Linux Integrity Measurement development
 help / color / mirror / Atom feed
* Re: [PATCH v8 04/12] tpm: Change tpm_get_random() opportunistic
From: Jarkko Sakkinen @ 2026-01-02 16:37 UTC (permalink / raw)
  To: Jonathan McDowell
  Cc: linux-integrity, David S . Miller, Herbert Xu, Eric Biggers,
	Peter Huewe, Jason Gunthorpe, David Howells, Paul Moore,
	James Morris, Serge E. Hallyn, open list, open list:KEYS/KEYRINGS,
	open list:SECURITY SUBSYSTEM
In-Reply-To: <aUUd760l89lrNOs-@earth.li>

On Fri, Dec 19, 2025 at 09:42:07AM +0000, Jonathan McDowell wrote:
> On Tue, Dec 16, 2025 at 11:21:38AM +0200, Jarkko Sakkinen wrote:
> > hwrng framework does not have a requirement that the all bytes requested
> > need to be provided. By enforcing such a requirement internally, TPM driver
> > can cause unpredictability in latency, as a single tpm_get_random() call
> > can result multiple TPM commands.
> > 
> > Especially, when TCG_TPM2_HMAC is enabled, extra roundtrips could have
> > significant effect to the system latency.
> > 
> > Thus, send TPM command only once and return bytes received instead of
> > committing to the number of requested bytes.
> 
> Function comment for tpm_get_random needs updated as well, as it currently
> says "until all of the @max bytes have been received", which is no longer
> true with this patch. With that:
> 
> Reviewed-by: Jonathan McDowell <noodles@meta.com>

Thank you and definitely can refine that comment. After holidays it is
probably to go through this patch set with time and send +1 iteration
:-)

BR, Jarkko

^ permalink raw reply

* Re: [PATCH v8 05/12] tpm2-sessions: Define TPM2_NAME_MAX_SIZE
From: Jarkko Sakkinen @ 2026-01-02 16:35 UTC (permalink / raw)
  To: Jonathan McDowell
  Cc: linux-integrity, Peter Huewe, Jason Gunthorpe, David Howells,
	Paul Moore, James Morris, Serge E. Hallyn, open list,
	open list:KEYS/KEYRINGS, open list:SECURITY SUBSYSTEM
In-Reply-To: <aUUbkosWlOjZ48YP@earth.li>

On Fri, Dec 19, 2025 at 09:32:02AM +0000, Jonathan McDowell wrote:
> On Tue, Dec 16, 2025 at 11:21:39AM +0200, Jarkko Sakkinen wrote:
> > Define TPM2_NAME_MAX_SIZE, which describes the maximum size for hashes
> > encoded as TPMT_HA, which the prime identifier used for persistent and
> > transient keys in TPM2 protocol.
> > 
> > Set its value to 'SHA512_DIGEST_SIZE + 2', as SHA512 has the largest
> > digest size of the algorithms in TCG algorithm repository.
> > 
> > In additionl, rename TPM2_NAME_SIZE as TPM2_NULL_NAME_SIZE in order to
> > avoid any possible confusion.
> 
> One minor capitalisation nit, otherwise:
> 
> Reviewed-by: Jonathan McDowell <noodles@meta.com>
> 
> > Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
> > ---
> > v6:
> > - Rewrote the commit message.
> > v2:
> > - Rename TPM2_NAME_SIZE as TPM2_NULL_NAME_SIZE.
> > ---
> > drivers/char/tpm/tpm-sysfs.c     |  2 +-
> > drivers/char/tpm/tpm2-sessions.c |  2 +-
> > include/linux/tpm.h              | 37 +++++++++++++++++++++-----------
> > 3 files changed, 27 insertions(+), 14 deletions(-)
> > 
> > diff --git a/drivers/char/tpm/tpm-sysfs.c b/drivers/char/tpm/tpm-sysfs.c
> > index 94231f052ea7..4a6a27ee295d 100644
> > --- a/drivers/char/tpm/tpm-sysfs.c
> > +++ b/drivers/char/tpm/tpm-sysfs.c
> > @@ -314,7 +314,7 @@ static ssize_t null_name_show(struct device *dev, struct device_attribute *attr,
> > 			      char *buf)
> > {
> > 	struct tpm_chip *chip = to_tpm_chip(dev);
> > -	int size = TPM2_NAME_SIZE;
> > +	int size = TPM2_NULL_NAME_SIZE;
> > 
> > 	bin2hex(buf, chip->null_key_name, size);
> > 	size *= 2;
> > diff --git a/drivers/char/tpm/tpm2-sessions.c b/drivers/char/tpm/tpm2-sessions.c
> > index 4149379665c4..525b8622d1c3 100644
> > --- a/drivers/char/tpm/tpm2-sessions.c
> > +++ b/drivers/char/tpm/tpm2-sessions.c
> > @@ -137,7 +137,7 @@ struct tpm2_auth {
> > 	 * we must compute and remember
> > 	 */
> > 	u32 name_h[AUTH_MAX_NAMES];
> > -	u8 name[AUTH_MAX_NAMES][2 + SHA512_DIGEST_SIZE];
> > +	u8 name[AUTH_MAX_NAMES][TPM2_MAX_NAME_SIZE];
> > };
> > 
> > #ifdef CONFIG_TCG_TPM2_HMAC
> > diff --git a/include/linux/tpm.h b/include/linux/tpm.h
> > index 202da079d500..e10f2096eae7 100644
> > --- a/include/linux/tpm.h
> > +++ b/include/linux/tpm.h
> > @@ -27,9 +27,33 @@
> > 
> > #define TPM_DIGEST_SIZE 20	/* Max TPM v1.2 PCR size */
> > 
> > +/*
> > + * SHA-512 is, as of today, the largest digest in the TCG algorithm repository.
> > + */
> > #define TPM2_MAX_DIGEST_SIZE	SHA512_DIGEST_SIZE
> > +
> > +/*
> > + * A TPM name digest i.e., TPMT_HA, is a concatenation of TPM_ALG_ID of the
> > + * name algorithm and hash of TPMT_PUBLIC.
> > + */
> > +#define TPM2_MAX_NAME_SIZE	(TPM2_MAX_DIGEST_SIZE + 2)
> > +
> > +/*
> > + * The maximum number of PCR banks.
> > + */
> > #define TPM2_MAX_PCR_BANKS	8
> > 
> > +/*
> > + * fixed define for the size of a name.  This is actually HASHALG size
> 
> "Fixed define".

Thanks, yeah, I can fix this up :-)

> 
> > + * plus 2, so 32 for SHA256
> > + */
> > +#define TPM2_NULL_NAME_SIZE	34
> > +
> > +/*
> > + * The maximum size for an object context
> > + */
> > +#define TPM2_MAX_CONTEXT_SIZE	4096
> > +
> > struct tpm_chip;
> > struct trusted_key_payload;
> > struct trusted_key_options;
> > @@ -139,17 +163,6 @@ struct tpm_chip_seqops {
> > /* fixed define for the curve we use which is NIST_P256 */
> > #define EC_PT_SZ	32
> > 
> > -/*
> > - * fixed define for the size of a name.  This is actually HASHALG size
> > - * plus 2, so 32 for SHA256
> > - */
> > -#define TPM2_NAME_SIZE	34
> > -
> > -/*
> > - * The maximum size for an object context
> > - */
> > -#define TPM2_MAX_CONTEXT_SIZE 4096
> > -
> > struct tpm_chip {
> > 	struct device dev;
> > 	struct device devs;
> > @@ -211,7 +224,7 @@ struct tpm_chip {
> > 	/* saved context for NULL seed */
> > 	u8 null_key_context[TPM2_MAX_CONTEXT_SIZE];
> > 	 /* name of NULL seed */
> > -	u8 null_key_name[TPM2_NAME_SIZE];
> > +	u8 null_key_name[TPM2_NULL_NAME_SIZE];
> > 	u8 null_ec_key_x[EC_PT_SZ];
> > 	u8 null_ec_key_y[EC_PT_SZ];
> > 	struct tpm2_auth *auth;
> > -- 
> > 2.39.5
> > 
> > 
> 
> J.
> 
> -- 
> Why do I get the feeling I'm going to regret this?
> This .sig brought to you by the letter S and the number 50
> Product of the Republic of HuggieTag

BR, Jarkko

^ permalink raw reply

* Re: [PATCH v8 02/12] KEYS: trusted: Use get_random_bytes_wait() instead of tpm_get_random()
From: Jarkko Sakkinen @ 2026-01-02 16:34 UTC (permalink / raw)
  To: Jonathan McDowell
  Cc: linux-integrity, Eric Biggers, David Howells, Paul Moore,
	James Morris, Serge E. Hallyn, James Bottomley, Mimi Zohar,
	open list:KEYS/KEYRINGS, open list:SECURITY SUBSYSTEM, open list
In-Reply-To: <aUUZKu2xaZvEdq-2@earth.li>

On Fri, Dec 19, 2025 at 09:21:46AM +0000, Jonathan McDowell wrote:
> On Tue, Dec 16, 2025 at 11:21:36AM +0200, Jarkko Sakkinen wrote:
> > Substitute remaining tpm_get_random() calls in trusted_tpm1.c with
> > get_random_bytes_wait() thus aligning random number generation for TPM 1.2
> > with the removal of '.get_random' callback.
> 
> Had to double check we wouldn't end up not getting all the randomness we ask
> for, but get_random_bytes_wait does indeed DTRT.
> 
> Reviewed-by: Jonathan McDowell <noodles@meta.com>

Thank you.

BR, Jarkko

^ permalink raw reply

* Re: [PATCH v8 07/12] KEYS: trusted: Remove dead branch from tpm2_unseal_cmd
From: Jarkko Sakkinen @ 2026-01-02 16:31 UTC (permalink / raw)
  To: James Bottomley
  Cc: linux-integrity, David Howells, Paul Moore, James Morris,
	Serge E. Hallyn, Mimi Zohar, open list:KEYS/KEYRINGS,
	open list:SECURITY SUBSYSTEM, open list
In-Reply-To: <57e69d4fd5a40899cd779ee04f29f33009c97431.camel@HansenPartnership.com>

On Fri, Dec 19, 2025 at 03:54:47PM -0500, James Bottomley wrote:
> On Tue, 2025-12-16 at 11:21 +0200, Jarkko Sakkinen wrote:
> > TPM2_Unseal requires TPM2_ST_SESSIONS, and tpm2_unseal_cmd() always
> > does set up either password or HMAC session.
> > 
> > Remove the branch in tpm2_unseal_cmd() conditionally setting
> > TPM2_ST_NO_SESSIONS. It is faulty but luckily it is never exercised
> > at run-time, and thus does not cause regressions.
> 
> Shouldn't that also be
> 
> Fixes: b7960b904861 ("tpm2-sessions: Open code tpm_buf_append_hmac_session()")

The implementation has pre-existed before that commit so it did
not really cause it. The call path was just more masked before
open coding it.

The code is of course exercised in !TCG_TPM2_HMAC case but it 
by definition does nothing.

> 
> > Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
> > ---
> >  security/keys/trusted-keys/trusted_tpm2.c | 10 +---------
> >  1 file changed, 1 insertion(+), 9 deletions(-)
> > 
> > diff --git a/security/keys/trusted-keys/trusted_tpm2.c
> > b/security/keys/trusted-keys/trusted_tpm2.c
> > index d3a5c5f2b926..3666e3e48eab 100644
> > --- a/security/keys/trusted-keys/trusted_tpm2.c
> > +++ b/security/keys/trusted-keys/trusted_tpm2.c
> > @@ -451,10 +451,8 @@ static int tpm2_unseal_cmd(struct tpm_chip
> > *chip,
> >  			   struct trusted_key_options *options,
> >  			   u32 blob_handle)
> >  {
> > -	struct tpm_header *head;
> >  	struct tpm_buf buf;
> >  	u16 data_len;
> > -	int offset;
> >  	u8 *data;
> >  	int rc;
> >  
> > @@ -495,14 +493,8 @@ static int tpm2_unseal_cmd(struct tpm_chip
> > *chip,
> >  		tpm_buf_append_u16(&buf, options->blobauth_len);
> >  		tpm_buf_append(&buf, options->blobauth, options-
> > >blobauth_len);
> >  
> > -		if (tpm2_chip_auth(chip)) {
> > +		if (tpm2_chip_auth(chip))
> 
> Since the statement above is that the if is always true, why do you
> still have it here?

This is still necessary for !TCG_TPM2_HMAC case. The commit is pretty
much exactly in its described scope.

> 
> Regards,
> 
> James
> 

BR, Jarkko

^ permalink raw reply

* Re: [PATCH V2 1/1] IMA event log trimming
From: steven chen @ 2026-01-02 14:33 UTC (permalink / raw)
  To: Mimi Zohar, linux-integrity
  Cc: roberto.sassu, dmitry.kasatkin, eric.snowberg, corbet, serge,
	paul, jmorris, linux-security-module, anirudhve, gregorylumen,
	nramas, sushring, linux-doc, steven chen
In-Reply-To: <9a26898f46406314be1308e5416c0d51cedf44a4.camel@linux.ibm.com>

On 12/23/2025 2:32 PM, Mimi Zohar wrote:
> On Tue, 2025-12-16 at 11:59 -0800, steven chen wrote:
>>>>> +{
>>>>> +	struct ima_queue_entry *qe, *qe_tmp;
>>>>> +	LIST_HEAD(ima_measurements_staged);
>>>>> +	unsigned int i;
>>>>> +	long cur = number_logs;
>>> The variable name "number_logs" is confusing.  As I mentioned in the patch
>>> description, there is one measurement list with multiple records.  There aren't
>>> multiple logs in the kernel (other than the staged list).
>> Will update it to "req_value". Thanks!
> Please refer to the section titled "Naming" in Documentation/process/coding-
> style.rst.  Since this is the number of records being deleted, perhaps a better
> variable name would be "num_records".
>
Will update. Thanks

Steven


^ permalink raw reply

* Re: [PATCH v2 1/2] dt-bindings: tpm: Add st,st33tphf2ei2c
From: Shawn Guo @ 2025-12-31  2:25 UTC (permalink / raw)
  To: Marek Vasut
  Cc: linux-arm-kernel, Krzysztof Kozlowski, Conor Dooley,
	Fabio Estevam, Jarkko Sakkinen, Jason Gunthorpe,
	Krzysztof Kozlowski, Lukas Wunner, Pengutronix Kernel Team,
	Peter Huewe, Rob Herring, Sascha Hauer, devicetree, imx,
	linux-integrity, linux-kernel
In-Reply-To: <20251230014047.149677-1-marek.vasut@mailbox.org>

On Tue, Dec 30, 2025 at 02:40:34AM +0100, Marek Vasut wrote:
> Add the ST chip st33tphf2ei2c to the supported compatible strings of the
> TPM TIS I2C schema. The chip is compliant with the TCG PC Client TPM
> Profile specification.
> 
> For reference, a databrief is available at:
> https://www.st.com/resource/en/data_brief/st33tphf2ei2c.pdf
> 
> Acked-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
> Signed-off-by: Marek Vasut <marek.vasut@mailbox.org>

Applied both, thanks!

^ permalink raw reply

* [PATCH v2 2/2] arm64: dts: imx8mp: Update Data Modul i.MX8M Plus eDM SBC DT to rev.903
From: Marek Vasut @ 2025-12-30  1:40 UTC (permalink / raw)
  To: linux-arm-kernel
  Cc: Marek Vasut, Conor Dooley, Fabio Estevam, Jarkko Sakkinen,
	Jason Gunthorpe, Krzysztof Kozlowski, Lukas Wunner,
	Pengutronix Kernel Team, Peter Huewe, Rob Herring, Sascha Hauer,
	Shawn Guo, devicetree, imx, linux-integrity, linux-kernel
In-Reply-To: <20251230014047.149677-1-marek.vasut@mailbox.org>

Update the DT to match newest Data Modul i.MX8M Plus eDM SBC rev.903
board which implements significant changes. Keep some of the rev.900
and rev.902 nodes in the DT so that a DTO can be used to support old
rev.900 and rev.902 boards easily.

