[PATCH] 3 of 5 IMA: LSM-based measurement code

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



This patch applies against linux-2.6.12-rc6-mm1 and provides the main
Integrity Measurement Architecture code (LSM-based).

Signed-off-by: Reiner Sailer <[email protected]>
---

diff -uprN linux-2.6.12-rc6-mm1_orig/security/ima/ima_fs.c linux-2.6.12-rc6-mm1-ima/security/ima/ima_fs.c
--- linux-2.6.12-rc6-mm1_orig/security/ima/ima_fs.c	1969-12-31 19:00:00.000000000 -0500
+++ linux-2.6.12-rc6-mm1-ima/security/ima/ima_fs.c	2005-06-14 16:25:05.000000000 -0400
@@ -0,0 +1,432 @@
+/*
+ * Copyright (C) 2005 IBM Corporation
+ *
+ * Authors:
+ * Kylene Hall <[email protected]>
+ *
+ * Maintained by: Reiner Sailer <[email protected]>
+ *
+ * LSM IBM Integrity Measurement Architecture.		  
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2 of the
+ * License.
+ *
+ * File: ima_fs.c
+ *		implemenents imafs 
+ *		for reporting measurement log and userspace measure requests
+ */
+
+#include <linux/init.h>
+#include <linux/config.h>
+#include <linux/kernel.h>
+#include <linux/pagemap.h>
+#include <linux/slab.h>
+#include <linux/vmalloc.h>
+#include <linux/fs.h>
+#include <linux/init.h>
+#include <linux/string.h>
+#include <linux/security.h>
+#include <linux/major.h>
+#include <linux/seq_file.h>
+#include <linux/percpu.h>
+#include <asm/uaccess.h>
+#include <asm/semaphore.h>
+#include <linux/file.h>
+#include <linux/parser.h>
+#include <linux/device.h>
+
+#include "ima.h"
+
+struct measure_request {
+	int fd;
+	u16 label;
+};
+
+extern struct h_table htable;
+
+/* based on selinux pseudo filesystem */
+
+#define TMPBUFLEN 12
+static ssize_t ima_show_htable_value(char __user * buf, size_t count,
+				     loff_t * ppos, atomic_t * val)
+{
+	char tmpbuf[TMPBUFLEN];
+	ssize_t len;
+
+	len = scnprintf(tmpbuf, TMPBUFLEN, "%i\n", atomic_read(val));
+	return simple_read_from_buffer(buf, count, ppos, tmpbuf, len);
+}
+
+static ssize_t ima_show_htable_clean_inode_hits(struct file *filp,
+						char __user * buf,
+						size_t count,
+						loff_t * ppos)
+{
+	return ima_show_htable_value(buf, count, ppos,
+				     &htable.clean_inode_hits);
+}
+static struct file_operations ima_htable_clean_inode_hits_ops = {
+	.read = ima_show_htable_clean_inode_hits
+};
+
+static ssize_t ima_show_htable_clean_table_hits(struct file *filp,
+						char __user * buf,
+						size_t count,
+						loff_t * ppos)
+{
+	return ima_show_htable_value(buf, count, ppos,
+				     &htable.clean_table_hits);
+}
+static struct file_operations ima_htable_clean_table_hits_ops = {
+	.read = ima_show_htable_clean_table_hits
+};
+
+static ssize_t ima_show_htable_dirty_table_hits(struct file *filp,
+						char __user * buf,
+						size_t count,
+						loff_t * ppos)
+{
+	return ima_show_htable_value(buf, count, ppos,
+				     &htable.dirty_table_hits);
+}
+static struct file_operations ima_htable_dirty_table_hits_ops = {
+	.read = ima_show_htable_dirty_table_hits
+};
+
+static ssize_t ima_show_htable_changed_files(struct file *filp,
+					     char __user * buf,
+					     size_t count, loff_t * ppos)
+{
+	return ima_show_htable_value(buf, count, ppos,
+				     &htable.changed_files);
+}
+static struct file_operations ima_htable_changed_files_ops = {
+	.read = ima_show_htable_changed_files
+};
+
+static ssize_t ima_show_htable_user_measure(struct file *filp,
+					    char __user * buf,
+					    size_t count, loff_t * ppos)
+{
+	return ima_show_htable_value(buf, count, ppos,
+				     &htable.user_measure);
+}
+static struct file_operations ima_htable_user_measure_ops = {
+	.read = ima_show_htable_user_measure
+};
+
+static ssize_t ima_show_htable_kernel_measure(struct file *filp,
+					      char __user * buf,
+					      size_t count, loff_t * ppos)
+{
+	return ima_show_htable_value(buf, count, ppos,
+				     &htable.kernel_measure);
+}
+static struct file_operations ima_htable_kernel_measure_ops = {
+	.read = ima_show_htable_kernel_measure
+};
+
+static ssize_t ima_show_htable_violations(struct file *filp,
+					  char __user * buf,
+					  size_t count, loff_t * ppos)
+{
+	return ima_show_htable_value(buf, count, ppos, &htable.violations);
+}
+static struct file_operations ima_htable_violations_ops = {
+	.read = ima_show_htable_violations
+};
+
+static ssize_t ima_show_measurements_count(struct file *filp,
+					   char __user * buf,
+					   size_t count, loff_t * ppos)
+{
+	return ima_show_htable_value(buf, count, ppos, &htable.len);
+
+}
+static struct file_operations ima_measurements_count_ops = {
+	.read = ima_show_measurements_count
+};
+
+extern int measure_user_file(struct file *, u32 measure_flags);
+extern int ima_enabled;
+
+enum ima_inos {
+	IMA_ROOT_INO = 1,
+	IMA_MEASURE,		/* userspace measurement request */
+	IMA_MEASUREMENTS,	/* measurement log in binary format */
+	IMA_MEASUREMENTS_COUNT,	/* number of measurements in log */
+	IMA_HTABLE_CLEAN_INODE_HITS,
+	IMA_HTABLE_CLEAN_TABLE_HITS,
+	IMA_HTABLE_DIRTY_TABLE_HITS,
+	IMA_HTABLE_CHANGED_FILES,
+	IMA_HTABLE_USER_MEASURE,
+	IMA_HTABLE_KERNEL_MEASURE,
+	IMA_HTABLE_VIOLATIONS,
+};
+
+#define IMA_MAX_EVENT_SIZE 69
+/* print format: 32bit-le=pcr#||char[20]=digest||flags||filename||'\0'  flags bits: 32-16 application flags, 15-3 kernel flags, 2-0 hook len(filename)<=40*/
+static int print_measure_event_entry(struct measure_entry *e, char *buf,
+				     int count)
+{
+	void *ptr = (void *) buf;
+	int filename_len = strlen(e->file_name);
+
+	/* 1st: PCR used is always the same (config option) in little-endian format */
+	*((u32 *) ptr) = (u32) CONFIG_IMA_MEASURE_PCR_IDX;
+	ptr += 4;
+
+	/* 2nd: SHA1 */
+	memcpy(ptr, e->digest, 20);
+	ptr += 20;
+
+	/* 3rd: flags */
+	*((u32 *)ptr) = e->measure_flags;
+	ptr += 4;
+
+	/* 4th:  filename <= 40 + \'0' delimiter */
+	if (filename_len > TCG_EVENT_NAME_LEN_MAX)
+		filename_len = TCG_EVENT_NAME_LEN_MAX;
+
+	memcpy(ptr, e->file_name, filename_len);
+	ptr += filename_len;
+
+	/* 4th: delimiter */
+	*((char *) ptr) = '\0';
+	ptr += 1;
+
+	return ((u32) ptr - (u32) buf);
+}
+
