Rename "--validate" to "--ignore-violations"

IMA records file "Time of Measure, Time of Use (ToMToU)" and "open writers" integrity violations by adding a record to the measurement list containing one value (0x00's), but extending the TPM with a different value (0xFF's). To avoid known file integrity violations, the builtin "tcb" measurement policy should be replaced with a custom policy as early as possible. This patch renames the existing "--validate" option to "--ignore-violations". Suggested-by: Stephen Smalley <stephen.smalley.work@gmail.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2025-04-27 22:32:31 +02:00 · 2020-07-29 16:44:09 -04:00 · 2020-07-29 16:44:09 -04:00 · 62534f2127
commit 62534f2127
parent 5b58f47570
2 changed files with 9 additions and 8 deletions
--- a/4
+++ b/4
@ -31,7 +31,7 @@ COMMANDS
 ima_sign [--sigfile] [--key key] [--pass password] file
 ima_verify file
 ima_hash file
- ima_measurement [--validate] [--verify-sig [--key "key1, key2, ..."]]  [--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...] file
+ ima_measurement [--ignore-violations] [--verify-sig [--key "key1, key2, ..."]]  [--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...] file
 ima_fix [-t fdsxm] path
 sign_hash [--key key] [--pass password]
 hmac [--imahash | --imasig ] file
@ -60,7 +60,7 @@ OPTIONS
      --m64          force EVM hmac/signature for 64 bit target system
      --engine e     preload OpenSSL engine e (such as: gost)
      --pcrs         file containing TPM pcrs, one per hash-algorithm/bank
-      --validate     ignore ToMToU measurement violations
+      --ignore-violations ignore ToMToU measurement violations
      --verify-sig   verify the file signature based on the file hash, both
                     stored in the template data.
  -v                 increase verbosity level
--- a/src/evmctl.c
+++ b/src/evmctl.c
@ -1392,7 +1392,7 @@ struct template_entry {

 static uint8_t zero[MAX_DIGEST_SIZE];

-static int validate = 0;
+static int ignore_violations = 0;

 static int ima_verify_template_hash(struct template_entry *entry)
 {
@ -1739,7 +1739,7 @@ static void extend_tpm_banks(struct template_entry *entry, int num_banks,
 		 * size.
 		 */
 		if (memcmp(entry->header.digest, zero, SHA_DIGEST_LENGTH) == 0) {
-			if (!validate) {
+			if (!ignore_violations) {
 				memset(bank[i].digest, 0x00, bank[i].digest_size);
 				memset(padded_bank[i].digest, 0x00, padded_bank[i].digest_size);
 			} else {
@ -2467,6 +2467,7 @@ static void usage(void)
 		"      --caps         use custom Capabilities for EVM(unspecified: from FS, empty: do not use)\n"
 		"      --verify-sig   verify measurement list signatures\n"
 		"      --engine e     preload OpenSSL engine e (such as: gost)\n"
+		"      --ignore-violations ignore ToMToU measurement violations"
 		"  -v                 increase verbosity level\n"
 		"  -h, --help         display this help and exit\n"
 		"\n");
@ -2483,7 +2484,7 @@ struct command cmds[] = {
 	{"ima_verify", cmd_verify_ima, 0, "file", "Verify IMA signature (for debugging).\n"},
 	{"ima_setxattr", cmd_setxattr_ima, 0, "[--sigfile file]", "Set IMA signature from sigfile\n"},
 	{"ima_hash", cmd_hash_ima, 0, "file", "Make file content hash.\n"},
-	{"ima_measurement", cmd_ima_measurement, 0, "[--validate] [--verify-sig [--key key1, key2, ...]] [--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...] file", "Verify measurement list (experimental).\n"},
+	{"ima_measurement", cmd_ima_measurement, 0, "[--ignore-violations] [--verify-sig [--key key1, key2, ...]] [--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...] file", "Verify measurement list (experimental).\n"},
 	{"ima_boot_aggregate", cmd_ima_bootaggr, 0, "[file]", "Calculate per TPM bank boot_aggregate digests\n"},
 	{"ima_fix", cmd_ima_fix, 0, "[-t fdsxm] path", "Recursively fix IMA/EVM xattrs in fix mode.\n"},
 	{"ima_clear", cmd_ima_clear, 0, "[-t fdsxm] path", "Recursively remove IMA/EVM xattrs.\n"},
@ -2522,7 +2523,7 @@ static struct option opts[] = {
 	{"verify-sig", 0, 0, 138},
 	{"engine", 1, 0, 139},
 	{"xattr-user", 0, 0, 140},
-	{"validate", 0, 0, 141},
+	{"ignore-violations", 0, 0, 141},
 	{"pcrs", 1, 0, 142},
 	{}

@ -2702,8 +2703,8 @@ int main(int argc, char *argv[])
 			xattr_ima = "user.ima";
 			xattr_evm = "user.evm";
 			break;
-		case 141: /* --validate */
-			validate = 1;
+		case 141: /* --ignore-violations */
+			ignore_violations = 1;
 			break;
 		case 142:
 			if (npcrfile >= MAX_PCRFILE) {