> -----Original Message----- > From: linux-integrity-owner@xxxxxxxxxxxxxxx [mailto:linux-integrity- > owner@xxxxxxxxxxxxxxx] On Behalf Of Mimi Zohar > Sent: Friday, January 31, 2020 1:19 PM > To: Roberto Sassu <roberto.sassu@xxxxxxxxxx>; > jarkko.sakkinen@xxxxxxxxxxxxxxx; > james.bottomley@xxxxxxxxxxxxxxxxxxxxx; linux-integrity@xxxxxxxxxxxxxxx > Cc: linux-security-module@xxxxxxxxxxxxxxx; linux-kernel@xxxxxxxxxxxxxxx; > Silviu Vlasceanu <Silviu.Vlasceanu@xxxxxxxxxx> > Subject: Re: [PATCH 5/8] ima: allocate and initialize tfm for each PCR bank > > On Mon, 2020-01-27 at 18:04 +0100, Roberto Sassu wrote: > > This patch creates a crypto_shash structure for each allocated PCR bank > and > > for SHA1 if a bank with that algorithm is not currently allocated. > > > > Signed-off-by: Roberto Sassu <roberto.sassu@xxxxxxxxxx> > > <snip> > > > +int __init ima_init_crypto(void) > > +{ > > + enum hash_algo algo; > > + long rc; > > + int i; > > + > > + rc = ima_init_ima_crypto(); > > + if (rc) > > + return rc; > > + > > + ima_algo_array = kmalloc_array(ima_tpm_chip- > >nr_allocated_banks + 1, > > + sizeof(*ima_algo_array), GFP_KERNEL); > > Perhaps instead of hard coding "nr_allocated_banks + 1", create a > variable for storing the number of "extra" banks. Walk the banks > setting ima_sha1_idx and, later, in a subsequent patch set > ima_hash_algo_idx. I could store the indexes in an array and add ARRAY_SIZE of that array. > > + if (!ima_algo_array) { > > + rc = -ENOMEM; > > + goto out; > > + } > > + > > + for (i = 0; i < ima_tpm_chip->nr_allocated_banks + 1; i++) { > > + ima_algo_array[i].tfm = NULL; > > + ima_algo_array[i].algo = HASH_ALGO__LAST; > > + } > > ima_init_crypto() is executed once on initialization. I'm not sure if > it makes a difference, but if you're really concerned about an > additional loop, the initialization, here, could be limited to the > "extra" banks. The other banks could be initialized at the beginning > of the next loop. I set algo to HASH_ALGO__LAST to mark the ima_algo_array entries as uninitialized. ima_alloc_tfm() uses ima_algo_array in the next loop. Replacing kmalloc_array() with kcalloc() would cause algo to be set to HASH_ALGO_MD4. I could check tfm first, which ensures that also algo was initialized. Roberto > > + ima_sha1_idx = -1; > > + > > + for (i = 0; i < ima_tpm_chip->nr_allocated_banks; i++) { > > + algo = ima_tpm_chip->allocated_banks[i].crypto_id; > > + ima_algo_array[i].algo = algo; > > + > > + /* unknown TPM algorithm */ > > + if (algo == HASH_ALGO__LAST) > > + continue; > > + > > + if (algo == HASH_ALGO_SHA1) > > + ima_sha1_idx = i; > > + > > + if (algo == ima_hash_algo) { > > + ima_algo_array[i].tfm = ima_shash_tfm; > > + continue; > > + } > > + > > + ima_algo_array[i].tfm = ima_alloc_tfm(algo); > > + if (IS_ERR(ima_algo_array[i].tfm)) { > > + if (algo == HASH_ALGO_SHA1) { > > + rc = PTR_ERR(ima_algo_array[i].tfm); > > + ima_algo_array[i].tfm = NULL; > > + goto out_array; > > + } > > + > > + ima_algo_array[i].tfm = NULL; > > + } > > + } > > + > > + if (ima_sha1_idx < 0) { > > + ima_algo_array[i].tfm = ima_alloc_tfm(HASH_ALGO_SHA1); > > + if (IS_ERR(ima_algo_array[i].tfm)) { > > + rc = PTR_ERR(ima_algo_array[i].tfm); > > + goto out_array; > > + } > > + > > + ima_sha1_idx = i; > > + ima_algo_array[i].algo = HASH_ALGO_SHA1; > > + } > > + > > + return 0; > > +out_array: > > + for (i = 0; i < ima_tpm_chip->nr_allocated_banks + 1; i++) { > > + if (!ima_algo_array[i].tfm || > > + ima_algo_array[i].tfm == ima_shash_tfm) > > + continue; > > + > > + crypto_free_shash(ima_algo_array[i].tfm); > > + } > > +out: > > + crypto_free_shash(ima_shash_tfm); > > + return rc; > > +}