+/* Position pointer is overrided to mean entry # rather than size in bytes */
+static ssize_t ima_measurements_read(struct file *filp, char __user * buf,
+				     size_t count, loff_t * ppos)
+{
+	struct queue_entry *qe;
+	char *tmpbuf;
+	int tmpsiz, i, ret = 0, len;
+	loff_t pos = 0;
+
+	if (count < 0)
+		return -EINVAL;
+
+	tmpsiz = (count < PAGE_SIZE) ? count : PAGE_SIZE;
+	tmpbuf = kmalloc(tmpsiz, GFP_KERNEL);
+	if (!tmpbuf)
+		return -ENOMEM;
+
+
+	down(&h_table_mutex);
+
+	/* fast forward to correct measurement for requested position */
+	for (qe = first_measurement, i = 0; qe && qe->entry && i < *ppos;
+	     qe = qe->later, i++);
+
+
+	/* make sure the next entry fits completely */
+	while ((tmpsiz >= IMA_MAX_EVENT_SIZE) && qe && qe->entry) {
+		/* now fill rest of page */
+		len =
+		    print_measure_event_entry(qe->entry, tmpbuf + ret,
+					      count);
+		qe = qe->later;
+		tmpsiz -= len;
+		ret += len;
+		*ppos += 1;
+	}
+	up(&h_table_mutex);
+	len = simple_read_from_buffer(buf, count, &pos, tmpbuf, ret);
+
+	kfree(tmpbuf);
+	return len;
+}
+
+static ssize_t ima_measure_write(struct file *file,
+				 const char __user * buf, size_t count,
+				 loff_t * ppos)
+{
+	struct measure_request *mr;
+	struct file *meas_file;
+	int error = -EINVAL;
+	char tmpbuf[sizeof(struct measure_request)];
+
+	atomic_inc(&htable.user_measure);
+	if (count != sizeof(struct measure_request)) {
+		ima_error("illegal request size (%d, expected %d).\n",
+			  count, sizeof(struct measure_request));
+		return -EIO;
+	}
+
+	if (copy_from_user(tmpbuf, buf, count)) {
+		ima_error("trouble copying request\n");
+		return -EIO;
+	}
+
+	mr = (struct measure_request *) tmpbuf;
+	if (mr->fd < 0) {
+		ima_error("bad descriptor request\n");
+		return -EBADF;
+	}
+
+	meas_file = fget(mr->fd);
+	if (!meas_file) {
+		ima_error("could not open request\n");
+		return -EACCES;
+	}
+
+	error = measure_user_file(meas_file, (u32)(((mr->label) << 16) | USER_MEASURE_FLAG));
+	fput(meas_file);
+	if (error) {
+		ima_error("problem measuring request\n");
+		return error;
+	} else
+		return count;
+}
+
+static struct file_operations ima_measure_ops = {
+	.write = ima_measure_write,
+};
+
+static struct file_operations ima_measurements_ops = {
+	.read = ima_measurements_read
+};
+
+enum { Opt_uid, Opt_gid };
+
+static match_table_t tokens = {
+	{Opt_uid, "uid=%u"},
+	{Opt_gid, "gid=%u"}
+};
+
+static int ima_remount(struct super_block *sb, int *flags, char *data)
+{
+	char *p;
+	int option;
+	int changed = 0, uid = 0, gid = 0;
+	struct inode *inode;
+
+	if (!data)
+		return 0;
+
+	while ((p = strsep(&data, ",")) != NULL) {
+		substring_t args[MAX_OPT_ARGS];
+		int token;
+		if (!*p)
+			continue;
+
+		token = match_token(p, tokens, args);
+		switch (token) {
+
+		case Opt_uid:
+			if (match_int(args, &option))
+				return -EINVAL;
+			uid = option;
+			changed = 1;
+			break;
+
+		case Opt_gid:
+			if (match_int(args, &option))
+				return -EINVAL;
+			gid = option;
+			changed = 1;
+			break;
+
+		default:
+			ima_error("ima_fs: unrecognized mount option\n");
+			return -EINVAL;
+		}
+	}
+
+	if (changed) {
+		list_for_each_entry(inode, &sb->s_inodes, i_sb_list) {
+			inode->i_uid = uid;
+			inode->i_gid = gid;
+		}
+	}
+
+	return 0;
+}
+
+/* imafs Filenames and Permissions are set here -- Double CHECK */
+static int ima_fill_super(struct super_block *sb, void *data, int silent)
+{
+	static struct tree_descr ima_files[] = {
+		[IMA_MEASURE] =
+		    {"measurereq", &ima_measure_ops, S_IWUSR | S_IWGRP},
+		[IMA_MEASUREMENTS] =
+		    {"binary_measurements", &ima_measurements_ops,
+		     S_IRUSR | S_IRGRP},
+		[IMA_MEASUREMENTS_COUNT] =
+		    {"binary_measurements_count",
+		     &ima_measurements_count_ops,
+		     S_IRUSR | S_IRGRP},
+		[IMA_HTABLE_CLEAN_INODE_HITS] =
+		    {"clean_inode_hits", &ima_htable_clean_inode_hits_ops,
+		     S_IRUSR | S_IRGRP},
+		[IMA_HTABLE_CLEAN_TABLE_HITS] =
+		    {"clean_hashtable_hits",
+		     &ima_htable_clean_table_hits_ops,
+		     S_IRUSR | S_IRGRP},
+		[IMA_HTABLE_DIRTY_TABLE_HITS] =
+		    {"dirty_hashtable_hits",
+		     &ima_htable_dirty_table_hits_ops,
+		     S_IRUSR | S_IRGRP},
+		[IMA_HTABLE_CHANGED_FILES] =
+		    {"changed_files", &ima_htable_changed_files_ops,
+		     S_IRUSR | S_IRGRP},
+		[IMA_HTABLE_USER_MEASURE] =
+		    {"user_count", &ima_htable_user_measure_ops,
+		     S_IRUSR | S_IRGRP},
+		[IMA_HTABLE_KERNEL_MEASURE] =
+		    {"kernel_count", &ima_htable_kernel_measure_ops,
+		     S_IRUSR | S_IRGRP},
+		[IMA_HTABLE_VIOLATIONS] =
+		    {"violations", &ima_htable_violations_ops,
+		     S_IRUSR | S_IRGRP},
+
+		/* last one */ {""}
+	};
+
+	return simple_fill_super(sb, IMA_MAGIC, ima_files);
+}
+
+static struct super_block *ima_get_sb(struct file_system_type *fs_type,
+				      int flags, const char *dev_name,
+				      void *data)
+{
+	struct super_block *sb;
+	sb = get_sb_single(fs_type, flags, data, ima_fill_super);
+
+	sb->s_op->remount_fs = ima_remount;
+
+	return sb;
+}
+
+static struct file_system_type ima_fs_type = {
+	.name = "imafs",
+	.get_sb = ima_get_sb,
+	.kill_sb = kill_litter_super,
+};
+
+struct vfsmount *imafs_mount;
+
+void ima_fs_init(void)
+{
+	int err;
+
+	if (!ima_enabled)
+		return;
+
+	err = register_filesystem(&ima_fs_type);
+	if (!err) {
+		imafs_mount = kern_mount(&ima_fs_type);
+		if (IS_ERR(imafs_mount)) {
+			ima_error("imafs:  could not mount!\n");
+			err = PTR_ERR(imafs_mount);
+			imafs_mount = NULL;
+		}
+	}
+	return;
+}
diff -uprN linux-2.6.12-rc6-mm1_orig/security/ima/ima.h linux-2.6.12-rc6-mm1-ima/security/ima/ima.h
--- linux-2.6.12-rc6-mm1_orig/security/ima/ima.h	1969-12-31 19:00:00.000000000 -0500
+++ linux-2.6.12-rc6-mm1-ima/security/ima/ima.h	2005-06-14 16:25:05.000000000 -0400
@@ -0,0 +1,242 @@
+/*
+ * Copyright (C) 2005 IBM Corporation
+ *
+ * Authors:
+ * Reiner Sailer <[email protected]>
+ *
+ * Maintained by: Reiner Sailer <[email protected]>
+ *
+ * LSM IBM Integrity Measurement Architecture.	  
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2 of the
+ * License.
