From 4a96edb6e8d08e1865582b3a5ecbea4cd747c8d4 Mon Sep 17 00:00:00 2001
From: Mimi Zohar
Date: Fri, 10 Jul 2020 11:01:44 -0400
Subject: [PATCH] ima-evm-utils: verify the template data file signature

The file signature stored in the ima_measurement list is verified based on the file hash. Instead of reading the file data to calculate the file hash, compare with the file hash stored in the template data. In both cases, the set of public keys need to be specified. This patch renames the "--list" option to "verify-sig" option.

Signed-off-by: Mimi Zohar
---
 README | 4 +++-
 src/evmctl.c | 12 ++++++------
 2 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/README b/README
index 3603ae8..77429b8 100644
--- a/README
+++ b/README
@@ -31,7 +31,7 @@ COMMANDS
 ima_sign [--sigfile] [--key key] [--pass password] file
 ima_verify file
 ima_hash file
- ima_measurement [--key "key1, key2, ..."] [--list] file
+ ima_measurement [--verify-sig [--key "key1, key2, ..."]] file
 ima_fix [-t fdsxm] path
 sign_hash [--key key] [--pass password]
 hmac [--imahash | --imasig ] file
@@ -59,6 +59,8 @@ OPTIONS
 --m32 force EVM hmac/signature for 32 bit target system
 --m64 force EVM hmac/signature for 64 bit target system
 --engine e preload OpenSSL engine e (such as: gost)
+ --verify-sig verify the file signature based on the file hash, both
+ stored in the template data.
 -v increase verbosity level
 -h, --help display this help and exit
diff --git a/src/evmctl.c b/src/evmctl.c
index 98005dc..8439bec 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -125,7 +125,7 @@ static char *caps_str;
 static char *ima_str;
 static char *selinux_str;
 static char *search_type;
-static int measurement_list;
+static int verify_list_sig;
 static int recursive;
 static int msize;
 static dev_t fs_dev; 
@@ -1565,7 +1565,7 @@ void ima_ng_show(struct template_entry *entry)
 log_info(" ");
 log_dump(sig, sig_len);
 }
- if (measurement_list)
+ if (verify_list_sig)
 err = ima_verify_signature(path, sig, sig_len,
 digest, digest_len);
 else
@@ -2365,7 +2365,7 @@ static void usage(void)
 " --ima use custom IMA signature for EVM\n"
 " --selinux use custom Selinux label for EVM\n"
 " --caps use custom Capabilities for EVM(unspecified: from FS, empty: do not use)\n"
- " --list measurement list verification\n"
+ " --verify-sig verify measurement list signatures\n"
 " --engine e preload OpenSSL engine e (such as: gost)\n"
 " -v increase verbosity level\n"
 " -h, --help display this help and exit\n"
@@ -2383,7 +2383,7 @@ struct command cmds[] = {
 {"ima_verify", cmd_verify_ima, 0, "file", "Verify IMA signature (for debugging).\n"},
 {"ima_setxattr", cmd_setxattr_ima, 0, "[--sigfile file]", "Set IMA signature from sigfile\n"},
 {"ima_hash", cmd_hash_ima, 0, "file", "Make file content hash.\n"},
- {"ima_measurement", cmd_ima_measurement, 0, "[--validate] [--verify] [--pcrs file] file", "Verify measurement list (experimental).\n"},
+ {"ima_measurement", cmd_ima_measurement, 0, "[--validate] [--verify] [--verify-sig [--key key1, key2, ...]] [--pcrs file] file", "Verify measurement list (experimental).\n"},
 {"ima_boot_aggregate", cmd_ima_bootaggr, 0, "[file]", "Calculate per TPM bank boot_aggregate digests\n"},
 {"ima_fix", cmd_ima_fix, 0, "[-t fdsxm] path", "Recursively fix IMA/EVM xattrs in fix mode.\n"},
 {"ima_clear", cmd_ima_clear, 0, "[-t fdsxm] path", "Recursively remove IMA/EVM xattrs.\n"},
@@ -2419,7 +2419,7 @@ static struct option opts[] = {
 {"ima", 1, 0, 135},
 {"selinux", 1, 0, 136},
 {"caps", 2, 0, 137},
- {"list", 0, 0, 138},
+ {"verify-sig", 0, 0, 138},
 {"engine", 1, 0, 139},
 {"xattr-user", 0, 0, 140},
 {"validate", 0, 0, 141}, 
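Review bot: With verify_list_sig set, the signature is checked by ima_verify_signature() against `digest`, the hash carried in the same template entry, rather than against the file on disk, so a pass only shows that the entry's hash/signature pair is internally consistent under a trusted key; it proves nothing about the file unless the measurement list itself has been tied to the TPM PCRs, which presumably is what the sibling `--validate`/`--verify`/`--pcrs` options do. Nothing in the hunk records that dependency, and a later reader is likely to take the branch for a file-integrity check. A comment above the new `if`, along the lines of `/* --verify-sig: check the signature against the template digest, not the file contents; only meaningful for a list already validated against the PCRs. */`, would make the trust boundary explicit. ima_ng_show() starts and ends outside the hunk, and how `err` is consumed is not visible here.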
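Review bot: The new usage line `--verify-sig   verify measurement list signatures` does not say what the README text added in the same patch says (the signature is verified against the file hash stored in the template data) and omits that `--key` must be supplied, which the commit message describes as required in both modes. Suggest wording it as `"  --verify-sig   verify file signatures in the measurement list against the\n"` followed by `"                 template digest (requires --key)\n"` so the two documents agree and the key requirement is visible from `--help`. usage() starts and ends outside the hunk.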
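Review bot: The new ima_measurement help string shows the key list as `--key key1, key2, ...` without quotes, whereas the README hunk in this same patch documents it as one quoted argument, `--key "key1, key2, ..."`; a user copying the help text verbatim would have the shell split the list into several arguments. Suggest `"[--validate] [--verify] [--verify-sig [--key \"key1, key2, ...\"]] [--pcrs file] file"` so the two match. The cmds[] table continues outside the hunk.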
@@ -2584,7 +2584,7 @@ int main(int argc, char *argv[])
 hmac_flags |= HMAC_FLAG_CAPS_SET;
 break;
 case 138:
- measurement_list = 1;
+ verify_list_sig = 1;
 break;
 case 139: /* --engine e */
 eng = ENGINE_by_id(optarg);