
ima-evm-utils: add support for validating multiple pcrs

The IMA measurement list may contain records for different PCRs.  This
patch walks the measurement list, calculating a PCR aggregate value for
each PCR.

Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
This commit is contained in:
Mimi Zohar 2018-01-17 21:23:35 -05:00
parent 1a69e42ac1
commit 6921833477
2 changed files with 26 additions and 13 deletions


@ -1407,12 +1407,15 @@ void ima_ng_show(struct template_entry *entry)
static int ima_measurement(const char *file) static int ima_measurement(const char *file)
{ {
uint8_t pcr[SHA_DIGEST_LENGTH] = {0,}; uint8_t pcr[NUM_PCRS][SHA_DIGEST_LENGTH] = {{0}};
uint8_t pcr10[SHA_DIGEST_LENGTH]; uint8_t hwpcr[SHA_DIGEST_LENGTH];
struct template_entry entry = { .template = 0 }; struct template_entry entry = { .template = 0 };
FILE *fp; FILE *fp;
int err = -1; int err = -1;
bool verify_failed = false;
int i;
memset(zero, 0, SHA_DIGEST_LENGTH);
memset(fox, 0xff, SHA_DIGEST_LENGTH); memset(fox, 0xff, SHA_DIGEST_LENGTH);
log_debug("Initial PCR value: "); log_debug("Initial PCR value: ");
@ -1429,7 +1432,8 @@ static int ima_measurement(const char *file)
init_public_keys(params.keyfile); init_public_keys(params.keyfile);
while (fread(&entry.header, sizeof(entry.header), 1, fp)) { while (fread(&entry.header, sizeof(entry.header), 1, fp)) {
ima_extend_pcr(pcr, entry.header.digest, SHA_DIGEST_LENGTH); ima_extend_pcr(pcr[entry.header.pcr], entry.header.digest,
SHA_DIGEST_LENGTH);
if (!fread(entry.name, entry.header.name_len, 1, fp)) { if (!fread(entry.name, entry.header.name_len, 1, fp)) {
log_err("Unable to read template name\n"); log_err("Unable to read template name\n");
@ -1463,23 +1467,29 @@ static int ima_measurement(const char *file)
ima_ng_show(&entry); ima_ng_show(&entry);
} }
tpm_pcr_read(10, pcr10, sizeof(pcr10));
log_info("PCRAgg: "); for (i = 0; i < NUM_PCRS; i++) {
log_dump(pcr, sizeof(pcr)); if (memcmp(pcr[i], zero, SHA_DIGEST_LENGTH) == 0)
continue;
log_info("PCR-10: "); log_info("PCRAgg %.2d: ", i);
log_dump(pcr10, sizeof(pcr10)); log_dump(pcr[i], SHA_DIGEST_LENGTH);
if (memcmp(pcr, pcr10, sizeof(pcr))) { tpm_pcr_read(i, hwpcr, sizeof(hwpcr));
log_err("PCRAgg does not match PCR-10\n"); log_info("HW PCR-%d: ", i);
goto out; log_dump(hwpcr, sizeof(hwpcr));
if (memcmp(pcr[i], hwpcr, sizeof(SHA_DIGEST_LENGTH)) != 0) {
log_err("PCRAgg %d does not match HW PCR-%d\n", i, i);
verify_failed = true;
}
} }
err = 0; if (!verify_failed)
err = 0;
out: out:
fclose(fp); fclose(fp);
return err; return err;
} }
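Review bot: The comparison `memcmp(pcr[i], hwpcr, sizeof(SHA_DIGEST_LENGTH))` in the new verification loop compares only `sizeof(int)` bytes of the digest, not the full `SHA_DIGEST_LENGTH`, so an aggregate whose first few bytes happen to match the hardware PCR is accepted even when the rest differs; it should read `memcmp(pcr[i], hwpcr, SHA_DIGEST_LENGTH)`, matching the zero check two lines above. In the read loop of the earlier hunk, `pcr[entry.header.pcr]` indexes a `NUM_PCRS`-entry stack array with a value taken straight from the measurement list file, before the record is even fully read, so a malformed or hostile list writes past `pcr`; a guard such as `if (entry.header.pcr >= NUM_PCRS) { log_err("Invalid PCR %d\n", entry.header.pcr); goto out; }` belongs before the extend (plus a negative check if `header.pcr` is a signed type, which is not visible here). The return value of `tpm_pcr_read()` is also ignored in the loop, so on a failed read `hwpcr` presumably still holds the previous iteration's value and is compared as if it were PCR `i`; checking it and setting `verify_failed = true` would be safer. ima_measurement begins in an earlier hunk and the lines between the hunks are not shown.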


@ -188,6 +188,9 @@ struct RSA_ASN1_template {
size_t size; size_t size;
}; };
#define NUM_PCRS 20
#define DEFAULT_PCR 10
extern const struct RSA_ASN1_template RSA_ASN1_templates[PKEY_HASH__LAST]; extern const struct RSA_ASN1_template RSA_ASN1_templates[PKEY_HASH__LAST];
extern struct libevm_params params; extern struct libevm_params params;
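Review bot: `NUM_PCRS 20` is added without a comment saying what it bounds or where the number comes from, yet it sizes an array that the other file indexes with a PCR number read from the measurement list, so the limit is security-relevant; as far as I know TPM 2.0 devices typically expose 24 PCRs, which would exceed it, so the origin of 20 is worth stating. Suggest `/* Entries in the per-PCR aggregate table; PCR indexes read from a measurement list must be checked against this bound. */` above the define. `DEFAULT_PCR` is not used anywhere in these hunks, so a one-line comment on what it is the default for would help the next reader.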