+ *
+ * File: ima.h
+ *             defs
+ */
+#ifndef __LINUX_IMA_H
+#define __LINUX_IMA_H
+
+#include <linux/types.h>
+#include <linux/fs.h>
+#include <linux/major.h>
+#include <linux/crypto.h>
+#include <linux/security.h>
+
+#define ima_printk(level, format, arg...)	\
+	printk(level "ima (%s): " format ,__func__, ## arg)
+       
+#define ima_error(format, arg...)	\
+	ima_printk(KERN_ERR, format, ## arg)
+
+#define ima_info(format, arg...)	\
+	ima_printk(KERN_INFO, format, ## arg)
+
+/* if you cannot tolerate panic for the sake of attestation guarantees,
+ * then redefine IMA_PANIC to, e g., ima_error (see INSTALL documentation) */
+#define IMA_PANIC   \
+	panic
+
+/* set during registering as lsm */
+extern unsigned char ima_terminating;
+void invalidate_pcr(char *);
+
+#define IMA_MEASURE_MODULE_NAME	"IMA"
+#define TCG_EVENT_NAME_LEN_MAX	40
+
+/* file systems we expect to change without
+ * our inode_permission hook being called (nfs, remote fs) */
+#define NFS_SUPER_MAGIC		0x6969
+
+/* file systems we won't measure */
+#define IMA_MAGIC 		0x9999
+
+/* Flags for measurement entries (identifying hook) */
+#define FLAG_HOOK_MASK		0x0f
+#define MMAP_MEASURE_FLAG 	0x01
+#define MODULE_MEASURE_FLAG 	0x02
+#define USER_MEASURE_FLAG 	0x04
+
+#define MEASURE_HTABLE_SIZE	512
+#define HASH_KEY(inode_number) ((inode_number) % MEASURE_HTABLE_SIZE)
+#define SHA_KEY(sha_value) (((sha_value)[18] << 8 | (sha_value)[19]) % MEASURE_HTABLE_SIZE)
+typedef enum { CLEAN, DIRTY, CHANGED } ima_entry_flags;
+
+/* security structure appended to inodes */
+struct ima_inode {
+	atomic_t measure_count;	/* # processes currently using this file in measure-mode */
+	ima_entry_flags dirty;
+};
+
+/* security structure appended to measured files*/
+struct ima_file {
+	char is_measuring;	/* identify fds that are "measuring" */
+};
+
+/* get/store security state information;
+ * if stacking were to be implemented, this would be the place */
+#define ima_get_inode_security(inode) \
+	((struct ima_inode *) ((inode)->i_security))
+
+#define ima_store_inode_security(inode,sec_struct) \
+	((inode)->i_security = (sec_struct))
+
+#define ima_get_file_security(file) \
+	((struct ima_file *) ((file)->f_security))
+
+#define ima_store_file_security(file, sec_struct) \
+	((file)->f_security = (sec_struct))
+
+struct measure_entry {
+	u32 measure_flags;
+	unsigned long inode_nr;
+	dev_t dev_id;
+	ima_entry_flags dirty;
+	u8 digest[20];				  /* sha1 measurement hash */
+	char file_name[TCG_EVENT_NAME_LEN_MAX+1]; /* name + \0 */
+	struct super_block *super_block;	/* super block link (for umount-dirty flagging) */
+};
+
+struct sha_entry {
+	struct sha_entry *next;
+	u8 *digest;
+	struct measure_entry *m_entry;
+};
+
+struct queue_entry {
+	struct queue_entry *next;
+	struct queue_entry *later;
+	struct measure_entry *entry;
+};
+
+extern struct queue_entry *first_measurement;	/* for printing */
+extern struct queue_entry *latest_measurement;	/* for adding */
+
+/* hash table to keep fast access to past measurements 
+ * uses one global lock for now (read/write) */
+extern struct semaphore h_table_mutex;
+
+struct h_table {
+	atomic_t len;
+	atomic_t user_measure; /* # measurements requested from userspace */
+	atomic_t kernel_measure; /* # measurements performed from kernel */
+	atomic_t clean_inode_hits; /* times we find an inode clean when measuring */
+	atomic_t clean_table_hits; /* times we find a clean htable hit */
+	atomic_t dirty_table_hits; /* times we find a dirty htable hit */
+	atomic_t changed_files;	 /* times we realize a dirty marked entry really changed */
+	atomic_t violations;
+	unsigned int max_htable_size;
+	struct queue_entry *queue[MEASURE_HTABLE_SIZE];
+	atomic_t queue_len[MEASURE_HTABLE_SIZE];
+};
+
+struct sha_table {
+	atomic_t len;
+	unsigned int max_htable_size;
+	struct sha_entry *queue[MEASURE_HTABLE_SIZE];
+	atomic_t queue_len[MEASURE_HTABLE_SIZE];
+};
+
+#define MEM_MINOR	1
+#define KMEM_MINOR	2
+#ifdef CONFIG_IMA_KMEM_BYPASS_PROTECTION
+static inline void check_kmem_bypass(struct inode *inode)
+{
+	if ((imajor(inode) == MEM_MAJOR) 
+	    && S_ISCHR(inode->i_mode) && (iminor(inode) == KMEM_MINOR))
+		invalidate_pcr("/dev/kmem write violation");
+}
+#else
+static inline void check_kmem_bypass(struct inode *inode)
+{
+	return;
+}
+#endif
+
+#ifdef CONFIG_IMA_MEM_BYPASS_PROTECTION
+static inline void check_mem_bypass(struct inode *inode)
+{
+	if ((imajor(inode) == MEM_MAJOR) 
+	    && S_ISCHR(inode->i_mode) && (iminor(inode) == MEM_MINOR))
+		invalidate_pcr("/dev/mmem write violation");
+}
+#else
+static inline void check_mem_bypass(struct inode *inode)
+{
+	return;
+}
+#endif
+
+#ifdef CONFIG_IMA_RAM_BYPASS_PROTECTION
+static inline void check_ram_bypass(struct inode *inode)
+{
+	if ((imajor(inode) == RAMDISK_MAJOR) && S_ISBLK(inode->i_mode))
+		invalidate_pcr("/dev/ram write violation");
+}
+#else
+static inline void check_ram_bypass(struct inode *inode)
+{
+	return;
+}
+#endif
+
+#ifdef CONFIG_IMA_HD_SD_BYPASS_PROTECTION
+static inline void check_hd_sd_bypass(struct inode *inode)
+{
+	if ((imajor(inode) == HD_MAJOR) && S_ISBLK(inode->i_mode))
+		invalidate_pcr("/dev/hdx write violation");
+	else if ((imajor(inode) == SCSI_DISK0_MAJOR) && S_ISBLK(inode->i_mode))
+		invalidate_pcr("/dev/sdx write violation");
+}
+#else
+static inline void check_hd_sd_bypass(struct inode *inode)
+{
+	return;
+}
+#endif
+
+/* configuration options*/
+extern int ima_test_mode;
+extern int skip_boot_aggregate;
+
+static inline void read_configs(void)
+{
+#ifdef CONFIG_IMA_TEST_MODE
+	ima_test_mode = 1;
+#else
+	ima_test_mode = 0;
+#endif
+
+#ifdef CONFIG_IMA_SKIP_BOOT_AGGREGATE
+	skip_boot_aggregate = 1;
+#else
+	skip_boot_aggregate = 0;
+#endif
+}
+
+#ifdef CONFIG_TCG_TPM
+struct tpm_chip;
+
+extern ssize_t tpm_transmit(struct tpm_chip *chip, const char *buf, size_t bufsiz);
+
+extern struct tpm_chip *tpm_chip_lookup(int chip_num);
+#else
+struct tpm_chip {
+	char dummy;
+};
+
+static inline ssize_t tpm_transmit(struct tpm_chip *chip, const char *buf, size_t bufsiz)
+{
+	return 0;
+}
+
+static inline struct tpm_chip *tpm_chip_lookup(int chip_num)
+{
+	return NULL;
+}
+#endif
+
+
+#endif
diff -uprN linux-2.6.12-rc6-mm1_orig/security/ima/ima_init.c linux-2.6.12-rc6-mm1-ima/security/ima/ima_init.c
--- linux-2.6.12-rc6-mm1_orig/security/ima/ima_init.c	1969-12-31 19:00:00.000000000 -0500
+++ linux-2.6.12-rc6-mm1-ima/security/ima/ima_init.c	2005-06-14 16:25:05.000000000 -0400
@@ -0,0 +1,191 @@
+/*
+ * Copyright (C) 2005 IBM Corporation
+ *
+ * Authors:
+ * Reiner Sailer      <[email protected]>
+ *
+ * Contributions:
+ * Leendert van Doorn <[email protected]>
+ *
+ * Maintained by: Reiner Sailer <[email protected]>
+ *
+ * LSM IBM Integrity Measurement Architecture.	  
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2 of the
+ * License.
+ *
+ * File: ima_init.c
+ *             init functions to start up IBM IMA as LSM
+ */
+#include <linux/module.h>
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/linkage.h>
+#include <linux/time.h>
+#include <linux/types.h>
+#include <linux/fcntl.h>
+#include <asm/uaccess.h>
+#include <linux/file.h>
+#include <linux/slab.h>
+#include <linux/errno.h>
+#include <linux/crypto.h>
+#include <linux/fs.h>
+#include <linux/init.h>
+#include "ima.h"
+#include "ima_tpm_pcrread.h"
+#include "ima_tpm_extend.h"
+
+/* name for boot aggregate entry */
+char *boot_aggregate_name = "boot_aggregate";
+
+extern struct h_table htable;
+
+/* These identify the driver base version and may not be removed. */
+static const char version[] = "v4.0 06/15/2005";
+static const char illegal_pcr[20] = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
+
+/* configuration parameters */
+int ima_test_mode;
+int skip_boot_aggregate;
+
+void create_htable(void);
+void create_sha_htable(void);
+void ima_lsm_init(void);
+void ima_fs_init(void);
+int ima_add_measure_entry(struct measure_entry *);
+
+int ima_enabled = 0;
+struct tpm_chip *ima_used_chip;
+
+static int __init ima_enabled_setup(char *str)
+{
+	ima_enabled = simple_strtol(str, NULL, 0);
+	return 1;
+}
+
+__setup("ima=", ima_enabled_setup);
+
+
+void ima_add_boot_aggregate(void)
+{
+	/* cumulative sha1 the first 8 tpm registers */
+	struct measure_entry *entry;
+	size_t count;
+
+	/* create new entry for boot aggregate */
+	entry = (struct measure_entry *)
+	    kmalloc(sizeof(struct measure_entry), GFP_KERNEL);
+	if (entry == NULL) {
+		invalidate_pcr("error allocating new measurement entry");
+		return;
+	}
+	entry->inode_nr = 0;	/* 0,0 are special (no files) */
+	entry->dev_id = 0;
+	entry->measure_flags = 0;
+	entry->dirty = DIRTY;
+	entry->super_block = NULL;
+	memset(entry->digest, 0, 20);
+	if ((count = strlen(boot_aggregate_name)) > TCG_EVENT_NAME_LEN_MAX)
+		count = TCG_EVENT_NAME_LEN_MAX;
+	memcpy(entry->file_name, boot_aggregate_name, count);
+	entry->file_name[count] = '\0';	/* ez-print */
+	if (ima_used_chip != NULL) {
+		int i;
+		u8 pcr_i[20];
+		struct crypto_tfm *tfm;
+		
+		tfm = crypto_alloc_tfm("sha1", 0);
+		if (tfm == NULL) {
+			ima_error("Digest init failed ERROR.\n");
+			return;
+		}
+		crypto_digest_init(tfm);
+
+		for (i = 0; i < 8; i++) {
+			tpm_pcrread(i, pcr_i);
+			/* now accumulate with current aggregate */
+			tfm->__crt_alg->cra_digest.
+			    dia_update(crypto_tfm_ctx(tfm), pcr_i, 20);
+		}
+		crypto_digest_final(tfm, entry->digest);
+		crypto_free_tfm(tfm);
+	} else
+		memset(entry->digest, 0xff, 20);
+
+	/* now add measurement; if TPM bypassed, we have a ff..ff entry */
+	if (ima_add_measure_entry(entry) < 0) {
+		kfree(entry);
+		invalidate_pcr("error adding boot aggregate");
+	} else
+		tpm_extend(CONFIG_IMA_MEASURE_PCR_IDX, entry->digest);
+}
+
+
+/* general invalidation function called by the measurement code */
+void invalidate_pcr(char *cause)
+{
+	/* extend pcr with illegal digest (no digest yields 0) */
+	/* extending twice is obviously flagging the exception condition... */
+	ima_error("INVALIDATING PCR AGGREGATE. Cause=%s.\n", cause);
+	tpm_extend(CONFIG_IMA_MEASURE_PCR_IDX, illegal_pcr);
+	tpm_extend(CONFIG_IMA_MEASURE_PCR_IDX, illegal_pcr);
+	atomic_inc(&htable.violations); /* can overflow into 0; this is an indicator only */
+}
+
+
+static int __init measure_init(void)
+{
+	struct security_operations null_ops;
+
+	printk(KERN_INFO "IBM Integrity Measurement Architecture (IBM IMA %s).\n", 
+	       version);
+	read_configs();
+
+	/* check pre-conditions and dependencies */
+	if (!ima_test_mode)
+		ima_enabled = 1;	/* unconditionally */
+	else {
+		if (!ima_enabled) {
+			printk(KERN_INFO "    IMA (not enabled in kernel command line) aborting!\n");
+			return 0;
+		}
+		printk(KERN_INFO "    IMA (test mode)\n");
+	}
+	ima_used_chip = tpm_chip_lookup(0);
+	if (ima_used_chip == NULL) {
+		if (ima_test_mode)
+			printk(KERN_INFO "    IMA (TPM/BYPASS - no TPM chip found)\n");
+		else
+			/* no way to invalidate pcr and inform remote party */
+			IMA_PANIC("IMA: TPM/no support and IMA not in test mode!\n");
+	}
+	/* check for LSM availability */
+	memset(&null_ops, 0, sizeof(struct security_operations));
+	if (!register_security(&null_ops))
+		unregister_security(&null_ops);
+	else {
+		if (ima_test_mode) {
+			ima_enabled = 0;
+			printk(KERN_INFO "    IMA (LSM/not free) aborting!\n");
+			return -EFAULT;
+		} else
+			invalidate_pcr("LSM/not free in real mode!\n");
+	}
+	create_htable(); /* for measurements */
+	create_sha_htable();
+	/* boot aggregate must be very first entry */
+	if (!skip_boot_aggregate)
+		ima_add_boot_aggregate();
+	ima_lsm_init();
+	ima_fs_init();
+	return 0;
+}
+
+__initcall(measure_init);
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Reiner Sailer <[email protected]>");
+MODULE_DESCRIPTION
+    ("Run-time LSM-based IBM Integrity Measurement Architecture");
diff -uprN linux-2.6.12-rc6-mm1_orig/security/ima/ima_lsmhooks.c linux-2.6.12-rc6-mm1-ima/security/ima/ima_lsmhooks.c
--- linux-2.6.12-rc6-mm1_orig/security/ima/ima_lsmhooks.c	1969-12-31 19:00:00.000000000 -0500
+++ linux-2.6.12-rc6-mm1-ima/security/ima/ima_lsmhooks.c	2005-06-14 16:25:05.000000000 -0400
@@ -0,0 +1,181 @@
+/*
+ * Copyright (C) 2005 IBM Corporation
+ *
+ * Authors:
+ * Reiner Sailer <[email protected]>
+ *
+ * Maintained by: Reiner Sailer <[email protected]>
+ *
+ * LSM IBM Integrity Measurement Architecture.		  
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2 of the
+ * License.
+ *
+ * File: ima_lsmhooks.c
+ *             implements Linux Security Modules hooks that call into
+ *             into the measurement functions
+ */
+#include <linux/config.h>
+#include <linux/module.h>
+#include <linux/init.h>
+#include <linux/kernel.h>
+#include <asm/mman.h>
+#include <linux/fs.h>
+#include <linux/mount.h>
+#include <linux/namei.h>
+#include "ima.h"
+
+extern struct h_table htable;
+
+/* if set, then hooks do nothing 
+ * (controls non-lsm module hook as well) */
+unsigned char ima_terminating = 1;
+
+struct measure_entry *ima_lookup_measure_entry(unsigned long, dev_t);
+void measure_mmap_file(struct file *, u32 flags);
+int measure_dirty_flag_super(struct super_block *);
+
+/* measure files mmapped with exec permission */
+int ima_file_mmap(struct file *file, unsigned long reqprot, unsigned long prot, unsigned long flags)
+{
+	/* filter interesting calls that actually map files executable */
+	if (!(reqprot & PROT_EXEC))
+		return 0;
+
+	/* now check protection  */
+	if (reqprot & MAP_SHARED & PROT_EXEC & PROT_WRITE) {
+		ima_error("MMAP protection flag error!!!\n");
+		invalidate_pcr("MMAP protection flag violation!");
+	}
+	atomic_inc(&htable.kernel_measure);
+	measure_mmap_file(file, (u32)MMAP_MEASURE_FLAG);
+	/* IMA is non-intrusive, so we always map */
+	return 0;
+}
+
+/* dirty flags on open with MAY_WRITE|MAY_APPEND */
+int ima_inode_permission(struct inode *inode, int mask, struct nameidata *nd)
+{
+	struct ima_inode *i_security = NULL;
+	struct measure_entry *entry;
+
+	/* dirty-flagging applies to changing files */
+	if (!(mask & (MAY_WRITE | MAY_APPEND)) || !inode)
+		return 0;
+	
+	/* general checks against bypassing dirty-flagging */
+	check_kmem_bypass(inode);
+	check_mem_bypass(inode);
+	check_ram_bypass(inode);
+	check_hd_sd_bypass(inode);
+	
+	/* files that are written to are usually not executed (measured),
+	   optimize this path */
+	down(&h_table_mutex);
+	if ((entry = ima_lookup_measure_entry(inode->i_ino, inode->i_rdev)) == NULL)
+		goto out; /* not a measured file */
+	if (entry->dirty == CLEAN)
+		entry->dirty = DIRTY;
+	/* dirty flag inode */
+	if ((i_security = ima_get_inode_security(inode)) != NULL) {
+		if (atomic_read(&(i_security->measure_count))) {
+			/* write permission on measured file was granted! */
+			invalidate_pcr("ToMToU violation");
+			ima_error("VIOLATION: Writing to measured file (%s) while it is being used!\n", 
+				  entry->file_name);	
+		}
+		if (i_security->dirty == CLEAN)
+			i_security->dirty = DIRTY;
+	}
+ out:
+	up(&h_table_mutex);
+	return 0;
+}
+
+/* dirty flag files on an umounted file system */
+static int ima_sb_umount(struct vfsmount *mnt, int flags)
+{
+	/* mark all clean entries with this superblock dirty */
+	struct queue_entry *qe;
+	struct super_block *super = mnt->mnt_sb;
+	int j;
+
+	down(&h_table_mutex);
+	for (j = 0; j < htable.max_htable_size; j++) {
+		qe = htable.queue[j];
+		while (qe != NULL) {
+			if (qe->entry->super_block == super)
+				if (qe->entry->dirty == CLEAN)
+					qe->entry->dirty = DIRTY;
+			qe = qe->next;
+		}
+	}
+	up(&h_table_mutex);
+	return 0;
+}
+
+/* free security structure if applies */
+static void ima_inode_free_security(struct inode *inode)
+{
+	struct ima_inode *i_security = ima_get_inode_security(inode);
+
+	if (i_security) {
+		kfree(i_security);
+		ima_store_inode_security(inode, NULL);
+	}
+}
+
+static void ima_file_free_security(struct file *file)
+{
+	struct ima_file *f_security;
+	struct ima_inode *i_security = NULL;
+
+	if ((f_security = ima_get_file_security(file)) == NULL)
+		return;
+	/* decrease measure count if file is measured */
+	i_security = ima_get_inode_security(file->f_dentry->d_inode);
+	if (i_security && (f_security->is_measuring))
+			atomic_dec(&(i_security->measure_count));
+	kfree(f_security);
+	ima_store_file_security(file, NULL);
+}
+
+/* module stacking operations */
+int ima_register_security(const char *name, struct security_operations *ops)
+{
+	/* no stacking */
+	return -EFAULT;
+}
+
+int ima_unregister_security(const char *name, struct security_operations *ops)
+{
+	/* no stacking */
+	return -EFAULT;
+}
+
+struct security_operations ima_ops;
+
+/* IMA requires early initialization in order measure
+   all executables etc from the very beginning. */
+void ima_lsm_init(void)
+{
+	/* prepare ima_ops struct */
+	memset(&ima_ops, 0, sizeof(struct security_operations));
+	/* set the few non-null elements */
+	ima_ops.file_mmap = ima_file_mmap;
+	ima_ops.file_free_security = ima_file_free_security;
+	ima_ops.inode_permission = ima_inode_permission;
+	ima_ops.inode_free_security = ima_inode_free_security;
+	ima_ops.sb_umount = ima_sb_umount;
+	ima_ops.register_security = ima_register_security;
+	ima_ops.unregister_security = ima_unregister_security;
+	/* rest will be taken care of by registration (fixup) */
+	if (register_security(&ima_ops)) {
+		invalidate_pcr("IMA: Unable to register with kernel.\n");
+		return;
+	}
+	/* module measurement hook becomes hot */
+	ima_terminating = 0;
+}
diff -uprN linux-2.6.12-rc6-mm1_orig/security/ima/ima_main.c linux-2.6.12-rc6-mm1-ima/security/ima/ima_main.c
--- linux-2.6.12-rc6-mm1_orig/security/ima/ima_main.c	1969-12-31 19:00:00.000000000 -0500
+++ linux-2.6.12-rc6-mm1-ima/security/ima/ima_main.c	2005-06-14 21:58:13.000000000 -0400
@@ -0,0 +1,462 @@
+/*
+ * Copyright (C) 2005 IBM Corporation
+ *
+ * Authors:
+ * Reiner Sailer <[email protected]>
+ *
+ * Maintained by: Reiner Sailer <[email protected]>
+ *
+ * LSM IBM Integrity Measurement Architecture.		  
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2 of the
+ * License.
+ *
+ * File: ima_main.c
+ *             implements run-time measurements
+ */
+#include <linux/init.h>
+#include <linux/module.h>
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/linkage.h>
+#include <linux/time.h>
+#include <linux/types.h>
+#include <linux/fcntl.h>
+#include <asm/uaccess.h>
+#include <asm/atomic.h>
+#include <linux/file.h>
+#include <linux/slab.h>
+#include <linux/stat.h>
+
+#include "ima.h"
+#include "ima_tpm_extend.h"
+
+extern struct h_table htable;
+extern struct sha_table sha_htable;
+
+struct sha_entry *ima_lookup_sha_entry(u8 * sha_value);
+struct measure_entry *ima_lookup_measure_entry(unsigned long, dev_t);
+int ima_add_measure_entry(struct measure_entry *);
+int measure_dirty_flag_inode(struct inode *);
+extern struct tpm_chip *ima_used_chip;
+
+DEFINE_SPINLOCK(ima_measure_file_lock);
+
+/* 
+ * Returns the dirty flag setting for an inode
+ * (nfs, since we don't control changes)
+ */
+static inline ima_entry_flags get_default_dirty_setting(struct inode *inode)
+{
+	switch (inode->i_sb->s_magic) {
+	case NFS_SUPER_MAGIC:
+		return DIRTY;	/* dirty */
+		break;
+	default:		/* local fs etc. */
+		return CLEAN;	/* clean */
+	}
+}
+
+/* returns >0 if measurement must be skipped
+ * returns =0 if measurement allowed 
+ */
+static inline int skip_measurement(struct inode *inode)
+{
+	/* measuring only regular files; can't measure IMA files */
+	if (S_ISREG(inode->i_mode) && (inode->i_sb->s_magic != IMA_MAGIC))
+		return 0;       	/* measure */
+	else
+		return 1;       	/* skip */	
+}
+
+
+/*  measures new file and adds it to measurement list */
+static struct measure_entry *do_measure_file(struct file *file, struct inode *inode)
+{
+	struct ima_inode *i_security = NULL;
+	mm_segment_t oldfs;
+	int error = 0;
+	loff_t offset = 0;
+	size_t count;
+	struct crypto_tfm *tfm;
+	struct measure_entry *entry;
+
+	char *bufp = NULL;
+	/* create read buffer */
+	if ((bufp =
+	     (char *) kmalloc(PAGE_SIZE, GFP_KERNEL)) == 0) {
+		ima_error("no memory for read buffer\n");
+		error = -ENOMEM;
+		goto out;	/* invalidate pcr */
+	}
+	/* create new entry and measure */
+	entry = (struct measure_entry *)
+	    kmalloc(sizeof(struct measure_entry), GFP_KERNEL);
+	if (entry == NULL) {
+		error = -ENOMEM;
+		ima_error("error allocating new measurement entry");
+		kfree(bufp);
+		goto out;	/* invalidate pcr */
+	}
+	entry->inode_nr = inode->i_ino;
+	entry->dev_id = inode->i_rdev;
+	entry->dirty = get_default_dirty_setting(inode);
+	entry->super_block = inode->i_sb;
+	if ((count = file->f_dentry->d_name.len) > TCG_EVENT_NAME_LEN_MAX)
+		count = TCG_EVENT_NAME_LEN_MAX;
+	memcpy(entry->file_name, file->f_dentry->d_name.name, count);
+	entry->file_name[count] = '\0';	/* ez-print */
+	error = 0;
+	/* second add sha1 over file contents */
+	/* init context */
+	tfm = crypto_alloc_tfm("sha1", 0);
+	if (tfm == NULL) {
+		ima_error("Digest init failed ERROR.\n");
+		goto outm;
+	}
+	crypto_digest_init(tfm);
+
+	/* set fs so that kernel writes into kernel segment */
+	oldfs = get_fs();
+	set_fs(KERNEL_DS);
+	do {
+		if ((count =
+		     (file->f_op->read) (file,
+					 (char __user *) bufp,
+					 PAGE_SIZE,
+					 &offset)) < 0) {
+			error = count;
+			ima_error("Error reading from file (%d)\n", error);
+			goto outf;
+		}
+		/* update hash with this part */
+		tfm->__crt_alg->cra_digest.dia_update(crypto_tfm_ctx(tfm),
+						      bufp, count);
+	} while (count);
+	set_fs(oldfs);
+
+	/* complete hash */
+	crypto_digest_final(tfm, entry->digest);
+	crypto_free_tfm(tfm);
+	/* before returning, replicate important information into inode->i_security */
+	i_security = ima_get_inode_security(inode);
+	if (i_security != NULL) {
+		/* update */
+		i_security->dirty = entry->dirty;
+	} else {
+		ima_error("error No security structure in measure!\n");
+		goto outm;
+	}
+
+	kfree(bufp);
+	return (entry);
+
+	/* error exits */
+      outf:
+	set_fs(oldfs);
+      outm:
+	kfree(entry);
+	kfree(bufp);
+      out:
+	return (NULL);
+}
+
+/* measure memory (kernel module; still the exact copy of the object file) */
+int do_measure_memory(void *start, unsigned long len, u32 measure_flags, char *name)
+{
+	struct crypto_tfm *tfm;
+	u8 mem_digest[20];
+	int error = 0;
+	struct measure_entry *entry;
+	int count;
+
+	/* init context */
+	tfm = crypto_alloc_tfm("sha1", 0);
+	if (tfm == NULL) {
+		invalidate_pcr("No SHA1 available");
+		return -EFAULT;
+	}
+	crypto_digest_init(tfm);
+	/* now measure the memory ... */
+	tfm->__crt_alg->cra_digest.dia_update(crypto_tfm_ctx(tfm), start,
+					      len);
+	crypto_digest_final(tfm, mem_digest);
+	crypto_free_tfm(tfm);
+
+	down(&h_table_mutex);
+	if (!ima_lookup_sha_entry(mem_digest)) {
+		/* create new entry and measure */
+		entry = (struct measure_entry *)
+		    kmalloc(sizeof(struct measure_entry), GFP_KERNEL);
+		if (entry == NULL) {
+			invalidate_pcr("OUT OF MEMORY");
+			error = -EFAULT;
+			goto out;
+		}
+		entry->inode_nr = 0;	/* special entries, no file entries */
+		entry->dev_id = 0;
+		entry->dirty = DIRTY;
+		entry->super_block = NULL;
+		memcpy(entry->digest, mem_digest, 20);
+		if ((count = strlen(name)) > TCG_EVENT_NAME_LEN_MAX)
+			count = TCG_EVENT_NAME_LEN_MAX;
+		strncpy(entry->file_name, name, count);
+		entry->file_name[count] = '\0';
+		entry->measure_flags = measure_flags;
+		if ((error = ima_add_measure_entry(entry)) < 0) {
+			kfree(entry);
+			invalidate_pcr
+			    ("error adding new measurement entry");;
+			goto out;
+		} else {	/* extend PCR */
+			tpm_extend(CONFIG_IMA_MEASURE_PCR_IDX, entry->digest);
+		}
+	}			/* else we already have this hash value from an exec/file that was running earlier */
+	up(&h_table_mutex);
+	return 0;
+      out:
+	up(&h_table_mutex);
+	return -EFAULT;
+}
+
+static unsigned int find_mod_sec(Elf_Ehdr * hdr, Elf_Shdr * sechdrs, const char *secstrings, const char *name)
+{
+	unsigned int i;
+	for (i = 1; i < hdr->e_shnum; i++)
+		/* Alloc bit cleared means "here is nothing to look for (ignore)" */
+		if ((sechdrs[i].sh_flags & SHF_ALLOC)
+		    && strcmp(secstrings + sechdrs[i].sh_name, name) == 0)
+			return i;
+	return 0;
+}
+
+/* Measure kernel modules in-memory before relocation */
+void measure_kernel_module(void *start, unsigned long len, const char __user * uargs)
+{
+	Elf_Ehdr *hdr;
+	Elf_Shdr *sechdrs;
+	struct module *mod;
+	unsigned int modindex;
+	char *args, *secstrings;
+	long arglen;
+
+	arglen = strlen_user(uargs);
+	if (!arglen) {
+		invalidate_pcr("ERROR measuring kernel module!");
+		return;
+	}
+	args = kmalloc(arglen, GFP_KERNEL);
+	if (!args) {
+		invalidate_pcr("OUT OF MEMORY measuring kernel module!");
+		return;
+	}
+	if (copy_from_user(args, uargs, arglen) != 0) {
+		invalidate_pcr("ERROR measuring kernel module!");
+		return;
+	}
+	/* get the module name for entry */
+	hdr = (Elf_Ehdr *) start;
+	sechdrs = (void *) hdr + hdr->e_shoff;
+	secstrings = (void *) hdr + sechdrs[hdr->e_shstrndx].sh_offset;
+
+	modindex = find_mod_sec(hdr, sechdrs, secstrings,
+				".gnu.linkonce.this_module");
+	if (!modindex) {
+		ima_error("No module found in object\n");
+		invalidate_pcr("Module without name?!");
+		return;
+	}
+	mod = (void *) ((size_t) hdr + sechdrs[modindex].sh_offset);
+	atomic_inc(&htable.kernel_measure); /* CHECK */
+	do_measure_memory(start, len, (u32)MODULE_MEASURE_FLAG, mod->name);
+	return;
+}
+
+
+
+static void measure_file (struct file *file, u32 measure_flags, struct inode *inode, struct ima_inode *i_security)
+{
+	struct measure_entry *entry, *new_entry;
+
+	down(&h_table_mutex);
+	entry = ima_lookup_measure_entry(inode->i_ino, inode->i_rdev);
+	if ((entry != NULL) && (entry->dirty == CLEAN)) {
+		i_security->dirty = CLEAN;
+		atomic_inc(&htable.clean_table_hits);
+		goto out; /* done */
+	}
+	new_entry = do_measure_file(file, inode);
+	/* now we adjust the entry table:
+	 * -- if there was no entry, we just add the new one
+	 * -- if there was one but different hash, we add the new one
+	 * -- if there was one and same hash, we clear dirty bit on existing one
+	 */
+	if (!new_entry) {
+		/* internal error, make sure attestation fails from now on */
+		invalidate_pcr("error measuring file");
+		goto out;
+	}
+	new_entry->measure_flags = measure_flags;
+	if (entry == NULL) {	/* no old entry for this inode found */
+		/* add if this hash is new (i.e., no copy measured yet) */
+		if (!ima_lookup_sha_entry(new_entry->digest)) {
+			if (ima_add_measure_entry(new_entry) < 0) {
+				kfree(new_entry);
+				invalidate_pcr("error adding measurement entry");
+			} else	
+				tpm_extend(CONFIG_IMA_MEASURE_PCR_IDX, new_entry->digest);
+		}
+		goto out;
+	}
+	/* old entry exists (!= clean) */
+	if (!memcmp(entry->digest, new_entry->digest, 20)) {
+		/* set with default (no clean-flag for nfs) */
+		entry->dirty = get_default_dirty_setting(inode);
+		i_security->dirty = entry->dirty;
+		atomic_inc(&htable.dirty_table_hits);
+		kfree(new_entry);
+	} else {
+		/* dirty and look whether to add new entry */
+		entry->dirty = CHANGED;
+		atomic_inc(&htable.changed_files);
+		if (!ima_lookup_sha_entry(new_entry->digest)) {
+			if (ima_add_measure_entry(new_entry) < 0) {
+				kfree(new_entry);
+				invalidate_pcr("error adding measurement entry");
+			} else
+				tpm_extend(CONFIG_IMA_MEASURE_PCR_IDX, new_entry->digest);
+		}
+	}
+ out:
+	up(&h_table_mutex);
+}
+
+
+/* Measure user space file descriptor, protect file from being
+ * written until all measureing processes have closed the file
+ */
+int measure_user_file(struct file *file, u32 measure_flags)
+{
+	struct inode *inode;
+	struct ima_file *f_security = NULL;
+	struct ima_inode *i_security = NULL;
+
+	if (!file || !file->f_op || !file->f_dentry || !file->f_dentry->d_inode)
+		return -EACCES;
+
+	inode = file->f_dentry->d_inode;
+
+	/* here we skip unnecessary measurements */
+	if (skip_measurement(inode))
+		return -EACCES; /* not allowed to measure; user apps to handle error */
+ 
+	/* a) if there is already a writer on this file --> error! */
+	if (atomic_read(&(inode->i_writecount)) > 0) {
+		struct measure_entry *entry;
+		invalidate_pcr("ToMToU violation");
+		down(&h_table_mutex);
+		entry = ima_lookup_measure_entry(inode->i_ino, inode->i_rdev);
+		ima_error("VIOLATION: Measured file (%s) has writers!\n",
+			  (entry != NULL) ? entry->file_name : "most likely measuring file opened rw");
+		up(&h_table_mutex);
+		return -EACCES;
+	}
+	inode = file->f_dentry->d_inode;
+	/* mark this file as measuring (increases measurement-refcount on inode) */
+	if ((f_security = ima_get_file_security(file)) != NULL) {
+		i_security = ima_get_inode_security(file->f_dentry->d_inode);
+		if (i_security == NULL) {
+			invalidate_pcr("Internal error (f_security not free but no i_security).\n");
+			return -EFAULT;
+		}
+	} else {
+		/* create f_security and if necessary i_security */
+		f_security = kmalloc(sizeof(struct ima_file), GFP_KERNEL);
+		if (f_security == NULL) {
+			invalidate_pcr("out of memory error");
+			return -ENOMEM;
+		} else {
+			f_security->is_measuring = 1;
+			ima_store_file_security(file, f_security);
+		}
+		/* we maintain an inode copy of clean etc. to speed up clean hits */
+		i_security = ima_get_inode_security(inode);
+		if (i_security != NULL)
+			atomic_inc(&(i_security->measure_count));
+		else {
+			spin_lock(&ima_measure_file_lock);
+			if ((i_security = ima_get_inode_security(inode)))
+				goto dontalloc;
+			i_security =
+				kmalloc(sizeof(struct ima_inode), GFP_KERNEL);
+			if (i_security == NULL) {
+				spin_unlock(&ima_measure_file_lock);
+				invalidate_pcr("out of memory error");
+				return -EFAULT;
+			} else {
+				i_security->dirty = DIRTY;
+				/* is reset later after measuring file */
+				atomic_set(&(i_security->measure_count), 1);
+				ima_store_inode_security(inode, i_security);
+			}
+dontalloc:
+			spin_unlock(&ima_measure_file_lock);	
+		}
+	}
+	/* catch most cases */
+	if (i_security->dirty == CLEAN)
+		atomic_inc(&htable.clean_inode_hits);
+	else
+		measure_file(file, measure_flags, inode, i_security);
+	return 0;
+}
+
+
+/* Measure files mapped as executable */
+void measure_mmap_file(struct file *file, u32 measure_flags)
+{
+	struct inode *inode;
+	struct ima_inode *i_security = NULL;
+
+	if (!file || !file->f_op || !file->f_dentry || !file->f_dentry->d_inode)
+		return;
+	
+	inode = file->f_dentry->d_inode;
+
+	/* here we skip non-allowed measurements */
+	if (skip_measurement(inode))
+		return;
+
+	/* if there is already a writer on this file --> error! */
+	if (atomic_read(&(inode->i_writecount)) > 0) {
+		invalidate_pcr("Measured file has writers.");
+		return;
+	}
+	/* we maintain an inode copy of clean etc. to speed up clean hits */
+	i_security = ima_get_inode_security(inode);
+	if (!i_security) {
+		spin_lock(&ima_measure_file_lock);
+		if ((i_security = ima_get_inode_security(inode)))
+			goto dontalloc;
+		i_security = kmalloc(sizeof(struct ima_inode), GFP_KERNEL);
+		if (i_security == NULL) {
+			spin_unlock(&ima_measure_file_lock);
+			invalidate_pcr("out of memory error");
+			return;
+		} else {
+			i_security->dirty = DIRTY;
+			/* is reset later after measuring file */
+			atomic_set(&(i_security->measure_count), 0);
+			ima_store_inode_security(inode, i_security);
+		}
+dontalloc:
+		spin_unlock(&ima_measure_file_lock);
+	}
+	/* catch most cases */
+	if (i_security->dirty == CLEAN)
+		atomic_inc(&htable.clean_inode_hits);
+	else
+		measure_file(file, measure_flags, inode, i_security);
+}
diff -uprN linux-2.6.12-rc6-mm1_orig/security/ima/ima_queue.c linux-2.6.12-rc6-mm1-ima/security/ima/ima_queue.c
--- linux-2.6.12-rc6-mm1_orig/security/ima/ima_queue.c	1969-12-31 19:00:00.000000000 -0500
+++ linux-2.6.12-rc6-mm1-ima/security/ima/ima_queue.c	2005-06-14 16:25:05.000000000 -0400
@@ -0,0 +1,185 @@
+/*
+ * Copyright (C) 2005 IBM Corporation
+ *
+ * Authors:
+ * Reiner Sailer <[email protected]>
+ *
+ * Maintained by: Reiner Sailer <[email protected]>
+ *
+ * LSM IBM Integrity Measurement Architecture.		  
