-RoT default PCR index

GONG Ruiqi gongruiqi1 at huawei.com
Mon Jun 30 12:59:28 UTC 2025


As both the extend operation and the measurement list require a PCR
index, the concept of PCR needs to be applied to RoTs other than
TPM as well, and each type of RoT device should have its own PCR index,
whether or not that index is actually used.

The original CONFIG_IMA_MEASURE_PCR_IDX in fact has two roles:

  1. It specifies the default index of TPM's PCR that IMA will use.
  2. It provides a dummy PCR index (as a placeholder in the measurement
     list) when TPM (now generalized to RoT) is unavailable.

Now rename this config to emphasize its first role, and create another
macro, IMA_DEFAULT_PCR_IDX, to take up the second role.

Signed-off-by: GONG Ruiqi <gongruiqi1 at huawei.com>
---
 security/integrity/ima/Kconfig    | 12 ++++++++----
 security/integrity/ima/ima.h      |  3 +++
 security/integrity/ima/ima_api.c  |  2 +-
 security/integrity/ima/ima_init.c |  2 +-
 security/integrity/ima/ima_main.c |  4 ++--
 security/integrity/ima/ima_rot.c  |  2 +-
 6 files changed, 16 insertions(+), 9 deletions(-)

diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
index 976e75f9b9ba..5e3b4ddea9ab 100644
--- a/security/integrity/ima/Kconfig
+++ b/security/integrity/ima/Kconfig
@@ -44,14 +44,18 @@ config IMA_KEXEC
 	   Depending on the IMA policy, the measurement list can grow to
 	   be very large.
 
-config IMA_MEASURE_PCR_IDX
+config IMA_ROT_TPM_PCR_IDX
 	int
 	range 8 14
 	default 10
 	help
-	  IMA_MEASURE_PCR_IDX determines the TPM PCR register index
-	  that IMA uses to maintain the integrity aggregate of the
-	  measurement list.  If unsure, use the default 10.
+	  IMA_ROT_TPM_PCR_IDX determines the index of PCR that IMA, when
+	  choosing TPM as the Root of Trust (RoT), would use to maintain
+	  the integrity aggregate of the measurement list. Its value is
+	  also used as a dummy PCR index IMA would use in the absence of
+	  RoT.
+
+	  If unsure, use the default 10.
 
 config IMA_LSM_RULES
 	bool
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index 31e3f76cdda6..f64fde127006 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -42,6 +42,9 @@ enum tpm_pcrs { TPM_PCR0 = 0, TPM_PCR8 = 8, TPM_PCR10 = 10 };
 #define IMA_TEMPLATE_IMA_NAME "ima"
 #define IMA_TEMPLATE_IMA_FMT "d|n"
 
+#define IMA_DEFAULT_PCR_IDX CONFIG_IMA_ROT_TPM_PCR_IDX
+#define IMA_MEASURE_PCR_IDX (ima_rot_inst ? ima_rot_inst->default_pcr : IMA_DEFAULT_PCR_IDX)
+
 #define NR_BANKS(rot) ((rot != NULL) ? rot->nr_allocated_banks : 0)
 
 /* current content of the policy */
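Review bot: IMA_MEASURE_PCR_IDX at line 67 expands to a runtime read of the global `ima_rot_inst`, but it keeps the UPPER_CASE shape of the CONFIG_ constant it replaces, so its call sites in ima_api.c, ima_init.c and ima_main.c read as compile-time constants while each use actually dereferences a global. A `static inline int ima_measure_pcr_idx(void)` would make that visible and type-checked, and is consistent with NR_BANKS on line 69, which takes the rot explicitly instead of reaching for a global; at minimum add `/* Runtime value: the selected RoT's default PCR, or the TPM config value when no RoT is registered. */` above the macro. The hunk does not show where `ima_rot_inst` is declared; if it is not declared earlier in ima.h, every translation unit that uses the macro needs the extern declaration, so that should be confirmed.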
diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
index 65cf5b2400f2..94201216225d 100644
--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -152,7 +152,7 @@ void ima_add_violation(struct file *file, const unsigned char *filename,
 		goto err_out;
 	}
 	result = ima_store_template(entry, violation, inode,
-				    filename, CONFIG_IMA_MEASURE_PCR_IDX);
+				    filename, IMA_MEASURE_PCR_IDX);
 	if (result < 0)
 		ima_free_template_entry(entry);
 err_out:
diff --git a/security/integrity/ima/ima_init.c b/security/integrity/ima/ima_init.c
index 096eaa7a7666..a63a5d8355df 100644
--- a/security/integrity/ima/ima_init.c
+++ b/security/integrity/ima/ima_init.c
@@ -87,7 +87,7 @@ static int __init ima_add_boot_aggregate(void)
 
 	result = ima_store_template(entry, violation, NULL,
 				    boot_aggregate_name,
-				    CONFIG_IMA_MEASURE_PCR_IDX);
+				    IMA_MEASURE_PCR_IDX);
 	if (result < 0) {
 		ima_free_template_entry(entry);
 		audit_cause = "store_entry";
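Review bot: The boot_aggregate entry now records whichever PCR `ima_rot_inst` reports at the moment ima_add_boot_aggregate() runs, while later entries use the value at their own measurement time; if RoT selection happens after this __init function in the init sequence (not visible here), the first measurement-list entry would carry the TPM default and subsequent entries the per-RoT PCR, which a verifier replaying the list would see as a mismatch. A one-line comment stating the ordering requirement, `/* Requires ima_rot_inst to be selected before the boot aggregate is stored. */`, would pin that assumption. ima_add_boot_aggregate's body starts and ends outside the hunk.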
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index cdd225f65a62..ed13966dc562 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -245,7 +245,7 @@ static int process_measurement(struct file *file, const struct cred *cred,
 	char filename[NAME_MAX];
 	const char *pathname = NULL;
 	int rc = 0, action, must_appraise = 0;
-	int pcr = CONFIG_IMA_MEASURE_PCR_IDX;
+	int pcr = IMA_MEASURE_PCR_IDX;
 	struct evm_ima_xattr_data *xattr_value = NULL;
 	struct modsig *modsig = NULL;
 	int xattr_len = 0;
@@ -1060,7 +1060,7 @@ int process_buffer_measurement(struct mnt_idmap *idmap,
 	}
 
 	if (!pcr)
-		pcr = CONFIG_IMA_MEASURE_PCR_IDX;
+		pcr = IMA_MEASURE_PCR_IDX;
 
 	iint.ima_hash = hash_hdr;
 	iint.ima_hash->algo = ima_hash_algo;
diff --git a/security/integrity/ima/ima_rot.c b/security/integrity/ima/ima_rot.c
index 0083d9c4e64e..ed32a48bef8d 100644
--- a/security/integrity/ima/ima_rot.c
+++ b/security/integrity/ima/ima_rot.c
@@ -38,7 +38,7 @@ static struct ima_rot ima_rots[] = {
 #ifdef CONFIG_TCG_TPM
 	{
 		.name = "tpm",
-		.default_pcr = CONFIG_IMA_MEASURE_PCR_IDX,
+		.default_pcr = CONFIG_IMA_ROT_TPM_PCR_IDX,
 		.init = ima_tpm_init,
 		.extend = ima_tpm_extend,
 		.calc_boot_aggregate = ima_tpm_calc_boot_aggregate,
-- 
2.25.1



