From: nramas <nramas@linux.microsoft.com>
To: Mimi Zohar <zohar@linux.ibm.com>, linux-integrity@vger.kernel.org
Cc: Roberto Sassu <roberto.sassu@huawei.com>,
Stefan Berger <stefanb@linux.ibm.com>,
Russell Coker <russell@coker.com.au>
Subject: Re: [RFC PATCH 2/2] evm: output EVM digest calculation info needed for debugging
Date: Thu, 03 Jun 2021 09:34:43 -0700 [thread overview]
Message-ID: <a994cedd0b2a07faf8d1949448ec9c14b3dba34c.camel@linux.microsoft.com> (raw)
In-Reply-To: <20210603151819.242247-3-zohar@linux.ibm.com>
On Thu, 2021-06-03 at 11:18 -0400, Mimi Zohar wrote:
Hi Mimi,
> Convert and output the binary data used in calculating the EVM digest
> to a hexadecimal string.
>
> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
> ---
> security/integrity/evm/evm.h | 1 +
> security/integrity/evm/evm_crypto.c | 7 +++++++
> security/integrity/evm/evm_main.c | 19 +++++++++++++++++++
> 3 files changed, 27 insertions(+)
>
> diff --git a/security/integrity/evm/evm.h
> b/security/integrity/evm/evm.h
> index 0d44f41d16f8..3d2d2da8fa97 100644
> --- a/security/integrity/evm/evm.h
> +++ b/security/integrity/evm/evm.h
> @@ -64,5 +64,6 @@ int evm_calc_hash(struct dentry *dentry, const char
> *req_xattr_name,
> int (struct inode *inode, const struct xattr *xattr,
> char *hmac_val);
> int evm_init_secfs(void);
> +void evm_bin2hex_print(const char *prefix, const void *src, size_t
> count);
>
For evm_bin2hex_print() can we could do the following in evm.h?
#ifdef DEBUG
void evm_bin2hex_print(const char *prefix, const void *src, size_t
count);
#else
void evm_bin2hex_print(const char *prefix, const void *src, size_t
count) {}
#endif /* DEBUG */
> void evm_bin2hex_print(const char *prefix, const void *src, size_t
> count);
> #endif
> diff --git a/security/integrity/evm/evm_crypto.c
> b/security/integrity/evm/evm_crypto.c
> index 1628e2ca9862..7601aa29c6d3 100644
> --- a/security/integrity/evm/evm_crypto.c
> +++ b/security/integrity/evm/evm_crypto.c
> @@ -175,6 +175,8 @@ static void hmac_add_misc(struct shash_desc
> *desc, struct inode *inode,
> type != EVM_XATTR_PORTABLE_DIGSIG)
> crypto_shash_update(desc, (u8 *)&inode->i_sb->s_uuid,
> UUID_SIZE);
> crypto_shash_final(desc, digest);
> +
> + evm_bin2hex_print("hmac_misc", &hmac_misc, sizeof(struct
> h_misc));
> }
>
> /*
> @@ -230,6 +232,9 @@ static int evm_calc_hmac_or_hash(struct dentry
> *dentry,
> req_xattr_value_len);
> if (is_ima)
> ima_present = true;
> +
> + evm_bin2hex_print(req_xattr_name,
> req_xattr_value,
> + req_xattr_value_len);
> continue;
> }
> size = vfs_getxattr_alloc(&init_user_ns, dentry, xattr-
> >name,
> @@ -246,6 +251,8 @@ static int evm_calc_hmac_or_hash(struct dentry
> *dentry,
> crypto_shash_update(desc, (const u8 *)xattr_value,
> xattr_size);
> if (is_ima)
> ima_present = true;
> +
> + evm_bin2hex_print(xattr->name, xattr_value,
> xattr_size);
> }
> hmac_add_misc(desc, inode, type, data->digest);
>
> diff --git a/security/integrity/evm/evm_main.c
> b/security/integrity/evm/evm_main.c
> index 2c226e634ae9..03d963fe2e67 100644
> --- a/security/integrity/evm/evm_main.c
> +++ b/security/integrity/evm/evm_main.c
> @@ -155,6 +155,23 @@ static int evm_find_protected_xattrs(struct
> dentry *dentry)
> return count;
> }
>
> +void evm_bin2hex_print(const char *prefix, const void *src, size_t
> count)
> +{
> +#ifdef DEBUG
> + char *asciihex, *p;
> +
> + p = asciihex = kmalloc(count * 2 + 1, GFP_KERNEL);
> + if (!asciihex)
> + return;
> +
> + p = bin2hex(p, src, count);
> + *p = 0;
> + printk("%s: (%lu) %.*s\n", prefix, count, (int) count * 2,
> asciihex);
Prefix the message with, say, "evm:".
thanks,
-lakshmi
> +
> + kfree(asciihex);
> +#endif
> +}
> +
> /*
> * evm_verify_hmac - calculate and compare the HMAC with the EVM
> xattr
> *
> @@ -272,6 +289,8 @@ static enum integrity_status
> evm_verify_hmac(struct dentry *dentry,
> else
> evm_status = INTEGRITY_FAIL;
> }
> +
> + evm_bin2hex_print("evm digest", digest.digest,
> digest.hdr.length);
> out:
> if (iint)
> iint->evm_status = evm_status;
next prev parent reply other threads:[~2021-06-03 16:34 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-06-03 15:18 [RFC PATCH 0/2] EVM: add some debugging info Mimi Zohar
2021-06-03 15:18 ` [RFC PATCH 1/2] ima: differentiate between EVM failures in the audit log Mimi Zohar
2021-06-04 6:37 ` Roberto Sassu
2021-06-03 15:18 ` [RFC PATCH 2/2] evm: output EVM digest calculation info needed for debugging Mimi Zohar
2021-06-03 16:34 ` nramas [this message]
2021-06-03 16:55 ` Mimi Zohar
2021-06-03 17:48 ` nramas
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=a994cedd0b2a07faf8d1949448ec9c14b3dba34c.camel@linux.microsoft.com \
--to=nramas@linux.microsoft.com \
--cc=linux-integrity@vger.kernel.org \
--cc=roberto.sassu@huawei.com \
--cc=russell@coker.com.au \
--cc=stefanb@linux.ibm.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox