diff options
author | Prakhar Srivastava <prsriva02@gmail.com> | 2019-06-23 23:23:30 -0700 |
---|---|---|
committer | Mimi Zohar <zohar@linux.ibm.com> | 2019-06-30 17:53:45 -0400 |
commit | 86b4da8c0e7fcb6c217c604efcd9438ad55dd055 (patch) | |
tree | d0fd6261853d1c15238f42be11c80f6f730f43f4 /kernel/memremap.c | |
parent | b0935123a18360d19f1dcc779ea33841cdc304cc (diff) | |
download | lwn-86b4da8c0e7fcb6c217c604efcd9438ad55dd055.tar.gz lwn-86b4da8c0e7fcb6c217c604efcd9438ad55dd055.zip |
IMA: Define a new template field buf
A buffer(kexec boot command line arguments) measured into IMA
measuremnt list cannot be appraised, without already being
aware of the buffer contents. Since hashes are non-reversible,
raw buffer is needed for validation or regenerating hash for
appraisal/attestation.
Add support to store/read the buffer contents in HEX.
The kexec cmdline hash is stored in the "d-ng" field of the
template data. It can be verified using
sudo cat /sys/kernel/security/integrity/ima/ascii_runtime_measurements |
grep kexec-cmdline | cut -d' ' -f 6 | xxd -r -p | sha256sum
- Add two new fields to ima_event_data to hold the buf and
buf_len
- Add a new template field 'buf' to be used to store/read
the buffer data.
- Updated process_buffer_meaurement to add the buffer to
ima_event_data. process_buffer_measurement added in
"Define a new IMA hook to measure the boot command line
arguments"
- Add a new template policy name ima-buf to represent
'd-ng|n-ng|buf'
Signed-off-by: Prakhar Srivastava <prsriva02@gmail.com>
Reviewed-by: Roberto Sassu <roberto.sassu@huawei.com>
Reviewed-by: James Morris <jamorris@linux.microsoft.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Diffstat (limited to 'kernel/memremap.c')
0 files changed, 0 insertions, 0 deletions