- 28 Jun, 2017 1 commit
-
-
Stephen Rothwell authored
Fixes: 8014370f ("apparmor: move path_link mediation to using labels") Signed-off-by: Stephen Rothwell <sfr@canb.auug.org.au> Acked-by: John Johansen <john.johansen@canonical.com> Acked-by: Kees Cook <keescook@chromium.org> Signed-off-by: James Morris <james.l.morris@oracle.com>
-
- 27 Jun, 2017 1 commit
-
-
- 26 Jun, 2017 3 commits
-
-
Kees Cook authored
This switches the seccomp usage tracking from atomic_t to refcount_t to gain refcount overflow protections. Cc: Elena Reshetova <elena.reshetova@intel.com> Cc: David Windsor <dwindsor@gmail.com> Cc: Hans Liljestrand <hans.liljestrand@aalto.fi> Signed-off-by: Kees Cook <keescook@chromium.org>
-
Kees Cook authored
While glibc's pthread implementation is rather forgiving about repeat thread joining, Bionic has recently become much more strict. To deal with this, actually track which threads have been successfully joined and kill the rest at teardown. Based on a patch from Paul Lawrence. Cc: Paul Lawrence <paullawrence@google.com> Signed-off-by: Kees Cook <keescook@chromium.org>
-
Kees Cook authored
This just cleans up the core dumping logic to avoid the braces around the RET_KILL case. Signed-off-by: Kees Cook <keescook@chromium.org>
-
- 23 Jun, 2017 1 commit
-
-
- 21 Jun, 2017 17 commits
-
-
Eric Richter authored
Commit 0260643c "ima: add policy support for extending different pcrs" introduced a new IMA policy option "pcr=". Missing was the documentation for this option. This patch updates ima_policy to include this option, as well as an example. Signed-off-by: Eric Richter <erichte@linux.vnet.ibm.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
-
Thiago Jung Bauermann authored
If the file doesn't have an xattr, ima_appraise_measurement sets cause to "missing-hash" while if there's an xattr but it's a digest instead of a signature it sets cause to "IMA-signature-required". Fix it by setting cause to "IMA-signature-required" in both cases. Signed-off-by: Thiago Jung Bauermann <bauerman@linux.vnet.ibm.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
-
Thiago Jung Bauermann authored
If the func_tokens array uses the same indices as enum ima_hooks, policy_func_show can be a lot simpler, and the func_* enum becomes unnecessary. Also, if we use the same macro trick used by kernel_read_file_id_str we can use one hooks list for both the enum and the string array, making sure they are always in sync (suggested by Mimi Zohar). Finally, by using the printf pattern for the function token directly instead of using the pt macro we can simplify policy_func_show even further and avoid needing a temporary buffer. Signed-off-by: Thiago Jung Bauermann <bauerman@linux.vnet.ibm.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
-
Thiago Jung Bauermann authored
These changes are too small to warrant their own patches: The keyid and sig_size members of struct signature_v2_hdr are in BE format, so use a type that makes this assumption explicit. Also, use beXX_to_cpu instead of __beXX_to_cpu to read them. Change integrity_kernel_read to take a void * buffer instead of char * buffer, so that callers don't have to use a cast if they provide a buffer that isn't a char *. Add missing #endif comment in ima.h pointing out which macro it refers to. Add missing fall through comment in ima_appraise.c. Constify mask_tokens and func_tokens arrays. Signed-off-by: Thiago Jung Bauermann <bauerman@linux.vnet.ibm.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
-
Roberto Sassu authored
Remove '+ 1' from 'size += strlen(entry->template_desc->name) + 1;', as the template name is sent to userspace without the '\0' character. Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
-
Roberto Sassu authored
The binary_field_data structure definition has been removed from ima_restore_template_data(). The lengths and data pointers are directly stored into the template_data array of the ima_template_entry structure. For template data, both the number of fields and buffer end checks can be done, as these information are known (respectively from the template descriptor, and from the measurement header field). Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
-
Roberto Sassu authored
The binary_hdr_v1 and binary_data_v1 structures defined in ima_restore_measurement_list() have been replaced with an array of four ima_field_data structures where pcr, digest, template name and template data lengths and pointers are stored. The length of pcr and digest in the ima_field_data array and the bits in the bitmap are set before ima_parse_buf() is called. The ENFORCE_FIELDS bit is set for all entries except the last one (there is still data to parse), and ENFORCE_BUFEND is set only for the last entry. Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
-
Roberto Sassu authored
