LXR linux/security/integrity/ima/ima

   1// SPDX-License-Identifier: GPL-2.0-only
   2/*
   3 * Copyright (C) 2005,2006,2007,2008 IBM Corporation
   4 *
   5 * Authors:
   6 * Reiner Sailer      <sailer@watson.ibm.com>
   7 * Leendert van Doorn <leendert@watson.ibm.com>
   8 * Mimi Zohar         <zohar@us.ibm.com>
   9 *
  10 * File: ima_init.c
  11 *             initialization and cleanup functions
  12 */
  13
  14#include <linux/init.h>
  15#include <linux/scatterlist.h>
  16#include <linux/slab.h>
  17#include <linux/err.h>
  18#include <linux/ima.h>
  19#include <generated/utsrelease.h>
  20
  21#include "ima.h"
  22
  23/* name for boot aggregate entry */
  24const char boot_aggregate_name[] = "boot_aggregate";
  25struct tpm_chip *ima_tpm_chip;
  26
  27/* Add the boot aggregate to the IMA measurement list and extend
  28 * the PCR register.
  29 *
  30 * Calculate the boot aggregate, a hash over tpm registers 0-7,
  31 * assuming a TPM chip exists, and zeroes if the TPM chip does not
  32 * exist.  Add the boot aggregate measurement to the measurement
  33 * list and extend the PCR register.
  34 *
  35 * If a tpm chip does not exist, indicate the core root of trust is
  36 * not hardware based by invalidating the aggregate PCR value.
  37 * (The aggregate PCR value is invalidated by adding one value to
  38 * the measurement list and extending the aggregate PCR value with
  39 * a different value.) Violations add a zero entry to the measurement
  40 * list and extend the aggregate PCR value with ff...ff's.
  41 */
  42static int __init ima_add_boot_aggregate(void)
  43{
  44        static const char op[] = "add_boot_aggregate";
  45        const char *audit_cause = "ENOMEM";
  46        struct ima_template_entry *entry;
  47        struct integrity_iint_cache tmp_iint, *iint = &tmp_iint;
  48        struct ima_event_data event_data = { .iint = iint,
  49                                             .filename = boot_aggregate_name };
  50        int result = -ENOMEM;
  51        int violation = 0;
  52        struct {
  53                struct ima_digest_data hdr;
  54                char digest[TPM_MAX_DIGEST_SIZE];
  55        } hash;
  56
  57        memset(iint, 0, sizeof(*iint));
  58        memset(&hash, 0, sizeof(hash));
  59        iint->ima_hash = &hash.hdr;
  60        iint->ima_hash->algo = ima_hash_algo;
  61        iint->ima_hash->length = hash_digest_size[ima_hash_algo];
  62
  63        /*
  64         * With TPM 2.0 hash agility, TPM chips could support multiple TPM
  65         * PCR banks, allowing firmware to configure and enable different
  66         * banks.  The SHA1 bank is not necessarily enabled.
  67         *
  68         * Use the same hash algorithm for reading the TPM PCRs as for
  69         * calculating the boot aggregate digest.  Preference is given to
  70         * the configured IMA default hash algorithm.  Otherwise, use the
  71         * TCG required banks - SHA256 for TPM 2.0, SHA1 for TPM 1.2.
  72         * Ultimately select SHA1 also for TPM 2.0 if the SHA256 PCR bank
  73         * is not found.
  74         */
  75        if (ima_tpm_chip) {
  76                result = ima_calc_boot_aggregate(&hash.hdr);
  77                if (result < 0) {
  78                        audit_cause = "hashing_error";
  79                        goto err_out;
  80                }
  81        }
  82
  83        result = ima_alloc_init_template(&event_data, &entry, NULL);
  84        if (result < 0) {
  85                audit_cause = "alloc_entry";
  86                goto err_out;
  87        }
  88
  89        result = ima_store_template(entry, violation, NULL,
  90                                    boot_aggregate_name,
  91                                    CONFIG_IMA_MEASURE_PCR_IDX);
  92        if (result < 0) {
  93                ima_free_template_entry(entry);
  94                audit_cause = "store_entry";
  95                goto err_out;
  96        }
  97        return 0;
  98err_out:
  99        integrity_audit_msg(AUDIT_INTEGRITY_PCR, NULL, boot_aggregate_name, op,
 100                            audit_cause, result, 0);
 101        return result;
 102}
 103
 104#ifdef CONFIG_IMA_LOAD_X509
 105void __init ima_load_x509(void)
 106{
 107        int unset_flags = ima_policy_flag & IMA_APPRAISE;
 108
 109        ima_policy_flag &= ~unset_flags;
 110        integrity_load_x509(INTEGRITY_KEYRING_IMA, CONFIG_IMA_X509_PATH);
 111
 112        /* load also EVM key to avoid appraisal */
 113        evm_load_x509();
 114
 115        ima_policy_flag |= unset_flags;
 116}
 117#endif
 118
 119int __init ima_init(void)
 120{
 121        int rc;
 122
 123        ima_tpm_chip = tpm_default_chip();
 124        if (!ima_tpm_chip)
 125                pr_info("No TPM chip found, activating TPM-bypass!\n");
 126
 127        rc = integrity_init_keyring(INTEGRITY_KEYRING_IMA);
 128        if (rc)
 129                return rc;
 130
 131        rc = ima_init_crypto();
 132        if (rc)
 133                return rc;
 134        rc = ima_init_template();
 135        if (rc != 0)
 136                return rc;
 137
 138        /* It can be called before ima_init_digests(), it does not use TPM. */
 139        ima_load_kexec_buffer();
 140
 141        rc = ima_init_digests();
 142        if (rc != 0)
 143                return rc;
 144        rc = ima_add_boot_aggregate();  /* boot aggregate must be first entry */
 145        if (rc != 0)
 146                return rc;
 147
 148        ima_init_policy();
 149
 150        rc = ima_fs_init();
 151        if (rc != 0)
 152                return rc;
 153
 154        ima_init_key_queue();
 155
 156        ima_measure_critical_data("kernel_info", "kernel_version",
 157                                  UTS_RELEASE, strlen(UTS_RELEASE), false,
 158                                  NULL, 0);
 159
 160        return rc;
 161}
 162