• Mimi Zohar's avatar
    ima: always measure and audit files in policy · de72a0f9
    Mimi Zohar authored
    commit f3cc6b25 upstream.
    
    All files matching a "measure" rule must be included in the IMA
    measurement list, even when the file hash cannot be calculated.
    Similarly, all files matching an "audit" rule must be audited, even when
    the file hash can not be calculated.
    
    The file data hash field contained in the IMA measurement list template
    data will contain 0's instead of the actual file hash digest.
    
    Note:
    In general, adding, deleting or in anyway changing which files are
    included in the IMA measurement list is not a good idea, as it might
    result in not being able to unseal trusted keys sealed to a specific
    TPM PCR value.  This patch not only adds file measurements that were
    not previously measured, but specifies that the file hash value for
    these files will be 0's.
    
    As the IMA measurement list ordering is not consistent from one boot
    to the next, it is unlikely that anyone is sealing keys based on the
    IMA measurement list.  Remote attestation servers should be able to
    process these new measurement records, but might complain about
    these unknown records.
    Signed-off-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
    Reviewed-by: default avatarDmitry Kasatkin <dmitry.kasatkin@huawei.com>
    Cc: Aditya Kali <adityakali@google.com>
    Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
    de72a0f9
ima_crypto.c 15.7 KB