This is the 3rd of 4 patches that constitute the IBM Integrity
Measurement Architecture (IMA). This patch includes the main IMA
functionality as a Linux Security Module.
This patch applies to the clean 2.6.12-rc4 test kernel.
Signed-off-by: Reiner Sailer <sailer@private>
---
diff -uprN linux-2.6.12-rc4/security/ima/ima.h linux-2.6.12-rc4-ima/security/ima/ima.h
--- linux-2.6.12-rc4/security/ima/ima.h 1969-12-31 19:00:00.000000000 -0500
+++ linux-2.6.12-rc4-ima/security/ima/ima.h 2005-05-19 17:59:20.000000000 -0400
@@ -0,0 +1,227 @@
+/*
+ * Copyright (C) 2005 IBM Corporation
+ *
+ * Authors:
+ * Reiner Sailer <sailer@private>
+ *
+ * Maintained by: TBD
+ *
+ * LSM IBM Integrity Measurement Architecture.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2 of the
+ * License.
+ *
+ * File: ima.h
+ * defs
+ */
+#ifndef __LINUX_IMA_H
+#define __LINUX_IMA_H
+
+#include <linux/types.h>
+#include <linux/fs.h>
+#include <linux/security.h>
+
+#define ima_printk(level, format, arg...) \
+ printk(level "ima (%s): " format ,__func__, ## arg)
+
+#define ima_error(format, arg...) \
+ ima_printk(KERN_ERR, format, ## arg)
+
+#define ima_info(format, arg...) \
+ ima_printk(KERN_INFO, format, ## arg)
+
+/* set during registering as lsm */
+extern unsigned char ima_terminating;
+
+#define IMA_MEASURE_MODULE_NAME "IMA"
+#define IMA_MEASURE_PROC_NAME "ima"
+
+/* file systems we expect to change without
+ * our inode_permission hook being called (nfs, remote fs) */
+#define NFS_SUPER_MAGIC 0x6969
+
+/* file systems we won't measure
+ (invalidate TPM PCR when executing one of these) */
+#define DEVFS_SUPER_MAGIC 0x1373
+#define PROC_SUPER_MAGIC 0x9fa0
+#define SYSFS_MAGIC 0x62656572
+
+/*
+ * request structure fd: file descriptor
+ * label: sec label defined in user space or in kernel
+ * flags: store the hook that initiated measurement and more
+ */
+#define FLAG_HOOK_MASK 0x0f
+#define MMAP_MEASURE_FLAG 0x01
+#define MODULE_MEASURE_FLAG 0x02
+#define USER_MEASURE_FLAG 0x04
+struct measure_request {
+ int fd;
+ unsigned short label;
+ unsigned long flags;
+};
+
+#define MEASURE_HTABLE_SIZE 512
+/* key = lowest two bytes of inode_number */
+#define HASH_KEY(inode_number) ((inode_number) % MEASURE_HTABLE_SIZE)
+#define SHA_KEY(sha_value) (((sha_value)[18] << 8 | (sha_value)[19]) % MEASURE_HTABLE_SIZE)
+typedef enum { CLEAN, DIRTY, CHANGED } ima_entry_flags;
+
+/* security structure appended to inodes */
+#define IMA_MAGIC 0x9999
+struct ima_inode {
+ unsigned short magic;
+ atomic_t measure_count; /* # processes currently using this file in measure-mode */
+ ima_entry_flags dirty;
+ char *file_name; /* points to measure entry->fileName */
+};
+
+/* security structure appended to measured files*/
+struct ima_file {
+ unsigned short magic; /* identify our struct format */
+ char is_measuring; /* identify fds that are "measuring" */
+};
+
+/* get/store security state information;
+ * if stacking were to be implemented, this would be the place */
+#define ima_get_inode_security(inode) \
+ ((struct ima_inode *) ((inode)->i_security))
+
+#define ima_store_inode_security(inode,sec_struct) \
+ ((inode)->i_security = (sec_struct))
+
+#define ima_get_file_security(file) \
+ ((struct ima_file *) ((file)->f_security))
+
+#define ima_store_file_security(file, sec_struct) \
+ ((file)->f_security = (sec_struct))
+
+#define ENTRY_MAXFILENAME 50
+struct measure_entry {
+ struct measure_request mr; /* keep info from measure request if applies */
+ unsigned long inodeNr;
+ dev_t devId;
+ ima_entry_flags dirty;
+ u8 digest[20]; /* sha1 measurement hash */
+ char fileName[51]; /* max first 50 characters of name + \0 */
+ unsigned long fsMagic; /* file system magic (distinuish local/remote files) */
+ struct super_block *superBlock; /* super block link (for umount-dirty flagging) */
+};
+
+struct sha_entry {
+ struct sha_entry *next;
+ u8 *digest;
+ struct measure_entry *m_entry;
+};
+
+struct queue_entry {
+ struct queue_entry *next;
+ struct queue_entry *later;
+ struct measure_entry *entry;
+};
+
+extern struct queue_entry *first_measurement; /* for printing */
+extern struct queue_entry *latest_measurement; /* for adding */
+
+/* hash table to keep fast access to past measurements
+ * uses one global lock for now (read/write) */
+extern struct semaphore h_table_mutex;
+
+struct h_table {
+ atomic_t len;
+ atomic_t sysfs;
+ atomic_t cleanInodeHits; /* times we find an inode clean when measuring */
+ atomic_t cleanTableHits; /* times we find a clean htable hit */
+ atomic_t dirtyTableHits; /* times we find a dirty htable hit */
+ atomic_t changedFiles; /* times we realize a dirty marked entry really changed */
+ unsigned int max_htable_size;
+ u8 terminating;
+ struct queue_entry *queue[MEASURE_HTABLE_SIZE];
+ atomic_t queueLen[MEASURE_HTABLE_SIZE];
+ spinlock_t lock;
+};
+
+struct sha_table {
+ atomic_t len;
+ unsigned int max_htable_size;
+ u8 terminating;
+ struct sha_entry *queue[MEASURE_HTABLE_SIZE];
+ atomic_t queueLen[MEASURE_HTABLE_SIZE];
+ spinlock_t lock;
+};
+
+/* configuration options*/
+extern int ima_test_mode;
+extern int skip_boot_aggregate;
+extern int ram_bypass_protection;
+extern int hd_sd_bypass_protection;
+extern int kmem_bypass_protection;
+extern int mem_bypass_protection;
+
+static inline void read_configs(void)
+{
+#ifdef CONFIG_IMA_TEST_MODE
+ ima_test_mode = 1;
+#else
+ ima_test_mode = 0;
+#endif
+
+#ifdef CONFIG_IMA_SKIP_BOOT_AGGREGATE
+ skip_boot_aggregate = 1;
+#else
+ skip_boot_aggregate = 0;
+#endif
+
+#ifdef CONFIG_IMA_RAM_BYPASS_PROTECTION
+ ram_bypass_protection = 1;
+#else
+ ram_bypass_protection = 0;
+#endif
+
+#ifdef CONFIG_IMA_HD_SD_BYPASS_PROTECTION
+ hd_sd_bypass_protection = 1;
+#else
+ hd_sd_bypass_protection = 0;
+#endif
+
+#ifdef CONFIG_IMA_KMEM_BYPASS_PROTECTION
+ kmem_bypass_protection = 1;
+#else
+ kmem_bypass_protection = 0;
+#endif
+
+#ifdef CONFIG_IMA_MEM_BYPASS_PROTECTION
+ mem_bypass_protection = 1;
+#else
+ mem_bypass_protection = 0;
+#endif
+}
+
+#ifdef CONFIG_TCG_TPM
+struct tpm_chip;
+
+extern ssize_t tpm_transmit(struct tpm_chip *chip, const char *buf, size_t bufsiz);
+
+extern struct tpm_chip *tpm_chip_lookup(int chip_num);
+#else
+struct tpm_chip {
+ char dummy;
+};
+
+static inline ssize_t tpm_transmit(struct tpm_chip *chip, const char *buf, size_t bufsiz)
+{
+ return 0;
+}
+
+static inline struct tpm_chip *tpm_chip_lookup(int chip_num)
+{
+ return NULL;
+}
+#endif
+
+/* general prototypes */
+void invalidate_pcr(char *);
+
+#endif
diff -uprN linux-2.6.12-rc4/security/ima/ima_init.c linux-2.6.12-rc4-ima/security/ima/ima_init.c
--- linux-2.6.12-rc4/security/ima/ima_init.c 1969-12-31 19:00:00.000000000 -0500
+++ linux-2.6.12-rc4-ima/security/ima/ima_init.c 2005-05-19 17:59:20.000000000 -0400
@@ -0,0 +1,161 @@
+/*
+ * Copyright (C) 2005 IBM Corporation
+ *
+ * Authors:
+ * Reiner Sailer <sailer@private>
+ *
+ * Contributions:
+ * Leendert van Doorn <leendert@private>
+ *
+ * Maintained by: TBD
+ *
+ * LSM IBM Integrity Measurement Architecture.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2 of the
+ * License.
