* Re: [PATCH v8 04/12] tpm: Change tpm_get_random() opportunistic
From: Jarkko Sakkinen @ 2026-01-02 16:37 UTC (permalink / raw)
To: Jonathan McDowell
Cc: linux-integrity, David S . Miller, Herbert Xu, Eric Biggers,
Peter Huewe, Jason Gunthorpe, David Howells, Paul Moore,
James Morris, Serge E. Hallyn, open list, open list:KEYS/KEYRINGS,
open list:SECURITY SUBSYSTEM
In-Reply-To: <aUUd760l89lrNOs-@earth.li>
On Fri, Dec 19, 2025 at 09:42:07AM +0000, Jonathan McDowell wrote:
> On Tue, Dec 16, 2025 at 11:21:38AM +0200, Jarkko Sakkinen wrote:
> > hwrng framework does not have a requirement that the all bytes requested
> > need to be provided. By enforcing such a requirement internally, TPM driver
> > can cause unpredictability in latency, as a single tpm_get_random() call
> > can result multiple TPM commands.
> >
> > Especially, when TCG_TPM2_HMAC is enabled, extra roundtrips could have
> > significant effect to the system latency.
> >
> > Thus, send TPM command only once and return bytes received instead of
> > committing to the number of requested bytes.
>
> Function comment for tpm_get_random needs updated as well, as it currently
> says "until all of the @max bytes have been received", which is no longer
> true with this patch. With that:
>
> Reviewed-by: Jonathan McDowell <noodles@meta.com>
Thank you and definitely can refine that comment. After holidays it is
probably to go through this patch set with time and send +1 iteration
:-)
BR, Jarkko
^ permalink raw reply
* Re: [PATCH v8 05/12] tpm2-sessions: Define TPM2_NAME_MAX_SIZE
From: Jarkko Sakkinen @ 2026-01-02 16:35 UTC (permalink / raw)
To: Jonathan McDowell
Cc: linux-integrity, Peter Huewe, Jason Gunthorpe, David Howells,
Paul Moore, James Morris, Serge E. Hallyn, open list,
open list:KEYS/KEYRINGS, open list:SECURITY SUBSYSTEM
In-Reply-To: <aUUbkosWlOjZ48YP@earth.li>
On Fri, Dec 19, 2025 at 09:32:02AM +0000, Jonathan McDowell wrote:
> On Tue, Dec 16, 2025 at 11:21:39AM +0200, Jarkko Sakkinen wrote:
> > Define TPM2_NAME_MAX_SIZE, which describes the maximum size for hashes
> > encoded as TPMT_HA, which the prime identifier used for persistent and
> > transient keys in TPM2 protocol.
> >
> > Set its value to 'SHA512_DIGEST_SIZE + 2', as SHA512 has the largest
> > digest size of the algorithms in TCG algorithm repository.
> >
> > In additionl, rename TPM2_NAME_SIZE as TPM2_NULL_NAME_SIZE in order to
> > avoid any possible confusion.
>
> One minor capitalisation nit, otherwise:
>
> Reviewed-by: Jonathan McDowell <noodles@meta.com>
>
> > Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
> > ---
> > v6:
> > - Rewrote the commit message.
> > v2:
> > - Rename TPM2_NAME_SIZE as TPM2_NULL_NAME_SIZE.
> > ---
> > drivers/char/tpm/tpm-sysfs.c | 2 +-
> > drivers/char/tpm/tpm2-sessions.c | 2 +-
> > include/linux/tpm.h | 37 +++++++++++++++++++++-----------
> > 3 files changed, 27 insertions(+), 14 deletions(-)
> >
> > diff --git a/drivers/char/tpm/tpm-sysfs.c b/drivers/char/tpm/tpm-sysfs.c
> > index 94231f052ea7..4a6a27ee295d 100644
> > --- a/drivers/char/tpm/tpm-sysfs.c
> > +++ b/drivers/char/tpm/tpm-sysfs.c
> > @@ -314,7 +314,7 @@ static ssize_t null_name_show(struct device *dev, struct device_attribute *attr,
> > char *buf)
> > {
> > struct tpm_chip *chip = to_tpm_chip(dev);
> > - int size = TPM2_NAME_SIZE;
> > + int size = TPM2_NULL_NAME_SIZE;
> >
> > bin2hex(buf, chip->null_key_name, size);
> > size *= 2;
> > diff --git a/drivers/char/tpm/tpm2-sessions.c b/drivers/char/tpm/tpm2-sessions.c
> > index 4149379665c4..525b8622d1c3 100644
> > --- a/drivers/char/tpm/tpm2-sessions.c
> > +++ b/drivers/char/tpm/tpm2-sessions.c
> > @@ -137,7 +137,7 @@ struct tpm2_auth {
> > * we must compute and remember
> > */
> > u32 name_h[AUTH_MAX_NAMES];
> > - u8 name[AUTH_MAX_NAMES][2 + SHA512_DIGEST_SIZE];
> > + u8 name[AUTH_MAX_NAMES][TPM2_MAX_NAME_SIZE];
> > };
> >
> > #ifdef CONFIG_TCG_TPM2_HMAC
> > diff --git a/include/linux/tpm.h b/include/linux/tpm.h
> > index 202da079d500..e10f2096eae7 100644
> > --- a/include/linux/tpm.h
> > +++ b/include/linux/tpm.h
> > @@ -27,9 +27,33 @@
> >
> > #define TPM_DIGEST_SIZE 20 /* Max TPM v1.2 PCR size */
> >
> > +/*
> > + * SHA-512 is, as of today, the largest digest in the TCG algorithm repository.
> > + */
> > #define TPM2_MAX_DIGEST_SIZE SHA512_DIGEST_SIZE
> > +
> > +/*
> > + * A TPM name digest i.e., TPMT_HA, is a concatenation of TPM_ALG_ID of the
> > + * name algorithm and hash of TPMT_PUBLIC.
> > + */
> > +#define TPM2_MAX_NAME_SIZE (TPM2_MAX_DIGEST_SIZE + 2)
> > +
> > +/*
> > + * The maximum number of PCR banks.
> > + */
> > #define TPM2_MAX_PCR_BANKS 8
> >
> > +/*
> > + * fixed define for the size of a name. This is actually HASHALG size
>
> "Fixed define".
Thanks, yeah, I can fix this up :-)
>
> > + * plus 2, so 32 for SHA256
> > + */
> > +#define TPM2_NULL_NAME_SIZE 34
> > +
> > +/*
> > + * The maximum size for an object context
> > + */
> > +#define TPM2_MAX_CONTEXT_SIZE 4096
> > +
> > struct tpm_chip;
> > struct trusted_key_payload;
> > struct trusted_key_options;
> > @@ -139,17 +163,6 @@ struct tpm_chip_seqops {
> > /* fixed define for the curve we use which is NIST_P256 */
> > #define EC_PT_SZ 32
> >
> > -/*
> > - * fixed define for the size of a name. This is actually HASHALG size
> > - * plus 2, so 32 for SHA256
> > - */
> > -#define TPM2_NAME_SIZE 34
> > -
> > -/*
> > - * The maximum size for an object context
> > - */
> > -#define TPM2_MAX_CONTEXT_SIZE 4096
> > -
> > struct tpm_chip {
> > struct device dev;
> > struct device devs;
> > @@ -211,7 +224,7 @@ struct tpm_chip {
> > /* saved context for NULL seed */
> > u8 null_key_context[TPM2_MAX_CONTEXT_SIZE];
> > /* name of NULL seed */
> > - u8 null_key_name[TPM2_NAME_SIZE];
> > + u8 null_key_name[TPM2_NULL_NAME_SIZE];
> > u8 null_ec_key_x[EC_PT_SZ];
> > u8 null_ec_key_y[EC_PT_SZ];
> > struct tpm2_auth *auth;
> > --
> > 2.39.5
> >
> >
>
> J.
>
> --
> Why do I get the feeling I'm going to regret this?
> This .sig brought to you by the letter S and the number 50
> Product of the Republic of HuggieTag
BR, Jarkko
^ permalink raw reply
* Re: [PATCH v8 02/12] KEYS: trusted: Use get_random_bytes_wait() instead of tpm_get_random()
From: Jarkko Sakkinen @ 2026-01-02 16:34 UTC (permalink / raw)
To: Jonathan McDowell
Cc: linux-integrity, Eric Biggers, David Howells, Paul Moore,
James Morris, Serge E. Hallyn, James Bottomley, Mimi Zohar,
open list:KEYS/KEYRINGS, open list:SECURITY SUBSYSTEM, open list
In-Reply-To: <aUUZKu2xaZvEdq-2@earth.li>
On Fri, Dec 19, 2025 at 09:21:46AM +0000, Jonathan McDowell wrote:
> On Tue, Dec 16, 2025 at 11:21:36AM +0200, Jarkko Sakkinen wrote:
> > Substitute remaining tpm_get_random() calls in trusted_tpm1.c with
> > get_random_bytes_wait() thus aligning random number generation for TPM 1.2
> > with the removal of '.get_random' callback.
>
> Had to double check we wouldn't end up not getting all the randomness we ask
> for, but get_random_bytes_wait does indeed DTRT.
>
> Reviewed-by: Jonathan McDowell <noodles@meta.com>
Thank you.
BR, Jarkko
^ permalink raw reply
* Re: [PATCH v8 07/12] KEYS: trusted: Remove dead branch from tpm2_unseal_cmd
From: Jarkko Sakkinen @ 2026-01-02 16:31 UTC (permalink / raw)
To: James Bottomley
Cc: linux-integrity, David Howells, Paul Moore, James Morris,
Serge E. Hallyn, Mimi Zohar, open list:KEYS/KEYRINGS,
open list:SECURITY SUBSYSTEM, open list
In-Reply-To: <57e69d4fd5a40899cd779ee04f29f33009c97431.camel@HansenPartnership.com>
On Fri, Dec 19, 2025 at 03:54:47PM -0500, James Bottomley wrote:
> On Tue, 2025-12-16 at 11:21 +0200, Jarkko Sakkinen wrote:
> > TPM2_Unseal requires TPM2_ST_SESSIONS, and tpm2_unseal_cmd() always
> > does set up either password or HMAC session.
> >
> > Remove the branch in tpm2_unseal_cmd() conditionally setting
> > TPM2_ST_NO_SESSIONS. It is faulty but luckily it is never exercised
> > at run-time, and thus does not cause regressions.
>
> Shouldn't that also be
>
> Fixes: b7960b904861 ("tpm2-sessions: Open code tpm_buf_append_hmac_session()")
The implementation has pre-existed before that commit so it did
not really cause it. The call path was just more masked before
open coding it.
The code is of course exercised in !TCG_TPM2_HMAC case but it
by definition does nothing.
>
> > Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
> > ---
> > security/keys/trusted-keys/trusted_tpm2.c | 10 +---------
> > 1 file changed, 1 insertion(+), 9 deletions(-)
> >
> > diff --git a/security/keys/trusted-keys/trusted_tpm2.c
> > b/security/keys/trusted-keys/trusted_tpm2.c
> > index d3a5c5f2b926..3666e3e48eab 100644
> > --- a/security/keys/trusted-keys/trusted_tpm2.c
> > +++ b/security/keys/trusted-keys/trusted_tpm2.c
> > @@ -451,10 +451,8 @@ static int tpm2_unseal_cmd(struct tpm_chip
> > *chip,
> > struct trusted_key_options *options,
> > u32 blob_handle)
> > {
> > - struct tpm_header *head;
> > struct tpm_buf buf;
> > u16 data_len;
> > - int offset;
> > u8 *data;
> > int rc;
> >
> > @@ -495,14 +493,8 @@ static int tpm2_unseal_cmd(struct tpm_chip
> > *chip,
> > tpm_buf_append_u16(&buf, options->blobauth_len);
> > tpm_buf_append(&buf, options->blobauth, options-
> > >blobauth_len);
> >
> > - if (tpm2_chip_auth(chip)) {
> > + if (tpm2_chip_auth(chip))
>
> Since the statement above is that the if is always true, why do you
> still have it here?
This is still necessary for !TCG_TPM2_HMAC case. The commit is pretty
much exactly in its described scope.
>
> Regards,
>
> James
>
BR, Jarkko
^ permalink raw reply
* Re: [PATCH V2 1/1] IMA event log trimming
From: steven chen @ 2026-01-02 14:33 UTC (permalink / raw)
To: Mimi Zohar, linux-integrity
Cc: roberto.sassu, dmitry.kasatkin, eric.snowberg, corbet, serge,
paul, jmorris, linux-security-module, anirudhve, gregorylumen,
nramas, sushring, linux-doc, steven chen
In-Reply-To: <9a26898f46406314be1308e5416c0d51cedf44a4.camel@linux.ibm.com>
On 12/23/2025 2:32 PM, Mimi Zohar wrote:
> On Tue, 2025-12-16 at 11:59 -0800, steven chen wrote:
>>>>> +{
>>>>> + struct ima_queue_entry *qe, *qe_tmp;
>>>>> + LIST_HEAD(ima_measurements_staged);
>>>>> + unsigned int i;
>>>>> + long cur = number_logs;
>>> The variable name "number_logs" is confusing. As I mentioned in the patch
>>> description, there is one measurement list with multiple records. There aren't
>>> multiple logs in the kernel (other than the staged list).
>> Will update it to "req_value". Thanks!
> Please refer to the section titled "Naming" in Documentation/process/coding-
> style.rst. Since this is the number of records being deleted, perhaps a better
> variable name would be "num_records".
>
Will update. Thanks
Steven
^ permalink raw reply
* Re: [PATCH v2 1/2] dt-bindings: tpm: Add st,st33tphf2ei2c
From: Shawn Guo @ 2025-12-31 2:25 UTC (permalink / raw)
To: Marek Vasut
Cc: linux-arm-kernel, Krzysztof Kozlowski, Conor Dooley,
Fabio Estevam, Jarkko Sakkinen, Jason Gunthorpe,
Krzysztof Kozlowski, Lukas Wunner, Pengutronix Kernel Team,
Peter Huewe, Rob Herring, Sascha Hauer, devicetree, imx,
linux-integrity, linux-kernel
In-Reply-To: <20251230014047.149677-1-marek.vasut@mailbox.org>
On Tue, Dec 30, 2025 at 02:40:34AM +0100, Marek Vasut wrote:
> Add the ST chip st33tphf2ei2c to the supported compatible strings of the
> TPM TIS I2C schema. The chip is compliant with the TCG PC Client TPM
> Profile specification.
>
> For reference, a databrief is available at:
> https://www.st.com/resource/en/data_brief/st33tphf2ei2c.pdf
>
> Acked-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
> Signed-off-by: Marek Vasut <marek.vasut@mailbox.org>
Applied both, thanks!
^ permalink raw reply
* [PATCH v2 2/2] arm64: dts: imx8mp: Update Data Modul i.MX8M Plus eDM SBC DT to rev.903
From: Marek Vasut @ 2025-12-30 1:40 UTC (permalink / raw)
To: linux-arm-kernel
Cc: Marek Vasut, Conor Dooley, Fabio Estevam, Jarkko Sakkinen,
Jason Gunthorpe, Krzysztof Kozlowski, Lukas Wunner,
Pengutronix Kernel Team, Peter Huewe, Rob Herring, Sascha Hauer,
Shawn Guo, devicetree, imx, linux-integrity, linux-kernel
In-Reply-To: <20251230014047.149677-1-marek.vasut@mailbox.org>
Update the DT to match newest Data Modul i.MX8M Plus eDM SBC rev.903
board which implements significant changes. Keep some of the rev.900
and rev.902 nodes in the DT so that a DTO can be used to support old
rev.900 and rev.902 boards easily.
