ima_evm_utils: indicate "--verify" template data digest failures

Helps to indicate when the template data digest verification fails.
Indicate the problematic record in the measurement list based on
log level and fail verification.

fixes: ff26f9704ec4 ("ima-evm-utils: calculate and verify the template
data digest")

Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Reviewed-by: Petr Vorel <pvorel@suse.cz>

src/evmctl.c

@@ -1444,14 +1444,21 @@ static int verify = 0;
 static int ima_verify_template_hash(struct template_entry *entry)
 {
 	uint8_t digest[SHA_DIGEST_LENGTH];
+	static int line = 0;
+
+	line++;
 
 	if (!memcmp(zero, entry->header.digest, sizeof(digest)))
 		return 0;
 
 	SHA1(entry->template, entry->template_len, digest);
 
-	if (memcmp(digest, entry->header.digest, sizeof(digest)))
+	if (memcmp(digest, entry->header.digest, sizeof(digest))) {
+		if (imaevm_params.verbose > LOG_INFO)
+			log_info("Failed to verify template data digest(line %d).\n",
+				  line);
 		return 1;
+	}
 
 	return 0;
 }
@@ -1892,6 +1899,7 @@ static int ima_measurement(const char *file)
 
 	struct template_entry entry = { .template = 0 };
 	FILE *fp;
+	int verified_template_digest = 0;
 	int err_padded = -1;
 	int err = -1;
 
@@ -2020,8 +2028,12 @@ static int ima_measurement(const char *file)
 		extend_tpm_banks(&entry, num_banks, pseudo_banks,
 				 pseudo_padded_banks);
 
-		if (verify)
+		/* Recalculate and verify template data digest */
-			ima_verify_template_hash(&entry);
+		if (verify) {
+			err = ima_verify_template_hash(&entry);
+			if (err)
+				verified_template_digest = 1;
+		}
 
 		if (is_ima_template)
 			ima_show(&entry);
@@ -2058,6 +2070,11 @@ static int ima_measurement(const char *file)
 			log_info("Failed to match per TPM bank or SHA1 padded TPM digest(s).\n");
 	}
 
+	if (verified_template_digest) {
+		log_info("Failed to verify template data digest.\n");
+		err = 1;
+	}
+
 out:
 	fclose(fp);
 	return err;