ima_parse_buf() takes as input the buffer start and end pointers, and stores the result in a static array of ima_field_data structures, where the len field contains the length parsed from the buffer, and the data field contains the address of the buffer just after the length. Optionally, the function returns the current value of the buffer pointer and the number of array elements written. A bitmap has been added as parameter of ima_parse_buf() to handle the cases where the length is not prepended to data. Each bit corresponds to an element of the ima_field_data array. If a bit is set, the length is not parsed from the buffer, but is read from the corresponding element of the array (the length must be set before calling the function). ima_parse_buf() can perform three checks upon request by callers, depending on the enforce mask passed to it: - ENFORCE_FIELDS: matching of number of fields (length-data combination) - there must be enough data in the buffer to parse the number of fields requested (output: current value of buffer pointer) - ENFORCE_BUFEND: matching of buffer end - the ima_field_data array must be large enough to contain lengths and data pointers for the amount of data requested (output: number of fields written) - ENFORCE_FIELDS | ENFORCE_BUFEND: matching of both Use cases - measurement entry header: ENFORCE_FIELDS | ENFORCE_BUFEND - four fields must be parsed: pcr, digest, template name, template data - ENFORCE_BUFEND is enforced only for the last measurement entry - template digest (Crypto Agile): ENFORCE_BUFEND - since only the total template digest length is known, the function parses length-data combinations until the buffer end is reached - template data: ENFORCE_FIELDS | ENFORCE_BUFEND - since the number of fields and the total template data length are known, the function can perform both checks Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
-
Laura Abbott authored
cgroups2 is beginning to show up in wider usage. Add it to the default nomeasure/noappraise list like other filesystems. Signed-off-by: Laura Abbott <labbott@redhat.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
-
Geliang Tang authored
Use memdup_user_nul() helper instead of open-coding to simplify the code. Signed-off-by: Geliang Tang <geliangtang@gmail.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
-
Tycho Andersen authored
While reading the code, I noticed that these #endif comments don't match how they're actually nested. This patch fixes that. Signed-off-by: Tycho Andersen <tycho@docker.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
-
Ben Hutchings authored
IMA uses the hash algorithm too early to be able to use a module. Require the selected hash algorithm to be built-in. Signed-off-by: Ben Hutchings <ben@decadent.org.uk> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
-
Mimi Zohar authored
Only return enabled if in enforcing mode, not fix or log modes. Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Changes: - Define is_ima_appraise_enabled() as a bool (Thiago Bauermann)
-
Mimi Zohar authored
Permit enabling the different "ima_appraise=" modes (eg. log, fix) from the boot command line. Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
-
Mimi Zohar authored
The builtin "ima_appraise_tcb" policy should require file signatures for at least a few of the hooks (eg. kernel modules, firmware, and the kexec kernel image), but changing it would break the existing userspace/kernel ABI. This patch defines a new builtin policy named "secure_boot", which can be specified on the "ima_policy=" boot command line, independently or in conjunction with the "ima_appraise_tcb" policy, by specifing ima_policy="appraise_tcb | secure_boot". The new appraisal rules requiring file signatures will be added prior to the "ima_appraise_tcb" rules. Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Changelog: - Reference secure boot in the new builtin policy name. (Thiago Bauermann)
-
Mimi Zohar authored
Add support for providing multiple builtin policies on the "ima_policy=" boot command line. Use "|" as the delimitor separating the policy names. Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
-
-
- 20 Jun, 2017 1 commit
-
-
Jeff Vander Stoep authored
In kernel version 4.1, tracefs was separated from debugfs into its own filesystem. Prior to this split, files in /sys/kernel/debug/tracing could be labeled during filesystem creation using genfscon or later from userspace using setxattr. This change re-enables support for genfscon labeling. Signed-off-by: Jeff Vander Stoep <jeffv@google.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Paul Moore <paul@paul-moore.com>
-
- 19 Jun, 2017 2 commits
-
-
Gustavo A. R. Silva authored
Remove unnecessary NULL check. Pointer _chip_ cannot be NULL in this instance. Signed-off-by: Gustavo A. R. Silva <garsilva@embeddedor.com> Reviewed-by: Jarkko Sakkinen <jarkko.sakkine@linux.intel.com> Tested-by: Jarkko Sakkinen <jarkko.sakkine@linux.intel.com> (compilation) Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
-
Andy Shevchenko authored
Switch to use managed variant of acpi_dev_add_driver_gpios() to simplify error path and fix potentially wrong assignment if ->probe() fails. Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com> Reviewed-by: Jarkko Sakkinen <jarkko.sakkine@linux.intel.com> Tested-by: Jarkko Sakkinen <jarkko.sakkine@linux.intel.com> (compilation) Signed-off-by: Jarkko Sakkinen <jarkko.sakkine@linux.intel.com>
-
- 13 Jun, 2017 14 commits
-
-
Stefan Berger authored
To prevent userspace from sending the TPM driver command to set the locality, we need to check every command that is sent from user space. To distinguish user space commands from internally sent commands we introduce an additional state flag STATE_DRIVER_COMMAND that is set while the driver sends this command. Similar to the TPM 2 space commands we return an error code when this command is detected. Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com> Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
-
Stefan Berger authored