The changes from rev.900 to rev.902 are:
- Both ethernet PHYs replaced from AR8031 to BCM54213PE
- Both ethernet PHYs MDIO address changed
- PCIe WiFi now comes with dedicated regulator
- I2C TPM chip address
- Additional GPIO expander for LVDS panel control added
- Current EEPROM I2C address changed
- Another optional EEPROM added onto another I2C bus

The changes from rev.902 to rev.903 are:
- Additional GPIO expander for WiFi and LVDS panel control added
- Multiple GPIOs are reassigned

Signed-off-by: Marek Vasut <marek.vasut@mailbox.org>
---
Cc: Conor Dooley <conor+dt@kernel.org>
Cc: Fabio Estevam <festevam@gmail.com>
Cc: Jarkko Sakkinen <jarkko@kernel.org>
Cc: Jason Gunthorpe <jgg@ziepe.ca>
Cc: Krzysztof Kozlowski <krzk+dt@kernel.org>
Cc: Lukas Wunner <lukas@wunner.de>
Cc: Pengutronix Kernel Team <kernel@pengutronix.de>
Cc: Peter Huewe <peterhuewe@gmx.de>
Cc: Rob Herring <robh@kernel.org>
Cc: Sascha Hauer <s.hauer@pengutronix.de>
Cc: Shawn Guo <shawnguo@kernel.org>
Cc: devicetree@vger.kernel.org
Cc: imx@lists.linux.dev
Cc: linux-arm-kernel@lists.infradead.org
Cc: linux-integrity@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
---
V2: - Rebase on current next, update email address
---
 .../freescale/imx8mp-data-modul-edm-sbc.dts   | 148 +++++++++++++++---
 1 file changed, 129 insertions(+), 19 deletions(-)

diff --git a/arch/arm64/boot/dts/freescale/imx8mp-data-modul-edm-sbc.dts b/arch/arm64/boot/dts/freescale/imx8mp-data-modul-edm-sbc.dts
index 16078ff60ef08..7e46537a22a01 100644
--- a/arch/arm64/boot/dts/freescale/imx8mp-data-modul-edm-sbc.dts
+++ b/arch/arm64/boot/dts/freescale/imx8mp-data-modul-edm-sbc.dts
@@ -93,6 +93,17 @@ reg_panel_vcc: regulator-panel-vcc {
 		status = "disabled";
 	};
 
+	reg_pcie0: regulator-pcie {
+		compatible = "regulator-fixed";
+		pinctrl-names = "default";
+		pinctrl-0 = <&pinctrl_wifi>;
+		regulator-name = "WIFI_BT_RST#";
+		regulator-min-microvolt = <3300000>;
+		regulator-max-microvolt = <3300000>;
+		gpio = <&gpio2 2 GPIO_ACTIVE_HIGH>;
+		enable-active-high;
+	};
+
 	reg_usdhc2_vmmc: regulator-usdhc2-vmmc {
 		compatible = "regulator-fixed";
 		pinctrl-names = "default";
@@ -190,7 +201,7 @@ &ecspi3 {	/* Display connector SPI */
 &eqos {	/* First ethernet */
 	pinctrl-names = "default";
 	pinctrl-0 = <&pinctrl_eqos>;
-	phy-handle = <&phy_eqos>;
+	phy-handle = <&phy_eqos_bcm>;
 	phy-mode = "rgmii-id";
 	status = "okay";
 
@@ -200,7 +211,7 @@ mdio {
 		#size-cells = <0>;
 
 		/* Atheros AR8031 PHY */
-		phy_eqos: ethernet-phy@0 {
+		phy_eqos_ath: ethernet-phy@0 {
 			compatible = "ethernet-phy-ieee802.3-c22";
 			reg = <0>;
 			/*
@@ -213,6 +224,7 @@ phy_eqos: ethernet-phy@0 {
 			reset-deassert-us = <10000>;
 			qca,keep-pll-enabled;
 			vddio-supply = <&vddio_eqos>;
+			status = "disabled";
 
 			vddio_eqos: vddio-regulator {
 				regulator-name = "VDDIO_EQOS";
@@ -224,13 +236,27 @@ vddh_eqos: vddh-regulator {
 				regulator-name = "VDDH_EQOS";
 			};
 		};
+
+		/* Broadcom BCM54213PE PHY */
+		phy_eqos_bcm: ethernet-phy@1 {
+			compatible = "ethernet-phy-ieee802.3-c22";
+			reg = <1>;
+			/*
+			 * Dedicated ENET_INT# and ENET_WOL# signals are
+			 * unused, the PHY does not provide cable detect
+			 * interrupt.
+			 */
+			reset-gpios = <&gpio1 15 GPIO_ACTIVE_LOW>;
+			reset-assert-us = <10000>;
+			reset-deassert-us = <10000>;
+		};
 	};
 };
 
 &fec {	/* Second ethernet */
 	pinctrl-names = "default";
 	pinctrl-0 = <&pinctrl_fec>;
-	phy-handle = <&phy_fec>;
+	phy-handle = <&phy_fec_bcm>;
 	phy-mode = "rgmii-id";
 	fsl,magic-packet;
 	status = "okay";
@@ -240,7 +266,7 @@ mdio {
 		#size-cells = <0>;
 
 		/* Atheros AR8031 PHY */
-		phy_fec: ethernet-phy@0 {
+		phy_fec_ath: ethernet-phy@0 {
 			compatible = "ethernet-phy-ieee802.3-c22";
 			reg = <0>;
 			/*
@@ -253,6 +279,7 @@ phy_fec: ethernet-phy@0 {
 			reset-deassert-us = <10000>;
 			qca,keep-pll-enabled;
 			vddio-supply = <&vddio_fec>;
+			status = "disabled";
 
 			vddio_fec: vddio-regulator {
 				regulator-name = "VDDIO_FEC";
@@ -264,6 +291,20 @@ vddh_fec: vddh-regulator {
 				regulator-name = "VDDH_FEC";
 			};
 		};
+
+		/* Broadcom BCM54213PE PHY */
+		phy_fec_bcm: ethernet-phy@1 {
+			compatible = "ethernet-phy-ieee802.3-c22";
+			reg = <1>;
+			/*
+			 * Dedicated ENET_INT# and ENET_WOL# signals are
+			 * unused, the PHY does not provide cable detect
+			 * interrupt.
+			 */
+			reset-gpios = <&gpio2 9 GPIO_ACTIVE_LOW>;
+			reset-assert-us = <10000>;
+			reset-deassert-us = <10000>;
+		};
 	};
 };
 
@@ -378,13 +419,26 @@ usb-hub@2c {
 		self-powered;
 	};
 
-	eeprom: eeprom@50 {
+	tpm: tpm@2e {
+		compatible = "st,st33tphf2ei2c", "tcg,tpm-tis-i2c";
+		reg = <0x2e>;
+	};
+
+	eeprom900: eeprom@50 {	/* board rev.900 */
 		compatible = "atmel,24c32";
 		reg = <0x50>;
 		pagesize = <32>;
+		status = "disabled";
+	};
+
+	eeprom902: eeprom@51 {	/* board rev.902 */
+		compatible = "atmel,24c32";
+		reg = <0x51>;
+		pagesize = <32>;
 	};
 
 	rtc: rtc@68 {
+		#clock-cells = <1>;
 		compatible = "st,m41t62";
 		reg = <0x68>;
 		pinctrl-names = "default";
@@ -408,6 +462,46 @@ &i2c2 {
 	scl-gpios = <&gpio5 16 (GPIO_ACTIVE_HIGH | GPIO_OPEN_DRAIN)>;
 	sda-gpios = <&gpio5 17 (GPIO_ACTIVE_HIGH | GPIO_OPEN_DRAIN)>;
 	status = "okay";
+
+	gpiolvds: io-expander@20 {
+		compatible = "nxp,pca9554";
+		reg = <0x20>;
+		gpio-controller;
+		#gpio-cells = <2>;
+		gpio-line-names =
+			"BL_ENABLE_V", "SEL_BL_12V",
+			"SEL_PANEL_5V", "SEL_PANEL_12V",
+			"SEL_BL_PWM", "SEL_BL_EN",
+			"REVERSE_SCAN_PANEL", "GND_REV903";
+	};
+
+	gpiowifi: io-expander@21 {
+		compatible = "nxp,pca9554";
+		reg = <0x21>;
+		gpio-controller;
+		#gpio-cells = <2>;
+		gpio-line-names =
+			"BL_LVDS_ENABLE_3V3", "BL_LVDS_PWM_3V3",
+			"M2_BT_WAKE_3V3#", "M2_W_DISABLE2_3V3#",
+			"TFT_PANEL_ENABLE_3V3", "TPM_RESET_3V3#",
+			"CSI2_PD_3V3", "CSI2_RESET_3V3#";
+
+		/* BL_LVDS_PWM_3V3 is patch-wired to BL_PWM_3V3 on rev.903 */
+		pwm-input-hog {
+			gpio-hog;
+			gpios = <1 0>;
+			input;
+			line-name = "BL_LVDS_PWM_3V3_HOG";
+		};
+	};
+
+	eepromlvds: eeprom@51 {
+		compatible = "atmel,24c32";
+		reg = <0x51>;
+		pagesize = <32>;
+		/* Optional EEPROM, disabled by default. */
+		status = "disabled";
+	};
 };
 
 &i2c3 {
@@ -521,6 +615,7 @@ &pcie {
 	pinctrl-0 = <&pinctrl_pcie0>;
 	fsl,max-link-speed = <3>;
 	reset-gpio = <&gpio1 5 GPIO_ACTIVE_LOW>;
+	vpcie-supply = <&reg_pcie0>;
 	status = "okay";
 };
 
@@ -598,7 +693,17 @@ &uart3 {	/* A53 Debug */
 &uart4 {
 	pinctrl-names = "default";
 	pinctrl-0 = <&pinctrl_uart4>;
-	status = "disabled";
+	uart-has-rtscts;
+	status = "okay";
+
+	bluetooth {
+		compatible = "infineon,cyw55572-bt";
+		brcm,requires-autobaud-mode;
+		clocks = <&rtc 0>;
+		clock-names = "txco";
+		max-speed = <921600>;
+		shutdown-gpios = <&gpiowifi 3 GPIO_ACTIVE_HIGH>;
+	};
 };
 
 &usb3_phy0 {
@@ -686,8 +791,6 @@ MX8MP_IOMUXC_ENET_RD2__ENET_QOS_RGMII_RD2	0x91
 			MX8MP_IOMUXC_ENET_RD3__ENET_QOS_RGMII_RD3	0x91
 			/* ENET_RST# */
 			MX8MP_IOMUXC_GPIO1_IO15__GPIO1_IO15		0x6
-			/* ENET_INT# */
-			MX8MP_IOMUXC_GPIO1_IO11__GPIO1_IO11		0x40000090
 		>;
 	};
 
@@ -709,8 +812,6 @@ MX8MP_IOMUXC_SAI1_TXD4__ENET1_RGMII_TX_CTL	0x1f
 			MX8MP_IOMUXC_SAI1_TXD5__ENET1_RGMII_TXC		0x1f
 			/* ENET2_RST# */
 			MX8MP_IOMUXC_SD1_DATA7__GPIO2_IO09		0x6
-			/* ENET2_INT# */
-			MX8MP_IOMUXC_SD1_DATA0__GPIO2_IO02		0x40000090
 		>;
 	};
 
@@ -754,10 +855,6 @@ MX8MP_IOMUXC_GPIO1_IO10__GPIO1_IO10		0x40000090
 
 			/* PG_V_IN_VAR# */
 			MX8MP_IOMUXC_NAND_CE0_B__GPIO3_IO01		0x40000000
-			/* CSI2_PD_1V8 */
-			MX8MP_IOMUXC_NAND_DATA02__GPIO3_IO08		0x0
-			/* CSI2_RESET_1V8# */
-			MX8MP_IOMUXC_NAND_DATA03__GPIO3_IO09		0x0
 
 			/* DIS_USB_DN1 */
 			MX8MP_IOMUXC_SAI2_RXFS__GPIO4_IO21		0x0
@@ -771,8 +868,14 @@ MX8MP_IOMUXC_SAI5_RXD0__GPIO3_IO21		0x0
 			/* GRAPHICS_PRSNT_1V8# */
 			MX8MP_IOMUXC_SAI1_TXD6__GPIO4_IO18		0x40000000
 
+			/* TOUCH_RESET_3V3# */
+			MX8MP_IOMUXC_GPIO1_IO00__GPIO1_IO00		0x2
+			/* TOUCH_INT# */
+			MX8MP_IOMUXC_GPIO1_IO10__GPIO1_IO10		0x40000140
 			/* CLK_CCM_CLKO1_3V3 */
 			MX8MP_IOMUXC_GPIO1_IO14__CCM_CLKO1		0x10
+			/* ENET_INT# (rev.900,901) or M2_WDIS_BTIRQ_3V3# (rev.903) */
+			MX8MP_IOMUXC_GPIO1_IO11__GPIO1_IO11		0x40000092
 		>;
 	};
 
@@ -875,12 +978,10 @@ pinctrl_pcie0: pcie-grp {
 		fsl,pins = <
 			/* M2_PCIE_RST# */
 			MX8MP_IOMUXC_GPIO1_IO05__GPIO1_IO05		0x2
-			/* M2_W_DISABLE1_1V8# */
+			/* M2_PCIE_WAKE_1V8# */
 			MX8MP_IOMUXC_SAI5_RXD2__GPIO3_IO23		0x2
-			/* M2_W_DISABLE2_1V8# */
-			MX8MP_IOMUXC_SAI5_RXD3__GPIO3_IO24		0x2
-			/* CLK_M2_32K768 */
-			MX8MP_IOMUXC_GPIO1_IO00__CCM_EXT_CLK1		0x14
+			/* M2_UART_WAKE_1V8# */
+			MX8MP_IOMUXC_SAI5_RXD3__GPIO3_IO24		0x40000002
 			/* M2_PCIE_WAKE# */
 			MX8MP_IOMUXC_GPIO1_IO06__GPIO1_IO06		0x40000140
 			/* M2_PCIE_CLKREQ# */
@@ -974,6 +1075,8 @@ pinctrl_uart4: uart4-grp {
 		fsl,pins = <
 			MX8MP_IOMUXC_UART4_RXD__UART4_DCE_RX		0x49
 			MX8MP_IOMUXC_UART4_TXD__UART4_DCE_TX		0x49
+			MX8MP_IOMUXC_NAND_DATA02__UART4_DCE_CTS		0x149
+			MX8MP_IOMUXC_NAND_DATA03__UART4_DCE_RTS		0x149
 		>;
 	};
 
@@ -1100,4 +1203,11 @@ MX8MP_IOMUXC_SPDIF_EXT_CLK__GPIO5_IO05		0x6
 			MX8MP_IOMUXC_SD1_DATA6__GPIO2_IO08		0x26
 		>;
 	};
+
+	pinctrl_wifi: wifi-grp {
+		fsl,pins = <
+			/* WIFI_BT_RST_3V3# */
+			MX8MP_IOMUXC_SD1_DATA0__GPIO2_IO02		0x40000090
+		>;
+	};
 };
-- 
2.51.0


^ permalink raw reply related

* [PATCH v2 1/2] dt-bindings: tpm: Add st,st33tphf2ei2c
From: Marek Vasut @ 2025-12-30  1:40 UTC (permalink / raw)
  To: linux-arm-kernel
  Cc: Marek Vasut, Krzysztof Kozlowski, Conor Dooley, Fabio Estevam,
	Jarkko Sakkinen, Jason Gunthorpe, Krzysztof Kozlowski,
	Lukas Wunner, Pengutronix Kernel Team, Peter Huewe, Rob Herring,
	Sascha Hauer, Shawn Guo, devicetree, imx, linux-integrity,
	linux-kernel

Add the ST chip st33tphf2ei2c to the supported compatible strings of the
TPM TIS I2C schema. The chip is compliant with the TCG PC Client TPM
Profile specification.