+ *
+ * File: ima_init.c
+ * init functions to start up IBM IMA as LSM
+ */
+#include <linux/module.h>
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/linkage.h>
+#include <linux/time.h>
+#include <linux/types.h>
+#include <linux/fcntl.h>
+#include <asm/uaccess.h>
+#include <linux/file.h>
+#include <linux/slab.h>
+#include <linux/errno.h>
+#include <linux/crypto.h>
+#include <linux/fs.h>
+#include <linux/init.h>
+#include "ima.h"
+
+/* These identify the driver base version and may not be removed. */
+static const char version[] = "v2.0 05/18/2005";
+static const char illegal_pcr[20] = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
+
+/* configuration parameters */
+int ima_test_mode;
+int skip_boot_aggregate;
+int ram_bypass_protection;
+int hd_sd_bypass_protection;
+int kmem_bypass_protection;
+int mem_bypass_protection;
+
+void create_htable(void);
+void destroy_htable(void);
+void create_sha_htable(void);
+void ima_proc_init(void);
+void ima_sysfs_init(void);
+void ima_sysfs_remove(void);
+void ima_add_boot_aggregate(void);
+void ima_lsm_init(void);
+void tpm_extend(int index, const u8 * digest);
+
+int ima_enabled = 0;
+struct tpm_chip *ima_used_chip;
+
+static int __init ima_enabled_setup(char *str)
+{
+ ima_enabled = simple_strtol(str, NULL, 0);
+ return 1;
+}
+
+__setup("ima=", ima_enabled_setup);
+
+
+/* general invalidation function called by the measurement code */
+void invalidate_pcr(char *cause)
+{
+ /* extend pcr with illegal digest (no digest yields 0) */
+ /* extending twice is obviously flagging the exception condition... */
+ ima_error("INVALIDATING PCR AGGREGATE. Cause=%s.\n", cause);
+ tpm_extend(CONFIG_IMA_MEASURE_PCR_IDX, illegal_pcr);
+ tpm_extend(CONFIG_IMA_MEASURE_PCR_IDX, illegal_pcr);
+ /* now indicate that we invalidated pcr in another pcr (not mandatory) */
+ tpm_extend(CONFIG_IMA_MEASURE_INVALIDATE_INDICATION_IDX, illegal_pcr);
+}
+
+static int __init measure_init(void)
+{
+ struct crypto_tfm *tfm;
+ struct security_operations null_ops;
+
+ printk(KERN_INFO "IBM Integrity Measurement Architecture (IBM IMA %s).\n",
+ version);
+ read_configs();
+
+ /* check pre-conditions and dependencies */
+ if (!ima_test_mode) {
+ ima_enabled = 1; /* unconditionally */
+ } else {
+ if (!ima_enabled) {
+ printk(KERN_INFO " IMA (not enabled in kernel command line) aborting!\n");
+ return 0;
+ }
+ printk(KERN_INFO " IMA (test mode)\n");
+ }
+ ima_used_chip = tpm_chip_lookup(0);
+ if (ima_used_chip == NULL) {
+ if (ima_test_mode) {
+ printk(KERN_INFO " IMA (TPM/BYPASS - no TPM chip found)\n");
+ } else {
+ /* no way to invalidate pcr and inform remote party */
+ panic("IMA: TPM/no support and IMA not in test mode!\n");
+ }
+ }
+ if ((tfm = crypto_alloc_tfm("sha1", 0)) == NULL) {
+ if (ima_test_mode) {
+ printk(KERN_INFO " IMA (SHA-1/no support) aborting!\n");
+ ima_enabled = 0;
+ return -EFAULT;
+ } else {
+ invalidate_pcr("No SHA1 support in real mode!");
+ }
+ } else {
+ crypto_free_tfm(tfm);
+ }
+ /* check for LSM availability */
+ memset(&null_ops, 0, sizeof(struct security_operations));
+ if (!register_security(&null_ops)) {
+ unregister_security(&null_ops);
+ } else {
+ if (ima_test_mode) {
+ ima_enabled = 0;
+ printk(KERN_INFO " IMA (LSM/not free) aborting!\n");
+ return -EFAULT;
+ } else {
+ invalidate_pcr("LSM/not free in real mode!\n");
+ }
+ }
+ create_htable(); /* for measurements */
+ create_sha_htable();
+ /* boot aggregate must be very first entry */
+ if (!skip_boot_aggregate)
+ ima_add_boot_aggregate();
+ ima_lsm_init();
+ ima_sysfs_init();
+ ima_proc_init();
+ return 0;
+}
+
+static void __exit measure_exit(void)
+{
+ if (!ima_enabled)
+ return;
+ ima_sysfs_remove();
+}
+
+__initcall(measure_init);
+__exitcall(measure_exit);
+
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Reiner Sailer <sailer@private>");
+MODULE_DESCRIPTION
+ ("Run-time LSM-based IBM Integrity Measurement Architecture");
diff -uprN linux-2.6.12-rc4/security/ima/ima_lsmhooks.c linux-2.6.12-rc4-ima/security/ima/ima_lsmhooks.c
--- linux-2.6.12-rc4/security/ima/ima_lsmhooks.c 1969-12-31 19:00:00.000000000 -0500
+++ linux-2.6.12-rc4-ima/security/ima/ima_lsmhooks.c 2005-05-19 17:59:20.000000000 -0400
@@ -0,0 +1,242 @@
+/*
+ * Copyright (C) 2005 IBM Corporation
+ *
+ * Authors:
+ * Reiner Sailer <sailer@private>
+ *
+ * Maintained by: TBD
+ *
+ * LSM IBM Integrity Measurement Architecture.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2 of the
+ * License.
+ *
+ * File: ima_lsmhooks.c
+ * implements Linux Security Modules hooks that call into
+ * into the measurement functions
+ */
+#include <linux/config.h>
+#include <linux/module.h>
+#include <linux/init.h>
+#include <linux/kernel.h>
+#include <asm/mman.h>
+#include <linux/fs.h>
+#include <linux/mount.h>
+#include <linux/namei.h>
+#include "ima.h"
+
+#define MEMORY_MAJOR 1
+#define RAMDISK_MAJOR 1
+#define HD_MAJOR 3
+#define SD_MAJOR 8
+#define MEM_MINOR 1
+#define KMEM_MINOR 2
+
+/* if set, then hooks do nothing
+ * (controls non-lsm module hook as well) */
+unsigned char ima_terminating = 1;
+
+/* keeps track of calls to mmap_measure */
+atomic_t global_count_mmap_measure;
+
+int measure_file_exec(struct file *, const struct measure_request *);
+int measure_dirty_flag_inode(struct inode *);
+int measure_dirty_flag_super(struct super_block *);
+
+/* measure files mmapped with exec permission */
+int ima_file_mmap(struct file *file, unsigned long reqprot, unsigned long prot, unsigned long flags)
+{
+ static struct measure_request mr = {
+ .fd = 0, .label = 0,
+ .flags = MMAP_MEASURE_FLAG
+ };
+
+ if (ima_terminating)
+ return 0;
+
+ /* filter interesting calls that actually map files executable */
+ if (!(reqprot & PROT_EXEC) || !file || !file->f_op)
+ return 0;
+
+ /* now check protection */
+ if (reqprot & MAP_SHARED & PROT_EXEC & PROT_WRITE) {
+ ima_error("MMAP protection flag error!!!\n");
+ invalidate_pcr("MMAP protection flag violation!");
+ }
+ atomic_inc(&global_count_mmap_measure);
+ measure_file_exec(file, &mr);
+ /* IMA is non-intrusive, so we always map */
+ return 0;
+}
+
+/* dirty flags on access with MAY_WRITE|MAY_APPEND */
+int ima_inode_permission(struct inode *inode, int mask, struct nameidata *nd)
+{
+ struct ima_inode *i_security = NULL;
+ unsigned int major, minor;
+
+ if (ima_terminating)
+ return 0;
+
+ /* filter interesting permissions for dirty-flagging */
+ if (!(mask & (MAY_WRITE | MAY_APPEND)) || !inode)
+ return 0;
+
+ major = imajor(inode);
+ minor = iminor(inode);
+ /* check for write/append on /dev/kmem, major=1,minor=2 */
+ if ((major == MEMORY_MAJOR) && S_ISCHR(inode->i_mode)) {
+ if (kmem_bypass_protection && (minor == KMEM_MINOR)) {
+ invalidate_pcr("/dev/kmem write violation");
+ /* if needed, get cmdline as done in /fs/proc/base.c */
+ }
+ /* X uses it all over the place ... */
+ if (mem_bypass_protection && (minor == MEM_MINOR)) {
+ invalidate_pcr("/dev/mmem write violation");
+ }
+ } else if (ram_bypass_protection && (major == RAMDISK_MAJOR)
+ && S_ISBLK(inode->i_mode)) {
+ invalidate_pcr("/dev/ram write violation");
+ } else if (hd_sd_bypass_protection && (major == HD_MAJOR)
+ && S_ISBLK(inode->i_mode)) {
+ invalidate_pcr("/dev/hdx write violation");
+ } else if (hd_sd_bypass_protection && (major == SD_MAJOR)
+ && S_ISBLK(inode->i_mode)) {
+ invalidate_pcr("/dev/sdx write violation");
+ }
+ /* else dirty-flag file if measurement bit set in inode-extension */
+ i_security = ima_get_inode_security(inode);
+ /* now check whether this is a file that is currently measured */
+ if (i_security == NULL)
+ goto out;
+ if (i_security->magic != IMA_MAGIC) {
+ invalidate_pcr("IILLEGAL IMA INODE magic found.\n");
+ return 0;
+ }
+ if (!i_security->file_name) {
+ /* no file name; don't dirty flag */
+ return 0;
+ }
+ if (atomic_read(&(i_security->measure_count))) {
+ /* write permission on measured file was granted!
+ * should never occur to file_mmap-ed files but
+ * only to instrumented measures from user space */
+ ima_error("ToMToU VIOLATION on file=%s!\n",
+ i_security->file_name ?
+ i_security->file_name : "NONAME");
+ invalidate_pcr("ToMToU violation");
+ }
+ out:
+ /* dirty-flag flag in inode and htable */
+ measure_dirty_flag_inode(inode);
+ return 0;
+}
+
+/* dirty flag files on an umounted file system */
+int ima_sb_umount(struct vfsmount *mnt, int flags)
+{
+ if (ima_terminating)
+ return 0;
+
+ measure_dirty_flag_super(mnt->mnt_sb);
+ return 0;
+}
+
+/* free security structure if applies */
+static void ima_inode_free_security(struct inode *inode)
+{
+ struct ima_inode *i_security;
+
+ if (ima_terminating)
+ return;
+
+ i_security = ima_get_inode_security(inode);
+ if (i_security) {
+ if (i_security->magic != IMA_MAGIC) {
+ ima_error("ILLEGAL IMA INODE magic=%x in ima_inode_free_security.\n",
+ i_security->magic);
+ return;
+ }
+ kfree(i_security);
+ ima_store_inode_security(inode, NULL);
+ }
+ return;
+}
+
+static void ima_file_free_security(struct file *file)
+{
+ struct ima_file *f_security;
+ struct ima_inode *i_security = NULL;
+
+ if (ima_terminating)
+ return;
+
+ f_security = ima_get_file_security(file);
+ /* decrease measure count if file is measured */
+ if (f_security == NULL)
+ return;
+ if (f_security->magic != IMA_MAGIC) {
+ ima_error("ILLEGAL IMA FILE magic=%x in ima_file_free_security.\n",
+ f_security->magic);
+ return;
+ }
+ i_security = ima_get_inode_security(file->f_dentry->d_inode);
+ if (i_security) {
+ if (f_security->is_measuring) {
+ atomic_dec(&(i_security->measure_count));
+ }
+ }
+ kfree(f_security);
+ ima_store_file_security(file, NULL);
+ return;
+}
+
+/* module stacking operations */
+int ima_register_security(const char *name, struct security_operations *ops)
+{
+ /* no stacking */
+ return -EFAULT;
+}
+
+int ima_unregister_security(const char *name, struct security_operations *ops)
+{
+ /* no stacking */
+ return -EFAULT;
+}
+
+struct security_operations ima_ops;
+
+/* IMA requires early initialization in order measure
+ all executables etc from the very beginning. */
+void ima_lsm_init(void)
+{
+ atomic_set(&global_count_mmap_measure, 0);
+
+ /* prepare ima_ops struct */
+ memset(&ima_ops, 0, sizeof(struct security_operations));
+ /* set the few non-null elements */
+ ima_ops.file_mmap = ima_file_mmap;
+ ima_ops.file_free_security = ima_file_free_security;
+ ima_ops.inode_permission = ima_inode_permission;
+ ima_ops.inode_free_security = ima_inode_free_security;
+ ima_ops.sb_umount = ima_sb_umount;
+ ima_ops.register_security = ima_register_security;
+ ima_ops.unregister_security = ima_unregister_security;
+ /* rest will be taken care of by registration (fixup) */
+ if (register_security(&ima_ops)) {
+ invalidate_pcr("IMA: Unable to register with kernel.\n");
+ return;
+ }
+ /* lsm callback and module hooks become hot now ... */
+ ima_terminating = 0;
+}
+
+void ima_remove(void)
+{
+ ima_terminating = 1;
+ /* now unregister the security module */
+ unregister_security(&ima_ops);
+}
+
diff -uprN linux-2.6.12-rc4/security/ima/ima_main.c linux-2.6.12-rc4-ima/security/ima/ima_main.c
--- linux-2.6.12-rc4/security/ima/ima_main.c 1969-12-31 19:00:00.000000000 -0500
+++ linux-2.6.12-rc4-ima/security/ima/ima_main.c 2005-05-19 17:59:20.000000000 -0400
@@ -0,0 +1,596 @@
+/*
+ * Copyright (C) 2005 IBM Corporation
+ *
+ * Authors:
+ * Reiner Sailer <sailer@private>
+ *
+ * Maintained by: TBD
+ *
+ * LSM IBM Integrity Measurement Architecture.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2 of the
+ * License.
