157 lines
4.7 KiB
Diff
157 lines
4.7 KiB
Diff
From 6d0d8278d37b3874e0b272a6d01663fbfc91cdcb Mon Sep 17 00:00:00 2001
|
|
From: Kam Nasim <kam.nasim@windriver.com>
|
|
Date: Fri, 22 Sep 2017 14:19:39 -0400
|
|
Subject: [PATCH] US103091: IMA: System Configuration
|
|
|
|
Expose integrity_audit and ima_appraise (which were only available
|
|
as boot parameters), as Module parameters since it is perceived that
|
|
customers would want to tune these at runtime. The integrity_audit
|
|
parameter can be toggled at runtime, however the ima_appraise modparam
|
|
will require a node reboot inorder to change appraise type.
|
|
|
|
In addition we introduce a new module param to disable IMA-TPM
|
|
interactions. Ths is tunable at runtime.
|
|
---
|
|
ima/ima_appraise.c | 47 +++++++++++++++++++++++++++++++++++++++++++++--
|
|
ima/ima_init.c | 18 ++++++++++++------
|
|
integrity_audit.c | 2 ++
|
|
kcompat.h | 4 ++++
|
|
4 files changed, 63 insertions(+), 8 deletions(-)
|
|
|
|
diff --git a/ima/ima_appraise.c b/ima/ima_appraise.c
|
|
index b0d4286..88b5091 100644
|
|
--- a/ima/ima_appraise.c
|
|
+++ b/ima/ima_appraise.c
|
|
@@ -21,7 +21,21 @@
|
|
|
|
#include "ima.h"
|
|
|
|
-static int __init default_appraise_setup(char *str)
|
|
+static char *ima_appraise_param = "log";
|
|
+static int ima_appraise_param_set(const char *,
|
|
+ const struct kernel_param *);
|
|
+static struct kernel_param_ops ima_appraise_param_ops = {
|
|
+ .set = ima_appraise_param_set,
|
|
+ .get = param_get_charp,
|
|
+};
|
|
+module_param_cb(ima_appraise_param, &ima_appraise_param_ops,
|
|
+ &ima_appraise_param, 0444);
|
|
+MODULE_PARM_DESC(ima_appraise_param,
|
|
+ "IMA appraise type " \
|
|
+ "{ \"off\" | \"enforce\" | \"fix\" | \"log\" }" \
|
|
+ "(default: log).");
|
|
+
|
|
+static int default_appraise_setup(char *str)
|
|
{
|
|
if (strncmp(str, "off", 3) == 0)
|
|
ima_appraise = 0;
|
|
@@ -29,11 +43,40 @@ static int __init default_appraise_setup(char *str)
|
|
ima_appraise = IMA_APPRAISE_LOG;
|
|
else if (strncmp(str, "fix", 3) == 0)
|
|
ima_appraise = IMA_APPRAISE_FIX;
|
|
- return 1;
|
|
+ else if (strncmp(str, "enforce", 7) == 0)
|
|
+ ima_appraise = IMA_APPRAISE_ENFORCE;
|
|
+ else {
|
|
+ return -1;
|
|
+ }
|
|
+ return 1;
|
|
}
|
|
|
|
__setup("ima_appraise=", default_appraise_setup);
|
|
|
|
+
|
|
+static int ima_appraise_param_set(const char *val,
|
|
+ const struct kernel_param *kp)
|
|
+{
|
|
+ char *ima_appraise_type = strstrip((char *)val);
|
|
+
|
|
+ /* no change required */
|
|
+ if (!strcmp(ima_appraise_type, *(char **)kp->arg))
|
|
+ return 0;
|
|
+
|
|
+ /* set the ima_appraise mode and only
|
|
+ * update the kernel parameter if the parameter
|
|
+ * was successfully set */
|
|
+ int ret;
|
|
+ ret = default_appraise_setup(ima_appraise_type);
|
|
+ if (ret == -1) {
|
|
+ pr_err("Undefined value for ima_appraise_param: %s\n",
|
|
+ ima_appraise_type);
|
|
+ return -EINVAL;
|
|
+ }
|
|
+
|
|
+ return param_set_charp(ima_appraise_type, kp);
|
|
+}
|
|
+
|
|
/*
|
|
* ima_must_appraise - set appraise flag
|
|
*
|
|
diff --git a/ima/ima_init.c b/ima/ima_init.c
|
|
index 0759c8c..a7362e8 100644
|
|
--- a/ima/ima_init.c
|
|
+++ b/ima/ima_init.c
|
|
@@ -26,7 +26,11 @@
|
|
|
|
/* name for boot aggregate entry */
|
|
static const char *boot_aggregate_name = "boot_aggregate";
|
|
-int ima_used_chip;
|
|
+int ima_used_chip = -1;
|
|
+module_param_named(ima_use_tpm, ima_used_chip, int, 0644);
|
|
+MODULE_PARM_DESC(ima_use_tpm,
|
|
+ "Enable TPM interaction for storing measurement aggregate " \
|
|
+ " { 0(disable) | 1(enable) }(default: 0).");
|
|
|
|
/* Add the boot aggregate to the IMA measurement list and extend
|
|
* the PCR register.
|
|
@@ -108,11 +112,13 @@ int __init ima_init(void)
|
|
{
|
|
u8 pcr_i[TPM_DIGEST_SIZE];
|
|
int rc;
|
|
-
|
|
- ima_used_chip = 0;
|
|
- rc = tpm_pcr_read(TPM_ANY_NUM, 0, pcr_i);
|
|
- if (rc == 0)
|
|
- ima_used_chip = 1;
|
|
+
|
|
+ if (ima_used_chip != 0) {
|
|
+ ima_used_chip = 0;
|
|
+ rc = tpm_pcr_read(TPM_ANY_NUM, 0, pcr_i);
|
|
+ if (rc == 0)
|
|
+ ima_used_chip = 1;
|
|
+ }
|
|
|
|
if (!ima_used_chip)
|
|
pr_info("No TPM chip found, activating TPM-bypass! (rc=%d)\n",
|
|
diff --git a/integrity_audit.c b/integrity_audit.c
|
|
index ba5e532..da29f91 100644
|
|
--- a/integrity_audit.c
|
|
+++ b/integrity_audit.c
|
|
@@ -17,6 +17,8 @@
|
|
#include "integrity.h"
|
|
|
|
static int integrity_audit_info;
|
|
+module_param_named(integrity_audit, integrity_audit_info, uint, 0644);
|
|
+MODULE_PARM_DESC(integrity_audit, "Enable debug integrity auditing.");
|
|
|
|
/* ima_audit_setup - enable informational auditing messages */
|
|
static int __init integrity_audit_setup(char *str)
|
|
diff --git a/kcompat.h b/kcompat.h
|
|
index 936b76c..a5445aa 100644
|
|
--- a/kcompat.h
|
|
+++ b/kcompat.h
|
|
@@ -9,6 +9,10 @@
|
|
|
|
#if ( LINUX_VERSION_CODE <= KERNEL_VERSION(3,10,0) )
|
|
|
|
+#include <linux/string.h>
|
|
+#include <linux/moduleparam.h>
|
|
+#include <linux/module.h>
|
|
+
|
|
/* kcompat definitions */
|
|
#define CONFIG_TCG_TPM_MODULE 1
|
|
|
|
--
|
|
1.8.3.1
|
|
|