1
2
3
4
5
6
7
8
9
10
11
12
13#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
14
15#include <linux/kernel.h>
16#include <linux/moduleparam.h>
17#include <linux/ratelimit.h>
18#include <linux/file.h>
19#include <linux/crypto.h>
20#include <linux/scatterlist.h>
21#include <linux/err.h>
22#include <linux/slab.h>
23#include <crypto/hash.h>
24
25#include "ima.h"
26
27
28static unsigned long ima_ahash_minsize;
29module_param_named(ahash_minsize, ima_ahash_minsize, ulong, 0644);
30MODULE_PARM_DESC(ahash_minsize, "Minimum file size for ahash use");
31
32
33static int ima_maxorder;
34static unsigned int ima_bufsize = PAGE_SIZE;
35
36static int param_set_bufsize(const char *val, const struct kernel_param *kp)
37{
38 unsigned long long size;
39 int order;
40
41 size = memparse(val, NULL);
42 order = get_order(size);
43 if (order >= MAX_ORDER)
44 return -EINVAL;
45 ima_maxorder = order;
46 ima_bufsize = PAGE_SIZE << order;
47 return 0;
48}
49
50static const struct kernel_param_ops param_ops_bufsize = {
51 .set = param_set_bufsize,
52 .get = param_get_uint,
53};
54#define param_check_bufsize(name, p) __param_check(name, p, unsigned int)
55
56module_param_named(ahash_bufsize, ima_bufsize, bufsize, 0644);
57MODULE_PARM_DESC(ahash_bufsize, "Maximum ahash buffer size");
58
59static struct crypto_shash *ima_shash_tfm;
60static struct crypto_ahash *ima_ahash_tfm;
61
62int __init ima_init_crypto(void)
63{
64 long rc;
65
66 ima_shash_tfm = crypto_alloc_shash(hash_algo_name[ima_hash_algo], 0, 0);
67 if (IS_ERR(ima_shash_tfm)) {
68 rc = PTR_ERR(ima_shash_tfm);
69 pr_err("Can not allocate %s (reason: %ld)\n",
70 hash_algo_name[ima_hash_algo], rc);
71 return rc;
72 }
73 pr_info("Allocated hash algorithm: %s\n",
74 hash_algo_name[ima_hash_algo]);
75 return 0;
76}
77
78static struct crypto_shash *ima_alloc_tfm(enum hash_algo algo)
79{
80 struct crypto_shash *tfm = ima_shash_tfm;
81 int rc;
82
83 if (algo < 0 || algo >= HASH_ALGO__LAST)
84 algo = ima_hash_algo;
85
86 if (algo != ima_hash_algo) {
87 tfm = crypto_alloc_shash(hash_algo_name[algo], 0, 0);
88 if (IS_ERR(tfm)) {
89 rc = PTR_ERR(tfm);
90 pr_err("Can not allocate %s (reason: %d)\n",
91 hash_algo_name[algo], rc);
92 }
93 }
94 return tfm;
95}
96
97static void ima_free_tfm(struct crypto_shash *tfm)
98{
99 if (tfm != ima_shash_tfm)
100 crypto_free_shash(tfm);
101}
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118static void *ima_alloc_pages(loff_t max_size, size_t *allocated_size,
119 int last_warn)
120{
121 void *ptr;
122 int order = ima_maxorder;
123 gfp_t gfp_mask = __GFP_RECLAIM | __GFP_NOWARN | __GFP_NORETRY;
124
125 if (order)
126 order = min(get_order(max_size), order);
127
128 for (; order; order--) {
129 ptr = (void *)__get_free_pages(gfp_mask, order);
130 if (ptr) {
131 *allocated_size = PAGE_SIZE << order;
132 return ptr;
133 }
134 }
135
136
137
138 gfp_mask = GFP_KERNEL;
139
140 if (!last_warn)