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2 of the
+ * License.
+ *
+ * File: ima_queue.c
+ *             implements queues for run-time measurement
+ *             functions based on SHA1
+ */
+#include <linux/module.h>
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/linkage.h>
+#include <linux/time.h>
+#include <linux/types.h>
+#include <linux/fcntl.h>
+#include <asm/uaccess.h>
+#include <linux/file.h>
+#include <linux/slab.h>
+#include <linux/crypto.h>
+
+#include "ima.h"
+
+/* pointer to very first and latest measurement (time-ordered) */
+struct queue_entry *first_measurement = NULL;	/* for printing */
+struct queue_entry *latest_measurement = NULL;	/* for adding */
+
+struct h_table htable;		/* key: inode (before secure-hashing a file) */
+struct sha_table sha_htable;	/* key: hash (after secure-hashing a file) */
+int ima_add_sha_entry(struct measure_entry *);
+
+DECLARE_MUTEX_LOCKED(h_table_mutex);
+
+void create_sha_htable(void)
+{
+	int i;
+
+	atomic_set(&sha_htable.len, 0);
+	sha_htable.max_htable_size = MEASURE_HTABLE_SIZE;
+	for (i = 0; i < sha_htable.max_htable_size; i++) {
+		sha_htable.queue[i] = NULL;
+		atomic_set(&sha_htable.queue_len[i], 0);
+	}
+}
+
+void create_htable(void)
+{
+	int i;
+
+	init_MUTEX_LOCKED(&h_table_mutex);
+	first_measurement = NULL;
+	latest_measurement = NULL;
+	atomic_set(&htable.len, 0);
+	atomic_set(&htable.user_measure, 0);
+	atomic_set(&htable.kernel_measure, 0);
+	atomic_set(&htable.clean_inode_hits, 0);
+	atomic_set(&htable.clean_table_hits, 0);
+	atomic_set(&htable.dirty_table_hits, 0);
+	atomic_set(&htable.changed_files, 0);
+	atomic_set(&htable.violations, 0);
+	htable.max_htable_size = MEASURE_HTABLE_SIZE;
+	for (i = 0; i < htable.max_htable_size; i++) {
+		htable.queue[i] = NULL;
+		atomic_set(&htable.queue_len[i], 0);
+	}
+	up(&h_table_mutex);
+}
+
+/* 
+ * also sets clean and dirty table hit marks 
+ */
+struct measure_entry *ima_lookup_measure_entry(unsigned long inode_number, dev_t dev_number)
+{
+	struct queue_entry *qe;
+	struct measure_entry *me;
+
+	/* fill in later */
+	qe = htable.queue[HASH_KEY(inode_number)];
+	while ((qe != NULL) && ((qe->entry->inode_nr != inode_number)
+				|| (qe->entry->dev_id != dev_number)))
+		qe = qe->next;
+
+	if (qe != NULL) {
+		if (qe->entry->dirty != CLEAN)
+			atomic_inc(&htable.dirty_table_hits);
+		else
+			atomic_inc(&htable.clean_table_hits);
+
+		me = qe->entry;
+	} else {
+		me = NULL;
+	}
+	return me;
+}
+
+
+
+struct sha_entry *ima_lookup_sha_entry(u8 * sha_value)
+{
+	struct sha_entry *se;
+	unsigned int key;
+
+	key = SHA_KEY(sha_value);
+	se = sha_htable.queue[key];
+	while ((se != NULL) && (memcmp(se->digest, sha_value, 20)))
+		se = se->next;
+	return se;
+}
+
+
+int ima_add_measure_entry(struct measure_entry *entry)
+{
+	unsigned int key;
+	struct queue_entry *qe;
+	int error = 0;
+
+	/* calculate key */
+	key = HASH_KEY(entry->inode_nr);
+
+	/* create queue_entry */
+	if ((qe = kmalloc(sizeof(struct queue_entry), GFP_KERNEL)) == NULL) {
+		ima_error("OUT OF MEMORY in %s.\n", __func__);
+		error = -ENOMEM;
+		goto out;
+	}
+	qe->entry = entry;
+
+	/* insert entry at beginning of queue */
+	qe->next = htable.queue[key];
+	qe->later = NULL;
+	htable.queue[key] = qe;
+	atomic_inc(&htable.queue_len[key]);
+	/* update later list */
+	if (first_measurement == NULL)
+		first_measurement = qe;
+	else
+		latest_measurement->later = qe;
+	
+	latest_measurement = qe;
+	atomic_inc(&htable.len);
+	/* now add to sha hash table, too */
+	if (ima_add_sha_entry(entry))
+		error = -ENOMEM;
+      out:
+	return error;
+}
+
+
+
+int ima_add_sha_entry(struct measure_entry *entry)
+{
+	unsigned int key;
+	struct sha_entry *se;
+
+	/* calculate key */
+	key = SHA_KEY(entry->digest);
+	/* create queue_entry */
+	if ((se = kmalloc(sizeof(struct sha_entry), GFP_KERNEL)) == NULL)
+		goto out;
+	se->m_entry = entry;
+	se->digest = entry->digest;
+	se->next = NULL;
+
+	/* insert entry at beginning of queue */
+	se->next = sha_htable.queue[key];
+	sha_htable.queue[key] = se;
+	atomic_inc(&sha_htable.queue_len[key]);
+	/* update later list */
+	atomic_inc(&sha_htable.len);
+	return 0;
+
+      out:
+	ima_error("OUT OF MEMORY ERROR creating queue entry.\n");
+	return -ENOMEM;
+}
diff -uprN linux-2.6.12-rc6-mm1_orig/security/ima/ima_tpm_extend.h linux-2.6.12-rc6-mm1-ima/security/ima/ima_tpm_extend.h
--- linux-2.6.12-rc6-mm1_orig/security/ima/ima_tpm_extend.h	1969-12-31 19:00:00.000000000 -0500
+++ linux-2.6.12-rc6-mm1-ima/security/ima/ima_tpm_extend.h	2005-06-14 20:32:39.000000000 -0400
@@ -0,0 +1,65 @@
+/*
+ * Copyright (C) 2005 IBM Corporation
+ *
+ * Authors:
+ * Reiner Sailer <[email protected]>
+ *
+ * Maintained by: Reiner Sailer <[email protected]>
+ *
+ * LSM IBM Integrity Measurement Architecture.		  
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2 of the
+ * License.
+ *
+ * File: ima_tpm_extend.h
+ *             implements glue code to connect IMA to the TPM driver
+ *             (glues to tpmdd on www.sourceforge.net/tpmdd)
+ */
+#ifndef __LINUX_IMA_TPM_EXTEND_H
+#define __LINUX_IMA_TPM_EXTEND_H
+
+#define TPM_BUFSIZE 2048
+
+extern struct tpm_chip *ima_used_chip;
+
+static const u8 extend[] = {
+	0, 193,			/* TPM_TAG_RQU_COMMAND */
+	0, 0, 0, 34,		/* length */
+	0, 0, 0, 20,		/* TPM_ORD_Extend */
+	0, 0, 0, 0		/* PCR index */
+};
+
+static void tpm_extend(int index, const u8 * digest)
+{
+	u8 *data;
+	u32 i;
+	int len;
+
+	if (ima_used_chip == NULL)
+		return;
+
+	if ((data = kmalloc(TPM_BUFSIZE, GFP_KERNEL)) == NULL)
+		goto error;
+
+	memcpy(data, extend, sizeof(extend));
+	i = cpu_to_be32(index);
+	memcpy(data+10, &i, 4);
+	memcpy(data + 14, digest, 20);
+	if ((len = tpm_transmit(ima_used_chip, data, TPM_BUFSIZE)) >= 30) {
+		memcpy(&i, data + 6, 4); /* return code */
+		if (be32_to_cpu(i) == 0)
+			goto out; /* ok */
+	}
+ error:
+	if (!ima_test_mode)
+		IMA_PANIC("IMA: Error Communicating to TPM chip and IMA not in test mode!\n");
+	else
+		ima_error("Error Communicating to TPM chip\n");
+ out:
+	if (data != NULL)
+		kfree(data);
+}
+
+#endif
diff -uprN linux-2.6.12-rc6-mm1_orig/security/ima/ima_tpm_pcrread.h linux-2.6.12-rc6-mm1-ima/security/ima/ima_tpm_pcrread.h
--- linux-2.6.12-rc6-mm1_orig/security/ima/ima_tpm_pcrread.h	1969-12-31 19:00:00.000000000 -0500
+++ linux-2.6.12-rc6-mm1-ima/security/ima/ima_tpm_pcrread.h	2005-06-14 16:25:05.000000000 -0400
@@ -0,0 +1,67 @@
+/*
+ * Copyright (C) 2005 IBM Corporation
+ *
+ * Authors:
+ * Reiner Sailer <[email protected]>
+ *
+ * Maintained by: Reiner Sailer <[email protected]>
+ *
+ * LSM IBM Integrity Measurement Architecture.		  