+ *
+ * File: ima_main.c
+ * implements run-time measurements
+ */
+#include <linux/init.h>
+#include <linux/module.h>
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/linkage.h>
+#include <linux/time.h>
+#include <linux/types.h>
+#include <linux/fcntl.h>
+#include <asm/uaccess.h>
+#include <asm/atomic.h>
+#include <linux/file.h>
+#include <linux/slab.h>
+#include <linux/crypto.h>
+#include <linux/stat.h>
+#include "ima.h"
+
+/* name for boot aggregate entry */
+char *boot_aggregate_name = "boot_aggregate";
+
+extern struct h_table htable;
+extern struct sha_table sha_htable;
+
+struct sha_entry *ima_lookup_sha_entry(u8 * sha_value);
+struct measure_entry *ima_lookup_measure_entry(unsigned long, dev_t);
+int ima_add_measure_entry(struct measure_entry *);
+int measure_dirty_flag_inode(struct inode *);
+extern struct tpm_chip *ima_used_chip;
+void tpm_extend(int index, const u8 * digest);
+void tpm_pcrread(int index, u8 * hash);
+
+static inline void *crypto_tfm_ctx(struct crypto_tfm *tfm)
+{
+ return (void *) &tfm[1];
+}
+
+void ima_add_boot_aggregate(void)
+{
+ /* cumulative sha1 the first 8 tpm registers */
+ struct measure_entry *entry;
+ size_t count;
+
+ /* create new entry for boot aggregate */
+ entry = (struct measure_entry *)
+ kmalloc(sizeof(struct measure_entry), GFP_KERNEL);
+ if (entry == NULL) {
+ invalidate_pcr("error allocating new measurement entry");
+ return;
+ }
+ entry->inodeNr = 0; /* 0,0 are special (no files) */
+ entry->devId = 0;
+ entry->fsMagic = 0;
+ entry->dirty = DIRTY;
+ entry->superBlock = NULL;
+ memset(entry->digest, 0, 20);
+ if ((count = strlen(boot_aggregate_name)) > ENTRY_MAXFILENAME)
+ count = ENTRY_MAXFILENAME;
+ memcpy(entry->fileName, boot_aggregate_name, count);
+ entry->fileName[count] = '\0'; /* ez-print */
+ if (ima_used_chip != NULL) {
+ int i;
+ u8 pcr_i[20];
+ struct crypto_tfm *tfm;
+
+ tfm = crypto_alloc_tfm("sha1", 0);
+ if (tfm == NULL) {
+ ima_error("Digest init failed ERROR.\n");
+ return;
+ }
+ crypto_digest_init(tfm);
+
+ for (i = 0; i < 8; i++) {
+ tpm_pcrread(i, pcr_i);
+ /* now accumulate with current aggregate */
+ tfm->__crt_alg->cra_digest.
+ dia_update(crypto_tfm_ctx(tfm), pcr_i, 20);
+ }
+ crypto_digest_final(tfm, entry->digest);
+ crypto_free_tfm(tfm);
+ } else
+ memset(entry->digest, 0xff, 20);
+
+ /* now add measurement; if TPM bypassed, we have a 0..0 entry */
+ if (ima_add_measure_entry(entry) < 0) {
+ kfree(entry);
+ invalidate_pcr("error adding boot aggregate");
+ } else { /* extend PCR */
+ tpm_extend(CONFIG_IMA_MEASURE_PCR_IDX, entry->digest);
+ }
+}
+
+/*
+ * Returns the dirty flag setting for an inode
+ * (nfs, windows fs, etc. since we don't control changes)
+ */
+static inline ima_entry_flags get_default_dirty_setting(struct inode *inode)
+{
+ switch (inode->i_sb->s_magic) {
+ case NFS_SUPER_MAGIC:
+ return DIRTY; /* dirty */
+ break;
+ default: /* local fs etc. */
+ return CLEAN; /* clean */
+ }
+}
+
+/* returns >0 if measurement can be skipped
+ * returns =0 if measurement must be done
+ */
+static int skip_measurement(struct file *file)
+{
+ /* what could we exclude
+ * - non-executable/non-library files ?
+ * - /proc /dev ?
+ */
+ struct inode *inode = file->f_dentry->d_inode;
+
+ if (!(file->f_op) || !(file->f_op->read))
+ return 1; /* no file to measure */
+ if ((inode->i_sb->s_magic == DEVFS_SUPER_MAGIC) ||
+ (inode->i_sb->s_magic == PROC_SUPER_MAGIC) ||
+ (inode->i_sb->s_magic == SYSFS_MAGIC)) {
+ invalidate_pcr("CANNOT measure fs type.\n");
+ return 1; /*can't measure */
+ }
+ if (S_ISLNK(inode->i_mode) ||
+ S_ISCHR(inode->i_mode) || S_ISBLK(inode->i_mode) ||
+ S_ISFIFO(inode->i_mode) || S_ISSOCK(inode->i_mode)) {
+ return 1; /* don't measure */
+ }
+ return 0; /* measure */
+}
+
+
+/*
+ * measures new file and
+ * adds it to measurement list
+ */
+static struct measure_entry *measure_file(struct file *file, struct dentry *dentry, struct inode *inode)
+{
+ struct ima_inode *i_security = NULL;
+ mm_segment_t oldfs;
+ int error = 0;
+ loff_t offset = 0;
+ size_t count;
+ struct crypto_tfm *tfm;
+ struct measure_entry *entry;
+
+ char *bufp = NULL;
+ /* create read buffer */
+ if ((bufp =
+ (char *) kmalloc(PAGE_SIZE, GFP_KERNEL)) == 0) {
+ ima_error("no memory for read buffer\n");
+ error = -ENOMEM;
+ goto out; /* invalidate pcr */
+ }
+ /* create new entry and measure */
+ entry = (struct measure_entry *)
+ kmalloc(sizeof(struct measure_entry), GFP_KERNEL);
+ if (entry == NULL) {
+ error = -ENOMEM;
+ ima_error("error allocating new measurement entry");
+ kfree(bufp);
+ goto out; /* invalidate pcr */
+ }
+ entry->inodeNr = inode->i_ino;
+ entry->devId = inode->i_rdev;
+ entry->fsMagic = inode->i_sb->s_magic;
+ entry->dirty = get_default_dirty_setting(inode);
+ entry->superBlock = inode->i_sb;
+ if ((count = dentry->d_name.len) > ENTRY_MAXFILENAME)
+ count = ENTRY_MAXFILENAME;
+ memcpy(entry->fileName, dentry->d_name.name, count);
+ entry->fileName[count] = '\0'; /* ez-print */
+ error = 0;
+ /* second add sha1 over file contents */
+ /* init context */
+ tfm = crypto_alloc_tfm("sha1", 0);
+ if (tfm == NULL) {
+ ima_error("Digest init failed ERROR.\n");
+ goto outm;
+ }
+ crypto_digest_init(tfm);
+
+ /* set fs so that kernel writes into kernel segment */
+ oldfs = get_fs();
+ set_fs(KERNEL_DS);
+ do {
+ if ((count =
+ (file->f_op->read) (file,
+ (char __user *) bufp,
+ PAGE_SIZE,
+ &offset)) < 0) {
+ error = count;
+ ima_error("Error reading from file (%d)\n", error);
+ goto outf;
+ }
+ /* update hash with this part */
+ tfm->__crt_alg->cra_digest.dia_update(crypto_tfm_ctx(tfm),
+ bufp, count);
+ } while (count);
+ set_fs(oldfs);
+
+ /* complete hash */
+ crypto_digest_final(tfm, entry->digest);
+ crypto_free_tfm(tfm);
+ /* before returning, replicate important information into inode->i_security */
+ i_security = ima_get_inode_security(inode);
+ if (i_security != NULL) {
+ /* update */
+ if (i_security->magic != IMA_MAGIC) {
+ invalidate_pcr("Illegal magic in i_security structure");
+ goto outm;
+ } else {
+ i_security->dirty = entry->dirty;
+ /* measure_count was increased in local_measure already */
+ i_security->file_name = (char *) (entry->fileName);
+ /* increase #procs measuring; dec on file-close */
+ }
+ } else
+ panic("IMA: never should we end up here! No security structure in measure!\n");
+
+ kfree(bufp);
+ return (entry);
+
+ /* error exits */
+ outf:
+ set_fs(oldfs);
+ outm:
+ kfree(entry);
+ kfree(bufp);
+ out:
+ /* invalidate TPM */
+ invalidate_pcr("error measuring file");
+ return (NULL);
+}
+
+/* measure memory */
+int do_measure_memory(void *start, unsigned long len, const struct measure_request *mr, char *name)
+{
+ struct crypto_tfm *tfm;
+ u8 mem_digest[20];
+ int error = 0;
+ struct measure_entry *entry;
+
+ /* init context */
+ tfm = crypto_alloc_tfm("sha1", 0);
+ if (tfm == NULL) {
+ invalidate_pcr("No SHA1 available");
+ return -EFAULT;
+ }
+ crypto_digest_init(tfm);
+ /* now measure the memory ... */
+ tfm->__crt_alg->cra_digest.dia_update(crypto_tfm_ctx(tfm), start,
+ len);
+ crypto_digest_final(tfm, mem_digest);
+ crypto_free_tfm(tfm);
+
+ down(&h_table_mutex);
+ if (!ima_lookup_sha_entry(mem_digest)) {
+ /* create new entry and measure */
+ entry = (struct measure_entry *)
+ kmalloc(sizeof(struct measure_entry), GFP_KERNEL);
+ if (entry == NULL) {
+ invalidate_pcr("OUT OF MEMORY");
+ error = -EFAULT;
+ goto out;
+ }
+ entry->inodeNr = 0; /* special entries, no file entries */
+ entry->devId = 0;
+ entry->fsMagic = 0;
+ entry->dirty = DIRTY;
+ entry->superBlock = NULL;
+ memcpy(entry->digest, mem_digest, 20);
+ strncpy(entry->fileName, name, ENTRY_MAXFILENAME); /* ez-print */
+ if (mr != NULL) {
+ memcpy(&(entry->mr), mr,
+ sizeof(struct measure_request));
+ } else {
+ memset(&(entry->mr), 0,
+ sizeof(struct measure_request));
+ }
+
+ if ((error = ima_add_measure_entry(entry)) < 0) {
+ kfree(entry);
+ invalidate_pcr
+ ("error adding new measurement entry");;
+ goto out;
+ } else { /* extend PCR */
+ tpm_extend(CONFIG_IMA_MEASURE_PCR_IDX, entry->digest);
+ }
+ } /* else we already have this hash value from an exec/file that was running earlier */
+ up(&h_table_mutex);
+ return 0;
+ out:
+ up(&h_table_mutex);
+ return -EFAULT;
+}
+
+static unsigned int find_mod_sec(Elf_Ehdr * hdr, Elf_Shdr * sechdrs, const char *secstrings, const char *name)
+{
+ unsigned int i;
+ for (i = 1; i < hdr->e_shnum; i++)
+ /* Alloc bit cleared means "here is nothing to look for (ignore)" */