The changes from rev.900 to rev.902 are:
- Both ethernet PHYs replaced from AR8031 to BCM54213PE
- Both ethernet PHYs MDIO address changed
- PCIe WiFi now comes with dedicated regulator
- I2C TPM chip address
- Additional GPIO expander for LVDS panel control added
- Current EEPROM I2C address changed
- Another optional EEPROM added onto another I2C bus
The changes from rev.902 to rev.903 are:
- Additional GPIO expander for WiFi and LVDS panel control added
- Multiple GPIOs are reassigned
Signed-off-by: Marek Vasut <marek.vasut@mailbox.org>
---
Cc: Conor Dooley <conor+dt@kernel.org>
Cc: Fabio Estevam <festevam@gmail.com>
Cc: Jarkko Sakkinen <jarkko@kernel.org>
Cc: Jason Gunthorpe <jgg@ziepe.ca>
Cc: Krzysztof Kozlowski <krzk+dt@kernel.org>
Cc: Lukas Wunner <lukas@wunner.de>
Cc: Pengutronix Kernel Team <kernel@pengutronix.de>
Cc: Peter Huewe <peterhuewe@gmx.de>
Cc: Rob Herring <robh@kernel.org>
Cc: Sascha Hauer <s.hauer@pengutronix.de>
Cc: Shawn Guo <shawnguo@kernel.org>
Cc: devicetree@vger.kernel.org
Cc: imx@lists.linux.dev
Cc: linux-arm-kernel@lists.infradead.org
Cc: linux-integrity@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
---
V2: - Rebase on current next, update email address
---
.../freescale/imx8mp-data-modul-edm-sbc.dts | 148 +++++++++++++++---
1 file changed, 129 insertions(+), 19 deletions(-)
diff --git a/arch/arm64/boot/dts/freescale/imx8mp-data-modul-edm-sbc.dts b/arch/arm64/boot/dts/freescale/imx8mp-data-modul-edm-sbc.dts
index 16078ff60ef08..7e46537a22a01 100644
--- a/arch/arm64/boot/dts/freescale/imx8mp-data-modul-edm-sbc.dts
+++ b/arch/arm64/boot/dts/freescale/imx8mp-data-modul-edm-sbc.dts
@@ -93,6 +93,17 @@ reg_panel_vcc: regulator-panel-vcc {
status = "disabled";
};
+ reg_pcie0: regulator-pcie {
+ compatible = "regulator-fixed";
+ pinctrl-names = "default";
+ pinctrl-0 = <&pinctrl_wifi>;
+ regulator-name = "WIFI_BT_RST#";
+ regulator-min-microvolt = <3300000>;
+ regulator-max-microvolt = <3300000>;
+ gpio = <&gpio2 2 GPIO_ACTIVE_HIGH>;
+ enable-active-high;
+ };
+
reg_usdhc2_vmmc: regulator-usdhc2-vmmc {
compatible = "regulator-fixed";
pinctrl-names = "default";
@@ -190,7 +201,7 @@ &ecspi3 { /* Display connector SPI */
&eqos { /* First ethernet */
pinctrl-names = "default";
pinctrl-0 = <&pinctrl_eqos>;
- phy-handle = <&phy_eqos>;
+ phy-handle = <&phy_eqos_bcm>;
phy-mode = "rgmii-id";
status = "okay";
@@ -200,7 +211,7 @@ mdio {
#size-cells = <0>;
/* Atheros AR8031 PHY */
- phy_eqos: ethernet-phy@0 {
+ phy_eqos_ath: ethernet-phy@0 {
compatible = "ethernet-phy-ieee802.3-c22";
reg = <0>;
/*
@@ -213,6 +224,7 @@ phy_eqos: ethernet-phy@0 {
reset-deassert-us = <10000>;
qca,keep-pll-enabled;
vddio-supply = <&vddio_eqos>;
+ status = "disabled";
vddio_eqos: vddio-regulator {
regulator-name = "VDDIO_EQOS";
@@ -224,13 +236,27 @@ vddh_eqos: vddh-regulator {
regulator-name = "VDDH_EQOS";
};
};
+
+ /* Broadcom BCM54213PE PHY */
+ phy_eqos_bcm: ethernet-phy@1 {
+ compatible = "ethernet-phy-ieee802.3-c22";
+ reg = <1>;
+ /*
+ * Dedicated ENET_INT# and ENET_WOL# signals are
+ * unused, the PHY does not provide cable detect
+ * interrupt.
+ */
+ reset-gpios = <&gpio1 15 GPIO_ACTIVE_LOW>;
+ reset-assert-us = <10000>;
+ reset-deassert-us = <10000>;
+ };
};
};
&fec { /* Second ethernet */
pinctrl-names = "default";
pinctrl-0 = <&pinctrl_fec>;
- phy-handle = <&phy_fec>;
+ phy-handle = <&phy_fec_bcm>;
phy-mode = "rgmii-id";
fsl,magic-packet;
status = "okay";
@@ -240,7 +266,7 @@ mdio {
#size-cells = <0>;
/* Atheros AR8031 PHY */
- phy_fec: ethernet-phy@0 {
+ phy_fec_ath: ethernet-phy@0 {
compatible = "ethernet-phy-ieee802.3-c22";
reg = <0>;
/*
@@ -253,6 +279,7 @@ phy_fec: ethernet-phy@0 {
reset-deassert-us = <10000>;
qca,keep-pll-enabled;
vddio-supply = <&vddio_fec>;
+ status = "disabled";
vddio_fec: vddio-regulator {
regulator-name = "VDDIO_FEC";
@@ -264,6 +291,20 @@ vddh_fec: vddh-regulator {
regulator-name = "VDDH_FEC";
};
};
+
+ /* Broadcom BCM54213PE PHY */
+ phy_fec_bcm: ethernet-phy@1 {
+ compatible = "ethernet-phy-ieee802.3-c22";
+ reg = <1>;
+ /*
+ * Dedicated ENET_INT# and ENET_WOL# signals are
+ * unused, the PHY does not provide cable detect
+ * interrupt.
+ */
+ reset-gpios = <&gpio2 9 GPIO_ACTIVE_LOW>;
+ reset-assert-us = <10000>;
+ reset-deassert-us = <10000>;
+ };
};
};
@@ -378,13 +419,26 @@ usb-hub@2c {
self-powered;
};
- eeprom: eeprom@50 {
+ tpm: tpm@2e {
+ compatible = "st,st33tphf2ei2c", "tcg,tpm-tis-i2c";
+ reg = <0x2e>;
+ };
+
+ eeprom900: eeprom@50 { /* board rev.900 */
compatible = "atmel,24c32";
reg = <0x50>;
pagesize = <32>;
+ status = "disabled";
+ };
+
+ eeprom902: eeprom@51 { /* board rev.902 */
+ compatible = "atmel,24c32";
+ reg = <0x51>;
+ pagesize = <32>;
};
rtc: rtc@68 {
+ #clock-cells = <1>;
compatible = "st,m41t62";
reg = <0x68>;
pinctrl-names = "default";
@@ -408,6 +462,46 @@ &i2c2 {
scl-gpios = <&gpio5 16 (GPIO_ACTIVE_HIGH | GPIO_OPEN_DRAIN)>;
sda-gpios = <&gpio5 17 (GPIO_ACTIVE_HIGH | GPIO_OPEN_DRAIN)>;
status = "okay";
+
+ gpiolvds: io-expander@20 {
+ compatible = "nxp,pca9554";
+ reg = <0x20>;
+ gpio-controller;
+ #gpio-cells = <2>;
+ gpio-line-names =
+ "BL_ENABLE_V", "SEL_BL_12V",
+ "SEL_PANEL_5V", "SEL_PANEL_12V",
+ "SEL_BL_PWM", "SEL_BL_EN",
+ "REVERSE_SCAN_PANEL", "GND_REV903";
+ };
+
+ gpiowifi: io-expander@21 {
+ compatible = "nxp,pca9554";
+ reg = <0x21>;
+ gpio-controller;
+ #gpio-cells = <2>;
+ gpio-line-names =
+ "BL_LVDS_ENABLE_3V3", "BL_LVDS_PWM_3V3",
+ "M2_BT_WAKE_3V3#", "M2_W_DISABLE2_3V3#",
+ "TFT_PANEL_ENABLE_3V3", "TPM_RESET_3V3#",
+ "CSI2_PD_3V3", "CSI2_RESET_3V3#";
+
+ /* BL_LVDS_PWM_3V3 is patch-wired to BL_PWM_3V3 on rev.903 */
+ pwm-input-hog {
+ gpio-hog;
+ gpios = <1 0>;
+ input;
+ line-name = "BL_LVDS_PWM_3V3_HOG";
+ };
+ };
+
+ eepromlvds: eeprom@51 {
+ compatible = "atmel,24c32";
+ reg = <0x51>;
+ pagesize = <32>;
+ /* Optional EEPROM, disabled by default. */
+ status = "disabled";
+ };
};
&i2c3 {
@@ -521,6 +615,7 @@ &pcie {
pinctrl-0 = <&pinctrl_pcie0>;
fsl,max-link-speed = <3>;
reset-gpio = <&gpio1 5 GPIO_ACTIVE_LOW>;
+ vpcie-supply = <®_pcie0>;
status = "okay";
};
@@ -598,7 +693,17 @@ &uart3 { /* A53 Debug */
&uart4 {
pinctrl-names = "default";
pinctrl-0 = <&pinctrl_uart4>;
- status = "disabled";
+ uart-has-rtscts;
+ status = "okay";
+
+ bluetooth {
+ compatible = "infineon,cyw55572-bt";
+ brcm,requires-autobaud-mode;
+ clocks = <&rtc 0>;
+ clock-names = "txco";
+ max-speed = <921600>;
+ shutdown-gpios = <&gpiowifi 3 GPIO_ACTIVE_HIGH>;
+ };
};
&usb3_phy0 {
@@ -686,8 +791,6 @@ MX8MP_IOMUXC_ENET_RD2__ENET_QOS_RGMII_RD2 0x91
MX8MP_IOMUXC_ENET_RD3__ENET_QOS_RGMII_RD3 0x91
/* ENET_RST# */
MX8MP_IOMUXC_GPIO1_IO15__GPIO1_IO15 0x6
- /* ENET_INT# */
- MX8MP_IOMUXC_GPIO1_IO11__GPIO1_IO11 0x40000090
>;
};
@@ -709,8 +812,6 @@ MX8MP_IOMUXC_SAI1_TXD4__ENET1_RGMII_TX_CTL 0x1f
MX8MP_IOMUXC_SAI1_TXD5__ENET1_RGMII_TXC 0x1f
/* ENET2_RST# */
MX8MP_IOMUXC_SD1_DATA7__GPIO2_IO09 0x6
- /* ENET2_INT# */
- MX8MP_IOMUXC_SD1_DATA0__GPIO2_IO02 0x40000090
>;
};
@@ -754,10 +855,6 @@ MX8MP_IOMUXC_GPIO1_IO10__GPIO1_IO10 0x40000090
/* PG_V_IN_VAR# */
MX8MP_IOMUXC_NAND_CE0_B__GPIO3_IO01 0x40000000
- /* CSI2_PD_1V8 */
- MX8MP_IOMUXC_NAND_DATA02__GPIO3_IO08 0x0
- /* CSI2_RESET_1V8# */
- MX8MP_IOMUXC_NAND_DATA03__GPIO3_IO09 0x0
/* DIS_USB_DN1 */
MX8MP_IOMUXC_SAI2_RXFS__GPIO4_IO21 0x0
@@ -771,8 +868,14 @@ MX8MP_IOMUXC_SAI5_RXD0__GPIO3_IO21 0x0
/* GRAPHICS_PRSNT_1V8# */
MX8MP_IOMUXC_SAI1_TXD6__GPIO4_IO18 0x40000000
+ /* TOUCH_RESET_3V3# */
+ MX8MP_IOMUXC_GPIO1_IO00__GPIO1_IO00 0x2
+ /* TOUCH_INT# */
+ MX8MP_IOMUXC_GPIO1_IO10__GPIO1_IO10 0x40000140
/* CLK_CCM_CLKO1_3V3 */
MX8MP_IOMUXC_GPIO1_IO14__CCM_CLKO1 0x10
+ /* ENET_INT# (rev.900,901) or M2_WDIS_BTIRQ_3V3# (rev.903) */
+ MX8MP_IOMUXC_GPIO1_IO11__GPIO1_IO11 0x40000092
>;
};
@@ -875,12 +978,10 @@ pinctrl_pcie0: pcie-grp {
fsl,pins = <
/* M2_PCIE_RST# */
MX8MP_IOMUXC_GPIO1_IO05__GPIO1_IO05 0x2
- /* M2_W_DISABLE1_1V8# */
+ /* M2_PCIE_WAKE_1V8# */
MX8MP_IOMUXC_SAI5_RXD2__GPIO3_IO23 0x2
- /* M2_W_DISABLE2_1V8# */
- MX8MP_IOMUXC_SAI5_RXD3__GPIO3_IO24 0x2
- /* CLK_M2_32K768 */
- MX8MP_IOMUXC_GPIO1_IO00__CCM_EXT_CLK1 0x14
+ /* M2_UART_WAKE_1V8# */
+ MX8MP_IOMUXC_SAI5_RXD3__GPIO3_IO24 0x40000002
/* M2_PCIE_WAKE# */
MX8MP_IOMUXC_GPIO1_IO06__GPIO1_IO06 0x40000140
/* M2_PCIE_CLKREQ# */
@@ -974,6 +1075,8 @@ pinctrl_uart4: uart4-grp {
fsl,pins = <
MX8MP_IOMUXC_UART4_RXD__UART4_DCE_RX 0x49
MX8MP_IOMUXC_UART4_TXD__UART4_DCE_TX 0x49
+ MX8MP_IOMUXC_NAND_DATA02__UART4_DCE_CTS 0x149
+ MX8MP_IOMUXC_NAND_DATA03__UART4_DCE_RTS 0x149
>;
};
@@ -1100,4 +1203,11 @@ MX8MP_IOMUXC_SPDIF_EXT_CLK__GPIO5_IO05 0x6
MX8MP_IOMUXC_SD1_DATA6__GPIO2_IO08 0x26
>;
};
+
+ pinctrl_wifi: wifi-grp {
+ fsl,pins = <
+ /* WIFI_BT_RST_3V3# */
+ MX8MP_IOMUXC_SD1_DATA0__GPIO2_IO02 0x40000090
+ >;
+ };
};
--
2.51.0
^ permalink raw reply related
* [PATCH v2 1/2] dt-bindings: tpm: Add st,st33tphf2ei2c
From: Marek Vasut @ 2025-12-30 1:40 UTC (permalink / raw)
To: linux-arm-kernel
Cc: Marek Vasut, Krzysztof Kozlowski, Conor Dooley, Fabio Estevam,
Jarkko Sakkinen, Jason Gunthorpe, Krzysztof Kozlowski,
Lukas Wunner, Pengutronix Kernel Team, Peter Huewe, Rob Herring,
Sascha Hauer, Shawn Guo, devicetree, imx, linux-integrity,
linux-kernel
Add the ST chip st33tphf2ei2c to the supported compatible strings of the
TPM TIS I2C schema. The chip is compliant with the TCG PC Client TPM
Profile specification.
