diff --git a/ChangeLog b/ChangeLog deleted file mode 100644 index d8ba520..0000000 --- a/ChangeLog +++ /dev/null @@ -1,184 +0,0 @@ -2020-07-21 Mimi Zohar - - version 1.3 new features: - * NEW ima-evm-utils regression test infrastructure with two initial - tests: - - ima_hash.test: calculate/verify different crypto hash algorithms - - sign_verify.test: EVM and IMA sign/verify signature tests - * TPM 2.0 support - - Calculate the new per TPM 2.0 bank template data digest - - Support original padding the SHA1 template data digest - - Compare ALL the re-calculated TPM 2.0 bank PCRs against the - TPM 2.0 bank PCR values - - Calculate the per TPM bank "boot_aggregate" values, including - PCRs 8 & 9 in calculation - - Support reading the per TPM 2.0 Bank PCRs using Intel's TSS - - boot_aggregate.test: compare the calculated "boot_aggregate" - values with the "boot_aggregate" value included in the IMA - measurement. - * TPM 1.2 support - - Additionally support reading the TPM 1.2 PCRs from a supplied file - ("--pcrs" option) - * Based on original IMA LTP and standalone version support - - Calculate the TPM 1.2 "boot_aggregate" based on the exported - TPM 1.2 BIOS event log. - - In addition to verifying the IMA measurement list against the - the TPM PCRs, verify the IMA template data digest against the - template data. (Based on LTP "--verify" option.) - - Ignore file measurement violations while verifying the IMA - measurment list. (Based on LTP "--validate" option.) - - Verify the file data signature included in the measurement list - based on the file hash also included in the measurement list - (--verify-sig) - - Support original "ima" template (mixed templates not supported) - * Support "sm3" crypto name - - Bug fixes and code cleanup: - * Don't exit with -1 on failure, exit with 125 - * On signature verification failure, include pathname. - * Provide minimal hash_info.h file in case one doesn't exist, needed - by the ima-evm-utils regression tests. - * On systems with TPM 1.2, skip "boot_aggregate.test" using sample logs - * Fix hash_algo type comparison mismatch - * Simplify/clean up code - * Address compiler complaints and failures - * Fix memory allocations and leaks - * Sanity check provided input files are regular files - * Revert making "tsspcrread" a compile build time decision. - * Limit additional messages based on log level (-v) - -2019-07-30 Mimi Zohar - - version 1.2.1 Bug fixes: - * When verifying multiple file signatures, return correct status - * Don't automatically use keys from x509 certs if user supplied "--rsa" - * Fix verifying DIGSIG_VERSION_1 signatures - * autoconf, openssl fixes - - -2019-07-24 Mimi Zohar - - version 1.2 new features: - * Generate EVM signatures based on the specified hash algorithm - * include "security.apparmor" in EVM signature - * Add support for writing & verifying "user.xxxx" xattrs for testing - * Support Strebog/Gost hash functions - * Add OpenSSL engine support - * Use of EVP_PKEY OpenSSL API to generate/verify v2 signatures - * Support verifying multiple signatures at once - * Support new template "buf" field and warn about other unknown fields - * Improve OpenSSL error reporting - * Support reading TPM 2.0 PCRs using tsspcrread - - Bug fixes and code cleanup: - * Update manpage stylesheet detection - * Fix xattr.h include file - * On error when reading TPM PCRs, don't log gargabe - * Properly return keyid string to calc_keyid_v1/v2 callers, caused by - limiting keyid output to verbose mode - * Fix hash buffer overflow caused by EVM support for larger hashes, - defined MAX_DIGEST_SIZE and MAX_SIGNATURE_SIZE, and added "asserts". - * Linked with libcrypto instead of OpenSSL - * Updated Autotools, replacing INCLUDES with AM_CPPFLAGS - * Include new "hash-info.gen" in tar - * Log the hash algorithm, not just the hash value - * Fixed memory leaks in: EV_MD_CTX, init_public_keys - * Fixed other warnings/bugs discovered by clang, coverity - * Remove indirect calls in verify_hash() to improve code readability - * Don't fallback to using sha1 - * Namespace some too generic object names - * Make functions/arrays static if possible - - -2018-01-28 Mimi Zohar - - version 1.1 - * Support the new openssl 1.1 api - * Support for validating multiple pcrs - * Verify the measurement list signature based on the list digest - * Verify the "ima-sig" measurement list using multiple keys - * Fixed parsing the measurement template data field length - * Portable & immutable EVM signatures (new format) - * Multiple fixes that have been lingering in the next branch. Some - are for experimental