Unverified Commit 3fd8a0ad authored by openeuler-ci-bot's avatar openeuler-ci-bot Committed by Gitee
Browse files

!13257 IMA RoT 

Merge Pull Request from: @ci-robot 
 
PR sync from: GONG Ruiqi <gongruiqi1@huawei.com>
https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/DNHR5XPXZLAYOKWM4NTJAIUIFVA6HXW3/ 
This patch set introduces IMA's Root of Trust (RoT), which is to support
new RoT implementations such as Intel TDX and VirtCCA, as well as the
classic TPM.

Reference for Intel TDX with IMA:
https://www.intel.cn/content/www/cn/zh/developer/articles/community/runtime-integrity-measure-and-attest-trust-domain.html

Reference for VirtCCA:
https://gitee.com/openeuler/kernel/blob/OLK-6.6/Documentation/virtcca/virtcca.txt

GONG Ruiqi (5):
  ima: rot: Introduce basic framework
  ima: rot: Prepare TPM as an RoT
  ima: rot: Make RoT kick in
  ima: Rename ima_cvm to ima_virtcca
  ima: rot: Adapt VirtCCA into Rot


-- 
2.25.1
 
https://gitee.com/openeuler/kernel/issues/IB4I9O 
 
Link:https://gitee.com/openeuler/kernel/pulls/13257

 

Reviewed-by: default avatarZhang Peng <zhangpeng362@huawei.com>
Signed-off-by: default avatarZhang Peng <zhangpeng362@huawei.com>
parents ed398fe1 24ac42fb

security/integrity/ima/Makefile

+3 −2
Original line number Diff line number Diff line
@@ -7,7 +7,7 @@ 
obj-$(CONFIG_IMA) += ima.o



ima-y := ima_fs.o ima_queue.o ima_init.o ima_main.o ima_crypto.o ima_api.o \

	 ima_policy.o ima_template.o ima_template_lib.o

	 ima_policy.o ima_template.o ima_template_lib.o ima_rot.o

ima-$(CONFIG_IMA_APPRAISE) += ima_appraise.o

ima-$(CONFIG_IMA_APPRAISE_MODSIG) += ima_modsig.o

ima-$(CONFIG_HAVE_IMA_KEXEC) += ima_kexec.o
@@ -15,9 +15,10 @@ ima-$(CONFIG_IMA_BLACKLIST_KEYRING) += ima_mok.o 
ima-$(CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS) += ima_asymmetric_keys.o

ima-$(CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS) += ima_queue_keys.o

ima-$(CONFIG_IMA_DIGEST_LIST) += ima_digest_list.o

ima-$(CONFIG_TCG_TPM) += ima_tpm.o



ifeq ($(CONFIG_EFI),y)

ima-$(CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT) += ima_efi.o

endif



ima-$(CONFIG_HISI_VIRTCCA_GUEST) += ima_cvm.o
 
ima-$(CONFIG_HISI_VIRTCCA_GUEST) += ima_virtcca.o

security/integrity/ima/ima.h

+3 −2
Original line number Diff line number Diff line
@@ -23,6 +23,7 @@ 
#include <crypto/hash_info.h>



#include "../integrity.h"

#include "ima_rot.h"



enum ima_show_type { IMA_SHOW_BINARY, IMA_SHOW_BINARY_NO_FIELD_LEN,

		     IMA_SHOW_BINARY_OLD_STRING_FMT, IMA_SHOW_ASCII };
@@ -41,7 +42,7 @@ enum tpm_pcrs { TPM_PCR0 = 0, TPM_PCR8 = 8, TPM_PCR10 = 10 }; 
#define IMA_TEMPLATE_IMA_NAME "ima"

#define IMA_TEMPLATE_IMA_FMT "d|n"



#define NR_BANKS(chip) ((chip != NULL) ? chip->nr_allocated_banks : 0)

#define NR_BANKS(rot) ((rot != NULL) ? rot->nr_allocated_banks : 0)



/* current content of the policy */

extern int ima_policy_flag;
@@ -55,7 +56,7 @@ extern int ima_sha1_idx __ro_after_init; 
extern int ima_hash_algo_idx __ro_after_init;

extern int ima_extra_slots __ro_after_init;

extern int ima_appraise;

extern struct tpm_chip *ima_tpm_chip;

extern struct ima_rot *ima_rot_inst;

extern const char boot_aggregate_name[];

