dh/ima-evm-utils-mirror
1
0
Fork 0
mirror of https://git.code.sf.net/p/linux-ima/ima-evm-utils synced 2025-04-28 14:43:37 +02:00
Code Releases Activity

ima-evm-utils: verify the measurement list signature based on the list digest

Browse Source 
Instead of verifying file signatures included in the measurement list,
by calculating the local file hash, verify the file signature based on the
digest contained in the measurement list.

This patch defines a new option named "--list".

Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
This commit is contained in:
Mimi Zohar 2018-01-17 15:31:31 -05:00
parent 9c79b7de72
commit 1a69e42ac1
4 changed files with 23 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
README
View File

@ -31,7 +31,7 @@ COMMANDS
ima_sign [--sigfile] [--key key] [--pass password] file ima_sign [--sigfile] [--key key] [--pass password] file
ima_verify file ima_verify file
ima_hash file ima_hash file
ima_measurement [--key "key1, key2, ..."] file ima_measurement [--key "key1, key2, ..."] [--list] file
ima_fix [-t fdsxm] path ima_fix [-t fdsxm] path
sign_hash [--key key] [--pass password] sign_hash [--key key] [--pass password]
hmac [--imahash | --imasig ] file hmac [--imahash | --imasig ] file

14
src/evmctl.c
View File

@ -113,6 +113,7 @@ static char *caps_str;
static char *ima_str; static char *ima_str;
static char *selinux_str; static char *selinux_str;
static char *search_type; static char *search_type;
static int measurement_list;
static int recursive; static int recursive;
static int msize; static int msize;
static dev_t fs_dev; static dev_t fs_dev;
@ -792,7 +793,7 @@ static int verify_ima(const char *file)
} }
} }
return ima_verify_signature(file, sig, len); return ima_verify_signature(file, sig, len, NULL, 0);
} }
static int cmd_verify_ima(struct command *cmd) static int cmd_verify_ima(struct command *cmd)
@ -1392,7 +1393,11 @@ void ima_ng_show(struct template_entry *entry)
if (sig) { if (sig) {
log_info(" "); log_info(" ");
log_dump(sig, sig_len); log_dump(sig, sig_len);
ima_verify_signature(path, sig, sig_len); if (measurement_list)
ima_verify_signature(path, sig, sig_len,
digest, digest_len);
else
ima_verify_signature(path, sig, sig_len, NULL, 0);
} else } else
log_info("\n"); log_info("\n");
@ -1586,6 +1591,7 @@ static void usage(void)
" --ima use custom IMA signature for EVM\n" " --ima use custom IMA signature for EVM\n"
" --selinux use custom Selinux label for EVM\n" " --selinux use custom Selinux label for EVM\n"
" --caps use custom Capabilities for EVM(unspecified: from FS, empty: do not use)\n" " --caps use custom Capabilities for EVM(unspecified: from FS, empty: do not use)\n"
" --list measurement list verification\n"
" -v increase verbosity level\n" " -v increase verbosity level\n"
" -h, --help display this help and exit\n" " -h, --help display this help and exit\n"
"\n"); "\n");
@ -1637,6 +1643,7 @@ static struct option opts[] = {
{"ima", 1, 0, 135}, {"ima", 1, 0, 135},
{"selinux", 1, 0, 136}, {"selinux", 1, 0, 136},
{"caps", 2, 0, 137}, {"caps", 2, 0, 137},
{"list", 0, 0, 138},
{} {}
}; };
@ -1785,6 +1792,9 @@ int main(int argc, char *argv[])
caps_str = optarg; caps_str = optarg;
hmac_flags |= HMAC_FLAG_CAPS_SET; hmac_flags |= HMAC_FLAG_CAPS_SET;
break; break;
case 138:
measurement_list = 1;
break;
case '?': case '?':
exit(1); exit(1);
break; break;

2
src/imaevm.h
View File

@ -204,7 +204,7 @@ int key2bin(RSA *key, unsigned char *pub);
int sign_hash(const char *algo, const unsigned char *hash, int size, const char *keyfile, const char *keypass, unsigned char *sig); int sign_hash(const char *algo, const unsigned char *hash, int size, const char *keyfile, const char *keypass, unsigned char *sig);
int verify_hash(const unsigned char *hash, int size, unsigned char *sig, int siglen); int verify_hash(const unsigned char *hash, int size, unsigned char *sig, int siglen);
int ima_verify_signature(const char *file, unsigned char *sig, int siglen); int ima_verify_signature(const char *file, unsigned char *sig, int siglen, unsigned char *digest, int digestlen);
void init_public_keys(const char *keyfiles); void init_public_keys(const char *keyfiles);
#endif #endif

10
src/libimaevm.c
View File

@ -582,7 +582,8 @@ int verify_hash(const unsigned char *hash, int size, unsigned char *sig, int sig
return verify_hash(hash, size, sig, siglen, key); return verify_hash(hash, size, sig, siglen, key);
} }
int ima_verify_signature(const char *file, unsigned char *sig, int siglen) int ima_verify_signature(const char *file, unsigned char *sig, int siglen,
unsigned char *digest, int digestlen)
{ {
unsigned char hash[64]; unsigned char hash[64];
int hashlen, sig_hash_algo; int hashlen, sig_hash_algo;
@ -600,6 +601,13 @@ int ima_verify_signature(const char *file, unsigned char *sig, int siglen)
/* Use hash algorithm as retrieved from signature */ /* Use hash algorithm as retrieved from signature */
params.hash_algo = pkey_hash_algo[sig_hash_algo]; params.hash_algo = pkey_hash_algo[sig_hash_algo];
/*
* Validate the signature based on the digest included in the
* measurement list, not by calculating the local file digest.
*/
if (digestlen > 0)
return verify_hash(digest, digestlen, sig + 1, siglen - 1);
hashlen = ima_calc_hash(file, hash); hashlen = ima_calc_hash(file, hash);
if (hashlen <= 1) if (hashlen <= 1)
return hashlen; return hashlen;