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2 of the
+ * License.
+ *
+ * File: ima_tpm_pcrread.h
+ *             implements glue code to connect IMA to the TPM driver
+ *             (glues to tpmdd on www.sourceforge.net/tpmdd)
+ */
+#ifndef __LINUX_IMA_TPM_PCRREAD_H
+#define __LINUX_IMA_TPM_PCRREAD_H
+
+#define TPM_BUFSIZE 2048
+
+extern struct tpm_chip *ima_used_chip;
+
+static const u8 pcrread[] = {
+	0, 193,			/* TPM_TAG_RQU_COMMAND */
+	0, 0, 0, 14,		/* length */
+	0, 0, 0, 21,		/* TPM_ORD_PcrRead */
+	0, 0, 0, 0		/* PCR index */
+};
+
+
+static void tpm_pcrread(int index, u8 * hash)
+{
+	u8 *data;
+	u32 i;
+	ssize_t len;
+
+	if (ima_used_chip == NULL)
+		return;
+
+	if ((data = kmalloc(TPM_BUFSIZE, GFP_KERNEL)) == NULL)
+		goto error;
+
+	memcpy(data, pcrread, sizeof(pcrread));
+	i = cpu_to_be32(index);
+	memcpy(data+10, &i, 4);
+	if ((len = tpm_transmit(ima_used_chip, data, TPM_BUFSIZE)) >= 30) {
+		memcpy(&i, data + 6, 4); /* return code */
+		if (be32_to_cpu(i) == 0) {
+			memcpy(hash, data + 10, 20);
+			goto out; /* ok */
+		}
+	}
+ error:
+	if (!ima_test_mode)
+		IMA_PANIC("IMA: Error Communicating to TPM chip and IMA not in test mode!\n");
+	else
+		ima_error("Error Communicating to TPM chip\n");
+ out:
+	if (data != NULL)
+		kfree(data);
+}
+
+#endif
diff -uprN linux-2.6.12-rc6-mm1_orig/security/ima/Kconfig linux-2.6.12-rc6-mm1-ima/security/ima/Kconfig
--- linux-2.6.12-rc6-mm1_orig/security/ima/Kconfig	1969-12-31 19:00:00.000000000 -0500
+++ linux-2.6.12-rc6-mm1-ima/security/ima/Kconfig	2005-06-14 16:25:05.000000000 -0400
@@ -0,0 +1,90 @@
+#
+# IBM Integrity Measurement Architecture
+#
+
+#menu "TPM-based Integrity Measurement Architecture"
+
+config IMA_MEASURE
+	bool "TCG run-time Integrity Measurement Architecture"
+	depends on SECURITY && (CRYPTO_SHA1=y)
+	help
+    		To measure executable code running on this 
+		system, say Y. If you say Y, you must disable
+		any other security modules because LSM are 
+		currently not stackable.To actually start IMA,
+		you need to set a kernel boot parameter "ima=1".
+    		If unsure, say N.
+
+config IMA_TEST_MODE
+	bool "IMA test mode"
+	depends on IMA_MEASURE
+	default y
+	help
+		If you would like to test the measurement 
+		architecture but you do not have a TPM hardware 
+		on your system, say Y. Otherwise say N. If you say
+		Y and IMA does not find a TPM chip it will just bypass
+
+config IMA_MEASURE_PCR_IDX
+	int "PCR for Aggregate (8<= Index <= 15)"
+	depends on IMA_MEASURE
+	range 8 15
+	default 10
+	help
+		This determines the PCR index used for aggregating the
+		measurement list into the TPM hardware.
+		If unsure, use the default 10.
+
+config IMA_SKIP_BOOT_AGGREGATE
+	bool "Skip Boot Aggregate Creation"
+	depends on IMA_MEASURE
+	help
+		If y, the usual aggregate over the boot PCRs 
+		of the TPM is not calculated and not added to 
+		the measurement list. If unsure, say N.
+
+config IMA_KMEM_BYPASS_PROTECTION
+	bool "Invalidate PCR on /dev/kmem write"
+	depends on IMA_MEASURE
+	help
+		This setting enforces TPM PCR invalidation if /dev/kmem
+                is written (bypass of measurements possible). Usually,
+                this does not restrict normal systems. 
+		If unsure, say Y.
+
+config IMA_RAM_BYPASS_PROTECTION
+	bool "Invalidate PCR on /dev/ram write"
+	depends on IMA_MEASURE
+	help
+		This setting enforces TPM PCR invalidation if /dev/ram
+                is written (bypass of measurements possible). If you use
+		ramdisk, you might have a problem.
+		If unsure, say N.
+
+config IMA_HD_SD_BYPASS_PROTECTION
+	bool "Invalidate PCR on /dev/hdx /dev/sdx write"
+	depends on IMA_MEASURE
+	help
+		This setting enforces TPM PCR invalidation if /dev/hda,
+		/dev/hdb ... or /dev/sda, /dev/sdb ... are written
+		directly (bypass of measurement dirty flagging possible). 
+		This requires some changes in /etc/rc.sysinit:
+		   * check filesystems readonly (in rc.sysinit add "-n" fsck
+		     option, remove -a where it appears
+		   * switch off swapping (kernel controlled open on rw)
+		otherwise the PCRs will usually be invalidated.
+		If unsure, say N.
+
+config IMA_MEM_BYPASS_PROTECTION
+	bool "Invalidate PCR on /dev/mem write"
+	depends on IMA_MEASURE
+	help
+		This setting enforces TPM PCR invalidation if /dev/mem
+                is written (bypass of measurements possible). X needs
+		currently to write directly to /dev/mem. For client systems,
+		you might want to chose N here. For server systems not running X,
+		it is safe to say yes. 
+		If unsure, say N.
+
+#endmenu
+
diff -uprN linux-2.6.12-rc6-mm1_orig/security/ima/Makefile linux-2.6.12-rc6-mm1-ima/security/ima/Makefile
--- linux-2.6.12-rc6-mm1_orig/security/ima/Makefile	1969-12-31 19:00:00.000000000 -0500
+++ linux-2.6.12-rc6-mm1-ima/security/ima/Makefile	2005-06-14 16:25:05.000000000 -0400
@@ -0,0 +1,5 @@
+
+obj-$(CONFIG_IMA_MEASURE) += ima_init.o ima_main.o \
+				ima_queue.o ima_lsmhooks.o ima_fs.o
+
+
diff -uprN linux-2.6.12-rc6-mm1_orig/security/Kconfig linux-2.6.12-rc6-mm1-ima/security/Kconfig
--- linux-2.6.12-rc6-mm1_orig/security/Kconfig	2005-06-06 11:22:29.000000000 -0400
+++ linux-2.6.12-rc6-mm1-ima/security/Kconfig	2005-06-14 16:25:05.000000000 -0400
@@ -86,6 +86,7 @@ config SECURITY_SECLVL
 	  If you are unsure how to answer this question, answer N.
 
 source security/selinux/Kconfig
+source security/ima/Kconfig
 
 endmenu
 
diff -uprN linux-2.6.12-rc6-mm1_orig/security/Makefile linux-2.6.12-rc6-mm1-ima/security/Makefile
--- linux-2.6.12-rc6-mm1_orig/security/Makefile	2005-06-06 11:22:29.000000000 -0400
+++ linux-2.6.12-rc6-mm1-ima/security/Makefile	2005-06-14 16:25:05.000000000 -0400
@@ -4,6 +4,7 @@
 
 obj-$(CONFIG_KEYS)			+= keys/
 subdir-$(CONFIG_SECURITY_SELINUX)	+= selinux
+subdir-$(CONFIG_IMA_MEASURE)		+= ima
 
 # if we don't select a security model, use the default capabilities
 ifneq ($(CONFIG_SECURITY),y)
@@ -14,6 +15,7 @@ endif
 obj-$(CONFIG_SECURITY)			+= security.o dummy.o
 # Must precede capability.o in order to stack properly.
 obj-$(CONFIG_SECURITY_SELINUX)		+= selinux/built-in.o
+obj-$(CONFIG_IMA_MEASURE)		+= ima/built-in.o
 obj-$(CONFIG_SECURITY_CAPABILITIES)	+= commoncap.o capability.o
 obj-$(CONFIG_SECURITY_ROOTPLUG)		+= commoncap.o root_plug.o
 obj-$(CONFIG_SECURITY_SECLVL)		+= seclvl.o




-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Stuff]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]     [Linux Resources]
  Powered by Linux