diff --git a/backport-Adapter-test-cases.patch b/backport-Adapter-test-cases.patch new file mode 100644 index 0000000000000000000000000000000000000000..eb272774b63627c15ddebb6ee88549fd9aa2537c --- /dev/null +++ b/backport-Adapter-test-cases.patch @@ -0,0 +1,91 @@ +From 7bf8c057c27c72367bafb13c4a7e69883b6a7e29 Mon Sep 17 00:00:00 2001 +From: Huaxin Lu +Date: Mon, 29 Apr 2024 23:45:39 +0800 +Subject: [PATCH 08/28] Adapter test cases + +--- + test/test_interface/test_dim_core_modparam.sh | 13 ++----------- + test/test_interface/test_dim_monitor_modparam.sh | 5 ++--- + 2 files changed, 4 insertions(+), 14 deletions(-) + +diff --git a/test/test_interface/test_dim_core_modparam.sh b/test/test_interface/test_dim_core_modparam.sh +index 67cd815..d51fc36 100644 +--- a/test/test_interface/test_dim_core_modparam.sh ++++ b/test/test_interface/test_dim_core_modparam.sh +@@ -26,7 +26,6 @@ check_invalid_module_param() + test_module_param_measure_hash() + { + check_valid_module_param measure_hash=sha256 +- check_valid_module_param measure_hash=sm3 + check_invalid_module_param measure_hash=md5 + check_invalid_module_param measure_hash=abc + } +@@ -37,7 +36,7 @@ test_module_param_measure_pcr() + check_valid_module_param measure_pcr=1 + check_valid_module_param measure_pcr=11 + check_valid_module_param measure_pcr=127 +- check_invalid_module_param measure_pcr=128 ++ check_valid_module_param measure_pcr=128 + check_invalid_module_param measure_pcr=-1 + check_invalid_module_param measure_pcr=abc + } +@@ -66,13 +65,6 @@ test_module_param_measure_interval() + dim_restore_baseline_and_policy + } + +-test_module_param_measure_action() +-{ +- check_valid_module_param measure_action=0 +- check_valid_module_param measure_action=1 +- check_invalid_module_param measure_action=abc +-} +- + test_module_param_signature() + { + check_valid_module_param signature=0 +@@ -96,7 +88,6 @@ case_list=" + test_module_param_measure_pcr \ + test_module_param_measure_schedule \ + test_module_param_measure_interval \ +- test_module_param_measure_action \ + test_module_param_signature \ + test_module_param_measure_log_capacity \ + " +@@ -113,4 +104,4 @@ for case in $case_list; do + fi + done + +-echo "===== End testing dim_core module parameters =====" +\ No newline at end of file ++echo "===== End testing dim_core module parameters =====" +diff --git a/test/test_interface/test_dim_monitor_modparam.sh b/test/test_interface/test_dim_monitor_modparam.sh +index 1aaedf1..5ee5e17 100644 +--- a/test/test_interface/test_dim_monitor_modparam.sh ++++ b/test/test_interface/test_dim_monitor_modparam.sh +@@ -30,7 +30,6 @@ check_invalid_module_param() + test_module_param_measure_hash() + { + check_valid_module_param measure_hash=sha256 +- check_valid_module_param measure_hash=sm3 + check_invalid_module_param measure_hash=md5 + check_invalid_module_param measure_hash=abc + } +@@ -41,7 +40,7 @@ test_module_param_measure_pcr() + check_valid_module_param measure_pcr=1 + check_valid_module_param measure_pcr=11 + check_valid_module_param measure_pcr=127 +- check_invalid_module_param measure_pcr=128 ++ check_valid_module_param measure_pcr=128 + check_invalid_module_param measure_pcr=-1 + check_invalid_module_param measure_pcr=abc + } +@@ -76,4 +75,4 @@ for case in $case_list; do + fi + done + +-echo "===== End testing dim_monitor module parameters =====" +\ No newline at end of file ++echo "===== End testing dim_monitor module parameters =====" +-- +2.33.0 + diff --git a/backport-Add-sm3-compile-macro-and-set-the-algo-name.patch b/backport-Add-sm3-compile-macro-and-set-the-algo-name.patch new file mode 100644 index 0000000000000000000000000000000000000000..b7841064fa75b9052e88270af533694cb05003c1 --- /dev/null +++ b/backport-Add-sm3-compile-macro-and-set-the-algo-name.patch @@ -0,0 +1,41 @@ +From db470817655f80d63592c6550bdaca875dd42120 Mon Sep 17 00:00:00 2001 +From: Huaxin Lu +Date: Mon, 29 Apr 2024 23:10:50 +0800 +Subject: [PATCH 05/28] Add sm3 compile macro and set the algo name + +--- + src/common/dim_hash.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/src/common/dim_hash.c b/src/common/dim_hash.c +index 9f73320..3f6ecb7 100644 +--- a/src/common/dim_hash.c ++++ b/src/common/dim_hash.c +@@ -9,7 +9,9 @@ + + static const char *allow_hash[] = { + "sha256", ++#ifdef DIM_HASH_SUPPORT_SM3 + "sm3", ++#endif + }; + + int dim_hash_init(const char *algo_name, struct dim_hash *hash) +@@ -30,6 +32,7 @@ int dim_hash_init(const char *algo_name, struct dim_hash *hash) + hash->tfm = NULL; + } + ++ hash->name = algo_name; + return ret; + } + +@@ -63,4 +66,4 @@ int dim_hash_calculate(const void *data, unsigned int len, + return ret; + + return crypto_shash_final(shash, digest->data); +-} +\ No newline at end of file ++} +-- +2.33.0 + diff --git a/backport-Change-the-permissions-of-the-dim-directory-to-500.patch b/backport-Change-the-permissions-of-the-dim-directory-to-500.patch new file mode 100644 index 0000000000000000000000000000000000000000..3d4441d595771b7c6a037e690aa4c6f88665b1be --- /dev/null +++ b/backport-Change-the-permissions-of-the-dim-directory-to-500.patch @@ -0,0 +1,25 @@ +From 09d308cc79011c1d83fb9ffe7741c7b023f07cbe Mon Sep 17 00:00:00 2001 +From: jinlun +Date: Tue, 18 Jun 2024 09:28:08 +0800 +Subject: [PATCH 10/14] Change the permissions of the dim directory to 500 + +--- + src/common/dim_entry.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/common/dim_entry.h b/src/common/dim_entry.h +index 1c557b8..bb023b6 100644 +--- a/src/common/dim_entry.h ++++ b/src/common/dim_entry.h +@@ -11,7 +11,7 @@ + + #include "dim_measure_log.h" + +-#define DIM_ENTRY_DIR_MASK (S_IFDIR | S_IRWXU | S_IRUSR) ++#define DIM_ENTRY_DIR_MASK (S_IFDIR | S_IXUSR | S_IRUSR) + #define DIM_ENTRY_RW_MASK (S_IWUSR | S_IRUSR) + #define DIM_ENTRY_W_MASK (S_IWUSR) + #define DIM_ENTRY_R_MASK (S_IRUSR) +-- +2.33.0 + diff --git a/backport-Fix-NULL-pointer-reference-when-kill-child-processes.patch b/backport-Fix-NULL-pointer-reference-when-kill-child-processes.patch new file mode 100644 index 0000000000000000000000000000000000000000..89385b8a30b1d8312cb36b4c16eb7efa84a658f3 --- /dev/null +++ b/backport-Fix-NULL-pointer-reference-when-kill-child-processes.patch @@ -0,0 +1,27 @@ +From a8ce34c0c661683fe33ef79be2b5b6819d4adfde Mon Sep 17 00:00:00 2001 +From: jinlun +Date: Mon, 17 Jun 2024 14:54:40 +0800 +Subject: [PATCH 02/14] Fix NULL pointer reference when kill child processes + +--- + .../tasks/dim_core_measure_process/dim_core_measure_process.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/core/tasks/dim_core_measure_process/dim_core_measure_process.c b/src/core/tasks/dim_core_measure_process/dim_core_measure_process.c +index e5e262a..c1efa02 100644 +--- a/src/core/tasks/dim_core_measure_process/dim_core_measure_process.c ++++ b/src/core/tasks/dim_core_measure_process/dim_core_measure_process.c +@@ -89,8 +89,8 @@ static int kill_task_tree(struct task_struct *tsk) + return -ENOMEM; + + dim_core_kernel_symbol.walk_process_tree(tsk, store_task_tree, &ctx); +- if (ctx.len != 0) { +- for (i = ctx.len; i >= 0; i--) { ++ if (ctx.len > 0) { ++ for (i = ctx.len - 1; i >= 0; i--) { + send_sig(SIGKILL, ctx.buf[i], 1); + put_task_struct(ctx.buf[i]); + } +-- +2.33.0 + diff --git a/backport-Fix-calculating-ELF-memory-address.patch b/backport-Fix-calculating-ELF-memory-address.patch new file mode 100644 index 0000000000000000000000000000000000000000..dc822a93f339fddf9f282aa37d8e3cba200cd589 --- /dev/null +++ b/backport-Fix-calculating-ELF-memory-address.patch @@ -0,0 +1,39 @@ +From 6c1a35ac10351a2b2d4d66899f5848c1201ca6fc Mon Sep 17 00:00:00 2001 +From: Huaxin Lu +Date: Mon, 29 Apr 2024 21:55:45 +0800 +Subject: [PATCH 01/28] Fix calculating ELF memory address + +--- + .../dim_core_measure_process_elf.