From 6baaf7f8766dbfd67fa7d56132c7a1b31e920a7a Mon Sep 17 00:00:00 2001
From: Mimi Zohar
Date: Thu, 9 Jul 2020 23:03:26 -0400
Subject: [PATCH] ima-evm-utils: guarantee the measurement list contains all the records

Reading the TPM PCRs before walking the measurement list guarantees the measurement list contains all the records.

Signed-off-by: Mimi Zohar
---
 src/evmctl.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/src/evmctl.c b/src/evmctl.c
index 5cb7681..1e52f96 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -1875,6 +1875,7 @@ static int ima_measurement(const char *file)
 struct tpm_bank_info *tpm_banks;
 int is_ima_template, cur_template_fmt;
 int num_banks = 0;
+ int tpmbanks = 1;
 int first_record = 1;
 struct template_entry entry = { .template = 0 };
 
@@ -1899,6 +1900,14 @@ static int ima_measurement(const char *file)
 else /* assume read pubkey from x509 cert */
 init_public_keys("/etc/keys/x509_evm.der");
 
+ /*
+ * Reading the PCRs before walking the IMA measurement list
+ * guarantees that all of the measurements are included in
+ * the PCRs.
+ */
+ if (read_tpm_banks(num_banks, tpm_banks) != 0)
+ tpmbanks = 0;
+
 while (fread(&entry.header, sizeof(entry.header), 1, fp)) {
 if (entry.header.name_len > TCG_EVENT_NAME_LEN_MAX) {
 log_err("%d ERROR: event name too long!\n",
@@ -1997,10 +2006,9 @@ static int ima_measurement(const char *file)
 ima_ng_show(&entry);
 }
 
- if (read_tpm_banks(num_banks, tpm_banks) != 0) {
- err = 0;
+ if (tpmbanks == 0)
 log_info("Failed to read any TPM PCRs\n");
- } else {
+ else {
 err = compare_tpm_banks(num_banks, pseudo_banks, tpm_banks);
 if (!err)
 log_info("Matched per TPM bank calculated digest(s).\n");
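Review bot: The new flag `tpmbanks` is a plain `int` used as a boolean whose name differs from the `tpm_banks` pointer (declared in the first hunk) by one underscore, which makes the two easy to confuse in the flag's declaration and in the failure path here; a name that states the meaning, e.g. `int have_tpm_banks = 1;` and `have_tpm_banks = 0;`, would read better. The ordering itself is the right defensive choice: a record extended into the PCRs after the read would still be in the list, so the list can only be a superset of what the PCRs cover, never miss a PCR-extended record. Whether the comparison that runs after the walk tolerates such a superset is not visible in this hunk; if it does not, the new comment could say so in one more line, e.g. ` * Records appended after this read are in the list but not the PCRs.` num_banks is only seen initialised to 0 in the first hunk, so it presumably gets populated before this call — worth confirming. ima_measurement's body continues outside the hunk.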
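Review bot: Dropping `err = 0;` from the failed-PCR-read branch changes what ima_measurement returns on that path: `err` now keeps whatever value the measurement-list walk last left in it, which is not visible in this hunk, instead of a defined 0. If the previous behaviour is intended, restore it explicitly, `if (tpmbanks == 0) { log_info("Failed to read any TPM PCRs\n"); err = 0; }`; if a list that could not be checked against the PCRs should now be reported as a failure, assign a non-zero value there so the caller can distinguish "matched" from "could not verify". In the kernel style this file follows, when one branch needs braces (`else {`) both branches get them, so the `if` branch should keep its braces either way. ima_measurement's body continues past the hunk.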