For reference, a databrief is available at:
https://www.st.com/resource/en/data_brief/st33tphf2ei2c.pdf
Acked-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Signed-off-by: Marek Vasut <marek.vasut@mailbox.org>
---
Cc: Conor Dooley <conor+dt@kernel.org>
Cc: Fabio Estevam <festevam@gmail.com>
Cc: Jarkko Sakkinen <jarkko@kernel.org>
Cc: Jason Gunthorpe <jgg@ziepe.ca>
Cc: Krzysztof Kozlowski <krzk+dt@kernel.org>
Cc: Lukas Wunner <lukas@wunner.de>
Cc: Pengutronix Kernel Team <kernel@pengutronix.de>
Cc: Peter Huewe <peterhuewe@gmx.de>
Cc: Rob Herring <robh@kernel.org>
Cc: Sascha Hauer <s.hauer@pengutronix.de>
Cc: Shawn Guo <shawnguo@kernel.org>
Cc: devicetree@vger.kernel.org
Cc: imx@lists.linux.dev
Cc: linux-arm-kernel@lists.infradead.org
Cc: linux-integrity@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
---
V2: - Rebase on current next, update email address
- Add AB from Krzysztof
---
Documentation/devicetree/bindings/tpm/tcg,tpm-tis-i2c.yaml | 1 +
1 file changed, 1 insertion(+)
diff --git a/Documentation/devicetree/bindings/tpm/tcg,tpm-tis-i2c.yaml b/Documentation/devicetree/bindings/tpm/tcg,tpm-tis-i2c.yaml
index af7720dc4a12c..fdd7fd874e01e 100644
--- a/Documentation/devicetree/bindings/tpm/tcg,tpm-tis-i2c.yaml
+++ b/Documentation/devicetree/bindings/tpm/tcg,tpm-tis-i2c.yaml
@@ -33,6 +33,7 @@ properties:
- infineon,slb9673
- nuvoton,npct75x
- st,st33ktpm2xi2c
+ - st,st33tphf2ei2c
- const: tcg,tpm-tis-i2c
- description: TPM 1.2 and 2.0 chips with vendor-specific I²C interface
--
2.51.0
^ permalink raw reply related
* Re: [PATCH v3] ima: Fix stack-out-of-bounds in is_bprm_creds_for_exec()
From: Mimi Zohar @ 2025-12-29 21:13 UTC (permalink / raw)
To: Chris J Arges, roberto.sassu
Cc: kernel-team, Dmitry Kasatkin, Eric Snowberg, Paul Moore,
James Morris, Serge E. Hallyn, Mickaël Salaün,
Kees Cook, linux-integrity, linux-security-module, linux-kernel
In-Reply-To: <20251228031914.47618-1-carges@cloudflare.com>
On Sat, 2025-12-27 at 21:18 -0600, Chris J Arges wrote:
> KASAN reported a stack-out-of-bounds access in ima_appraise_measurement
> from is_bprm_creds_for_exec:
>
> BUG: KASAN: stack-out-of-bounds in ima_appraise_measurement+0x12dc/0x16a0
> Read of size 1 at addr ffffc9000160f940 by task sudo/550
> The buggy address belongs to stack of task sudo/550
> and is located at offset 24 in frame:
> ima_appraise_measurement+0x0/0x16a0
> This frame has 2 objects:
> [48, 56) 'file'
> [80, 148) 'hash'
>
> This is caused by using container_of on the *file pointer. This offset
> calculation is what triggers the stack-out-of-bounds error.
>
> In order to fix this, pass in a bprm_is_check boolean which can be set
> depending on how process_measurement is called. If the caller has a
> linux_binprm pointer and the function is BPRM_CHECK we can determine
> is_check and set it then. Otherwise set it to false.
>
> Fixes: 95b3cdafd7cb7 ("ima: instantiate the bprm_creds_for_exec() hook")
>
> Signed-off-by: Chris J Arges <carges@cloudflare.com>
Thanks, Chris. The patch is now queued in the linux-integrity/next-integrity
branch.
Mimi
^ permalink raw reply
* [PATCH RFC] ima: Fallback to a ctime guard without i_version updates
From: Frederick Lawler @ 2025-12-29 17:52 UTC (permalink / raw)
To: Mimi Zohar, Roberto Sassu, Dmitry Kasatkin, Eric Snowberg,
Paul Moore, James Morris, Serge E. Hallyn, Darrick J. Wong,
Christian Brauner, Josef Bacik, Jeff Layton
Cc: linux-kernel, linux-integrity, linux-security-module, kernel-team,
Frederick Lawler
Since commit 1cf7e834a6fb ("xfs: switch to multigrain timestamps"), IMA
is no longer able to correctly track inode.i_version due to the struct
kstat.change_cookie no longer containing an updated i_version.
Introduce a fallback mechanism for IMA that instead tracks a
integrity_ctime_guard() in absence of or outdated i_version
for stacked file systems.
EVM is left alone since it mostly cares about the backing inode.
Link: https://lore.kernel.org/all/aTspr4_h9IU4EyrR@CMGLRV3
Fixes: 1cf7e834a6fb ("xfs: switch to multigrain timestamps")
Suggested-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Frederick Lawler <fred@cloudflare.com>
---
The motivation behind this was that file systems that use the
cookie to set the i_version for stacked file systems may still do so.
Then add in the ctime_guard as a fallback if there's a detected change.
The assumption is that the ctime will be different if the i_version is
different anyway for non-stacked file systems.
I'm not too pleased with passing in struct file* to
integrity_inode_attrs_changed() since EVM doesn't currently use
that for now, but I couldn't come up with another idea to get the
stat without coming up with a new stat function to accommodate just
the file path, fully separate out IMA/EVM checks, or lastly add stacked
file system support to EVM (which doesn't make much sense to me
at the moment).
I plan on adding in self test infrastructure for the v1, but I would
like to get some early feedback on the approach first.
---
include/linux/integrity.h | 29 ++++++++++++++++++++++++-----
security/integrity/evm/evm_crypto.c | 2 +-
security/integrity/evm/evm_main.c | 2 +-
security/integrity/ima/ima_api.c | 21 +++++++++++++++------
security/integrity/ima/ima_main.c | 17 ++++++++++-------
5 files changed, 51 insertions(+), 20 deletions(-)
diff --git a/include/linux/integrity.h b/include/linux/integrity.h
index f5842372359be5341b6870a43b92e695e8fc78af..4964c0f2bbda0ca450d135b9b738bc92256c375a 100644
--- a/include/linux/integrity.h
+++ b/include/linux/integrity.h
@@ -31,19 +31,27 @@ static inline void integrity_load_keys(void)
/* An inode's attributes for detection of changes */
struct integrity_inode_attributes {
+ u64 ctime_guard;
u64 version; /* track inode changes */
unsigned long ino;
dev_t dev;
};
+static inline u64 integrity_ctime_guard(struct kstat stat)
+{
+ return stat.ctime.tv_sec ^ stat.ctime.tv_nsec;
+}
+
/*
* On stacked filesystems the i_version alone is not enough to detect file data
* or metadata change. Additional metadata is required.
*/
static inline void
integrity_inode_attrs_store(struct integrity_inode_attributes *attrs,
- u64 i_version, const struct inode *inode)
+ u64 i_version, u64 ctime_guard,
+ const struct inode *inode)
{
+ attrs->ctime_guard = ctime_guard;
attrs->version = i_version;
attrs->dev = inode->i_sb->s_dev;
attrs->ino = inode->i_ino;
@@ -54,11 +62,22 @@ integrity_inode_attrs_store(struct integrity_inode_attributes *attrs,
*/
static inline bool
integrity_inode_attrs_changed(const struct integrity_inode_attributes *attrs,
- const struct inode *inode)
+ struct file *file, struct inode *inode)
{
- return (inode->i_sb->s_dev != attrs->dev ||
- inode->i_ino != attrs->ino ||
- !inode_eq_iversion(inode, attrs->version));
+ struct kstat stat;
+
+ if (inode->i_sb->s_dev != attrs->dev ||
+ inode->i_ino != attrs->ino)
+ return true;
+
+ if (inode_eq_iversion(inode, attrs->version))
+ return false;
+
+ if (!file || vfs_getattr_nosec(&file->f_path, &stat, STATX_CTIME,
+ AT_STATX_SYNC_AS_STAT))
+ return true;
+
+ return attrs->ctime_guard != integrity_ctime_guard(stat);
}
diff --git a/security/integrity/evm/evm_crypto.c b/security/integrity/evm/evm_crypto.c
index a5e730ffda57fbc0a91124adaa77b946a12d08b4..2d89c0e8d9360253f8dad52d2a8168127bb4d3b8 100644
--- a/security/integrity/evm/evm_crypto.c
+++ b/security/integrity/evm/evm_crypto.c
@@ -300,7 +300,7 @@ static int evm_calc_hmac_or_hash(struct dentry *dentry,
if (IS_I_VERSION(inode))
i_version = inode_query_iversion(inode);
integrity_inode_attrs_store(&iint->metadata_inode, i_version,
- inode);
+ 0, inode);
}
/* Portable EVM signatures must include an IMA hash */
diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
index 73d500a375cb37a54f295b0e1e93fd6e5d9ecddc..0712802628fd6533383f9855687e19bef7b771c7 100644
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -754,7 +754,7 @@ bool evm_metadata_changed(struct inode *inode, struct inode *metadata_inode)
if (iint) {
ret = (!IS_I_VERSION(metadata_inode) ||
integrity_inode_attrs_changed(&iint->metadata_inode,
- metadata_inode));
+ NULL, metadata_inode));
if (ret)
iint->evm_status = INTEGRITY_UNKNOWN;
}
diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
index c35ea613c9f8d404ba4886e3b736c3bab29d1668..72bba8daa588a0f4e45e4249276edb54ca3d77ef 100644
--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -254,6 +254,7 @@ int ima_collect_measurement(struct ima_iint_cache *iint, struct file *file,
int length;
void *tmpbuf;
u64 i_version = 0;
+ u64 ctime_guard = 0;
/*
* Always collect the modsig, because IMA might have already collected
@@ -272,10 +273,16 @@ int ima_collect_measurement(struct ima_iint_cache *iint, struct file *file,
* to an initial measurement/appraisal/audit, but was modified to
* assume the file changed.
*/
- result = vfs_getattr_nosec(&file->f_path, &stat, STATX_CHANGE_COOKIE,
+ result = vfs_getattr_nosec(&file->f_path, &stat,
+ STATX_CHANGE_COOKIE | STATX_CTIME,
AT_STATX_SYNC_AS_STAT);
- if (!result && (stat.result_mask & STATX_CHANGE_COOKIE))
- i_version = stat.change_cookie;
+ if (!result) {
+ if (stat.result_mask & STATX_CHANGE_COOKIE)
+ i_version = stat.change_cookie;
+
+ if (stat.result_mask & STATX_CTIME)
+ ctime_guard = integrity_ctime_guard(stat);
+ }
hash.hdr.algo = algo;
hash.hdr.length = hash_digest_size[algo];
@@ -305,11 +312,13 @@ int ima_collect_measurement(struct ima_iint_cache *iint, struct file *file,
iint->ima_hash = tmpbuf;
memcpy(iint->ima_hash, &hash, length);
- if (real_inode == inode)
+ if (real_inode == inode) {
iint->real_inode.version = i_version;
- else
+ iint->real_inode.ctime_guard = ctime_guard;
+ } else {
integrity_inode_attrs_store(&iint->real_inode, i_version,
- real_inode);
+ ctime_guard, real_inode);
+ }
/* Possibly temporary failure due to type of read (eg. O_DIRECT) */
if (!result)
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 5770cf691912aa912fc65280c59f5baac35dd725..6051ea4a472fc0b0dd7b4e81da36eff8bd048c62 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -22,6 +22,7 @@
#include <linux/mount.h>
#include <linux/mman.h>
#include <linux/slab.h>
+#include <linux/stat.h>
#include <linux/xattr.h>
#include <linux/ima.h>
#include <linux/fs.h>
@@ -185,6 +186,7 @@ static void ima_check_last_writer(struct ima_iint_cache *iint,
{
fmode_t mode = file->f_mode;
bool update;
+ int ret;
if (!(mode & FMODE_WRITE))
return;
@@ -197,12 +199,13 @@ static void ima_check_last_writer(struct ima_iint_cache *iint,
update = test_and_clear_bit(IMA_UPDATE_XATTR,
&iint->atomic_flags);
- if ((iint->flags & IMA_NEW_FILE) ||
- vfs_getattr_nosec(&file->f_path, &stat,
- STATX_CHANGE_COOKIE,
- AT_STATX_SYNC_AS_STAT) ||
- !(stat.result_mask & STATX_CHANGE_COOKIE) ||
- stat.change_cookie != iint->real_inode.version) {
+ ret = vfs_getattr_nosec(&file->f_path, &stat,
+ STATX_CHANGE_COOKIE | STATX_CTIME,
+ AT_STATX_SYNC_AS_STAT);
+ if ((iint->flags & IMA_NEW_FILE) || ret ||
+ (!ret && stat.change_cookie != iint->real_inode.version) ||
+ (!ret && integrity_ctime_guard(stat) !=
+ iint->real_inode.ctime_guard)) {
iint->flags &= ~(IMA_DONE_MASK | IMA_NEW_FILE);
iint->measured_pcrs = 0;
if (update)
@@ -330,7 +333,7 @@ static int process_measurement(struct file *file, const struct cred *cred,
(action & IMA_DO_MASK) && (iint->flags & IMA_DONE_MASK)) {
if (!IS_I_VERSION(real_inode) ||
integrity_inode_attrs_changed(&iint->real_inode,
- real_inode)) {
+ file, real_inode)) {
iint->flags &= ~IMA_DONE_MASK;
iint->measured_pcrs = 0;
}
---
base-commit: 8f0b4cce4481fb22653697cced8d0d04027cb1e8
change-id: 20251212-xfs-ima-fixup-931780a62c2c
Best regards,
--
Frederick Lawler <fred@cloudflare.com>
^ permalink raw reply related
* Re: [syzbot] [lsm?] [integrity?] INFO: task hung in process_measurement (3)
From: syzbot @ 2025-12-28 6:29 UTC (permalink / raw)
To: bfoster, dmitry.kasatkin, eric.snowberg, jmorris, kent.overstreet,
linux-bcachefs, linux-integrity, linux-kernel,
linux-security-module, paul, roberto.sassu, serge, syzkaller-bugs,
torvalds, zohar
In-Reply-To: <682e11b1.050a0220.ade60.09e5.GAE@google.com>
syzbot suspects this issue was fixed by commit:
commit f2c61db29f277b9c80de92102fc532cc247495cd
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date: Mon Sep 29 20:43:52 2025 +0000
Remove bcachefs core code
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=10499e2a580000
start commit: 172a9d94339c Merge tag '6.15-rc6-smb3-client-fixes' of git..