+ if ((sechdrs[i].sh_flags & SHF_ALLOC)
+ && strcmp(secstrings + sechdrs[i].sh_name, name) == 0)
+ return i;
+ return 0;
+}
+
+/* Measure kernel modules in-memory before relocation */
+void measure_kernel_module(void *start, unsigned long len, const char __user * uargs)
+{
+ Elf_Ehdr *hdr;
+ Elf_Shdr *sechdrs;
+ struct module *mod;
+ unsigned int modindex;
+ char *args, *secstrings;
+ long arglen;
+ struct measure_request mr = {.fd = 0, .label = 0,
+ .flags = MODULE_MEASURE_FLAG
+ };
+ arglen = strlen_user(uargs);
+ if (!arglen) {
+ invalidate_pcr("ERROR measuring kernel module!");
+ return;
+ }
+ args = kmalloc(arglen, GFP_KERNEL);
+ if (!args) {
+ invalidate_pcr("OUT OF MEMORY measuring kernel module!");
+ return;
+ }
+ if (copy_from_user(args, uargs, arglen) != 0) {
+ invalidate_pcr("ERROR measuring kernel module!");
+ return;
+ }
+ /* get the module name for entry */
+ hdr = (Elf_Ehdr *) start;
+ sechdrs = (void *) hdr + hdr->e_shoff;
+ secstrings = (void *) hdr + sechdrs[hdr->e_shstrndx].sh_offset;
+
+ modindex = find_mod_sec(hdr, sechdrs, secstrings,
+ ".gnu.linkonce.this_module");
+ if (!modindex) {
+ ima_error("No module found in object\n");
+ invalidate_pcr("Module without name?!");
+ return;
+ }
+ mod = (void *) ((size_t) hdr + sechdrs[modindex].sh_offset);
+ do_measure_memory(start, len, &mr, mod->name);
+ return;
+}
+
+
+/* Measure files mapped as executable */
+int measure_file_exec(struct file *file, const struct measure_request *mr)
+{
+ struct dentry *dentry;
+ struct inode *inode;
+ int error = 0;
+ struct measure_entry *entry, *new_entry;
+ struct ima_file *f_security = NULL;
+ struct ima_inode *i_security = NULL;
+
+ if (!file || !file->f_op) {
+ ima_error("File not found Error!\n");
+ return -EACCES;
+ }
+ if (!file->f_dentry || !file->f_dentry->d_inode) {
+ ima_error("File dentry or inode connection broken (NULL) ERROR!\n");
+ return -EACCES;
+ }
+ /* here we skip unnecessary measurements */
+ if (skip_measurement(file)) {
+ return 0;
+ }
+ dentry = file->f_dentry;
+ inode = dentry->d_inode;
+ /* save information in file in order to dec measure_count in inode once
+ * file is closed ... */
+ f_security = ima_get_file_security(file);
+ if (f_security != NULL) {
+ if (f_security->magic != IMA_MAGIC) {
+ invalidate_pcr("Internal inconsistency error (f_security with illegal magic).\n");
+ return -EFAULT;
+ } else {
+ /* HERE file struct is being re-used (not freed) .. happens more and more */
+ i_security =
+ ima_get_inode_security(file->f_dentry->
+ d_inode);
+ if ((i_security == NULL)
+ || (i_security->magic != IMA_MAGIC)) {
+ invalidate_pcr("Internal inconsistency error (f_security not free but no i_security).\n");
+ return -EFAULT;
+ }
+ }
+ } else {
+ /* file->f_security = NULL; normal case */
+ f_security = kmalloc(sizeof(struct ima_file), GFP_KERNEL);
+ if (f_security == NULL) {
+ invalidate_pcr("out of memory error");
+ return -EFAULT;
+ } else {
+ f_security->magic = IMA_MAGIC;
+ f_security->is_measuring = 1;
+ ima_store_file_security(file, f_security);
+ }
+ /* a) we maintain an inode copy of clean etc. to speed up clean hits */
+ i_security = ima_get_inode_security(inode);
+ if (i_security != NULL) {
+ if (i_security->magic != IMA_MAGIC) {
+ invalidate_pcr
+ ("PANIC! Unexpected i_security MAGIC!");
+ return -EFAULT;
+ }
+ /* only increment it once for any open file, thus here in the "f_security==null" case */
+ atomic_inc(&(i_security->measure_count));
+ } else {
+ /* create ima_inode structure */
+ i_security =
+ kmalloc(sizeof(struct ima_inode), GFP_KERNEL);
+ if (i_security == NULL) {;
+ invalidate_pcr("out of memory error");
+ return -EFAULT;
+ } else {
+ i_security->magic = IMA_MAGIC;
+ i_security->dirty = DIRTY;
+ /* is reset later after measuring file */
+ atomic_set(&(i_security->measure_count),
+ 1);
+ i_security->file_name = NULL;
+ ima_store_inode_security(inode,
+ i_security);
+ }
+ }
+ }
+ /* a) catch most cases */
+ i_security = ima_get_inode_security(inode);
+ if ((i_security) && (i_security->dirty == CLEAN)) {
+ atomic_inc(&htable.cleanInodeHits);
+ return 0; /* clean hit */
+ }
+ /* b) if there is already a writer on this file --> error!
+ * only i_writecount < 0 disables writers;
+ * do this test AFTER setting inode->i_security->measure_count!
+ */
+ if (atomic_read(&(inode->i_writecount)) > 0) {
+ invalidate_pcr("Measured file has writers.");
+ return -EFAULT;
+ }
+ /* c) real measure work */
+ down(&h_table_mutex);
+ entry = ima_lookup_measure_entry(inode->i_ino, inode->i_rdev);
+ if ((entry != NULL) && (entry->dirty == CLEAN)) {
+ goto out; /* release lock; nothing to measure */
+ }
+ new_entry = measure_file(file, dentry, inode);
+ /* now we adjust the entry table:
+ * -- if there was no entry, we just add the new one
+ * -- if there was one but different hash, we add the new one
+ * -- if there was one and same hash, we clear dirty bit on existing one
+ */
+ if (!new_entry) {
+ /* internal error, make sure attestation fails from now on */
+ invalidate_pcr("internal error"); /* expand with illegal entry */
+ error = -EFAULT;
+ goto out;
+ }
+ if (mr != NULL) {
+ memcpy(&(new_entry->mr), mr,
+ sizeof(struct measure_request));
+ } else {
+ memset(&(new_entry->mr), 0,
+ sizeof(struct measure_request));
+ }
+ if (entry == NULL) { /* no old entry for this inode found */
+ /* add if no same-hash recorded (i.e., no copy measured yet) */
+ if (!ima_lookup_sha_entry(new_entry->digest)) {
+ if ((error = ima_add_measure_entry(new_entry)) < 0) {
+ kfree(new_entry);
+ invalidate_pcr
+ ("error adding measurement entry");
+ error = -EFAULT;
+ } else { /* extend PCR */
+ tpm_extend(CONFIG_IMA_MEASURE_PCR_IDX,
+ new_entry->digest);
+ }
+ }
+ } else { /* old entry exists */
+ if (!memcmp(entry->digest, new_entry->digest, 20)) {
+ entry->dirty = get_default_dirty_setting(inode);
+ /* re-label with default (not to ever clean nfs etc. files) */
+ kfree(new_entry);
+ } else {
+ /* dirty and look whether to add new entry */
+ entry->dirty = CHANGED;
+ atomic_inc(&htable.changedFiles);
+ if (!ima_lookup_sha_entry(new_entry->digest)) {
+ if ((error =
+ ima_add_measure_entry(new_entry)) <
+ 0) {
+ kfree(new_entry);
+ invalidate_pcr
+ ("error adding measurement entry");
+ error = -EFAULT;
+ } else { /* extend PCR */
+ tpm_extend(CONFIG_IMA_MEASURE_PCR_IDX,
+ new_entry->digest);
+ }
+ }
+ }
+ }
+ out:
+ up(&h_table_mutex);
+ return (error);
+}
+
+/* called permission for dirty-flagging
+ * we are moving towards inode-based flagging
+ * and thus avoiding table lookup for dirty flagging
+ */
+int measure_dirty_flag_inode(struct inode *inode)
+{
+ struct measure_entry *entry;
+ struct ima_inode *i_security = NULL;
+
+ if (!inode) {
+ /* not a file to measure */
+ return 0;
+ }
+ down(&h_table_mutex);
+ if ((entry =
+ ima_lookup_measure_entry(inode->i_ino, inode->i_rdev))) {
+ if (entry->dirty == CLEAN)
+ entry->dirty = DIRTY;
+ /* change from clean to dirty only, leave "changed" unchanged */
+ /* inode dirty flag must be set, too */
+ if ((i_security = ima_get_inode_security(inode)) != NULL) {
+ if (i_security->dirty == CLEAN) {
+ i_security->dirty = DIRTY;
+ }
+ }
+ }
+ up(&h_table_mutex);
+ return 0;
+}
+
+/* called by mount to dirty-flag on "umount" */
+int measure_dirty_flag_super(struct super_block *super)
+{
+ /* here we go through the whole hash table and look
+ * for entries with this superblock to mark them dirty if clean
+ */
+ struct queue_entry *qe;
+ int j;
+
+ if (htable.terminating)
+ return 0;
+
+ down(&h_table_mutex);
+ for (j = 0; j < htable.max_htable_size; j++) {
+ /* walk the whole hash table */
+ qe = htable.queue[j];
+ while (qe != NULL) {
+ if (qe->entry->superBlock == super) {
+ if (qe->entry->dirty == CLEAN)
+ qe->entry->dirty = DIRTY;
+ }
+ qe = qe->next;
+ }
+ }
+ up(&h_table_mutex);
+ return 0;
+}
+
+EXPORT_SYMBOL(measure_file_exec);
+EXPORT_SYMBOL(measure_kernel_module);
+EXPORT_SYMBOL(measure_dirty_flag_super);
+EXPORT_SYMBOL(measure_dirty_flag_inode);
diff -uprN linux-2.6.12-rc4/security/ima/ima_proc.c linux-2.6.12-rc4-ima/security/ima/ima_proc.c
--- linux-2.6.12-rc4/security/ima/ima_proc.c 1969-12-31 19:00:00.000000000 -0500
+++ linux-2.6.12-rc4-ima/security/ima/ima_proc.c 2005-05-19 17:59:20.000000000 -0400
@@ -0,0 +1,444 @@
+/*
+ * Copyright (C) 2005 IBM Corporation
+ *
+ * Authors:
+ * Reiner Sailer <sailer@private>
+ *
+ * Maintained by: TBD
+ *
+ * LSM IBM Integrity Measurement Architecture.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2 of the
+ * License.