For reference, a databrief is available at:
https://www.st.com/resource/en/data_brief/st33tphf2ei2c.pdf

Acked-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Signed-off-by: Marek Vasut <marek.vasut@mailbox.org>
---
Cc: Conor Dooley <conor+dt@kernel.org>
Cc: Fabio Estevam <festevam@gmail.com>
Cc: Jarkko Sakkinen <jarkko@kernel.org>
Cc: Jason Gunthorpe <jgg@ziepe.ca>
Cc: Krzysztof Kozlowski <krzk+dt@kernel.org>
Cc: Lukas Wunner <lukas@wunner.de>
Cc: Pengutronix Kernel Team <kernel@pengutronix.de>
Cc: Peter Huewe <peterhuewe@gmx.de>
Cc: Rob Herring <robh@kernel.org>
Cc: Sascha Hauer <s.hauer@pengutronix.de>
Cc: Shawn Guo <shawnguo@kernel.org>
Cc: devicetree@vger.kernel.org
Cc: imx@lists.linux.dev
Cc: linux-arm-kernel@lists.infradead.org
Cc: linux-integrity@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
---
V2: - Rebase on current next, update email address
    - Add AB from Krzysztof
---
 Documentation/devicetree/bindings/tpm/tcg,tpm-tis-i2c.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Documentation/devicetree/bindings/tpm/tcg,tpm-tis-i2c.yaml b/Documentation/devicetree/bindings/tpm/tcg,tpm-tis-i2c.yaml
index af7720dc4a12c..fdd7fd874e01e 100644
--- a/Documentation/devicetree/bindings/tpm/tcg,tpm-tis-i2c.yaml
+++ b/Documentation/devicetree/bindings/tpm/tcg,tpm-tis-i2c.yaml
@@ -33,6 +33,7 @@ properties:
               - infineon,slb9673
               - nuvoton,npct75x
               - st,st33ktpm2xi2c
+              - st,st33tphf2ei2c
           - const: tcg,tpm-tis-i2c
 
       - description: TPM 1.2 and 2.0 chips with vendor-specific I²C interface
-- 
2.51.0


^ permalink raw reply related

* Re: [PATCH v3] ima: Fix stack-out-of-bounds in is_bprm_creds_for_exec()
From: Mimi Zohar @ 2025-12-29 21:13 UTC (permalink / raw)
  To: Chris J Arges, roberto.sassu
  Cc: kernel-team, Dmitry Kasatkin, Eric Snowberg, Paul Moore,
	James Morris, Serge E. Hallyn, Mickaël Salaün,
	Kees Cook, linux-integrity, linux-security-module, linux-kernel
In-Reply-To: <20251228031914.47618-1-carges@cloudflare.com>

On Sat, 2025-12-27 at 21:18 -0600, Chris J Arges wrote:
> KASAN reported a stack-out-of-bounds access in ima_appraise_measurement
> from is_bprm_creds_for_exec:
> 
> BUG: KASAN: stack-out-of-bounds in ima_appraise_measurement+0x12dc/0x16a0
>  Read of size 1 at addr ffffc9000160f940 by task sudo/550
> The buggy address belongs to stack of task sudo/550
> and is located at offset 24 in frame:
>   ima_appraise_measurement+0x0/0x16a0
> This frame has 2 objects:
>   [48, 56) 'file'
>   [80, 148) 'hash'
> 
> This is caused by using container_of on the *file pointer. This offset
> calculation is what triggers the stack-out-of-bounds error.
> 
> In order to fix this, pass in a bprm_is_check boolean which can be set
> depending on how process_measurement is called. If the caller has a
> linux_binprm pointer and the function is BPRM_CHECK we can determine
> is_check and set it then. Otherwise set it to false.
> 
> Fixes: 95b3cdafd7cb7 ("ima: instantiate the bprm_creds_for_exec() hook")
> 
> Signed-off-by: Chris J Arges <carges@cloudflare.com>

Thanks, Chris.  The patch is now queued in the linux-integrity/next-integrity
branch.

Mimi

^ permalink raw reply

* [PATCH RFC] ima: Fallback to a ctime guard without i_version updates
From: Frederick Lawler @ 2025-12-29 17:52 UTC (permalink / raw)
  To: Mimi Zohar, Roberto Sassu, Dmitry Kasatkin, Eric Snowberg,
	Paul Moore, James Morris, Serge E. Hallyn, Darrick J. Wong,
	Christian Brauner, Josef Bacik, Jeff Layton
  Cc: linux-kernel, linux-integrity, linux-security-module, kernel-team,
	Frederick Lawler

Since commit 1cf7e834a6fb ("xfs: switch to multigrain timestamps"), IMA
is no longer able to correctly track inode.i_version due to the struct
kstat.change_cookie no longer containing an updated i_version.

Introduce a fallback mechanism for IMA that instead tracks a
integrity_ctime_guard() in absence of or outdated i_version
for stacked file systems.

EVM is left alone since it mostly cares about the backing inode.

Link: https://lore.kernel.org/all/aTspr4_h9IU4EyrR@CMGLRV3
Fixes: 1cf7e834a6fb ("xfs: switch to multigrain timestamps")
Suggested-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Frederick Lawler <fred@cloudflare.com>
---
The motivation behind this was that file systems that use the
cookie to set the i_version for stacked file systems may still do so.
Then add in the ctime_guard as a fallback if there's a detected change.
The assumption is that the ctime will be different if the i_version is
different anyway for non-stacked file systems.

I'm not too pleased with passing in struct file* to
integrity_inode_attrs_changed() since EVM doesn't currently use
that for now, but I couldn't come up with another idea to get the
stat without coming up with a new stat function to accommodate just
the file path, fully separate out IMA/EVM checks, or lastly add stacked
file system support to EVM (which doesn't make much sense to me
at the moment).

I plan on adding in self test infrastructure for the v1, but I would
like to get some early feedback on the approach first.
---
 include/linux/integrity.h           | 29 ++++++++++++++++++++++++-----
 security/integrity/evm/evm_crypto.c |  2 +-
 security/integrity/evm/evm_main.c   |  2 +-
 security/integrity/ima/ima_api.c    | 21 +++++++++++++++------
 security/integrity/ima/ima_main.c   | 17 ++++++++++-------
 5 files changed, 51 insertions(+), 20 deletions(-)

diff --git a/include/linux/integrity.h b/include/linux/integrity.h
index f5842372359be5341b6870a43b92e695e8fc78af..4964c0f2bbda0ca450d135b9b738bc92256c375a 100644
--- a/include/linux/integrity.h
+++ b/include/linux/integrity.h
@@ -31,19 +31,27 @@ static inline void integrity_load_keys(void)
 
 /* An inode's attributes for detection of changes */
 struct integrity_inode_attributes {
+	u64 ctime_guard;
 	u64 version;		/* track inode changes */
 	unsigned long ino;
 	dev_t dev;
 };
 
+static inline u64 integrity_ctime_guard(struct kstat stat)
+{
+	return stat.ctime.tv_sec ^ stat.ctime.tv_nsec;
+}
+
 /*
  * On stacked filesystems the i_version alone is not enough to detect file data
  * or metadata change. Additional metadata is required.
  */
 static inline void
 integrity_inode_attrs_store(struct integrity_inode_attributes *attrs,
-			    u64 i_version, const struct inode *inode)
+			    u64 i_version, u64 ctime_guard,
+			    const struct inode *inode)
 {
+	attrs->ctime_guard = ctime_guard;
 	attrs->version = i_version;
 	attrs->dev = inode->i_sb->s_dev;
 	attrs->ino = inode->i_ino;
@@ -54,11 +62,22 @@ integrity_inode_attrs_store(struct integrity_inode_attributes *attrs,
  */
 static inline bool
 integrity_inode_attrs_changed(const struct integrity_inode_attributes *attrs,
-			      const struct inode *inode)
+			      struct file *file, struct inode *inode)
 {
-	return (inode->i_sb->s_dev != attrs->dev ||
-		inode->i_ino != attrs->ino ||
-		!inode_eq_iversion(inode, attrs->version));
+	struct kstat stat;
+
+	if (inode->i_sb->s_dev != attrs->dev ||
+	    inode->i_ino != attrs->ino)
+		return true;
+
+	if (inode_eq_iversion(inode, attrs->version))
+		return false;
+
+	if (!file || vfs_getattr_nosec(&file->f_path, &stat, STATX_CTIME,
+				       AT_STATX_SYNC_AS_STAT))
+		return true;
+
+	return attrs->ctime_guard != integrity_ctime_guard(stat);
 }
 
 
diff --git a/security/integrity/evm/evm_crypto.c b/security/integrity/evm/evm_crypto.c
index a5e730ffda57fbc0a91124adaa77b946a12d08b4..2d89c0e8d9360253f8dad52d2a8168127bb4d3b8 100644
--- a/security/integrity/evm/evm_crypto.c
+++ b/security/integrity/evm/evm_crypto.c
@@ -300,7 +300,7 @@ static int evm_calc_hmac_or_hash(struct dentry *dentry,
 		if (IS_I_VERSION(inode))
 			i_version = inode_query_iversion(inode);
 		integrity_inode_attrs_store(&iint->metadata_inode, i_version,
-					    inode);
+					    0, inode);
 	}
 
 	/* Portable EVM signatures must include an IMA hash */
diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
index 73d500a375cb37a54f295b0e1e93fd6e5d9ecddc..0712802628fd6533383f9855687e19bef7b771c7 100644
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -754,7 +754,7 @@ bool evm_metadata_changed(struct inode *inode, struct inode *metadata_inode)
 	if (iint) {
 		ret = (!IS_I_VERSION(metadata_inode) ||
 		       integrity_inode_attrs_changed(&iint->metadata_inode,
-						     metadata_inode));
+			       NULL, metadata_inode));
 		if (ret)
 			iint->evm_status = INTEGRITY_UNKNOWN;
 	}
diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
index c35ea613c9f8d404ba4886e3b736c3bab29d1668..72bba8daa588a0f4e45e4249276edb54ca3d77ef 100644
--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -254,6 +254,7 @@ int ima_collect_measurement(struct ima_iint_cache *iint, struct file *file,
 	int length;
 	void *tmpbuf;
 	u64 i_version = 0;
+	u64 ctime_guard = 0;
 
 	/*
 	 * Always collect the modsig, because IMA might have already collected
@@ -272,10 +273,16 @@ int ima_collect_measurement(struct ima_iint_cache *iint, struct file *file,
 	 * to an initial measurement/appraisal/audit, but was modified to
 	 * assume the file changed.
 	 */
-	result = vfs_getattr_nosec(&file->f_path, &stat, STATX_CHANGE_COOKIE,
+	result = vfs_getattr_nosec(&file->f_path, &stat,
+				   STATX_CHANGE_COOKIE | STATX_CTIME,
 				   AT_STATX_SYNC_AS_STAT);
-	if (!result && (stat.result_mask & STATX_CHANGE_COOKIE))
-		i_version = stat.change_cookie;
+	if (!result) {
+		if (stat.result_mask & STATX_CHANGE_COOKIE)
+			i_version = stat.change_cookie;
+
+		if (stat.result_mask & STATX_CTIME)
+			ctime_guard = integrity_ctime_guard(stat);
+	}
 	hash.hdr.algo = algo;
 	hash.hdr.length = hash_digest_size[algo];
 
@@ -305,11 +312,13 @@ int ima_collect_measurement(struct ima_iint_cache *iint, struct file *file,
 
 	iint->ima_hash = tmpbuf;
 	memcpy(iint->ima_hash, &hash, length);
-	if (real_inode == inode)
+	if (real_inode == inode) {
 		iint->real_inode.version = i_version;
-	else
+		iint->real_inode.ctime_guard = ctime_guard;
+	} else {
 		integrity_inode_attrs_store(&iint->real_inode, i_version,
-					    real_inode);
+				ctime_guard, real_inode);
+	}
 
 	/* Possibly temporary failure due to type of read (eg. O_DIRECT) */
 	if (!result)
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 5770cf691912aa912fc65280c59f5baac35dd725..6051ea4a472fc0b0dd7b4e81da36eff8bd048c62 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -22,6 +22,7 @@
 #include <linux/mount.h>
 #include <linux/mman.h>
 #include <linux/slab.h>
+#include <linux/stat.h>
 #include <linux/xattr.h>
 #include <linux/ima.h>
 #include <linux/fs.h>
@@ -185,6 +186,7 @@ static void ima_check_last_writer(struct ima_iint_cache *iint,
 {
 	fmode_t mode = file->f_mode;
 	bool update;
+	int ret;
 
 	if (!(mode & FMODE_WRITE))
 		return;
@@ -197,12 +199,13 @@ static void ima_check_last_writer(struct ima_iint_cache *iint,
 
 		update = test_and_clear_bit(IMA_UPDATE_XATTR,
 					    &iint->atomic_flags);
-		if ((iint->flags & IMA_NEW_FILE) ||
-		    vfs_getattr_nosec(&file->f_path, &stat,
-				      STATX_CHANGE_COOKIE,
-				      AT_STATX_SYNC_AS_STAT) ||
-		    !(stat.result_mask & STATX_CHANGE_COOKIE) ||
-		    stat.change_cookie != iint->real_inode.version) {
+		ret = vfs_getattr_nosec(&file->f_path, &stat,
+					STATX_CHANGE_COOKIE | STATX_CTIME,
+					AT_STATX_SYNC_AS_STAT);
+		if ((iint->flags & IMA_NEW_FILE) || ret ||
+		    (!ret && stat.change_cookie != iint->real_inode.version) ||
+		    (!ret && integrity_ctime_guard(stat) !=
+		     iint->real_inode.ctime_guard)) {
 			iint->flags &= ~(IMA_DONE_MASK | IMA_NEW_FILE);
 			iint->measured_pcrs = 0;
 			if (update)
@@ -330,7 +333,7 @@ static int process_measurement(struct file *file, const struct cred *cred,
 	    (action & IMA_DO_MASK) && (iint->flags & IMA_DONE_MASK)) {
 		if (!IS_I_VERSION(real_inode) ||
 		    integrity_inode_attrs_changed(&iint->real_inode,
-						  real_inode)) {
+						  file, real_inode)) {
 			iint->flags &= ~IMA_DONE_MASK;
 			iint->measured_pcrs = 0;
 		}

---
base-commit: 8f0b4cce4481fb22653697cced8d0d04027cb1e8
change-id: 20251212-xfs-ima-fixup-931780a62c2c

Best regards,
-- 
Frederick Lawler <fred@cloudflare.com>


^ permalink raw reply related

* Re: [syzbot] [lsm?] [integrity?] INFO: task hung in process_measurement (3)
From: syzbot @ 2025-12-28  6:29 UTC (permalink / raw)
  To: bfoster, dmitry.kasatkin, eric.snowberg, jmorris, kent.overstreet,
	linux-bcachefs, linux-integrity, linux-kernel,
	linux-security-module, paul, roberto.sassu, serge, syzkaller-bugs,
	torvalds, zohar
In-Reply-To: <682e11b1.050a0220.ade60.09e5.GAE@google.com>

syzbot suspects this issue was fixed by commit:

commit f2c61db29f277b9c80de92102fc532cc247495cd
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date:   Mon Sep 29 20:43:52 2025 +0000

    Remove bcachefs core code

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=10499e2a580000
start commit:   172a9d94339c Merge tag '6.15-rc6-smb3-client-fixes' of git..
git tree:       upstream
kernel config:  https://syzkaller.appspot.com/x/.config?x=ea35e429f965296e
dashboard link: https://syzkaller.appspot.com/bug?extid=cb9e66807bcb882cd0c5
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=16836e70580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1617a2d4580000

If the result looks correct, please mark the issue as fixed by replying with:

#syz fix: Remove bcachefs core code

For information about bisection process see: https://goo.gl/tpsmEJ#bisection

^ permalink raw reply

* [PATCH v3] ima: Fix stack-out-of-bounds in is_bprm_creds_for_exec()
From: Chris J Arges @ 2025-12-28  3:18 UTC (permalink / raw)
  To: zohar, roberto.sassu
  Cc: kernel-team, Chris J Arges, Dmitry Kasatkin, Eric Snowberg,
	Paul Moore, James Morris, Serge E. Hallyn,
	Mickaël Salaün, Kees Cook, linux-integrity,
	linux-security-module, linux-kernel
In-Reply-To: <3aeed1ff9388f09555bf5c6ade03cbe9ce93ff14.camel@linux.ibm.com>

KASAN reported a stack-out-of-bounds access in ima_appraise_measurement
from is_bprm_creds_for_exec:

BUG: KASAN: stack-out-of-bounds in ima_appraise_measurement+0x12dc/0x16a0
 Read of size 1 at addr ffffc9000160f940 by task sudo/550
The buggy address belongs to stack of task sudo/550
and is located at offset 24 in frame:
  ima_appraise_measurement+0x0/0x16a0
This frame has 2 objects:
  [48, 56) 'file'
  [80, 148) 'hash'

This is caused by using container_of on the *file pointer. This offset
calculation is what triggers the stack-out-of-bounds error.

