Re: [PATCH v5 4/8] ima: define a new template field 'd-type' and a new template 'ima-ngv2'

From: Eric Biggers
Date: Wed Feb 23 2022 - 19:32:38 EST

Next message: Hao Luo: "Re: [PATCH bpf-next v2] bpf: Cache the last valid build_id."
Previous message: kernel test robot: "[hare-scsi-devel:tls-upcall.v2 34/67] crypto/hkdf.c:26:5: warning: no previous prototype for function 'hkdf_extract'"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, Feb 11, 2022 at 04:43:06PM -0500, Mimi Zohar wrote:
> In preparation to differentiate between regular IMA file hashes and
> fs-verity's file digests, define a new template field named 'd-type'.
> Define a new template named 'ima-ngv2', which includes the new 'd-type'
> field.
>
> Signed-off-by: Mimi Zohar <zohar@xxxxxxxxxxxxx>
> ---
> security/integrity/ima/ima_template.c | 3 +++
> security/integrity/ima/ima_template_lib.c | 13 +++++++++++++
> security/integrity/ima/ima_template_lib.h | 2 ++
> 3 files changed, 18 insertions(+)
>
> diff --git a/security/integrity/ima/ima_template.c b/security/integrity/ima/ima_template.c
> index db1ad6d7a57f..b321342e5bee 100644
> --- a/security/integrity/ima/ima_template.c
> +++ b/security/integrity/ima/ima_template.c
> @@ -19,6 +19,7 @@ enum header_fields { HDR_PCR, HDR_DIGEST, HDR_TEMPLATE_NAME,
> static struct ima_template_desc builtin_templates[] = {
> {.name = IMA_TEMPLATE_IMA_NAME, .fmt = IMA_TEMPLATE_IMA_FMT},
> {.name = "ima-ng", .fmt = "d-ng|n-ng"},
> + {.name = "ima-ngv2", .fmt = "d-ng|n-ng|d-type"},
> {.name = "ima-sig", .fmt = "d-ng|n-ng|sig"},
> {.name = "ima-buf", .fmt = "d-ng|n-ng|buf"},
> {.name = "ima-modsig", .fmt = "d-ng|n-ng|sig|d-modsig|modsig"},
> @@ -40,6 +41,8 @@ static const struct ima_template_field supported_fields[] = {
> .field_show = ima_show_template_digest_ng},
> {.field_id = "n-ng", .field_init = ima_eventname_ng_init,
> .field_show = ima_show_template_string},
> + {.field_id = "d-type", .field_init = ima_eventdigest_type_init,
> + .field_show = ima_show_template_string},
> {.field_id = "sig", .field_init = ima_eventsig_init,
> .field_show = ima_show_template_sig},
> {.field_id = "buf", .field_init = ima_eventbuf_init,

I notice that the "d-ng" field already contains both the hash algorithm and the
hash itself, in the form <algorithm>:<hash>. Wouldn't it make more sense to
define a "d-ngv2" field that contains <type>:<algorithm>:<hash>? After all,
both the type and algorithm are required to interpret the hash.

Or in other words, what about the hash type is different from the hash algorithm
that would result in them needing different handling here?

- Eric

Next message: Hao Luo: "Re: [PATCH bpf-next v2] bpf: Cache the last valid build_id."
Previous message: kernel test robot: "[hare-scsi-devel:tls-upcall.v2 34/67] crypto/hkdf.c:26:5: warning: no previous prototype for function 'hkdf_extract'"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]