features that are not yet supported in the - kernel. - -2014-07-30 Dmitry Kasatkin - - version 1.0 - * Recursive hashing - * Immutable EVM signatures (experimental) - * Command 'ima_clear' to remove xattrs - * Support for passing password to the library - * Support for asking password safely from the user - -2014-09-23 Dmitry Kasatkin - - version 0.9 - * Updated README - * man page generated and added to the package - * Use additional SMACK xattrs for EVM signature generation - * Signing functions moved to libimaevm for external use (RPM) - * Fixed setting of correct hash header - -2014-05-05 Dmitry Kasatkin - - version 0.8 - * Symbilic names for keyrings - * Hash list signing - * License text fix for using OpenSSL - * Help output fix - -2014-02-17 Dmitry Kasatkin - - version 0.7 - * Fix symbolic links related bugs - * Provide recursive fixing - * Provide recursive signing - * Move IMA verification to the library (first for LTP use) - * Support for target architecture data size - * Remove obsolete module signing code - * Code cleanup - -2013-08-28 Dmitry Kasatkin - - version 0.6 - * support for asymmetric crypto keys and new signature format (v2) - * fixes to set correct hash algo for digital signature v1 - * uuid support for EVM - * signature verification support - * test scripts removed - * README updates - -2012-05-18 Dmitry Kasatkin - - version 0.3 - * llistxattr returns 0 if there are no xattrs and it is valid - * Added entry type to directory hash calculation - * inline block variable renamed - * Remove forced tag creation - * Use libexec for programs and scripts - * Some files updated - * Do not search for algorithm as it is known - * Refactored to remove redundant hash initialization code - * Added hash calculation for special files - -2012-04-05 Dmitry Kasatkin - - version 0.2 - * added RPM & TAR building makefile rules - * renamed evm-utils to ima-evm-utils - * added command options description - * updated error handling - * refactored redundant code - -2012-04-02 Dmitry Kasatkin - - version 0.1.0 - * Fully functional version for lastest 3.x kernels - -2011-08-24 Dmitry Kasatkin - - version 0.1 - * Initial public version. - diff --git a/NEWS b/NEWS index e69de29..d8ba520 100644 --- a/NEWS +++ b/NEWS @@ -0,0 +1,184 @@ +2020-07-21 Mimi Zohar + + version 1.3 new features: + * NEW ima-evm-utils regression test infrastructure with two initial + tests: + - ima_hash.test: calculate/verify different crypto hash algorithms + - sign_verify.test: EVM and IMA sign/verify signature tests + * TPM 2.0 support + - Calculate the new per TPM 2.0 bank template data digest + - Support original padding the SHA1 template data digest + - Compare ALL the re-calculated TPM 2.0 bank PCRs against the + TPM 2.0 bank PCR values + - Calculate the per TPM bank "boot_aggregate" values, including + PCRs 8 & 9 in calculation + - Support reading the per TPM 2.0 Bank PCRs using Intel's TSS + - boot_aggregate.test: compare the calculated "boot_aggregate" + values with the "boot_aggregate" value included in the IMA + measurement. + * TPM 1.2 support + - Additionally support reading the TPM 1.2 PCRs from a supplied file + ("--pcrs" option) + * Based on original IMA LTP and standalone version support + - Calculate the TPM 1.2 "boot_aggregate" based on the exported + TPM 1.2 BIOS event log. + - In addition to verifying the IMA measurement list against the + the TPM PCRs, verify the IMA template data digest against the + template data. (Based on LTP "--verify" option.) + - Ignore file measurement violations while verifying the IMA + measurment list. (Based on LTP "--validate" option.) + - Verify the file data signature included in the measurement list + based on the file hash also included in the measurement list + (--verify-sig) + - Support original "ima" template (mixed templates not supported) + * Support "sm3" crypto name + + Bug fixes and code cleanup: + * Don't exit with -1 on failure, exit with 125 + * On signature verification failure, include pathname. + * Provide minimal hash_info.h file in case one doesn't exist, needed + by the ima-evm-utils regression tests. + * On systems with TPM 1.2, skip "boot_aggregate.test" using sample logs + * Fix hash_algo type comparison mismatch + * Simplify/clean up code + * Address compiler complaints and failures + * Fix memory allocations and leaks + * Sanity check provided input files are regular files + * Revert making "tsspcrread" a compile build time decision. + * Limit additional messages based on log level (-v) + +2019-07-30 Mimi Zohar + + version 1.2.1 Bug fixes: + * When verifying multiple file