+ *
+ * File: ima_proc.c
+ * implements proc fs for measurements;
+ * added static large buffer for /proc/ima/xmlmeasurements
+ */
+#include <linux/module.h>
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/linkage.h>
+#include <linux/time.h>
+#include <linux/types.h>
+#include <linux/fcntl.h>
+#include <asm/uaccess.h>
+#include <linux/file.h>
+#include <linux/slab.h>
+#include <linux/crypto.h>
+#include <linux/string.h>
+#include <linux/proc_fs.h>
+
+#include "ima.h"
+
+#define MAXPROCMEM 128*1024
+static struct proc_dir_entry *tpm_dir;
+static char *xmlmem = NULL;
+extern atomic_t global_count_sysfs;
+extern atomic_t global_count_sysfs_measure;
+extern atomic_t global_count_mmap_measure;
+extern struct h_table htable;
+
+/*
+ * /proc filesystem interface
+ */
+static int ima_proc_read_htable(char *page, char **start, off_t off, int count, int *eof, void *data)
+{
+ ssize_t len = 0;
+
+ down(&h_table_mutex);
+ if (count - len > 0)
+ len +=
+ snprintf(page + len, count - len,
+ "\nTCG MEASUREMENT HASH TABLE: \n");
+ if (count - len > 0)
+ len +=
+ snprintf(page + len, count - len,
+ "len\t\tcleanIHit\tcleanHit\tdirtyHit\tchangedFiles\n");
+ if (count - len > 0) {
+ len +=
+ snprintf(page + len, count - len,
+ "%i\t\t%i\t\t%i\t\t%i\t\t%i\n\n",
+ atomic_read(&htable.len),
+ atomic_read(&htable.cleanInodeHits),
+ atomic_read(&htable.cleanTableHits),
+ atomic_read(&htable.dirtyTableHits),
+ atomic_read(&htable.changedFiles)
+ );
+ }
+ if (count - len > 0)
+ len +=
+ snprintf(page + len, count - len,
+ "sysfs\t\tsysfs_measure\t\tmmap_measure\t\ttermFlag\n");
+ if (count - len > 0) {
+ len +=
+ snprintf(page + len, count - len,
+ "%i\t\t%i\t\t\t%i\t\t\t%i\n\n",
+ atomic_read(&global_count_sysfs),
+ atomic_read(&global_count_sysfs_measure),
+ atomic_read(&global_count_mmap_measure),
+ htable.terminating);
+ }
+
+ *eof = 1;
+ up(&h_table_mutex);
+ if (len > count)
+ len = count;
+
+ return len;
+}
+
+
+static int print_measure_entry(struct measure_entry *e, char *buf, int count, int nr)
+{
+ return snprintf(buf, count,
+ "#%03d: %02X%02X%02X%02X%02X%02X%02X%02X%02X%02X"
+ "%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X [%s] %s\n",
+ nr, e->digest[0], e->digest[1], e->digest[2],
+ e->digest[3], e->digest[4], e->digest[5],
+ e->digest[6], e->digest[7], e->digest[8],
+ e->digest[9], e->digest[10], e->digest[11],
+ e->digest[12], e->digest[13], e->digest[14],
+ e->digest[15], e->digest[16], e->digest[17],
+ e->digest[18], e->digest[19],
+ (e->dirty ==
+ DIRTY) ? "remeasure" : ((e->dirty ==
+ CHANGED) ? "changed" :
+ "clean"), e->fileName);
+}
+
+
+static int ima_proc_read_measurements(char *page, char **start, off_t off, int count, int *eof, void *data)
+{
+ struct queue_entry *qe;
+ static unsigned int len, i;
+ static unsigned int nextpos;
+ int ret = 0;
+
+ down(&h_table_mutex);
+ /* first reset pos for new requests */
+ if (!off)
+ nextpos = 0;
+
+ /* ALWAYS set page here... otherwise it uses running offset */
+ *start = page;
+ ret = 0;
+ *eof = 0;
+
+ /* now overread the first "nextpos" elements */
+ for (qe = first_measurement, i = 0;
+ qe && qe->entry && (i < nextpos); qe = qe->later, i++);
+
+ /* make sure the next entry fits completely */
+ while ((count > 500) && qe && qe->entry) {
+ /* now fill rest of page */
+ len =
+ print_measure_entry(qe->entry, page + ret, count,
+ nextpos);
+ qe = qe->later;
+ count -= len;
+ ret += len;
+ nextpos += 1;
+ }
+ /* do we have more elements? */
+ if (!qe) {
+ *eof = 1;
+ }
+ up(&h_table_mutex);
+ return ret;
+}
+
+/* print format: 32bit-le=pcr#||char[20]=digest||filename||'\0' len(filename)<40*/
+static int print_measure_event_entry(struct measure_entry *e, char *buf, int count, int nr)
+{
+#define TCG_EVENT_NAME_LEN_MAX 40
+
+ void *ptr = (void *) buf;
+ int filename_len = strlen(e->fileName);
+
+ /* 1st: PCR used is always the same (config option) in little-endian format */
+ *((u32 *) ptr) = (u32) CONFIG_IMA_MEASURE_PCR_IDX;
+ ptr += 4;
+
+ /* 2nd: SHA1 ... */
+ memcpy(ptr, e->digest, 20);
+ ptr += 20;
+
+ /* 3rd: filename <=40 + \'0' delimiter */
+ if (filename_len > (TCG_EVENT_NAME_LEN_MAX - 1))
+ filename_len = TCG_EVENT_NAME_LEN_MAX - 1;
+
+ memcpy(ptr, e->fileName, filename_len);
+ ptr += filename_len;
+
+ /* 4th: delimiter */
+ *((char *) ptr) = '\0';
+ ptr += 1;
+
+ return ((u32) ptr - (u32) buf);
+}
+
+
+static int ima_proc_read_measurement_events(char *page, char **start, off_t off, int count, int *eof, void *data)
+{
+ struct queue_entry *qe;
+ static unsigned int len, i;
+ static unsigned int nextpos;
+ int ret = 0;
+
+ down(&h_table_mutex);
+ /* first reset pos for new requests */
+ if (!off)
+ nextpos = 0;
+
+ *start = page;
+ ret = 0;
+ *eof = 0;
+
+ /* now overread the first "nextpos" elements */
+ for (qe = first_measurement, i = 0;
+ qe && qe->entry && (i < nextpos); qe = qe->later, i++);
+
+ /* make sure the next entry fits completely */
+ while ((count > 500) && qe && qe->entry) {
+ /* now fill rest of page */
+ len =
+ print_measure_event_entry(qe->entry, page + ret, count,
+ nextpos);
+ qe = qe->later;
+ count -= len;
+ ret += len;
+ nextpos += 1;
+ }
+ /* do we have more elements or not ? */
+ if (!qe) {
+ *eof = 1;
+ }
+ up(&h_table_mutex);
+ return ret;
+}
+
+#define mr_hook(e) \
+ (((e)->mr.flags & MMAP_MEASURE_FLAG) ? \
+ "mmap" : \
+ ((e)->mr.flags & MODULE_MEASURE_FLAG) ? \
+ "module" : \
+ ((e)->mr.flags & USER_MEASURE_FLAG) ? \
+ "user" : "UNKNOWN")
+
+static int print_extmeasure_entry(struct measure_entry *e, char *buf, int count, int nr)
+{
+ return snprintf(buf, count,
+ "#%03d: %02X%02X%02X%02X%02X%02X%02X%02X%02X%02X"
+ "%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X [%s] %s L[%u,%lu,%s]\n",
+ nr, e->digest[0], e->digest[1], e->digest[2],
+ e->digest[3], e->digest[4], e->digest[5],
+ e->digest[6], e->digest[7], e->digest[8],
+ e->digest[9], e->digest[10], e->digest[11],
+ e->digest[12], e->digest[13], e->digest[14],
+ e->digest[15], e->digest[16], e->digest[17],
+ e->digest[18], e->digest[19],
+ (e->dirty ==
+ DIRTY) ? "remeasure" : ((e->dirty ==
+ CHANGED) ? "changed" :
+ "clean"), e->fileName,
+ e->mr.label, e->mr.flags, mr_hook(e));
+}
+
+
+static int ima_proc_read_extmeasurements(char *page, char **start, off_t off, int count, int *eof, void *data)
+{
+ struct queue_entry *qe;
+ static unsigned int len, i;
+ static unsigned int nextpos;
+ int ret = 0;
+
+ down(&h_table_mutex);
+ /* first reset pos for new requests */
+ if (!off)
+ nextpos = 0;
+
+ /* ALWAYS set page here... otherwise it uses running offset not return value! */
+ *start = page;
+ ret = 0;
+ *eof = 0;
+
+ /* now overread the first "nextpos" elements */
+ for (qe = first_measurement, i = 0;
+ qe && qe->entry && (i < nextpos); qe = qe->later, i++);
+
+ /* make sure the next entry fits completely */
+ while ((count > 500) && qe && qe->entry) {
+ /* now fill rest of page */
+ len =
+ print_extmeasure_entry(qe->entry, page + ret, count,
+ nextpos);
+ qe = qe->later;
+ count -= len;
+ ret += len;
+ nextpos += 1;
+ }
+ /* do we have more elements or not ? */
+ if (!qe) {
+ *eof = 1;
+ }
+ up(&h_table_mutex);
+ return ret;
+}
+
+
+static int print_xmlmeasure_entry(struct measure_entry *e, char *buf, int count, int nr)
+{
+ return snprintf(buf, count,
+ "<NUM>%03d</NUM><SHA1>%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X"
+ "%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X</SHA1><STATUS>%s</STATUS><NAME>%s</NAME>\n",
+ nr, e->digest[0], e->digest[1], e->digest[2],
+ e->digest[3], e->digest[4], e->digest[5],
+ e->digest[6], e->digest[7], e->digest[8],
+ e->digest[9], e->digest[10], e->digest[11],
+ e->digest[12], e->digest[13], e->digest[14],
+ e->digest[15], e->digest[16], e->digest[17],
+ e->digest[18], e->digest[19],
+ (e->dirty ==
+ DIRTY) ? "remeasure" : ((e->dirty ==
+ CHANGED) ? "changed" :
+ "clean"), e->fileName);
+}
+
+
+static int ima_proc_read_xmlmeasurements(char *page, char **start, off_t off, int count, int *eof, void *data)
+{
+ struct queue_entry *qe;
+ static unsigned int len, i;
+ static unsigned int nextpos;
+ int ret = 0;
+
+ down(&h_table_mutex);
+ /* first reset pos for new requests */
+ if (!off)
+ nextpos = 0;
+
+ *start = page;
+ ret = 0;
+ *eof = 0;
+
+ /* now overread the first "nextpos" elements */
+ for (qe = first_measurement, i = 0;
+ qe && qe->entry && (i < nextpos); qe = qe->later, i++);
+
+ /* make sure the next entry fits completely */
+ while ((count > 500) && qe && qe->entry) {
+ /* now fill rest of page */
+ len =
+ print_xmlmeasure_entry(qe->entry, page + ret, count,
+ nextpos);
+ qe = qe->later;
+ count -= len;
+ ret += len;
+ nextpos += 1;
+ }
+ /* do we have more elements or not ? */
+ if (!qe) {
+ *eof = 1;
+ }
+ up(&h_table_mutex);
+ return ret;