#ifdef CONFIG_IMA_DIGEST_LIST

extern int ima_digest_list_pcr;

security/integrity/ima/ima_api.c

+1 −1
Original line number Diff line number Diff line
@@ -52,7 +52,7 @@ int ima_alloc_init_template(struct ima_event_data *event_data, 
	if (!*entry)

		return -ENOMEM;



	digests = kcalloc(NR_BANKS(ima_tpm_chip) + ima_extra_slots,

	digests = kcalloc(NR_BANKS(ima_rot_inst) + ima_extra_slots,

			  sizeof(*digests), GFP_NOFS);

	if (!digests) {

		kfree(*entry);

security/integrity/ima/ima_crypto.c

+20 −28
Original line number Diff line number Diff line
@@ -21,6 +21,7 @@ 
#include <crypto/hash.h>



#include "ima.h"

#include "ima_tpm.h"



/* minimum file size for ahash use */

static unsigned long ima_ahash_minsize;
@@ -99,7 +100,7 @@ static struct crypto_shash *ima_alloc_tfm(enum hash_algo algo) 
	if (algo == ima_hash_algo)

		return tfm;



	for (i = 0; i < NR_BANKS(ima_tpm_chip) + ima_extra_slots; i++)

	for (i = 0; i < NR_BANKS(ima_rot_inst) + ima_extra_slots; i++)

		if (ima_algo_array[i].tfm && ima_algo_array[i].algo == algo)

			return ima_algo_array[i].tfm;
@@ -125,8 +126,8 @@ int __init ima_init_crypto(void) 
	ima_sha1_idx = -1;

	ima_hash_algo_idx = -1;



	for (i = 0; i < NR_BANKS(ima_tpm_chip); i++) {

		algo = ima_tpm_chip->allocated_banks[i].crypto_id;

	for (i = 0; i < NR_BANKS(ima_rot_inst); i++) {

		algo = ima_rot_inst->allocated_banks[i].crypto_id;

		if (algo == HASH_ALGO_SHA1)

			ima_sha1_idx = i;
@@ -135,23 +136,23 @@ int __init ima_init_crypto(void) 
	}



	if (ima_sha1_idx < 0) {

		ima_sha1_idx = NR_BANKS(ima_tpm_chip) + ima_extra_slots++;

		ima_sha1_idx = NR_BANKS(ima_rot_inst) + ima_extra_slots++;

		if (ima_hash_algo == HASH_ALGO_SHA1)

			ima_hash_algo_idx = ima_sha1_idx;

	}



	if (ima_hash_algo_idx < 0)

		ima_hash_algo_idx = NR_BANKS(ima_tpm_chip) + ima_extra_slots++;

		ima_hash_algo_idx = NR_BANKS(ima_rot_inst) + ima_extra_slots++;



	ima_algo_array = kcalloc(NR_BANKS(ima_tpm_chip) + ima_extra_slots,

	ima_algo_array = kcalloc(NR_BANKS(ima_rot_inst) + ima_extra_slots,

				 sizeof(*ima_algo_array), GFP_KERNEL);

	if (!ima_algo_array) {

		rc = -ENOMEM;

		goto out;

	}



	for (i = 0; i < NR_BANKS(ima_tpm_chip); i++) {

		algo = ima_tpm_chip->allocated_banks[i].crypto_id;

	for (i = 0; i < NR_BANKS(ima_rot_inst); i++) {

		algo = ima_rot_inst->allocated_banks[i].crypto_id;

		ima_algo_array[i].algo = algo;



		/* unknown TPM algorithm */
@@ -175,7 +176,7 @@ int __init ima_init_crypto(void) 
		}

	}



	if (ima_sha1_idx >= NR_BANKS(ima_tpm_chip)) {

	if (ima_sha1_idx >= NR_BANKS(ima_rot_inst)) {

		if (ima_hash_algo == HASH_ALGO_SHA1) {

			ima_algo_array[ima_sha1_idx].tfm = ima_shash_tfm;

		} else {
@@ -190,7 +191,7 @@ int __init ima_init_crypto(void) 
		ima_algo_array[ima_sha1_idx].algo = HASH_ALGO_SHA1;

