diff options
| author | Eric Biggers <ebiggers@google.com> | 2025-05-13 22:05:46 -0700 |
|---|---|---|
| committer | Fan Wu <wufan@kernel.org> | 2025-07-28 18:54:18 -0700 |
| commit | b90bb6dbf1d60d70969f8f8f2f30033f49711594 (patch) | |
| tree | 0934f9779333d47677dd178e6e26d6ae9f9936cd /security | |
| parent | Linux 6.16 (diff) | |
| download | linux-b90bb6dbf1d60d70969f8f8f2f30033f49711594.tar.gz linux-b90bb6dbf1d60d70969f8f8f2f30033f49711594.zip | |
ipe: use SHA-256 library API instead of crypto_shash API
audit_policy() does not support any other algorithm, so the crypto_shash
abstraction provides no value. Just use the SHA-256 library API
instead, which is much simpler and easier to use.
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Fan Wu <wufan@kernel.org>
Diffstat (limited to 'security')
| -rw-r--r-- | security/ipe/Kconfig | 1 | ||||
| -rw-r--r-- | security/ipe/audit.c | 33 |
2 files changed, 6 insertions, 28 deletions
diff --git a/security/ipe/Kconfig b/security/ipe/Kconfig index 3c75bf267da4..a110a6cd848b 100644 --- a/security/ipe/Kconfig +++ b/security/ipe/Kconfig @@ -6,6 +6,7 @@ menuconfig SECURITY_IPE bool "Integrity Policy Enforcement (IPE)" depends on SECURITY && SECURITYFS && AUDIT && AUDITSYSCALL + select CRYPTO_LIB_SHA256 select PKCS7_MESSAGE_PARSER select SYSTEM_DATA_VERIFICATION select IPE_PROP_DM_VERITY if DM_VERITY diff --git a/security/ipe/audit.c b/security/ipe/audit.c index 9668ecc5acd5..de5fed62592e 100644 --- a/security/ipe/audit.c +++ b/security/ipe/audit.c @@ -6,7 +6,7 @@ #include <linux/slab.h> #include <linux/audit.h> #include <linux/types.h> -#include <crypto/hash.h> +#include <crypto/sha2.h> #include "ipe.h" #include "eval.h" @@ -17,7 +17,7 @@ #define ACTSTR(x) ((x) == IPE_ACTION_ALLOW ? "ALLOW" : "DENY") -#define IPE_AUDIT_HASH_ALG "sha256" +#define IPE_AUDIT_HASH_ALG "sha256" /* keep in sync with audit_policy() */ #define AUDIT_POLICY_LOAD_FMT "policy_name=\"%s\" policy_version=%hu.%hu.%hu "\ "policy_digest=" IPE_AUDIT_HASH_ALG ":" @@ -182,37 +182,14 @@ static void audit_policy(struct audit_buffer *ab, const char *audit_format, const struct ipe_policy *const p) { - SHASH_DESC_ON_STACK(desc, tfm); - struct crypto_shash *tfm; - u8 *digest = NULL; + u8 digest[SHA256_DIGEST_SIZE]; - tfm = crypto_alloc_shash(IPE_AUDIT_HASH_ALG, 0, 0); - if (IS_ERR(tfm)) - return; - - desc->tfm = tfm; - - digest = kzalloc(crypto_shash_digestsize(tfm), GFP_KERNEL); - if (!digest) - goto out; - - if (crypto_shash_init(desc)) - goto out; - - if (crypto_shash_update(desc, p->pkcs7, p->pkcs7len)) - goto out; - - if (crypto_shash_final(desc, digest)) - goto out; + sha256(p->pkcs7, p->pkcs7len, digest); audit_log_format(ab, audit_format, p->parsed->name, p->parsed->version.major, p->parsed->version.minor, p->parsed->version.rev); - audit_log_n_hex(ab, digest, crypto_shash_digestsize(tfm)); - -out: - kfree(digest); - crypto_free_shash(tfm); + audit_log_n_hex(ab, digest, sizeof(digest)); } /** |