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=ea35e429f965296e
dashboard link: https://syzkaller.appspot.com/bug?extid=cb9e66807bcb882cd0c5
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16836e70580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1617a2d4580000
If the result looks correct, please mark the issue as fixed by replying with:
#syz fix: Remove bcachefs core code
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
^ permalink raw reply
* [PATCH v3] ima: Fix stack-out-of-bounds in is_bprm_creds_for_exec()
From: Chris J Arges @ 2025-12-28 3:18 UTC (permalink / raw)
To: zohar, roberto.sassu
Cc: kernel-team, Chris J Arges, Dmitry Kasatkin, Eric Snowberg,
Paul Moore, James Morris, Serge E. Hallyn,
Mickaël Salaün, Kees Cook, linux-integrity,
linux-security-module, linux-kernel
In-Reply-To: <3aeed1ff9388f09555bf5c6ade03cbe9ce93ff14.camel@linux.ibm.com>
KASAN reported a stack-out-of-bounds access in ima_appraise_measurement
from is_bprm_creds_for_exec:
BUG: KASAN: stack-out-of-bounds in ima_appraise_measurement+0x12dc/0x16a0
Read of size 1 at addr ffffc9000160f940 by task sudo/550
The buggy address belongs to stack of task sudo/550
and is located at offset 24 in frame:
ima_appraise_measurement+0x0/0x16a0
This frame has 2 objects:
[48, 56) 'file'
[80, 148) 'hash'
This is caused by using container_of on the *file pointer. This offset
calculation is what triggers the stack-out-of-bounds error.
In order to fix this, pass in a bprm_is_check boolean which can be set
depending on how process_measurement is called. If the caller has a
linux_binprm pointer and the function is BPRM_CHECK we can determine
is_check and set it then. Otherwise set it to false.
Fixes: 95b3cdafd7cb7 ("ima: instantiate the bprm_creds_for_exec() hook")
Signed-off-by: Chris J Arges <carges@cloudflare.com>
---
security/integrity/ima/ima.h | 6 ++++--
security/integrity/ima/ima_appraise.c | 16 +++-------------
security/integrity/ima/ima_main.c | 22 +++++++++++++---------
3 files changed, 20 insertions(+), 24 deletions(-)
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index e3d71d8d56e3..89ebe98ffc5e 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -441,7 +441,8 @@ int ima_check_blacklist(struct ima_iint_cache *iint,
int ima_appraise_measurement(enum ima_hooks func, struct ima_iint_cache *iint,
struct file *file, const unsigned char *filename,
struct evm_ima_xattr_data *xattr_value,
- int xattr_len, const struct modsig *modsig);
+ int xattr_len, const struct modsig *modsig,
+ bool bprm_is_check);
int ima_must_appraise(struct mnt_idmap *idmap, struct inode *inode,
int mask, enum ima_hooks func);
void ima_update_xattr(struct ima_iint_cache *iint, struct file *file);
@@ -466,7 +467,8 @@ static inline int ima_appraise_measurement(enum ima_hooks func,
const unsigned char *filename,
struct evm_ima_xattr_data *xattr_value,
int xattr_len,
- const struct modsig *modsig)
+ const struct modsig *modsig,
+ bool bprm_is_check)
{
return INTEGRITY_UNKNOWN;
}
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index 5149ff4fd50d..16c20c578ea8 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -470,17 +470,6 @@ int ima_check_blacklist(struct ima_iint_cache *iint,
return rc;
}
-static bool is_bprm_creds_for_exec(enum ima_hooks func, struct file *file)
-{
- struct linux_binprm *bprm;
-
- if (func == BPRM_CHECK) {
- bprm = container_of(&file, struct linux_binprm, file);
- return bprm->is_check;
- }
- return false;
-}
-
/*
* ima_appraise_measurement - appraise file measurement
*
@@ -492,7 +481,8 @@ static bool is_bprm_creds_for_exec(enum ima_hooks func, struct file *file)
int ima_appraise_measurement(enum ima_hooks func, struct ima_iint_cache *iint,
struct file *file, const unsigned char *filename,
struct evm_ima_xattr_data *xattr_value,
- int xattr_len, const struct modsig *modsig)
+ int xattr_len, const struct modsig *modsig,
+ bool bprm_is_check)
{
static const char op[] = "appraise_data";
int audit_msgno = AUDIT_INTEGRITY_DATA;
@@ -514,7 +504,7 @@ int ima_appraise_measurement(enum ima_hooks func, struct ima_iint_cache *iint,
* of the script interpreter(userspace). Differentiate kernel and
* userspace enforced integrity audit messages.
*/
- if (is_bprm_creds_for_exec(func, file))
+ if (bprm_is_check)
audit_msgno = AUDIT_INTEGRITY_USERSPACE;
/* If reading the xattr failed and there's no modsig, error out. */
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 5770cf691912..1d6229b156fb 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -236,7 +236,8 @@ static void ima_file_free(struct file *file)
static int process_measurement(struct file *file, const struct cred *cred,
struct lsm_prop *prop, char *buf, loff_t size,
int mask, enum ima_hooks func,
- enum kernel_read_file_id read_id)
+ enum kernel_read_file_id read_id,
+ bool bprm_is_check)
{
struct inode *real_inode, *inode = file_inode(file);
struct ima_iint_cache *iint = NULL;
@@ -426,7 +427,8 @@ static int process_measurement(struct file *file, const struct cred *cred,
inode_lock(inode);
rc = ima_appraise_measurement(func, iint, file,
pathname, xattr_value,
- xattr_len, modsig);
+ xattr_len, modsig,
+ bprm_is_check);
inode_unlock(inode);
}
if (!rc)
@@ -493,14 +495,15 @@ static int ima_file_mmap(struct file *file, unsigned long reqprot,
if (reqprot & PROT_EXEC) {
ret = process_measurement(file, current_cred(), &prop, NULL,
- 0, MAY_EXEC, MMAP_CHECK_REQPROT, 0);
+ 0, MAY_EXEC, MMAP_CHECK_REQPROT, 0,
+ false);
if (ret)
return ret;
}
if (prot & PROT_EXEC)
return process_measurement(file, current_cred(), &prop, NULL,
- 0, MAY_EXEC, MMAP_CHECK, 0);
+ 0, MAY_EXEC, MMAP_CHECK, 0, false);
return 0;
}
@@ -584,7 +587,8 @@ static int ima_bprm_check(struct linux_binprm *bprm)
security_current_getlsmprop_subj(&prop);
return process_measurement(bprm->file, current_cred(),
- &prop, NULL, 0, MAY_EXEC, BPRM_CHECK, 0);
+ &prop, NULL, 0, MAY_EXEC, BPRM_CHECK, 0,
+ bprm->is_check);
}
/**
@@ -614,7 +618,7 @@ static int ima_creds_check(struct linux_binprm *bprm, const struct file *file)
security_current_getlsmprop_subj(&prop);
return process_measurement((struct file *)file, bprm->cred, &prop, NULL,
- 0, MAY_EXEC, CREDS_CHECK, 0);
+ 0, MAY_EXEC, CREDS_CHECK, 0, false);
}
/**
@@ -662,7 +666,7 @@ static int ima_file_check(struct file *file, int mask)
security_current_getlsmprop_subj(&prop);
return process_measurement(file, current_cred(), &prop, NULL, 0,
mask & (MAY_READ | MAY_WRITE | MAY_EXEC |
- MAY_APPEND), FILE_CHECK, 0);
+ MAY_APPEND), FILE_CHECK, 0, false);
}
static int __ima_inode_hash(struct inode *inode, struct file *file, char *buf,
@@ -881,7 +885,7 @@ static int ima_read_file(struct file *file, enum kernel_read_file_id read_id,
func = read_idmap[read_id] ?: FILE_CHECK;
security_current_getlsmprop_subj(&prop);
return process_measurement(file, current_cred(), &prop, NULL, 0,
- MAY_READ, func, 0);
+ MAY_READ, func, 0, false);
}
const int read_idmap[READING_MAX_ID] = {
@@ -925,7 +929,7 @@ static int ima_post_read_file(struct file *file, char *buf, loff_t size,
func = read_idmap[read_id] ?: FILE_CHECK;
security_current_getlsmprop_subj(&prop);
return process_measurement(file, current_cred(), &prop, buf, size,
- MAY_READ, func, read_id);
+ MAY_READ, func, read_id, false);
}
/**
--
2.43.0
^ permalink raw reply related
* Re: [PATCH v2] ima: Fix stack-out-of-bounds in is_bprm_creds_for_exec()
From: Chris Arges @ 2025-12-28 3:16 UTC (permalink / raw)
To: Mimi Zohar
Cc: roberto.sassu, kernel-team, Dmitry Kasatkin, Eric Snowberg,
Paul Moore, James Morris, Serge E. Hallyn,
Mickaël Salaün, Kees Cook, linux-integrity,
linux-security-module, linux-kernel
In-Reply-To: <3aeed1ff9388f09555bf5c6ade03cbe9ce93ff14.camel@linux.ibm.com>
On 2025-12-23 16:58:26, Mimi Zohar wrote:
> Hi Chris,
>
> On Sun, 2025-12-21 at 12:01 -0600, Chris J Arges wrote:
> > KASAN reported a stack-out-of-bounds access in ima_appraise_measurement
> > from is_bprm_creds_for_exec:
> >
> > BUG: KASAN: stack-out-of-bounds in ima_appraise_measurement+0x12dc/0x16a0
> > Read of size 1 at addr ffffc9000160f940 by task sudo/550
> > The buggy address belongs to stack of task sudo/550
> > and is located at offset 24 in frame:
> > ima_appraise_measurement+0x0/0x16a0
> > This frame has 2 objects:
> > [48, 56) 'file'
> > [80, 148) 'hash'
> >
> > This is caused by using container_of on the *file pointer. This offset
> > calculation is what triggers the stack-out-of-bounds error.
> >
> > In order to fix this, pass in a bprm_is_check boolean which can be set
> > depending on how process_measurement is called. If the caller has a
> > linux_binprm pointer and the function is BPRM_CHECK we can determine
> > is_check and set it then. Otherwise set it to false.
> >
> > Fixes: 95b3cdafd7cb7 ("ima: instantiate the bprm_creds_for_exec() hook")
> >
> > Signed-off-by: Chris J Arges <carges@cloudflare.com>
>
> Thank you! I'd appreciate your limiting the line lengths to 80 chars (e.g.
> scripts/checkpatch.pl --max-line-length=80).
>
> --
> thanks,
>
> Mimi
Sure thing, I'll make that adjustment and send v3.
--chris
^ permalink raw reply
* [PATCH] tpm: st33zp24: Fix missing cleanup on get_burstcount() error
From: Alper Ak @ 2025-12-26 12:09 UTC (permalink / raw)
To: peterhuewe, jarkko
Cc: Alper Ak, Jason Gunthorpe, Stefano Garzarella, Christophe Ricard,
linux-integrity, linux-kernel
get_burstcount() can return -EBUSY on timeout. When this happens,
st33zp24_send() returns directly without releasing the locality
acquired earlier.
Use goto out_err to ensure proper cleanup when get_burstcount() fails.
Fixes: bf38b8710892 ("tpm/tpm_i2c_stm_st33: Split tpm_i2c_tpm_st33 in 2 layers (core + phy)")
Signed-off-by: Alper Ak <alperyasinak1@gmail.com>
---
drivers/char/tpm/st33zp24/st33zp24.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/char/tpm/st33zp24/st33zp24.c b/drivers/char/tpm/st33zp24/st33zp24.c
index 2ed7815e4899..e2b7451ea7cc 100644
--- a/drivers/char/tpm/st33zp24/st33zp24.c
+++ b/drivers/char/tpm/st33zp24/st33zp24.c
@@ -328,8 +328,10 @@ static int st33zp24_send(struct tpm_chip *chip, unsigned char *buf,
for (i = 0; i < len - 1;) {
burstcnt = get_burstcount(chip);
- if (burstcnt < 0)
- return burstcnt;
+ if (burstcnt < 0) {
+ ret = burstcnt;
+ goto out_err;
+ }
size = min_t(int, len - i - 1, burstcnt);
ret = tpm_dev->ops->send(tpm_dev->phy_id, TPM_DATA_FIFO,
buf + i, size);
--
2.43.0
^ permalink raw reply related
* [PATCH] tpm: tpm_tis_spi: Initialize ret variable in tpm_tis_spi_transfer_half()
From: Alper Ak @ 2025-12-26 11:35 UTC (permalink / raw)
To: peterhuewe, jarkko
Cc: Alper Ak, Jason Gunthorpe, Krishna Yarlagadda, linux-integrity,
linux-kernel
When len is 0, the while loop in tpm_tis_spi_transfer_half() is never
entered and the function returns an uninitialized ret variable.
Initialize ret to 0 to correctly handle this case. This is consistent
with tpm_tis_spi_transfer_full(), which already initializes ret to 0
before the loop.
Fixes: a86a42ac2bd6 ("tpm_tis_spi: Add hardware wait polling")
Signed-off-by: Alper Ak <alperyasinak1@gmail.com>
---
drivers/char/tpm/tpm_tis_spi_main.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/char/tpm/tpm_tis_spi_main.c b/drivers/char/tpm/tpm_tis_spi_main.c
index 61b42c83ced8..1b6d79662ca1 100644
--- a/drivers/char/tpm/tpm_tis_spi_main.c
+++ b/drivers/char/tpm/tpm_tis_spi_main.c
@@ -85,7 +85,7 @@ static int tpm_tis_spi_transfer_half(struct tpm_tis_data *data, u32 addr,
struct spi_transfer spi_xfer[3];
struct spi_message m;
u8 transfer_len;
- int ret;
+ int ret = 0;
while (len) {
transfer_len = min_t(u16, len, MAX_SPI_FRAMESIZE);
--
2.43.0
^ permalink raw reply related
* [PATCH] tpm: tpm2-space: Skip handle check when context load returns -ENOENT
From: Alper Ak @ 2025-12-26 11:12 UTC (permalink / raw)
To: peterhuewe, jarkko
Cc: Alper Ak, Jason Gunthorpe, James Bottomley, linux-integrity,
linux-kernel
When tpm2_load_context() returns -ENOENT, the session is marked as
forgotten by setting session_tbl[i] to 0. Although tpm2_load_context()
also sets handle to 0 in this case, the subsequent comparison
"handle != space->session_tbl[i]" (0 != 0) is always false and serves
no purpose.
Add continue to skip this unnecessary comparison when load fails with
-ENOENT, making the control flow clearer and fix possible
uninitialized 'handle' variable.
Fixes: 4d57856a21ed2 ("tpm2: add session handle context saving and restoring to the space code")
Signed-off-by: Alper Ak <alperyasinak1@gmail.com>
---
drivers/char/tpm/tpm2-space.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/char/tpm/tpm2-space.c b/drivers/char/tpm/tpm2-space.c
index 60354cd53b5c..7dfbe07ecf5b 100644
--- a/drivers/char/tpm/tpm2-space.c
+++ b/drivers/char/tpm/tpm2-space.c
@@ -213,6 +213,7 @@ static int tpm2_load_space(struct tpm_chip *chip)
if (rc == -ENOENT) {
/* load failed, just forget session */
space->session_tbl[i] = 0;
+ continue;
} else if (rc) {
tpm2_flush_space(chip);
return rc;
--
2.43.0
^ permalink raw reply related
* [PATCH] tpm: tpm_i2c_infineon: Fix locality leak on get_burstcount() failure
From: Alper Ak @ 2025-12-26 10:23 UTC (permalink / raw)
To: peterhuewe, jarkko
Cc: Alper Ak, Jason Gunthorpe, Bryan Freed, Andi Shyti, Kent Yoder,
Marcel Selhorst, linux-integrity, linux-kernel
get_burstcount() can return -EBUSY on timeout. When this happens, the
function returns directly without releasing the locality that was
acquired at the beginning of tpm_tis_i2c_send().
Use goto out_err to ensure proper cleanup when get_burstcount() fails.
Fixes: aad628c1d91a ("char/tpm: Add new driver for Infineon I2C TIS TPM")
Signed-off-by: Alper Ak <alperyasinak1@gmail.com>
---
drivers/char/tpm/tpm_i2c_infineon.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/char/tpm/tpm_i2c_infineon.c b/drivers/char/tpm/tpm_i2c_infineon.c
index bdf1f329a679..8b7d32de0b2e 100644
--- a/drivers/char/tpm/tpm_i2c_infineon.c
+++ b/drivers/char/tpm/tpm_i2c_infineon.c
@@ -544,8 +544,10 @@ static int tpm_tis_i2c_send(struct tpm_chip *chip, u8 *buf, size_t bufsiz,
burstcnt = get_burstcount(chip);
/* burstcnt < 0 = TPM is busy */
- if (burstcnt < 0)
- return burstcnt;
+ if (burstcnt < 0) {
+ rc = burstcnt;
+ goto out_err;
+ }
if (burstcnt > (len - 1 - count))
burstcnt = len - 1 - count;
--
2.43.0
^ permalink raw reply related
* Re: [PATCH V2 1/1] IMA event log trimming
From: Mimi Zohar @ 2025-12-23 22:32 UTC (permalink / raw)
To: steven chen, linux-integrity
Cc: roberto.sassu, dmitry.kasatkin, eric.snowberg, corbet, serge,
paul, jmorris, linux-security-module, anirudhve, gregorylumen,
nramas, sushring, linux-doc
In-Reply-To: <b9d7bcea-3784-4ad6-b494-374db0c00cc6@linux.microsoft.com>
On Tue, 2025-12-16 at 11:59 -0800, steven chen wrote:
> > > > +{
> > > > + struct ima_queue_entry *qe, *qe_tmp;
> > > > + LIST_HEAD(ima_measurements_staged);
> > > > + unsigned int i;
> > > > + long cur = number_logs;
> > The variable name "number_logs" is confusing. As I mentioned in the patch
> > description, there is one measurement list with multiple records. There aren't
> > multiple logs in the kernel (other than the staged list).
>
> Will update it to "req_value". Thanks!
Please refer to the section titled "Naming" in Documentation/process/coding-
style.rst. Since this is the number of records being deleted, perhaps a better
variable name would be "num_records".
--
thanks,
Mimi
^ permalink raw reply
* Re: [PATCH v2] ima: Fix stack-out-of-bounds in is_bprm_creds_for_exec()
From: Mimi Zohar @ 2025-12-23 21:58 UTC (permalink / raw)
To: Chris J Arges, roberto.sassu
Cc: kernel-team, Dmitry Kasatkin, Eric Snowberg, Paul Moore,
James Morris, Serge E. Hallyn, Mickaël Salaün,
Kees Cook, linux-integrity, linux-security-module, linux-kernel
In-Reply-To: <20251221180128.1026760-1-carges@cloudflare.com>
Hi Chris,
On Sun, 2025-12-21 at 12:01 -0600, Chris J Arges wrote:
> KASAN reported a stack-out-of-bounds access in ima_appraise_measurement
> from is_bprm_creds_for_exec:
>
> BUG: KASAN: stack-out-of-bounds in ima_appraise_measurement+0x12dc/0x16a0
> Read of size 1 at addr ffffc9000160f940 by task sudo/550
> The buggy address belongs to stack of task sudo/550
> and is located at offset 24 in frame:
> ima_appraise_measurement+0x0/0x16a0
> This frame has 2 objects:
> [48, 56) 'file'
> [80, 148) 'hash'
>
> This is caused by using container_of on the *file pointer. This offset
> calculation is what triggers the stack-out-of-bounds error.
>
> In order to fix this, pass in a bprm_is_check boolean which can be set
> depending on how process_measurement is called. If the caller has a
> linux_binprm pointer and the function is BPRM_CHECK we can determine
> is_check and set it then. Otherwise set it to false.
>
> Fixes: 95b3cdafd7cb7 ("ima: instantiate the bprm_creds_for_exec() hook")
>
> Signed-off-by: Chris J Arges <carges@cloudflare.com>
Thank you! I'd appreciate your limiting the line lengths to 80 chars (e.g.
scripts/checkpatch.pl --max-line-length=80).
--
thanks,
Mimi
^ permalink raw reply
* Re: [PATCH v2] module: Only declare set_module_sig_enforced when CONFIG_MODULE_SIG=y
From: Sami Tolvanen @ 2025-12-22 20:24 UTC (permalink / raw)
To: linux-modules, Coiby Xu
Cc: Sami Tolvanen, linux-integrity, kernel test robot, Aaron Tomlin,
Daniel Gomez, Luis Chamberlain, Petr Pavlu, Daniel Gomez,
linux-kernel
In-Reply-To: <20251201030606.2295399-1-coxu@redhat.com>
On Mon, 01 Dec 2025 11:06:05 +0800, Coiby Xu wrote:
> Currently if set_module_sig_enforced is called with CONFIG_MODULE_SIG=n
> e.g. [1], it can lead to a linking error,
>
> ld: security/integrity/ima/ima_appraise.o: in function `ima_appraise_measurement':
> security/integrity/ima/ima_appraise.c:587:(.text+0xbbb): undefined reference to `set_module_sig_enforced'
>
> This happens because the actual implementation of
> set_module_sig_enforced comes from CONFIG_MODULE_SIG but both the
> function declaration and the empty stub definition are tied to
> CONFIG_MODULES.
>
> [...]
Applied to modules-next, thanks!
[1/1] module: Only declare set_module_sig_enforced when CONFIG_MODULE_SIG=y
commit: 1ae719a43b0336678172b3eb55c5187816f9a130
Best regards,
Sami
^ permalink raw reply
* Re: [RFC][PATCH v2 2/2] ima: measure buffer sent to securityfs policy file
From: Mimi Zohar @ 2025-12-22 14:01 UTC (permalink / raw)
To: Enrico Bravi, linux-integrity, dmitry.kasatkin, roberto.sassu
Cc: eric.snowberg
In-Reply-To: <20251216165620.683529-3-enrico.bravi@polito.it>
Hi Enrico,
On Tue, 2025-12-16 at 17:56 +0100, Enrico Bravi wrote:
> When signed a policy is not mandatory, it is possile to write the IMA
> policy directly on the corresponding securityfs file:
>
> echo -e "measure func=BPRM_CHECK mask=MAY_EXEC\n" \
> "audit func=BPRM_CHECK mask=MAY_EXEC\n" \
> > /sys/kernel/security/ima/policy
>
> Add input buffer measurement that can be caught when 'measure
> func=POLICY_CHECK' is enabled (e.g., ima_policy=tcb).
>
> Suggested-by: Roberto Sassu <roberto.sassu@huawei.com>
> Signed-off-by: Enrico Bravi <enrico.bravi@polito.it>
> ---
> security/integrity/ima/ima.h | 1 +
> security/integrity/ima/ima_fs.c | 1 +
> security/integrity/ima/ima_main.c | 38 +++++++++++++++++++++++++++++++
> 3 files changed, 40 insertions(+)
>
> diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
> index ca7b96663623..3b00c298355b 100644
> --- a/security/integrity/ima/ima.h
> +++ b/security/integrity/ima/ima.h
> @@ -426,6 +426,7 @@ void *ima_policy_next(struct seq_file *m, void *v, loff_t *pos);
> void ima_policy_stop(struct seq_file *m, void *v);
> int ima_policy_show(struct seq_file *m, void *v);
> void ima_measure_loaded_policy(void);
> +int ima_measure_policy_write(char *buf, size_t size);
>
> /* Appraise integrity measurements */
> #define IMA_APPRAISE_ENFORCE 0x01
> diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c
> index 89946d803d44..f1a5edd060ad 100644
> --- a/security/integrity/ima/ima_fs.c
> +++ b/security/integrity/ima/ima_fs.c
> @@ -362,6 +362,7 @@ static ssize_t ima_write_policy(struct file *file, const char __user *buf,
> 1, 0);
> result = -EACCES;
> } else {
> + ima_measure_policy_write(data, datalen);
> result = ima_parse_add_rule(data);
> }
> mutex_unlock(&ima_write_mutex);
> diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
> index cdd225f65a62..6a8ad4714881 100644
> --- a/security/integrity/ima/ima_main.c
> +++ b/security/integrity/ima/ima_main.c
> @@ -28,6 +28,7 @@
> #include <linux/iversion.h>
> #include <linux/evm.h>
> #include <linux/crash_dump.h>
> +#include <linux/shmem_fs.h>
>
> #include "ima.h"
>
> @@ -986,6 +987,43 @@ static int ima_post_load_data(char *buf, loff_t size,
> return 0;
> }
>
> +/**
> + * ima_measure_policy_write - Measure the policy write buffer
> + * @buf: pointer to the buffer containing the policy write data
> + * @size: size of the buffer
> + *
> + * Measure the buffer sent to the IMA policy securityfs file.
> + *
> + * Return 0 on success, a negative value otherwise.
> + */
> +int ima_measure_policy_write(char *buf, size_t size0
> +{
> + static const char op[] = "measure_ima_policy_write";
> + const char *file_name = "ima_write_policy_buffer";
> + static char *audit_cause = "ENOMEM";
> + struct file *policy_file = NULL;
> + struct lsm_prop prop;
> + int ret = 0;
> +
> + policy_file = shmem_kernel_file_setup(file_name, 0, 0);
> + if (IS_ERR(policy_file)) {
> + ret = PTR_ERR(policy_file);
> + audit_cause = "alloc_file";
> + integrity_audit_msg(AUDIT_INTEGRITY_PCR, NULL, "ima_policy_write",
> + op, audit_cause, ret, 1);
> + goto out;
> + }
> +
> + security_current_getlsmprop_subj(&prop);
> +
> + ret = process_measurement(policy_file, current_cred(), &prop, buf, size,
> + MAY_READ, POLICY_CHECK);
The purpose of this patch is to measure IMA policy rules as they're written to
the <securityfs> IMA policy file, based on the IMA "measure func=POLICY_CHECK"
policy rule.
Like critical data, it should be calling process_buffer_measurement(), not
process_measurement().
The functions ima_match_rules() and ima_match_rule_data() need to be updated to
support POLICY_CHECK.
This function naming is off and should be renamed to ima_measure_policy_buf().
Please update the patch description accordingly.
Mimi
> + fput(policy_file);
> +
> +out:
> + return ret;
> +}
> +
> /**
> * process_buffer_measurement - Measure the buffer or the buffer data hash
> * @idmap: idmap of the mount the inode was found from
^ permalink raw reply
* Re: [PATCHv3 1/2] kernel/kexec: Change the prototype of kimage_map_segment()
From: Baoquan He @ 2025-12-22 2:09 UTC (permalink / raw)
To: Pingfan Liu
Cc: kexec, linux-integrity, Andrew Morton, Mimi Zohar, Roberto Sassu,
Alexander Graf, Steven Chen, linux-kernel, stable
In-Reply-To: <20251216014852.8737-1-piliu@redhat.com>
On 12/16/25 at 09:48am, Pingfan Liu wrote:
> The kexec segment index will be required to extract the corresponding
> information for that segment in kimage_map_segment(). Additionally,
> kexec_segment already holds the kexec relocation destination address and
> size. Therefore, the prototype of kimage_map_segment() can be changed.
>
> Fixes: 07d24902977e ("kexec: enable CMA based contiguous allocation")
> Signed-off-by: Pingfan Liu <piliu@redhat.com>
> Cc: Andrew Morton <akpm@linux-foundation.org>
> Cc: Baoquan He <bhe@redhat.com>
> Cc: Mimi Zohar <zohar@linux.ibm.com>
> Cc: Roberto Sassu <roberto.sassu@huawei.com>
> Cc: Alexander Graf <graf@amazon.com>
> Cc: Steven Chen <chenste@linux.microsoft.com>
> Cc: linux-kernel@vger.kernel.org
> Cc: <stable@vger.kernel.org>
> To: kexec@lists.infradead.org
> To: linux-integrity@vger.kernel.org
> ---
> include/linux/kexec.h | 4 ++--
> kernel/kexec_core.c | 9 ++++++---
> security/integrity/ima/ima_kexec.c | 4 +---
> 3 files changed, 9 insertions(+), 8 deletions(-)
Ack the series:
Acked-by: Baoquan He <bhe@redhat.com>
^ permalink raw reply
* [PATCH v2] ima: Fix stack-out-of-bounds in is_bprm_creds_for_exec()
From: Chris J Arges @ 2025-12-21 18:01 UTC (permalink / raw)
To: zohar, roberto.sassu
Cc: kernel-team, Chris J Arges, Dmitry Kasatkin, Eric Snowberg,
Paul Moore, James Morris, Serge E. Hallyn,
Mickaël Salaün, Kees Cook, linux-integrity,
linux-security-module, linux-kernel
In-Reply-To: <20251219195456.912190-1-carges@cloudflare.com>
KASAN reported a stack-out-of-bounds access in ima_appraise_measurement
from is_bprm_creds_for_exec:
BUG: KASAN: stack-out-of-bounds in ima_appraise_measurement+0x12dc/0x16a0
Read of size 1 at addr ffffc9000160f940 by task sudo/550
The buggy address belongs to stack of task sudo/550
and is located at offset 24 in frame:
ima_appraise_measurement+0x0/0x16a0
This frame has 2 objects:
[48, 56) 'file'
[80, 148) 'hash'
This is caused by using container_of on the *file pointer. This offset
calculation is what triggers the stack-out-of-bounds error.
In order to fix this, pass in a bprm_is_check boolean which can be set
depending on how process_measurement is called. If the caller has a
linux_binprm pointer and the function is BPRM_CHECK we can determine
is_check and set it then. Otherwise set it to false.