In order to fix this, pass in a bprm_is_check boolean which can be set
depending on how process_measurement is called. If the caller has a
linux_binprm pointer and the function is BPRM_CHECK we can determine
is_check and set it then. Otherwise set it to false.

Fixes: 95b3cdafd7cb7 ("ima: instantiate the bprm_creds_for_exec() hook")

Signed-off-by: Chris J Arges <carges@cloudflare.com>
---
 security/integrity/ima/ima.h          |  6 ++++--
 security/integrity/ima/ima_appraise.c | 16 +++-------------
 security/integrity/ima/ima_main.c     | 22 +++++++++++++---------
 3 files changed, 20 insertions(+), 24 deletions(-)

diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index e3d71d8d56e3..89ebe98ffc5e 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -441,7 +441,8 @@ int ima_check_blacklist(struct ima_iint_cache *iint,
 int ima_appraise_measurement(enum ima_hooks func, struct ima_iint_cache *iint,
 			     struct file *file, const unsigned char *filename,
 			     struct evm_ima_xattr_data *xattr_value,
-			     int xattr_len, const struct modsig *modsig);
+			     int xattr_len, const struct modsig *modsig,
+			     bool bprm_is_check);
 int ima_must_appraise(struct mnt_idmap *idmap, struct inode *inode,
 		      int mask, enum ima_hooks func);
 void ima_update_xattr(struct ima_iint_cache *iint, struct file *file);
@@ -466,7 +467,8 @@ static inline int ima_appraise_measurement(enum ima_hooks func,
 					   const unsigned char *filename,
 					   struct evm_ima_xattr_data *xattr_value,
 					   int xattr_len,
-					   const struct modsig *modsig)
+					   const struct modsig *modsig,
+					   bool bprm_is_check)
 {
 	return INTEGRITY_UNKNOWN;
 }
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index 5149ff4fd50d..16c20c578ea8 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -470,17 +470,6 @@ int ima_check_blacklist(struct ima_iint_cache *iint,
 	return rc;
 }
 
-static bool is_bprm_creds_for_exec(enum ima_hooks func, struct file *file)
-{
-	struct linux_binprm *bprm;
-
-	if (func == BPRM_CHECK) {
-		bprm = container_of(&file, struct linux_binprm, file);
-		return bprm->is_check;
-	}
-	return false;
-}
-
 /*
  * ima_appraise_measurement - appraise file measurement
  *
@@ -492,7 +481,8 @@ static bool is_bprm_creds_for_exec(enum ima_hooks func, struct file *file)
 int ima_appraise_measurement(enum ima_hooks func, struct ima_iint_cache *iint,
 			     struct file *file, const unsigned char *filename,
 			     struct evm_ima_xattr_data *xattr_value,
-			     int xattr_len, const struct modsig *modsig)
+			     int xattr_len, const struct modsig *modsig,
+			     bool bprm_is_check)
 {
 	static const char op[] = "appraise_data";
 	int audit_msgno = AUDIT_INTEGRITY_DATA;
@@ -514,7 +504,7 @@ int ima_appraise_measurement(enum ima_hooks func, struct ima_iint_cache *iint,
 	 * of the script interpreter(userspace). Differentiate kernel and
 	 * userspace enforced integrity audit messages.
 	 */
-	if (is_bprm_creds_for_exec(func, file))
+	if (bprm_is_check)
 		audit_msgno = AUDIT_INTEGRITY_USERSPACE;
 
 	/* If reading the xattr failed and there's no modsig, error out. */
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 5770cf691912..1d6229b156fb 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -236,7 +236,8 @@ static void ima_file_free(struct file *file)
 static int process_measurement(struct file *file, const struct cred *cred,
 			       struct lsm_prop *prop, char *buf, loff_t size,
 			       int mask, enum ima_hooks func,
-			       enum kernel_read_file_id read_id)
+			       enum kernel_read_file_id read_id,
+			       bool bprm_is_check)
 {
 	struct inode *real_inode, *inode = file_inode(file);
 	struct ima_iint_cache *iint = NULL;
@@ -426,7 +427,8 @@ static int process_measurement(struct file *file, const struct cred *cred,
 			inode_lock(inode);
 			rc = ima_appraise_measurement(func, iint, file,
 						      pathname, xattr_value,
-						      xattr_len, modsig);
+						      xattr_len, modsig,
+						      bprm_is_check);
 			inode_unlock(inode);
 		}
 		if (!rc)
@@ -493,14 +495,15 @@ static int ima_file_mmap(struct file *file, unsigned long reqprot,
 
 	if (reqprot & PROT_EXEC) {
 		ret = process_measurement(file, current_cred(), &prop, NULL,
-					  0, MAY_EXEC, MMAP_CHECK_REQPROT, 0);
+					  0, MAY_EXEC, MMAP_CHECK_REQPROT, 0,
+					  false);
 		if (ret)
 			return ret;
 	}
 
 	if (prot & PROT_EXEC)
 		return process_measurement(file, current_cred(), &prop, NULL,
-					   0, MAY_EXEC, MMAP_CHECK, 0);
+					   0, MAY_EXEC, MMAP_CHECK, 0, false);
 
 	return 0;
 }
@@ -584,7 +587,8 @@ static int ima_bprm_check(struct linux_binprm *bprm)
 
 	security_current_getlsmprop_subj(&prop);
 	return process_measurement(bprm->file, current_cred(),
-				   &prop, NULL, 0, MAY_EXEC, BPRM_CHECK, 0);
+				   &prop, NULL, 0, MAY_EXEC, BPRM_CHECK, 0,
+				   bprm->is_check);
 }
 
 /**
@@ -614,7 +618,7 @@ static int ima_creds_check(struct linux_binprm *bprm, const struct file *file)
 
 	security_current_getlsmprop_subj(&prop);
 	return process_measurement((struct file *)file, bprm->cred, &prop, NULL,
-				   0, MAY_EXEC, CREDS_CHECK, 0);
+				   0, MAY_EXEC, CREDS_CHECK, 0, false);
 }
 
 /**
@@ -662,7 +666,7 @@ static int ima_file_check(struct file *file, int mask)
 	security_current_getlsmprop_subj(&prop);
 	return process_measurement(file, current_cred(), &prop, NULL, 0,
 				   mask & (MAY_READ | MAY_WRITE | MAY_EXEC |
-					   MAY_APPEND), FILE_CHECK, 0);
+					   MAY_APPEND), FILE_CHECK, 0, false);
 }
 
 static int __ima_inode_hash(struct inode *inode, struct file *file, char *buf,
@@ -881,7 +885,7 @@ static int ima_read_file(struct file *file, enum kernel_read_file_id read_id,
 	func = read_idmap[read_id] ?: FILE_CHECK;
 	security_current_getlsmprop_subj(&prop);
 	return process_measurement(file, current_cred(), &prop, NULL, 0,
-				   MAY_READ, func, 0);
+				   MAY_READ, func, 0, false);
 }
 
 const int read_idmap[READING_MAX_ID] = {
@@ -925,7 +929,7 @@ static int ima_post_read_file(struct file *file, char *buf, loff_t size,
 	func = read_idmap[read_id] ?: FILE_CHECK;
 	security_current_getlsmprop_subj(&prop);
 	return process_measurement(file, current_cred(), &prop, buf, size,
-				   MAY_READ, func, read_id);
+				   MAY_READ, func, read_id, false);
 }
 
 /**
-- 
2.43.0


^ permalink raw reply related

* Re: [PATCH v2] ima: Fix stack-out-of-bounds in is_bprm_creds_for_exec()
From: Chris Arges @ 2025-12-28  3:16 UTC (permalink / raw)
  To: Mimi Zohar
  Cc: roberto.sassu, kernel-team, Dmitry Kasatkin, Eric Snowberg,
	Paul Moore, James Morris, Serge E. Hallyn,
	Mickaël Salaün, Kees Cook, linux-integrity,
	linux-security-module, linux-kernel
In-Reply-To: <3aeed1ff9388f09555bf5c6ade03cbe9ce93ff14.camel@linux.ibm.com>

On 2025-12-23 16:58:26, Mimi Zohar wrote:
> Hi Chris,
> 
> On Sun, 2025-12-21 at 12:01 -0600, Chris J Arges wrote:
> > KASAN reported a stack-out-of-bounds access in ima_appraise_measurement
> > from is_bprm_creds_for_exec:
> > 
> > BUG: KASAN: stack-out-of-bounds in ima_appraise_measurement+0x12dc/0x16a0
> >  Read of size 1 at addr ffffc9000160f940 by task sudo/550
> > The buggy address belongs to stack of task sudo/550
> > and is located at offset 24 in frame:
> >   ima_appraise_measurement+0x0/0x16a0
> > This frame has 2 objects:
> >   [48, 56) 'file'
> >   [80, 148) 'hash'
> > 
> > This is caused by using container_of on the *file pointer. This offset
> > calculation is what triggers the stack-out-of-bounds error.
> > 
> > In order to fix this, pass in a bprm_is_check boolean which can be set
> > depending on how process_measurement is called. If the caller has a
> > linux_binprm pointer and the function is BPRM_CHECK we can determine
> > is_check and set it then. Otherwise set it to false.
> > 
> > Fixes: 95b3cdafd7cb7 ("ima: instantiate the bprm_creds_for_exec() hook")
> > 
> > Signed-off-by: Chris J Arges <carges@cloudflare.com>
> 
> Thank you!  I'd appreciate your limiting the line lengths to 80 chars (e.g.
> scripts/checkpatch.pl --max-line-length=80).
> 
> -- 
> thanks,
> 
> Mimi

Sure thing, I'll make that adjustment and send v3.
--chris

^ permalink raw reply

* [PATCH] tpm: st33zp24: Fix missing cleanup on get_burstcount() error
From: Alper Ak @ 2025-12-26 12:09 UTC (permalink / raw)
  To: peterhuewe, jarkko
  Cc: Alper Ak, Jason Gunthorpe, Stefano Garzarella, Christophe Ricard,
	linux-integrity, linux-kernel

get_burstcount() can return -EBUSY on timeout. When this happens,
st33zp24_send() returns directly without releasing the locality
acquired earlier.

Use goto out_err to ensure proper cleanup when get_burstcount() fails.

Fixes: bf38b8710892 ("tpm/tpm_i2c_stm_st33: Split tpm_i2c_tpm_st33 in 2 layers (core + phy)")
Signed-off-by: Alper Ak <alperyasinak1@gmail.com>
---
 drivers/char/tpm/st33zp24/st33zp24.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/char/tpm/st33zp24/st33zp24.c b/drivers/char/tpm/st33zp24/st33zp24.c
index 2ed7815e4899..e2b7451ea7cc 100644
--- a/drivers/char/tpm/st33zp24/st33zp24.c
+++ b/drivers/char/tpm/st33zp24/st33zp24.c
@@ -328,8 +328,10 @@ static int st33zp24_send(struct tpm_chip *chip, unsigned char *buf,
 
 	for (i = 0; i < len - 1;) {
 		burstcnt = get_burstcount(chip);
-		if (burstcnt < 0)
-			return burstcnt;
+		if (burstcnt < 0) {
+			ret = burstcnt;
+			goto out_err;
+		}
 		size = min_t(int, len - i - 1, burstcnt);
 		ret = tpm_dev->ops->send(tpm_dev->phy_id, TPM_DATA_FIFO,
 					 buf + i, size);
-- 
2.43.0


^ permalink raw reply related

* [PATCH] tpm: tpm_tis_spi: Initialize ret variable in tpm_tis_spi_transfer_half()
From: Alper Ak @ 2025-12-26 11:35 UTC (permalink / raw)
  To: peterhuewe, jarkko
  Cc: Alper Ak, Jason Gunthorpe, Krishna Yarlagadda, linux-integrity,
	linux-kernel

When len is 0, the while loop in tpm_tis_spi_transfer_half() is never
entered and the function returns an uninitialized ret variable.

Initialize ret to 0 to correctly handle this case. This is consistent
with tpm_tis_spi_transfer_full(), which already initializes ret to 0
before the loop.

Fixes: a86a42ac2bd6 ("tpm_tis_spi: Add hardware wait polling")
Signed-off-by: Alper Ak <alperyasinak1@gmail.com>
---
 drivers/char/tpm/tpm_tis_spi_main.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/char/tpm/tpm_tis_spi_main.c b/drivers/char/tpm/tpm_tis_spi_main.c
index 61b42c83ced8..1b6d79662ca1 100644
--- a/drivers/char/tpm/tpm_tis_spi_main.c
+++ b/drivers/char/tpm/tpm_tis_spi_main.c
@@ -85,7 +85,7 @@ static int tpm_tis_spi_transfer_half(struct tpm_tis_data *data,	u32 addr,
 	struct spi_transfer spi_xfer[3];
 	struct spi_message m;
 	u8 transfer_len;
-	int ret;
+	int ret = 0;
 
 	while (len) {
 		transfer_len = min_t(u16, len, MAX_SPI_FRAMESIZE);
-- 
2.43.0


^ permalink raw reply related

* [PATCH] tpm: tpm2-space: Skip handle check when context load returns -ENOENT
From: Alper Ak @ 2025-12-26 11:12 UTC (permalink / raw)
  To: peterhuewe, jarkko
  Cc: Alper Ak, Jason Gunthorpe, James Bottomley, linux-integrity,
	linux-kernel

When tpm2_load_context() returns -ENOENT, the session is marked as
forgotten by setting session_tbl[i] to 0. Although tpm2_load_context()
also sets handle to 0 in this case, the subsequent comparison
"handle != space->session_tbl[i]" (0 != 0) is always false and serves
no purpose.

Add continue to skip this unnecessary comparison when load fails with
-ENOENT, making the control flow clearer and fix possible
uninitialized 'handle' variable.

