Commit ebe7acad authored by Linus Torvalds's avatar Linus Torvalds

Merge branch 'next-integrity' of...

Merge branch 'next-integrity' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity

Pull IMA fixes from Mimi Zohar:
 "Two bug fixes and an associated change for each.

  The one that adds SM3 to the IMA list of supported hash algorithms is
  a simple change, but could be considered a new feature"

* 'next-integrity' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity:
  ima: add sm3 algorithm to hash algorithm configuration list
  crypto: rename sm3-256 to sm3 in hash_algo_name
  efi: Only print errors about failing to get certs if EFI vars are found
  x86/ima: use correct identifier for SetupMode variable
parents ca7e1fd1 5780b9ab
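--- a/PATH_NOT_ON_PAGE_FILE1
+++ b/PATH_NOT_ON_PAGE_FILE1
@@ -10,8 +10,6 @@ extern struct boot_params boot_params;
 
 static enum efi_secureboot_mode get_sb_mode(void)
 {
-	efi_char16_t efi_SecureBoot_name[] = L"SecureBoot";
-	efi_char16_t efi_SetupMode_name[] = L"SecureBoot";
 	efi_guid_t efi_variable_guid = EFI_GLOBAL_VARIABLE_GUID;
 	efi_status_t status;
 	unsigned long size;
@@ -25,7 +23,7 @@ static enum efi_secureboot_mode get_sb_mode(void)
 	}
 
 	/* Get variable contents into buffer */
-	status = efi.get_variable(efi_SecureBoot_name, &efi_variable_guid,
+	status = efi.get_variable(L"SecureBoot", &efi_variable_guid,
 				  NULL, &size, &secboot);
 	if (status == EFI_NOT_FOUND) {
 		pr_info("ima: secureboot mode disabled\n");
@@ -38,7 +36,7 @@ static enum efi_secureboot_mode get_sb_mode(void)
 	}
 
 	size = sizeof(setupmode);
-	status = efi.get_variable(efi_SetupMode_name, &efi_variable_guid,
+	status = efi.get_variable(L"SetupMode", &efi_variable_guid,
 				  NULL, &size, &setupmode);
 
 	if (status != EFI_SUCCESS)	/* ignore unknown SetupMode */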
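Review bot: The comment `/* ignore unknown SetupMode */` on the last line of the hunk says the read result is dropped but not what the caller is then told about secure boot; the branch that decides this is outside the hunk, so I cannot confirm it, but the comment should name the fallback, e.g. `/* SetupMode unreadable: report the mode derived from SecureBoot alone */` if that is what the code does. With both variable names now inline literals there is no longer anything pairing a name with its destination buffer, which is exactly the kind of slip this commit fixes, so a short comment above each call (`/* SecureBoot -> secboot */`, `/* SetupMode -> setupmode */`) would make the next mismatch visible in review. The rest of get_sb_mode continues past the hunk.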
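--- a/PATH_NOT_ON_PAGE_FILE2
+++ b/PATH_NOT_ON_PAGE_FILE2
@@ -26,7 +26,7 @@ const char *const hash_algo_name[HASH_ALGO__LAST] = {
 	[HASH_ALGO_TGR_128]	= "tgr128",
 	[HASH_ALGO_TGR_160]	= "tgr160",
 	[HASH_ALGO_TGR_192]	= "tgr192",
-	[HASH_ALGO_SM3_256]	= "sm3-256",
+	[HASH_ALGO_SM3_256]	= "sm3",
 	[HASH_ALGO_STREEBOG_256] = "streebog256",
 	[HASH_ALGO_STREEBOG_512] = "streebog512",
 };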
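Review bot: Changing the `HASH_ALGO_SM3_256` entry from `"sm3-256"` to `"sm3"` alters a user-visible string, not just an identifier: `hash_algo_name[]` is, as far as I can tell from the table alone, the name IMA emits for measurements and the name string-to-algorithm lookups compare against, so any policy, boot parameter or log consumer that was written against `sm3-256` stops matching after this line. If that break is intended, a comment beside the entry, e.g. `/* was "sm3-256"; now matches the crypto API driver name */`, would record why the only hyphenated name in the table disappeared. Only the middle of the table is in the hunk.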
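--- a/PATH_NOT_ON_PAGE_FILE3
+++ b/PATH_NOT_ON_PAGE_FILE3
@@ -112,6 +112,10 @@ choice
 	config IMA_DEFAULT_HASH_WP512
 		bool "WP512"
 		depends on CRYPTO_WP512=y && !IMA_TEMPLATE
+
+	config IMA_DEFAULT_HASH_SM3
+		bool "SM3"
+		depends on CRYPTO_SM3=y && !IMA_TEMPLATE
 endchoice
 
 config IMA_DEFAULT_HASH
@@ -121,6 +125,7 @@ config IMA_DEFAULT_HASH
 	default "sha256" if IMA_DEFAULT_HASH_SHA256
 	default "sha512" if IMA_DEFAULT_HASH_SHA512
 	default "wp512" if IMA_DEFAULT_HASH_WP512
+	default "sm3" if IMA_DEFAULT_HASH_SM3
 
 config IMA_WRITE_POLICY
 	bool "Enable multiple writes to the IMA policy"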
+26 −14
@@ -35,16 +35,18 @@ static __init bool uefi_check_ignore_db(void)
 * Get a certificate list blob from the named EFI variable.
 */
static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid,
				  unsigned long *size)
				  unsigned long *size, efi_status_t *status)
{
	efi_status_t status;
	unsigned long lsize = 4;
	unsigned long tmpdb[4];
	void *db;

	status = efi.get_variable(name, guid, NULL, &lsize, &tmpdb);
	if (status != EFI_BUFFER_TOO_SMALL) {
		pr_err("Couldn't get size: 0x%lx\n", status);
	*status = efi.get_variable(name, guid, NULL, &lsize, &tmpdb);
	if (*status == EFI_NOT_FOUND)
		return NULL;

	if (*status != EFI_BUFFER_TOO_SMALL) {
		pr_err("Couldn't get size: 0x%lx\n", *status);
		return NULL;
	}

@@ -52,10 +54,10 @@ static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid,
	if (!db)
		return NULL;

	status = efi.get_variable(name, guid, NULL, &lsize, db);
	if (status != EFI_SUCCESS) {
	*status = efi.get_variable(name, guid, NULL, &lsize, db);
	if (*status != EFI_SUCCESS) {
		kfree(db);
		pr_err("Error reading db var: 0x%lx\n", status);
		pr_err("Error reading db var: 0x%lx\n", *status);
		return NULL;
	}

@@ -74,6 +76,7 @@ static int __init load_uefi_certs(void)
	efi_guid_t mok_var = EFI_SHIM_LOCK_GUID;
	void *db = NULL, *dbx = NULL, *mok = NULL;
	unsigned long dbsize = 0, dbxsize = 0, moksize = 0;
	efi_status_t status;
	int rc = 0;

	if (!efi.get_variable)
@@ -83,8 +86,11 @@ static int __init load_uefi_certs(void)
	 * an error if we can't get them.
	 */
	if (!uefi_check_ignore_db()) {
		db = get_cert_list(L"db", &secure_var, &dbsize);
		db = get_cert_list(L"db", &secure_var, &dbsize, &status);
		if (!db) {
			if (status == EFI_NOT_FOUND)
				pr_debug("MODSIGN: db variable wasn't found\n");
			else
				pr_err("MODSIGN: Couldn't get UEFI db list\n");
		} else {
			rc = parse_efi_signature_list("UEFI:db",
@@ -96,8 +102,11 @@ static int __init load_uefi_certs(void)
		}
	}

	mok = get_cert_list(L"MokListRT", &mok_var, &moksize);
	mok = get_cert_list(L"MokListRT", &mok_var, &moksize, &status);
	if (!mok) {
		if (status == EFI_NOT_FOUND)
			pr_debug("MokListRT variable wasn't found\n");
		else
			pr_info("Couldn't get UEFI MokListRT\n");
	} else {
		rc = parse_efi_signature_list("UEFI:MokListRT",
@@ -107,8 +116,11 @@ static int __init load_uefi_certs(void)
		kfree(mok);
	}

	dbx = get_cert_list(L"dbx", &secure_var, &dbxsize);
	dbx = get_cert_list(L"dbx", &secure_var, &dbxsize, &status);
	if (!dbx) {
		if (status == EFI_NOT_FOUND)
			pr_debug("dbx variable wasn't found\n");
		else
			pr_info("Couldn't get UEFI dbx list\n");
	} else {
		rc = parse_efi_signature_list("UEFI:dbx",
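Review bot: The header comment on get_cert_list (`* Get a certificate list blob from the named EFI variable.` at the top of the first hunk) is not updated for the new `status` out-parameter, and its contract deserves spelling out: `*status` is first written by the size query `*status = efi.get_variable(name, guid, NULL, &lsize, &tmpdb);` before any early return, so the `if (!db) return NULL;` path at the start of the second hunk (presumably the buffer-allocation failure, which sits between the hunks) hands the caller EFI_BUFFER_TOO_SMALL rather than a distinct code, and load_uefi_certs then logs that as "Couldn't get …" instead of "wasn't found", which is the right direction but not obvious from the code. I would extend the comment with: `*status` always holds the status of the most recent efi.get_variable() call, EFI_NOT_FOUND means the variable does not exist and is the only case callers treat as non-error, and a NULL return with any other status is a genuine failure. Note that `status` in load_uefi_certs is declared without an initialiser and is only safe to read because every NULL return of get_cert_list is preceded by that first write; a comment on the declaration saying so would protect the invariant. The body of get_cert_list between the first two hunks and the tail of load_uefi_certs after the last one are outside the diff.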