Fixes: 95b3cdafd7cb7 ("ima: instantiate the bprm_creds_for_exec() hook")
Signed-off-by: Chris J Arges <carges@cloudflare.com>
---
security/integrity/ima/ima.h | 4 ++--
security/integrity/ima/ima_appraise.c | 15 ++-------------
security/integrity/ima/ima_main.c | 18 +++++++++---------
3 files changed, 13 insertions(+), 24 deletions(-)
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index e3d71d8d56e3..2c9e50c02634 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -441,7 +441,7 @@ int ima_check_blacklist(struct ima_iint_cache *iint,
int ima_appraise_measurement(enum ima_hooks func, struct ima_iint_cache *iint,
struct file *file, const unsigned char *filename,
struct evm_ima_xattr_data *xattr_value,
- int xattr_len, const struct modsig *modsig);
+ int xattr_len, const struct modsig *modsig, bool bprm_is_check);
int ima_must_appraise(struct mnt_idmap *idmap, struct inode *inode,
int mask, enum ima_hooks func);
void ima_update_xattr(struct ima_iint_cache *iint, struct file *file);
@@ -466,7 +466,7 @@ static inline int ima_appraise_measurement(enum ima_hooks func,
const unsigned char *filename,
struct evm_ima_xattr_data *xattr_value,
int xattr_len,
- const struct modsig *modsig)
+ const struct modsig *modsig, bool bprm_is_check)
{
return INTEGRITY_UNKNOWN;
}
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index 5149ff4fd50d..ea2079417318 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -470,17 +470,6 @@ int ima_check_blacklist(struct ima_iint_cache *iint,
return rc;
}
-static bool is_bprm_creds_for_exec(enum ima_hooks func, struct file *file)
-{
- struct linux_binprm *bprm;
-
- if (func == BPRM_CHECK) {
- bprm = container_of(&file, struct linux_binprm, file);
- return bprm->is_check;
- }
- return false;
-}
-
/*
* ima_appraise_measurement - appraise file measurement
*
@@ -492,7 +481,7 @@ static bool is_bprm_creds_for_exec(enum ima_hooks func, struct file *file)
int ima_appraise_measurement(enum ima_hooks func, struct ima_iint_cache *iint,
struct file *file, const unsigned char *filename,
struct evm_ima_xattr_data *xattr_value,
- int xattr_len, const struct modsig *modsig)
+ int xattr_len, const struct modsig *modsig, bool bprm_is_check)
{
static const char op[] = "appraise_data";
int audit_msgno = AUDIT_INTEGRITY_DATA;
@@ -514,7 +503,7 @@ int ima_appraise_measurement(enum ima_hooks func, struct ima_iint_cache *iint,
* of the script interpreter(userspace). Differentiate kernel and
* userspace enforced integrity audit messages.
*/
- if (is_bprm_creds_for_exec(func, file))
+ if (bprm_is_check)
audit_msgno = AUDIT_INTEGRITY_USERSPACE;
/* If reading the xattr failed and there's no modsig, error out. */
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 5770cf691912..36ce07063dc7 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -236,7 +236,7 @@ static void ima_file_free(struct file *file)
static int process_measurement(struct file *file, const struct cred *cred,
struct lsm_prop *prop, char *buf, loff_t size,
int mask, enum ima_hooks func,
- enum kernel_read_file_id read_id)
+ enum kernel_read_file_id read_id, bool bprm_is_check)
{
struct inode *real_inode, *inode = file_inode(file);
struct ima_iint_cache *iint = NULL;
@@ -426,7 +426,7 @@ static int process_measurement(struct file *file, const struct cred *cred,
inode_lock(inode);
rc = ima_appraise_measurement(func, iint, file,
pathname, xattr_value,
- xattr_len, modsig);
+ xattr_len, modsig, bprm_is_check);
inode_unlock(inode);
}
if (!rc)
@@ -493,14 +493,14 @@ static int ima_file_mmap(struct file *file, unsigned long reqprot,
if (reqprot & PROT_EXEC) {
ret = process_measurement(file, current_cred(), &prop, NULL,
- 0, MAY_EXEC, MMAP_CHECK_REQPROT, 0);
+ 0, MAY_EXEC, MMAP_CHECK_REQPROT, 0, false);
if (ret)
return ret;
}
if (prot & PROT_EXEC)
return process_measurement(file, current_cred(), &prop, NULL,
- 0, MAY_EXEC, MMAP_CHECK, 0);
+ 0, MAY_EXEC, MMAP_CHECK, 0, false);
return 0;
}
@@ -584,7 +584,7 @@ static int ima_bprm_check(struct linux_binprm *bprm)
security_current_getlsmprop_subj(&prop);
return process_measurement(bprm->file, current_cred(),
- &prop, NULL, 0, MAY_EXEC, BPRM_CHECK, 0);
+ &prop, NULL, 0, MAY_EXEC, BPRM_CHECK, 0, bprm->is_check);
}
/**
@@ -614,7 +614,7 @@ static int ima_creds_check(struct linux_binprm *bprm, const struct file *file)
security_current_getlsmprop_subj(&prop);
return process_measurement((struct file *)file, bprm->cred, &prop, NULL,
- 0, MAY_EXEC, CREDS_CHECK, 0);
+ 0, MAY_EXEC, CREDS_CHECK, 0, false);
}
/**
@@ -662,7 +662,7 @@ static int ima_file_check(struct file *file, int mask)
security_current_getlsmprop_subj(&prop);
return process_measurement(file, current_cred(), &prop, NULL, 0,
mask & (MAY_READ | MAY_WRITE | MAY_EXEC |
- MAY_APPEND), FILE_CHECK, 0);
+ MAY_APPEND), FILE_CHECK, 0, false);
}
static int __ima_inode_hash(struct inode *inode, struct file *file, char *buf,
@@ -881,7 +881,7 @@ static int ima_read_file(struct file *file, enum kernel_read_file_id read_id,
func = read_idmap[read_id] ?: FILE_CHECK;
security_current_getlsmprop_subj(&prop);
return process_measurement(file, current_cred(), &prop, NULL, 0,
- MAY_READ, func, 0);
+ MAY_READ, func, 0, false);
}
const int read_idmap[READING_MAX_ID] = {
@@ -925,7 +925,7 @@ static int ima_post_read_file(struct file *file, char *buf, loff_t size,
func = read_idmap[read_id] ?: FILE_CHECK;
security_current_getlsmprop_subj(&prop);
return process_measurement(file, current_cred(), &prop, buf, size,
- MAY_READ, func, read_id);
+ MAY_READ, func, read_id, false);
}
/**
--
2.43.0
^ permalink raw reply related
* Re: [PATCH] ima: Fix stack-out-of-bounds in is_bprm_creds_for_exec()
From: kernel test robot @ 2025-12-20 18:37 UTC (permalink / raw)
To: Chris J Arges, zohar, roberto.sassu
Cc: oe-kbuild-all, kernel-team, Chris J Arges, Dmitry Kasatkin,
Eric Snowberg, Paul Moore, James Morris, Serge E. Hallyn,
Mickaël Salaün, Kees Cook, linux-integrity,
linux-security-module, linux-kernel
In-Reply-To: <20251219195456.912190-1-carges@cloudflare.com>
Hi Chris,
kernel test robot noticed the following build errors:
[auto build test ERROR on zohar-integrity/next-integrity]
[also build test ERROR on linus/master v6.19-rc1 next-20251219]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/Chris-J-Arges/ima-Fix-stack-out-of-bounds-in-is_bprm_creds_for_exec/20251220-035711
base: https://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git next-integrity
patch link: https://lore.kernel.org/r/20251219195456.912190-1-carges%40cloudflare.com
patch subject: [PATCH] ima: Fix stack-out-of-bounds in is_bprm_creds_for_exec()
config: powerpc64-allnoconfig-bpf (https://download.01.org/0day-ci/archive/20251220/202512201956.LY8Y70Fd-lkp@intel.com/config)
compiler: powerpc64-linux-gcc (GCC) 15.1.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20251220/202512201956.LY8Y70Fd-lkp@intel.com/reproduce)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202512201956.LY8Y70Fd-lkp@intel.com/
All errors (new ones prefixed by >>):
security/integrity/ima/ima_main.c: In function 'process_measurement':
>> security/integrity/ima/ima_main.c:427:30: error: too many arguments to function 'ima_appraise_measurement'; expected 7, have 8
427 | rc = ima_appraise_measurement(func, iint, file,
| ^~~~~~~~~~~~~~~~~~~~~~~~
428 | pathname, xattr_value,
429 | xattr_len, modsig, bprm_is_check);
| ~~~~~~~~~~~~~
In file included from security/integrity/ima/ima_main.c:32:
security/integrity/ima/ima.h:463:19: note: declared here
463 | static inline int ima_appraise_measurement(enum ima_hooks func,
| ^~~~~~~~~~~~~~~~~~~~~~~~
vim +/ima_appraise_measurement +427 security/integrity/ima/ima_main.c
3323eec921efd8 Mimi Zohar 2009-02-04 235
d906c10d8a3165 Matthew Garrett 2018-01-08 236 static int process_measurement(struct file *file, const struct cred *cred,
37f670aacd4811 Casey Schaufler 2024-10-09 237 struct lsm_prop *prop, char *buf, loff_t size,
c200892b46ba3d Coiby Xu 2025-11-19 238 int mask, enum ima_hooks func,
073872ff30b34d Chris J Arges 2025-12-19 239 enum kernel_read_file_id read_id, bool bprm_is_check)
3323eec921efd8 Mimi Zohar 2009-02-04 240 {
c21632b66895eb Stefan Berger 2024-02-23 241 struct inode *real_inode, *inode = file_inode(file);
4de2f084fbff41 Roberto Sassu 2024-02-15 242 struct ima_iint_cache *iint = NULL;
19453ce0bcfbdf Matthew Garrett 2019-06-19 243 struct ima_template_desc *template_desc = NULL;
cd9b909a117210 Stefan Berger 2024-02-23 244 struct inode *metadata_inode;
ea1046d4c57ee6 Dmitry Kasatkin 2012-09-04 245 char *pathbuf = NULL;
bc15ed663e7e53 Mimi Zohar 2017-01-17 246 char filename[NAME_MAX];
ea1046d4c57ee6 Dmitry Kasatkin 2012-09-04 247 const char *pathname = NULL;
0d73a55208e94f Dmitry Kasatkin 2017-12-05 248 int rc = 0, action, must_appraise = 0;
725de7fabb9fe4 Eric Richter 2016-06-01 249 int pcr = CONFIG_IMA_MEASURE_PCR_IDX;
1525b06d99b117 Dmitry Kasatkin 2014-10-30 250 struct evm_ima_xattr_data *xattr_value = NULL;
39b07096364a42 Thiago Jung Bauermann 2019-06-27 251 struct modsig *modsig = NULL;
d3634d0f426bde Dmitry Kasatkin 2013-04-25 252 int xattr_len = 0;
f7a859ff7395c0 Roberto Sassu 2014-09-12 253 bool violation_check;
1525b06d99b117 Dmitry Kasatkin 2014-10-30 254 enum hash_algo hash_algo;
1624dc0086056c THOBY Simon 2021-08-16 255 unsigned int allowed_algos = 0;
3323eec921efd8 Mimi Zohar 2009-02-04 256
a756024efea259 Roberto Sassu 2014-09-12 257 if (!ima_policy_flag || !S_ISREG(inode->i_mode))
3323eec921efd8 Mimi Zohar 2009-02-04 258 return 0;
bc7d2a3e66b404 Eric Paris 2010-10-25 259
d79d72e02485c0 Mimi Zohar 2012-12-03 260 /* Return an IMA_MEASURE, IMA_APPRAISE, IMA_AUDIT action
d79d72e02485c0 Mimi Zohar 2012-12-03 261 * bitmask based on the appraise/audit/measurement policy.
d79d72e02485c0 Mimi Zohar 2012-12-03 262 * Included is the appraise submask.
d79d72e02485c0 Mimi Zohar 2012-12-03 263 */
37f670aacd4811 Casey Schaufler 2024-10-09 264 action = ima_get_action(file_mnt_idmap(file), inode, cred, prop,
1624dc0086056c THOBY Simon 2021-08-16 265 mask, func, &pcr, &template_desc, NULL,
1624dc0086056c THOBY Simon 2021-08-16 266 &allowed_algos);
4958db3245fa65 Roberto Sassu 2023-01-31 267 violation_check = ((func == FILE_CHECK || func == MMAP_CHECK ||
4958db3245fa65 Roberto Sassu 2023-01-31 268 func == MMAP_CHECK_REQPROT) &&
30d68cb0c37ebe Frederick Lawler 2025-03-27 269 (ima_policy_flag & IMA_MEASURE) &&
30d68cb0c37ebe Frederick Lawler 2025-03-27 270 ((action & IMA_MEASURE) ||
30d68cb0c37ebe Frederick Lawler 2025-03-27 271 (file->f_mode & FMODE_WRITE)));
f7a859ff7395c0 Roberto Sassu 2014-09-12 272 if (!action && !violation_check)
2fe5d6def1672a Mimi Zohar 2012-02-13 273 return 0;
2fe5d6def1672a Mimi Zohar 2012-02-13 274
2fe5d6def1672a Mimi Zohar 2012-02-13 275 must_appraise = action & IMA_APPRAISE;
bc7d2a3e66b404 Eric Paris 2010-10-25 276
5a73fcfa8875a9 Mimi Zohar 2012-12-05 277 /* Is the appraise rule hook specific? */
3a8a2eadc4946c Dmitry Kasatkin 2014-09-03 278 if (action & IMA_FILE_APPRAISE)
4ad87a3d7444de Mimi Zohar 2016-01-14 279 func = FILE_CHECK;
5a73fcfa8875a9 Mimi Zohar 2012-12-05 280
5955102c9984fa Al Viro 2016-01-22 281 inode_lock(inode);
2fe5d6def1672a Mimi Zohar 2012-02-13 282
f7a859ff7395c0 Roberto Sassu 2014-09-12 283 if (action) {
4de2f084fbff41 Roberto Sassu 2024-02-15 284 iint = ima_inode_get(inode);
bf2276d10ce58f Dmitry Kasatkin 2011-10-19 285 if (!iint)
0d73a55208e94f Dmitry Kasatkin 2017-12-05 286 rc = -ENOMEM;
f7a859ff7395c0 Roberto Sassu 2014-09-12 287 }
f7a859ff7395c0 Roberto Sassu 2014-09-12 288
0d73a55208e94f Dmitry Kasatkin 2017-12-05 289 if (!rc && violation_check)
1b68bdf9cded82 Roberto Sassu 2014-09-12 290 ima_rdwr_violation_check(file, iint, action & IMA_MEASURE,
4e8581eefe720f Roberto Sassu 2017-11-30 291 &pathbuf, &pathname, filename);
0d73a55208e94f Dmitry Kasatkin 2017-12-05 292
0d73a55208e94f Dmitry Kasatkin 2017-12-05 293 inode_unlock(inode);
0d73a55208e94f Dmitry Kasatkin 2017-12-05 294
0d73a55208e94f Dmitry Kasatkin 2017-12-05 295 if (rc)
0d73a55208e94f Dmitry Kasatkin 2017-12-05 296 goto out;
0d73a55208e94f Dmitry Kasatkin 2017-12-05 297 if (!action)
0d73a55208e94f Dmitry Kasatkin 2017-12-05 298 goto out;
0d73a55208e94f Dmitry Kasatkin 2017-12-05 299
0d73a55208e94f Dmitry Kasatkin 2017-12-05 300 mutex_lock(&iint->mutex);
0d73a55208e94f Dmitry Kasatkin 2017-12-05 301
0d73a55208e94f Dmitry Kasatkin 2017-12-05 302 if (test_and_clear_bit(IMA_CHANGE_ATTR, &iint->atomic_flags))
57a0ef02fefafc Roberto Sassu 2025-02-04 303 /*
57a0ef02fefafc Roberto Sassu 2025-02-04 304 * Reset appraisal flags (action and non-action rule-specific)
57a0ef02fefafc Roberto Sassu 2025-02-04 305 * if ima_inode_post_setattr was called.