	}



	if (ima_hash_algo_idx >= NR_BANKS(ima_tpm_chip) &&

	if (ima_hash_algo_idx >= NR_BANKS(ima_rot_inst) &&

	    ima_hash_algo_idx != ima_sha1_idx) {

		ima_algo_array[ima_hash_algo_idx].tfm = ima_shash_tfm;

		ima_algo_array[ima_hash_algo_idx].algo = ima_hash_algo;
@@ -198,7 +199,7 @@ int __init ima_init_crypto(void) 


	return 0;

out_array:

	for (i = 0; i < NR_BANKS(ima_tpm_chip) + ima_extra_slots; i++) {

	for (i = 0; i < NR_BANKS(ima_rot_inst) + ima_extra_slots; i++) {

		if (!ima_algo_array[i].tfm ||

		    ima_algo_array[i].tfm == ima_shash_tfm)

			continue;
@@ -218,7 +219,7 @@ static void ima_free_tfm(struct crypto_shash *tfm) 
	if (tfm == ima_shash_tfm)

		return;



	for (i = 0; i < NR_BANKS(ima_tpm_chip) + ima_extra_slots; i++)

	for (i = 0; i < NR_BANKS(ima_rot_inst) + ima_extra_slots; i++)

		if (ima_algo_array[i].tfm == tfm)

			return;
@@ -636,12 +637,12 @@ int ima_calc_field_array_hash(struct ima_field_data *field_data, 


	entry->digests[ima_sha1_idx].alg_id = TPM_ALG_SHA1;



	for (i = 0; i < NR_BANKS(ima_tpm_chip) + ima_extra_slots; i++) {

	for (i = 0; i < NR_BANKS(ima_rot_inst) + ima_extra_slots; i++) {

		if (i == ima_sha1_idx)

			continue;



		if (i < NR_BANKS(ima_tpm_chip)) {

			alg_id = ima_tpm_chip->allocated_banks[i].alg_id;

		if (i < NR_BANKS(ima_rot_inst)) {

			alg_id = ima_rot_inst->allocated_banks[i].alg_id;

			entry->digests[i].alg_id = alg_id;

		}
@@ -777,15 +778,6 @@ int ima_calc_buffer_hash(const void *buf, loff_t len, 
	return calc_buffer_shash(buf, len, hash);

}



static void ima_pcrread(u32 idx, struct tpm_digest *d)

{

	if (!ima_tpm_chip)

		return;



	if (tpm_pcr_read(ima_tpm_chip, idx, d) != 0)

		pr_err("Error Communicating to TPM chip\n");

}



/*

 * The boot_aggregate is a cumulative hash over TPM registers 0 - 7.  With

 * TPM 1.2 the boot_aggregate was based on reading the SHA1 PCRs, but with
@@ -847,8 +839,8 @@ int ima_calc_boot_aggregate(struct ima_digest_data *hash) 
	u16 crypto_id, alg_id;

	int rc, i, bank_idx = -1;



	for (i = 0; i < ima_tpm_chip->nr_allocated_banks; i++) {

		crypto_id = ima_tpm_chip->allocated_banks[i].crypto_id;

	for (i = 0; i < NR_BANKS(ima_rot_inst); i++) {

		crypto_id = ima_rot_inst->allocated_banks[i].crypto_id;

		if (crypto_id == hash->algo) {

			bank_idx = i;

			break;
@@ -866,14 +858,14 @@ int ima_calc_boot_aggregate(struct ima_digest_data *hash) 
		return 0;

	}



	hash->algo = ima_tpm_chip->allocated_banks[bank_idx].crypto_id;

	hash->algo = ima_rot_inst->allocated_banks[bank_idx].crypto_id;



	tfm = ima_alloc_tfm(hash->algo);

	if (IS_ERR(tfm))

		return PTR_ERR(tfm);



	hash->length = crypto_shash_digestsize(tfm);

	alg_id = ima_tpm_chip->allocated_banks[bank_idx].alg_id;

	alg_id = ima_rot_inst->allocated_banks[bank_idx].alg_id;

	rc = ima_calc_boot_aggregate_tfm(hash->digest, alg_id, tfm);



	ima_free_tfm(tfm);

security/integrity/ima/ima_cvm.h

deleted100644 → 0
+0 −36
Original line number Diff line number Diff line 
/* SPDX-License-Identifier: GPL-2.0 */

/*

 * Copyright (C) 2024. Huawei Technologies Co., Ltd. All rights reserved.

 */

#ifndef __LINUX_IMA_CVM_H

#define __LINUX_IMA_CVM_H



#include "ima.h"



#ifdef CONFIG_HISI_VIRTCCA_GUEST

int __init ima_cvm_init(void);

bool ima_cvm_available(void);

int ima_cvm_extend(struct tpm_digest *digests_arg);

int ima_calc_cvm_boot_aggregate(struct ima_digest_data *hash);

#else

static inline int __init ima_cvm_init(void)

{

	return -ENODEV;

}



static inline bool ima_cvm_available(void)

{

	return false;

}



static inline int ima_cvm_extend(struct tpm_digest *digests_arg)

{

	return -ENODEV;

}



static inline int ima_calc_cvm_boot_aggregate(struct ima_digest_data *hash)

{

	return -ENODEV;

}

#endif

#endif