From: Mimi Zohar <zohar@linux.ibm.com>
To: Nicolai Stange <nstange@suse.de>,
	Roberto Sassu <roberto.sassu@huawei.com>,
	Dmitry Kasatkin <dmitry.kasatkin@gmail.com>
Cc: Eric Snowberg <eric.snowberg@oracle.com>,
	linux-integrity@vger.kernel.org,
	linux-security-module@vger.kernel.org,
	linux-kernel@vger.kernel.org
Subject: Re: [RFC PATCH v1 3/7] ima: move INVALID_PCR() to ima.h
Date: Mon, 17 Mar 2025 21:57:02 -0400
Message-ID: <7e7d730961ee65dd063755f6a1ff9aefdcdff430.camel@linux.ibm.com>
In-Reply-To: <20250313173339.3815589-4-nstange@suse.de>

On Thu, 2025-03-13 at 18:33 +0100, Nicolai Stange wrote:
> Make the INVALID_PCR() #define available to other compilation units
> by moving it from ima_policy.c to ima.h and renaming it to
> IMA_INVALID_PCR() in the course.
> 
> Signed-off-by: Nicolai Stange <nstange@suse.de>

Restoring the IMA measurement list doesn't involve extending the TPM.  The hash-specific
measurements have already been extended into the respective TPM banks.
Is this and the subsequent patch necessary?

Mimi


> ---
>  security/integrity/ima/ima.h        | 4 ++++
>  security/integrity/ima/ima_policy.c | 5 +----
>  2 files changed, 5 insertions(+), 4 deletions(-)
> 
> diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
> index a4f284bd846c..1158a7b8bf6b 100644
> --- a/security/integrity/ima/ima.h
> +++ b/security/integrity/ima/ima.h
> @@ -198,6 +198,10 @@ struct ima_iint_cache {
>  	struct ima_digest_data *ima_hash;
>  };
>  
> +#define IMA_INVALID_PCR(a) (((a) < 0) || \
> +	(a) >= (sizeof_field(struct ima_iint_cache, measured_pcrs) * 8))
> +
> +
>  extern struct lsm_blob_sizes ima_blob_sizes;
>  
>  static inline struct ima_iint_cache *
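Review bot: two consecutive blank lines are left between the new `IMA_INVALID_PCR()` definition and `extern struct lsm_blob_sizes ima_blob_sizes;`; checkpatch warns about multiple blank lines, so drop one. Since the macro now lives in a shared header, a one-line comment saying that the upper bound is the bit width of `measured_pcrs` (which is why the check is expressed via `sizeof_field(struct ima_iint_cache, measured_pcrs)`) would help the out-of-file callers this move is meant to serve.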
> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index 128fab897930..d9e4210ea814 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -48,9 +48,6 @@
>  #define HASH		0x0100
>  #define DONT_HASH	0x0200
>  
> -#define INVALID_PCR(a) (((a) < 0) || \
> -	(a) >= (sizeof_field(struct ima_iint_cache, measured_pcrs) * 8))
> -
>  int ima_policy_flag;
>  static int temp_ima_appraise;
>  static int build_ima_appraise __ro_after_init;
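Review bot: with the local `INVALID_PCR()` removed, this file now depends on the definition in ima.h, and the hunk does not show the include that provides it; worth confirming that ima.h is already included here and that the caller renamed in the next hunk is the only remaining user of the old name in this file.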
> @@ -1855,7 +1852,7 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
>  			ima_log_string(ab, "pcr", args[0].from);
>  
>  			result = kstrtoint(args[0].from, 10, &entry->pcr);
> -			if (result || INVALID_PCR(entry->pcr))
> +			if (result || IMA_INVALID_PCR(entry->pcr))
>  				result = -EINVAL;
>  			else
>  				entry->flags |= IMA_PCR;


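As an added illustration of the range check that the patch moves into ima.h, and not code from the patch or from the kernel, the following user-space model shows why a parsed `pcr=` value must be validated against the bit width of `measured_pcrs` before it is used as a bit index. The struct, `sizeof_field()` stand-in, `parse_int()` (a stand-in for `kstrtoint()`), `parse_pcr_option()`, `mark_pcr_measured()` and `max_pcr_index()` are all constructed for this example; only the shape of the `IMA_INVALID_PCR()` macro itself follows the patch.

```c
/* Added example: user-space model of IMA's pcr= validation. All names are
 * constructed stand-ins, not the kernel's definitions. */
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for the kernel's sizeof_field() helper. */
#define sizeof_field(TYPE, MEMBER) sizeof(((TYPE *)0)->MEMBER)

/* Constructed stand-in for the cache entry (the real struct has more fields).
 * measured_pcrs is a bitmask: bit N set means PCR N was extended for the file. */
struct ima_iint_cache {
	unsigned long measured_pcrs;
};

/* Same shape as the macro the patch moves into ima.h. The bound is the bit
 * width of measured_pcrs, so it tracks the bitmask rather than a fixed TPM
 * PCR count. The "< 0" test runs first, before the int is compared against a
 * size_t in the second clause. */
#define IMA_INVALID_PCR(a) (((a) < 0) || \
	(a) >= (sizeof_field(struct ima_iint_cache, measured_pcrs) * 8))

/* Constructed stand-in for kstrtoint(): base-10, whole string consumed,
 * value must fit an int. Returns 0 on success, negative errno otherwise. */
static int parse_int(const char *s, int *out)
{
	char *end;
	long v;

	if (*s == '\0')
		return -EINVAL;
	errno = 0;
	v = strtol(s, &end, 10);
	if (errno == ERANGE || v < INT_MIN || v > INT_MAX)
		return -ERANGE;
	if (*end != '\0')
		return -EINVAL;
	*out = (int)v;
	return 0;
}

/* Highest index the bitmask can hold (63 on LP64, 31 on ILP32). */
int max_pcr_index(void)
{
	return (int)(sizeof_field(struct ima_iint_cache, measured_pcrs) * 8) - 1;
}

/* Mirrors the ima_parse_rule() fragment in the patch: parse the pcr= value and
 * reject it unless it is a valid bit index. On success store it and return 0;
 * otherwise return -EINVAL and leave *pcr untouched. */
int parse_pcr_option(const char *value, int *pcr)
{
	int tmp = 0;
	int result = parse_int(value, &tmp);

	if (result || IMA_INVALID_PCR(tmp))
		return -EINVAL;
	*pcr = tmp;
	return 0;
}

/* Record that PCR index pcr was extended. Because only validated indices reach
 * the shift, the shift count is always below the width of unsigned long. */
int mark_pcr_measured(struct ima_iint_cache *iint, int pcr)
{
	if (IMA_INVALID_PCR(pcr))
		return -EINVAL;
	iint->measured_pcrs |= 1UL << pcr;
	return 0;
}

int main(void)
{
	/* Constructed sample rule values, including out-of-range and junk. */
	const char *samples[] = { "10", "0", "-1", "64", "1000", "abc", "" };
	struct ima_iint_cache iint = { 0 };
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		int pcr = -1;
		int rc = parse_pcr_option(samples[i], &pcr);

		if (rc == 0)
			mark_pcr_measured(&iint, pcr);
		printf("pcr=\"%s\" -> %s\n", samples[i],
		       rc == 0 ? "accepted" : "rejected (-EINVAL)");
	}
	printf("measured_pcrs = 0x%lx (max index %d)\n",
	       iint.measured_pcrs, max_pcr_index());
	return 0;
}
```

The point of the check is that `measured_pcrs` is a fixed-width bitmask, so any index outside `[0, bits-1]` would become an out-of-range shift; tying the bound to `sizeof_field()` keeps the check correct if the field's type ever changes.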