ima: add support for measuring and appraising firmware

The "security: introduce kernel_fw_from_file hook" patch defined a
new security hook to evaluate any loaded firmware that wasn't built
into the kernel.

This patch defines ima_fw_from_file(), which is called from the new
security hook, to measure and/or appraise the loaded firmware's
integrity.

Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
diff --git a/security/security.c b/security/security.c
index 35d37d0..e41b1a8 100644
--- a/security/security.c
+++ b/security/security.c
@@ -847,7 +847,12 @@
 
 int security_kernel_fw_from_file(struct file *file, char *buf, size_t size)
 {
-	return security_ops->kernel_fw_from_file(file, buf, size);
+	int ret;
+
+	ret = security_ops->kernel_fw_from_file(file, buf, size);
+	if (ret)
+		return ret;
+	return ima_fw_from_file(file, buf, size);
 }
 EXPORT_SYMBOL_GPL(security_kernel_fw_from_file);
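
Review bot: In security_kernel_fw_from_file(), the early "if (ret) return ret;" skips ima_fw_from_file() whenever the LSM hook returns non-zero, so a firmware load that the LSM rejects is never measured by IMA. If that ordering is intended, a short comment above the ima_fw_from_file() call should say so; if rejected loads should still appear in the measurement list, the IMA call needs to run before the early return. Separately, file is forwarded unchanged and the definition of ima_fw_from_file() is not part of this hunk; since the hook takes both a file and a buffer, confirm that the IMA side handles a call where file is NULL rather than dereferencing it.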