mirror of
https://git.code.sf.net/p/linux-ima/ima-evm-utils
synced 2025-04-30 15:43:36 +02:00
Support different levels of output for "ima_measurement"
Instead of always displaying the entire measurement list, the default behavior is just to return an error. Verbose (-v) displays the key ids used in validating the measurement list, the PCR aggregate and TPM PCR values. Verbose+ (-v -v) also displays the measurement list. Signed-of-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
This commit is contained in:
Mimi Zohar
parent
057efc397d
commit
360655f059
29
src/evmctl.c
29
src/evmctl.c
@ -771,6 +771,7 @@ static int verify_evm(const char *file)
|
|||||||
static int cmd_verify_evm(struct command *cmd)
|
static int cmd_verify_evm(struct command *cmd)
|
||||||
{
|
{
|
||||||
char *file = g_argv[optind++];
|
char *file = g_argv[optind++];
|
||||||
|
int err;
|
||||||
|
|
||||||
if (!file) {
|
if (!file) {
|
||||||
log_err("Parameters missing\n");
|
log_err("Parameters missing\n");
|
||||||
@ -778,7 +779,10 @@ static int cmd_verify_evm(struct command *cmd)
|
|||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
return verify_evm(file);
|
err = verify_evm(file);
|
||||||
|
if (!err && params.verbose >= LOG_INFO)
|
||||||
|
log_info("%s: verification is OK\n", file);
|
||||||
|
return err;
|
||||||
}
|
}
|
||||||
|
|
||||||
static int verify_ima(const char *file)
|
static int verify_ima(const char *file)
|
||||||
@ -805,14 +809,19 @@ static int verify_ima(const char *file)
|
|||||||
static int cmd_verify_ima(struct command *cmd)
|
static int cmd_verify_ima(struct command *cmd)
|
||||||
{
|
{
|
||||||
char *file = g_argv[optind++];
|
char *file = g_argv[optind++];
|
||||||
|
int err;
|
||||||
|
|
||||||
|
errno = 0;
|
||||||
if (!file) {
|
if (!file) {
|
||||||
log_err("Parameters missing\n");
|
log_err("Parameters missing\n");
|
||||||
print_usage(cmd);
|
print_usage(cmd);
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
return verify_ima(file);
|
err = verify_ima(file);
|
||||||
|
if (!err && params.verbose >= LOG_INFO)
|
||||||
|
log_info("%s: verification is OK\n", file);
|
||||||
|
return err;
|
||||||
}
|
}
|
||||||
|
|
||||||
static int cmd_convert(struct command *cmd)
|
static int cmd_convert(struct command *cmd)
|
||||||
@ -1361,6 +1370,7 @@ void ima_ng_show(struct template_entry *entry)
|
|||||||
int total_len = entry->template_len, digest_len, len, sig_len;
|
int total_len = entry->template_len, digest_len, len, sig_len;
|
||||||
uint8_t *digest, *sig = NULL;
|
uint8_t *digest, *sig = NULL;
|
||||||
char *algo, *path;
|
char *algo, *path;
|
||||||
|
int err;
|
||||||
|
|
||||||
/* get binary digest */
|
/* get binary digest */
|
||||||
field_len = *(uint32_t *)fieldp;
|
field_len = *(uint32_t *)fieldp;
|
||||||
@ -1404,22 +1414,30 @@ void ima_ng_show(struct template_entry *entry)
|
|||||||
}
|
}
|
||||||
|
|
||||||
/* ascii_runtime_measurements */
|
/* ascii_runtime_measurements */
|
||||||
|
if (params.verbose > LOG_INFO) {
|
||||||
log_info("%d ", entry->header.pcr);
|
log_info("%d ", entry->header.pcr);
|
||||||
log_dump_n(entry->header.digest, sizeof(entry->header.digest));
|
log_dump_n(entry->header.digest, sizeof(entry->header.digest));
|
||||||
log_info(" %s %s", entry->name, algo);
|
log_info(" %s %s", entry->name, algo);
|
||||||
log_dump_n(digest, digest_len);
|
log_dump_n(digest, digest_len);
|
||||||
log_info(" %s", path);
|
log_info(" %s", path);
|
||||||
|
}
|
||||||
|
|
||||||
if (sig) {
|
if (sig) {
|
||||||
|
if (params.verbose > LOG_INFO) {
|
||||||
log_info(" ");
|
log_info(" ");
|
||||||
log_dump(sig, sig_len);
|
log_dump(sig, sig_len);
|
||||||
|
}
|
||||||
if (measurement_list)
|
if (measurement_list)
|
||||||
ima_verify_signature(path, sig, sig_len,
|
err = ima_verify_signature(path, sig, sig_len,
|
||||||
digest, digest_len);
|
digest, digest_len);
|
||||||
else
|
else
|
||||||
ima_verify_signature(path, sig, sig_len, NULL, 0);