57a0ef02fefafc Roberto Sassu 2025-02-04 306 */
0d73a55208e94f Dmitry Kasatkin 2017-12-05 307 iint->flags &= ~(IMA_APPRAISE | IMA_APPRAISED |
0d73a55208e94f Dmitry Kasatkin 2017-12-05 308 IMA_APPRAISE_SUBMASK | IMA_APPRAISED_SUBMASK |
57a0ef02fefafc Roberto Sassu 2025-02-04 309 IMA_NONACTION_RULE_FLAGS);
0d73a55208e94f Dmitry Kasatkin 2017-12-05 310
d77ccdc644a59b Mimi Zohar 2018-02-21 311 /*
d77ccdc644a59b Mimi Zohar 2018-02-21 312 * Re-evaulate the file if either the xattr has changed or the
d77ccdc644a59b Mimi Zohar 2018-02-21 313 * kernel has no way of detecting file change on the filesystem.
d77ccdc644a59b Mimi Zohar 2018-02-21 314 * (Limited to privileged mounted filesystems.)
d77ccdc644a59b Mimi Zohar 2018-02-21 315 */
d77ccdc644a59b Mimi Zohar 2018-02-21 316 if (test_and_clear_bit(IMA_CHANGE_XATTR, &iint->atomic_flags) ||
d77ccdc644a59b Mimi Zohar 2018-02-21 317 ((inode->i_sb->s_iflags & SB_I_IMA_UNVERIFIABLE_SIGNATURE) &&
9e67028e76514a Mimi Zohar 2018-02-21 318 !(inode->i_sb->s_iflags & SB_I_UNTRUSTED_MOUNTER) &&
9e67028e76514a Mimi Zohar 2018-02-21 319 !(action & IMA_FAIL_UNVERIFIABLE_SIGS))) {
0d73a55208e94f Dmitry Kasatkin 2017-12-05 320 iint->flags &= ~IMA_DONE_MASK;
d77ccdc644a59b Mimi Zohar 2018-02-21 321 iint->measured_pcrs = 0;
d77ccdc644a59b Mimi Zohar 2018-02-21 322 }
bf2276d10ce58f Dmitry Kasatkin 2011-10-19 323
c21632b66895eb Stefan Berger 2024-02-23 324 /*
cd9b909a117210 Stefan Berger 2024-02-23 325 * On stacked filesystems, detect and re-evaluate file data and
cd9b909a117210 Stefan Berger 2024-02-23 326 * metadata changes.
c21632b66895eb Stefan Berger 2024-02-23 327 */
c21632b66895eb Stefan Berger 2024-02-23 328 real_inode = d_real_inode(file_dentry(file));
c21632b66895eb Stefan Berger 2024-02-23 329 if (real_inode != inode &&
b836c4d29f2744 Mimi Zohar 2023-10-18 330 (action & IMA_DO_MASK) && (iint->flags & IMA_DONE_MASK)) {
c21632b66895eb Stefan Berger 2024-02-23 331 if (!IS_I_VERSION(real_inode) ||
309e2b775da8b2 Stefan Berger 2024-02-23 332 integrity_inode_attrs_changed(&iint->real_inode,
309e2b775da8b2 Stefan Berger 2024-02-23 333 real_inode)) {
b836c4d29f2744 Mimi Zohar 2023-10-18 334 iint->flags &= ~IMA_DONE_MASK;
b836c4d29f2744 Mimi Zohar 2023-10-18 335 iint->measured_pcrs = 0;
b836c4d29f2744 Mimi Zohar 2023-10-18 336 }
cd9b909a117210 Stefan Berger 2024-02-23 337
cd9b909a117210 Stefan Berger 2024-02-23 338 /*
cd9b909a117210 Stefan Berger 2024-02-23 339 * Reset the EVM status when metadata changed.
cd9b909a117210 Stefan Berger 2024-02-23 340 */
cd9b909a117210 Stefan Berger 2024-02-23 341 metadata_inode = d_inode(d_real(file_dentry(file),
cd9b909a117210 Stefan Berger 2024-02-23 342 D_REAL_METADATA));
cd9b909a117210 Stefan Berger 2024-02-23 343 if (evm_metadata_changed(inode, metadata_inode))
cd9b909a117210 Stefan Berger 2024-02-23 344 iint->flags &= ~(IMA_APPRAISED |
cd9b909a117210 Stefan Berger 2024-02-23 345 IMA_APPRAISED_SUBMASK);
b836c4d29f2744 Mimi Zohar 2023-10-18 346 }
b836c4d29f2744 Mimi Zohar 2023-10-18 347
2fe5d6def1672a Mimi Zohar 2012-02-13 348 /* Determine if already appraised/measured based on bitmask
d79d72e02485c0 Mimi Zohar 2012-12-03 349 * (IMA_MEASURE, IMA_MEASURED, IMA_XXXX_APPRAISE, IMA_XXXX_APPRAISED,
d79d72e02485c0 Mimi Zohar 2012-12-03 350 * IMA_AUDIT, IMA_AUDITED)
d79d72e02485c0 Mimi Zohar 2012-12-03 351 */
2fe5d6def1672a Mimi Zohar 2012-02-13 352 iint->flags |= action;
0e5a247cb37a97 Dmitry Kasatkin 2012-06-08 353 action &= IMA_DO_MASK;
a422638d492a35 Eric Richter 2016-06-01 354 action &= ~((iint->flags & (IMA_DONE_MASK ^ IMA_MEASURED)) >> 1);
a422638d492a35 Eric Richter 2016-06-01 355
a422638d492a35 Eric Richter 2016-06-01 356 /* If target pcr is already measured, unset IMA_MEASURE action */
a422638d492a35 Eric Richter 2016-06-01 357 if ((action & IMA_MEASURE) && (iint->measured_pcrs & (0x1 << pcr)))
a422638d492a35 Eric Richter 2016-06-01 358 action ^= IMA_MEASURE;
2fe5d6def1672a Mimi Zohar 2012-02-13 359
da1b0029f527a9 Mimi Zohar 2016-09-29 360 /* HASH sets the digital signature and update flags, nothing else */
da1b0029f527a9 Mimi Zohar 2016-09-29 361 if ((action & IMA_HASH) &&
da1b0029f527a9 Mimi Zohar 2016-09-29 362 !(test_bit(IMA_DIGSIG, &iint->atomic_flags))) {
f6fbd8cbf3ed19 Paul Moore 2022-11-09 363 xattr_len = ima_read_xattr(file_dentry(file),
f6fbd8cbf3ed19 Paul Moore 2022-11-09 364 &xattr_value, xattr_len);
da1b0029f527a9 Mimi Zohar 2016-09-29 365 if ((xattr_value && xattr_len > 2) &&
da1b0029f527a9 Mimi Zohar 2016-09-29 366 (xattr_value->type == EVM_IMA_XATTR_DIGSIG))
da1b0029f527a9 Mimi Zohar 2016-09-29 367 set_bit(IMA_DIGSIG, &iint->atomic_flags);
da1b0029f527a9 Mimi Zohar 2016-09-29 368 iint->flags |= IMA_HASHED;
da1b0029f527a9 Mimi Zohar 2016-09-29 369 action ^= IMA_HASH;
da1b0029f527a9 Mimi Zohar 2016-09-29 370 set_bit(IMA_UPDATE_XATTR, &iint->atomic_flags);
da1b0029f527a9 Mimi Zohar 2016-09-29 371 }
da1b0029f527a9 Mimi Zohar 2016-09-29 372
2fe5d6def1672a Mimi Zohar 2012-02-13 373 /* Nothing to do, just return existing appraised status */
2fe5d6def1672a Mimi Zohar 2012-02-13 374 if (!action) {
2cd4737bc85022 Mimi Zohar 2019-04-30 375 if (must_appraise) {
2cd4737bc85022 Mimi Zohar 2019-04-30 376 rc = mmap_violation_check(func, file, &pathbuf,
2cd4737bc85022 Mimi Zohar 2019-04-30 377 &pathname, filename);
2cd4737bc85022 Mimi Zohar 2019-04-30 378 if (!rc)
4ad87a3d7444de Mimi Zohar 2016-01-14 379 rc = ima_get_cache_status(iint, func);
2cd4737bc85022 Mimi Zohar 2019-04-30 380 }
0d73a55208e94f Dmitry Kasatkin 2017-12-05 381 goto out_locked;
2fe5d6def1672a Mimi Zohar 2012-02-13 382 }
3323eec921efd8 Mimi Zohar 2009-02-04 383
f68c05f4d2d4e1 Dmitry Kasatkin 2014-08-22 384 if ((action & IMA_APPRAISE_SUBMASK) ||
39b07096364a42 Thiago Jung Bauermann 2019-06-27 385 strcmp(template_desc->name, IMA_TEMPLATE_IMA_NAME) != 0) {
1525b06d99b117 Dmitry Kasatkin 2014-10-30 386 /* read 'security.ima' */
f6fbd8cbf3ed19 Paul Moore 2022-11-09 387 xattr_len = ima_read_xattr(file_dentry(file),
f6fbd8cbf3ed19 Paul Moore 2022-11-09 388 &xattr_value, xattr_len);
d3634d0f426bde Dmitry Kasatkin 2013-04-25 389
e5092255bb3967 Thiago Jung Bauermann 2019-06-27 390 /*
e5092255bb3967 Thiago Jung Bauermann 2019-06-27 391 * Read the appended modsig if allowed by the policy, and allow
e5092255bb3967 Thiago Jung Bauermann 2019-06-27 392 * an additional measurement list entry, if needed, based on the
e5092255bb3967 Thiago Jung Bauermann 2019-06-27 393 * template format and whether the file was already measured.
e5092255bb3967 Thiago Jung Bauermann 2019-06-27 394 */
e5092255bb3967 Thiago Jung Bauermann 2019-06-27 395 if (iint->flags & IMA_MODSIG_ALLOWED) {
e5092255bb3967 Thiago Jung Bauermann 2019-06-27 396 rc = ima_read_modsig(func, buf, size, &modsig);
e5092255bb3967 Thiago Jung Bauermann 2019-06-27 397
e5092255bb3967 Thiago Jung Bauermann 2019-06-27 398 if (!rc && ima_template_has_modsig(template_desc) &&
e5092255bb3967 Thiago Jung Bauermann 2019-06-27 399 iint->flags & IMA_MEASURED)
e5092255bb3967 Thiago Jung Bauermann 2019-06-27 400 action |= IMA_MEASURE;
e5092255bb3967 Thiago Jung Bauermann 2019-06-27 401 }
39b07096364a42 Thiago Jung Bauermann 2019-06-27 402 }
39b07096364a42 Thiago Jung Bauermann 2019-06-27 403
1525b06d99b117 Dmitry Kasatkin 2014-10-30 404 hash_algo = ima_get_hash_algo(xattr_value, xattr_len);
1525b06d99b117 Dmitry Kasatkin 2014-10-30 405
15588227e086ec Thiago Jung Bauermann 2019-06-27 406 rc = ima_collect_measurement(iint, file, buf, size, hash_algo, modsig);
6dc387d52eb67f Matt Bobrowski 2023-01-04 407 if (rc != 0 && rc != -EBADF && rc != -EINVAL)
0d73a55208e94f Dmitry Kasatkin 2017-12-05 408 goto out_locked;
08e1b76ae399a0 Mimi Zohar 2012-06-20 409
c200892b46ba3d Coiby Xu 2025-11-19 410 /* Defer measuring/appraising kernel modules to READING_MODULE */
c200892b46ba3d Coiby Xu 2025-11-19 411 if (read_id == READING_MODULE_COMPRESSED) {
c200892b46ba3d Coiby Xu 2025-11-19 412 must_appraise = 0;
c200892b46ba3d Coiby Xu 2025-11-19 413 goto out_locked;
c200892b46ba3d Coiby Xu 2025-11-19 414 }
c200892b46ba3d Coiby Xu 2025-11-19 415
bc15ed663e7e53 Mimi Zohar 2017-01-17 416 if (!pathbuf) /* ima_rdwr_violation possibly pre-fetched */
bc15ed663e7e53 Mimi Zohar 2017-01-17 417 pathname = ima_d_path(&file->f_path, &pathbuf, filename);
08e1b76ae399a0 Mimi Zohar 2012-06-20 418
2fe5d6def1672a Mimi Zohar 2012-02-13 419 if (action & IMA_MEASURE)
bcbc9b0cf6d8f3 Mimi Zohar 2013-07-23 420 ima_store_measurement(iint, file, pathname,
3878d505aa718b Thiago Jung Bauermann 2019-06-27 421 xattr_value, xattr_len, modsig, pcr,
19453ce0bcfbdf Matthew Garrett 2019-06-19 422 template_desc);
0d73a55208e94f Dmitry Kasatkin 2017-12-05 423 if (rc == 0 && (action & IMA_APPRAISE_SUBMASK)) {
273df864cf7466 Nayna Jain 2019-10-30 424 rc = ima_check_blacklist(iint, modsig, pcr);
273df864cf7466 Nayna Jain 2019-10-30 425 if (rc != -EPERM) {
0d73a55208e94f Dmitry Kasatkin 2017-12-05 426 inode_lock(inode);
273df864cf7466 Nayna Jain 2019-10-30 @427 rc = ima_appraise_measurement(func, iint, file,
273df864cf7466 Nayna Jain 2019-10-30 428 pathname, xattr_value,
073872ff30b34d Chris J Arges 2025-12-19 429 xattr_len, modsig, bprm_is_check);
0d73a55208e94f Dmitry Kasatkin 2017-12-05 430 inode_unlock(inode);
273df864cf7466 Nayna Jain 2019-10-30 431 }
2cd4737bc85022 Mimi Zohar 2019-04-30 432 if (!rc)
2cd4737bc85022 Mimi Zohar 2019-04-30 433 rc = mmap_violation_check(func, file, &pathbuf,
2cd4737bc85022 Mimi Zohar 2019-04-30 434 &pathname, filename);
0d73a55208e94f Dmitry Kasatkin 2017-12-05 435 }
e7c568e0fd0cf6 Peter Moody 2012-06-14 436 if (action & IMA_AUDIT)
ea1046d4c57ee6 Dmitry Kasatkin 2012-09-04 437 ima_audit_measurement(iint, pathname);
f7a859ff7395c0 Roberto Sassu 2014-09-12 438
f3cc6b25dcc561 Mimi Zohar 2017-06-17 439 if ((file->f_flags & O_DIRECT) && (iint->flags & IMA_PERMIT_DIRECTIO))
f3cc6b25dcc561 Mimi Zohar 2017-06-17 440 rc = 0;
1624dc0086056c THOBY Simon 2021-08-16 441
1624dc0086056c THOBY Simon 2021-08-16 442 /* Ensure the digest was generated using an allowed algorithm */
1624dc0086056c THOBY Simon 2021-08-16 443 if (rc == 0 && must_appraise && allowed_algos != 0 &&
1624dc0086056c THOBY Simon 2021-08-16 444 (allowed_algos & (1U << hash_algo)) == 0) {
1624dc0086056c THOBY Simon 2021-08-16 445 rc = -EACCES;
1624dc0086056c THOBY Simon 2021-08-16 446
1624dc0086056c THOBY Simon 2021-08-16 447 integrity_audit_msg(AUDIT_INTEGRITY_DATA, file_inode(file),
1624dc0086056c THOBY Simon 2021-08-16 448 pathname, "collect_data",
1624dc0086056c THOBY Simon 2021-08-16 449 "denied-hash-algorithm", rc, 0);
1624dc0086056c THOBY Simon 2021-08-16 450 }
0d73a55208e94f Dmitry Kasatkin 2017-12-05 451 out_locked:
0d73a55208e94f Dmitry Kasatkin 2017-12-05 452 if ((mask & MAY_WRITE) && test_bit(IMA_DIGSIG, &iint->atomic_flags) &&
05d1a717ec0430 Mimi Zohar 2016-02-29 453 !(iint->flags & IMA_NEW_FILE))
a175b8bb29ebba Dmitry Kasatkin 2012-09-27 454 rc = -EACCES;
0d73a55208e94f Dmitry Kasatkin 2017-12-05 455 mutex_unlock(&iint->mutex);
f7a859ff7395c0 Roberto Sassu 2014-09-12 456 kfree(xattr_value);
