[RFC PATCH v1 2/7] ima: always create runtime_measurements sysfs file for ima_hash

From: Nicolai Stange
Date: Thu Mar 13 2025 - 13:35:52 EST


runtime_measurements_<hash-algo> sysfs files are getting created for
each PCR bank + for SHA-1.

Now that runtime_measurements_<hash-algo> sysfs file creation is being
skipped for unsupported hash algorithms, it will become possible that no
such file would be provided at all once SHA-1 is made optional in a
later patch.

Always create the file for the 'ima_hash' algorithm, even if it's not
associated with any of the PCR banks. As IMA initialization will
continue to fail if the ima_hash algorithm is not available to the
kernel, this guarantees that at least one such file will always be
there.

Signed-off-by: Nicolai Stange <nstange@xxxxxxx>
---
security/integrity/ima/ima_fs.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c
index a8df2fe5f4cb..f030ff7f56da 100644
--- a/security/integrity/ima/ima_fs.c
+++ b/security/integrity/ima/ima_fs.c
@@ -436,10 +436,8 @@ static int __init create_securityfs_measurement_lists(void)
u16 algo;
int i;

- securityfs_measurement_list_count = NR_BANKS(ima_tpm_chip);
-
- if (ima_sha1_idx >= NR_BANKS(ima_tpm_chip))
- securityfs_measurement_list_count++;
+ securityfs_measurement_list_count =
+ NR_BANKS(ima_tpm_chip) + ima_extra_slots;

ascii_securityfs_measurement_lists =
kcalloc(securityfs_measurement_list_count, sizeof(struct dentry *),
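Review bot: the new count on the two `+` lines depends on ima_extra_slots, which is neither defined nor described in this hunk or in the commit message, so the allocation size cannot be checked from this patch alone. The removed `if (ima_sha1_idx >= NR_BANKS(ima_tpm_chip))` made it obvious that exactly one extra entry was reserved for SHA-1 when it is not a PCR bank. Please say in the commit message which algorithms ima_extra_slots accounts for (the ima_hash slot, and SHA-1 where it is still present) and which earlier patch in the series introduces it. A one-line comment above the assignment stating the same would help. The diffstat shows that only the count changes here, so the message should also state that the existing creation code, which is outside this hunk, already iterates over the extra indices. Otherwise "always create the file for ima_hash" is not demonstrated by the visible change.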
--
2.47.1