On Fri, 2014-02-28 at 16:59 +0200, Dmitry Kasatkin wrote: 
> This patch replaces the hmac version configuration parameter
> with an attribute list. It allows building kernels which work with
> previously labeled filesystems.
> 
> The currently supported attribute is 'fsuuid', which is equivalent to
> the former version 2.
> 
> Signed-off-by: Dmitry Kasatkin <d.kasat...@samsung.com>

Please include the new boot command line option in
Documentation/kernel-parameters.txt.

Mimi

> ---
>  security/integrity/evm/Kconfig      | 19 ++++++++++---------
>  security/integrity/evm/evm.h        |  4 +++-
>  security/integrity/evm/evm_crypto.c |  2 +-
>  security/integrity/evm/evm_main.c   | 21 ++++++++++++++++++++-
>  4 files changed, 34 insertions(+), 12 deletions(-)
> 
> diff --git a/security/integrity/evm/Kconfig b/security/integrity/evm/Kconfig
> index d35b491..2be51fa 100644
> --- a/security/integrity/evm/Kconfig
> +++ b/security/integrity/evm/Kconfig
> @@ -12,15 +12,16 @@ config EVM
> 
>         If you are unsure how to answer this question, answer N.
> 
> -config EVM_HMAC_VERSION
> -     int "EVM HMAC version"
> -     depends on EVM
> -     default 2
> -     help
> -       This options adds EVM HMAC version support.
> -       1 - original version
> -       2 - add per filesystem unique identifier (UUID) (default)
> +config EVM_HMAC_ATTRS
> +     string "HMAC attributes"
> +     default "fsuuid"
> +     help
> +       This options allows to specify list of optional attributes included 
> into HMAC
> +       calculation. It makes it possible easily upgrade to newer kernels.
> +      
> +       Default value is 'fsuuid', which is former version 2.
> +       if blank, it is equivalent of version 1
> 
>         WARNING: changing the HMAC calculation method or adding 
>         additional info to the calculation, requires existing EVM
> -       labeled file systems to be relabeled.  
> +       labeled file systems to be relabeled.
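Review bot: The replacement option `EVM_HMAC_ATTRS` drops the `depends on EVM` line that `EVM_HMAC_VERSION` carried, so unless the option sits inside an `if EVM` block that this hunk does not show, it will be offered even when EVM is disabled; add `depends on EVM` back after the `string "HMAC attributes"` line. The help text also needs tidying before it lands: `This options allows to specify list of optional attributes included into HMAC calculation. It makes it possible easily upgrade to newer kernels.` reads better as `This option specifies the list of optional attributes included in the HMAC calculation, so a newer kernel can be built to match an existing labeled filesystem.` The help line split across `included` / `into HMAC` looks like mail-client wrapping rather than the patch itself, but it is worth confirming the patch applies as sent.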
> diff --git a/security/integrity/evm/evm.h b/security/integrity/evm/evm.h
> index 37c88dd..c8fa0aa 100644
> --- a/security/integrity/evm/evm.h
> +++ b/security/integrity/evm/evm.h
> @@ -24,11 +24,13 @@
>  extern int evm_initialized;
>  extern char *evm_hmac;
>  extern char *evm_hash;
> -extern int evm_hmac_version;
> +extern int evm_hmac_attrs;
> 
>  extern struct crypto_shash *hmac_tfm;
>  extern struct crypto_shash *hash_tfm;
> 
> +#define EVM_HMAC_ATTR_FSUUID         0x0001
> +
>  /* List of EVM protected security xattrs */
>  extern char *evm_config_xattrnames[];
> 
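Review bot: `EVM_HMAC_ATTR_FSUUID` is added without a comment saying what the bit means, and `evm_hmac_attrs` now holds a bitmask rather than a version number, which neither its name nor the bare `extern int` conveys. Add `/* bit mask of optional items mixed into the HMAC; built by evm_init_config() */` above the extern and `/* include the per-filesystem UUID (i_sb->s_uuid); former "HMAC version 2" */` on the define, so that whoever adds the next attribute does not have to reverse-engineer the scheme from evm_crypto.c.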
> diff --git a/security/integrity/evm/evm_crypto.c 
> b/security/integrity/evm/evm_crypto.c
> index babd862..ab034e5 100644
> --- a/security/integrity/evm/evm_crypto.c
> +++ b/security/integrity/evm/evm_crypto.c
> @@ -112,7 +112,7 @@ static void hmac_add_misc(struct shash_desc *desc, struct 
> inode *inode,
>       hmac_misc.gid = from_kgid(&init_user_ns, inode->i_gid);
>       hmac_misc.mode = inode->i_mode;
>       crypto_shash_update(desc, (const u8 *)&hmac_misc, sizeof(hmac_misc));
> -     if (evm_hmac_version > 1)
> +     if (evm_hmac_attrs & EVM_HMAC_ATTR_FSUUID)
>               crypto_shash_update(desc, inode->i_sb->s_uuid,
>                                   sizeof(inode->i_sb->s_uuid));
>       crypto_shash_final(desc, digest);
> diff --git a/security/integrity/evm/evm_main.c 
> b/security/integrity/evm/evm_main.c
> index 996092f..9c05929 100644
> --- a/security/integrity/evm/evm_main.c
> +++ b/security/integrity/evm/evm_main.c
> @@ -32,7 +32,7 @@ static char *integrity_status_msg[] = {
>  };
>  char *evm_hmac = "hmac(sha1)";
>  char *evm_hash = "sha1";
> -int evm_hmac_version = CONFIG_EVM_HMAC_VERSION;
> +int evm_hmac_attrs;
> 
>  char *evm_config_xattrnames[] = {
>  #ifdef CONFIG_SECURITY_SELINUX
> @@ -57,6 +57,19 @@ static int __init evm_set_fixmode(char *str)
>  }
>  __setup("evm=", evm_set_fixmode);
> 
> +static int __init evm_init_config(void)
> +{
> +     char *attrs = CONFIG_EVM_HMAC_ATTRS;
> +     char *p;
> +
> +     while ((p = strsep(&attrs, ", \t"))) {
> +             if (!strcmp(p, "fsuuid"))
> +                     evm_hmac_attrs |= EVM_HMAC_ATTR_FSUUID;
> +     }
> +     pr_info("HMAC attrs: 0x%x\n", evm_hmac_attrs);
> +     return 0;
> +}
> +
>  static int evm_find_protected_xattrs(struct dentry *dentry)
>  {
>       struct inode *inode = dentry->d_inode;
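Review bot: `strsep()` writes a NUL over each separator it finds, but `attrs` points straight at the `CONFIG_EVM_HMAC_ATTRS` string literal; with the default `"fsuuid"` no separator exists so nothing is written, but any list containing a comma or space would modify a string literal, which is undefined behaviour and a write to read-only data where that is enforced. Copy the literal into a writable local array before parsing. Unknown attribute names are also silently ignored, so a typo in the config string quietly yields a kernel whose HMAC omits the UUID and fails to verify existing version-2 labels; returning -EINVAL makes the `error < 0` branch the caller adds in init_evm reachable. Empty tokens from consecutive separators should be skipped rather than compared.
```c
static int __init evm_init_config(void)
{
	/* strsep() modifies its argument, so parse a writable copy of the literal */
	char attrs_buf[] = CONFIG_EVM_HMAC_ATTRS;
	char *attrs = attrs_buf;
	char *p;

	while ((p = strsep(&attrs, ", \t"))) {
		if (!*p)
			continue;	/* consecutive separators */
		if (!strcmp(p, "fsuuid")) {
			evm_hmac_attrs |= EVM_HMAC_ATTR_FSUUID;
		} else {
			/* a misspelled attribute must not silently change the HMAC */
			pr_err("unknown HMAC attribute '%s'\n", p);
			return -EINVAL;
		}
	}
	pr_info("HMAC attrs: 0x%x\n", evm_hmac_attrs);
	return 0;
}
```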
> @@ -432,6 +445,12 @@ static int __init init_evm(void)
>  {
>       int error;
> 
> +     error = evm_init_config();
> +     if (error < 0) {
> +             pr_info("Error parsing config lists\n");
> +             goto err;
> +     }
> +
>       error = evm_init_secfs();
>       if (error < 0) {
>               pr_info("Error registering secfs\n");
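Review bot: The new `error < 0` branch after `evm_init_config()` is unreachable as posted, because that function always returns 0; it only earns its place once unknown attribute names make the parser fail. Running the parse first is the right ordering: `evm_hmac_attrs` now starts at zero instead of the old compile-time `CONFIG_EVM_HMAC_VERSION`, so any HMAC computed before this call would silently use the version-1 (no UUID) layout — presumably `evm_initialized` gates that, but a comment `/* must run before any HMAC is computed: evm_hmac_attrs starts at 0 */` above the call would record the dependency. init_evm continues past the end of this hunk.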

