
Support different levels of output for "ima_measurement"

Instead of always displaying the entire measurement list, the default
behavior is just to return an error.  Verbose (-v) displays the key ids
used in validating the measurement list, the PCR aggregate and TPM PCR
values.  Verbose+ (-v -v) also displays the measurement list.

Signed-of-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
This commit is contained in:
Mimi Zohar 2018-02-05 22:40:56 -05:00
parent 057efc397d
commit 360655f059
2 changed files with 47 additions and 28 deletions


@ -771,6 +771,7 @@ static int verify_evm(const char *file)
static int cmd_verify_evm(struct command *cmd) static int cmd_verify_evm(struct command *cmd)
{ {
char *file = g_argv[optind++]; char *file = g_argv[optind++];
int err;
if (!file) { if (!file) {
log_err("Parameters missing\n"); log_err("Parameters missing\n");
@ -778,7 +779,10 @@ static int cmd_verify_evm(struct command *cmd)
return -1; return -1;
} }
return verify_evm(file); err = verify_evm(file);
if (!err && params.verbose >= LOG_INFO)
log_info("%s: verification is OK\n", file);
return err;
} }
static int verify_ima(const char *file) static int verify_ima(const char *file)
@ -805,14 +809,19 @@ static int verify_ima(const char *file)
static int cmd_verify_ima(struct command *cmd) static int cmd_verify_ima(struct command *cmd)
{ {
char *file = g_argv[optind++]; char *file = g_argv[optind++];
int err;
errno = 0;
if (!file) { if (!file) {
log_err("Parameters missing\n"); log_err("Parameters missing\n");
print_usage(cmd); print_usage(cmd);
return -1; return -1;
} }
return verify_ima(file); err = verify_ima(file);
if (!err && params.verbose >= LOG_INFO)
log_info("%s: verification is OK\n", file);
return err;
} }
static int cmd_convert(struct command *cmd) static int cmd_convert(struct command *cmd)
@ -1361,6 +1370,7 @@ void ima_ng_show(struct template_entry *entry)
int total_len = entry->template_len, digest_len, len, sig_len; int total_len = entry->template_len, digest_len, len, sig_len;
uint8_t *digest, *sig = NULL; uint8_t *digest, *sig = NULL;
char *algo, *path; char *algo, *path;
int err;
/* get binary digest */ /* get binary digest */
field_len = *(uint32_t *)fieldp; field_len = *(uint32_t *)fieldp;
@ -1404,22 +1414,30 @@ void ima_ng_show(struct template_entry *entry)
} }
/* ascii_runtime_measurements */ /* ascii_runtime_measurements */
if (params.verbose > LOG_INFO) {
log_info("%d ", entry->header.pcr); log_info("%d ", entry->header.pcr);
log_dump_n(entry->header.digest, sizeof(entry->header.digest)); log_dump_n(entry->header.digest, sizeof(entry->header.digest));
log_info(" %s %s", entry->name, algo); log_info(" %s %s", entry->name, algo);
log_dump_n(digest, digest_len); log_dump_n(digest, digest_len);
log_info(" %s", path); log_info(" %s", path);
}
if (sig) { if (sig) {
if (params.verbose > LOG_INFO) {
log_info(" "); log_info(" ");
log_dump(sig, sig_len); log_dump(sig, sig_len);
}
if (measurement_list) if (measurement_list)
ima_verify_signature(path, sig, sig_len, err = ima_verify_signature(path, sig, sig_len,
digest, digest_len); digest, digest_len);
else else
ima_verify_signature(path, sig, sig_len, NULL, 0); err = ima_verify_signature(path, sig, sig_len, NULL, 0);
} else if (!err && params.verbose > LOG_INFO)
log_info("%s: verification is OK\n", path);
} else {
if (params.verbose > LOG_INFO)
log_info("\n"); log_info("\n");
}
if (total_len) if (total_len)
log_err("Remain unprocessed data: %d\n", total_len); log_err("Remain unprocessed data: %d\n", total_len);
@ -1435,6 +1453,7 @@ static int ima_measurement(const char *file)
bool verify_failed = false; bool verify_failed = false;
int i; int i;
errno = 0;
memset(zero, 0, SHA_DIGEST_LENGTH); memset(zero, 0, SHA_DIGEST_LENGTH);
memset(fox, 0xff, SHA_DIGEST_LENGTH); memset(fox, 0xff, SHA_DIGEST_LENGTH);
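Review bot: In the ima_ng_show hunk at -1404 the return value of ima_verify_signature is now captured in `err`, but it is used only to decide whether to print the OK line; the function is still declared `void` in the hunk header, so a per-entry signature failure is not handed back to ima_measurement, and with the new quiet default the tool can presumably still exit 0 on a list containing bad signatures unless verify_failed is set somewhere outside this hunk. `err` is also left uninitialised on the `sig == NULL` path; `int err = 0;` at the declaration costs nothing and rules out a later accidental read. If propagation is intended, initialise `err`, return it from ima_ng_show (or record it in a file-level failure flag) and let ima_measurement fold it into verify_failed. Separately, the cmd_verify_ima hunk clears `errno` while cmd_verify_evm does not; if the reset matters for the subsequent error reporting, both wrappers should do it. ima_ng_show and ima_measurement both begin and end outside their hunks.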


@ -408,9 +408,6 @@ int verify_hash_v1(const char *file, const unsigned char *hash, int size,
if (len != sizeof(sighash) || memcmp(out, sighash, len) != 0) { if (len != sizeof(sighash) || memcmp(out, sighash, len) != 0) {
log_err("%s: verification failed: %d\n", file, err); log_err("%s: verification failed: %d\n", file, err);
return -1; return -1;
} else {
/*log_info("%s: verification is OK\n", file);*/
printf("%s: verification is OK\n", file);
} }
return 0; return 0;
@ -480,13 +477,15 @@ int verify_hash_v2(const char *file, const unsigned char *hash, int size,
struct signature_v2_hdr *hdr = (struct signature_v2_hdr *)sig; struct signature_v2_hdr *hdr = (struct signature_v2_hdr *)sig;
const struct RSA_ASN1_template *asn1; const struct RSA_ASN1_template *asn1;
if (params.verbose > LOG_INFO) {
log_info("hash: "); log_info("hash: ");
log_dump(hash, size); log_dump(hash, size);
}
if (public_keys) { if (public_keys) {
key = find_keyid(hdr->keyid); key = find_keyid(hdr->keyid);
if (!key) { if (!key) {
log_err("%s: Unknown keyid: %x\n", file, log_err("%s: unknown keyid: %x\n", file,
__be32_to_cpup(&hdr->keyid)); __be32_to_cpup(&hdr->keyid));
return -1; return -1;
} }
@ -520,9 +519,6 @@ int verify_hash_v2(const char *file, const unsigned char *hash, int size,
return -1; return -1;
} }
/*log_info("%s: verification is OK\n", file);*/
printf("%s: verification is OK\n", file);
return 0; return 0;
} }
@ -677,10 +673,12 @@ void calc_keyid_v1(uint8_t *keyid, char *str, const unsigned char *pkey, int len
log_debug("keyid: "); log_debug("keyid: ");
log_debug_dump(keyid, 8); log_debug_dump(keyid, 8);
if (params.verbose > LOG_INFO) {
id = __be64_to_cpup((__be64 *) keyid); id = __be64_to_cpup((__be64 *) keyid);
sprintf(str, "%llX", (unsigned long long)id); sprintf(str, "%llX", (unsigned long long)id);
log_info("keyid-v1: %s\n", str); log_info("keyid-v1: %s\n", str);
} }
}
void calc_keyid_v2(uint32_t *keyid, char *str, RSA *key) void calc_keyid_v2(uint32_t *keyid, char *str, RSA *key)
{ {
@ -697,8 +695,10 @@ void calc_keyid_v2(uint32_t *keyid, char *str, RSA *key)
log_debug("keyid: "); log_debug("keyid: ");
log_debug_dump(keyid, 4); log_debug_dump(keyid, 4);
if (params.verbose > LOG_INFO) {
sprintf(str, "%x", __be32_to_cpup(keyid)); sprintf(str, "%x", __be32_to_cpup(keyid));
log_info("keyid: %s\n", str); log_info("keyid: %s\n", str);
}
free(pkey); free(pkey);
} }
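Review bot: In the calc_keyid_v1 hunk at -677 the `sprintf(str, "%llX", (unsigned long long)id);` that fills the caller-supplied `str` buffer has been moved under `if (params.verbose > LOG_INFO)`, so at the default verbosity the out-parameter is never written and a caller that uses `str` afterwards reads whatever the buffer already held; the calc_keyid_v2 hunk at -697 has the same problem with `sprintf(str, "%x", __be32_to_cpup(keyid));`. Only the logging should be conditional: keep `id = __be64_to_cpup((__be64 *) keyid);` and the `sprintf` unconditional and guard just `log_info("keyid-v1: %s\n", str);`, and likewise in calc_keyid_v2. Whether a current caller relies on `str` at low verbosity is not visible here, but the signatures present it as an output parameter. Both functions begin outside their hunks.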