mirror of
https://github.com/edk2-porting/linux-next.git
synced 2024-12-26 14:14:01 +08:00
6d38ca01c0
If EVM is not supported or enabled, evm_verify_hmac() returns INTEGRITY_UNKNOWN, which ima_appraise_measurement() ignores and sets the appraisal status based solely on the security.ima verification. evm_verify_hmac() also returns INTEGRITY_UNKNOWN for other failures, such as temporary failures like -ENOMEM, resulting in possible attack vectors. This patch changes the default return code for temporary/unexpected failures, like -ENOMEM, from INTEGRITY_UNKNOWN to INTEGRITY_FAIL, making evm_verify_hmac() fail safe. As a result, failures need to be re-evaluated in order to catch both temporary errors, such as the -ENOMEM, as well as errors that have been resolved in fix mode. Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@nokia.com> Signed-off-by: Mimi Zohar <zohar@us.ibm.com> |
||
---|---|---|
.. | ||
evm_crypto.c | ||
evm_main.c | ||
evm_secfs.c | ||
evm.h | ||
Kconfig | ||
Makefile |