Commit 40151ef2 authored by GONG Ruiqi's avatar GONG Ruiqi

ima: rot: Prepare TPM as an RoT

hulk inclusion
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/IB4I9O



--------------------------------

Adapt TPM devices into the RoT framework, mostly by separating
TPM-specific logic from the IMA code into the new ima_tpm.c file.

Note that although TPM is now registered with the RoT framework, the
framework is not yet activated by this patch: in practice IMA still
runs exactly the same way as before.

No functional change intended for this patch.

Signed-off-by: default avatarGONG Ruiqi <gongruiqi1@huawei.com>
parent 03601238
+1 −0
@@ -15,6 +15,7 @@ ima-$(CONFIG_IMA_BLACKLIST_KEYRING) += ima_mok.o
ima-$(CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS) += ima_asymmetric_keys.o
ima-$(CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS) += ima_queue_keys.o
ima-$(CONFIG_IMA_DIGEST_LIST) += ima_digest_list.o
ima-$(CONFIG_TCG_TPM) += ima_tpm.o

ifeq ($(CONFIG_EFI),y)
ima-$(CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT) += ima_efi.o
+1 −9
@@ -21,6 +21,7 @@
#include <crypto/hash.h>

#include "ima.h"
#include "ima_tpm.h"

/* minimum file size for ahash use */
static unsigned long ima_ahash_minsize;
@@ -777,15 +778,6 @@ int ima_calc_buffer_hash(const void *buf, loff_t len,
	return calc_buffer_shash(buf, len, hash);
}

static void ima_pcrread(u32 idx, struct tpm_digest *d)
{
	if (!ima_tpm_chip)
		return;

	if (tpm_pcr_read(ima_tpm_chip, idx, d) != 0)
		pr_err("Error Communicating to TPM chip\n");
}

/*
 * The boot_aggregate is a cumulative hash over TPM registers 0 - 7.  With
 * TPM 1.2 the boot_aggregate was based on reading the SHA1 PCRs, but with
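Review bot: The removed ima_pcrread() logged a tpm_pcr_read() failure and returned void, so its caller went on hashing whatever `d` already held — a boot_aggregate could be computed over an unread digest with no way for the caller to tell. Since the helper is being relocated rather than reworked, the copy that lands in ima_tpm.c (not in this view) should return the tpm_pcr_read() result and the boot-aggregate loop should abort on a non-zero value, e.g. `rc = ima_tpm_pcrread(i, &d); if (rc) return rc;`, instead of logging and continuing. The comment block that starts at the end of this hunk still describes the PCR-based boot_aggregate as living in ima_crypto.c; if that calculation moved to ima_tpm.c as well, the comment should move with it. That comment and the function it introduces continue outside the hunk.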
+0 −1
@@ -23,7 +23,6 @@

/* name for boot aggregate entry */
const char boot_aggregate_name[] = "boot_aggregate";
struct tpm_chip *ima_tpm_chip;
struct ima_rot *ima_rot_inst;

/* Add the boot aggregate to the IMA measurement list and extend
+1 −13
@@ -19,6 +19,7 @@
#include <linux/slab.h>
#include "ima.h"
#include "ima_cvm.h"
#include "ima_tpm.h"

#define AUDIT_CAUSE_LEN_MAX 32

@@ -136,19 +137,6 @@ unsigned long ima_get_binary_runtime_size(void)
		return binary_runtime_size + sizeof(struct ima_kexec_hdr);
}

static int ima_pcr_extend(struct tpm_digest *digests_arg, int pcr)
{
	int result = 0;

	if (!ima_tpm_chip)
		return result;

	result = tpm_pcr_extend(ima_tpm_chip, pcr, digests_arg);
	if (result != 0)
		pr_err("Error Communicating to TPM chip, result: %d\n", result);
	return result;
}

/*
 * Add template entry to the measurement list and hash table, and
 * extend the pcr.
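Review bot: ima_queue.c now includes ima_tpm.h unconditionally while the Makefile builds ima_tpm.o only when CONFIG_TCG_TPM is set, so whatever replaces the ima_pcr_extend() call (outside this hunk) needs a fallback for TPM-less kernels — before this patch the linux/tpm.h stub for tpm_pcr_extend() plus the `!ima_tpm_chip` early return let such configs link and run in TPM-bypass mode. Unless ima_tpm.h carries a `static inline int ima_tpm_extend(...) { return 0; }` style stub under `#else` that returns the same 0 the removed helper returned without a chip, a TCG_TPM=n build would presumably fail to link. The moved helper should also keep returning the non-zero tpm_pcr_extend() result, since the caller documented above as "extend the pcr" appears to rely on that to report a failed extension. The enclosing caller is outside this hunk.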
+9 −0
@@ -14,6 +14,7 @@
#include <linux/gfp_types.h>

#include "ima.h"
#include "ima_tpm.h"

static const char *name_rot_prefered;

@@ -24,6 +25,14 @@ static const char *name_rot_prefered;
 * IOW, RoT device that owns higher priority should be placed at the front.
 */
static struct ima_rot ima_rots[] = {
#ifdef CONFIG_TCG_TPM
	{
		.name = "tpm",
		.init = ima_tpm_init,
		.extend = ima_tpm_extend,
		.calc_boot_aggregate = ima_tpm_calc_boot_aggregate,
	},
#endif
};

static int __init ima_rot_name(char *str)
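Review bot: `ima_rots[]` is a writable table of function pointers that chooses the root of trust, and as far as this hunk shows it is only ever read; declaring it `static const struct ima_rot ima_rots[]` (or `__ro_after_init` if `.init` must fill in fields, and with `ima_rot_inst` made `const struct ima_rot *` accordingly) stops a kernel write primitive from redirecting `.extend` or `.calc_boot_aggregate` to attacker code. With CONFIG_TCG_TPM unset the initializer is empty and the array has zero length, which is fine for an `ARRAY_SIZE()` walk but would read past the end in any code that treats `ima_rots[0]` as the default backend; a comment above the table such as `/* May be empty when no RoT backend is configured; never index without a size check. */` would make that contract explicit. The selection code that consumes the table is outside this hunk.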