mirror of
https://git.code.sf.net/p/linux-ima/ima-evm-utils
synced 2025-10-31 05:00:41 +01:00
Support different levels of output for "ima_measurement"
Instead of always displaying the entire measurement list, the default behavior is just to return an error. Verbose (-v) displays the key ids used in validating the measurement list, the PCR aggregate and TPM PCR values. Verbose+ (-v -v) also displays the measurement list. Signed-of-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
This commit is contained in:
Mimi Zohar
29
src/evmctl.c
29
src/evmctl.c
@@ -771,6 +771,7 @@ static int verify_evm(const char *file)
|
||||
static int cmd_verify_evm(struct command *cmd)
|
||||
{
|
||||
char *file = g_argv[optind++];
|
||||
int err;
|
||||
|
||||
if (!file) {
|
||||
log_err("Parameters missing\n");
|
||||
@@ -778,7 +779,10 @@ static int cmd_verify_evm(struct command *cmd)
|
||||
return -1;
|
||||
}
|
||||
|
||||
return verify_evm(file);
|
||||
err = verify_evm(file);
|
||||
if (!err && params.verbose >= LOG_INFO)
|
||||
log_info("%s: verification is OK\n", file);
|
||||
return err;
|
||||
}
|
||||
|
||||
static int verify_ima(const char *file)
|
||||
@@ -805,14 +809,19 @@ static int verify_ima(const char *file)
|
||||
static int cmd_verify_ima(struct command *cmd)
|
||||
{
|
||||
char *file = g_argv[optind++];
|
||||
int err;
|
||||
|
||||
errno = 0;
|
||||
if (!file) {
|
||||
log_err("Parameters missing\n");
|
||||
print_usage(cmd);
|
||||
return -1;
|
||||
}
|
||||
|
||||
return verify_ima(file);
|
||||
err = verify_ima(file);
|
||||
if (!err && params.verbose >= LOG_INFO)
|
||||
log_info("%s: verification is OK\n", file);
|
||||
return err;
|
||||
}
|
||||
|
||||
static int cmd_convert(struct command *cmd)
|
||||
@@ -1361,6 +1370,7 @@ void ima_ng_show(struct template_entry *entry)
|
||||
int total_len = entry->template_len, digest_len, len, sig_len;
|
||||
uint8_t *digest, *sig = NULL;
|
||||
char *algo, *path;
|
||||
int err;
|
||||
|
||||
/* get binary digest */
|
||||
field_len = *(uint32_t *)fieldp;
|
||||
@@ -1404,22 +1414,30 @@ void ima_ng_show(struct template_entry *entry)
|
||||
}
|
||||
|
||||
/* ascii_runtime_measurements */
|
||||
if (params.verbose > LOG_INFO) {
|
||||
log_info("%d ", entry->header.pcr);
|
||||
log_dump_n(entry->header.digest, sizeof(entry->header.digest));
|
||||
log_info(" %s %s", entry->name, algo);
|
||||
log_dump_n(digest, digest_len);
|
||||
log_info(" %s", path);
|
||||
}
|
||||
|
||||
if (sig) {
|
||||
if (params.verbose > LOG_INFO) {
|
||||
log_info(" ");
|
||||
log_dump(sig, sig_len);
|
||||
}
|
||||
if (measurement_list)
|
||||
ima_verify_signature(path, sig, sig_len,
|
||||
err = ima_verify_signature(path, sig, sig_len,
|
||||
digest, digest_len);
|
||||
else
|
||||
ima_verify_signature(path, sig, sig_len, NULL, 0);
|
||||
} else
|
||||
err = ima_verify_signature(path, sig, sig_len, NULL, 0);
|
||||
if (!err && params.verbose > LOG_INFO)
|
||||
log_info("%s: verification is OK\n", path);
|
||||
} else {
|
||||
if (params.verbose > LOG_INFO)
|
||||
log_info("\n");
|
||||
}
|
||||
|
||||
if (total_len)
|
||||
log_err("Remain unprocessed data: %d\n", total_len);
|
||||
@@ -1435,6 +1453,7 @@ static int ima_measurement(const char *file)
|
||||
bool verify_failed = false;
|
||||
int i;
|
||||
|
||||
errno = 0;
|
||||
memset(zero, 0, SHA_DIGEST_LENGTH);
|
||||
memset(fox, 0xff, SHA_DIGEST_LENGTH);
|
||||
|
||||
|
||||
@@ -408,9 +408,6 @@ int verify_hash_v1(const char *file, const unsigned char *hash, int size,
|
||||
if (len != sizeof(sighash) || memcmp(out, sighash, len) != 0) {
|
||||
log_err("%s: verification failed: %d\n", file, err);
|
||||
return -1;
|
||||
} else {
|
||||
/*log_info("%s: verification is OK\n", file);*/
|
||||
printf("%s: verification is OK\n", file);
|
||||
}
|
||||
|
||||
return 0;
|
||||
@@ -480,13 +477,15 @@ int verify_hash_v2(const char *file, const unsigned char *hash, int size,
|
||||
struct signature_v2_hdr *hdr = (struct signature_v2_hdr *)sig;
|
||||
const struct RSA_ASN1_template *asn1;
|
||||
|
||||
if (params.verbose > LOG_INFO) {
|
||||
log_info("hash: ");
|
||||
log_dump(hash, size);
|
||||
}
|
||||
|
||||
if (public_keys) {
|
||||
key = find_keyid(hdr->keyid);
|
||||
if (!key) {
|
||||
log_err("%s: Unknown keyid: %x\n", file,
|
||||
log_err("%s: unknown keyid: %x\n", file,
|
||||
__be32_to_cpup(&hdr->keyid));
|
||||
return -1;
|
||||
}
|
||||
@@ -520,9 +519,6 @@ int verify_hash_v2(const char *file, const unsigned char *hash, int size,
|
||||
return -1;
|
||||
}
|
||||
|
||||
/*log_info("%s: verification is OK\n", file);*/
|
||||
printf("%s: verification is OK\n", file);
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
@@ -677,10 +673,12 @@ void calc_keyid_v1(uint8_t *keyid, char *str, const unsigned char *pkey, int len
|
||||
log_debug("keyid: ");
|
||||
log_debug_dump(keyid, 8);
|
||||
|
||||
if (params.verbose > LOG_INFO) {
|
||||
id = __be64_to_cpup((__be64 *) keyid);
|
||||
sprintf(str, "%llX", (unsigned long long)id);
|
||||
log_info("keyid-v1: %s\n", str);
|
||||
}
|
||||
}
|
||||
|
||||
void calc_keyid_v2(uint32_t *keyid, char *str, RSA *key)
|
||||
{
|
||||
@@ -697,8 +695,10 @@ void calc_keyid_v2(uint32_t *keyid, char *str, RSA *key)
|
||||
log_debug("keyid: ");
|
||||
log_debug_dump(keyid, 4);
|
||||
|
||||
if (params.verbose > LOG_INFO) {
|
||||
sprintf(str, "%x", __be32_to_cpup(keyid));
|
||||
log_info("keyid: %s\n", str);
|
||||
}
|
||||
|
||||
free(pkey);
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user