signatures, return correct status + * Don't automatically use keys from x509 certs if user supplied "--rsa" + * Fix verifying DIGSIG_VERSION_1 signatures + * autoconf, openssl fixes + + +2019-07-24 Mimi Zohar + + version 1.2 new features: + * Generate EVM signatures based on the specified hash algorithm + * include "security.apparmor" in EVM signature + * Add support for writing & verifying "user.xxxx" xattrs for testing + * Support Strebog/Gost hash functions + * Add OpenSSL engine support + * Use of EVP_PKEY OpenSSL API to generate/verify v2 signatures + * Support verifying multiple signatures at once + * Support new template "buf" field and warn about other unknown fields + * Improve OpenSSL error reporting + * Support reading TPM 2.0 PCRs using tsspcrread + + Bug fixes and code cleanup: + * Update manpage stylesheet detection + * Fix xattr.h include file + * On error when reading TPM PCRs, don't log gargabe + * Properly return keyid string to calc_keyid_v1/v2 callers, caused by + limiting keyid output to verbose mode + * Fix hash buffer overflow caused by EVM support for larger hashes, + defined MAX_DIGEST_SIZE and MAX_SIGNATURE_SIZE, and added "asserts". + * Linked with libcrypto instead of OpenSSL + * Updated Autotools, replacing INCLUDES with AM_CPPFLAGS + * Include new "hash-info.gen" in tar + * Log the hash algorithm, not just the hash value + * Fixed memory leaks in: EV_MD_CTX, init_public_keys + * Fixed other warnings/bugs discovered by clang, coverity + * Remove indirect calls in verify_hash() to improve code readability + * Don't fallback to using sha1 + * Namespace some too generic object names + * Make functions/arrays static if possible + + +2018-01-28 Mimi Zohar + + version 1.1 + * Support the new openssl 1.1 api + * Support for validating multiple pcrs + * Verify the measurement list signature based on the list digest + * Verify the "ima-sig" measurement list using multiple keys + * Fixed parsing the measurement template data field length + * Portable & immutable EVM signatures (new format) + * Multiple fixes that have been lingering in the next branch. Some + are for experimental features that are not yet supported in the + kernel. + +2014-07-30 Dmitry Kasatkin + + version 1.0 + * Recursive hashing + * Immutable EVM signatures (experimental) + * Command 'ima_clear' to remove xattrs + * Support for passing password to the library + * Support for asking password safely from the user + +2014-09-23 Dmitry Kasatkin + + version 0.9 + * Updated README + * man page generated and added to the package + * Use additional SMACK xattrs for EVM signature generation + * Signing functions moved to libimaevm for external use (RPM) + * Fixed setting of correct hash header + +2014-05-05 Dmitry Kasatkin + + version 0.8 + * Symbilic names for keyrings + * Hash list signing + * License text fix for using OpenSSL + * Help output fix + +2014-02-17 Dmitry Kasatkin + + version 0.7 + * Fix symbolic links related bugs + * Provide recursive fixing + * Provide recursive signing + * Move IMA verification to the library (first for LTP use) + * Support for target architecture data size + * Remove obsolete module signing code + * Code cleanup + +2013-08-28 Dmitry Kasatkin + + version 0.6 + * support for asymmetric crypto keys and new signature format (v2) + * fixes to set correct hash algo for digital signature v1 + * uuid support for EVM + * signature verification support + * test scripts removed + * README updates + +2012-05-18 Dmitry Kasatkin + + version 0.3 + * llistxattr returns 0 if there are no xattrs and it is valid + * Added entry type to directory hash calculation + * inline block variable renamed + * Remove forced tag creation + * Use libexec for programs and scripts + * Some files updated + * Do not search for algorithm as it is known + * Refactored to remove redundant hash initialization code + * Added hash calculation for special files + +2012-04-05 Dmitry Kasatkin + + version 0.2 + * added RPM & TAR building makefile rules + * renamed evm-utils to ima-evm-utils + * added command options description + * updated error handling + * refactored redundant code + +2012-04-02 Dmitry Kasatkin + + version 0.1.0 + * Fully functional version for lastest 3.x kernels + +2011-08-24 Dmitry Kasatkin + + version 0.1 + * Initial public version. + diff --git a/configure.ac b/configure.ac index 772b025..971a712 100644 --- a/configure.ac +++ b/configure.ac @@ -2,7 +2,7 @@ AC_PREREQ([2.65]) AC_INIT(ima-evm-utils, 1.3, zohar@linux.ibm.com) -AM_INIT_AUTOMAKE +AM_INIT_AUTOMAKE([foreign]) AC_CONFIG_HEADERS([config.h]) AC_CONFIG_MACRO_DIR([m4])