Implement the request_locality function. To set the locality on the backend we define vendor-specific TPM 1.2 and TPM 2 ordinals and send a command to the backend to set the locality for the next commands. To avoid recursing into requesting the locality, we set the TPM_TRANSMIT_RAW flag when calling tpm_transmit_cmd. To avoid recursing into TPM 2 space related commands, we set the space parameter to NULL. Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com> Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
-
Stefan Berger authored
Introduce the flag TPM_TRANSMIT_RAW that allows us to transmit a command without recursing into the requesting of locality. Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com> Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
-
Stefan Berger authored
Suppress the error logging when the core TPM driver sends commands to the VTPM proxy driver and -EPIPE is returned in case the VTPM proxy driver is 'closed' (closed anonymous file descriptor). This error code is only returned by the send function and by tpm_transmit when the VTPM proxy driver is being used. Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com> Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
-
Peter Huewe authored
sparse complains that tpmrm_write can be made static, and since it is right we make it static. Signed-off-by: Peter Huewe <peterhuewe@gmx.de> Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
-
Jarkko Sakkinen authored
Removed struct tpm_pcrextend_in as it is not used for anything anymore. Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Reviewed-by: Peter Huewe <peterhuewe@gmx.de>
-
Jarkko Sakkinen authored
The memory copy from rodata to stack is useless. Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Reviewed-by: Peter Huewe <peterhuewe@gmx.de>
-
Jarkko Sakkinen authored
You should not do arithmetic with __be32 or __le32 types because sometimes it results incorrect results. Calculations must be done only with integers that are in in the CPU byte order. This commit migrates tpm_getcap() to struct tpm_buf in order to sort out these issues. Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Reviewed-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
-
Bryan Freed authored
When the I2C Infineon part is attached to an I2C adapter that imposes a size limitation, large requests will fail with -EOPNOTSUPP. Retry them with a sane minimum size without re-issuing the 0x05 command as this appears to occasionally put the TPM in a bad state. Signed-off-by: Bryan Freed <bfreed@chromium.org> [rework the patch to adapt to the feedback received] Signed-off-by: Enric Balletbo i Serra <enric.balletbo@collabora.com> Acked-by: Andrew Lunn <andrew@lunn.ch> Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Reviewed-by: Andrew Lunn <andrew@lunn.ch> Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
-
Jason Gunthorpe authored
Now that the platform device was merged for OF support we can use the platform device to match ACPI devices as well and run everything through tpm_tis_init. pnp_acpi_device is replaced with ACPI_COMPANION, and ACPI_HANDLE is pushed further down. platform_get_resource is used instead of acpi_dev_get_resources. The itpm global module parameter is no longer changed during itpm detection, instead the phy specific bit is set directly. Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com> Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Tested-by: Jerry Snitselaar <jsnitsel@redhat.com> (with TPM 2.0) Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> (with TPM 1.2) Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
-
Jason Gunthorpe authored
Replace the open coded IORESOURCE_IRQ with platform_get_irq, which supports more cases. Fixes: 00194826 ("tpm_tis: Clean up the force=1 module parameter") Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com> Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Tested-by: Jerry Snitselaar <jsnitsel@redhat.com> (with TPM 2.0) Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> (with TPM 1.2) Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
-
Jason Gunthorpe authored
The test was backwards, triggering IRQ autoprobing if the firmware did not specify an IRQ, instead of triggering it only when the module force parameter was specified. Since autoprobing is not enabled on !x86 and the platform device is currently only used on !x86, or with force, this has gone unnoticed. Fixes: 00194826 ("tpm_tis: Clean up the force=1 module parameter") Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com> Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Tested-by: Jerry Snitselaar <jsnitsel@redhat.com> (with TPM 2.0) Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> (with TPM 1.2) Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
-
Roberto Sassu authored
In preparation of the modifications to tpm_pcr_extend(), which will allow callers to supply a digest for each PCR bank of a TPM 2.0, the TPM 1.2 specific code has been moved to tpm1_pcr_extend(). tpm1_pcr_extend() uses tpm_buf_init() to prepare the command buffer, which offers protection against buffer overflow. It is called by tpm_pcr_extend() and tpm_pm_suspend(). Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
-
Roberto Sassu authored
Move CPU native value to big-endian conversion of ordinals to the tpm_input_header declarations. With the previous and this patch it will now be possible to modify TPM 1.2 functions to use tpm_buf_init(), which expects CPU native value for the tag and ordinal arguments. Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
-