|
err = ima_verify_signature(path, sig, sig_len, NULL, 0);
|
||||||
} else
|
if (!err && params.verbose > LOG_INFO)
|
||||||
|
log_info("%s: verification is OK\n", path);
|
||||||
|
} else {
|
||||||
|
if (params.verbose > LOG_INFO)
|
||||||
log_info("\n");
|
log_info("\n");
|
||||||
|
}
|
||||||
|
|
||||||
if (total_len)
|
if (total_len)
|
||||||
log_err("Remain unprocessed data: %d\n", total_len);
|
log_err("Remain unprocessed data: %d\n", total_len);
|
||||||
@ -1435,6 +1453,7 @@ static int ima_measurement(const char *file)
|
|||||||
bool verify_failed = false;
|
bool verify_failed = false;
|
||||||
int i;
|
int i;
|
||||||
|
|
||||||
|
errno = 0;
|
||||||
memset(zero, 0, SHA_DIGEST_LENGTH);
|
memset(zero, 0, SHA_DIGEST_LENGTH);
|
||||||
memset(fox, 0xff, SHA_DIGEST_LENGTH);
|
memset(fox, 0xff, SHA_DIGEST_LENGTH);
|
||||||
|
|
||||||
|
|||||||
@ -408,9 +408,6 @@ int verify_hash_v1(const char *file, const unsigned char *hash, int size,
|
|||||||
if (len != sizeof(sighash) || memcmp(out, sighash, len) != 0) {
|
if (len != sizeof(sighash) || memcmp(out, sighash, len) != 0) {
|
||||||
log_err("%s: verification failed: %d\n", file, err);
|
log_err("%s: verification failed: %d\n", file, err);
|
||||||
return -1;
|
return -1;
|
||||||
} else {
|
|
||||||
/*log_info("%s: verification is OK\n", file);*/
|
|
||||||
printf("%s: verification is OK\n", file);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
@ -480,13 +477,15 @@ int verify_hash_v2(const char *file, const unsigned char *hash, int size,
|
|||||||
struct signature_v2_hdr *hdr = (struct signature_v2_hdr *)sig;
|
struct signature_v2_hdr *hdr = (struct signature_v2_hdr *)sig;
|
||||||
const struct RSA_ASN1_template *asn1;
|
const struct RSA_ASN1_template *asn1;
|
||||||
|
|
||||||
|
if (params.verbose > LOG_INFO) {
|
||||||
log_info("hash: ");
|
log_info("hash: ");
|
||||||
log_dump(hash, size);
|
log_dump(hash, size);
|
||||||
|
}
|
||||||
|
|
||||||
if (public_keys) {
|
if (public_keys) {
|
||||||
key = find_keyid(hdr->keyid);
|
key = find_keyid(hdr->keyid);
|
||||||
if (!key) {
|
if (!key) {
|
||||||
log_err("%s: Unknown keyid: %x\n", file,
|
log_err("%s: unknown keyid: %x\n", file,
|
||||||
__be32_to_cpup(&hdr->keyid));
|
__be32_to_cpup(&hdr->keyid));
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
@ -520,9 +519,6 @@ int verify_hash_v2(const char *file, const unsigned char *hash, int size,
|
|||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
/*log_info("%s: verification is OK\n", file);*/
|
|
||||||
printf("%s: verification is OK\n", file);
|
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -677,10 +673,12 @@ void calc_keyid_v1(uint8_t *keyid, char *str, const unsigned char *pkey, int len
|
|||||||
log_debug("keyid: ");
|
log_debug("keyid: ");
|
||||||
log_debug_dump(keyid, 8);
|
log_debug_dump(keyid, 8);
|
||||||
|
|
||||||
|
if (params.verbose > LOG_INFO) {
|
||||||
id = __be64_to_cpup((__be64 *) keyid);
|
id = __be64_to_cpup((__be64 *) keyid);
|
||||||
sprintf(str, "%llX", (unsigned long long)id);
|
sprintf(str, "%llX", (unsigned long long)id);
|
||||||
log_info("keyid-v1: %s\n", str);
|
log_info("keyid-v1: %s\n", str);
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
void calc_keyid_v2(uint32_t *keyid, char *str, RSA *key)
|
void calc_keyid_v2(uint32_t *keyid, char *str, RSA *key)
|
||||||
{
|
{
|
||||||
@ -697,8 +695,10 @@ void calc_keyid_v2(uint32_t *keyid, char *str, RSA *key)
|
|||||||
log_debug("keyid: ");
|
log_debug("keyid: ");
|
||||||
log_debug_dump(keyid, 4);
|
log_debug_dump(keyid, 4);
|
||||||
|
|
||||||
|
if (params.verbose > LOG_INFO) {
|
||||||
sprintf(str, "%x", __be32_to_cpup(keyid));
|
sprintf(str, "%x", __be32_to_cpup(keyid));
|
||||||
log_info("keyid: %s\n", str);
|
log_info("keyid: %s\n", str);
|
||||||
|
}
|
||||||
|
|
||||||
free(pkey);
|
free(pkey);
|
||||||
}
|
}
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user