From 6d0d8278d37b3874e0b272a6d01663fbfc91cdcb Mon Sep 17 00:00:00 2001
From: Kam Nasim <kam.nasim@windriver.com>
Date: Fri, 22 Sep 2017 14:19:39 -0400
Subject: [PATCH] US103091: IMA: System Configuration

Expose integrity_audit and ima_appraise (which were only available
as boot parameters), as Module parameters since it is perceived that
customers would want to tune these at runtime. The integrity_audit
parameter can be toggled at runtime, however the ima_appraise modparam
will require a node reboot inorder to change appraise type.

In addition we introduce a new module param to disable IMA-TPM
interactions. Ths is tunable at runtime.
---
 ima/ima_appraise.c | 47 +++++++++++++++++++++++++++++++++++++++++++++--
 ima/ima_init.c     | 18 ++++++++++++------
 integrity_audit.c  |  2 ++
 kcompat.h          |  4 ++++
 4 files changed, 63 insertions(+), 8 deletions(-)

diff --git a/ima/ima_appraise.c b/ima/ima_appraise.c
index b0d4286..88b5091 100644
--- a/ima/ima_appraise.c
+++ b/ima/ima_appraise.c
@@ -21,7 +21,21 @@
 
 #include "ima.h"
 
-static int __init default_appraise_setup(char *str)
+static char *ima_appraise_param = "log";
+static int ima_appraise_param_set(const char *,
+                              const struct kernel_param *);
+static struct kernel_param_ops ima_appraise_param_ops = {
+    .set =      ima_appraise_param_set,
+    .get =      param_get_charp,
+};
+module_param_cb(ima_appraise_param, &ima_appraise_param_ops,
+                &ima_appraise_param, 0444);
+MODULE_PARM_DESC(ima_appraise_param,
+                 "IMA appraise type " \
+                 "{ \"off\" | \"enforce\" | \"fix\" | \"log\" }" \
+                 "(default: log).");
+
+static int default_appraise_setup(char *str)
 {
 	if (strncmp(str, "off", 3) == 0)
 		ima_appraise = 0;
@@ -29,11 +43,40 @@ static int __init default_appraise_setup(char *str)
 		ima_appraise = IMA_APPRAISE_LOG;
 	else if (strncmp(str, "fix", 3) == 0)
 		ima_appraise = IMA_APPRAISE_FIX;
-	return 1;
+    else if (strncmp(str, "enforce", 7) == 0) 
+		ima_appraise = IMA_APPRAISE_ENFORCE;
+    else {
+	    return -1;
+    }
+    return 1;
 }
 
 __setup("ima_appraise=", default_appraise_setup);
 
+
+static int ima_appraise_param_set(const char *val, 
+        const struct kernel_param *kp)
+{
+    char *ima_appraise_type = strstrip((char *)val);
+
+    /* no change required */
+    if (!strcmp(ima_appraise_type, *(char **)kp->arg))
+        return 0;
+    
+    /* set the ima_appraise mode and only 
+     * update the kernel parameter if the parameter
+     * was successfully set */
+    int ret;
+    ret = default_appraise_setup(ima_appraise_type);
+    if (ret == -1) {
+        pr_err("Undefined value for ima_appraise_param: %s\n",
+               ima_appraise_type);
+        return -EINVAL;
+    }
+
+    return param_set_charp(ima_appraise_type, kp);
+}
+                                  
 /*
  * ima_must_appraise - set appraise flag
  *
diff --git a/ima/ima_init.c b/ima/ima_init.c
index 0759c8c..a7362e8 100644
--- a/ima/ima_init.c
+++ b/ima/ima_init.c
@@ -26,7 +26,11 @@
 
 /* name for boot aggregate entry */
 static const char *boot_aggregate_name = "boot_aggregate";
-int ima_used_chip;
+int ima_used_chip = -1;
+module_param_named(ima_use_tpm, ima_used_chip, int, 0644);
+MODULE_PARM_DESC(ima_use_tpm, 
+        "Enable TPM interaction for storing measurement aggregate " \
+        " { 0(disable) | 1(enable) }(default: 0).");
 
 /* Add the boot aggregate to the IMA measurement list and extend
  * the PCR register.
@@ -108,11 +112,13 @@ int __init ima_init(void)
 {
 	u8 pcr_i[TPM_DIGEST_SIZE];
 	int rc;
-
-	ima_used_chip = 0;
-	rc = tpm_pcr_read(TPM_ANY_NUM, 0, pcr_i);
-	if (rc == 0)
-		ima_used_chip = 1;
+	
+	if (ima_used_chip != 0) {
+		ima_used_chip = 0;
+		rc = tpm_pcr_read(TPM_ANY_NUM, 0, pcr_i);
+		if (rc == 0)
+			ima_used_chip = 1;
+	}
 
 	if (!ima_used_chip)
 		pr_info("No TPM chip found, activating TPM-bypass! (rc=%d)\n",
diff --git a/integrity_audit.c b/integrity_audit.c
index ba5e532..da29f91 100644
--- a/integrity_audit.c
+++ b/integrity_audit.c
@@ -17,6 +17,8 @@
 #include "integrity.h"
 
 static int integrity_audit_info;
+module_param_named(integrity_audit, integrity_audit_info, uint, 0644);
+MODULE_PARM_DESC(integrity_audit, "Enable debug integrity auditing.");
 
 /* ima_audit_setup - enable informational auditing messages */
 static int __init integrity_audit_setup(char *str)
diff --git a/kcompat.h b/kcompat.h
index 936b76c..a5445aa 100644
--- a/kcompat.h
+++ b/kcompat.h
@@ -9,6 +9,10 @@
 
 #if ( LINUX_VERSION_CODE <= KERNEL_VERSION(3,10,0) )
 
+#include <linux/string.h>
+#include <linux/moduleparam.h>
+#include <linux/module.h>
+
 /* kcompat definitions */
 #define CONFIG_TCG_TPM_MODULE               1 
 
-- 
1.8.3.1