// SPDX-License-Identifier: GPL-2.0-only
/*
 * Copyright (C) 2005,2006,2007,2008 IBM Corporation
 *
 * Authors:
 * Serge Hallyn <serue@us.ibm.com>
 * Reiner Sailer <sailer@watson.ibm.com>
 * Mimi Zohar <zohar@us.ibm.com>
 *
 * File: ima_queue.c
 *       Implements queues that store template measurements and
 *       maintains aggregate over the stored measurements
 *       in the pre-configured TPM PCR (if available).
 *       During normal operation entries are only ever appended to the
 *       current list.  The staging interface in this file
 *       (ima_queue_stage(), ima_queue_staged_delete_all(),
 *       ima_queue_delete_partial()) can additionally move entries to a
 *       staged list or drop them from the in-kernel lists; the TPM PCR
 *       aggregate is never rewound.
 */

#include <linux/rculist.h>
#include <linux/reboot.h>
#include <linux/slab.h>
#include "ima.h"

/* Enough for "TPM_error(" + a decimal int + ")" and the terminator. */
#define AUDIT_CAUSE_LEN_MAX 32

/* Boot-time request to drop the digest hash table when staged entries go. */
bool ima_flush_htable;

/*
 * "ima_flush_htable" kernel parameter.  The request is only honoured when
 * the hash table is built in; otherwise it is reported and ignored.
 * Always returns 1 so the parameter is consumed.
 */
static int __init ima_flush_htable_setup(char *str)
{
	bool htable_enabled = !IS_ENABLED(CONFIG_IMA_DISABLE_HTABLE);

	if (htable_enabled)
		ima_flush_htable = true;
	else
		pr_warn("Hash table not enabled, ignoring request to flush\n");

	return 1;
}
__setup("ima_flush_htable", ima_flush_htable_setup);

/*
 * pre-allocated array of tpm_digest structures to extend a PCR;
 * filled by ima_init_digests() and used for violation entries.
 */
static struct tpm_digest *digests;

LIST_HEAD(ima_measurements);		/* list of all measurements */
LIST_HEAD(ima_measurements_staged);	/* list of staged measurements */
#ifdef CONFIG_IMA_KEXEC
/* Serialized size of each list, saturating at ULONG_MAX on overflow. */
static unsigned long binary_runtime_size[BINARY__LAST];
#else
/* Without kexec carry-over the sizes are never tracked: pinned at ULONG_MAX. */
static unsigned long binary_runtime_size[BINARY__LAST] = {
	[0 ... BINARY__LAST - 1] = ULONG_MAX
};
#endif

atomic_long_t ima_num_records[BINARY__LAST] = {
	[0 ... BINARY__LAST - 1] = ATOMIC_LONG_INIT(0)
};
atomic_long_t ima_num_violations = ATOMIC_LONG_INIT(0);

/*
 * Hash table of recorded measurements used for de-duplication, keyed by
 * ima_hash_key() of the entry's digest (not by inode).  Replaced under RCU.
 */
struct hlist_head __rcu *ima_htable;

/* mutex protects atomicity of extending and staging measurement list
 * and extending the TPM PCR aggregate.  Since tpm_extend can take
 * long (and the tpm driver uses a mutex), we can't use the spinlock.
*/
static DEFINE_MUTEX(ima_extend_list_mutex);

/*
 * Used internally by the kernel to suspend measurements.
 * Protected by ima_extend_list_mutex.
 */
static bool ima_measurements_suspended;

/*
 * Publish a fresh, empty hash table in ima_htable and hand back the one it
 * replaced.  Must be called with ima_extend_list_mutex held.  Callers must
 * call synchronize_rcu() before freeing the returned table, because lockless
 * readers may still be walking it.  Returns ERR_PTR(-ENOMEM) if the new table
 * cannot be allocated, in which case ima_htable is left untouched.
 */
static struct hlist_head *ima_alloc_replace_htable(void)
{
	struct hlist_head *new_htable;

	/* A zeroed bucket is equivalent to HLIST_HEAD_INIT. */
	new_htable = kcalloc(IMA_MEASURE_HTABLE_SIZE, sizeof(struct hlist_head),
			     GFP_KERNEL);
	if (!new_htable)
		return ERR_PTR(-ENOMEM);

	return rcu_replace_pointer(ima_htable, new_htable,
				   lockdep_is_held(&ima_extend_list_mutex));
}

/*
 * Allocate the initial digest hash table.  Returns 0 on success or the
 * negative error from ima_alloc_replace_htable().
 */
int __init ima_init_htable(void)
{
	struct hlist_head *previous;

	mutex_lock(&ima_extend_list_mutex);
	previous = ima_alloc_replace_htable();
	mutex_unlock(&ima_extend_list_mutex);

	if (IS_ERR(previous))
		return PTR_ERR(previous);

	/*
	 * At init there is normally no previous table (ima_htable starts out
	 * NULL) and no readers yet; the grace period and kfree() are only for
	 * robustness.
	 */
	synchronize_rcu();
	kfree(previous);
	return 0;
}

/*
 * Look up a digest in the hash table and return its queue entry, or NULL.
 * Only the digest of the IMA hash algorithm (ima_hash_algo_idx) is compared,
 * and the entry must have been recorded for the same @pcr.  Runs under
 * rcu_read_lock(), so the returned pointer is only stable for callers that
 * also hold ima_extend_list_mutex (as ima_add_template_entry() does).
 */
static struct ima_queue_entry *ima_lookup_digest_entry(u8 *digest_value,
						       int pcr)
{
	struct ima_queue_entry *qe, *found = NULL;
	size_t digest_len = hash_digest_size[ima_hash_algo];
	struct hlist_head *htable;
	unsigned int key;

	key = ima_hash_key(digest_value);
	rcu_read_lock();
	htable = rcu_dereference(ima_htable);
	hlist_for_each_entry_rcu(qe, &htable[key], hnext) {
		const u8 *stored = qe->entry->digests[ima_hash_algo_idx].digest;

		if (qe->entry->pcr != pcr)
			continue;
		if (memcmp(stored, digest_value, digest_len) == 0) {
			found = qe;
			break;
		}
	}
	rcu_read_unlock();
	return found;
}

/*
 * Calculate the memory required for serializing a single
 * binary_runtime_measurement list entry, which contains a
 * couple of variable length fields (e.g template name and data).
 */
static int get_binary_runtime_size(struct ima_template_entry *entry)
{
	/* pcr, TPM digest, name length + name, data length + data */
	return sizeof(u32) + TPM_DIGEST_SIZE +
	       sizeof(int) + strlen(entry->template_desc->name) +
	       sizeof(entry->template_data_len) + entry->template_data_len;
}

/*
 * Account @entry in the serialized size of @binary_list.  A size of
 * ULONG_MAX is sticky: it means either "overflowed" or, without
 * CONFIG_IMA_KEXEC, "not tracked", and is never updated.
 */
static void ima_update_binary_runtime_size(struct ima_template_entry *entry,
					   enum binary_lists binary_list)
{
	unsigned long *total = &binary_runtime_size[binary_list];
	int size;

	if (*total == ULONG_MAX)
		return;

	size = get_binary_runtime_size(entry);
	if (*total < ULONG_MAX - size)
		*total += size;
	else
		*total = ULONG_MAX;	/* saturate instead of wrapping */
}

/* ima_add_template_entry helper function:
 * - Add template entry to the measurement list and hash table, for
 *   all entries except those carried across kexec.
 *
 * (Called with ima_extend_list_mutex held.)
*/
static int ima_add_digest_entry(struct ima_template_entry *entry,
				bool update_htable)
{
	struct ima_queue_entry *qe;
	struct hlist_head *htable;
	unsigned int key;

	qe = kmalloc_obj(*qe);
	if (!qe) {
		pr_err("OUT OF MEMORY ERROR creating queue entry\n");
		return -ENOMEM;
	}
	qe->entry = entry;

	/* Publish on the list first; lockless list readers may see it now. */
	INIT_LIST_HEAD(&qe->later);
	list_add_tail_rcu(&qe->later, &ima_measurements);

	htable = rcu_dereference_protected(ima_htable,
					   lockdep_is_held(&ima_extend_list_mutex));

	/* BINARY_FULL counts everything ever added, including restored entries. */
	atomic_long_inc(&ima_num_records[BINARY]);
	atomic_long_inc(&ima_num_records[BINARY_FULL]);

	/* Entries carried across kexec (update_htable == false) are not deduplicated. */
	if (update_htable) {
		key = ima_hash_key(entry->digests[ima_hash_algo_idx].digest);
		hlist_add_head_rcu(&qe->hnext, &htable[key]);
	}

	ima_update_binary_runtime_size(entry, BINARY);
	ima_update_binary_runtime_size(entry, BINARY_FULL);

	return 0;
}

/*
 * Return the amount of memory required for serializing the
 * entire binary_runtime_measurement list, including the ima_kexec_hdr
 * structure.  ULONG_MAX means the size is unknown (overflowed or not
 * tracked).
 */
unsigned long ima_get_binary_runtime_size(enum binary_lists binary_list)
{
	unsigned long list_size;

	mutex_lock(&ima_extend_list_mutex);
	list_size = binary_runtime_size[binary_list];
	mutex_unlock(&ima_extend_list_mutex);

	/* Saturate rather than wrap when adding the header. */
	if (list_size >= ULONG_MAX - sizeof(struct ima_kexec_hdr))
		return ULONG_MAX;

	return list_size + sizeof(struct ima_kexec_hdr);
}

/*
 * Extend @pcr with @digests_arg on the IMA TPM chip, if there is one.
 * Returns 0 when no TPM is present (nothing to extend) or on success,
 * otherwise the error from tpm_pcr_extend(), which is also logged.
 */
static int ima_pcr_extend(struct tpm_digest *digests_arg, int pcr)
{
	int rc;

	if (!ima_tpm_chip)
		return 0;

	rc = tpm_pcr_extend(ima_tpm_chip, pcr, digests_arg);
	if (rc)
		pr_err("Error Communicating to TPM chip, result: %d\n", rc);
	return rc;
}

/*
 * Add template entry to the measurement list and hash table, and
 * extend the pcr.
*
 * On systems which support carrying the IMA measurement list across
 * kexec, maintain the total memory size required for serializing the
 * binary_runtime_measurements.
 *
 * Returns 0 once the entry is on the list, -ENODEV if measurements are
 * suspended, -EEXIST if an identical digest is already recorded for this
 * PCR, or -ENOMEM if the queue entry could not be allocated.  A TPM extend
 * failure does not change the return value: the entry stays on the list and
 * only the audit record ("TPM_error(<rc>)") reports that the PCR was not
 * extended, so the list and the PCR aggregate can diverge from that point on.
 */
int ima_add_template_entry(struct ima_template_entry *entry, int violation,
			   const char *op, struct inode *inode,
			   const unsigned char *filename)
{
	const bool use_htable = !IS_ENABLED(CONFIG_IMA_DISABLE_HTABLE);
	u8 *digest = entry->digests[ima_hash_algo_idx].digest;
	/* A violation extends the pre-built all-0xff digests to invalidate the PCR. */
	struct tpm_digest *digests_arg = violation ? digests : entry->digests;
	const char *audit_cause = "hash_added";
	char tpm_audit_cause[AUDIT_CAUSE_LEN_MAX];
	int audit_info = 1;
	int result = 0, tpmresult;

	mutex_lock(&ima_extend_list_mutex);

	/*
	 * Avoid appending to the measurement log when the TPM subsystem has
	 * been shut down while preparing for system reboot.
	 */
	if (ima_measurements_suspended) {
		audit_cause = "measurements_suspended";
		audit_info = 0;
		result = -ENODEV;
		goto out;
	}

	/* Violations are always recorded; everything else is de-duplicated. */
	if (use_htable && !violation &&
	    ima_lookup_digest_entry(digest, entry->pcr)) {
		audit_cause = "hash_exists";
		result = -EEXIST;
		goto out;
	}

	result = ima_add_digest_entry(entry, use_htable);
	if (result < 0) {
		audit_cause = "ENOMEM";
		audit_info = 0;
		goto out;
	}

	tpmresult = ima_pcr_extend(digests_arg, entry->pcr);
	if (tpmresult != 0) {
		snprintf(tpm_audit_cause, AUDIT_CAUSE_LEN_MAX, "TPM_error(%d)",
			 tpmresult);
		audit_cause = tpm_audit_cause;
		audit_info = 0;
	}
out:
	mutex_unlock(&ima_extend_list_mutex);
	integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode, filename,
			    op, audit_cause, result, audit_info);
	return result;
}

/**
 * ima_queue_stage - Stage all measurements
 *
 * If the staged measurements list is empty, the current measurements list is
 * not empty, and measurement is
* not suspended, move the measurements from the
 * current list to the staged one, and update the number of records and binary
 * run-time size accordingly.
 *
 * Do not allow staging after measurement is suspended, so that dumping
 * measurements can be done in a lockless way.  (The list heads are swapped
 * with plain list_replace(); this relies on readers other than the
 * post-suspension dump being serialized by the caller.)
 *
 * Return: Zero on success, a negative value otherwise.
 */
int ima_queue_stage(void)
{
	int err;

	mutex_lock(&ima_extend_list_mutex);

	if (!list_empty(&ima_measurements_staged)) {
		/* A previous stage has not been consumed yet. */
		err = -EEXIST;
	} else if (list_empty(&ima_measurements)) {
		/* Nothing to stage. */
		err = -ENOENT;
	} else if (ima_measurements_suspended) {
		/* Reboot in progress: keep the lists stable for the dumper. */
		err = -EACCES;
	} else {
		/* Hand the whole current list to the staged head. */
		list_replace(&ima_measurements, &ima_measurements_staged);
		INIT_LIST_HEAD(&ima_measurements);

		atomic_long_set(&ima_num_records[BINARY_STAGED],
				atomic_long_read(&ima_num_records[BINARY]));
		atomic_long_set(&ima_num_records[BINARY], 0);

		if (IS_ENABLED(CONFIG_IMA_KEXEC)) {
			binary_runtime_size[BINARY_STAGED] =
				binary_runtime_size[BINARY];
			binary_runtime_size[BINARY] = 0;
		}
		err = 0;
	}

	mutex_unlock(&ima_extend_list_mutex);
	return err;
}

static void ima_queue_delete(struct list_head *head, bool flush_htable);

/**
 * ima_queue_staged_delete_all - Delete staged measurements
 *
 * Move staged measurements to a temporary list, ima_measurements_trim, update
 * the number of records and the binary run-time size accordingly. Finally,
 * delete measurements in the temporary list.
 *
 * Refuse to delete staged measurements if measurement is suspended, so that
 * dump can be done in a lockless way and user space is notified about staged
 * measurements being carried over to the secondary kernel, so that it does not
 * save them twice.
 *
 * Return: Zero on success, a negative value otherwise.
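*/
int ima_queue_staged_delete_all(void)
{
	struct hlist_head *old_htable = NULL;
	LIST_HEAD(ima_measurements_trim);

	mutex_lock(&ima_extend_list_mutex);
	if (list_empty(&ima_measurements_staged)) {
		mutex_unlock(&ima_extend_list_mutex);
		return -ENOENT;
	}

	if (ima_measurements_suspended) {
		mutex_unlock(&ima_extend_list_mutex);
		return -ESTALE;
	}

	/*
	 * Replace the hash table *before* detaching the staged list.  Doing it
	 * afterwards would, on allocation failure, return an error with the
	 * staged entries already moved to the local trim list (and so leaked)
	 * and the staged counters already zeroed.  In this order a failure
	 * leaves everything untouched and the request can simply be retried.
	 */
	if (ima_flush_htable) {
		old_htable = ima_alloc_replace_htable();
		if (IS_ERR(old_htable)) {
			mutex_unlock(&ima_extend_list_mutex);
			return PTR_ERR(old_htable);
		}
	}

	/* Detach the staged entries; they are now only reachable via trim. */
	list_replace(&ima_measurements_staged, &ima_measurements_trim);
	INIT_LIST_HEAD(&ima_measurements_staged);

	atomic_long_set(&ima_num_records[BINARY_STAGED], 0);

	if (IS_ENABLED(CONFIG_IMA_KEXEC))
		binary_runtime_size[BINARY_STAGED] = 0;

	mutex_unlock(&ima_extend_list_mutex);

	/*
	 * Lockless lookups may still be walking the old table; wait for them
	 * before freeing it.  Entries of the *current* list that were in the
	 * old table are not re-inserted into the new one, so de-duplication
	 * only covers entries added after the flush.
	 */
	if (ima_flush_htable) {
		synchronize_rcu();
		kfree(old_htable);
	}

	ima_queue_delete(&ima_measurements_trim, ima_flush_htable);
	return 0;
}

/**
 * ima_queue_delete_partial - Delete current measurements
 * @req_value: Number of measurements to delete
 *
 * Delete the requested number of measurements from the current measurements
 * list, and update the number of records and the binary run-time size
 * accordingly.
 *
 * Refuse to delete current measurements if measurement is suspended, so that
 * dump can be done in a lockless way and user space is notified about current
 * measurements being carried over to the secondary kernel, so that it does not
 * save them twice.
 *
 * Return: Zero on success, a negative value otherwise.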
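*/
int ima_queue_delete_partial(unsigned long req_value)
{
	unsigned long req_value_copy = req_value;
	unsigned long size_to_remove = 0, num_to_remove = 0;
	LIST_HEAD(ima_measurements_trim);
	struct ima_queue_entry *qe;

	/*
	 * Reject a zero request explicitly.  With req_value == 0 the countdown
	 * below would wrap on the first entry, and on an empty list the loop
	 * body never runs, so qe would still be the bogus container_of() of the
	 * list head when it is handed to __list_cut_position().
	 */
	if (!req_value)
		return -EINVAL;

	/*
	 * list_for_each_entry_rcu() without rcu_read_lock() is fine because
	 * only list append can happen concurrently. No list replace due to the
	 * staging/delete writers mutual exclusion.
	 */
	list_for_each_entry_rcu(qe, &ima_measurements, later, true) {
		size_to_remove += get_binary_runtime_size(qe->entry);
		num_to_remove++;

		if (--req_value_copy == 0)
			break;
	}

	/* Not enough records to delete. */
	if (req_value_copy > 0)
		return -ENOENT;

	mutex_lock(&ima_extend_list_mutex);
	if (ima_measurements_suspended) {
		mutex_unlock(&ima_extend_list_mutex);
		return -ESTALE;
	}

	/*
	 * qe remains valid because ima_fs.c enforces single-writer exclusion.
	 * Cut everything from the first entry up to and including qe.
	 */
	__list_cut_position(&ima_measurements_trim, &ima_measurements,
			    &qe->later);

	atomic_long_sub(num_to_remove, &ima_num_records[BINARY]);

	/*
	 * Keep a saturated size saturated: once the counter has overflowed to
	 * ULONG_MAX the true size is unknown, and subtracting from it would
	 * yield a bogus but plausible-looking value.  Without CONFIG_IMA_KEXEC
	 * the size is pinned at ULONG_MAX and never tracked.
	 */
	if (IS_ENABLED(CONFIG_IMA_KEXEC) &&
	    binary_runtime_size[BINARY] != ULONG_MAX)
		binary_runtime_size[BINARY] -= size_to_remove;

	mutex_unlock(&ima_extend_list_mutex);

	ima_queue_delete(&ima_measurements_trim, false);
	return 0;
}

/**
 * ima_queue_delete - Delete measurements
 * @head: List head measurements are deleted from
 * @flush_htable: Whether or not the hash table is being flushed
 *
 * Delete the measurements from the passed list head completely if the
 * hash table is not enabled or is being flushed, or partially (only the
 * template data), if the hash table is used.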
*/
static void ima_queue_delete(struct list_head *head, bool flush_htable)
{
	struct ima_queue_entry *qe, *next;
	unsigned int i;

	list_for_each_entry_safe(qe, next, head, later) {
		struct ima_template_entry *entry = qe->entry;

		/*
		 * Safe to free template_data here without synchronize_rcu()
		 * because the only htable reader, ima_lookup_digest_entry(),
		 * accesses only entry->digests, not template_data. If new
		 * htable readers are added that access template_data, a
		 * synchronize_rcu() is required here.
		 *
		 * NOTE(review): the measurement list itself is published with
		 * list_add_tail_rcu(), so a lockless *list* reader would also
		 * need a grace period before these frees; this relies on the
		 * callers in ima_fs.c serializing such readers — confirm.
		 */
		for (i = 0; i < entry->template_desc->num_fields; i++) {
			kfree(entry->template_data[i].data);
			entry->template_data[i].data = NULL;
			entry->template_data[i].len = 0;
		}

		list_del(&qe->later);

		/*
		 * With the hash table disabled or being flushed nothing else
		 * references qe, so release it entirely.  Otherwise the hash
		 * table still points at qe and entry->digests (for
		 * de-duplication), and only the template data above is
		 * reclaimed.
		 */
		if (IS_ENABLED(CONFIG_IMA_DISABLE_HTABLE) || flush_htable) {
			kfree(entry->digests);
			kfree(entry);
			kfree(qe);
		}
	}
}

/*
 * Append an entry carried over across kexec.  Such entries are not put in
 * the digest hash table (update_htable == false) and the PCR is not
 * extended again.  Returns 0 or -ENOMEM.
 */
int ima_restore_measurement_entry(struct ima_template_entry *entry)
{
	int rc;

	mutex_lock(&ima_extend_list_mutex);
	rc = ima_add_digest_entry(entry, false);
	mutex_unlock(&ima_extend_list_mutex);
	return rc;
}

/* Stop all further additions, staging and deletion (see the *_suspended checks). */
static void ima_measurements_suspend(void)
{
	mutex_lock(&ima_extend_list_mutex);
	ima_measurements_suspended = true;
	mutex_unlock(&ima_extend_list_mutex);
}

/*
 * Reboot notifier: on a "kexec reboot" restart, record the kexec event first
 * (CONFIG_IMA_KEXEC only), then freeze the measurement lists so the dump for
 * the next kernel can proceed lockless.
 */
static int ima_reboot_notifier(struct notifier_block *nb,
			       unsigned long action,
			       void *data)
{
#ifdef CONFIG_IMA_KEXEC
	const char *cmd = data;

	if (action == SYS_RESTART && cmd && !strcmp(cmd, "kexec reboot"))
		ima_measure_kexec_event("kexec_execute");
#endif

	ima_measurements_suspend();

	return NOTIFY_DONE;
}

static struct notifier_block ima_reboot_nb = {
	.notifier_call = ima_reboot_notifier,
};

void __init ima_init_reboot_notifier(void)
{
	register_reboot_notifier(&ima_reboot_nb);
}

/*
 * Pre-build one all-0xff digest per allocated TPM bank.  These are what
 * ima_add_template_entry() extends on a violation to invalidate the PCR.
 * Returns 0 (also when there is no TPM) or -ENOMEM.
 */
int __init ima_init_digests(void)
{
	u16 digest_size;
	u16 crypto_id;
	int i;

	if (!ima_tpm_chip)
		return 0;

	digests = kzalloc_objs(*digests, ima_tpm_chip->nr_allocated_banks,
			       GFP_NOFS);
	if (!digests)
		return -ENOMEM;

	for (i = 0; i < ima_tpm_chip->nr_allocated_banks; i++) {
		digest_size = ima_tpm_chip->allocated_banks[i].digest_size;
		crypto_id = ima_tpm_chip->allocated_banks[i].crypto_id;
		digests[i].alg_id = ima_tpm_chip->allocated_banks[i].alg_id;

		/* for unmapped TPM algorithms digest is still a padded SHA1 */
		if (crypto_id == HASH_ALGO__LAST)
			digest_size = SHA1_DIGEST_SIZE;

		/*
		 * digest_size comes from the TPM driver's bank table and is
		 * assumed not to exceed the digest buffer (TPM_MAX_DIGEST_SIZE)
		 * — confirm against the driver if banks can be user-visible.
		 */
		memset(digests[i].digest, 0xff, digest_size);
	}

	return 0;
}