Fixes: 4d57856a21ed2 ("tpm2: add session handle context saving and restoring to the space code")
Signed-off-by: Alper Ak <alperyasinak1@gmail.com>
---
 drivers/char/tpm/tpm2-space.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/char/tpm/tpm2-space.c b/drivers/char/tpm/tpm2-space.c
index 60354cd53b5c..7dfbe07ecf5b 100644
--- a/drivers/char/tpm/tpm2-space.c
+++ b/drivers/char/tpm/tpm2-space.c
@@ -213,6 +213,7 @@ static int tpm2_load_space(struct tpm_chip *chip)
 		if (rc == -ENOENT) {
 			/* load failed, just forget session */
 			space->session_tbl[i] = 0;
+			continue;
 		} else if (rc) {
 			tpm2_flush_space(chip);
 			return rc;
-- 
2.43.0


^ permalink raw reply related

* [PATCH] tpm: tpm_i2c_infineon: Fix locality leak on get_burstcount() failure
From: Alper Ak @ 2025-12-26 10:23 UTC (permalink / raw)
  To: peterhuewe, jarkko
  Cc: Alper Ak, Jason Gunthorpe, Bryan Freed, Andi Shyti, Kent Yoder,
	Marcel Selhorst, linux-integrity, linux-kernel

get_burstcount() can return -EBUSY on timeout. When this happens, the
function returns directly without releasing the locality that was
acquired at the beginning of tpm_tis_i2c_send().

Use goto out_err to ensure proper cleanup when get_burstcount() fails.

Fixes: aad628c1d91a ("char/tpm: Add new driver for Infineon I2C TIS TPM")
Signed-off-by: Alper Ak <alperyasinak1@gmail.com>
---
 drivers/char/tpm/tpm_i2c_infineon.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/char/tpm/tpm_i2c_infineon.c b/drivers/char/tpm/tpm_i2c_infineon.c
index bdf1f329a679..8b7d32de0b2e 100644
--- a/drivers/char/tpm/tpm_i2c_infineon.c
+++ b/drivers/char/tpm/tpm_i2c_infineon.c
@@ -544,8 +544,10 @@ static int tpm_tis_i2c_send(struct tpm_chip *chip, u8 *buf, size_t bufsiz,
 		burstcnt = get_burstcount(chip);
 
 		/* burstcnt < 0 = TPM is busy */
-		if (burstcnt < 0)
-			return burstcnt;
+		if (burstcnt < 0) {
+			rc = burstcnt;
+			goto out_err;
+		}
 
 		if (burstcnt > (len - 1 - count))
 			burstcnt = len - 1 - count;
-- 
2.43.0


^ permalink raw reply related

* Re: [PATCH V2 1/1] IMA event log trimming
From: Mimi Zohar @ 2025-12-23 22:32 UTC (permalink / raw)
  To: steven chen, linux-integrity
  Cc: roberto.sassu, dmitry.kasatkin, eric.snowberg, corbet, serge,
	paul, jmorris, linux-security-module, anirudhve, gregorylumen,
	nramas, sushring, linux-doc
In-Reply-To: <b9d7bcea-3784-4ad6-b494-374db0c00cc6@linux.microsoft.com>

On Tue, 2025-12-16 at 11:59 -0800, steven chen wrote:
> > > > +{
> > > > +	struct ima_queue_entry *qe, *qe_tmp;
> > > > +	LIST_HEAD(ima_measurements_staged);
> > > > +	unsigned int i;
> > > > +	long cur = number_logs;
> > The variable name "number_logs" is confusing.  As I mentioned in the patch
> > description, there is one measurement list with multiple records.  There aren't
> > multiple logs in the kernel (other than the staged list).
> 
> Will update it to "req_value". Thanks!

Please refer to the section titled "Naming" in Documentation/process/coding-
style.rst.  Since this is the number of records being deleted, perhaps a better
variable name would be "num_records".

-- 
thanks,

Mimi


^ permalink raw reply

* Re: [PATCH v2] ima: Fix stack-out-of-bounds in is_bprm_creds_for_exec()
From: Mimi Zohar @ 2025-12-23 21:58 UTC (permalink / raw)
  To: Chris J Arges, roberto.sassu
  Cc: kernel-team, Dmitry Kasatkin, Eric Snowberg, Paul Moore,
	James Morris, Serge E. Hallyn, Mickaël Salaün,
	Kees Cook, linux-integrity, linux-security-module, linux-kernel
In-Reply-To: <20251221180128.1026760-1-carges@cloudflare.com>

Hi Chris,

On Sun, 2025-12-21 at 12:01 -0600, Chris J Arges wrote:
> KASAN reported a stack-out-of-bounds access in ima_appraise_measurement
> from is_bprm_creds_for_exec:
> 
> BUG: KASAN: stack-out-of-bounds in ima_appraise_measurement+0x12dc/0x16a0
>  Read of size 1 at addr ffffc9000160f940 by task sudo/550
> The buggy address belongs to stack of task sudo/550
> and is located at offset 24 in frame:
>   ima_appraise_measurement+0x0/0x16a0
> This frame has 2 objects:
>   [48, 56) 'file'
>   [80, 148) 'hash'
> 
> This is caused by using container_of on the *file pointer. This offset
> calculation is what triggers the stack-out-of-bounds error.
> 
> In order to fix this, pass in a bprm_is_check boolean which can be set
> depending on how process_measurement is called. If the caller has a
> linux_binprm pointer and the function is BPRM_CHECK we can determine
> is_check and set it then. Otherwise set it to false.
> 
> Fixes: 95b3cdafd7cb7 ("ima: instantiate the bprm_creds_for_exec() hook")
> 
> Signed-off-by: Chris J Arges <carges@cloudflare.com>

Thank you!  I'd appreciate your limiting the line lengths to 80 chars (e.g.
scripts/checkpatch.pl --max-line-length=80).

-- 
thanks,

Mimi

^ permalink raw reply

* Re: [PATCH v2] module: Only declare set_module_sig_enforced when CONFIG_MODULE_SIG=y
From: Sami Tolvanen @ 2025-12-22 20:24 UTC (permalink / raw)
  To: linux-modules, Coiby Xu
  Cc: Sami Tolvanen, linux-integrity, kernel test robot, Aaron Tomlin,
	Daniel Gomez, Luis Chamberlain, Petr Pavlu, Daniel Gomez,
	linux-kernel
In-Reply-To: <20251201030606.2295399-1-coxu@redhat.com>

On Mon, 01 Dec 2025 11:06:05 +0800, Coiby Xu wrote:
> Currently if set_module_sig_enforced is called with CONFIG_MODULE_SIG=n
> e.g. [1], it can lead to a linking error,
> 
>     ld: security/integrity/ima/ima_appraise.o: in function `ima_appraise_measurement':
>     security/integrity/ima/ima_appraise.c:587:(.text+0xbbb): undefined reference to `set_module_sig_enforced'
> 
> This happens because the actual implementation of
> set_module_sig_enforced comes from CONFIG_MODULE_SIG but both the
> function declaration and the empty stub definition are tied to
> CONFIG_MODULES.
> 
> [...]

Applied to modules-next, thanks!

[1/1] module: Only declare set_module_sig_enforced when CONFIG_MODULE_SIG=y
      commit: 1ae719a43b0336678172b3eb55c5187816f9a130

Best regards,

	Sami


^ permalink raw reply

* Re: [RFC][PATCH v2 2/2] ima: measure buffer sent to securityfs policy file
From: Mimi Zohar @ 2025-12-22 14:01 UTC (permalink / raw)
  To: Enrico Bravi, linux-integrity, dmitry.kasatkin, roberto.sassu
  Cc: eric.snowberg
In-Reply-To: <20251216165620.683529-3-enrico.bravi@polito.it>

Hi Enrico,

On Tue, 2025-12-16 at 17:56 +0100, Enrico Bravi wrote:
> When signed a policy is not mandatory, it is possile to write the IMA
> policy directly on the corresponding securityfs file:
> 
> echo -e "measure func=BPRM_CHECK mask=MAY_EXEC\n" \
>         "audit func=BPRM_CHECK mask=MAY_EXEC\n" \
>      > /sys/kernel/security/ima/policy
> 
> Add input buffer measurement that can be caught when 'measure
> func=POLICY_CHECK' is enabled (e.g., ima_policy=tcb).
> 
> Suggested-by: Roberto Sassu <roberto.sassu@huawei.com>
> Signed-off-by: Enrico Bravi <enrico.bravi@polito.it>
> ---
>  security/integrity/ima/ima.h      |  1 +
>  security/integrity/ima/ima_fs.c   |  1 +
>  security/integrity/ima/ima_main.c | 38 +++++++++++++++++++++++++++++++
>  3 files changed, 40 insertions(+)
> 
> diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
> index ca7b96663623..3b00c298355b 100644
> --- a/security/integrity/ima/ima.h
> +++ b/security/integrity/ima/ima.h
> @@ -426,6 +426,7 @@ void *ima_policy_next(struct seq_file *m, void *v, loff_t *pos);
>  void ima_policy_stop(struct seq_file *m, void *v);
>  int ima_policy_show(struct seq_file *m, void *v);
>  void ima_measure_loaded_policy(void);
> +int ima_measure_policy_write(char *buf, size_t size);
>  
>  /* Appraise integrity measurements */
>  #define IMA_APPRAISE_ENFORCE	0x01
> diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c
> index 89946d803d44..f1a5edd060ad 100644
> --- a/security/integrity/ima/ima_fs.c
> +++ b/security/integrity/ima/ima_fs.c
> @@ -362,6 +362,7 @@ static ssize_t ima_write_policy(struct file *file, const char __user *buf,
>  				    1, 0);
>  		result = -EACCES;
>  	} else {
> +		ima_measure_policy_write(data, datalen);
>  		result = ima_parse_add_rule(data);
>  	}
>  	mutex_unlock(&ima_write_mutex);
> diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
> index cdd225f65a62..6a8ad4714881 100644
> --- a/security/integrity/ima/ima_main.c
> +++ b/security/integrity/ima/ima_main.c
> @@ -28,6 +28,7 @@
>  #include <linux/iversion.h>
>  #include <linux/evm.h>
>  #include <linux/crash_dump.h>
> +#include <linux/shmem_fs.h>
>  
>  #include "ima.h"
>  
> @@ -986,6 +987,43 @@ static int ima_post_load_data(char *buf, loff_t size,
>  	return 0;
>  }
>  
> +/**
> + * ima_measure_policy_write - Measure the policy write buffer
> + * @buf: pointer to the buffer containing the policy write data
> + * @size: size of the buffer
> + *
> + * Measure the buffer sent to the IMA policy securityfs file.
> + *
> + * Return 0 on success, a negative value otherwise.
> + */
> +int ima_measure_policy_write(char *buf, size_t size0
> +{
> +	static const char op[] = "measure_ima_policy_write";
> +	const char *file_name = "ima_write_policy_buffer";
> +	static char *audit_cause = "ENOMEM";
> +	struct file *policy_file = NULL;
> +	struct lsm_prop prop;
> +	int ret = 0;
> +
> +	policy_file = shmem_kernel_file_setup(file_name, 0, 0);
> +	if (IS_ERR(policy_file)) {
> +		ret = PTR_ERR(policy_file);
> +		audit_cause = "alloc_file";
> +		integrity_audit_msg(AUDIT_INTEGRITY_PCR, NULL, "ima_policy_write",
> +				    op, audit_cause, ret, 1);
> +		goto out;
> +	}
> +
> +	security_current_getlsmprop_subj(&prop);
> +
> +	ret = process_measurement(policy_file, current_cred(), &prop, buf, size,
> +				  MAY_READ, POLICY_CHECK);

The purpose of this patch is to measure IMA policy rules as they're written to
the <securityfs> IMA policy file, based on the IMA "measure func=POLICY_CHECK"
policy rule.

Like critical data, it should be calling process_buffer_measurement(), not
process_measurement().

The functions ima_match_rules() and ima_match_rule_data() need to be updated to
support POLICY_CHECK.

This function naming is off and should be renamed to ima_measure_policy_buf().

Please update the patch description accordingly.

Mimi

> +	fput(policy_file);
> +
> +out:
> +	return ret;
> +}
> +
>  /**
>   * process_buffer_measurement - Measure the buffer or the buffer data hash
>   * @idmap: idmap of the mount the inode was found from


^ permalink raw reply

* Re: [PATCHv3 1/2] kernel/kexec: Change the prototype of kimage_map_segment()
From: Baoquan He @ 2025-12-22  2:09 UTC (permalink / raw)
  To: Pingfan Liu
  Cc: kexec, linux-integrity, Andrew Morton, Mimi Zohar, Roberto Sassu,
	Alexander Graf, Steven Chen, linux-kernel, stable
In-Reply-To: <20251216014852.8737-1-piliu@redhat.com>

On 12/16/25 at 09:48am, Pingfan Liu wrote:
> The kexec segment index will be required to extract the corresponding
> information for that segment in kimage_map_segment(). Additionally,
> kexec_segment already holds the kexec relocation destination address and
> size. Therefore, the prototype of kimage_map_segment() can be changed.
> 
> Fixes: 07d24902977e ("kexec: enable CMA based contiguous allocation")
> Signed-off-by: Pingfan Liu <piliu@redhat.com>
> Cc: Andrew Morton <akpm@linux-foundation.org>
> Cc: Baoquan He <bhe@redhat.com>
> Cc: Mimi Zohar <zohar@linux.ibm.com>
> Cc: Roberto Sassu <roberto.sassu@huawei.com>
> Cc: Alexander Graf <graf@amazon.com>
> Cc: Steven Chen <chenste@linux.microsoft.com>
> Cc: linux-kernel@vger.kernel.org
> Cc: <stable@vger.kernel.org>
> To: kexec@lists.infradead.org
> To: linux-integrity@vger.kernel.org
> ---
>  include/linux/kexec.h              | 4 ++--
>  kernel/kexec_core.c                | 9 ++++++---
>  security/integrity/ima/ima_kexec.c | 4 +---
>  3 files changed, 9 insertions(+), 8 deletions(-)

Ack the series:

Acked-by: Baoquan He <bhe@redhat.com>


^ permalink raw reply

* [PATCH v2] ima: Fix stack-out-of-bounds in is_bprm_creds_for_exec()
From: Chris J Arges @ 2025-12-21 18:01 UTC (permalink / raw)
  To: zohar, roberto.sassu
  Cc: kernel-team, Chris J Arges, Dmitry Kasatkin, Eric Snowberg,
	Paul Moore, James Morris, Serge E. Hallyn,
	Mickaël Salaün, Kees Cook, linux-integrity,
	linux-security-module, linux-kernel
In-Reply-To: <20251219195456.912190-1-carges@cloudflare.com>

KASAN reported a stack-out-of-bounds access in ima_appraise_measurement
from is_bprm_creds_for_exec:

BUG: KASAN: stack-out-of-bounds in ima_appraise_measurement+0x12dc/0x16a0
 Read of size 1 at addr ffffc9000160f940 by task sudo/550
The buggy address belongs to stack of task sudo/550
and is located at offset 24 in frame:
  ima_appraise_measurement+0x0/0x16a0
This frame has 2 objects:
  [48, 56) 'file'
  [80, 148) 'hash'

This is caused by using container_of on the *file pointer. This offset
calculation is what triggers the stack-out-of-bounds error.

In order to fix this, pass in a bprm_is_check boolean which can be set
depending on how process_measurement is called. If the caller has a
linux_binprm pointer and the function is BPRM_CHECK we can determine
is_check and set it then. Otherwise set it to false.