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/src/core/tasks/dim_core_measure_process/dim_core_measure_process_elf.c b/src/core/tasks/dim_core_measure_process/dim_core_measure_process_elf.c +index 3821c7f..76d1560 100644 +--- a/src/core/tasks/dim_core_measure_process/dim_core_measure_process_elf.c ++++ b/src/core/tasks/dim_core_measure_process/dim_core_measure_process_elf.c +@@ -266,6 +266,7 @@ static int measure_elf_text(struct vm_area_struct *vma, + int ret = 0; + unsigned int i = 0; + unsigned long addr = 0; ++ unsigned long base = 0; + struct elf_phdr *phdr = NULL; + struct dim_digest digest = { + .algo = ctx->m->hash.algo, +@@ -276,10 +277,12 @@ static int measure_elf_text(struct vm_area_struct *vma, + ret = crypto_shash_init(shash); + if (ret < 0) + return ret; +- ++ ++ base = vma->vm_start - phdrs_text[0].p_vaddr; ++ + for (; i < phdrs_text_num; i++) { + phdr = &phdrs_text[i]; +- addr = vma->vm_start + phdr->p_vaddr - vma->vm_pgoff * PAGE_SIZE; ++ addr = base + phdr->p_vaddr; + ret = dim_vm_hash_update_address(vma->vm_mm, addr, + phdr->p_memsz, shash); + if (ret < 0) +-- +2.33.0 + diff --git a/backport-Fix-calculating-ELF-trampoline-address.patch b/backport-Fix-calculating-ELF-trampoline-address.patch new file mode 100644 index 0000000000000000000000000000000000000000..acb6ede679fac1fa24dbd33b5827343cbe9003c8 --- /dev/null +++ b/backport-Fix-calculating-ELF-trampoline-address.patch @@ -0,0 +1,79 @@ +From 89d0f0762a2241b518e55b45337c1874f74e2520 Mon Sep 17 00:00:00 2001 +From: jinlun +Date: Mon, 17 Jun 2024 14:51:46 +0800 +Subject: [PATCH 01/14] Fix calculating ELF trampoline address + +--- + .../dim_core_measure_process_elf.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +diff --git a/src/core/tasks/dim_core_measure_process/dim_core_measure_process_elf.c b/src/core/tasks/dim_core_measure_process/dim_core_measure_process_elf.c +index 76d1560..12040e2 100644 +--- a/src/core/tasks/dim_core_measure_process/dim_core_measure_process_elf.c ++++ b/src/core/tasks/dim_core_measure_process/dim_core_measure_process_elf.c +@@ -233,6 +233,7 @@ static int get_elf_measure_area(struct file *elf_file, + } + + static int measure_elf_trampoline(struct vm_area_struct *vma, ++ unsigned long base, + struct elf_shdr *shdr_trampoline, + struct task_measure_ctx *ctx) + { +@@ -243,7 +244,7 @@ static int measure_elf_trampoline(struct vm_area_struct *vma, + .algo = ctx->m->hash.algo, + }; + +- addr_trampoline = vma->vm_start + shdr_trampoline->sh_addr; ++ addr_trampoline = base + shdr_trampoline->sh_addr; + vma_trampoline = find_vma(vma->vm_mm, addr_trampoline); + if (vma_trampoline == NULL || !vma_is_text(vma_trampoline) || + vma_trampoline->vm_start != addr_trampoline) +@@ -259,6 +260,7 @@ static int measure_elf_trampoline(struct vm_area_struct *vma, + } + + static int measure_elf_text(struct vm_area_struct *vma, ++ unsigned long base, + struct elf_phdr *phdrs_text, + unsigned int phdrs_text_num, + struct task_measure_ctx *ctx) +@@ -266,7 +268,6 @@ static int measure_elf_text(struct vm_area_struct *vma, + int ret = 0; + unsigned int i = 0; + unsigned long addr = 0; +- unsigned long base = 0; + struct elf_phdr *phdr = NULL; + struct dim_digest digest = { + .algo = ctx->m->hash.algo, +@@ -278,8 +279,6 @@ static int measure_elf_text(struct vm_area_struct *vma, + if (ret < 0) + return ret; + +- base = vma->vm_start - phdrs_text[0].p_vaddr; +- + for (; i < phdrs_text_num; i++) { + phdr = &phdrs_text[i]; + addr = base + phdr->p_vaddr; +@@ -322,7 +321,10 @@ int measure_process_module_text_elf(struct vm_area_struct *vma, + return ret; + } + +- ret = measure_elf_text(vma, phdrs_text, phdrs_text_num, ctx); ++ /* the vma is the first file-mapping text segment */ ++ base = vma->vm_start - phdrs_text[0].p_vaddr; ++ ++ ret = measure_elf_text(vma, base, phdrs_text, phdrs_text_num, ctx); + dim_kfree(phdrs_text); + if (ret < 0) { + dim_err("failed to measure elf text: %d\n", ret); +@@ -330,7 +332,7 @@ int measure_process_module_text_elf(struct vm_area_struct *vma, + } + + if (shdr_trampoline_find) { +- ret = measure_elf_trampoline(vma, &shdr_trampoline, ctx); ++ ret = measure_elf_trampoline(vma, base, &shdr_trampoline, ctx); + if (ret < 0) { + dim_err("failed to measure elf trampoline: %d\n", ret); + return ret; +-- +2.33.0 + diff --git a/backport-Fix-print-errors.patch b/backport-Fix-print-errors.patch new file mode 100644 index 0000000000000000000000000000000000000000..63f396f7d38d0718f130d3b5daec3f3c39a2347c --- /dev/null +++ b/backport-Fix-print-errors.patch @@ -0,0 +1,25 @@ +From 64e205655a1b8c885a1419116f1ddc724f07f844 Mon Sep 17 00:00:00 2001 +From: jinlun +Date: Tue, 18 Jun 2024 09:34:57 +0800 +Subject: [PATCH 12/14] Fix print errors + +--- + src/core/policy/dim_core_policy.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/core/policy/dim_core_policy.c b/src/core/policy/dim_core_policy.c +index da734d3..adcdabe 100644 +--- a/src/core/policy/dim_core_policy.c ++++ b/src/core/policy/dim_core_policy.c +@@ -132,7 +132,7 @@ static int policy_check_add_module_text(struct dim_policy *policy) + } + + if (policy->path != NULL) +- dim_warn("path is ignored for BPRM_TEXT policy\n"); ++ dim_warn("path is ignored for MODULE_TEXT policy\n"); + + if (policy->action != DIM_POLICY_ACTION_LOG) + dim_warn("action is ignored for MODULE_TEXT policy\n"); +-- +2.33.0 + diff --git a/backport-Fix-the-issue-that-the-memory-allocation-is-too-larg.patch b/backport-Fix-the-issue-that-the-memory-allocation-is-too-larg.patch new file mode 100644 index 0000000000000000000000000000000000000000..95baa86a026c8e3e64b5fe8ee197421212f7fa8c --- /dev/null +++ b/backport-Fix-the-issue-that-the-memory-allocation-is-too-larg.patch @@ -0,0 +1,37 @@ +From ebcef654f8825e1db58a2d9bc62727ab9d4728a0 Mon Sep 17 00:00:00 2001 +From: jinlun +Date: Mon, 17 Jun 2024 20:33:05 +0800 +Subject: [PATCH 08/14] Fix the issue that the memory allocation is too large. + +--- + src/common/dim_utils.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/src/common/dim_utils.c b/src/common/dim_utils.c +index 598e824..57ea3e9 100644 +--- a/src/common/dim_utils.c ++++ b/src/common/dim_utils.c +@@ -9,6 +9,8 @@ + #include "dim_safe_func.h" + #include "dim_utils.h" + ++#define DIM_MAX_LINE_BUF (8 * 1024) ++ + int dim_get_absolute_path(const char *path, const char **result) + { + int ret = 0; +@@ -83,6 +85,11 @@ int dim_parse_line_buf(char *buf, loff_t len, int (*line_parser)(char *, int, vo + line = &buf[i + 1]; + } else { + line_len = buf + i - line + 1; ++ if (line_len + 1 > DIM_MAX_LINE_BUF) { ++ dim_err("failed to alloc memory for line buff\n"); ++ return -ENOMEM; ++ } ++ + line_buf = dim_kzalloc_gfp(line_len + 1); + if (line_buf == NULL) + return -ENOMEM; +-- +2.33.0 + diff --git a/backport-Fix-the-type-of-pcr.patch b/backport-Fix-the-type-of-pcr.patch new file mode 100644 index 0000000000000000000000000000000000000000..1324b750652e0434aae3a54507c6fbe0bac6f493 --- /dev/null +++ b/backport-Fix-the-type-of-pcr.patch @@ -0,0 +1,51 @@ +From 3fe99160401896477f5a7c2747c9aceb15170fce Mon Sep 17 00:00:00 2001 +From: Huaxin Lu +Date: Mon, 29 Apr 2024 23:45:00 +0800 +Subject: [PATCH 07/28] Fix the type of pcr + +--- + src/common/dim_measure_log.c | 4 ++-- + src/common/dim_measure_log.h | 4 ++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/src/common/dim_measure_log.c b/src/common/dim_measure_log.c +index b84e635..4b3bd34 100644 +--- a/src/common/dim_measure_log.c ++++ b/src/common/dim_measure_log.c +@@ -272,9 +272,9 @@ int dim_measure_log_init_tree(struct dim_measure_log_tree *root, + struct dim_hash *hash, + struct dim_tpm *tpm, + unsigned int cap, +- char pcr) ++ unsigned int pcr) + { +- if (root == NULL || hash == NULL || pcr < 0) ++ if (root == NULL || hash == NULL) + return -EINVAL; + + rwlock_init(&root->lock); +diff --git a/src/common/dim_measure_log.h b/src/common/dim_measure_log.h +index 6ea2361..fcf53aa 100644 +--- a/src/common/dim_measure_log.h ++++ b/src/common/dim_measure_log.h +@@ -37,7 +37,7 @@ struct dim_measure_log_tree { + struct list_head list_root; /* list root for printing logs in order */ + struct dim_hash *hash; /* algorithm for calculating log hash */ + struct dim_tpm *tpm; +- char pcr; ++ unsigned int pcr; + rwlock_t lock; + unsigned int count; /* number of log */ + unsigned int cap; /* capacity of log */ +@@ -93,7 +93,7 @@ static inline bool is_same_dim_measure_log(struct dim_measure_log *x, + + int dim_measure_log_init_tree(struct dim_measure_log_tree *root, + struct dim_hash *hash, struct dim_tpm *tpm, +- unsigned int cap, char pcr); ++ unsigned int cap, unsigned int pcr); + void dim_measure_log_destroy_tree(struct dim_measure_log_tree *root); + int dim_measure_log_add(struct dim_measure_log_tree *root, + const char *name_str, +-- +2.33.0 + diff --git a/backport-Maximun-number-of-line-in-a-modification-policy.patch b/backport-Maximun-number-of-line-in-a-modification-policy.patch new file mode 100644 index 0000000000000000000000000000000000000000..4f9453c70e145e0dcb926f76a90127bc1e9cfaf3 --- /dev/null +++ b/backport-Maximun-number-of-line-in-a-modification-policy.patch @@ -0,0 +1,55 @@ +From f96c809dc83d8d0f44e586ccc4441e80dfe135f4 Mon Sep 17 00:00:00 2001 +From: jinlun +Date: Mon, 17 Jun 2024 19:59:15 +0800 +Subject: [PATCH 05/14] Maximun number of line in a modification policy + +--- + src/core/policy/dim_core_policy.h | 2 +- + src/core/policy/dim_core_policy_complex.c | 6 +++--- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/src/core/policy/dim_core_policy.h b/src/core/policy/dim_core_policy.h +index 7f2c756..3b38d13 100644 +--- a/src/core/policy/dim_core_policy.h ++++ b/src/core/policy/dim_core_policy.h +@@ -10,7 +10,7 @@ + /* the policy filepath */ + #define DIM_POLICY_PATH "/etc/dim/policy" + /* max number of lines for parsing */ +-#define DIM_POLICY_LINE_MAX 10000 ++#define DIM_POLICY_LINE_MAX 100000 + + /* measurement object of policy */ + enum dim_policy_obj { +diff --git a/src/core/policy/dim_core_policy_complex.c b/src/core/policy/dim_core_policy_complex.c +index 8c02227..cba2dd7 100644 +--- a/src/core/policy/dim_core_policy_complex.c ++++ b/src/core/policy/dim_core_policy_complex.c +@@ -165,7 +165,7 @@ static int policy_parse_line(char* line, int line_no, void *data) + ret = parse_line(line, policy); + if (ret < 0) { + policy_destroy(policy); +- dim_err("fail to parse policy at line %d: %d\n", line_no, ret); ++ dim_err("failed to parse policy at line %d: %d\n", line_no, ret); + return ret; + } + +@@ -174,7 +174,7 @@ static int policy_parse_line(char* line, int line_no, void *data) + policy_destroy(policy); + /* ignore the repeat add */ + if (ret != -EEXIST) +- dim_err("fail to add policy at line %d: %d\n", line_no, ret); ++ dim_err("failed to add policy at line %d: %d\n", line_no, ret); + return ret == -EEXIST ? 0 : ret; + } + +@@ -188,4 +188,4 @@ int policy_parse_complex_format(char *buf, size_t buf_len, + return -EINVAL; + + return dim_parse_line_buf(buf, buf_len, policy_parse_line, policy_add); +-} +\ No newline at end of file ++} +-- +2.33.0 + diff --git a/backport-Optimize-task-kill-and-log-the-static-baseline-when-.patch b/backport-Optimize-task-kill-and-log-the-static-baseline-when-.patch new file mode 100644 index 0000000000000000000000000000000000000000..022fc94865dd19bb0b19a021bc5dde4b7d502e52 --- /dev/null +++ b/backport-Optimize-task-kill-and-log-the-static-baseline-when-.patch @@ -0,0 +1,110 @@ +From 8b7fea1bbb1796e710b9dea928de7e6e1715022f Mon Sep 17 00:00:00 2001 +From: jinlun +Date: Mon, 17 Jun 2024 20:22:45 +0800 +Subject: [PATCH 06/14] Optimize task kill and log the static baseline when + tampered + +--- + .../dim_core_measure_process.c | 56 ++++--------------- + 1 file changed, 12 insertions(+), 44 deletions(-) + +diff --git a/src/core/tasks/dim_core_measure_process/dim_core_measure_process.c b/src/core/tasks/dim_core_measure_process/dim_core_measure_process.c +index c1efa02..2ea1980 100644 +--- a/src/core/tasks/dim_core_measure_process/dim_core_measure_process.c ++++ b/src/core/tasks/dim_core_measure_process/dim_core_measure_process.c +@@ -21,16 +21,6 @@ + #include "dim_core_measure_task.h" + #include "dim_core_measure_process.h" + +-/* max number of tasks to kill */ +-#define DIM_KILL_TASKS_MAX (1024) +- +-struct task_kill_ctx { +- struct task_struct **buf; +- int len; +- int size; +- int ret; +-}; +- + static struct vm_area_struct *next_module_text_vma(struct vm_area_struct *vma) + { + struct vm_area_struct *v = NULL; +@@ -48,55 +38,33 @@ static struct vm_area_struct *next_module_text_vma(struct vm_area_struct *vma) + return v; + } + +-static int store_task_tree(struct task_struct *p, void *data) ++static int kill_task(struct task_struct *p, void * __always_unused data) + { +- unsigned int new_size = 0; +- struct task_struct **tmp = NULL; +- struct task_kill_ctx *ctx = (struct task_kill_ctx *)data; +- +- if (ctx->len == ctx->size) { +- if (ctx->size >= DIM_KILL_TASKS_MAX) +- return -ERANGE; +- +- /* realloc to size * 2 */ +- new_size = ctx->size << 1; +- tmp = dim_krealloc_atom(ctx->buf, +- new_size * sizeof(struct task_struct *)); +- if (tmp == NULL) +- return -ENOMEM; +- +- ctx->buf = tmp; ++ if (p == current) { ++ /* dont kill the current process */ ++ dim_warn("don't kill the current process\n"); ++ return 0; + } + +- ctx->buf[ctx->len++] = get_task_struct(p); ++ send_sig(SIGKILL, p, 1); + return 1; + } + + static int kill_task_tree(struct task_struct *tsk) + { +- int i = 0; +- const int def_size = 32; +- struct task_kill_ctx ctx = { .size = def_size }; +- + if (tsk->pid == 1) { + /* dont kill the init process */ + dim_warn("the pid of tampered task is 1, don't kill it\n"); + return 0; + } + +- ctx.buf = dim_kzalloc_gfp(def_size * sizeof(struct task_struct *)); +- if (ctx.buf == NULL) +- return -ENOMEM; +- +- dim_core_kernel_symbol.walk_process_tree(tsk, store_task_tree, &ctx); +- if (ctx.len > 0) { +- for (i = ctx.len - 1; i >= 0; i--) { +- send_sig(SIGKILL, ctx.buf[i], 1); +- put_task_struct(ctx.buf[i]); +- } ++ if (tsk == current) { ++ /* dont kill the current process */ ++ dim_warn("don't kill the current process\n"); ++ return 0; + } + +- dim_kfree(ctx.buf); ++ dim_core_kernel_symbol.walk_process_tree(tsk, kill_task, NULL); + send_sig(SIGKILL, tsk, 1); + return 0; + } +@@ -140,7 +108,7 @@ static int check_process_digest(struct dim_digest *digest, + return ret; + } + +- if (log_flag != LOG_TAMPERED || ++ if (log_flag != LOG_TAMPERED || ctx->mode != DIM_MEASURE || + dim_core_measure_action_get() == DIM_MEASURE_ACTION_DISABLE) + return 0; + +-- +2.33.0 + diff --git a/backport-Remove-unused-symbol-in-dim_core.patch b/backport-Remove-unused-symbol-in-dim_core.patch new file mode 100644 index 0000000000000000000000000000000000000000..9b89088bcfb295f381a71857cef8cb491e3e3860 --- /dev/null +++ b/backport-Remove-unused-symbol-in-dim_core.patch @@ -0,0 +1,40 @@ +From 79ad6482e5156c864973ca9e9f7f1a0e68290aa8 Mon Sep 17 00:00:00 2001 +From: Huaxin Lu +Date: Tue, 30 Apr 2024 00:42:43 +0800 +Subject: [PATCH 09/28] Remove unused symbol in dim_core + +--- + src/core/dim_core_symbol.c | 14 +++----------- + 1 file changed, 3 insertions(+), 11 deletions(-) + +diff --git a/src/core/dim_core_symbol.c b/src/core/dim_core_symbol.c +index eeb9240..38c9f02 100644 +--- a/src/core/dim_core_symbol.c ++++ b/src/core/dim_core_symbol.c +@@ -45,20 +45,12 @@ int dim_core_kallsyms_init(void) + k->find_get_task_by_vpid = (DIM_FIND_GET_TASK_BY_VPID) + dim_kallsyms_lookup_name("find_get_task_by_vpid"); + #endif +-#ifndef JUMP_LABEL_NOP_SIZE +- k->arch_jump_entry_size = (DIM_ARCH_JUMP_ENTRY_SIZE) +- dim_kallsyms_lookup_name("arch_jump_entry_size"); +-#endif + + return (k->stext == NULL || k->etext == NULL || +-#ifndef JUMP_LABEL_NOP_SIZE +- k->arch_jump_entry_size == NULL || +-#endif + #if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 4, 0) + k->find_module == NULL || k->find_get_task_by_vpid == NULL || + #endif +- k->start_jump_table == NULL || k->stop_jump_table == NULL || +- k->jump_label_lock == NULL || k->jump_label_lock == NULL || +- k->walk_process_tree == NULL) ? -ENOENT : 0; ++ k->start_jump_table == NULL || k->stop_jump_table == NULL || ++ k->jump_label_lock == NULL || k->jump_label_lock == NULL || ++ k->walk_process_tree == NULL) ? -ENOENT : 0; + } +- +-- +2.33.0 + diff --git a/backport-Try-to-add-the-absolute-path-of-process-in-static-ba.patch b/backport-Try-to-add-the-absolute-path-of-process-in-static-ba.patch new file mode 100644 index 0000000000000000000000000000000000000000..4106533aadf321a9984e8bda54a7308e4e340b35 --- /dev/null +++ b/backport-Try-to-add-the-absolute-path-of-process-in-static-ba.patch @@ -0,0 +1,43 @@ +From 3c7a97428e8605ddcd12f7928f590d6f89d664f8 Mon Sep 17 00:00:00 2001 +From: Huaxin Lu +Date: Sun, 5 May 2024 11:43:10 +0800 +Subject: [PATCH 06/28] Try to add the absolute path of process in static + baseline + +Signed-off-by: Huaxin Lu +--- + .../static_baseline/dim_core_static_baseline.c | 18 +++++++++++++++++- + 1 file changed, 17 insertions(+), 1 deletion(-) + +diff --git a/src/core/static_baseline/dim_core_static_baseline.c b/src/core/static_baseline/dim_core_static_baseline.c +index e33c67c..ff05690 100644 +--- a/src/core/static_baseline/dim_core_static_baseline.c ++++ b/src/core/static_baseline/dim_core_static_baseline.c +@@ -46,7 +46,23 @@ static int baseline_check_add(const char *name, int type, + struct dim_digest *digest, + struct dim_measure *m) + { +- return dim_measure_static_baseline_add(m, name, type, digest); ++ int ret = 0; ++ const char *real_path = NULL; ++ ++ if (type == DIM_BASELINE_KERNEL) ++ return dim_measure_static_baseline_add(m, name, type, digest); ++ ++ /* for process, try to add the absolute path */ ++ ret = dim_get_absolute_path(name, &real_path); ++ if (ret < 0) { ++ dim_warn("failed to get absolute path of %s in static baeline: %d\n", ++ name, ret); ++ return dim_measure_static_baseline_add(m, name, type, digest); ++ } ++ ++ ret = dim_measure_static_baseline_add(m, real_path, type, digest); ++ dim_kfree(real_path); ++ return ret; + } + + #if LINUX_VERSION_CODE < KERNEL_VERSION(6, 4, 0) +-- +2.33.0 + diff --git a/backport-Unified-log-printing-format.patch b/backport-Unified-log-printing-format.patch new file mode 100644 index 0000000000000000000000000000000000000000..c4afbce29cce3be80114953b62dde160bdb343a8 --- /dev/null +++ b/backport-Unified-log-printing-format.patch @@ -0,0 +1,71 @@ +From fc44808dc01e95de501db0e2ca9ad84bb4815948 Mon Sep 17 00:00:00 2001 +From: jinlun +Date: Tue, 18 Jun 2024 09:32:10 +0800 +Subject: [PATCH 11/14] Unified log printing format + +--- + src/core/policy/dim_core_policy.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/src/core/policy/dim_core_policy.c b/src/core/policy/dim_core_policy.c +index f10a256..da734d3 100644 +--- a/src/core/policy/dim_core_policy.c ++++ b/src/core/policy/dim_core_policy.c +@@ -70,17 +70,17 @@ static int policy_check_add_bprm_text(struct dim_policy *policy) + + /* check the policy is valid */ + if (policy->path == NULL) { +- pr_err("path must be set for BPRM_TEXT policy\n"); ++ dim_err("path must be set for BPRM_TEXT policy\n"); + return -EINVAL; + } + + if (strlen(policy->path) + 1 > PATH_MAX) { +- pr_err("path must be shorter than %d\n", PATH_MAX); ++ dim_err("path must be shorter than %d\n", PATH_MAX); + return -ENAMETOOLONG; + } + + if (policy->name != NULL) +- pr_warn("name is ignored for BPRM_TEXT policy\n"); ++ dim_warn("name is ignored for BPRM_TEXT policy\n"); + + /* firstly, add the current node */ + ret = dim_policy_rb_add(&policy_root, policy, NULL); +@@ -122,20 +122,20 @@ static int policy_check_add_bprm_text(struct dim_policy *policy) + static int policy_check_add_module_text(struct dim_policy *policy) + { + if (policy->name == NULL) { +- pr_err("name must be set for MODULE_TEXT policy\n"); ++ dim_err("name must be set for MODULE_TEXT policy\n"); + return -EINVAL; + } + + if (strlen(policy->name) + 1 > NAME_MAX) { +- pr_err("name must be shorter than %d\n", NAME_MAX); ++ dim_err("name must be shorter than %d\n", NAME_MAX); + return -ENAMETOOLONG; + } + + if (policy->path != NULL) +- pr_warn("path is ignored for BPRM_TEXT policy\n"); ++ dim_warn("path is ignored for BPRM_TEXT policy\n"); + + if (policy->action != DIM_POLICY_ACTION_LOG) +- pr_warn("action is ignored for MODULE_TEXT policy\n"); ++ dim_warn("action is ignored for MODULE_TEXT policy\n"); + + return dim_policy_rb_add(&policy_root, policy, NULL); + } +@@ -144,7 +144,7 @@ static int policy_check_add_kernel_text(struct dim_policy *policy) + { + if (policy->name != NULL || policy->path != NULL || + policy->action != DIM_POLICY_ACTION_LOG) +- pr_warn("all parameters are ignored for KERNEL_TEXT policy\n"); ++ dim_warn("all parameters are ignored for KERNEL_TEXT policy\n"); + + return dim_policy_rb_add(&policy_root, policy, NULL); + } +-- +2.33.0 + diff --git a/backport-add-missing-line-break-in-log-printing.patch b/backport-add-missing-line-break-in-log-printing.patch new file mode 100644 index 0000000000000000000000000000000000000000..24f826deafc7a97fe1d723825d7c6d84c96588d6 --- /dev/null +++ b/backport-add-missing-line-break-in-log-printing.patch @@ -0,0 +1,32 @@ +From 03facf95debc7d34e64b69a1da8200ada1f0a75a Mon Sep 17 00:00:00 2001 +From: Huaxin Lu +Date: Thu, 9 May 2024 15:47:18 +0800 +Subject: [PATCH 13/28] add missing line break in log printing + +--- + src/core/dim_core_measure.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/core/dim_core_measure.c b/src/core/dim_core_measure.c +index 2ccd1a1..caf767c 100644 +--- a/src/core/dim_core_measure.c ++++ b/src/core/dim_core_measure.c +@@ -73,13 +73,13 @@ int dim_core_interval_set(unsigned int min) + + atomic_set(&measure_interval, min); + if (min == 0) { +- dim_info("cancel dim timed measure work"); ++ dim_info("cancel dim timed measure work\n"); + cancel_delayed_work_sync(&dim_measure_work); + } else { + jiffies = nsecs_to_jiffies64((unsigned long)min * + DIM_MINUTE_TO_NSEC); + dim_info("modify dim measure interval to %u min " +- "(jittfies = 0x%lx)", min, jiffies); ++ "(jittfies = 0x%lx)\n", min, jiffies); + mod_delayed_work(dim_work_queue, &dim_measure_work, jiffies); + } + +-- +2.33.0 + diff --git a/backport-add-parameter-check.patch b/backport-add-parameter-check.patch new file mode 100644 index 0000000000000000000000000000000000000000..f12f471867cbe4db288d5b5dc79c20034b071c40 --- /dev/null +++ b/backport-add-parameter-check.patch @@ -0,0 +1,71 @@ +From 363b0761d007fa20e165f385a085a2fcf6fc11a0 Mon Sep 17 00:00:00 2001 +From: jinlun +Date: Tue, 18 Jun 2024 09:45:47 +0800 +Subject: [PATCH 13/14] add parameter check + +--- + src/common/dim_measure_log.c | 3 +++ + src/core/tasks/dim_core_measure_kernel.c | 6 +++--- + src/core/tasks/dim_core_measure_module.c | 6 ++++-- + 3 files changed, 10 insertions(+), 5 deletions(-) + +diff --git a/src/common/dim_measure_log.c b/src/common/dim_measure_log.c +index 4b3bd34..59654a5 100644 +--- a/src/common/dim_measure_log.c ++++ b/src/common/dim_measure_log.c +@@ -33,6 +33,9 @@ static int cal_measure_log_digest(const char *name, + int digest_size = dim_digest_size(info->digest.algo); + SHASH_DESC_ON_STACK(shash, hash->tfm); + ++ if (algo_name == NULL) ++ return -EINVAL; ++ + shash->tfm = hash->tfm; + ret = crypto_shash_init(shash); + if (ret < 0) +diff --git a/src/core/tasks/dim_core_measure_kernel.c b/src/core/tasks/dim_core_measure_kernel.c +index fa04ae4..bb7fd74 100644 +--- a/src/core/tasks/dim_core_measure_kernel.c ++++ b/src/core/tasks/dim_core_measure_kernel.c +@@ -139,13 +139,13 @@ static int kernel_text_measure(int mode, struct dim_measure *m) + { + int ret = 0; + const char *kr = init_uts_ns.name.release; +- struct dim_digest digest = { +- .algo = m->hash.algo, +- }; ++ struct dim_digest digest = {0}; + + if (m == NULL) + return -EINVAL; + ++ digest.algo = m->hash.algo; ++ + if (!dim_core_policy_match(DIM_POLICY_OBJ_KERNEL_TEXT, + DIM_POLICY_KEY_NAME, kr)) + return 0; +diff --git a/src/core/tasks/dim_core_measure_module.c b/src/core/tasks/dim_core_measure_module.c +index feb6624..613e0e5 100644 +--- a/src/core/tasks/dim_core_measure_module.c ++++ b/src/core/tasks/dim_core_measure_module.c +@@ -64,13 +64,15 @@ static int measure_module(struct dim_policy *policy, void *data) + { + int ret = 0; + struct module_text_measure_ctx *ctx = data; +- const char *mod_name = policy->name; ++ const char *mod_name = NULL; + struct dim_digest digest = { 0 }; + + if (policy == NULL || policy->obj != DIM_POLICY_OBJ_MODULE_TEXT || +- mod_name == NULL) ++ policy->name == NULL) + return 0; + ++ mod_name = policy->name; ++ + /* if module is not inserted in baseline_init stage, ignore it */ + if (ctx->mode == DIM_MEASURE && + dim_measure_dynamic_baseline_search(ctx->m, mod_name, +-- +2.33.0 + diff --git a/backport-add-two-interfaces-for-baseline-operations.patch b/backport-add-two-interfaces-for-baseline-operations.patch new file mode 100644 index 0000000000000000000000000000000000000000..a45d0b7c514316c877a6022239aad551422b744e --- /dev/null +++ b/backport-add-two-interfaces-for-baseline-operations.patch @@ -0,0 +1,65 @@ +From 59720657cc90aad769fa6a7bef2175f12dae72ef Mon Sep 17 00:00:00 2001 +From: Huaxin Lu +Date: Mon, 29 Apr 2024 23:02:27 +0800 +Subject: [PATCH 04/28] add two interfaces for baseline operations + +--- + src/measure/dim_measure.h | 7 +++++++ + src/measure/dim_measure_baseline.c | 20 ++++++++++++++++++++ + 2 files changed, 27 insertions(+) + +diff --git a/src/measure/dim_measure.h b/src/measure/dim_measure.h +index d73fbaf..f5140f0 100644 +--- a/src/measure/dim_measure.h ++++ b/src/measure/dim_measure.h +@@ -101,9 +101,16 @@ int dim_measure_process_dynamic_result(struct dim_measure *m, int mode, + int dim_measure_static_baseline_add(struct dim_measure *m, + const char *name, int type, + struct dim_digest *digest); ++int dim_measure_dynamic_baseline_add(struct dim_measure *m, ++ const char *name, int type, ++ struct dim_digest *digest); ++int dim_measure_static_baseline_search(struct dim_measure *m, ++ const char *name, int type, ++ struct dim_digest *digest); + int dim_measure_dynamic_baseline_search(struct dim_measure *m, + const char *name, int type, + struct dim_digest *digest); ++ + /* functions for dim measurement task */ + int dim_measure_tasks_register(struct dim_measure *m, + struct dim_measure_task **tasks, +diff --git a/src/measure/dim_measure_baseline.c b/src/measure/dim_measure_baseline.c +index c62d6be..b73b639 100644 +--- a/src/measure/dim_measure_baseline.c ++++ b/src/measure/dim_measure_baseline.c +@@ -224,6 +224,26 @@ int dim_measure_static_baseline_add(struct dim_measure *m, + return static_baseline_add(m, name, type, digest); + } + ++int dim_measure_dynamic_baseline_add(struct dim_measure *m, ++ const char *name, int type, ++ struct dim_digest *digest) ++{ ++ if (m == NULL) ++ return -EINVAL; ++ ++ return dynamic_baseline_add(m, name, type, digest); ++} ++ ++int dim_measure_static_baseline_search(struct dim_measure *m, ++ const char *name, int type, ++ struct dim_digest *digest) ++{ ++ if (m == NULL) ++ return -EINVAL; ++ ++ return static_baseline_search(m, name, type, digest); ++} ++ + int dim_measure_dynamic_baseline_search(struct dim_measure *m, + const char *name, int type, + struct dim_digest *digest) +-- +2.33.0 + diff --git a/backport-dont-kill-the-init-process.patch b/backport-dont-kill-the-init-process.patch new file mode 100644 index 0000000000000000000000000000000000000000..f315c677d6b8e144f4c18b7b8b9abd7abdfca581 --- /dev/null +++ b/backport-dont-kill-the-init-process.patch @@ -0,0 +1,29 @@ +From b515dc62636113d06ac524476da7c30fa3fd42b0 Mon Sep 17 00:00:00 2001 +From: Huaxin Lu +Date: Thu, 9 May 2024 15:16:28 +0800 +Subject: [PATCH 10/28] dont kill the init process + +--- + .../dim_core_measure_process/dim_core_measure_process.