ima: add support for measuring and appraising firmware

The "security: introduce kernel_fw_from_file hook" patch defined a new security hook to evaluate any loaded firmware that wasn't built into the kernel. This patch defines ima_fw_from_file(), which is called from the new security hook, to measure and/or appraise the loaded firmware's integrity. Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Signed-off-by: Kees Cook <keescook@chromium.org>
author: Mimi Zohar <zohar@linux.vnet.ibm.com> 2014-07-22 10:39:48 -0400
committer: Kees Cook <keescook@chromium.org> 2014-07-25 11:47:46 -0700
commit: 5a9196d715607f76d6b7d96a0970d6065335e62b (patch)
tree: df323588d1026b947e489c5fb9c83299dbcb9689 /security/integrity/ima/ima_main.c
parent: 6593d9245bc66e6e3cf4ba6d365a7833110c1402 (diff)
1 files changed, 11 insertions, 0 deletions
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 0d696431209c..2917f980bf30 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -319,6 +319,17 @@ int ima_module_check(struct file *file)
 	return process_measurement(file, NULL, MAY_EXEC, MODULE_CHECK);
 }
 
+int ima_fw_from_file(struct file *file, char *buf, size_t size)
+{
+	if (!file) {
+		if ((ima_appraise & IMA_APPRAISE_FIRMWARE) &&
+		    (ima_appraise & IMA_APPRAISE_ENFORCE))
+			return -EACCES;	/* INTEGRITY_UNKNOWN */
+		return 0;
+	}
+	return process_measurement(file, NULL, MAY_EXEC, FIRMWARE_CHECK);
+}
+
 static int __init init_ima(void)
 {
 	int error;
author	Mimi Zohar <zohar@linux.vnet.ibm.com>	2014-07-22 10:39:48 -0400
committer	Kees Cook <keescook@chromium.org>	2014-07-25 11:47:46 -0700
commit	5a9196d715607f76d6b7d96a0970d6065335e62b (patch)
tree	df323588d1026b947e489c5fb9c83299dbcb9689 /security/integrity/ima/ima_main.c
parent	6593d9245bc66e6e3cf4ba6d365a7833110c1402 (diff)