On Fri, 2021-06-25 at 18:56 +0200, Roberto Sassu wrote:
ima_measure_critical_data() allows any caller in the kernel to provide a buffer, so that it is measured by IMA if an appropriate policy is set. Some information that could be useful to the callers is the digest of the buffer included in the new measurement entry, the digest algorithm and whether the buffer was measured.
This patch modifies the definition of ima_measure_critical_data() to include three new parameters: digest, algo and measured. If they are NULL, the function behaves as before and just measures the buffer, if requested with the IMA policy. Otherwise, it also writes the digest, algorithm and whether the buffer is measured to the provided pointers.
If the pointers are not NULL, the digest is calculated even if there is no matching rule in the IMA policy.
As much as possible, let's not define additional ima_measure_critical_data() arguments. Probably the only new variable really needed is "digest". The hash algorithm doesn't change. How about defining and exporting a new function to return the system defined ima_hash_algo? In terms of failure, have ima_measure_critical_data() return errno.
thanks,
Mimi
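To make the two API shapes under discussion concrete, here is a userspace model written for this page; it is not code from the patch or from the IMA subsystem. It follows Mimi's suggested shape: a single "digest" out-parameter, a separate exported accessor for the system-wide hash algorithm, and an errno-style return. The policy table, the measurement log, the FNV-1a stand-in for ima_hash_algo, the model_ prefixed names and the "1 = measured, 0 = no matching rule, -errno = failure" return convention are all assumptions of this example; the real kernel function uses the configured crypto hash and the IMA policy engine.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the kernel's configured hash (ima_hash_algo, e.g. sha256):
 * a 64-bit FNV-1a. Purely a model so the example runs offline. */
#define MODEL_DIGEST_SIZE 8
#define MODEL_HASH_ALGO   "fnv1a-64 (model stand-in)"

static void model_digest(const void *buf, size_t len, uint8_t out[MODEL_DIGEST_SIZE])
{
    uint64_t h = 0xcbf29ce484222325ULL;
    const uint8_t *p = buf;
    for (size_t i = 0; i < len; i++) {
        h ^= p[i];
        h *= 0x100000001b3ULL;
    }
    for (int i = 0; i < MODEL_DIGEST_SIZE; i++)
        out[i] = (uint8_t)(h >> (8 * i));
}

/* Exported accessor, in the spirit of Mimi's suggestion: the algorithm is
 * system-wide and never changes per call, so it need not be an out-param. */
const char *model_ima_hash_algo(void) { return MODEL_HASH_ALGO; }

/* Model policy: only these event labels have a matching "measure" rule. */
static const char *const model_policy_labels[] = { "selinux", "kernel_version" };

static bool model_policy_matches(const char *event_label)
{
    size_t n = sizeof(model_policy_labels) / sizeof(model_policy_labels[0]);
    for (size_t i = 0; i < n; i++)
        if (strcmp(event_label, model_policy_labels[i]) == 0)
            return true;
    return false;
}

/* Model measurement log (the real one is the IMA runtime measurement list). */
#define MODEL_LOG_MAX 16
struct model_entry {
    char label[32];
    char name[32];
    uint8_t digest[MODEL_DIGEST_SIZE];
};
static struct model_entry model_log[MODEL_LOG_MAX];
static size_t model_log_len;

size_t model_log_count(void) { return model_log_len; }

/* Model of ima_measure_critical_data() with a single digest out-param.
 * Returns 1 if a measurement entry was added, 0 if no policy rule matched,
 * -errno on failure. If digest is non-NULL it is filled in even when no
 * rule matches (the behaviour Roberto describes); if it is NULL and no rule
 * matches, nothing is hashed, as before the change. */
int model_measure_critical_data(const char *event_label, const char *event_name,
                                const void *buf, size_t buf_len,
                                uint8_t *digest, size_t digest_len)
{
    uint8_t d[MODEL_DIGEST_SIZE];
    bool matched;

    if (!event_label || !event_name || !buf || buf_len == 0)
        return -EINVAL;
    if (digest && digest_len < MODEL_DIGEST_SIZE)
        return -EINVAL;          /* caller's buffer too small for the algo */

    matched = model_policy_matches(event_label);
    if (!matched && !digest)
        return 0;

    model_digest(buf, buf_len, d);
    if (digest)
        memcpy(digest, d, MODEL_DIGEST_SIZE);
    if (!matched)
        return 0;

    if (model_log_len >= MODEL_LOG_MAX)
        return -ENOSPC;
    struct model_entry *e = &model_log[model_log_len++];
    snprintf(e->label, sizeof e->label, "%s", event_label);
    snprintf(e->name, sizeof e->name, "%s", event_name);
    memcpy(e->digest, d, MODEL_DIGEST_SIZE);
    return 1;
}

int main(void)
{
    /* Constructed sample: a critical-data buffer a caller might pass. */
    const char sample[] = "enforcing=1;checkreqprot=0";
    uint8_t digest[MODEL_DIGEST_SIZE];
    int rc = model_measure_critical_data("selinux", "selinux-state",
                                         sample, sizeof sample - 1,
                                         digest, sizeof digest);
    printf("rc=%d algo=%s entries=%zu\n", rc, model_ima_hash_algo(), model_log_count());
    return rc < 0;
}
```

The caller learns the algorithm from the accessor, whether the buffer was measured from the positive return value, and any failure from the negative errno, so the three extra out-parameters of the original proposal collapse to one.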