141 gfp_mask |= __GFP_NOWARN;
142
143 ptr = (void *)__get_free_pages(gfp_mask, 0);
144 if (ptr) {
145 *allocated_size = PAGE_SIZE;
146 return ptr;
147 }
148
149 *allocated_size = 0;
150 return NULL;
151}
152
153
154
155
156
157
158static void ima_free_pages(void *ptr, size_t size)
159{
160 if (!ptr)
161 return;
162 free_pages((unsigned long)ptr, get_order(size));
163}
164
165static struct crypto_ahash *ima_alloc_atfm(enum hash_algo algo)
166{
167 struct crypto_ahash *tfm = ima_ahash_tfm;
168 int rc;
169
170 if (algo < 0 || algo >= HASH_ALGO__LAST)
171 algo = ima_hash_algo;
172
173 if (algo != ima_hash_algo || !tfm) {
174 tfm = crypto_alloc_ahash(hash_algo_name[algo], 0, 0);
175 if (!IS_ERR(tfm)) {
176 if (algo == ima_hash_algo)
177 ima_ahash_tfm = tfm;
178 } else {
179 rc = PTR_ERR(tfm);
180 pr_err("Can not allocate %s (reason: %d)\n",
181 hash_algo_name[algo], rc);
182 }
183 }
184 return tfm;
185}
186
187static void ima_free_atfm(struct crypto_ahash *tfm)
188{
189 if (tfm != ima_ahash_tfm)
190 crypto_free_ahash(tfm);
191}
192
193static inline int ahash_wait(int err, struct crypto_wait *wait)
194{
195
196 err = crypto_wait_req(err, wait);
197
198 if (err)
199 pr_crit_ratelimited("ahash calculation failed: err: %d\n", err);
200
201 return err;
202}
203
204static int ima_calc_file_hash_atfm(struct file *file,
205 struct ima_digest_data *hash,
206 struct crypto_ahash *tfm)
207{
208 loff_t i_size, offset;
209 char *rbuf[2] = { NULL, };
210 int rc, rbuf_len, active = 0, ahash_rc = 0;
211 struct ahash_request *req;
212 struct scatterlist sg[1];
213 struct crypto_wait wait;
214 size_t rbuf_size[2];
215
216 hash->length = crypto_ahash_digestsize(tfm);
217
218 req = ahash_request_alloc(tfm, GFP_KERNEL);
219 if (!req)
220 return -ENOMEM;
221
222 crypto_init_wait(&wait);
223 ahash_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG |
224 CRYPTO_TFM_REQ_MAY_SLEEP,
225 crypto_req_done, &wait);
226
227 rc = ahash_wait(crypto_ahash_init(req), &wait);
228 if (rc)
229 goto out1;
230
231 i_size = i_size_read(file_inode(file));
232
233 if (i_size == 0)
234 goto out2;
235
236
237
238
239
240 rbuf[0] = ima_alloc_pages(i_size, &rbuf_size[0], 1);
241 if (!rbuf[0]) {
242 rc = -ENOMEM;
243 goto out1;
244 }
245
246
247 if (i_size > rbuf_size[0]) {
248
249
250
251
252
253 rbuf[1] = ima_alloc_pages(i_size - rbuf_size[0],
254 &rbuf_size[1], 0);
255 }
256
257 for (offset = 0; offset < i_size; offset += rbuf_len) {
258 if (!rbuf[1] && offset) {
259
260
261
262
263 rc = ahash_wait(ahash_rc, &wait);
264 if (rc)
265 goto out3;
266 }
267
268 rbuf_len = min_t(loff_t, i_size - offset, rbuf_size[active]);
269 rc = integrity_kernel_read(file, offset, rbuf[active],
270 rbuf_len);
271 if (rc != rbuf_len)
272 goto out3;
273
274 if (rbuf[1] && offset) {
275
276
277
278
279 rc = ahash_wait(ahash_rc, &wait);
280 if (rc)
281 goto out3;
282 }
283
284 sg_init_one(&sg[0], rbuf[active], rbuf_len);
285 ahash_request_set_crypt(req, sg, NULL, rbuf_len);
286
287 ahash_rc = crypto_ahash_update(req);
288
289 if (rbuf[1])
290 active = !active;
291 }
292
293 rc = ahash_wait(ahash_rc, &wait);
294out3:
295 ima_free_pages(rbuf[0], rbuf_size[0]);
296 ima_free_pages(rbuf[1], rbuf_size[1]);
297out2:
298 if (!rc) {
299 ahash_request_set_crypt(req, NULL, hash->digest, 0);
300 rc = ahash_wait(crypto_ahash_final(req), &wait);
301 }
302out1:
303 ahash_request_free(req);
304 return rc;
305}
306
307static int ima_calc_file_ahash(struct file *file, struct ima_digest_data *hash)
308{
309 struct crypto_ahash *tfm;
310 int rc;
311
312 tfm = ima_alloc_atfm(hash->algo);
313 if (IS_ERR(tfm))
314 return PTR_ERR(tfm);
315
316 rc = ima_calc_file_hash_atfm(file, hash, tfm);
317
318 ima_free_atfm(tfm);
319
320 return rc;
321}
322
323static int ima_calc_file_hash_tfm(struct file *file,
324 struct ima_digest_data *hash,
325 struct crypto_shash *tfm)
326{
327 loff_t i_size, offset = 0;
328 char *rbuf;
329 int rc;
330 SHASH_DESC_ON_STACK(shash, tfm);
331
332 shash->tfm = tfm;
333
334 hash->length = crypto_shash_digestsize(tfm);
335
336 rc = crypto_shash_init(shash);
337 if (rc != 0)
338 return rc;
339
340 i_size = i_size_read(file_inode(file));
341
342 if (i_size == 0)
343 goto out;
344
345 rbuf = kzalloc(PAGE_SIZE, GFP_KERNEL);
346 if (!rbuf)
347 return -ENOMEM;
348
349 while (offset < i_size) {
350 int rbuf_len;
351
352 rbuf_len = integrity_kernel_read(file, offset, rbuf, PAGE_SIZE);
353 if (rbuf_len < 0) {
354 rc = rbuf_len;
355 break;
356 }
357 if (rbuf_len == 0)
358 break;
359 offset += rbuf_len;
360
361 rc = crypto_shash_update(shash, rbuf, rbuf_len);
362 if (rc)
363 break;
364 }
365 kfree(rbuf);
366out:
367 if (!rc)
368 rc = crypto_shash_final(shash, hash->digest);
369 return rc;
370}
371
372static int ima_calc_file_shash(struct file *file, struct ima_digest_data *hash)
373{
374 struct crypto_shash *tfm;
375 int rc;
376
377 tfm = ima_alloc_tfm(hash->algo);
378 if (IS_ERR(tfm))
379 return PTR_ERR(tfm);
380
381 rc = ima_calc_file_hash_tfm(file, hash, tfm);
382
383 ima_free_tfm(tfm);
384
385 return rc;
386}
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401int ima_calc_file_hash(struct file *file, struct ima_digest_data *hash)
402{
403 loff_t i_size;
404 int rc;
405 struct file *f = file;
406 bool new_file_instance = false, modified_flags = false;
407
408
409
410
411
412 if (file->f_flags & O_DIRECT) {
413 hash->length = hash_digest_size[ima_hash_algo];
414 hash->algo = ima_hash_algo;
415 return -EINVAL;
416 }
417
418
419 if (!(file->f_mode & FMODE_READ)) {
420 int flags = file->f_flags & ~(O_WRONLY | O_APPEND |
421 O_TRUNC | O_CREAT | O_NOCTTY | O_EXCL);
422 flags |= O_RDONLY;
423 f = dentry_open(&file->f_path, flags, file->f_cred);
424 if (IS_ERR(f)) {
425
426
427
428
429 pr_info_ratelimited("Unable to reopen file for reading.\n");
430 f = file;
431 f->f_flags |= FMODE_READ;
432 modified_flags = true;
433 } else {
434 new_file_instance = true;
435 }
436 }
437
438 i_size = i_size_read(file_inode(f));
439
440 if (ima_ahash_minsize && i_size >= ima_ahash_minsize) {
441 rc = ima_calc_file_ahash(f, hash);
442 if (!rc)
443 goto out;
444 }
445
446 rc = ima_calc_file_shash(f, hash);
447out:
448 if (new_file_instance)
449 fput(f);
450 else if (modified_flags)
451 f->f_flags &= ~FMODE_READ;
452 return rc;
453}
454
455
456
457
458static int ima_calc_field_array_hash_tfm(struct ima_field_data *field_data,
459 struct ima_template_desc *td,
460 int num_fields,
461 struct ima_digest_data *hash,
462 struct crypto_shash *tfm)
463{
464 SHASH_DESC_ON_STACK(shash, tfm);
465 int rc, i;
466
467 shash->tfm = tfm;
468
469 hash->length = crypto_shash_digestsize(tfm);
470
471 rc = crypto_shash_init(shash);
472 if (rc != 0)
473 return rc;
474
475 for (i = 0; i < num_fields; i++) {
476 u8 buffer[IMA_EVENT_NAME_LEN_MAX + 1] = { 0 };
477 u8 *data_to_hash = field_data[i].data;
478 u32 datalen = field_data[i].len;
479 u32 datalen_to_hash =
480 !ima_canonical_fmt ? datalen : cpu_to_le32(datalen);
481
482 if (strcmp(td->name, IMA_TEMPLATE_IMA_NAME) != 0) {
483 rc = crypto_shash_update(shash,
484 (const u8 *) &datalen_to_hash,
485 sizeof(datalen_to_hash));
486 if (rc)
487 break;
488 } else if (strcmp(td->fields[i]->field_id, "n") == 0) {
489 memcpy(buffer, data_to_hash, datalen);
490 data_to_hash = buffer;
491 datalen = IMA_EVENT_NAME_LEN_MAX + 1;
492 }
493 rc = crypto_shash_update(shash, data_to_hash, datalen);
494 if (rc)
495 break;
496 }
497
498 if (!rc)
499 rc = crypto_shash_final(shash, hash->digest);
500
501 return rc;
502}
503
504int ima_calc_field_array_hash(struct ima_field_data *field_data,
505 struct ima_template_desc *desc, int num_fields,
506 struct ima_digest_data *hash)
507{
508 struct crypto_shash *tfm;
509 int rc;
510
511 tfm = ima_alloc_tfm(hash->algo);
512 if (IS_ERR(tfm))
513 return PTR_ERR(tfm);
514
515 rc = ima_calc_field_array_hash_tfm(field_data, desc, num_fields,
516 hash, tfm);
517
518 ima_free_tfm(tfm);
519
520 return rc;
521}
522
523static int calc_buffer_ahash_atfm(const void *buf, loff_t len,
524 struct ima_digest_data *hash,
525 struct crypto_ahash *tfm)
526{
527 struct ahash_request *req;
528 struct scatterlist sg;
529 struct crypto_wait wait;
530 int rc, ahash_rc = 0;
531
532 hash->length = crypto_ahash_digestsize(tfm);
533
534 req = ahash_request_alloc(tfm, GFP_KERNEL);
535 if (!req)
536 return -ENOMEM;
537
538 crypto_init_wait(&wait);
539 ahash_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG |
540 CRYPTO_TFM_REQ_MAY_SLEEP,
541 crypto_req_done, &wait);
542
543 rc = ahash_wait(crypto_ahash_init(req), &wait);
544 if (rc)
545 goto out;
546
547 sg_init_one(&sg, buf, len);
548 ahash_request_set_crypt(req, &sg, NULL, len);
549
550 ahash_rc = crypto_ahash_update(req);
551
552
553 rc = ahash_wait(ahash_rc, &wait);
554 if (!rc) {
555 ahash_request_set_crypt(req, NULL, hash->digest, 0);
556 rc = ahash_wait(crypto_ahash_final(req), &wait);
557 }
558out:
559 ahash_request_free(req);
560 return rc;
561}
562
563static int calc_buffer_ahash(const void *buf, loff_t len,
564 struct ima_digest_data *hash)
565{
566 struct crypto_ahash *tfm;
567 int rc;
568
569 tfm = ima_alloc_atfm(hash->algo);
570 if (IS_ERR(tfm))
571 return PTR_ERR(tfm);
572
573 rc = calc_buffer_ahash_atfm(buf, len, hash, tfm);
574
575 ima_free_atfm(tfm);
576
577 return rc;
578}
579
580static int calc_buffer_shash_tfm(const void *buf, loff_t size,
581 struct ima_digest_data *hash,
582 struct crypto_shash *tfm)
583{
584 SHASH_DESC_ON_STACK(shash, tfm);
585 unsigned int len;
586 int rc;
587
588 shash->tfm = tfm;
589
590 hash->length = crypto_shash_digestsize(tfm);
591
592 rc = crypto_shash_init(shash);
593 if (rc != 0)
594 return rc;
595
596 while (size) {
597 len = size < PAGE_SIZE ? size : PAGE_SIZE;
598 rc = crypto_shash_update(shash, buf, len);
599 if (rc)
600 break;
601 buf += len;
602 size -= len;
603 }
604
605 if (!rc)
606 rc = crypto_shash_final(shash, hash->digest);
607 return rc;
608}
609
610static int calc_buffer_shash(const void *buf, loff_t len,
611 struct ima_digest_data *hash)
612{
613 struct crypto_shash *tfm;
614 int rc;
615
616 tfm = ima_alloc_tfm(hash->algo);
617 if (IS_ERR(tfm))
618 return PTR_ERR(tfm);
619
620 rc = calc_buffer_shash_tfm(buf, len, hash, tfm);
621
622 ima_free_tfm(tfm);
623 return rc;
624}
625
626int ima_calc_buffer_hash(const void *buf, loff_t len,
627 struct ima_digest_data *hash)
628{
629 int rc;
630
631 if (ima_ahash_minsize && len >= ima_ahash_minsize) {
632 rc = calc_buffer_ahash(buf, len, hash);
633 if (!rc)
634 return 0;
635 }
636
637 return calc_buffer_shash(buf, len, hash);
638}
639
640static void __init ima_pcrread(u32 idx, struct tpm_digest *d)
641{
642 if (!ima_tpm_chip)
643 return;
644
645 if (tpm_pcr_read(ima_tpm_chip, idx, d) != 0)
646 pr_err("Error Communicating to TPM chip\n");
647}
648
649
650
651
652static int __init ima_calc_boot_aggregate_tfm(char *digest,
653 struct crypto_shash *tfm)
654{
655 struct tpm_digest d = { .alg_id = TPM_ALG_SHA1, .digest = {0} };
656 int rc;
657 u32 i;
658 SHASH_DESC_ON_STACK(shash, tfm);
659
660 shash->tfm = tfm;
661
662 rc = crypto_shash_init(shash);
663 if (rc != 0)
664 return rc;
665
666
667 for (i = TPM_PCR0; i < TPM_PCR8; i++) {
668 ima_pcrread(i, &d);
669
670 rc = crypto_shash_update(shash, d.digest, TPM_DIGEST_SIZE);
671 }
672 if (!rc)
673 crypto_shash_final(shash, digest);
674 return rc;
675}
676
677int __init ima_calc_boot_aggregate(struct ima_digest_data *hash)
678{
679 struct crypto_shash *tfm;
680 int rc;
681
682 tfm = ima_alloc_tfm(hash->algo);
683 if (IS_ERR(tfm))
684 return PTR_ERR(tfm);
685
686 hash->length = crypto_shash_digestsize(tfm);
687 rc = ima_calc_boot_aggregate_tfm(hash->digest, tfm);
688
689 ima_free_tfm(tfm);
690
691 return rc;
692}
693