Fixes: 95b3cdafd7cb7 ("ima: instantiate the bprm_creds_for_exec() hook")

Signed-off-by: Chris J Arges <carges@cloudflare.com>
---
 security/integrity/ima/ima.h          |  4 ++--
 security/integrity/ima/ima_appraise.c | 15 ++-------------
 security/integrity/ima/ima_main.c     | 18 +++++++++---------
 3 files changed, 13 insertions(+), 24 deletions(-)

diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index e3d71d8d56e3..2c9e50c02634 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -441,7 +441,7 @@ int ima_check_blacklist(struct ima_iint_cache *iint,
 int ima_appraise_measurement(enum ima_hooks func, struct ima_iint_cache *iint,
 			     struct file *file, const unsigned char *filename,
 			     struct evm_ima_xattr_data *xattr_value,
-			     int xattr_len, const struct modsig *modsig);
+			     int xattr_len, const struct modsig *modsig, bool bprm_is_check);
 int ima_must_appraise(struct mnt_idmap *idmap, struct inode *inode,
 		      int mask, enum ima_hooks func);
 void ima_update_xattr(struct ima_iint_cache *iint, struct file *file);
@@ -466,7 +466,7 @@ static inline int ima_appraise_measurement(enum ima_hooks func,
 					   const unsigned char *filename,
 					   struct evm_ima_xattr_data *xattr_value,
 					   int xattr_len,
-					   const struct modsig *modsig)
+					   const struct modsig *modsig, bool bprm_is_check)
 {
 	return INTEGRITY_UNKNOWN;
 }
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index 5149ff4fd50d..ea2079417318 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -470,17 +470,6 @@ int ima_check_blacklist(struct ima_iint_cache *iint,
 	return rc;
 }
 
-static bool is_bprm_creds_for_exec(enum ima_hooks func, struct file *file)
-{
-	struct linux_binprm *bprm;
-
-	if (func == BPRM_CHECK) {
-		bprm = container_of(&file, struct linux_binprm, file);
-		return bprm->is_check;
-	}
-	return false;
-}
-
 /*
  * ima_appraise_measurement - appraise file measurement
  *
@@ -492,7 +481,7 @@ static bool is_bprm_creds_for_exec(enum ima_hooks func, struct file *file)
 int ima_appraise_measurement(enum ima_hooks func, struct ima_iint_cache *iint,
 			     struct file *file, const unsigned char *filename,
 			     struct evm_ima_xattr_data *xattr_value,
-			     int xattr_len, const struct modsig *modsig)
+			     int xattr_len, const struct modsig *modsig, bool bprm_is_check)
 {
 	static const char op[] = "appraise_data";
 	int audit_msgno = AUDIT_INTEGRITY_DATA;
@@ -514,7 +503,7 @@ int ima_appraise_measurement(enum ima_hooks func, struct ima_iint_cache *iint,
 	 * of the script interpreter(userspace). Differentiate kernel and
 	 * userspace enforced integrity audit messages.
 	 */
-	if (is_bprm_creds_for_exec(func, file))
+	if (bprm_is_check)
 		audit_msgno = AUDIT_INTEGRITY_USERSPACE;
 
 	/* If reading the xattr failed and there's no modsig, error out. */
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 5770cf691912..36ce07063dc7 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -236,7 +236,7 @@ static void ima_file_free(struct file *file)
 static int process_measurement(struct file *file, const struct cred *cred,
 			       struct lsm_prop *prop, char *buf, loff_t size,
 			       int mask, enum ima_hooks func,
-			       enum kernel_read_file_id read_id)
+			       enum kernel_read_file_id read_id, bool bprm_is_check)
 {
 	struct inode *real_inode, *inode = file_inode(file);
 	struct ima_iint_cache *iint = NULL;
@@ -426,7 +426,7 @@ static int process_measurement(struct file *file, const struct cred *cred,
 			inode_lock(inode);
 			rc = ima_appraise_measurement(func, iint, file,
 						      pathname, xattr_value,
-						      xattr_len, modsig);
+						      xattr_len, modsig, bprm_is_check);
 			inode_unlock(inode);
 		}
 		if (!rc)
@@ -493,14 +493,14 @@ static int ima_file_mmap(struct file *file, unsigned long reqprot,
 
 	if (reqprot & PROT_EXEC) {
 		ret = process_measurement(file, current_cred(), &prop, NULL,
-					  0, MAY_EXEC, MMAP_CHECK_REQPROT, 0);
+					  0, MAY_EXEC, MMAP_CHECK_REQPROT, 0, false);
 		if (ret)
 			return ret;
 	}
 
 	if (prot & PROT_EXEC)
 		return process_measurement(file, current_cred(), &prop, NULL,
-					   0, MAY_EXEC, MMAP_CHECK, 0);
+					   0, MAY_EXEC, MMAP_CHECK, 0, false);
 
 	return 0;
 }
@@ -584,7 +584,7 @@ static int ima_bprm_check(struct linux_binprm *bprm)
 
 	security_current_getlsmprop_subj(&prop);
 	return process_measurement(bprm->file, current_cred(),
-				   &prop, NULL, 0, MAY_EXEC, BPRM_CHECK, 0);
+				   &prop, NULL, 0, MAY_EXEC, BPRM_CHECK, 0, bprm->is_check);
 }
 
 /**
@@ -614,7 +614,7 @@ static int ima_creds_check(struct linux_binprm *bprm, const struct file *file)
 
 	security_current_getlsmprop_subj(&prop);
 	return process_measurement((struct file *)file, bprm->cred, &prop, NULL,
-				   0, MAY_EXEC, CREDS_CHECK, 0);
+				   0, MAY_EXEC, CREDS_CHECK, 0, false);
 }
 
 /**
@@ -662,7 +662,7 @@ static int ima_file_check(struct file *file, int mask)
 	security_current_getlsmprop_subj(&prop);
 	return process_measurement(file, current_cred(), &prop, NULL, 0,
 				   mask & (MAY_READ | MAY_WRITE | MAY_EXEC |
-					   MAY_APPEND), FILE_CHECK, 0);
+					   MAY_APPEND), FILE_CHECK, 0, false);
 }
 
 static int __ima_inode_hash(struct inode *inode, struct file *file, char *buf,
@@ -881,7 +881,7 @@ static int ima_read_file(struct file *file, enum kernel_read_file_id read_id,
 	func = read_idmap[read_id] ?: FILE_CHECK;
 	security_current_getlsmprop_subj(&prop);
 	return process_measurement(file, current_cred(), &prop, NULL, 0,
-				   MAY_READ, func, 0);
+				   MAY_READ, func, 0, false);
 }
 
 const int read_idmap[READING_MAX_ID] = {
@@ -925,7 +925,7 @@ static int ima_post_read_file(struct file *file, char *buf, loff_t size,
 	func = read_idmap[read_id] ?: FILE_CHECK;
 	security_current_getlsmprop_subj(&prop);
 	return process_measurement(file, current_cred(), &prop, buf, size,
-				   MAY_READ, func, read_id);
+				   MAY_READ, func, read_id, false);
 }
 
 /**
-- 
2.43.0


^ permalink raw reply related

* Re: [PATCH] ima: Fix stack-out-of-bounds in is_bprm_creds_for_exec()
From: kernel test robot @ 2025-12-20 18:37 UTC (permalink / raw)
  To: Chris J Arges, zohar, roberto.sassu
  Cc: oe-kbuild-all, kernel-team, Chris J Arges, Dmitry Kasatkin,
	Eric Snowberg, Paul Moore, James Morris, Serge E. Hallyn,
	Mickaël Salaün, Kees Cook, linux-integrity,
	linux-security-module, linux-kernel
In-Reply-To: <20251219195456.912190-1-carges@cloudflare.com>

Hi Chris,

kernel test robot noticed the following build errors:

[auto build test ERROR on zohar-integrity/next-integrity]
[also build test ERROR on linus/master v6.19-rc1 next-20251219]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url:    https://github.com/intel-lab-lkp/linux/commits/Chris-J-Arges/ima-Fix-stack-out-of-bounds-in-is_bprm_creds_for_exec/20251220-035711
base:   https://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git next-integrity
patch link:    https://lore.kernel.org/r/20251219195456.912190-1-carges%40cloudflare.com
patch subject: [PATCH] ima: Fix stack-out-of-bounds in is_bprm_creds_for_exec()
config: powerpc64-allnoconfig-bpf (https://download.01.org/0day-ci/archive/20251220/202512201956.LY8Y70Fd-lkp@intel.com/config)
compiler: powerpc64-linux-gcc (GCC) 15.1.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20251220/202512201956.LY8Y70Fd-lkp@intel.com/reproduce)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202512201956.LY8Y70Fd-lkp@intel.com/

All errors (new ones prefixed by >>):

   security/integrity/ima/ima_main.c: In function 'process_measurement':
>> security/integrity/ima/ima_main.c:427:30: error: too many arguments to function 'ima_appraise_measurement'; expected 7, have 8
     427 |                         rc = ima_appraise_measurement(func, iint, file,
         |                              ^~~~~~~~~~~~~~~~~~~~~~~~
     428 |                                                       pathname, xattr_value,
     429 |                                                       xattr_len, modsig, bprm_is_check);
         |                                                                          ~~~~~~~~~~~~~
   In file included from security/integrity/ima/ima_main.c:32:
   security/integrity/ima/ima.h:463:19: note: declared here
     463 | static inline int ima_appraise_measurement(enum ima_hooks func,
         |                   ^~~~~~~~~~~~~~~~~~~~~~~~