39b07096364a42 Thiago Jung Bauermann 2019-06-27 457 ima_free_modsig(modsig);
0d73a55208e94f Dmitry Kasatkin 2017-12-05 458 out:
456f5fd3f6017f Dmitry Kasatkin 2014-10-01 459 if (pathbuf)
456f5fd3f6017f Dmitry Kasatkin 2014-10-01 460 __putname(pathbuf);
0d73a55208e94f Dmitry Kasatkin 2017-12-05 461 if (must_appraise) {
0d73a55208e94f Dmitry Kasatkin 2017-12-05 462 if (rc && (ima_appraise & IMA_APPRAISE_ENFORCE))
750943a30714b7 Dmitry Kasatkin 2012-09-27 463 return -EACCES;
0d73a55208e94f Dmitry Kasatkin 2017-12-05 464 if (file->f_mode & FMODE_WRITE)
0d73a55208e94f Dmitry Kasatkin 2017-12-05 465 set_bit(IMA_UPDATE_XATTR, &iint->atomic_flags);
0d73a55208e94f Dmitry Kasatkin 2017-12-05 466 }
750943a30714b7 Dmitry Kasatkin 2012-09-27 467 return 0;
3323eec921efd8 Mimi Zohar 2009-02-04 468 }
3323eec921efd8 Mimi Zohar 2009-02-04 469
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
^ permalink raw reply
* Re: [PATCH] ima: Fix stack-out-of-bounds in is_bprm_creds_for_exec()
From: kernel test robot @ 2025-12-20 15:21 UTC (permalink / raw)
To: Chris J Arges, zohar, roberto.sassu
Cc: oe-kbuild-all, kernel-team, Chris J Arges, Dmitry Kasatkin,
Eric Snowberg, Paul Moore, James Morris, Serge E. Hallyn,
Mickaël Salaün, Kees Cook, linux-integrity,
linux-security-module, linux-kernel
In-Reply-To: <20251219195456.912190-1-carges@cloudflare.com>
Hi Chris,
kernel test robot noticed the following build errors:
[auto build test ERROR on zohar-integrity/next-integrity]
[also build test ERROR on linus/master v6.19-rc1 next-20251219]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/Chris-J-Arges/ima-Fix-stack-out-of-bounds-in-is_bprm_creds_for_exec/20251220-035711
base: https://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git next-integrity
patch link: https://lore.kernel.org/r/20251219195456.912190-1-carges%40cloudflare.com
patch subject: [PATCH] ima: Fix stack-out-of-bounds in is_bprm_creds_for_exec()
config: i386-allnoconfig-bpf (https://download.01.org/0day-ci/archive/20251220/202512201634.hYE4i2PX-lkp@intel.com/config)
compiler: clang version 20.1.8 (https://github.com/llvm/llvm-project 87f0227cb60147a26a1eeb4fb06e3b505e9c7261)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20251220/202512201634.hYE4i2PX-lkp@intel.com/reproduce)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202512201634.hYE4i2PX-lkp@intel.com/
All errors (new ones prefixed by >>):
>> security/integrity/ima/ima_main.c:429:32: error: too many arguments to function call, expected 7, have 8
427 | rc = ima_appraise_measurement(func, iint, file,
| ~~~~~~~~~~~~~~~~~~~~~~~~
428 | pathname, xattr_value,
429 | xattr_len, modsig, bprm_is_check);
| ^~~~~~~~~~~~~
security/integrity/ima/ima.h:463:19: note: 'ima_appraise_measurement' declared here
463 | static inline int ima_appraise_measurement(enum ima_hooks func,
| ^ ~~~~~~~~~~~~~~~~~~~~
464 | struct ima_iint_cache *iint,
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
465 | struct file *file,
| ~~~~~~~~~~~~~~~~~~
466 | const unsigned char *filename,
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
467 | struct evm_ima_xattr_data *xattr_value,
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
468 | int xattr_len,
| ~~~~~~~~~~~~~~
469 | const struct modsig *modsig)
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~
1 error generated.
vim +429 security/integrity/ima/ima_main.c
235
236 static int process_measurement(struct file *file, const struct cred *cred,
237 struct lsm_prop *prop, char *buf, loff_t size,
238 int mask, enum ima_hooks func,
239 enum kernel_read_file_id read_id, bool bprm_is_check)
240 {
241 struct inode *real_inode, *inode = file_inode(file);
242 struct ima_iint_cache *iint = NULL;
243 struct ima_template_desc *template_desc = NULL;
244 struct inode *metadata_inode;
245 char *pathbuf = NULL;
246 char filename[NAME_MAX];
247 const char *pathname = NULL;
248 int rc = 0, action, must_appraise = 0;
249 int pcr = CONFIG_IMA_MEASURE_PCR_IDX;
250 struct evm_ima_xattr_data *xattr_value = NULL;
251 struct modsig *modsig = NULL;
252 int xattr_len = 0;
253 bool violation_check;
254 enum hash_algo hash_algo;
255 unsigned int allowed_algos = 0;
256
257 if (!ima_policy_flag || !S_ISREG(inode->i_mode))
258 return 0;
259
260 /* Return an IMA_MEASURE, IMA_APPRAISE, IMA_AUDIT action
261 * bitmask based on the appraise/audit/measurement policy.
262 * Included is the appraise submask.
263 */
264 action = ima_get_action(file_mnt_idmap(file), inode, cred, prop,
265 mask, func, &pcr, &template_desc, NULL,
266 &allowed_algos);
267 violation_check = ((func == FILE_CHECK || func == MMAP_CHECK ||
268 func == MMAP_CHECK_REQPROT) &&
269 (ima_policy_flag & IMA_MEASURE) &&
270 ((action & IMA_MEASURE) ||
271 (file->f_mode & FMODE_WRITE)));
272 if (!action && !violation_check)
273 return 0;
274
275 must_appraise = action & IMA_APPRAISE;
276
277 /* Is the appraise rule hook specific? */
278 if (action & IMA_FILE_APPRAISE)
279 func = FILE_CHECK;
280
281 inode_lock(inode);
282
283 if (action) {
284 iint = ima_inode_get(inode);
285 if (!iint)
286 rc = -ENOMEM;
287 }
288
289 if (!rc && violation_check)
290 ima_rdwr_violation_check(file, iint, action & IMA_MEASURE,
291 &pathbuf, &pathname, filename);
292
293 inode_unlock(inode);
294
295 if (rc)
296 goto out;
297 if (!action)
298 goto out;
299
300 mutex_lock(&iint->mutex);
301
302 if (test_and_clear_bit(IMA_CHANGE_ATTR, &iint->atomic_flags))
303 /*
304 * Reset appraisal flags (action and non-action rule-specific)
305 * if ima_inode_post_setattr was called.
306 */
307 iint->flags &= ~(IMA_APPRAISE | IMA_APPRAISED |
308 IMA_APPRAISE_SUBMASK | IMA_APPRAISED_SUBMASK |
309 IMA_NONACTION_RULE_FLAGS);
310
311 /*
312 * Re-evaulate the file if either the xattr has changed or the
313 * kernel has no way of detecting file change on the filesystem.
314 * (Limited to privileged mounted filesystems.)
315 */
316 if (test_and_clear_bit(IMA_CHANGE_XATTR, &iint->atomic_flags) ||
317 ((inode->i_sb->s_iflags & SB_I_IMA_UNVERIFIABLE_SIGNATURE) &&
318 !(inode->i_sb->s_iflags & SB_I_UNTRUSTED_MOUNTER) &&
319 !(action & IMA_FAIL_UNVERIFIABLE_SIGS))) {
320 iint->flags &= ~IMA_DONE_MASK;
321 iint->measured_pcrs = 0;
322 }
323
324 /*
325 * On stacked filesystems, detect and re-evaluate file data and
326 * metadata changes.
327 */
328 real_inode = d_real_inode(file_dentry(file));
329 if (real_inode != inode &&
330 (action & IMA_DO_MASK) && (iint->flags & IMA_DONE_MASK)) {
331 if (!IS_I_VERSION(real_inode) ||
332 integrity_inode_attrs_changed(&iint->real_inode,
333 real_inode)) {
334 iint->flags &= ~IMA_DONE_MASK;
335 iint->measured_pcrs = 0;
336 }
337
338 /*
339 * Reset the EVM status when metadata changed.
340 */
341 metadata_inode = d_inode(d_real(file_dentry(file),
342 D_REAL_METADATA));
343 if (evm_metadata_changed(inode, metadata_inode))
344 iint->flags &= ~(IMA_APPRAISED |
345 IMA_APPRAISED_SUBMASK);
346 }
347
348 /* Determine if already appraised/measured based on bitmask
349 * (IMA_MEASURE, IMA_MEASURED, IMA_XXXX_APPRAISE, IMA_XXXX_APPRAISED,
350 * IMA_AUDIT, IMA_AUDITED)
351 */
352 iint->flags |= action;
353 action &= IMA_DO_MASK;
354 action &= ~((iint->flags & (IMA_DONE_MASK ^ IMA_MEASURED)) >> 1);
355
356 /* If target pcr is already measured, unset IMA_MEASURE action */
357 if ((action & IMA_MEASURE) && (iint->measured_pcrs & (0x1 << pcr)))
358 action ^= IMA_MEASURE;
359
360 /* HASH sets the digital signature and update flags, nothing else */
361 if ((action & IMA_HASH) &&
362 !(test_bit(IMA_DIGSIG, &iint->atomic_flags))) {
363 xattr_len = ima_read_xattr(file_dentry(file),
364 &xattr_value, xattr_len);
365 if ((xattr_value && xattr_len > 2) &&
366 (xattr_value->type == EVM_IMA_XATTR_DIGSIG))
367 set_bit(IMA_DIGSIG, &iint->atomic_flags);
368 iint->flags |= IMA_HASHED;
369 action ^= IMA_HASH;
370 set_bit(IMA_UPDATE_XATTR, &iint->atomic_flags);
371 }
372
373 /* Nothing to do, just return existing appraised status */
374 if (!action) {
375 if (must_appraise) {
376 rc = mmap_violation_check(func, file, &pathbuf,
377 &pathname, filename);
378 if (!rc)
379 rc = ima_get_cache_status(iint, func);
380 }
381 goto out_locked;
382 }
383
384 if ((action & IMA_APPRAISE_SUBMASK) ||
385 strcmp(template_desc->name, IMA_TEMPLATE_IMA_NAME) != 0) {
386 /* read 'security.ima' */
387 xattr_len = ima_read_xattr(file_dentry(file),
388 &xattr_value, xattr_len);
389
390 /*
391 * Read the appended modsig if allowed by the policy, and allow
392 * an additional measurement list entry, if needed, based on the
393 * template format and whether the file was already measured.
394 */
395 if (iint->flags & IMA_MODSIG_ALLOWED) {
396 rc = ima_read_modsig(func, buf, size, &modsig);
397
398 if (!rc && ima_template_has_modsig(template_desc) &&
399 iint->flags & IMA_MEASURED)
400 action |= IMA_MEASURE;
401 }
402 }
403
404 hash_algo = ima_get_hash_algo(xattr_value, xattr_len);
405
406 rc = ima_collect_measurement(iint, file, buf, size, hash_algo, modsig);
407 if (rc != 0 && rc != -EBADF && rc != -EINVAL)
408 goto out_locked;
409
410 /* Defer measuring/appraising kernel modules to READING_MODULE */
411 if (read_id == READING_MODULE_COMPRESSED) {
412 must_appraise = 0;
413 goto out_locked;
414 }
415
416 if (!pathbuf) /* ima_rdwr_violation possibly pre-fetched */
417 pathname = ima_d_path(&file->f_path, &pathbuf, filename);
418
419 if (action & IMA_MEASURE)
420 ima_store_measurement(iint, file, pathname,
421 xattr_value, xattr_len, modsig, pcr,
422 template_desc);
423 if (rc == 0 && (action & IMA_APPRAISE_SUBMASK)) {
424 rc = ima_check_blacklist(iint, modsig, pcr);
425 if (rc != -EPERM) {
426 inode_lock(inode);
427 rc = ima_appraise_measurement(func, iint, file,
428 pathname, xattr_value,
> 429 xattr_len, modsig, bprm_is_check);
430 inode_unlock(inode);
431 }
432 if (!rc)
433 rc = mmap_violation_check(func, file, &pathbuf,
434 &pathname, filename);
435 }
436 if (action & IMA_AUDIT)
437 ima_audit_measurement(iint, pathname);
438
439 if ((file->f_flags & O_DIRECT) && (iint->flags & IMA_PERMIT_DIRECTIO))
440 rc = 0;
441
442 /* Ensure the digest was generated using an allowed algorithm */
443 if (rc == 0 && must_appraise && allowed_algos != 0 &&
444 (allowed_algos & (1U << hash_algo)) == 0) {
445 rc = -EACCES;
446
447 integrity_audit_msg(AUDIT_INTEGRITY_DATA, file_inode(file),
448 pathname, "collect_data",
449 "denied-hash-algorithm", rc, 0);
450 }
451 out_locked:
452 if ((mask & MAY_WRITE) && test_bit(IMA_DIGSIG, &iint->atomic_flags) &&
453 !(iint->flags & IMA_NEW_FILE))
454 rc = -EACCES;
455 mutex_unlock(&iint->mutex);
456 kfree(xattr_value);
457 ima_free_modsig(modsig);
458 out:
459 if (pathbuf)
460 __putname(pathbuf);
461 if (must_appraise) {
462 if (rc && (ima_appraise & IMA_APPRAISE_ENFORCE))
463 return -EACCES;
464 if (file->f_mode & FMODE_WRITE)
465 set_bit(IMA_UPDATE_XATTR, &iint->atomic_flags);
466 }
467 return 0;
468 }
469
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
^ permalink raw reply
page: next (older) | prev (newer) | latest
- recent:[subjects (threaded)|topics (new)|topics (active)]
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox