Thread: 25 messages, 4 authors, 2021-06-28

Re: [RFC][PATCH 01/12] ima: Add digest, algo, measured parameters to ima_measure_critical_data()

From: Mimi Zohar <zohar@linux.ibm.com>
Date: 2021-06-25 18:27:14
Also in: linux-doc, linux-integrity, linux-kselftest, lkml, selinux

On Fri, 2021-06-25 at 18:56 +0200, Roberto Sassu wrote:
> ima_measure_critical_data() allows any caller in the kernel to provide a
> buffer, so that it is measured by IMA if an appropriate policy is set. Some
> information that could be useful to the callers are the digest of the
> buffer included in the new measurement entry, the digest algorithm and
> whether the buffer was measured.
>
> This patch modifies the definition of ima_measure_critical_data() to
> include three new parameters: digest, algo and measured. If they are NULL,
> the function behaves as before and just measures the buffer, if requested
> with the IMA policy. Otherwise, it also writes the digest, algorithm and
> whether the buffer is measured to the provided pointers.
>
> If the pointers are not NULL, the digest is calculated also if there is no
> matching rule in the IMA policy.

As much as possible, let's not define additional
ima_measure_critical_data() arguments.  Probably the only new variable
really needed is "digest".  The hash algorithm doesn't change.  How about
defining and exporting a new function to return the system defined
ima_hash_algo?  In terms of failure, have ima_measure_critical_data()
return errno.

thanks,

Mimi