Thread: 25 messages, 4 authors, 2020-02-06

RE: [PATCH v2 5/8] ima: Switch to dynamically allocated buffer for template digests

From: Roberto Sassu <roberto.sassu@huawei.com>
Date: 2020-02-06 16:27:32
Also in: linux-integrity, lkml

> -----Original Message-----
> From: Mimi Zohar [mailto:zohar@linux.ibm.com]
> Sent: Thursday, February 6, 2020 5:08 PM
> To: Roberto Sassu <roberto.sassu@huawei.com>;
> James.Bottomley@HansenPartnership.com;
> jarkko.sakkinen@linux.intel.com
> Cc: linux-integrity@vger.kernel.org; linux-security-module@vger.kernel.org;
> linux-kernel@vger.kernel.org; Silviu Vlasceanu
> [off-list ref]
> Subject: Re: [PATCH v2 5/8] ima: Switch to dynamically allocated buffer for
> template digests
>
> Hi Roberto,
>
> On Wed, 2020-02-05 at 11:33 +0100, Roberto Sassu wrote:
> > This patch dynamically allocates the array of tpm_digest structures in
> > ima_alloc_init_template() and ima_restore_template_data(). The size of the
> > array, stored in ima_num_template_digests, is initially equal to 1 (SHA1)
> > and will be determined in the upcoming patches depending on the allocated
> > PCR banks and the chosen default IMA algorithm.
> >
> > Calculating the SHA1 digest is mandatory, as SHA1 still remains the default
> > hash algorithm for the measurement list. When IMA will support the Crypto
> > Agile format, remaining digests will be also provided.
> >
> > The position in the array of the SHA1 digest is stored in the ima_sha1_idx
> > global variable and it is determined at IMA initialization time.
> >
> > Changelog
> >
> > v1:
> > - move ima_sha1_idx to ima_crypto.c
> > - introduce ima_num_template_digests (suggested by Mimi)
>
> Instead of hardcoding "nr_allocated_banks + 1" or "nr_allocated_banks +
> 2", I suggested defining "nr_allocated_banks + extra", where "extra"
> could be 0, 1, or 2.
>
> The rest of the code would remain exactly the same as you had.

Ok. I did a small improvement. Since we determine the number of
required elements of ima_algo_array before kmalloc() I thought it
was ok to directly set that number of elements in a single variable.

If you think that having two variables is better, I will change it.

Thanks

Roberto

HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Li Peng, Li Jian, Shi Yanli
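
The sizing rule discussed in this message ("nr_allocated_banks + extra", with "extra" being 0, 1 or 2), as an added user-space example that is not code from the thread or from the kernel. The names `plan_digests`, `digest_layout` and the `ALGO_*` values are hypothetical, and the rule for when an extra slot is needed is an assumption drawn from the commit message (SHA1 is mandatory, and the default IMA algorithm needs a slot).

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-ins for the kernel's hash algorithm ids. */
enum hash_algo { ALGO_SHA1, ALGO_SHA256, ALGO_SHA384, ALGO_SHA512 };

struct digest_layout {
    int num_digests;  /* nr_allocated_banks + extra */
    int extra;        /* 0, 1 or 2 */
    int sha1_idx;     /* slot of the mandatory SHA1 digest */
    int default_idx;  /* slot of the default IMA algorithm's digest */
};

/* Assumed rule: one slot per allocated PCR bank, plus one extra slot each
 * for SHA1 and for the default algorithm when no bank already covers it. */
struct digest_layout plan_digests(const enum hash_algo *banks, int nr_banks,
                                  enum hash_algo default_algo)
{
    struct digest_layout l = { 0, 0, -1, -1 };

    for (int i = 0; i < nr_banks; i++) {
        if (banks[i] == ALGO_SHA1 && l.sha1_idx < 0)
            l.sha1_idx = i;
        if (banks[i] == default_algo && l.default_idx < 0)
            l.default_idx = i;
    }
    if (l.sha1_idx < 0)                 /* no SHA1 bank: append a slot */
        l.sha1_idx = nr_banks + l.extra++;
    if (default_algo == ALGO_SHA1)      /* default shares the SHA1 slot */
        l.default_idx = l.sha1_idx;
    else if (l.default_idx < 0)         /* default not in any bank */
        l.default_idx = nr_banks + l.extra++;
    l.num_digests = nr_banks + l.extra;
    return l;
}

int main(void)
{
    /* Constructed sample: only a SHA256 bank allocated, default SHA512. */
    enum hash_algo banks[] = { ALGO_SHA256 };
    struct digest_layout l = plan_digests(banks, 1, ALGO_SHA512);
    /* One buffer per slot; 64 bytes fits the largest digest used here. */
    unsigned char (*digests)[64] = calloc(l.num_digests, sizeof(*digests));
    if (!digests)
        return 1;
    printf("slots=%d extra=%d sha1_idx=%d default_idx=%d\n",
           l.num_digests, l.extra, l.sha1_idx, l.default_idx);
    free(digests);
    return 0;
}
```

With no banks at all and SHA1 as the default, the model yields a single slot, matching the commit message's initial value of 1 (SHA1).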