Support different levels of output for "ima_measurement"

Instead of always displaying the entire measurement list, the default behavior is just to return an error. Verbose (-v) displays the key ids used in validating the measurement list, the PCR aggregate and TPM PCR values. Verbose+ (-v -v) also displays the measurement list. Signed-of-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
2025-04-29 07:03:37 +02:00 · 2018-02-05 22:40:56 -05:00 · 2018-02-05 22:40:56 -05:00 · 360655f059
commit 360655f059
parent 057efc397d
2 changed files with 47 additions and 28 deletions
--- a/src/evmctl.c
+++ b/src/evmctl.c
@ -771,6 +771,7 @@ static int verify_evm(const char *file)
 static int cmd_verify_evm(struct command *cmd)
 {
 	char *file = g_argv[optind++];
+	int err;

 	if (!file) {
 		log_err("Parameters missing\n");
@ -778,7 +779,10 @@ static int cmd_verify_evm(struct command *cmd)
 		return -1;
 	}

-	return verify_evm(file);
+	err = verify_evm(file);
+	if (!err && params.verbose >= LOG_INFO)
+		log_info("%s: verification is OK\n", file);
+	return err;
 }

 static int verify_ima(const char *file)
@ -805,14 +809,19 @@ static int verify_ima(const char *file)
 static int cmd_verify_ima(struct command *cmd)
 {
 	char *file = g_argv[optind++];
+	int err;

+	errno = 0;
 	if (!file) {
 		log_err("Parameters missing\n");
 		print_usage(cmd);
 		return -1;
 	}

-	return verify_ima(file);
+	err = verify_ima(file);
+	if (!err && params.verbose >= LOG_INFO)
+		log_info("%s: verification is OK\n", file);
+	return err;
 }

 static int cmd_convert(struct command *cmd)
@ -1361,6 +1370,7 @@ void ima_ng_show(struct template_entry *entry)
 	int total_len = entry->template_len, digest_len, len, sig_len;
 	uint8_t *digest, *sig = NULL;
 	char *algo, *path;
+	int err;

 	/* get binary digest */
 	field_len = *(uint32_t *)fieldp;
@ -1404,22 +1414,30 @@ void ima_ng_show(struct template_entry *entry)
 	}

 	/* ascii_runtime_measurements */
+	if (params.verbose > LOG_INFO) {
 		log_info("%d ", entry->header.pcr);
 		log_dump_n(entry->header.digest, sizeof(entry->header.digest));
 		log_info(" %s %s", entry->name, algo);
 		log_dump_n(digest, digest_len);
 		log_info(" %s", path);
+	}

 	if (sig) {
+		if (params.verbose > LOG_INFO) {
 			log_info(" ");
 			log_dump(sig, sig_len);
+		}
 		if (measurement_list)
-			ima_verify_signature(path, sig, sig_len,
+			err = ima_verify_signature(path, sig, sig_len,
 						   digest, digest_len);
 		else
-			ima_verify_signature(path, sig, sig_len, NULL, 0);
-	} else
+			err = ima_verify_signature(path, sig, sig_len, NULL, 0);
+		if (!err && params.verbose > LOG_INFO)
+			log_info("%s: verification is OK\n", path);
+	} else {
+		if (params.verbose > LOG_INFO)
 			log_info("\n");
+	}

 	if (total_len)
 		log_err("Remain unprocessed data: %d\n", total_len);
@ -1435,6 +1453,7 @@ static int ima_measurement(const char *file)
 	bool verify_failed = false;
 	int i;

+	errno = 0;
 	memset(zero, 0, SHA_DIGEST_LENGTH);
 	memset(fox, 0xff, SHA_DIGEST_LENGTH);

--- a/src/libimaevm.c
+++ b/src/libimaevm.c
@ -408,9 +408,6 @@ int verify_hash_v1(const char *file, const unsigned char *hash, int size,
 	if (len != sizeof(sighash) || memcmp(out, sighash, len) != 0) {
 		log_err("%s: verification failed: %d\n", file, err);
 		return -1;
-	} else {
-		/*log_info("%s: verification is OK\n", file);*/
-		printf("%s: verification is OK\n", file);
 	}

 	return 0;
@ -480,13 +477,15 @@ int verify_hash_v2(const char *file, const unsigned char *hash, int size,
 	struct signature_v2_hdr *hdr = (struct signature_v2_hdr *)sig;
 	const struct RSA_ASN1_template *asn1;

+	if (params.verbose > LOG_INFO) {
 		log_info("hash: ");
 		log_dump(hash, size);
+	}

 	if (public_keys) {
 		key = find_keyid(hdr->keyid);
 		if (!key) {
-			log_err("%s: Unknown keyid: %x\n", file,
+			log_err("%s: unknown keyid: %x\n", file,
 				__be32_to_cpup(&hdr->keyid));
 			return -1;
 		}
@ -520,9 +519,6 @@ int verify_hash_v2(const char *file, const unsigned char *hash, int size,
 		return -1;
 	}

-	/*log_info("%s: verification is OK\n", file);*/
-	printf("%s: verification is OK\n", file);
-
 	return 0;
 }

@ -677,10 +673,12 @@ void calc_keyid_v1(uint8_t *keyid, char *str, const unsigned char *pkey, int len
 	log_debug("keyid: ");
 	log_debug_dump(keyid, 8);

+	if (params.verbose > LOG_INFO) {
 		id = __be64_to_cpup((__be64 *) keyid);
 		sprintf(str, "%llX", (unsigned long long)id);
 		log_info("keyid-v1: %s\n", str);
 	}
+}

 void calc_keyid_v2(uint32_t *keyid, char *str, RSA *key)
 {
@ -697,8 +695,10 @@ void calc_keyid_v2(uint32_t *keyid, char *str, RSA *key)
 	log_debug("keyid: ");
 	log_debug_dump(keyid, 4);

+	if (params.verbose > LOG_INFO) {
 		sprintf(str, "%x", __be32_to_cpup(keyid));
 		log_info("keyid: %s\n", str);
+	}

 	free(pkey);
 }