+}
+
+
+void ima_proc_init(void)
+{
+ struct proc_dir_entry *entry;
+
+ tpm_dir = proc_mkdir(IMA_MEASURE_PROC_NAME, NULL);
+ if (tpm_dir == NULL)
+ return;
+
+ if ((xmlmem = kmalloc(MAXPROCMEM, GFP_KERNEL)) == NULL) {
+ ima_error("proc XMLmeasurements out of memory ERROR.\n");
+ remove_proc_entry(IMA_MEASURE_MODULE_NAME, NULL);
+ return;
+ }
+
+ entry = create_proc_read_entry("measurements",
+ 0444, tpm_dir,
+ ima_proc_read_measurements, NULL);
+ if (entry == NULL) {
+ remove_proc_entry(IMA_MEASURE_MODULE_NAME, NULL);
+ if (xmlmem != NULL)
+ kfree(xmlmem);
+ return;
+ }
+ entry->owner = THIS_MODULE;
+
+ entry = create_proc_read_entry("xmlmeasurements",
+ 0444, tpm_dir,
+ ima_proc_read_xmlmeasurements,
+ NULL);
+ if (entry == NULL) {
+ remove_proc_entry(IMA_MEASURE_MODULE_NAME, NULL);
+ remove_proc_entry("measurements", tpm_dir);
+ if (xmlmem != NULL)
+ kfree(xmlmem);
+ return;
+ }
+ entry->owner = THIS_MODULE;
+
+ entry = create_proc_read_entry("extmeasurements",
+ 0444, tpm_dir,
+ ima_proc_read_extmeasurements,
+ NULL);
+ if (entry == NULL) {
+ remove_proc_entry(IMA_MEASURE_MODULE_NAME, NULL);
+ remove_proc_entry("measurements", tpm_dir);
+ remove_proc_entry("xmlmeasurements", tpm_dir);
+ if (xmlmem != NULL)
+ kfree(xmlmem);
+ return;
+ }
+ entry->owner = THIS_MODULE;
+
+ entry = create_proc_read_entry("measurement_events",
+ 0444, tpm_dir,
+ ima_proc_read_measurement_events,
+ NULL);
+ if (entry == NULL) {
+ remove_proc_entry(IMA_MEASURE_MODULE_NAME, NULL);
+ remove_proc_entry("measurements", tpm_dir);
+ remove_proc_entry("xmlmeasurements", tpm_dir);
+ remove_proc_entry("extmeasurements", tpm_dir);
+ if (xmlmem != NULL)
+ kfree(xmlmem);
+ return;
+ }
+ entry->owner = THIS_MODULE;
+
+ entry = create_proc_read_entry("htable",
+ 0444, tpm_dir, ima_proc_read_htable,
+ NULL);
+ if (entry == NULL) {
+ remove_proc_entry("measurements", tpm_dir);
+ remove_proc_entry("xmlmeasurements", tpm_dir);
+ remove_proc_entry("extmeasurements", tpm_dir);
+ remove_proc_entry("measurement_events", tpm_dir);
+ remove_proc_entry(IMA_MEASURE_MODULE_NAME, NULL);
+ if (xmlmem != NULL)
+ kfree(xmlmem);
+ return;
+ }
+ entry->owner = THIS_MODULE;
+}
+
+void ima_proc_cleanup(void)
+{
+ remove_proc_entry("htable", tpm_dir);
+ remove_proc_entry("measurements", tpm_dir);
+ remove_proc_entry("xmlmeasurements", tpm_dir);
+ remove_proc_entry("extmeasurements", tpm_dir);
+ remove_proc_entry("measurement_events", tpm_dir);
+ remove_proc_entry(IMA_MEASURE_PROC_NAME, NULL);
+ if (xmlmem != NULL)
+ kfree(xmlmem);
+}
diff -uprN linux-2.6.12-rc4/security/ima/ima_queue.c linux-2.6.12-rc4-ima/security/ima/ima_queue.c
--- linux-2.6.12-rc4/security/ima/ima_queue.c 1969-12-31 19:00:00.000000000 -0500
+++ linux-2.6.12-rc4-ima/security/ima/ima_queue.c 2005-05-19 17:59:20.000000000 -0400
@@ -0,0 +1,241 @@
+/*
+ * Copyright (C) 2005 IBM Corporation
+ *
+ * Authors:
+ * Reiner Sailer <sailer@private>
+ *
+ * Maintained by: TBD
+ *
+ * LSM IBM Integrity Measurement Architecture.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2 of the
+ * License.
+ *
+ * File: ima_queue.c
+ * implements queues for run-time measurement
+ * functions based on SHA1
+ */
+#include <linux/module.h>
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/linkage.h>
+#include <linux/time.h>
+#include <linux/types.h>
+#include <linux/fcntl.h>
+#include <asm/uaccess.h>
+#include <linux/file.h>
+#include <linux/slab.h>
+#include <linux/crypto.h>
+
+#include "ima.h"
+
+/* pointer to very first and latest measurement (time-ordered) */
+struct queue_entry *first_measurement = NULL; /* for printing */
+struct queue_entry *latest_measurement = NULL; /* for adding */
+
+struct h_table htable; /* key: inode (before secure-hashing a file) */
+struct sha_table sha_htable; /* key: hash (after secure-hashing a file) */
+int ima_add_sha_entry(struct measure_entry *);
+
+DECLARE_MUTEX_LOCKED(h_table_mutex);
+
+void create_sha_htable(void)
+{
+ int i;
+
+ atomic_set(&sha_htable.len, 0);
+ sha_htable.max_htable_size = MEASURE_HTABLE_SIZE;
+ sha_htable.terminating = 0;
+ for (i = 0; i < sha_htable.max_htable_size; i++) {
+ sha_htable.queue[i] = NULL;
+ atomic_set(&sha_htable.queueLen[i], 0);
+ }
+}
+
+void create_htable(void)
+{
+ int i;
+
+ init_MUTEX_LOCKED(&h_table_mutex);
+ first_measurement = NULL;
+ latest_measurement = NULL;
+ atomic_set(&htable.len, 0);
+ atomic_set(&htable.cleanInodeHits, 0);
+ atomic_set(&htable.cleanTableHits, 0);
+ atomic_set(&htable.dirtyTableHits, 0);
+ atomic_set(&htable.changedFiles, 0);
+ htable.max_htable_size = MEASURE_HTABLE_SIZE;
+ htable.terminating = 0;
+ for (i = 0; i < htable.max_htable_size; i++) {
+ htable.queue[i] = NULL;
+ atomic_set(&htable.queueLen[i], 0);
+ }
+ up(&h_table_mutex);
+}
+
+void destroy_sha_htable(void)
+{
+ struct sha_entry *qe;
+ int i;
+
+ sha_htable.terminating = 1;
+ /* now release queues */
+ for (i = 0; i < sha_htable.max_htable_size; i++) {
+ while ((qe = sha_htable.queue[i]) != NULL) {
+ sha_htable.queue[i] = qe->next;
+ kfree(qe);
+ }
+ sha_htable.queue[i] = NULL;
+ atomic_set(&sha_htable.queueLen[i], 0);
+ }
+ return;
+}
+
+void destroy_htable(void)
+{
+ struct queue_entry *qe;
+ int i;
+
+ down(&h_table_mutex);
+ first_measurement = NULL;
+ latest_measurement = NULL;
+ htable.terminating = 1;
+ /* now release queues */
+ for (i = 0; i < htable.max_htable_size; i++) {
+ while ((qe = htable.queue[i]) != NULL) {
+ htable.queue[i] = qe->next;
+ if (qe->entry)
+ kfree(qe->entry);
+ kfree(qe);
+ }
+ htable.queue[i] = NULL;
+ atomic_set(&htable.queueLen[i], 0);
+ }
+ /* no up until create */
+ return;
+}
+
+/*
+ * also sets clean and dirty table hit marks
+ */
+struct measure_entry *ima_lookup_measure_entry(unsigned long inodeNumber, dev_t devNumber)
+{
+ struct queue_entry *qe;
+ struct measure_entry *me;
+
+ if (htable.terminating)
+ return NULL;
+
+ /* fill in later */
+ qe = htable.queue[HASH_KEY(inodeNumber)];
+ while ((qe != NULL) && ((qe->entry->inodeNr != inodeNumber)
+ || (qe->entry->devId != devNumber)))
+ qe = qe->next;
+
+ if (qe != NULL) {
+ if (qe->entry->dirty != CLEAN) {
+ atomic_inc(&htable.dirtyTableHits);
+ } else {
+ atomic_inc(&htable.cleanTableHits);
+ }
+ me = qe->entry;
+ } else {
+ me = NULL;
+ }
+ return me;
+}
+
+
+
+struct sha_entry *ima_lookup_sha_entry(u8 * sha_value)
+{
+ struct sha_entry *se;
+ unsigned int key;
+
+ if (sha_htable.terminating)
+ return NULL;
+
+ key = SHA_KEY(sha_value);
+ se = sha_htable.queue[key];
+ while ((se != NULL) && (memcmp(se->digest, sha_value, 20))) {
+ /* unequal hash */
+ se = se->next;
+ }
+ return se;
+}
+
+
+int ima_add_measure_entry(struct measure_entry *entry)
+{
+ unsigned int key;
+ struct queue_entry *qe;
+ int error = 0;
+
+ /* new measurement -> add */
+ if (htable.terminating)
+ return -1;
+
+ /* calculate key */
+ key = HASH_KEY(entry->inodeNr);
+
+ /* create queue_entry */
+ if ((qe = kmalloc(sizeof(struct queue_entry), GFP_KERNEL)) == NULL) {
+ ima_error("OUT OF MEMORY in %s.\n", __func__);
+ error = -ENOMEM;
+ goto out;
+ }
+ qe->entry = entry;
+
+ /* insert entry at beginning of queue */
+ qe->next = htable.queue[key];
+ qe->later = NULL;
+ htable.queue[key] = qe;
+ atomic_inc(&htable.queueLen[key]);
+ /* update later list */
+ if (first_measurement == NULL) {
+ first_measurement = qe;
+ } else {
+ latest_measurement->later = qe;
+ }
+ latest_measurement = qe;
+ atomic_inc(&htable.len);
+ /* now add to sha hash table, too */
+ if (ima_add_sha_entry(entry))
+ error = -ENOMEM;
+ out:
+ return error;
+}
+
+
+
+int ima_add_sha_entry(struct measure_entry *entry)
+{
+ unsigned int key;
+ struct sha_entry *se;
+
+ if (sha_htable.terminating)
+ return -1;
+
+ /* calculate key */
+ key = SHA_KEY(entry->digest);
+ /* create queue_entry */
+ if ((se = kmalloc(sizeof(struct sha_entry), GFP_KERNEL)) == NULL)
+ goto out;
+ se->m_entry = entry;
+ se->digest = entry->digest;
+ se->next = NULL;
+
+ /* insert entry at beginning of queue */
+ se->next = sha_htable.queue[key];
+ sha_htable.queue[key] = se;
+ atomic_inc(&sha_htable.queueLen[key]);
+ /* update later list */
+ atomic_inc(&sha_htable.len);
+ return 0;
+
+ out:
+ ima_error("OUT OF MEMORY ERROR creating queue entry.\n");
+ return -ENOMEM;
+}
diff -uprN linux-2.6.12-rc4/security/ima/ima_sysfs.c linux-2.6.12-rc4-ima/security/ima/ima_sysfs.c
--- linux-2.6.12-rc4/security/ima/ima_sysfs.c 1969-12-31 19:00:00.000000000 -0500
+++ linux-2.6.12-rc4-ima/security/ima/ima_sysfs.c 2005-05-19 17:59:20.000000000 -0400
@@ -0,0 +1,150 @@
+/*
+ * Copyright (C) 2005 IBM Corporation
+ *
+ * Authors:
+ * Reiner Sailer <sailer@private>
+ *
+ * Maintained by: TBD
+ *
+ * LSM IBM Integrity Measurement Architecture.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2 of the
+ * License.
