From: Jia Zhang <zhang.jia@linux.alibaba.com>
To: pvorel@suse.cz, zohar@linux.ibm.com
Cc: linux-integrity@vger.kernel.org, ltp@lists.linux.it,
zhang.jia@linux.alibaba.com
Subject: [PATCH v3 3/6] ima/ima_boot_aggregate: Fix extending PCRs beyond PCR 0-7
Date: Wed, 16 Jan 2019 10:57:38 +0800 [thread overview]
Message-ID: <1547607461-11233-4-git-send-email-zhang.jia@linux.alibaba.com> (raw)
In-Reply-To: <1547607461-11233-1-git-send-email-zhang.jia@linux.alibaba.com>
The boot aggragate calculation should never touch PCRs beyond PCR 0-7,
even a PCR extension really manipulates out-of-domain PCRs.
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
---
.../security/integrity/ima/src/ima_boot_aggregate.c | 15 ++++++++++-----
1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/testcases/kernel/security/integrity/ima/src/ima_boot_aggregate.c b/testcases/kernel/security/integrity/ima/src/ima_boot_aggregate.c
index 67be6a7..98893b9 100644
--- a/testcases/kernel/security/integrity/ima/src/ima_boot_aggregate.c
+++ b/testcases/kernel/security/integrity/ima/src/ima_boot_aggregate.c
@@ -93,11 +93,16 @@ int main(int argc, char *argv[])
printf("%03u ", event.header.pcr);
display_sha1_digest(event.header.digest);
}
- SHA1_Init(&c);
- SHA1_Update(&c, pcr[event.header.pcr].digest,
- SHA_DIGEST_LENGTH);
- SHA1_Update(&c, event.header.digest, SHA_DIGEST_LENGTH);
- SHA1_Final(pcr[event.header.pcr].digest, &c);
+
+ if (event.header.pcr < NUM_PCRS) {
+ SHA1_Init(&c);
+ SHA1_Update(&c, pcr[event.header.pcr].digest,
+ SHA_DIGEST_LENGTH);
+ SHA1_Update(&c, event.header.digest,
+ SHA_DIGEST_LENGTH);
+ SHA1_Final(pcr[event.header.pcr].digest, &c);
+ }
+
#if MAX_EVENT_DATA_SIZE < USHRT_MAX
if (event.header.len > MAX_EVENT_DATA_SIZE) {
printf("Error event too long\n");
--
1.8.3.1
next prev parent reply other threads:[~2019-01-16 2:58 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-01-16 2:57 [LTP][PATCH v3 0/6] LTP IMA fix bundle Jia Zhang
2019-01-16 2:57 ` [PATCH v3 1/6] ima/ima_boot_aggregate: Fix the definition of event log Jia Zhang
2019-01-20 18:13 ` Mimi Zohar
2019-01-20 18:37 ` Mimi Zohar
2019-01-16 2:57 ` [PATCH v3 2/6] ima/ima_boot_aggregate: Don't hard code the length of sha1 hash Jia Zhang
2019-01-16 2:57 ` Jia Zhang [this message]
2019-01-16 2:57 ` [PATCH v3 4/6] ima: Code cleanup Jia Zhang
2019-01-16 2:57 ` [PATCH v3 5/6] ima: Rename the folder name for policy files to datafiles Jia Zhang
2019-01-23 17:04 ` Petr Vorel
2019-01-24 5:11 ` Jia Zhang
2019-01-16 2:57 ` [PATCH v3 6/6] ima/ima_violations: Temporarily remove the printk rate limit Jia Zhang
2019-01-20 18:38 ` Mimi Zohar
2019-01-16 7:20 ` [LTP][PATCH v3 0/6] LTP IMA fix bundle Petr Vorel
2019-01-20 14:59 ` Jia Zhang
2019-01-24 2:19 ` Jia Zhang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1547607461-11233-4-git-send-email-zhang.jia@linux.alibaba.com \
--to=zhang.jia@linux.alibaba.com \
--cc=linux-integrity@vger.kernel.org \
--cc=ltp@lists.linux.it \
--cc=pvorel@suse.cz \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).