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/src/core/tasks/dim_core_measure_process/dim_core_measure_process.c b/src/core/tasks/dim_core_measure_process/dim_core_measure_process.c +index 643b661..e5e262a 100644 +--- a/src/core/tasks/dim_core_measure_process/dim_core_measure_process.c ++++ b/src/core/tasks/dim_core_measure_process/dim_core_measure_process.c +@@ -78,6 +78,12 @@ static int kill_task_tree(struct task_struct *tsk) + const int def_size = 32; + struct task_kill_ctx ctx = { .size = def_size }; + ++ if (tsk->pid == 1) { ++ /* dont kill the init process */ ++ dim_warn("the pid of tampered task is 1, don't kill it\n"); ++ return 0; ++ } ++ + ctx.buf = dim_kzalloc_gfp(def_size * sizeof(struct task_struct *)); + if (ctx.buf == NULL) + return -ENOMEM; +-- +2.33.0 + diff --git a/backport-dont-warp-strncpy.patch b/backport-dont-warp-strncpy.patch new file mode 100644 index 0000000000000000000000000000000000000000..e5fcce7fba50c6a060730089fbcd7e9b960024e6 --- /dev/null +++ b/backport-dont-warp-strncpy.patch @@ -0,0 +1,45 @@ +From 6f0a9e9a1ce574b5b2d28fbf986bf551d38b3832 Mon Sep 17 00:00:00 2001 +From: Huaxin Lu +Date: Thu, 9 May 2024 15:56:17 +0800 +Subject: [PATCH 14/28] dont warp strncpy + +--- + src/common/dim_baseline.c | 2 +- + src/common/dim_safe_func.h | 10 +--------- + 2 files changed, 2 insertions(+), 10 deletions(-) + +diff --git a/src/common/dim_baseline.c b/src/common/dim_baseline.c +index 3272ded..17c58dd 100644 +--- a/src/common/dim_baseline.c ++++ b/src/common/dim_baseline.c +@@ -106,7 +106,7 @@ int dim_baseline_add(struct dim_baseline_tree *root, const char *name, + if (ret < 0) + goto err; + +- dim_strncpy((char *)baseline->name, name, buf_len - 1); ++ strncpy((char *)baseline->name, name, buf_len - 1); + ((char *)baseline->name)[buf_len - 1] = '\0'; + + write_lock(&root->lock); +diff --git a/src/common/dim_safe_func.h b/src/common/dim_safe_func.h +index 15c716c..8cba7b2 100644 +--- a/src/common/dim_safe_func.h ++++ b/src/common/dim_safe_func.h +@@ -132,12 +132,4 @@ static inline int dim_strncmp(const char *cs, const char *ct, size_t count) + return strncmp(cs, ct, count); + } + +-static inline char *dim_strncpy(char *dest, const char *src, size_t count) +-{ +- if (dest == NULL || src == NULL) +- return NULL; +- +- return strncpy(dest, src, count); +-} +- +-#endif +\ No newline at end of file ++#endif +-- +2.33.0 + diff --git a/backport-fix-double-free-in-tpm.patch b/backport-fix-double-free-in-tpm.patch new file mode 100644 index 0000000000000000000000000000000000000000..b609410837e10b045dff89bf0e90f36cda7e9630 --- /dev/null +++ b/backport-fix-double-free-in-tpm.patch @@ -0,0 +1,42 @@ +From b313cae9712a5c13ad9617c39019693072372499 Mon Sep 17 00:00:00 2001 +From: jinlun +Date: Mon, 17 Jun 2024 14:58:16 +0800 +Subject: [PATCH 03/14] fix double free in tpm + +--- + src/common/dim_tpm.c | 4 +++- + src/measure/dim_measure.c | 4 +++- + 2 files changed, 6 insertions(+), 2 deletions(-) + +diff --git a/src/common/dim_tpm.c b/src/common/dim_tpm.c +index 6d3c255..35f3fac 100644 +--- a/src/common/dim_tpm.c ++++ b/src/common/dim_tpm.c +@@ -74,4 +74,6 @@ void dim_tpm_destroy(struct dim_tpm *tpm) + + put_device(&tpm->chip->dev); + dim_kfree(tpm->digests); +-} +\ No newline at end of file ++ tpm->chip = NULL; ++ tpm->digests = NULL; ++} +diff --git a/src/measure/dim_measure.c b/src/measure/dim_measure.c +index dd35cb8..c40be0e 100644 +--- a/src/measure/dim_measure.c ++++ b/src/measure/dim_measure.c +@@ -44,8 +44,10 @@ int dim_measure_init(struct dim_measure *m, struct dim_measure_cfg *cfg) + /* 2. init TPM, dont break if init fail */ + if (cfg->pcr > 0) { + ret = dim_tpm_init(&m->tpm, HASH_ALGO_SHA256); +- if (ret < 0) ++ if (ret < 0) { ++ cfg->pcr = 0; + dim_warn("failed to init tpm chip: %d\n", ret); ++ } + } else { + memset(&m->tpm, 0, sizeof(struct dim_tpm)); + } +-- +2.33.0 + diff --git a/backport-fix-incorrect-indent.patch b/backport-fix-incorrect-indent.patch new file mode 100644 index 0000000000000000000000000000000000000000..87d5edb1b0f158298632323eb455443f46adf839 --- /dev/null +++ b/backport-fix-incorrect-indent.patch @@ -0,0 +1,30 @@ +From 19a59c415c0360df06ccd540e1c9e847926f7fe4 Mon Sep 17 00:00:00 2001 +From: Huaxin Lu +Date: Mon, 29 Apr 2024 22:41:47 +0800 +Subject: [PATCH 03/28] fix incorrect indent + +--- + src/measure/dim_measure_status.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/measure/dim_measure_status.c b/src/measure/dim_measure_status.c +index 28cfb43..e57e611 100644 +--- a/src/measure/dim_measure_status.c ++++ b/src/measure/dim_measure_status.c +@@ -18,10 +18,10 @@ const char *dim_measure_status_print(struct dim_measure *m) + { + int status = 0; + +- if (m == NULL) +- return status_name[MEASURE_STATUS_LAST]; ++ if (m == NULL) ++ return status_name[MEASURE_STATUS_LAST]; + +- status = atomic_read(&m->status); ++ status = atomic_read(&m->status); + if (status < 0 || status >= MEASURE_STATUS_LAST) + status = MEASURE_STATUS_LAST; + +-- +2.33.0 + diff --git a/backport-fix-resource-clear-in-concurrent-scenarios.patch b/backport-fix-resource-clear-in-concurrent-scenarios.patch new file mode 100644 index 0000000000000000000000000000000000000000..3dd5d358018ce8751e07cc1b048b16f3adaa7f00 --- /dev/null +++ b/backport-fix-resource-clear-in-concurrent-scenarios.patch @@ -0,0 +1,67 @@ +From 3c3197390d14cc94e3e0117969ab8c70d0976dd0 Mon Sep 17 00:00:00 2001 +From: jinlun +Date: Mon, 17 Jun 2024 20:28:35 +0800 +Subject: [PATCH 07/14] fix resource clear in concurrent scenarios + +--- + src/common/dim_entry.c | 13 ++++++++++++- + src/core/dim_core_main.c | 2 +- + 2 files changed, 13 insertions(+), 2 deletions(-) + +diff --git a/src/common/dim_entry.c b/src/common/dim_entry.c +index a8dcae7..f2454ce 100644 +--- a/src/common/dim_entry.c ++++ b/src/common/dim_entry.c +@@ -4,9 +4,12 @@ + + #include + #include ++#include + + #include "dim_entry.h" + ++#define WAIT_TIME_MAX 1000 ++ + int dim_entry_create(struct dim_entry *entry, struct dentry *parent) + { + int ret = 0; +@@ -27,7 +30,15 @@ int dim_entry_create(struct dim_entry *entry, struct dentry *parent) + + void dim_entry_remove(struct dim_entry *entry) + { ++ int time_ms = 0; ++ + if (entry != NULL && entry->dentry != NULL) { ++ while (d_is_dir(entry->dentry) && ++ !simple_empty(entry->dentry) && ++ time_ms < WAIT_TIME_MAX) { ++ time_ms++; ++ msleep(1); ++ } + securityfs_remove(entry->dentry); + entry->dentry = NULL; + } +@@ -60,4 +71,4 @@ void dim_entry_remove_list(struct dim_entry **list, unsigned int len) + + for (i = 0; i < len; i++) + dim_entry_remove(list[i]); +-} +\ No newline at end of file ++} +diff --git a/src/core/dim_core_main.c b/src/core/dim_core_main.c +index de18d66..d4cc870 100644 +--- a/src/core/dim_core_main.c ++++ b/src/core/dim_core_main.c +@@ -91,8 +91,8 @@ err: + + static void __exit dim_core_exit(void) + { +- dim_core_measure_destroy(); + dim_core_destroy_fs(); ++ dim_core_measure_destroy(); + dim_mem_pool_destroy(); + + if (signature) +-- +2.33.0 + diff --git a/backport-fix-trampoline.patch b/backport-fix-trampoline.patch new file mode 100644 index 0000000000000000000000000000000000000000..782772c9cf477ee3c3f8634d1ca6c30a557b9dda --- /dev/null +++ b/backport-fix-trampoline.patch @@ -0,0 +1,113 @@ +From 478e0745ff6e37c03aa98f0883a18f7749d0afb2 Mon Sep 17 00:00:00 2001 +From: jinlun +Date: Mon, 17 Jun 2024 19:28:54 +0800 +Subject: [PATCH 04/14] fix trampoline + +--- + src/common/dim_baseline.h | 2 ++ + .../dim_core_measure_process_elf.c | 33 +++++++++++++++++-- + 2 files changed, 32 insertions(+), 3 deletions(-) + +diff --git a/src/common/dim_baseline.h b/src/common/dim_baseline.h +index 345b348..4292259 100644 +--- a/src/common/dim_baseline.h ++++ b/src/common/dim_baseline.h +@@ -15,6 +15,7 @@ enum dim_baseline_type { + DIM_BASELINE_USER, /* baseline of user process */ + DIM_BASELINE_KERNEL, /* baseline of kernel or kernel modules */ + DIM_BASELINE_DATA, ++ DIM_BASELINE_TRAMPOLINE, + DIM_BASELINE_LAST, + }; + +@@ -22,6 +23,7 @@ static const char *const dim_baseline_name[DIM_BASELINE_LAST] = { + [DIM_BASELINE_USER] = "USER", + [DIM_BASELINE_KERNEL] = "KERNEL", + [DIM_BASELINE_DATA] = "DATA", ++ [DIM_BASELINE_TRAMPOLINE] = "TRAMPOLINE", + }; + + struct dim_baseline_tree { +diff --git a/src/core/tasks/dim_core_measure_process/dim_core_measure_process_elf.c b/src/core/tasks/dim_core_measure_process/dim_core_measure_process_elf.c +index 12040e2..df8d773 100644 +--- a/src/core/tasks/dim_core_measure_process/dim_core_measure_process_elf.c ++++ b/src/core/tasks/dim_core_measure_process/dim_core_measure_process_elf.c +@@ -222,7 +222,10 @@ static int get_elf_measure_area(struct file *elf_file, + return ret; + } + +- // TODO ++ /* check if it is no need to measure trampoline */ ++ if (shdr_trampoline == NULL) ++ return 0; ++ + ret = get_elf_section(elf_file, &ehdr, TRAMPOLINE_SECTION_NAME, shdr_trampoline); + if (ret == 0) + *shdr_trampoline_find = true; +@@ -256,6 +259,14 @@ static int measure_elf_trampoline(struct vm_area_struct *vma, + return ret; + } + ++ /* for baseline mode, add an extra dynamic baseline of trampoline */ ++ if (ctx->mode == DIM_BASELINE) { ++ ret = dim_measure_dynamic_baseline_add(ctx->m, ctx->path, ++ DIM_BASELINE_TRAMPOLINE, &digest); ++ if (ret < 0) ++ pr_warn("failed to add trampoline dynamic baseline\n"); ++ } ++ + return ctx->check(&digest, ctx); + } + +@@ -295,6 +306,18 @@ static int measure_elf_text(struct vm_area_struct *vma, + return ctx->check(&digest, ctx); + } + ++static bool trampoline_baseline_exist(struct task_measure_ctx *ctx) ++{ ++ struct dim_digest digest = { 0 }; ++ ++ /* measure trampoline only the baseline is set */ ++ return ctx->mode == DIM_BASELINE ? ++ (dim_measure_static_baseline_search(ctx->m, ctx->path, ++ DIM_BASELINE_TRAMPOLINE, &digest) == 0) : ++ (dim_measure_dynamic_baseline_search(ctx->m, ctx->path, ++ DIM_BASELINE_TRAMPOLINE, &digest) == 0); ++} ++ + int measure_process_module_text_elf(struct vm_area_struct *vma, + struct task_measure_ctx *ctx) + { +@@ -304,6 +327,7 @@ int measure_process_module_text_elf(struct vm_area_struct *vma, + unsigned int phdrs_text_num = 0; + struct elf_shdr shdr_trampoline = { 0 }; + bool shdr_trampoline_find = false; ++ bool trampoline_baseline_existed = false; + + if (vma == NULL || !vma_is_file_text(vma) || ctx == NULL + || ctx->m == NULL || ctx->check == NULL) +@@ -314,8 +338,11 @@ int measure_process_module_text_elf(struct vm_area_struct *vma, + return -ENOEXEC; + } + ++ trampoline_baseline_existed = trampoline_baseline_exist(ctx); ++ + ret = get_elf_measure_area(elf_file, &phdrs_text, &phdrs_text_num, +- &shdr_trampoline, &shdr_trampoline_find); ++ trampoline_baseline_existed ? &shdr_trampoline : NULL, ++ &shdr_trampoline_find); + if (ret < 0) { + dim_err("failed to get elf measure area from vma\n"); + return ret; +@@ -331,7 +358,7 @@ int measure_process_module_text_elf(struct vm_area_struct *vma, + return ret; + } + +- if (shdr_trampoline_find) { ++ if (shdr_trampoline_find && trampoline_baseline_existed) { + ret = measure_elf_trampoline(vma, base, &shdr_trampoline, ctx); + if (ret < 0) { + dim_err("failed to measure elf trampoline: %d\n", ret); +-- +2.33.0 + diff --git a/backport-ignore-return-value-if-the-measure-log-is-limited.patch b/backport-ignore-return-value-if-the-measure-log-is-limited.patch new file mode 100644 index 0000000000000000000000000000000000000000..a7501b6b31f04004d769f6b457863db083f49964 --- /dev/null +++ b/backport-ignore-return-value-if-the-measure-log-is-limited.patch @@ -0,0 +1,26 @@ +From e5ad2b5264d67694eba932c247d78011da4fd308 Mon Sep 17 00:00:00 2001 +From: jinlun +Date: Tue, 18 Jun 2024 09:25:44 +0800 +Subject: [PATCH 09/14] ignore return value if the measure log is limited + +--- + src/measure/dim_measure_baseline.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/measure/dim_measure_baseline.c b/src/measure/dim_measure_baseline.c +index b73b639..185a06e 100644 +--- a/src/measure/dim_measure_baseline.c ++++ b/src/measure/dim_measure_baseline.c +@@ -93,7 +93,8 @@ static int measure_log_add(struct dim_measure *m, const char *name, + int ret = dim_measure_log_add(&m->log, name, digest, flag); + if (ret < 0 && ret != -EEXIST) { + dim_err("failed to add measure log of %s: %d\n", name, ret); +- return ret; ++ /* the measure log of this object has been limited */ ++ return ret == -ENOSPC ? 0 : ret; + } + + return 0; +-- +2.33.0 + diff --git a/backport-set-dim_work_queue-to-NULL-after-fail-branch.patch b/backport-set-dim_work_queue-to-NULL-after-fail-branch.patch new file mode 100644 index 0000000000000000000000000000000000000000..015f87d1861e7fdc0034d7437d96404b315a8cbc --- /dev/null +++ b/backport-set-dim_work_queue-to-NULL-after-fail-branch.patch @@ -0,0 +1,28 @@ +From 849a1ffebc606304e8a47aaa1dac9001873ffff9 Mon Sep 17 00:00:00 2001 +From: Huaxin Lu +Date: Thu, 9 May 2024 15:31:46 +0800 +Subject: [PATCH 11/28] set dim_work_queue to NULL after fail branch + +--- + src/core/dim_core_measure.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/core/dim_core_measure.c b/src/core/dim_core_measure.c +index 6b8cd49..2ccd1a1 100644 +--- a/src/core/dim_core_measure.c ++++ b/src/core/dim_core_measure.c +@@ -247,8 +247,10 @@ int dim_core_measure_init(struct dim_measure_cfg *cfg, unsigned int interval) + return 0; + err: + dim_measure_destroy(&dim_core_handle); +- if (dim_work_queue != NULL) ++ if (dim_work_queue != NULL) { + destroy_workqueue(dim_work_queue); ++ dim_work_queue = NULL; ++ } + + return ret; + } +-- +2.33.0 + diff --git a/backport-use-fs-interface-to-set-measure-action.patch b/backport-use-fs-interface-to-set-measure-action.patch new file mode 100644 index 0000000000000000000000000000000000000000..38d4f2a15192fd666c61c543068b9fa17308de76 --- /dev/null +++ b/backport-use-fs-interface-to-set-measure-action.patch @@ -0,0 +1,141 @@ +From 1be543b4082c7cf516d11408abf35d1b3ec67254 Mon Sep 17 00:00:00 2001 +From: Huaxin Lu +Date: Mon, 29 Apr 2024 22:27:49 +0800 +Subject: [PATCH 02/28] use fs interface to set measure action + +--- + src/core/dim_core_fs.c | 11 +++++++++++ + src/core/dim_core_main.c | 4 ---- + src/core/dim_core_measure.c | 17 +++++++++++++++++ + src/core/dim_core_measure.h | 9 ++++++++- + .../dim_core_measure_process.c | 3 ++- + 5 files changed, 38 insertions(+), 6 deletions(-) + +diff --git a/src/core/dim_core_fs.c b/src/core/dim_core_fs.c +index 4d6bdd4..4a82e53 100644 +--- a/src/core/dim_core_fs.c ++++ b/src/core/dim_core_fs.c +@@ -53,6 +53,16 @@ dim_string_print_entry(dim_status, runtime_status, dim_core_status_print); + dim_uint_rw_entry(dim_interval, interval, dim_core_interval_get, + dim_core_interval_set); + ++/* ++ * measure action set and read interface ++ * dim_entry struct: dim_tampered_action_entry ++ * file entry name: tampered_action ++ * read function: dim_core_measure_action_get ++ * write function: dim_core_measure_action_set ++ */ ++dim_uint_rw_entry(dim_tampered_action, tampered_action, ++ dim_core_measure_action_get, dim_core_measure_action_set); ++ + /* + * dim directory + */ +@@ -69,6 +79,7 @@ static struct dim_entry *dim_core_files[] = { + &dim_measure_log_entry, + &dim_status_entry, + &dim_interval_entry, ++ &dim_tampered_action_entry, + }; + + void dim_core_destroy_fs(void) +diff --git a/src/core/dim_core_main.c b/src/core/dim_core_main.c +index c62fa09..de18d66 100644 +--- a/src/core/dim_core_main.c ++++ b/src/core/dim_core_main.c +@@ -33,15 +33,11 @@ MODULE_PARM_DESC(measure_pcr, "TPM PCR index to extend measure log"); + + /* special measurement configuration for dim_core */ + static unsigned int measure_interval = 0; +-bool dim_core_measure_action_enabled = 0; + static bool signature = false; + + module_param(measure_interval, uint, 0); + MODULE_PARM_DESC(measure_interval, "Interval time (min) for automatic measurement"); + +-module_param_named(measure_action, dim_core_measure_action_enabled, bool, 0); +-MODULE_PARM_DESC(signature, "Enable actions when tampering detected"); +- + module_param(signature, bool, 0); + MODULE_PARM_DESC(signature, "Require signature for policy and static baseline"); + +diff --git a/src/core/dim_core_measure.c b/src/core/dim_core_measure.c +index f5b378c..6b8cd49 100644 +--- a/src/core/dim_core_measure.c ++++ b/src/core/dim_core_measure.c +@@ -32,6 +32,7 @@ static struct work_struct dim_baseline_work; + + /* special measurement parameters for dim_core */ + static atomic_t measure_interval = ATOMIC_INIT(0); ++static atomic_t measure_action = ATOMIC_INIT(0); + + /* interface to print measure status string */ + const char *dim_core_status_print(void) +@@ -39,6 +40,22 @@ const char *dim_core_status_print(void) + return dim_measure_status_print(&dim_core_handle); + } + ++/* interface to get tampered action */ ++long dim_core_measure_action_get(void) ++{ ++ return atomic_read(&measure_action); ++} ++ ++/* interface to set measure action */ ++int dim_core_measure_action_set(unsigned int act) ++{ ++ if (act >= DIM_MEASURE_ACTION_MAX) ++ return -ERANGE; ++ ++ atomic_set(&measure_action, act); ++ return 0; ++} ++ + /* interface to get measure interval */ + long dim_core_interval_get(void) + { +diff --git a/src/core/dim_core_measure.h b/src/core/dim_core_measure.h +index 3522ba0..a91d0b3 100644 +--- a/src/core/dim_core_measure.h ++++ b/src/core/dim_core_measure.h +@@ -16,7 +16,12 @@ + #define DIM_MINUTE_TO_SEC (60UL) + #define DIM_MINUTE_TO_NSEC (60UL * 1000 * 1000 * 1000) + +-extern bool dim_core_measure_action_enabled; ++enum dim_measure_action { ++ DIM_MEASURE_ACTION_DISABLE, ++ DIM_MEASURE_ACTION_ENABLE, ++ DIM_MEASURE_ACTION_MAX, ++}; ++ + extern struct dim_measure dim_core_handle; + + /* global init and destroy */ +@@ -25,6 +30,8 @@ void dim_core_measure_destroy(void); + + /* control function for measurement parameters */ + const char *dim_core_status_print(void); ++long dim_core_measure_action_get(void); ++int dim_core_measure_action_set(unsigned int act); + long dim_core_interval_get(void); + int dim_core_interval_set(unsigned int p); + long dim_core_tampered_action_get(void); +diff --git a/src/core/tasks/dim_core_measure_process/dim_core_measure_process.c b/src/core/tasks/dim_core_measure_process/dim_core_measure_process.c +index 8522085..643b661 100644 +--- a/src/core/tasks/dim_core_measure_process/dim_core_measure_process.c ++++ b/src/core/tasks/dim_core_measure_process/dim_core_measure_process.c +@@ -134,7 +134,8 @@ static int check_process_digest(struct dim_digest *digest, + return ret; + } + +- if (log_flag != LOG_TAMPERED || !dim_core_measure_action_enabled) ++ if (log_flag != LOG_TAMPERED || ++ dim_core_measure_action_get() == DIM_MEASURE_ACTION_DISABLE) + return 0; + + /* now the process is tampered, check if action need to be taken */ +-- +2.33.0 + diff --git a/dim.spec b/dim.spec index 183cf27e9c518edbe33a9d4ed299597f7a3c6aff..eb2fedb75f34c2c636e6b7ac69b55a8c1f7f03f8 100644 --- a/dim.spec +++ b/dim.spec @@ -4,7 +4,7 @@ Name : dim Summary : Dynamic Integrity Measurement Version : 1.0.2 -Release : 6 +Release : 8 License : GPL-2.0 Source0 : %{name}-v%{version}.tar.gz BuildRequires: kernel-devel kernel-headers @@ -34,6 +34,32 @@ Patch0021: backport-Use-warpper-dim_vzalloc-to-avoid-false-warning.patch Patch0022: backport-Set-dim_core_keyring-to-NULL-when-initialize-failed.patch Patch0023: backport-Disable-dfx-testcase-by-default.patch Patch0024: backport-Support-init-function-for-measure-tasks.patch +Patch0025: backport-Fix-calculating-ELF-memory-address.patch +Patch0026: backport-use-fs-interface-to-set-measure-action.patch +Patch0027: backport-fix-incorrect-indent.patch +Patch0028: backport-add-two-interfaces-for-baseline-operations.patch +Patch0029: backport-Add-sm3-compile-macro-and-set-the-algo-name.patch +Patch0030: backport-Try-to-add-the-absolute-path-of-process-in-static-ba.patch +Patch0031: backport-Fix-the-type-of-pcr.patch +Patch0032: backport-Adapter-test-cases.patch +Patch0033: backport-Remove-unused-symbol-in-dim_core.patch +Patch0034: backport-dont-kill-the-init-process.patch +Patch0035: backport-set-dim_work_queue-to-NULL-after-fail-branch.patch +Patch0037: backport-add-missing-line-break-in-log-printing.patch +Patch0038: backport-dont-warp-strncpy.patch +Patch0039: backport-Fix-calculating-ELF-trampoline-address.patch +Patch0040: backport-Fix-NULL-pointer-reference-when-kill-child-processes.patch +Patch0041: backport-fix-double-free-in-tpm.patch +Patch0042: backport-fix-trampoline.patch +Patch0043: backport-Maximun-number-of-line-in-a-modification-policy.patch +Patch0044: backport-Optimize-task-kill-and-log-the-static-baseline-when-.patch +Patch0045: backport-fix-resource-clear-in-concurrent-scenarios.patch +Patch0046: backport-Fix-the-issue-that-the-memory-allocation-is-too-larg.patch +Patch0047: backport-ignore-return-value-if-the-measure-log-is-limited.patch +Patch0048: backport-Change-the-permissions-of-the-dim-directory-to-500.patch +Patch0049: backport-Unified-log-printing-format.patch +Patch0050: backport-Fix-print-errors.patch +Patch0051: backport-add-parameter-check.patch %description Dynamic Integrity Measurement @@ -44,7 +70,7 @@ Dynamic Integrity Measurement %build cd src sed -i 's#/lib/modules/$(shell uname -r)/build#/lib/modules/%{kernel_version}/build#' Makefile -make +make EXTRA_CFLAGS+=-DDIM_HASH_SUPPORT_SM3 %install mkdir -p $RPM_BUILD_ROOT/lib/modules/%{kernel_version}/extra/dim @@ -72,6 +98,12 @@ rm -rf %{buildroot} %attr(0400,root,root) /lib/modules/%{kernel_version}/extra/dim/dim_monitor.ko %changelog +* Mon Aug 19 2024 gengqihu 1.0.2-8 +- Enabled DIM_HASH_SUPPORT_SM3 + +* Mon Aug 19 2024 gengqihu 1.0.2-7 +- fix some bugs + * Tue Apr 16 2024 jinlun 1.0.2-6 - backport some patches