+ *
+ * File: ima_sysfs.c
+ * sysfs interface to request measurements
+ * through instrumented user applications
+ */
+#include <linux/config.h>
+#include <linux/module.h>
+#include <linux/fs.h>
+#include <linux/file.h>
+#include <linux/init.h>
+#include <linux/spinlock.h>
+#include <linux/kmod.h>
+#include <linux/kobj_map.h>
+#include <linux/sysfs.h>
+#include "ima.h"
+
+static struct subsystem security_subsys;
+
+atomic_t global_count_sysfs;
+atomic_t global_count_sysfs_measure;
+
+int measure_file_exec(struct file *, const struct measure_request *);
+
+static ssize_t security_attr_show(struct kobject *kobj,
+ struct attribute *attr, char *page)
+{
+ /* get security attribute */
+ struct subsys_attribute *security_attr =
+ container_of(attr, struct subsys_attribute, attr);
+
+ if (security_attr->show)
+ security_attr->show(&security_subsys, page);
+ else
+ ima_error("Attr method >show< not defined.\n");
+
+ return (ssize_t) 0;
+}
+
+static ssize_t security_attr_store(struct kobject *kobj,struct attribute *attr,
+ const char *page, size_t count)
+{
+ /* get security attribute */
+ struct subsys_attribute *security_attr =
+ container_of(attr, struct subsys_attribute, attr);
+ if (security_attr->store)
+ security_attr->store(&security_subsys, page, count);
+ else
+ ima_error("Attr method >store< not defined.\n");
+
+ return (ssize_t) count;
+}
+
+static struct sysfs_ops security_sysfs_ops = {
+ .show = &security_attr_show,
+ .store = &security_attr_store,
+};
+
+static ssize_t measurements_read(struct subsystem *sub, char *page)
+{
+ char *msg = "Hi There! Read is not supported :-)\n";
+ strncpy(page, msg, PAGE_SIZE);
+ return (strlen(msg));
+}
+
+static ssize_t measurement_store(struct subsystem *sub, const char *page,
+ size_t count)
+{
+ struct measure_request *mr;
+ struct file *file;
+ int error = -EINVAL;
+
+ atomic_inc(&global_count_sysfs);
+ if (count != sizeof(struct measure_request)) {
+ ima_error("illegal request size (%d, expected %d).\n",
+ count, sizeof(struct measure_request));
+ return -EIO;
+ }
+ mr = (struct measure_request *) page;
+ if (mr->fd < 0)
+ return -EBADF;
+
+ file = fget(mr->fd);
+ if (!file)
+ return -EACCES;
+ mr->flags = ((mr->flags) & (~FLAG_HOOK_MASK)) || USER_MEASURE_FLAG;
+ /* future: check inode->security to see if measure necessary */
+ atomic_inc(&global_count_sysfs_measure);
+ error = measure_file_exec(file, mr);
+ fput(file);
+ if (error)
+ return error;
+ else
+ return (ssize_t) count; /* length of written data */
+}
+
+static struct subsys_attribute security_attr_measure = {
+ .attr = {.name = "measure",.mode = S_IRUGO | S_IWUGO},
+ .show = measurements_read,
+ .store = measurement_store,
+};
+
+static struct attribute *default_security_attrs[] = {
+ &security_attr_measure.attr,
+ NULL,
+};
+
+static void security_object_release(struct kobject *kobj)
+{
+ return;
+}
+
+static struct kobj_type ktype_security = {
+ .release = security_object_release,
+ .sysfs_ops = &security_sysfs_ops,
+ .default_attrs = default_security_attrs,
+};
+
+/* declare security_subsys. */
+static decl_subsys(security, &ktype_security, NULL);
+
+
+int ima_sysfs_init(void)
+{
+ atomic_set(&global_count_sysfs, 0);
+ atomic_set(&global_count_sysfs_measure, 0);
+ subsystem_register(&security_subsys);
+ subsys_create_file(&security_subsys, &security_attr_measure);
+ return 0;
+}
+
+int ima_sysfs_remove(void)
+{
+ subsys_remove_file(&security_subsys, &security_attr_measure);
+ subsystem_unregister(&security_subsys);
+ return 0;
+}
diff -uprN linux-2.6.12-rc4/security/ima/ima_tpm_glue.c linux-2.6.12-rc4-ima/security/ima/ima_tpm_glue.c
--- linux-2.6.12-rc4/security/ima/ima_tpm_glue.c 1969-12-31 19:00:00.000000000 -0500
+++ linux-2.6.12-rc4-ima/security/ima/ima_tpm_glue.c 2005-05-19 17:59:20.000000000 -0400
@@ -0,0 +1,105 @@
+/*
+ * Copyright (C) 2005 IBM Corporation
+ *
+ * Authors:
+ * Reiner Sailer <sailer@private>
+ *
+ * Maintained by: TBD
+ *
+ * LSM IBM Integrity Measurement Architecture.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2 of the
+ * License.
+ *
+ * File: ima_tpm_glue.c
+ * implements glue code to connect IMA to the TPM driver
+ * by protecting new measurements in the TPM PCR
+ * (glues to tpmdd on www.sourceforge.net/tpmdd)
+ */
+#include <linux/config.h>
+#include <linux/module.h>
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/linkage.h>
+#include <linux/time.h>
+#include <linux/types.h>
+#include <linux/fcntl.h>
+#include <asm/uaccess.h>
+#include <linux/slab.h>
+#include <linux/errno.h>
+#include <linux/fs.h>
+#include "ima.h"
+
+#define TPM_BUFSIZE 2048
+
+extern struct tpm_chip *ima_used_chip;
+void tpm_extend(int index, const u8 * digest);
+void tpm_pcrread(int index, u8 * hash);
+
+static u32 decode_u32(u8 * buf)
+{
+ u32 val = buf[0];
+ val = (val << 8) | (u8) buf[1];
+ val = (val << 8) | (u8) buf[2];
+ val = (val << 8) | (u8) buf[3];
+ return val;
+}
+
+static void encode_u32(u8 * buf, u32 val)
+{
+ buf[0] = (u8) val >> 24;
+ buf[1] = (u8) val >> 16;
+ buf[2] = (u8) val >> 8;
+ buf[3] = (u8) val >> 0;
+}
+
+static u8 pcrread[] = {
+ 0, 193, /* TPM_TAG_RQU_COMMAND */
+ 0, 0, 0, 14, /* length */
+ 0, 0, 0, 21, /* TPM_ORD_PcrRead */
+ 0, 0, 0, 0 /* PCR index */
+};
+
+
+void tpm_pcrread(int index, u8 * hash)
+{
+ u8 data[TPM_BUFSIZE];
+ ssize_t len;
+
+ if (ima_used_chip == NULL)
+ return;
+
+ memcpy(data, pcrread, sizeof(pcrread));
+ encode_u32(data + 10, index);
+ if (((len = tpm_transmit(ima_used_chip, data, sizeof(data))) >= 30) &&
+ (decode_u32(data + 6) == 0))
+ memcpy(hash, data + 10, 20);
+}
+
+
+static u8 extend[] = {
+ 0, 193, /* TPM_TAG_RQU_COMMAND */
+ 0, 0, 0, 34, /* length */
+ 0, 0, 0, 20, /* TPM_ORD_Extend */
+ 0, 0, 0, 0 /* PCR index */
+};
+
+void tpm_extend(int index, const u8 * digest)
+{
+ u8 data[TPM_BUFSIZE];
+ int len;
+
+ if (ima_used_chip == NULL)
+ return;
+
+ memcpy(data, extend, sizeof(extend));
+ encode_u32(data + 10, index);
+ memcpy(data + 14, digest, 20);
+ if (((len = tpm_transmit(ima_used_chip, data, sizeof(data))) < 30) ||
+ (decode_u32(data + 6) != 0)) {
+ if (!ima_test_mode)
+ panic("IMA: Error Communicating to TPM chip and IMA not in test mode!\n");
+ }
+}
diff -uprN linux-2.6.12-rc4/security/ima/INSTALL linux-2.6.12-rc4-ima/security/ima/INSTALL
--- linux-2.6.12-rc4/security/ima/INSTALL 1969-12-31 19:00:00.000000000 -0500
+++ linux-2.6.12-rc4-ima/security/ima/INSTALL 2005-05-19 17:59:20.000000000 -0400
@@ -0,0 +1,124 @@
+File: INSTALL
+
+Installation File for
+IBM Integrity Measurement Architecture
+
+Copyright IBM (c) April 30, 2005
+Author: Reiner Sailer, sailer@private
+
+For background information, examples, and publications
+ on this topic, please visit:
+ http://www.research.ibm.com/secure_systems_department/projects/tcglinux/
+
+The following instructions work for Fedora Core3 but should be
+generic (you just need a configuration file that works for the kernel)
+
+1. Required kernel configuration options
+========================================
+ a) crypto->SHA1 is (y)
+ [IMA needs sha before modules are loaded]
+
+ b) security->Default Linux Capabilities (n)
+ [IMA cannot share LSM with the capabilities]
+
+ c) choose (y) for "TCG run-time Integrity Measurement Architecture"
+ [switchtes IMA measurements on]
+
+ d) choose (y) for "IMA test mode"
+ This option tells IMA to try to use a real hw TPM or bypass it
+ if in test mode.
+ Choose (y) if you don't have a TPM on your machine or if you
+ have a TPM on your machine but you want to test IMA and the
+ dependencies first. In any case, make sure you have a TPM
+ driver with the internal kernel interface patch posted to
+ LKML 05/2005. If you choose (n) and IMA can't start up for any
+ reason, it will panic the kernel to protect attestation.
+ If unsure, say (y). Say (y) only after testing.
+
+ e) If you'd like to compile SELinux and IMA and choose between
+ them at boot-time then configure:
+ NSA SELinux boot paramter
+ NSA SELinux boot parameter default value to (0)
+ (see 3 for kernel command line options)
+
+
+2. Compile and install the new kernel and initrd
+================================================
+make all; make modules_install; make install
+
+
+3. Change kernel command line options
+=====================================
+to activate the Integrity Measurement Architecture at boot-time,
+add: 'ima=1', to deactivate use 'ima=0' (default)
+
+If you have both SELinux and IBM IMA support compiled into
+the kernel, then switch at least one of:
+ 'ima=1 selinux=0' activates the Integrity Measurement Architecture
+ 'ima=0 selinux=1' activates SELinux
+
+You can't activate both because the kernel does not
+support LSM stacking.
+
+
+4. Trouble-shooting (restart your system to activate new kernel)
+================================================================
+Use `dmesg |grep IMA` to print IMA status startup information:
+You may find the following output:
+
+ a) you are fine if you see
+ the following lines (if you have TPM hardware):
+ ----
+ IBM Integrity Measurement Architecture (IBM IMA v2.0 05/18/2005).
+ IMA (test mode)
+ ----
+ or the following lines (if you don't have TPM hardware):
+ ----
+ IBM Integrity Measurement Architecture (IBM IMA v2.0 05/18/2005).
+ IMA (test mode)
+ IMA (TPM/BYPASS - no TPM chip found)
+ ----
+
+ b) you need to add the "ima=1" kernel boot paramter if you see:
+ ---
+ IBM Integrity Measurement Architecture (IBM IMA v2.0 05/18/2005).
+ IMA (not enabled in kernel command line) aborting!
+ ---
+
+ c) you need to compile SHA1 support statically into the kernel
+ (see configuration requirements) if you see:
+ ---
+ IBM Integrity Measurement Architecture (IBM IMA v2.0 05/18/2005).
+ IMA (test mode)
+ IMA (SHA-1/no support) aborting!
+ ---
+
+ d) you need to disable security->Default Linux Capabilities or
+ SELinux (see configuration requirements) if you see:
+ ---
+ IBM Integrity Measurement Architecture (IBM IMA v2.0 05/18/2005).
+ IMA (test mode)
+ IMA (LSM/not free) aborting!
+ ---
+
+5. Measurement example
+======================
+# cat /proc/ima/measurements
+
+#000: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF [remeasure] boot_aggregate
+#001: E2594BF3AA97ED8824A84F7D9ADAE054A7BAB788 [clean] nash
+#002: 2A954FC4EBAC54BA26909A5AD52AEE5848425C3F [clean] udev
+#003: BD145AE0CFC2021C065AEAE52355FEFEA741A0E2 [clean] insmod
+#004: 6A82A9D8537E7767CC0DC980912CE2949EEFF265 [remeasure] jbd
+#005: CB3A142617B950CC180E737EE0C4EC9C082A8D7C [remeasure] ext3
+#006: F3B8622110E3979FC4DE41598157C80F5F688AC6 [clean] init
+#007: 5ACBD4089B3BBAD951AD13775B41BB951EAE306C [clean] ld-2.3.5.so
+#008: 99554AD938DB53DDEAF1EFFBE472F05BF5F95878 [clean] libsepol.so.1
+#009: E9114FC95121F4F04EBEEE500107C80732279F87 [clean] libselinux.so.1
+#010: DCDDF67F5239F6E029CA7FA4C1332A7A109A22E2 [clean] libc-2.3.5.so
+#011: F49DD0EA2ED1547B6F1B1BEC085A685404303646 [clean] modprobe
+#012: 645C2BFC2D6EEF4AA807213295948AA0DB048577 [clean] bash
+ ....
+
+
+
diff -uprN linux-2.6.12-rc4/security/ima/Kconfig linux-2.6.12-rc4-ima/security/ima/Kconfig
--- linux-2.6.12-rc4/security/ima/Kconfig 1969-12-31 19:00:00.000000000 -0500
+++ linux-2.6.12-rc4-ima/security/ima/Kconfig 2005-05-19 17:59:20.000000000 -0400
@@ -0,0 +1,103 @@
+#
+# IBM Integrity Measurement Architecture
+#
+
+#menu "TPM-based Integrity Measurement Architecture"
+
+config IMA_MEASURE
+ bool "TCG run-time Integrity Measurement Architecture"
+ depends on SECURITY && CRYPTO_SHA1
+ help
+ To measure executable code running on this
+ system, say Y. If you say Y, you must disable
+ any other security modules because LSM are
+ currently not stackable.To actually start IMA,
+ you need to set a kernel boot parameter "ima=1".
+ If unsure, say N.
+
+config IMA_TEST_MODE
+ bool "IMA test mode"
+ depends on IMA_MEASURE
+ help
+ If you would like to test the measurement
+ architecture but you do not have a TPM hardware
+ on your system, say Y. Otherwise say N. If you say
+ Y and IMA does not find a TPM chip it will just bypass
+
+config IMA_MEASURE_PCR_IDX
+ int "PCR for Aggregate (8<= Index <= 15)"
+ depends on IMA_MEASURE
+ range 8 15
+ default 10
+ help
+ This determines the PCR index used for aggregating the
+ measurement list into the TPM hardware.
+ If unsure, use the default 10.
+
+config IMA_MEASURE_INVALIDATE_INDICATION_IDX
+ int "PCR for indicating invalidated PCR (8<= Index <= 15)"
+ depends on IMA_MEASURE
+ range 0 15
+ default 9
+ help
+ This determines the PCR index used to indicate that the
+ main measure pcr IMA_MEASURE_PCR_IDX aggregate has been
+ invalidated due to suspicious activity. This is just for
+ easily spotting invalidated IMA_MEASURE_PCR_IDX.
+ The main pcr was invalidated if
+ IMA_MEASURE_INVALIDATE_INDICATION_IDX is !=0.
+ If unsure, use the default pcr number 9.
+
+config IMA_SKIP_BOOT_AGGREGATE
+ bool "Skip Boot Aggregate Creation"
+ depends on IMA_MEASURE
+ help
+ If y, the usual aggregate over the boot PCRs
+ of the TPM is not calculated and not added to
+ the measurement list. If unsure, say N.
+
+config IMA_KMEM_BYPASS_PROTECTION
+ bool "Invalidate PCR on /dev/kmem write"
+ depends on IMA_MEASURE
+ help
+ This setting enforces TPM PCR invalidation if /dev/kmem
+ is written (bypass of measurements possible). Usually,
+ this does not restrict normal systems.
+ If unsure, say Y.
+
+config IMA_RAM_BYPASS_PROTECTION
+ bool "Invalidate PCR on /dev/ram write"
+ depends on IMA_MEASURE
+ help
+ This setting enforces TPM PCR invalidation if /dev/ram
+ is written (bypass of measurements possible). If you use
+ ramdisk, you might have a problem.
+ If unsure, say N.
+
+config IMA_HD_SD_BYPASS_PROTECTION
+ bool "Invalidate PCR on /dev/hdx /dev/sdx write"
+ depends on IMA_MEASURE
+ help
+ This setting enforces TPM PCR invalidation if /dev/hda,
+ /dev/hdb ... or /dev/sda, /dev/sdb ... are written
+ directly (bypass of measurement dirty flagging possible).
+ This requires some changes in /etc/rc.sysinit:
+ * check filesystems readonly (in rc.sysinit add "-n" fsck
+ option, remove -a where it appears
+ * switch off swapping (kernel controlled open on rw)
+ otherwise the PCRs will usually be invalidated.
+ If unsure, say N.
+
+config IMA_MEM_BYPASS_PROTECTION
+ bool "Invalidate PCR on /dev/mem write"
+ depends on IMA_MEASURE
+ help
+ This setting enforces TPM PCR invalidation if /dev/mem
+ is written (bypass of measurements possible). X needs
+ currently to write directly to /dev/mem. For client systems,
+ you might want to chose N here. For server systems not running X,
+ it is safe to say yes.
+ If unsure, say N.
+
+#endmenu
+
diff -uprN linux-2.6.12-rc4/security/ima/Makefile linux-2.6.12-rc4-ima/security/ima/Makefile
--- linux-2.6.12-rc4/security/ima/Makefile 1969-12-31 19:00:00.000000000 -0500
+++ linux-2.6.12-rc4-ima/security/ima/Makefile 2005-05-19 17:59:20.000000000 -0400
@@ -0,0 +1,12 @@
+#
+# Makefile for the TCG run-time Measurements
+#
+# Author: sailer@private
+# adapted to 2.6 kernel
+
+ifdef CONFIG_IMA_MEASURE
+obj-$(CONFIG_IMA_MEASURE) += ima_init.o ima_sysfs.o ima_main.o ima_proc.o \
+ ima_queue.o ima_lsmhooks.o ima_tpm_glue.o
+
+endif
+
diff -uprN linux-2.6.12-rc4/security/Kconfig linux-2.6.12-rc4-ima/security/Kconfig
--- linux-2.6.12-rc4/security/Kconfig 2005-05-07 01:20:31.000000000 -0400
+++ linux-2.6.12-rc4-ima/security/Kconfig 2005-05-19 17:59:20.000000000 -0400
@@ -86,6 +86,7 @@ config SECURITY_SECLVL
If you are unsure how to answer this question, answer N.
source security/selinux/Kconfig
+source security/ima/Kconfig
endmenu
diff -uprN linux-2.6.12-rc4/security/Makefile linux-2.6.12-rc4-ima/security/Makefile
--- linux-2.6.12-rc4/security/Makefile 2005-05-07 01:20:31.000000000 -0400
+++ linux-2.6.12-rc4-ima/security/Makefile 2005-05-19 17:59:20.000000000 -0400
@@ -4,6 +4,7 @@
obj-$(CONFIG_KEYS) += keys/
subdir-$(CONFIG_SECURITY_SELINUX) += selinux
+subdir-$(CONFIG_IMA_MEASURE) += ima
# if we don't select a security model, use the default capabilities
ifneq ($(CONFIG_SECURITY),y)
@@ -14,6 +15,7 @@ endif
obj-$(CONFIG_SECURITY) += security.o dummy.o
# Must precede capability.o in order to stack properly.
obj-$(CONFIG_SECURITY_SELINUX) += selinux/built-in.o
+obj-$(CONFIG_IMA_MEASURE) += ima/built-in.o
obj-$(CONFIG_SECURITY_CAPABILITIES) += commoncap.o capability.o
obj-$(CONFIG_SECURITY_ROOTPLUG) += commoncap.o root_plug.o
obj-$(CONFIG_SECURITY_SECLVL) += seclvl.o
This archive was generated by hypermail 2.1.3 : Fri May 20 2005 - 11:48:13 PDT