vim +/ima_appraise_measurement +427 security/integrity/ima/ima_main.c

3323eec921efd8 Mimi Zohar            2009-02-04  235  
d906c10d8a3165 Matthew Garrett       2018-01-08  236  static int process_measurement(struct file *file, const struct cred *cred,
37f670aacd4811 Casey Schaufler       2024-10-09  237  			       struct lsm_prop *prop, char *buf, loff_t size,
c200892b46ba3d Coiby Xu              2025-11-19  238  			       int mask, enum ima_hooks func,
073872ff30b34d Chris J Arges         2025-12-19  239  			       enum kernel_read_file_id read_id, bool bprm_is_check)
3323eec921efd8 Mimi Zohar            2009-02-04  240  {
c21632b66895eb Stefan Berger         2024-02-23  241  	struct inode *real_inode, *inode = file_inode(file);
4de2f084fbff41 Roberto Sassu         2024-02-15  242  	struct ima_iint_cache *iint = NULL;
19453ce0bcfbdf Matthew Garrett       2019-06-19  243  	struct ima_template_desc *template_desc = NULL;
cd9b909a117210 Stefan Berger         2024-02-23  244  	struct inode *metadata_inode;
ea1046d4c57ee6 Dmitry Kasatkin       2012-09-04  245  	char *pathbuf = NULL;
bc15ed663e7e53 Mimi Zohar            2017-01-17  246  	char filename[NAME_MAX];
ea1046d4c57ee6 Dmitry Kasatkin       2012-09-04  247  	const char *pathname = NULL;
0d73a55208e94f Dmitry Kasatkin       2017-12-05  248  	int rc = 0, action, must_appraise = 0;
725de7fabb9fe4 Eric Richter          2016-06-01  249  	int pcr = CONFIG_IMA_MEASURE_PCR_IDX;
1525b06d99b117 Dmitry Kasatkin       2014-10-30  250  	struct evm_ima_xattr_data *xattr_value = NULL;
39b07096364a42 Thiago Jung Bauermann 2019-06-27  251  	struct modsig *modsig = NULL;
d3634d0f426bde Dmitry Kasatkin       2013-04-25  252  	int xattr_len = 0;
f7a859ff7395c0 Roberto Sassu         2014-09-12  253  	bool violation_check;
1525b06d99b117 Dmitry Kasatkin       2014-10-30  254  	enum hash_algo hash_algo;
1624dc0086056c THOBY Simon           2021-08-16  255  	unsigned int allowed_algos = 0;
3323eec921efd8 Mimi Zohar            2009-02-04  256  
a756024efea259 Roberto Sassu         2014-09-12  257  	if (!ima_policy_flag || !S_ISREG(inode->i_mode))
3323eec921efd8 Mimi Zohar            2009-02-04  258  		return 0;
bc7d2a3e66b404 Eric Paris            2010-10-25  259  
d79d72e02485c0 Mimi Zohar            2012-12-03  260  	/* Return an IMA_MEASURE, IMA_APPRAISE, IMA_AUDIT action
d79d72e02485c0 Mimi Zohar            2012-12-03  261  	 * bitmask based on the appraise/audit/measurement policy.
d79d72e02485c0 Mimi Zohar            2012-12-03  262  	 * Included is the appraise submask.
d79d72e02485c0 Mimi Zohar            2012-12-03  263  	 */
37f670aacd4811 Casey Schaufler       2024-10-09  264  	action = ima_get_action(file_mnt_idmap(file), inode, cred, prop,
1624dc0086056c THOBY Simon           2021-08-16  265  				mask, func, &pcr, &template_desc, NULL,
1624dc0086056c THOBY Simon           2021-08-16  266  				&allowed_algos);
4958db3245fa65 Roberto Sassu         2023-01-31  267  	violation_check = ((func == FILE_CHECK || func == MMAP_CHECK ||
4958db3245fa65 Roberto Sassu         2023-01-31  268  			    func == MMAP_CHECK_REQPROT) &&
30d68cb0c37ebe Frederick Lawler      2025-03-27  269  			   (ima_policy_flag & IMA_MEASURE) &&
30d68cb0c37ebe Frederick Lawler      2025-03-27  270  			   ((action & IMA_MEASURE) ||
30d68cb0c37ebe Frederick Lawler      2025-03-27  271  			    (file->f_mode & FMODE_WRITE)));
f7a859ff7395c0 Roberto Sassu         2014-09-12  272  	if (!action && !violation_check)
2fe5d6def1672a Mimi Zohar            2012-02-13  273  		return 0;
2fe5d6def1672a Mimi Zohar            2012-02-13  274  
2fe5d6def1672a Mimi Zohar            2012-02-13  275  	must_appraise = action & IMA_APPRAISE;
bc7d2a3e66b404 Eric Paris            2010-10-25  276  
5a73fcfa8875a9 Mimi Zohar            2012-12-05  277  	/*  Is the appraise rule hook specific?  */
3a8a2eadc4946c Dmitry Kasatkin       2014-09-03  278  	if (action & IMA_FILE_APPRAISE)
4ad87a3d7444de Mimi Zohar            2016-01-14  279  		func = FILE_CHECK;
5a73fcfa8875a9 Mimi Zohar            2012-12-05  280  
5955102c9984fa Al Viro               2016-01-22  281  	inode_lock(inode);
2fe5d6def1672a Mimi Zohar            2012-02-13  282  
f7a859ff7395c0 Roberto Sassu         2014-09-12  283  	if (action) {
4de2f084fbff41 Roberto Sassu         2024-02-15  284  		iint = ima_inode_get(inode);
bf2276d10ce58f Dmitry Kasatkin       2011-10-19  285  		if (!iint)
0d73a55208e94f Dmitry Kasatkin       2017-12-05  286  			rc = -ENOMEM;
f7a859ff7395c0 Roberto Sassu         2014-09-12  287  	}
f7a859ff7395c0 Roberto Sassu         2014-09-12  288  
0d73a55208e94f Dmitry Kasatkin       2017-12-05  289  	if (!rc && violation_check)
1b68bdf9cded82 Roberto Sassu         2014-09-12  290  		ima_rdwr_violation_check(file, iint, action & IMA_MEASURE,
4e8581eefe720f Roberto Sassu         2017-11-30  291  					 &pathbuf, &pathname, filename);
0d73a55208e94f Dmitry Kasatkin       2017-12-05  292  
0d73a55208e94f Dmitry Kasatkin       2017-12-05  293  	inode_unlock(inode);
0d73a55208e94f Dmitry Kasatkin       2017-12-05  294  
0d73a55208e94f Dmitry Kasatkin       2017-12-05  295  	if (rc)
0d73a55208e94f Dmitry Kasatkin       2017-12-05  296  		goto out;
0d73a55208e94f Dmitry Kasatkin       2017-12-05  297  	if (!action)
0d73a55208e94f Dmitry Kasatkin       2017-12-05  298  		goto out;
0d73a55208e94f Dmitry Kasatkin       2017-12-05  299  
0d73a55208e94f Dmitry Kasatkin       2017-12-05  300  	mutex_lock(&iint->mutex);
0d73a55208e94f Dmitry Kasatkin       2017-12-05  301  
0d73a55208e94f Dmitry Kasatkin       2017-12-05  302  	if (test_and_clear_bit(IMA_CHANGE_ATTR, &iint->atomic_flags))
57a0ef02fefafc Roberto Sassu         2025-02-04  303  		/*
57a0ef02fefafc Roberto Sassu         2025-02-04  304  		 * Reset appraisal flags (action and non-action rule-specific)
57a0ef02fefafc Roberto Sassu         2025-02-04  305  		 * if ima_inode_post_setattr was called.
57a0ef02fefafc Roberto Sassu         2025-02-04  306  		 */
0d73a55208e94f Dmitry Kasatkin       2017-12-05  307  		iint->flags &= ~(IMA_APPRAISE | IMA_APPRAISED |
0d73a55208e94f Dmitry Kasatkin       2017-12-05  308  				 IMA_APPRAISE_SUBMASK | IMA_APPRAISED_SUBMASK |
57a0ef02fefafc Roberto Sassu         2025-02-04  309  				 IMA_NONACTION_RULE_FLAGS);
0d73a55208e94f Dmitry Kasatkin       2017-12-05  310  
d77ccdc644a59b Mimi Zohar            2018-02-21  311  	/*
d77ccdc644a59b Mimi Zohar            2018-02-21  312  	 * Re-evaulate the file if either the xattr has changed or the
d77ccdc644a59b Mimi Zohar            2018-02-21  313  	 * kernel has no way of detecting file change on the filesystem.
d77ccdc644a59b Mimi Zohar            2018-02-21  314  	 * (Limited to privileged mounted filesystems.)
d77ccdc644a59b Mimi Zohar            2018-02-21  315  	 */
d77ccdc644a59b Mimi Zohar            2018-02-21  316  	if (test_and_clear_bit(IMA_CHANGE_XATTR, &iint->atomic_flags) ||
d77ccdc644a59b Mimi Zohar            2018-02-21  317  	    ((inode->i_sb->s_iflags & SB_I_IMA_UNVERIFIABLE_SIGNATURE) &&
9e67028e76514a Mimi Zohar            2018-02-21  318  	     !(inode->i_sb->s_iflags & SB_I_UNTRUSTED_MOUNTER) &&
9e67028e76514a Mimi Zohar            2018-02-21  319  	     !(action & IMA_FAIL_UNVERIFIABLE_SIGS))) {
0d73a55208e94f Dmitry Kasatkin       2017-12-05  320  		iint->flags &= ~IMA_DONE_MASK;
d77ccdc644a59b Mimi Zohar            2018-02-21  321  		iint->measured_pcrs = 0;
d77ccdc644a59b Mimi Zohar            2018-02-21  322  	}
bf2276d10ce58f Dmitry Kasatkin       2011-10-19  323  
c21632b66895eb Stefan Berger         2024-02-23  324  	/*
cd9b909a117210 Stefan Berger         2024-02-23  325  	 * On stacked filesystems, detect and re-evaluate file data and
cd9b909a117210 Stefan Berger         2024-02-23  326  	 * metadata changes.
c21632b66895eb Stefan Berger         2024-02-23  327  	 */
c21632b66895eb Stefan Berger         2024-02-23  328  	real_inode = d_real_inode(file_dentry(file));
c21632b66895eb Stefan Berger         2024-02-23  329  	if (real_inode != inode &&
b836c4d29f2744 Mimi Zohar            2023-10-18  330  	    (action & IMA_DO_MASK) && (iint->flags & IMA_DONE_MASK)) {
c21632b66895eb Stefan Berger         2024-02-23  331  		if (!IS_I_VERSION(real_inode) ||
309e2b775da8b2 Stefan Berger         2024-02-23  332  		    integrity_inode_attrs_changed(&iint->real_inode,
309e2b775da8b2 Stefan Berger         2024-02-23  333  						  real_inode)) {
b836c4d29f2744 Mimi Zohar            2023-10-18  334  			iint->flags &= ~IMA_DONE_MASK;
b836c4d29f2744 Mimi Zohar            2023-10-18  335  			iint->measured_pcrs = 0;
b836c4d29f2744 Mimi Zohar            2023-10-18  336  		}
cd9b909a117210 Stefan Berger         2024-02-23  337  
cd9b909a117210 Stefan Berger         2024-02-23  338  		/*
cd9b909a117210 Stefan Berger         2024-02-23  339  		 * Reset the EVM status when metadata changed.
cd9b909a117210 Stefan Berger         2024-02-23  340  		 */
cd9b909a117210 Stefan Berger         2024-02-23  341  		metadata_inode = d_inode(d_real(file_dentry(file),
cd9b909a117210 Stefan Berger         2024-02-23  342  					 D_REAL_METADATA));
cd9b909a117210 Stefan Berger         2024-02-23  343  		if (evm_metadata_changed(inode, metadata_inode))
cd9b909a117210 Stefan Berger         2024-02-23  344  			iint->flags &= ~(IMA_APPRAISED |
cd9b909a117210 Stefan Berger         2024-02-23  345  					 IMA_APPRAISED_SUBMASK);
b836c4d29f2744 Mimi Zohar            2023-10-18  346  	}
b836c4d29f2744 Mimi Zohar            2023-10-18  347  
2fe5d6def1672a Mimi Zohar            2012-02-13  348  	/* Determine if already appraised/measured based on bitmask
d79d72e02485c0 Mimi Zohar            2012-12-03  349  	 * (IMA_MEASURE, IMA_MEASURED, IMA_XXXX_APPRAISE, IMA_XXXX_APPRAISED,
d79d72e02485c0 Mimi Zohar            2012-12-03  350  	 *  IMA_AUDIT, IMA_AUDITED)
d79d72e02485c0 Mimi Zohar            2012-12-03  351  	 */
2fe5d6def1672a Mimi Zohar            2012-02-13  352  	iint->flags |= action;
0e5a247cb37a97 Dmitry Kasatkin       2012-06-08  353  	action &= IMA_DO_MASK;
a422638d492a35 Eric Richter          2016-06-01  354  	action &= ~((iint->flags & (IMA_DONE_MASK ^ IMA_MEASURED)) >> 1);
a422638d492a35 Eric Richter          2016-06-01  355  
a422638d492a35 Eric Richter          2016-06-01  356  	/* If target pcr is already measured, unset IMA_MEASURE action */
a422638d492a35 Eric Richter          2016-06-01  357  	if ((action & IMA_MEASURE) && (iint->measured_pcrs & (0x1 << pcr)))
a422638d492a35 Eric Richter          2016-06-01  358  		action ^= IMA_MEASURE;
2fe5d6def1672a Mimi Zohar            2012-02-13  359  
da1b0029f527a9 Mimi Zohar            2016-09-29  360  	/* HASH sets the digital signature and update flags, nothing else */
da1b0029f527a9 Mimi Zohar            2016-09-29  361  	if ((action & IMA_HASH) &&
da1b0029f527a9 Mimi Zohar            2016-09-29  362  	    !(test_bit(IMA_DIGSIG, &iint->atomic_flags))) {
f6fbd8cbf3ed19 Paul Moore            2022-11-09  363  		xattr_len = ima_read_xattr(file_dentry(file),
f6fbd8cbf3ed19 Paul Moore            2022-11-09  364  					   &xattr_value, xattr_len);
da1b0029f527a9 Mimi Zohar            2016-09-29  365  		if ((xattr_value && xattr_len > 2) &&
da1b0029f527a9 Mimi Zohar            2016-09-29  366  		    (xattr_value->type == EVM_IMA_XATTR_DIGSIG))
da1b0029f527a9 Mimi Zohar            2016-09-29  367  			set_bit(IMA_DIGSIG, &iint->atomic_flags);
da1b0029f527a9 Mimi Zohar            2016-09-29  368  		iint->flags |= IMA_HASHED;
da1b0029f527a9 Mimi Zohar            2016-09-29  369  		action ^= IMA_HASH;
da1b0029f527a9 Mimi Zohar            2016-09-29  370  		set_bit(IMA_UPDATE_XATTR, &iint->atomic_flags);
da1b0029f527a9 Mimi Zohar            2016-09-29  371  	}
da1b0029f527a9 Mimi Zohar            2016-09-29  372  
2fe5d6def1672a Mimi Zohar            2012-02-13  373  	/* Nothing to do, just return existing appraised status */
2fe5d6def1672a Mimi Zohar            2012-02-13  374  	if (!action) {
2cd4737bc85022 Mimi Zohar            2019-04-30  375  		if (must_appraise) {
2cd4737bc85022 Mimi Zohar            2019-04-30  376  			rc = mmap_violation_check(func, file, &pathbuf,
2cd4737bc85022 Mimi Zohar            2019-04-30  377  						  &pathname, filename);
2cd4737bc85022 Mimi Zohar            2019-04-30  378  			if (!rc)
4ad87a3d7444de Mimi Zohar            2016-01-14  379  				rc = ima_get_cache_status(iint, func);
2cd4737bc85022 Mimi Zohar            2019-04-30  380  		}
0d73a55208e94f Dmitry Kasatkin       2017-12-05  381  		goto out_locked;
2fe5d6def1672a Mimi Zohar            2012-02-13  382  	}
3323eec921efd8 Mimi Zohar            2009-02-04  383  
f68c05f4d2d4e1 Dmitry Kasatkin       2014-08-22  384  	if ((action & IMA_APPRAISE_SUBMASK) ||
39b07096364a42 Thiago Jung Bauermann 2019-06-27  385  	    strcmp(template_desc->name, IMA_TEMPLATE_IMA_NAME) != 0) {
1525b06d99b117 Dmitry Kasatkin       2014-10-30  386  		/* read 'security.ima' */
f6fbd8cbf3ed19 Paul Moore            2022-11-09  387  		xattr_len = ima_read_xattr(file_dentry(file),
f6fbd8cbf3ed19 Paul Moore            2022-11-09  388  					   &xattr_value, xattr_len);
d3634d0f426bde Dmitry Kasatkin       2013-04-25  389  
e5092255bb3967 Thiago Jung Bauermann 2019-06-27  390  		/*
e5092255bb3967 Thiago Jung Bauermann 2019-06-27  391  		 * Read the appended modsig if allowed by the policy, and allow
e5092255bb3967 Thiago Jung Bauermann 2019-06-27  392  		 * an additional measurement list entry, if needed, based on the
e5092255bb3967 Thiago Jung Bauermann 2019-06-27  393  		 * template format and whether the file was already measured.
e5092255bb3967 Thiago Jung Bauermann 2019-06-27  394  		 */
e5092255bb3967 Thiago Jung Bauermann 2019-06-27  395  		if (iint->flags & IMA_MODSIG_ALLOWED) {
e5092255bb3967 Thiago Jung Bauermann 2019-06-27  396  			rc = ima_read_modsig(func, buf, size, &modsig);
e5092255bb3967 Thiago Jung Bauermann 2019-06-27  397  
e5092255bb3967 Thiago Jung Bauermann 2019-06-27  398  			if (!rc && ima_template_has_modsig(template_desc) &&
e5092255bb3967 Thiago Jung Bauermann 2019-06-27  399  			    iint->flags & IMA_MEASURED)
e5092255bb3967 Thiago Jung Bauermann 2019-06-27  400  				action |= IMA_MEASURE;
e5092255bb3967 Thiago Jung Bauermann 2019-06-27  401  		}
39b07096364a42 Thiago Jung Bauermann 2019-06-27  402  	}
39b07096364a42 Thiago Jung Bauermann 2019-06-27  403  
1525b06d99b117 Dmitry Kasatkin       2014-10-30  404  	hash_algo = ima_get_hash_algo(xattr_value, xattr_len);
1525b06d99b117 Dmitry Kasatkin       2014-10-30  405  
15588227e086ec Thiago Jung Bauermann 2019-06-27  406  	rc = ima_collect_measurement(iint, file, buf, size, hash_algo, modsig);
6dc387d52eb67f Matt Bobrowski        2023-01-04  407  	if (rc != 0 && rc != -EBADF && rc != -EINVAL)
0d73a55208e94f Dmitry Kasatkin       2017-12-05  408  		goto out_locked;
08e1b76ae399a0 Mimi Zohar            2012-06-20  409  
c200892b46ba3d Coiby Xu              2025-11-19  410  	/* Defer measuring/appraising kernel modules to READING_MODULE */
c200892b46ba3d Coiby Xu              2025-11-19  411  	if (read_id == READING_MODULE_COMPRESSED) {
c200892b46ba3d Coiby Xu              2025-11-19  412  		must_appraise = 0;
c200892b46ba3d Coiby Xu              2025-11-19  413  		goto out_locked;
c200892b46ba3d Coiby Xu              2025-11-19  414  	}
c200892b46ba3d Coiby Xu              2025-11-19  415  
bc15ed663e7e53 Mimi Zohar            2017-01-17  416  	if (!pathbuf)	/* ima_rdwr_violation possibly pre-fetched */
bc15ed663e7e53 Mimi Zohar            2017-01-17  417  		pathname = ima_d_path(&file->f_path, &pathbuf, filename);
08e1b76ae399a0 Mimi Zohar            2012-06-20  418  
2fe5d6def1672a Mimi Zohar            2012-02-13  419  	if (action & IMA_MEASURE)
bcbc9b0cf6d8f3 Mimi Zohar            2013-07-23  420  		ima_store_measurement(iint, file, pathname,
3878d505aa718b Thiago Jung Bauermann 2019-06-27  421  				      xattr_value, xattr_len, modsig, pcr,
19453ce0bcfbdf Matthew Garrett       2019-06-19  422  				      template_desc);
0d73a55208e94f Dmitry Kasatkin       2017-12-05  423  	if (rc == 0 && (action & IMA_APPRAISE_SUBMASK)) {
273df864cf7466 Nayna Jain            2019-10-30  424  		rc = ima_check_blacklist(iint, modsig, pcr);
273df864cf7466 Nayna Jain            2019-10-30  425  		if (rc != -EPERM) {
0d73a55208e94f Dmitry Kasatkin       2017-12-05  426  			inode_lock(inode);
273df864cf7466 Nayna Jain            2019-10-30 @427  			rc = ima_appraise_measurement(func, iint, file,
273df864cf7466 Nayna Jain            2019-10-30  428  						      pathname, xattr_value,
073872ff30b34d Chris J Arges         2025-12-19  429  						      xattr_len, modsig, bprm_is_check);
0d73a55208e94f Dmitry Kasatkin       2017-12-05  430  			inode_unlock(inode);
273df864cf7466 Nayna Jain            2019-10-30  431  		}
2cd4737bc85022 Mimi Zohar            2019-04-30  432  		if (!rc)
2cd4737bc85022 Mimi Zohar            2019-04-30  433  			rc = mmap_violation_check(func, file, &pathbuf,
2cd4737bc85022 Mimi Zohar            2019-04-30  434  						  &pathname, filename);
0d73a55208e94f Dmitry Kasatkin       2017-12-05  435  	}
e7c568e0fd0cf6 Peter Moody           2012-06-14  436  	if (action & IMA_AUDIT)
ea1046d4c57ee6 Dmitry Kasatkin       2012-09-04  437  		ima_audit_measurement(iint, pathname);
f7a859ff7395c0 Roberto Sassu         2014-09-12  438  
f3cc6b25dcc561 Mimi Zohar            2017-06-17  439  	if ((file->f_flags & O_DIRECT) && (iint->flags & IMA_PERMIT_DIRECTIO))
f3cc6b25dcc561 Mimi Zohar            2017-06-17  440  		rc = 0;
1624dc0086056c THOBY Simon           2021-08-16  441  
1624dc0086056c THOBY Simon           2021-08-16  442  	/* Ensure the digest was generated using an allowed algorithm */
1624dc0086056c THOBY Simon           2021-08-16  443  	if (rc == 0 && must_appraise && allowed_algos != 0 &&
1624dc0086056c THOBY Simon           2021-08-16  444  	    (allowed_algos & (1U << hash_algo)) == 0) {
1624dc0086056c THOBY Simon           2021-08-16  445  		rc = -EACCES;
1624dc0086056c THOBY Simon           2021-08-16  446  
1624dc0086056c THOBY Simon           2021-08-16  447  		integrity_audit_msg(AUDIT_INTEGRITY_DATA, file_inode(file),
1624dc0086056c THOBY Simon           2021-08-16  448  				    pathname, "collect_data",
1624dc0086056c THOBY Simon           2021-08-16  449  				    "denied-hash-algorithm", rc, 0);
1624dc0086056c THOBY Simon           2021-08-16  450  	}
0d73a55208e94f Dmitry Kasatkin       2017-12-05  451  out_locked:
0d73a55208e94f Dmitry Kasatkin       2017-12-05  452  	if ((mask & MAY_WRITE) && test_bit(IMA_DIGSIG, &iint->atomic_flags) &&
05d1a717ec0430 Mimi Zohar            2016-02-29  453  	     !(iint->flags & IMA_NEW_FILE))
a175b8bb29ebba Dmitry Kasatkin       2012-09-27  454  		rc = -EACCES;
0d73a55208e94f Dmitry Kasatkin       2017-12-05  455  	mutex_unlock(&iint->mutex);
f7a859ff7395c0 Roberto Sassu         2014-09-12  456  	kfree(xattr_value);
39b07096364a42 Thiago Jung Bauermann 2019-06-27  457  	ima_free_modsig(modsig);
0d73a55208e94f Dmitry Kasatkin       2017-12-05  458  out:
456f5fd3f6017f Dmitry Kasatkin       2014-10-01  459  	if (pathbuf)
456f5fd3f6017f Dmitry Kasatkin       2014-10-01  460  		__putname(pathbuf);
0d73a55208e94f Dmitry Kasatkin       2017-12-05  461  	if (must_appraise) {
0d73a55208e94f Dmitry Kasatkin       2017-12-05  462  		if (rc && (ima_appraise & IMA_APPRAISE_ENFORCE))
750943a30714b7 Dmitry Kasatkin       2012-09-27  463  			return -EACCES;
0d73a55208e94f Dmitry Kasatkin       2017-12-05  464  		if (file->f_mode & FMODE_WRITE)
0d73a55208e94f Dmitry Kasatkin       2017-12-05  465  			set_bit(IMA_UPDATE_XATTR, &iint->atomic_flags);
0d73a55208e94f Dmitry Kasatkin       2017-12-05  466  	}
750943a30714b7 Dmitry Kasatkin       2012-09-27  467  	return 0;
3323eec921efd8 Mimi Zohar            2009-02-04  468  }
3323eec921efd8 Mimi Zohar            2009-02-04  469  

