Re: [PATCH] IMA: make runtime measurement list pollable

Hi Daiki,

On Tue, 2021-10-05 at 16:44 +0200, Daiki Ueno wrote:
> The IMA runtime measurement list exposed on securityfs is currently
> not pollable, so applications that incrementally verify the
> measurements have to monitor the file periodically.  This patch makes
> it possible to poll the file in a similar fashion to the sysfs files,
> i.e., POLLPRI will be signalled on any changes to the list.
> 
> Signed-off-by: Daiki Ueno <dueno@xxxxxxxxxx>

With the sample code in the poll man page and without this patch, the
ascii measurement list is pollable.  I must be missing something.

> ---
> diff --git a/security/integrity/ima/ima_queue.c b/security/integrity/ima/ima_queue.c
> index 532da87ce519..375325dfe449 100644
> --- a/security/integrity/ima/ima_queue.c
> +++ b/security/integrity/ima/ima_queue.c
> @@ -38,6 +38,9 @@ struct ima_h_table ima_htable = {
>  	.queue[0 ... IMA_MEASURE_HTABLE_SIZE - 1] = HLIST_HEAD_INIT
>  };
>  
> +/* wait queue for polling changes in ima_htable */
> +DECLARE_WAIT_QUEUE_HEAD(ima_htable_wait);
> +
>  /* mutex protects atomicity of extending measurement list
>   * and extending the TPM PCR aggregate. Since tpm_extend can take
>   * long (and the tpm driver uses a mutex), we can't use the spinlock.
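Review bot: `DECLARE_WAIT_QUEUE_HEAD(ima_htable_wait)` gives the wait queue external linkage in ima_queue.c, yet the patch touches only that file: there is no `extern` declaration for it in ima.h and no hunk in ima_fs.c adding a `.poll` file operation that calls `poll_wait()` on it, so as posted nothing ever sleeps on this queue and the POLLPRI behaviour the description promises cannot be seen in the change. Either the ima_fs.c side is missing from the submission, or, if the queue really is only used here, it should be `static`.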
> @@ -119,6 +122,9 @@ static int ima_add_digest_entry(struct ima_template_entry *entry,
>  		binary_runtime_size = (binary_runtime_size < ULONG_MAX - size) ?
>  		     binary_runtime_size + size : ULONG_MAX;
>  	}
> +
> +	wake_up_interruptible(&ima_htable_wait);
> +
>  	return 0;
>  }
>  
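Review bot: the `wake_up_interruptible(&ima_htable_wait)` sits inside `ima_add_digest_entry()`, right after the entry is linked into the hash table and `binary_runtime_size` is updated, which is before the caller has extended the TPM PCR; a poller woken here can read the new entry while the PCR aggregate does not yet cover it, and every caller of this helper, including the path that restores the list after kexec, raises POLLPRI. Moving the wake-up into the caller, after the PCR extend succeeds, addresses both points and lets the restore path skip the notification.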

The call to wake_up_interruptible() probably should not be here, but in
the caller after the TPM is extended. With that change, you would be
able to differentiate between restoring the measurement list after
kexec and regular additional measurements.

thanks,

Mimi
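The userspace side of what the patch description promises (sleep until POLLPRI, then read only the entries appended since the last read), as an added example that is not part of the patch or this thread. The securityfs path, the three-column line layout the parser relies on and every sample line are assumptions or constructed filler; the demo helper exercises the logic on a temporary file rather than on securityfs.

```c
/*
 * Added example, not code from the patch, the thread or the kernel: a userspace
 * consumer of IMA's ascii_runtime_measurements that waits for the POLLPRI the
 * patch proposes, then reads only the entries appended since its last read.
 * The securityfs path is an assumption; the demo helper uses a temp file.
 */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <poll.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define IMA_ASCII_LIST "/sys/kernel/security/ima/ascii_runtime_measurements"

/* First three columns of a list line: "<pcr> <template-hash> <template-name> ..." */
struct ima_entry {
	int pcr;
	char template_hash[129];
	char template_name[32];
};

/* Parse one complete line; 1 on success, 0 if malformed. */
static int parse_ima_line(const char *line, struct ima_entry *e)
{
	return sscanf(line, "%d %128s %31s",
		      &e->pcr, e->template_hash, e->template_name) == 3;
}

/* Parse every complete line after *offset (via pread, so the descriptor's own
 * position is untouched) and advance *offset past them; a trailing partial
 * line is left for the next call.  Returns entries parsed, or -1 on error. */
static int read_new_entries(int fd, off_t *offset, struct ima_entry *out, size_t max)
{
	char buf[8192], *p = buf, *nl;
	size_t n = 0;
	ssize_t got = pread(fd, buf, sizeof(buf) - 1, *offset);

	if (got < 0)
		return -1;
	buf[got] = '\0';
	while (n < max && (nl = strchr(p, '\n')) != NULL) {
		*nl = '\0';
		if (parse_ima_line(p, &out[n]))
			n++;			/* malformed but complete lines are skipped */
		*offset += (nl - p) + 1;	/* consume only complete lines */
		p = nl + 1;
	}
	return (int)n;
}

/* Wait for the POLLPRI the patch raises on each new measurement, or for the
 * timeout: 1 = list changed, 0 = timeout, -1 = error.  A plain file never
 * reports POLLPRI, which the demo helper relies on. */
static int wait_for_list_change(int fd, int timeout_ms)
{
	struct pollfd pfd = { .fd = fd, .events = POLLPRI, .revents = 0 };
	int rc = poll(&pfd, 1, timeout_ms);

	if (rc < 0)
		return -1;
	return (rc > 0 && (pfd.revents & POLLPRI)) ? 1 : 0;
}

/* Offline demonstration on a temp file with constructed lines (filler digests,
 * not real measurements): two lines, a partial third, then its newline; each
 * read must return exactly the newly completed entries.  1 = ok, -1 = mismatch. */
static int demo_incremental_read(void)
{
	char path[] = "/tmp/ima-list-XXXXXX";
	struct ima_entry e[4];
	off_t offset = 0;
	int fd = mkstemp(path), first, partial, second, waited;

	if (fd < 0)
		return -1;
	dprintf(fd, "10 %040d ima-ng sha256:%064d boot_aggregate\n", 0, 0);
	dprintf(fd, "10 %040d ima-ng sha256:%064d /init\n", 1, 1);
	first = read_new_entries(fd, &offset, e, 4);		/* 2 */
	dprintf(fd, "10 %040d ima-ng sha256:%064d /bin/sh", 2, 2);
	partial = read_new_entries(fd, &offset, e, 4);		/* 0: no newline yet */
	dprintf(fd, "\n");
	second = read_new_entries(fd, &offset, e, 4);		/* 1 */
	waited = wait_for_list_change(fd, 0);			/* 0 on a plain file */
	close(fd);
	unlink(path);
	if (first != 2 || partial != 0 || second != 1 || waited != 0)
		return -1;
	return (e[0].pcr == 10 && !strcmp(e[0].template_name, "ima-ng")) ? 1 : -1;
}

/* Stand-alone use against the real list: print new entries as they arrive. */
int main(void)
{
	struct ima_entry e[64];
	off_t offset = 0;
	int fd = open(IMA_ASCII_LIST, O_RDONLY), n;

	if (fd < 0) {
		perror(IMA_ASCII_LIST);
		return 1;
	}
	do {
		n = read_new_entries(fd, &offset, e, 64);
		for (int i = 0; i < n; i++)
			printf("pcr=%d %s %s\n", e[i].pcr, e[i].template_name, e[i].template_hash);
	} while (wait_for_list_change(fd, -1) == 1);
	close(fd);
	return 0;
}
```

Reading from a saved offset with pread() assumes the list can be read positionally, which is how the example avoids re-reading entries it has already verified; a consumer that instead re-reads the whole file on every wake-up would be correct but scales with list length. Leaving a partial trailing line unconsumed matters because a wake-up can arrive while an entry is still being produced.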