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki

^ permalink raw reply

* Re: [PATCH] ima: Fix stack-out-of-bounds in is_bprm_creds_for_exec()
From: kernel test robot @ 2025-12-20 15:21 UTC (permalink / raw)
  To: Chris J Arges, zohar, roberto.sassu
  Cc: oe-kbuild-all, kernel-team, Chris J Arges, Dmitry Kasatkin,
	Eric Snowberg, Paul Moore, James Morris, Serge E. Hallyn,
	Mickaël Salaün, Kees Cook, linux-integrity,
	linux-security-module, linux-kernel
In-Reply-To: <20251219195456.912190-1-carges@cloudflare.com>

Hi Chris,

kernel test robot noticed the following build errors:

[auto build test ERROR on zohar-integrity/next-integrity]
[also build test ERROR on linus/master v6.19-rc1 next-20251219]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url:    https://github.com/intel-lab-lkp/linux/commits/Chris-J-Arges/ima-Fix-stack-out-of-bounds-in-is_bprm_creds_for_exec/20251220-035711
base:   https://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git next-integrity
patch link:    https://lore.kernel.org/r/20251219195456.912190-1-carges%40cloudflare.com
patch subject: [PATCH] ima: Fix stack-out-of-bounds in is_bprm_creds_for_exec()
config: i386-allnoconfig-bpf (https://download.01.org/0day-ci/archive/20251220/202512201634.hYE4i2PX-lkp@intel.com/config)
compiler: clang version 20.1.8 (https://github.com/llvm/llvm-project 87f0227cb60147a26a1eeb4fb06e3b505e9c7261)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20251220/202512201634.hYE4i2PX-lkp@intel.com/reproduce)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202512201634.hYE4i2PX-lkp@intel.com/

All errors (new ones prefixed by >>):

>> security/integrity/ima/ima_main.c:429:32: error: too many arguments to function call, expected 7, have 8
     427 |                         rc = ima_appraise_measurement(func, iint, file,
         |                              ~~~~~~~~~~~~~~~~~~~~~~~~
     428 |                                                       pathname, xattr_value,
     429 |                                                       xattr_len, modsig, bprm_is_check);
         |                                                                          ^~~~~~~~~~~~~
   security/integrity/ima/ima.h:463:19: note: 'ima_appraise_measurement' declared here
     463 | static inline int ima_appraise_measurement(enum ima_hooks func,
         |                   ^                        ~~~~~~~~~~~~~~~~~~~~
     464 |                                            struct ima_iint_cache *iint,
         |                                            ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     465 |                                            struct file *file,
         |                                            ~~~~~~~~~~~~~~~~~~
     466 |                                            const unsigned char *filename,
         |                                            ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     467 |                                            struct evm_ima_xattr_data *xattr_value,
         |                                            ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     468 |                                            int xattr_len,
         |                                            ~~~~~~~~~~~~~~
     469 |                                            const struct modsig *modsig)
         |                                            ~~~~~~~~~~~~~~~~~~~~~~~~~~~
   1 error generated.


vim +429 security/integrity/ima/ima_main.c

   235	
   236	static int process_measurement(struct file *file, const struct cred *cred,
   237				       struct lsm_prop *prop, char *buf, loff_t size,
   238				       int mask, enum ima_hooks func,
   239				       enum kernel_read_file_id read_id, bool bprm_is_check)
   240	{
   241		struct inode *real_inode, *inode = file_inode(file);
   242		struct ima_iint_cache *iint = NULL;
   243		struct ima_template_desc *template_desc = NULL;
   244		struct inode *metadata_inode;
   245		char *pathbuf = NULL;
   246		char filename[NAME_MAX];
   247		const char *pathname = NULL;
   248		int rc = 0, action, must_appraise = 0;
   249		int pcr = CONFIG_IMA_MEASURE_PCR_IDX;
   250		struct evm_ima_xattr_data *xattr_value = NULL;
   251		struct modsig *modsig = NULL;
   252		int xattr_len = 0;
   253		bool violation_check;
   254		enum hash_algo hash_algo;
   255		unsigned int allowed_algos = 0;
   256	
   257		if (!ima_policy_flag || !S_ISREG(inode->i_mode))
   258			return 0;
   259	
   260		/* Return an IMA_MEASURE, IMA_APPRAISE, IMA_AUDIT action
   261		 * bitmask based on the appraise/audit/measurement policy.
   262		 * Included is the appraise submask.
   263		 */
   264		action = ima_get_action(file_mnt_idmap(file), inode, cred, prop,
   265					mask, func, &pcr, &template_desc, NULL,
   266					&allowed_algos);
   267		violation_check = ((func == FILE_CHECK || func == MMAP_CHECK ||
   268				    func == MMAP_CHECK_REQPROT) &&
   269				   (ima_policy_flag & IMA_MEASURE) &&
   270				   ((action & IMA_MEASURE) ||
   271				    (file->f_mode & FMODE_WRITE)));
   272		if (!action && !violation_check)
   273			return 0;
   274	
   275		must_appraise = action & IMA_APPRAISE;
   276	
   277		/*  Is the appraise rule hook specific?  */
   278		if (action & IMA_FILE_APPRAISE)
   279			func = FILE_CHECK;
   280	
   281		inode_lock(inode);
   282	
   283		if (action) {
   284			iint = ima_inode_get(inode);
   285			if (!iint)
   286				rc = -ENOMEM;
   287		}
   288	
   289		if (!rc && violation_check)
   290			ima_rdwr_violation_check(file, iint, action & IMA_MEASURE,
   291						 &pathbuf, &pathname, filename);
   292	
   293		inode_unlock(inode);
   294	
   295		if (rc)
   296			goto out;
   297		if (!action)
   298			goto out;
   299	
   300		mutex_lock(&iint->mutex);
   301	
   302		if (test_and_clear_bit(IMA_CHANGE_ATTR, &iint->atomic_flags))
   303			/*
   304			 * Reset appraisal flags (action and non-action rule-specific)
   305			 * if ima_inode_post_setattr was called.
   306			 */
   307			iint->flags &= ~(IMA_APPRAISE | IMA_APPRAISED |
   308					 IMA_APPRAISE_SUBMASK | IMA_APPRAISED_SUBMASK |
   309					 IMA_NONACTION_RULE_FLAGS);
   310	
   311		/*
   312		 * Re-evaulate the file if either the xattr has changed or the
   313		 * kernel has no way of detecting file change on the filesystem.
   314		 * (Limited to privileged mounted filesystems.)
   315		 */
   316		if (test_and_clear_bit(IMA_CHANGE_XATTR, &iint->atomic_flags) ||
   317		    ((inode->i_sb->s_iflags & SB_I_IMA_UNVERIFIABLE_SIGNATURE) &&
   318		     !(inode->i_sb->s_iflags & SB_I_UNTRUSTED_MOUNTER) &&
   319		     !(action & IMA_FAIL_UNVERIFIABLE_SIGS))) {
   320			iint->flags &= ~IMA_DONE_MASK;
   321			iint->measured_pcrs = 0;
   322		}
   323	
   324		/*
   325		 * On stacked filesystems, detect and re-evaluate file data and
   326		 * metadata changes.
   327		 */
   328		real_inode = d_real_inode(file_dentry(file));
   329		if (real_inode != inode &&
   330		    (action & IMA_DO_MASK) && (iint->flags & IMA_DONE_MASK)) {
   331			if (!IS_I_VERSION(real_inode) ||
   332			    integrity_inode_attrs_changed(&iint->real_inode,
   333							  real_inode)) {
   334				iint->flags &= ~IMA_DONE_MASK;
   335				iint->measured_pcrs = 0;
   336			}
   337	
   338			/*
   339			 * Reset the EVM status when metadata changed.
   340			 */
   341			metadata_inode = d_inode(d_real(file_dentry(file),
   342						 D_REAL_METADATA));
   343			if (evm_metadata_changed(inode, metadata_inode))
   344				iint->flags &= ~(IMA_APPRAISED |
   345						 IMA_APPRAISED_SUBMASK);
   346		}
   347	
   348		/* Determine if already appraised/measured based on bitmask
   349		 * (IMA_MEASURE, IMA_MEASURED, IMA_XXXX_APPRAISE, IMA_XXXX_APPRAISED,
   350		 *  IMA_AUDIT, IMA_AUDITED)
   351		 */
   352		iint->flags |= action;
   353		action &= IMA_DO_MASK;
   354		action &= ~((iint->flags & (IMA_DONE_MASK ^ IMA_MEASURED)) >> 1);
   355	
   356		/* If target pcr is already measured, unset IMA_MEASURE action */
   357		if ((action & IMA_MEASURE) && (iint->measured_pcrs & (0x1 << pcr)))
   358			action ^= IMA_MEASURE;
   359	
   360		/* HASH sets the digital signature and update flags, nothing else */
   361		if ((action & IMA_HASH) &&
   362		    !(test_bit(IMA_DIGSIG, &iint->atomic_flags))) {
   363			xattr_len = ima_read_xattr(file_dentry(file),
   364						   &xattr_value, xattr_len);
   365			if ((xattr_value && xattr_len > 2) &&
   366			    (xattr_value->type == EVM_IMA_XATTR_DIGSIG))
   367				set_bit(IMA_DIGSIG, &iint->atomic_flags);
   368			iint->flags |= IMA_HASHED;
   369			action ^= IMA_HASH;
   370			set_bit(IMA_UPDATE_XATTR, &iint->atomic_flags);
   371		}
   372	
   373		/* Nothing to do, just return existing appraised status */
   374		if (!action) {
   375			if (must_appraise) {
   376				rc = mmap_violation_check(func, file, &pathbuf,
   377							  &pathname, filename);
   378				if (!rc)
   379					rc = ima_get_cache_status(iint, func);
   380			}
   381			goto out_locked;
   382		}
   383	
   384		if ((action & IMA_APPRAISE_SUBMASK) ||
   385		    strcmp(template_desc->name, IMA_TEMPLATE_IMA_NAME) != 0) {
   386			/* read 'security.ima' */
   387			xattr_len = ima_read_xattr(file_dentry(file),
   388						   &xattr_value, xattr_len);
   389	
   390			/*
   391			 * Read the appended modsig if allowed by the policy, and allow
   392			 * an additional measurement list entry, if needed, based on the
   393			 * template format and whether the file was already measured.
   394			 */
   395			if (iint->flags & IMA_MODSIG_ALLOWED) {
   396				rc = ima_read_modsig(func, buf, size, &modsig);
   397	
   398				if (!rc && ima_template_has_modsig(template_desc) &&
   399				    iint->flags & IMA_MEASURED)
   400					action |= IMA_MEASURE;
   401			}
   402		}
   403	
   404		hash_algo = ima_get_hash_algo(xattr_value, xattr_len);
   405	
   406		rc = ima_collect_measurement(iint, file, buf, size, hash_algo, modsig);
   407		if (rc != 0 && rc != -EBADF && rc != -EINVAL)
   408			goto out_locked;
   409	
   410		/* Defer measuring/appraising kernel modules to READING_MODULE */
   411		if (read_id == READING_MODULE_COMPRESSED) {
   412			must_appraise = 0;
   413			goto out_locked;
   414		}
   415	
   416		if (!pathbuf)	/* ima_rdwr_violation possibly pre-fetched */
   417			pathname = ima_d_path(&file->f_path, &pathbuf, filename);
   418	
   419		if (action & IMA_MEASURE)
   420			ima_store_measurement(iint, file, pathname,
   421					      xattr_value, xattr_len, modsig, pcr,
   422					      template_desc);
   423		if (rc == 0 && (action & IMA_APPRAISE_SUBMASK)) {
   424			rc = ima_check_blacklist(iint, modsig, pcr);
   425			if (rc != -EPERM) {
   426				inode_lock(inode);
   427				rc = ima_appraise_measurement(func, iint, file,
   428							      pathname, xattr_value,
 > 429							      xattr_len, modsig, bprm_is_check);
   430				inode_unlock(inode);
   431			}
   432			if (!rc)
   433				rc = mmap_violation_check(func, file, &pathbuf,
   434							  &pathname, filename);
   435		}
   436		if (action & IMA_AUDIT)
   437			ima_audit_measurement(iint, pathname);
   438	
   439		if ((file->f_flags & O_DIRECT) && (iint->flags & IMA_PERMIT_DIRECTIO))
   440			rc = 0;
   441	
   442		/* Ensure the digest was generated using an allowed algorithm */
   443		if (rc == 0 && must_appraise && allowed_algos != 0 &&
   444		    (allowed_algos & (1U << hash_algo)) == 0) {
   445			rc = -EACCES;
   446	
   447			integrity_audit_msg(AUDIT_INTEGRITY_DATA, file_inode(file),
   448					    pathname, "collect_data",
   449					    "denied-hash-algorithm", rc, 0);
   450		}
   451	out_locked:
   452		if ((mask & MAY_WRITE) && test_bit(IMA_DIGSIG, &iint->atomic_flags) &&
   453		     !(iint->flags & IMA_NEW_FILE))
   454			rc = -EACCES;
   455		mutex_unlock(&iint->mutex);
   456		kfree(xattr_value);
   457		ima_free_modsig(modsig);
   458	out:
   459		if (pathbuf)
   460			__putname(pathbuf);
   461		if (must_appraise) {
   462			if (rc && (ima_appraise & IMA_APPRAISE_ENFORCE))
   463				return -EACCES;
   464			if (file->f_mode & FMODE_WRITE)
   465				set_bit(IMA_UPDATE_XATTR, &iint->atomic_flags);
   466		}
   467		return 0;
   468	}
   469	

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki

^ permalink raw reply


This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox