From fbd96c98c553fcc573ac365cda9a0ed9d7bd7bd4 Mon Sep 17 00:00:00 2001 From: Mimi Zohar Date: Wed, 29 Jul 2020 17:25:25 -0400 Subject: [PATCH 01/16] Update the ima_boot_aggregate apsects of the "README" and "help" files Add the missing "evmctl ima_boot_aggregate" info to the README. Update the "help" to include the new "--pcrs" option. In addition, replace the "file" option with "TPM 1.2 BIOS event log". The new format is: ima_boot_aggregate [--pcrs hash-algorithm,file] [TPM 1.2 BIOS event log] Reminder: calculating the TPM PCRs based on the BIOS event log and comparing them with the TPM PCRs should be done prior to calculating the possible boot_aggregate value(s). For TPM 1.2, the TPM 1.2 BIOS event log may be provided as an option when calculating the ima_boot_aggregate. For TPM 2.0, "tsseventextend -sim -if -ns -v", may be used to validate the TPM 2.0 event log. (Note: some TPM 2.0's export the BIOS event log in the TPM 1.2 format.) Signed-off-by: Mimi Zohar --- README | 1 + src/evmctl.c | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/README b/README index b37325f..321045d 100644 --- a/README +++ b/README @@ -28,6 +28,7 @@ COMMANDS import [--rsa] pubkey keyring sign [-r] [--imahash | --imasig ] [--portable] [--key key] [--pass password] file verify file + ima_boot_aggregate [--pcrs hash-algorithm,file] [TPM 1.2 BIOS event log] ima_sign [--sigfile] [--key key] [--pass password] file ima_verify file ima_hash file diff --git a/src/evmctl.c b/src/evmctl.c index 7ad1150..de7299d 100644 --- a/src/evmctl.c +++ b/src/evmctl.c 
@@ -2485,7 +2485,7 @@ struct command cmds[] = { {"ima_setxattr", cmd_setxattr_ima, 0, "[--sigfile file]", "Set IMA signature from sigfile\n"}, {"ima_hash", cmd_hash_ima, 0, "file", "Make file content hash.\n"}, {"ima_measurement", cmd_ima_measurement, 0, "[--ignore-violations] [--verify-sig [--key key1, key2, ...]] [--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...] file", "Verify measurement list (experimental).\n"}, - {"ima_boot_aggregate", cmd_ima_bootaggr, 0, "[file]", "Calculate per TPM bank boot_aggregate digests\n"}, + {"ima_boot_aggregate", cmd_ima_bootaggr, 0, "[--pcrs hash-algorithm,file] [TPM 1.2 BIOS event log]", "Calculate per TPM bank boot_aggregate digests\n"}, {"ima_fix", cmd_ima_fix, 0, "[-t fdsxm] path", "Recursively fix IMA/EVM xattrs in fix mode.\n"}, {"ima_clear", cmd_ima_clear, 0, "[-t fdsxm] path", "Recursively remove IMA/EVM xattrs.\n"}, {"sign_hash", cmd_sign_hash, 0, "[--key key] [--pass [password]", "Sign hashes from shaXsum output.\n"}, From d5aed92be4c082ee56feca66ac0896107dc1b0b6 Mon Sep 17 00:00:00 2001 From: Mimi Zohar Date: Fri, 31 Jul 2020 14:24:04 -0400 Subject: [PATCH 02/16] travis: define travis.yml Initial travis.yml file without the "boot_aggregate" test. Signed-off-by: Mimi Zohar --- .travis.yml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 .travis.yml diff --git a/.travis.yml b/.travis.yml new file mode 100644 index 0000000..bf28789 --- /dev/null +++ b/.travis.yml @@ -0,0 +1,18 @@ +language: C +addons: + apt: + packages: + - libkeyutils-dev + - libattr1-dev + - attr + - openssl + - libssl-dev + - asciidoc + - xsltproc + - docbook-xsl + - docbook-xml +script: + - autoreconf -i && ./configure && make -j$(nproc) && sudo make install && VERBOSE=1 make check TESTS="ima_hash.test sign_verify.test"; + + - tail -3 tests/ima_hash.log; + - tail -3 tests/sign_verify.log; From 9cd7edf1e042b85048714da96cfa9a5c5c99e2b1 Mon Sep 17 00:00:00 2001 
From: Mimi Zohar Date: Fri, 31 Jul 2020 14:24:05 -0400 Subject: [PATCH 03/16] travis: download, compile, and install a swTPM Verifying the "boot_aggregate" requires reading the TPM PCRs for each of the TPM banks. In test environments without a physical TPM, a software TPM may be used. Signed-off-by: Mimi Zohar --- .travis.yml | 2 ++ tests/install-swtpm.sh | 11 +++++++++++ 2 files changed, 13 insertions(+) create mode 100755 tests/install-swtpm.sh diff --git a/.travis.yml b/.travis.yml index bf28789..fa2a376 100644 --- a/.travis.yml +++ b/.travis.yml @@ -11,6 +11,8 @@ addons: - xsltproc - docbook-xsl - docbook-xml +install: + - ./tests/install-swtpm.sh script: - autoreconf -i && ./configure && make -j$(nproc) && sudo make install && VERBOSE=1 make check TESTS="ima_hash.test sign_verify.test"; diff --git a/tests/install-swtpm.sh b/tests/install-swtpm.sh new file mode 100755 index 0000000..071e9c9 --- /dev/null +++ b/tests/install-swtpm.sh @@ -0,0 +1,11 @@ +#!/bin/sh + +set -ex +wget https://sourceforge.net/projects/ibmswtpm2/files/ibmtpm1332.tar.gz/download +mkdir ibmtpm1332 +cd ibmtpm1332 +tar -xvzf ../download +cd src +make -j$(nproc) +sudo cp tpm_server /usr/local/bin/ +cd ../.. From f2fe5929075fbcc47543ca21fcc364cbe59dd397 Mon Sep 17 00:00:00 2001 From: Mimi Zohar Date: Fri, 31 Jul 2020 14:24:06 -0400 Subject: [PATCH 04/16] travis: dependency on TSS for initializing software TPM Verifying the "boot_aggregate" requires reading the TPM PCRs for each of the TPM banks. In test environments without a physical TPM, a software TPM may be used, but requires initializing the TPM PCRs. By walking and replaying the TPM event log, a software TPM may be properly initialized. Signed-off-by: Mimi Zohar --- .travis.yml | 4 +++- tests/install-tss.sh | 8 ++++++++ 2 files changed, 11 insertions(+), 1 deletion(-) create mode 100755 tests/install-tss.sh diff --git a/.travis.yml b/.travis.yml index fa2a376..0a34765 100644 --- a/.travis.yml +++ b/.travis.yml 
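Review bot: The archive fetched by the `wget` line in tests/install-swtpm.sh is extracted, built and copied into `/usr/local/bin` with `sudo` without any integrity check on what was downloaded. Because the archive is version-specific, a pinned digest can be verified before `tar -xvzf ../download`, e.g. `echo "<SHA256-OF-ibmtpm1332.tar.gz>  download" | sha256sum -c -` (placeholder digest to be taken from a trusted copy). With `set -ex` already in place, a mismatch stops the script before a substituted or truncated download becomes the CI image's TPM simulator.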
@@ -13,8 +13,10 @@ addons: - docbook-xml install: - ./tests/install-swtpm.sh + - ./tests/install-tss.sh script: - - autoreconf -i && ./configure && make -j$(nproc) && sudo make install && VERBOSE=1 make check TESTS="ima_hash.test sign_verify.test"; + - autoreconf -i && ./configure && make -j$(nproc) && sudo make install && VERBOSE=1 make check; - tail -3 tests/ima_hash.log; - tail -3 tests/sign_verify.log; + - tail -3 tests/boot_aggregate.log; diff --git a/tests/install-tss.sh b/tests/install-tss.sh new file mode 100755 index 0000000..c9c179e --- /dev/null +++ b/tests/install-tss.sh @@ -0,0 +1,8 @@ +#!/bin/sh + +set -ex +git clone https://git.code.sf.net/p/ibmtpm20tss/tss +cd tss +autoreconf -i && ./configure --disable-tpm-1.2 --disable-hwtpm && make -j$(nproc) && sudo make install +cd .. +rm -rf tss From 3ff5d99edc435b85e58ee812e0c13b81c702e2ea Mon Sep 17 00:00:00 2001 From: Mimi Zohar Date: Fri, 31 Jul 2020 14:24:07 -0400 Subject: [PATCH 05/16] travis: support tpm2-tss Running the "boot_aggregate" test without a physical TPM, requires installing and initializing a software TPM. For now, use the same method of initializing the TPM, based on the IBM tss, for both the IBM and Intel's tss. Build both the IBM and INTEL's tss. Signed-off-by: Mimi Zohar --- .travis.yml | 17 ++++++++++++++++- tests/install-tpm2-tss.sh | 19 +++++++++++++++++++ 2 files changed, 35 insertions(+), 1 deletion(-) create mode 100755 tests/install-tpm2-tss.sh diff --git a/.travis.yml b/.travis.yml index 0a34765..11a827c 100644 --- a/.travis.yml +++ b/.travis.yml 
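Review bot: `git clone https://git.code.sf.net/p/ibmtpm20tss/tss` in tests/install-tss.sh builds whatever the upstream default branch currently points at and then runs `sudo make install` on it, so the CI build is neither reproducible nor isolated from an upstream breakage or a compromised push. Pinning a release makes the installed TSS deterministic: `git clone --depth 1 --branch <TSS-TAG-PLACEHOLDER> https://git.code.sf.net/p/ibmtpm20tss/tss`, or a `git checkout <COMMIT-PLACEHOLDER>` right after the clone. The same consideration applies to the clones in tests/install-tpm2-tss.sh introduced by the next patch.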
@@ -11,12 +11,27 @@ addons: - xsltproc - docbook-xsl - docbook-xml +matrix: + include: + - env: TSS=ibmtss + - env: TSS=tpm2-tss install: + - if [ "${TSS}" = "tpm2-tss" ]; then + sudo apt-get install lcov pandoc autoconf-archive liburiparser-dev; + sudo apt-get install libdbus-1-dev libglib2.0-dev dbus-x11 libgcrypt-dev; + sudo apt-get install libssl-dev doxygen libjson-c-dev; + sudo apt-get install libini-config-dev libltdl-dev; + sudo apt-get install uuid-dev libcurl4-openssl-dev; + ./tests/install-tpm2-tss.sh; + fi - ./tests/install-swtpm.sh - ./tests/install-tss.sh + script: + - export LD_LIBRARY_PATH=/usr/local/lib64:/usr/local/lib; + - export PATH=$PATH:/usr/local/bin; - autoreconf -i && ./configure && make -j$(nproc) && sudo make install && VERBOSE=1 make check; - tail -3 tests/ima_hash.log; - tail -3 tests/sign_verify.log; - - tail -3 tests/boot_aggregate.log; + - tail -20 tests/boot_aggregate.log; diff --git a/tests/install-tpm2-tss.sh b/tests/install-tpm2-tss.sh new file mode 100755 index 0000000..7a71b57 --- /dev/null +++ b/tests/install-tpm2-tss.sh @@ -0,0 +1,19 @@ +#!/bin/sh + +git clone https://github.com/tpm2-software/tpm2-tss.git +cd tpm2-tss +./bootstrap +./configure +make -j$(nproc) +sudo make install +sudo ldconfig +cd .. +rm -rf tpm2-tss + +git clone https://github.com/tpm2-software/tpm2-tools.git +cd tpm2-tools +./bootstrap && ./configure --prefix=/usr +make -j$(nproc) +sudo make install +cd .. +rm -rf tpm2-tools From 1b5146db99a4fed8aac64dcdd6550e9d8055f3bc Mon Sep 17 00:00:00 2001 From: Mimi Zohar Date: Mon, 3 Aug 2020 14:14:42 -0400 Subject: [PATCH 06/16] travis: define dist as "bionic" Default to using "bionic". Mimi Zohar --- .travis.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.travis.yml b/.travis.yml index 11a827c..cdfba49 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,3 +1,4 @@ +dist: bionic language: C addons: apt: From 3b70893edfe1040cb7993677b537ce059d6ba71d Mon Sep 17 00:00:00 2001 
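Review bot: The five `sudo apt-get install ...` commands in the new `install:` block are chained with `;`, so a failure in any of them is invisible to Travis, which only sees the exit status of `./tests/install-tpm2-tss.sh` at the end of the `if`. They also run without `-y`; unless apt is configured non-interactively in this image, apt-get aborts at its confirmation prompt when it has no terminal. Chaining with `&&` and adding `-y`, e.g. `sudo apt-get install -y lcov pandoc autoconf-archive liburiparser-dev &&`, makes a missing package fail the phase where it happens instead of surfacing later as a build error.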
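Review bot: tests/install-tpm2-tss.sh has no `set -e`, unlike install-swtpm.sh and install-tss.sh, so if `git clone` or `cd tpm2-tss` fails the remaining commands (`./bootstrap`, `./configure`, `sudo make install`, `rm -rf tpm2-tss`) run in the current directory and the script still exits 0; the tpm2-tools half behaves the same way. Add `set -ex` after the shebang as the sibling scripts do. Both clones also build an unpinned HEAD, so `--depth 1 --branch <TAG-PLACEHOLDER>` on each would make the installed libraries reproducible across runs.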
From: Petr Vorel Date: Thu, 13 Aug 2020 20:25:24 +0200 Subject: [PATCH 07/16] configure: Fix tss2-esys check Check tss2-esys with Esys_Free() instead of Esys_PCR_Read(). That should be the newest dependency. That means we depend on tss2-esys >= 2.1.0 instead of 2.0.0. Signed-off-by: Petr Vorel Reviewed-by: Bruno Meneguele (Fedora,CentOS 8(RHEL actually)) Signed-off-by: Mimi Zohar --- configure.ac | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/configure.ac b/configure.ac index 971a712..8e13b61 100644 --- a/configure.ac +++ b/configure.ac @@ -30,9 +30,9 @@ AC_SUBST(KERNEL_HEADERS) AC_CHECK_HEADER(unistd.h) AC_CHECK_HEADERS(openssl/conf.h) -AC_CHECK_LIB([tss2-esys], [Esys_PCR_Read]) +AC_CHECK_LIB([tss2-esys], [Esys_Free]) AC_CHECK_LIB([tss2-rc], [Tss2_RC_Decode]) -AM_CONDITIONAL([USE_PCRTSS], [test "x$ac_cv_lib_tss2_esys_Esys_PCR_Read" = "xyes"]) +AM_CONDITIONAL([USE_PCRTSS], [test "x$ac_cv_lib_tss2_esys_Esys_Free" = "xyes"]) AC_CHECK_HEADERS(sys/xattr.h, , [AC_MSG_ERROR([sys/xattr.h header not found. You need the c-library development package.])]) AC_CHECK_HEADERS(keyutils.h, , [AC_MSG_ERROR([keyutils.h header not found. You need the libkeyutils development package.])]) @@ -77,6 +77,6 @@ echo echo "Configuration:" echo " debug: $pkg_cv_enable_debug" echo " openssl-conf: $enable_openssl_conf" -echo " tss2-esys: $ac_cv_lib_tss2_esys_Esys_PCR_Read" +echo " tss2-esys: $ac_cv_lib_tss2_esys_Esys_Free" echo " tss2-rc-decode: $ac_cv_lib_tss2_rc_Tss2_RC_Decode" echo From 9620d8b70dc1b30afa56003b2c7a4636068bcb73 Mon Sep 17 00:00:00 2001 From: Petr Vorel Date: Thu, 13 Aug 2020 20:25:25 +0200 Subject: [PATCH 08/16] man: Fix xmlcatalog path detection for catalogs which return plain file path (e.g. /usr/.../manpages/docbook.xsl) instead of URI which starts with file://). In that case sed printed empty string. Fixes: 5fa7d35 ("autotools: Try to find correct manpage stylesheet path") 
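Review bot: The `AM_CONDITIONAL([USE_PCRTSS], ...)` line and the summary `echo` in the second hunk both spell out the cache variable of the probed symbol (`ac_cv_lib_tss2_esys_Esys_Free`), which is why swapping `Esys_PCR_Read` for `Esys_Free` had to touch three places. Capturing the result once decouples them: `AC_CHECK_LIB([tss2-esys], [Esys_Free], [have_tss2_esys=yes], [have_tss2_esys=no])`, then `AM_CONDITIONAL([USE_PCRTSS], [test "x$have_tss2_esys" = "xyes"])` and `echo "  tss2-esys: $have_tss2_esys"`. Note that giving AC_CHECK_LIB an explicit action-if-found suppresses its default of prepending `-ltss2-esys` to LIBS and defining HAVE_LIBTSS2_ESYS, so keep the default actions if the build relies on them.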
Signed-off-by: Petr Vorel Reviewed-by: Bruno Meneguele (Fedora,CentOS 8(RHEL actually)) Signed-off-by: Mimi Zohar --- m4/manpage-docbook-xsl.m4 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/m4/manpage-docbook-xsl.m4 b/m4/manpage-docbook-xsl.m4 index 24ae55a..2d8436e 100644 --- a/m4/manpage-docbook-xsl.m4 +++ b/m4/manpage-docbook-xsl.m4 @@ -1,4 +1,4 @@ -dnl Copyright (c) 2018 Petr Vorel +dnl Copyright (c) 2018-2020 Petr Vorel dnl Find docbook manpage stylesheet AC_DEFUN([EVMCTL_MANPAGE_DOCBOOK_XSL], [ @@ -19,7 +19,7 @@ AC_DEFUN([EVMCTL_MANPAGE_DOCBOOK_XSL], [ if test "x${XMLCATALOG}" != "x" -a "x$have_xmlcatalog_file" = "xyes"; then DOCBOOK_XSL_URI="http://docbook.sourceforge.net/release/xsl/current" DOCBOOK_XSL_PATH="manpages/docbook.xsl" - MANPAGE_DOCBOOK_XSL=$(${XMLCATALOG} ${XML_CATALOG_FILE} ${DOCBOOK_XSL_URI}/${DOCBOOK_XSL_PATH} | sed -n 's|^file:/\+|/|p;q') + MANPAGE_DOCBOOK_XSL=$(${XMLCATALOG} ${XML_CATALOG_FILE} ${DOCBOOK_XSL_URI}/${DOCBOOK_XSL_PATH} | sed 's|^file:/\+|/|') fi if test "x${MANPAGE_DOCBOOK_XSL}" = "x"; then MANPAGE_DOCBOOK_XSL="/usr/share/xml/docbook/stylesheet/docbook-xsl/manpages/docbook.xsl" From 4a67103e9d9280273b349aebeedbb37eb3870aeb Mon Sep 17 00:00:00 2001 From: Petr Vorel Date: Thu, 13 Aug 2020 20:25:26 +0200 Subject: [PATCH 09/16] man: Generate doc targets only when XSL found As requiring manpages/docbook.xsl breaks build if not found. Also rewrite the check to add more debug info. Signed-off-by: Petr Vorel Reviewed-by: Bruno Meneguele (Fedora,CentOS 8(RHEL actually)) Signed-off-by: Mimi Zohar --- Makefile.am | 4 ++++ configure.ac | 1 + m4/manpage-docbook-xsl.m4 | 34 +++++++++++++++++++++++++++------- 3 files changed, 32 insertions(+), 7 deletions(-) diff --git a/Makefile.am b/Makefile.am index 45c6f82..17fd478 100644 --- a/Makefile.am +++ b/Makefile.am 
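Review bot: Dropping `-n ... p;q` from the `sed` in `MANPAGE_DOCBOOK_XSL=$(...)` means every line xmlcatalog prints now lands in the variable, so a catalog lookup that yields more than one line would put an embedded newline into the substituted stylesheet path. Keeping the first-line-only behaviour while still passing plain paths through is one character more: `sed 's|^file:/\+|/|;q'`. The `\+` quantifier is a GNU extension; `\{1,\}` is the POSIX spelling if non-GNU sed implementations are within the supported set.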
@@ -1,5 +1,7 @@ SUBDIRS = src tests +if MANPAGE_DOCBOOK_XSL dist_man_MANS = evmctl.1 +endif doc_DATA = examples/ima-genkey-self.sh examples/ima-genkey.sh examples/ima-gen-local-ca.sh EXTRA_DIST = autogen.sh $(doc_DATA) @@ -23,6 +25,7 @@ rpm: $(tarname) cp $(tarname) $(SRCS)/ rpmbuild -ba --nodeps $(SPEC) +if MANPAGE_DOCBOOK_XSL evmctl.1.html: README @asciidoc -o $@ $< @@ -35,5 +38,6 @@ rmman: rm -f evmctl.1 doc: evmctl.1.html rmman evmctl.1 +endif .PHONY: $(tarname) diff --git a/configure.ac b/configure.ac index 8e13b61..a2e68d0 100644 --- a/configure.ac +++ b/configure.ac @@ -79,4 +79,5 @@ echo " debug: $pkg_cv_enable_debug" echo " openssl-conf: $enable_openssl_conf" echo " tss2-esys: $ac_cv_lib_tss2_esys_Esys_Free" echo " tss2-rc-decode: $ac_cv_lib_tss2_rc_Tss2_RC_Decode" +echo " doc: $have_doc" echo diff --git a/m4/manpage-docbook-xsl.m4 b/m4/manpage-docbook-xsl.m4 index 2d8436e..25c8ce5 100644 --- a/m4/manpage-docbook-xsl.m4 +++ b/m4/manpage-docbook-xsl.m4 @@ -2,6 +2,9 @@ dnl Copyright (c) 2018-2020 Petr Vorel dnl Find docbook manpage stylesheet AC_DEFUN([EVMCTL_MANPAGE_DOCBOOK_XSL], [ + DOCBOOK_XSL_URI="http://docbook.sourceforge.net/release/xsl/current" + DOCBOOK_XSL_PATH="manpages/docbook.xsl" + AC_PATH_PROGS(XMLCATALOG, xmlcatalog) AC_ARG_WITH([xml-catalog], AC_HELP_STRING([--with-xml-catalog=CATALOG], 
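Review bot: Wrapping `dist_man_MANS = evmctl.1` in `if MANPAGE_DOCBOOK_XSL` also skips installing a manpage that already exists, e.g. an `evmctl.1` shipped in a dist tarball, on a host that lacks the stylesheet at configure time; the second hunk's guard around the generation rules has no such side effect. If that trade-off is intended, to avoid the regeneration failure the commit message describes, a short comment next to the conditional, e.g. `# without manpages/docbook.xsl, evmctl.1 is neither built nor installed`, would save the next reader from reverting it.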
@@ -9,20 +12,37 @@ AC_DEFUN([EVMCTL_MANPAGE_DOCBOOK_XSL], [ [with_xml_catalog=/etc/xml/catalog]) XML_CATALOG_FILE="$with_xml_catalog" AC_SUBST([XML_CATALOG_FILE]) - AC_MSG_CHECKING([for XML catalog ($XML_CATALOG_FILE)]) - if test -f "$XML_CATALOG_FILE"; then - have_xmlcatalog_file=yes - AC_MSG_RESULT([found]) + + if test "x${XMLCATALOG}" = "x"; then + AC_MSG_WARN([xmlcatalog not found, cannot search for $DOCBOOK_XSL_PATH]) else - AC_MSG_RESULT([not found]) + AC_MSG_CHECKING([for XML catalog ($XML_CATALOG_FILE)]) + if test -f "$XML_CATALOG_FILE"; then + have_xmlcatalog_file=yes + AC_MSG_RESULT([found]) + else + AC_MSG_RESULT([not found, cannot search for $DOCBOOK_XSL_PATH]) + fi fi + if test "x${XMLCATALOG}" != "x" -a "x$have_xmlcatalog_file" = "xyes"; then - DOCBOOK_XSL_URI="http://docbook.sourceforge.net/release/xsl/current" - DOCBOOK_XSL_PATH="manpages/docbook.xsl" MANPAGE_DOCBOOK_XSL=$(${XMLCATALOG} ${XML_CATALOG_FILE} ${DOCBOOK_XSL_URI}/${DOCBOOK_XSL_PATH} | sed 's|^file:/\+|/|') fi + if test "x${MANPAGE_DOCBOOK_XSL}" = "x"; then MANPAGE_DOCBOOK_XSL="/usr/share/xml/docbook/stylesheet/docbook-xsl/manpages/docbook.xsl" + AC_MSG_WARN([trying a default path for $DOCBOOK_XSL_PATH]) fi + + if test -f "$MANPAGE_DOCBOOK_XSL"; then + have_doc=yes + AC_MSG_NOTICE([using $MANPAGE_DOCBOOK_XSL for generating doc]) + else + AC_MSG_WARN([$DOCBOOK_XSL_PATH not found, generating doc will be skipped]) + MANPAGE_DOCBOOK_XSL= + have_doc=no + fi + AM_CONDITIONAL(MANPAGE_DOCBOOK_XSL, test "x$have_doc" = xyes) + AC_SUBST(MANPAGE_DOCBOOK_XSL) ]) From 5b764057f3992a744fc29e0ec1efb40f64e350f0 Mon Sep 17 00:00:00 2001 
From: Petr Vorel Date: Thu, 13 Aug 2020 20:25:27 +0200 Subject: [PATCH 10/16] install-swtpm.sh: Ignore certificate for download Some distros in Travis CI (e.g. Debian and Ubuntu) have problems with downloading from sourceforge.net due unknown certificate issuer: --2020-08-11 14:47:51-- https://sourceforge.net/projects/ibmswtpm2/files/ibmtpm1332.tar.gz/download Resolving sourceforge.net (sourceforge.net)... 216.105.38.13 Connecting to sourceforge.net (sourceforge.net)|216.105.38.13|:443... connected. ERROR: The certificate of 'sourceforge.net' is not trusted. ERROR: The certificate of 'sourceforge.net' doesn't have a known issuer. This is a preparation for future commit (moving to docker based Travis CI). Signed-off-by: Petr Vorel Reviewed-by: Bruno Meneguele (Fedora,CentOS 8(RHEL actually)) Signed-off-by: Mimi Zohar --- tests/install-swtpm.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/install-swtpm.sh b/tests/install-swtpm.sh index 071e9c9..2afcf17 100755 --- a/tests/install-swtpm.sh +++ b/tests/install-swtpm.sh @@ -1,7 +1,7 @@ #!/bin/sh set -ex -wget https://sourceforge.net/projects/ibmswtpm2/files/ibmtpm1332.tar.gz/download +wget --no-check-certificate https://sourceforge.net/projects/ibmswtpm2/files/ibmtpm1332.tar.gz/download mkdir ibmtpm1332 cd ibmtpm1332 tar -xvzf ../download From 60e1535438b63b324ffa8d47e3ebc6859626f2fc Mon Sep 17 00:00:00 2001 From: Petr Vorel Date: Thu, 13 Aug 2020 20:25:28 +0200 Subject: [PATCH 11/16] install-swtpm.sh: Update ibmtpm to version 1637 Signed-off-by: Petr Vorel Reviewed-by: Bruno Meneguele (Fedora,CentOS 8(RHEL actually)) Signed-off-by: Mimi Zohar --- tests/install-swtpm.sh | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/tests/install-swtpm.sh b/tests/install-swtpm.sh index 2afcf17..2d8293a 100755 --- a/tests/install-swtpm.sh +++ b/tests/install-swtpm.sh 
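Review bot: `wget --no-check-certificate` turns off TLS peer verification for an archive that the same script then builds and copies into `/usr/local/bin` with `sudo`, so a network-level substitution of the download would go unnoticed. The log quoted in the commit message ("doesn't have a known issuer") is the symptom of a container without a CA bundle, not of a bad server certificate; installing `ca-certificates` in the image fixes the cause and lets the flag be dropped. Independently of that, verifying a pinned SHA-256 of `download` before `tar -xvzf` bounds the damage even on an unverified channel.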
@@ -1,9 +1,11 @@ #!/bin/sh - set -ex -wget --no-check-certificate https://sourceforge.net/projects/ibmswtpm2/files/ibmtpm1332.tar.gz/download -mkdir ibmtpm1332 -cd ibmtpm1332 + +version=1637 + +wget --no-check-certificate https://sourceforge.net/projects/ibmswtpm2/files/ibmtpm${version}.tar.gz/download +mkdir ibmtpm$version +cd ibmtpm$version tar -xvzf ../download cd src make -j$(nproc) From 83e7925cbe7bdd930b56b85c53638fb60c6e9d08 Mon Sep 17 00:00:00 2001 From: Petr Vorel Date: Thu, 13 Aug 2020 20:25:29 +0200 Subject: [PATCH 12/16] Remove install-tpm2-tss.sh tpm2-software is being packaged in major distros nowadays. Signed-off-by: Petr Vorel Reviewed-by: Bruno Meneguele (Fedora,CentOS 8(RHEL actually)) Signed-off-by: Mimi Zohar --- tests/install-tpm2-tss.sh | 19 ------------------- 1 file changed, 19 deletions(-) delete mode 100755 tests/install-tpm2-tss.sh diff --git a/tests/install-tpm2-tss.sh b/tests/install-tpm2-tss.sh deleted file mode 100755 index 7a71b57..0000000 --- a/tests/install-tpm2-tss.sh +++ /dev/null @@ -1,19 +0,0 @@ -#!/bin/sh - -git clone https://github.com/tpm2-software/tpm2-tss.git -cd tpm2-tss -./bootstrap -./configure -make -j$(nproc) -sudo make install -sudo ldconfig -cd .. -rm -rf tpm2-tss - -git clone https://github.com/tpm2-software/tpm2-tools.git -cd tpm2-tools -./bootstrap && ./configure --prefix=/usr -make -j$(nproc) -sudo make install -cd .. -rm -rf tpm2-tools From ccbac508b5192241a7536f459595df9ece2a8c62 Mon Sep 17 00:00:00 2001 From: Petr Vorel Date: Thu, 13 Aug 2020 20:25:30 +0200 Subject: [PATCH 13/16] autogen.sh: Cleanup m4 directory exists, force parameter is not needed. Remove commented out "old way". Signed-off-by: Petr Vorel Reviewed-by: Bruno Meneguele (Fedora,CentOS 8(RHEL actually)) Signed-off-by: Mimi Zohar --- autogen.sh | 14 +------------- 1 file changed, 1 insertion(+), 13 deletions(-) diff --git a/autogen.sh b/autogen.sh index d01bb43..902f2bc 100755 --- a/autogen.sh +++ b/autogen.sh 
@@ -1,16 +1,4 @@ #! /bin/sh - set -e -# new way -# strange, but need this for Makefile.am, because it has -I m4 -test -d m4 || mkdir m4 -autoreconf -f -i - -# old way -#libtoolize --automake --copy --force -#aclocal -#autoconf --force -#autoheader --force -#automake --add-missing --copy --force-missing --gnu - +autoreconf -i From 851f8c7907a74dddf89ebf602b74c20b9e74119a Mon Sep 17 00:00:00 2001 From: Petr Vorel Date: Thu, 13 Aug 2020 20:25:31 +0200 Subject: [PATCH 14/16] tests: Require cmp cmp is not by default installed on some containers (unlike other tools e.g. cut, tr from coreutils or grep). Also cmp implementation from busybox doesn't support -b, thus detect it. Signed-off-by: Petr Vorel Reviewed-by: Bruno Meneguele (Fedora,CentOS 8(RHEL actually)) Signed-off-by: Mimi Zohar --- tests/sign_verify.test | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/tests/sign_verify.test b/tests/sign_verify.test index 118c3f6..4f08bed 100755 --- a/tests/sign_verify.test +++ b/tests/sign_verify.test @@ -18,7 +18,14 @@ cd "$(dirname "$0")" || exit 1 PATH=../src:$PATH source ./functions.sh -_require evmctl openssl xxd getfattr + +_require cmp evmctl getfattr openssl xxd + +if cmp -b 2>&1 | grep -q "invalid option"; then + echo "cmp does not support -b (cmp from busybox?) Use cmp from diffutils" + exit "$HARDFAIL" +fi + ./gen-keys.sh >/dev/null 2>&1 trap _report_exit EXIT From 6c78911350fc2bbee4e2e03053a4bf0404e81ebf Mon Sep 17 00:00:00 2001 From: Petr Vorel Date: Thu, 13 Aug 2020 20:25:32 +0200 Subject: [PATCH 15/16] travis: Switch to docker based builds This requires to have distro specific install scripts and build.sh script. For now ibmswtpm2 is compiled just for native builds (depends on gcc, compiled natively). libtmps/swtpm could be used. Signed-off-by: Petr Vorel Reviewed-by: Bruno Meneguele (Fedora,CentOS 8(RHEL actually)) [zohar@linux.ibm.com: removed debugging in travis/fedora.sh] 
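Review bot: The busybox detection `cmp -b 2>&1 | grep -q "invalid option"` keys on the wording of the libc getopt error, which differs between glibc (`invalid option`) and musl (`unrecognized option`), so on an Alpine image the check passes and the later `cmp -b` calls fail with a less clear error. Testing the option by exit status is libc-independent: `if ! cmp -b /dev/null /dev/null >/dev/null 2>&1; then`, since GNU cmp returns 0 for identical files and busybox rejects the unknown option with a usage error. The diagnostic echoed in that branch goes to stdout; `>&2` keeps it out of the test's regular output.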
Signed-off-by: Mimi Zohar --- .travis.yml | 106 +++++++++++++++++++++++---------- build.sh | 97 ++++++++++++++++++++++++++++++ travis/alpine.sh | 50 ++++++++++++++++ travis/centos.sh | 1 + travis/debian.cross-compile.sh | 23 +++++++ travis/debian.i386.sh | 11 ++++ travis/debian.sh | 54 +++++++++++++++++ travis/fedora.sh | 43 +++++++++++++ travis/opensuse.sh | 1 + travis/tumbleweed.sh | 45 ++++++++++++++ travis/ubuntu.sh | 1 + 11 files changed, 399 insertions(+), 33 deletions(-) create mode 100755 build.sh create mode 100755 travis/alpine.sh create mode 120000 travis/centos.sh create mode 100755 travis/debian.cross-compile.sh create mode 100755 travis/debian.i386.sh create mode 100755 travis/debian.sh create mode 100755 travis/fedora.sh create mode 120000 travis/opensuse.sh create mode 100755 travis/tumbleweed.sh create mode 120000 travis/ubuntu.sh diff --git a/.travis.yml b/.travis.yml index cdfba49..849fcb6 100644 --- a/.travis.yml +++ b/.travis.yml 
@@ -1,38 +1,78 @@ dist: bionic language: C -addons: - apt: - packages: - - libkeyutils-dev - - libattr1-dev - - attr - - openssl - - libssl-dev - - asciidoc - - xsltproc - - docbook-xsl - - docbook-xml +services: + - docker + matrix: - include: - - env: TSS=ibmtss - - env: TSS=tpm2-tss -install: - - if [ "${TSS}" = "tpm2-tss" ]; then - sudo apt-get install lcov pandoc autoconf-archive liburiparser-dev; - sudo apt-get install libdbus-1-dev libglib2.0-dev dbus-x11 libgcrypt-dev; - sudo apt-get install libssl-dev doxygen libjson-c-dev; - sudo apt-get install libini-config-dev libltdl-dev; - sudo apt-get install uuid-dev libcurl4-openssl-dev; - ./tests/install-tpm2-tss.sh; - fi - - ./tests/install-swtpm.sh - - ./tests/install-tss.sh + include: + # 32 bit build + - os: linux + env: DISTRO=debian:stable VARIANT=i386 ARCH=i386 TSS=tpm2-tss + compiler: gcc + + # cross compilation builds + - os: linux + env: DISTRO=debian:stable VARIANT=cross-compile ARCH=ppc64el TSS=ibmtss + compiler: powerpc64le-linux-gnu-gcc + + - os: linux + env: DISTRO=debian:stable VARIANT=cross-compile ARCH=arm64 TSS=tpm2-tss + compiler: aarch64-linux-gnu-gcc + + - os: linux + env: DISTRO=debian:stable VARIANT=cross-compile ARCH=s390x TSS=ibmtss + compiler: s390x-linux-gnu-gcc + + # musl + - os: linux + env: DISTRO=alpine:latest TSS=tpm2-tss + compiler: gcc + + # glibc (gcc/clang) + - os: linux + env: DISTRO=opensuse/tumbleweed TSS=ibmtss + compiler: clang + + - os: linux + env: DISTRO=opensuse/leap TSS=tpm2-tss + compiler: gcc + + - os: linux + env: DISTRO=ubuntu:eoan TSS=ibmtss + compiler: gcc + + - os: linux + env: DISTRO=ubuntu:xenial TSS=tpm2-tss + compiler: clang + + - os: linux + env: DISTRO=fedora:latest TSS=ibmtss + compiler: clang + + - os: linux + env: DISTRO=centos:7 TSS=tpm2-tss + compiler: gcc + + - os: linux + env: DISTRO=centos:latest TSS=tpm2-tss + compiler: clang + + - os: linux + env: DISTRO=debian:testing TSS=tpm2-tss + compiler: clang + + - os: linux + env: DISTRO=debian:stable 
TSS=ibmtss + compiler: gcc + +before_install: + - df -hT + - DIR="/usr/src/ima-evm-utils" + - printf "FROM $DISTRO\nRUN mkdir -p $DIR\nWORKDIR $DIR\nCOPY . $DIR\n" > Dockerfile + - cat Dockerfile + - docker build -t ima-evm-utils . script: - - export LD_LIBRARY_PATH=/usr/local/lib64:/usr/local/lib; - - export PATH=$PATH:/usr/local/bin; - - autoreconf -i && ./configure && make -j$(nproc) && sudo make install && VERBOSE=1 make check; - - - tail -3 tests/ima_hash.log; - - tail -3 tests/sign_verify.log; - - tail -20 tests/boot_aggregate.log; + - INSTALL="${DISTRO%%:*}" + - INSTALL="${INSTALL%%/*}" + - docker run -t ima-evm-utils /bin/sh -c "cd travis && if [ \"$VARIANT\" ]; then ARCH=\"$ARCH\" ./$INSTALL.$VARIANT.sh; fi && ARCH=\"$ARCH\" CC=\"$CC\" TSS=\"$TSS\" ./$INSTALL.sh && if [ ! \"$VARIANT\" ]; then which tpm_server || ../tests/install-swtpm.sh; fi && CC=\"$CC\" VARIANT=\"$VARIANT\" ../build.sh" diff --git a/build.sh b/build.sh new file mode 100755 index 0000000..b922fa6 --- /dev/null +++ b/build.sh 
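Review bot: The matrix entry `env: DISTRO=ubuntu:eoan TSS=ibmtss` targets Ubuntu 19.10, which reached end of life in July 2020, so `apt update` inside the `ubuntu:eoan` container is likely to fail once its archive is moved to old-releases; `ubuntu:focal` is the supported replacement. The other images use floating tags (`fedora:latest`, `alpine:latest`, `centos:latest`), which is acceptable for a smoke matrix but means a failure can appear without any change to this repository. The `docker run ... /bin/sh -c "..."` one-liner builds its command by host-side expansion of `$VARIANT`, `$ARCH`, `$CC` and `$TSS`; moving that body into a small script under travis/ would make it readable and properly quotable.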
@@ -0,0 +1,97 @@ +#!/bin/sh +# Copyright (c) 2020 Petr Vorel + +set -e + +CC="${CC:-gcc}" +CFLAGS="${CFLAGS:--Wformat -Werror=format-security -Werror=implicit-function-declaration -Werror=return-type -fno-common}" +PREFIX="${PREFIX:-$HOME/ima-evm-utils-install}" + +export LD_LIBRARY_PATH="$PREFIX/lib64:$PREFIX/lib:/usr/local/lib64:/usr/local/lib" +export PATH="$PREFIX/bin:/usr/local/bin:$PATH" + +title() +{ + echo "===== $1 =====" +} + +log_exit() +{ + local ret="${3:-$?}" + local log="$1" + local msg="$2" + local prefix + + echo "=== $log ===" + [ $ret -eq 0 ] || prefix="FAIL: " + cat $log + echo + echo "$prefix$msg, see output of $log above" + exit $ret +} + +cd `dirname $0` + +case "$VARIANT" in + i386) + echo "32-bit compilation" + export CFLAGS="-m32 $CFLAGS" LDFLAGS="-m32 $LDFLAGS" + export PKG_CONFIG_LIBDIR=/usr/lib/i386-linux-gnu/pkgconfig + ;; + cross-compile) + host="${CC%-gcc}" + export CROSS_COMPILE="${host}-" + host="--host=$host" + echo "cross compilation: $host" + echo "CROSS_COMPILE: '$CROSS_COMPILE'" + ;; + *) + if [ "$VARIANT" ]; then + echo "Wrong VARIANT: '$VARIANT'" >&2 + exit 1 + fi + echo "native build" + ;; +esac + +title "compiler version" +$CC --version +echo "CFLAGS: '$CFLAGS'" +echo "LDFLAGS: '$LDFLAGS'" +echo "PREFIX: '$PREFIX'" + +title "configure" +./autogen.sh +./configure --prefix=$PREFIX $host || log_exit config.log "configure failed" + +title "make" +make -j$(nproc) +make install + +title "test" +if [ "$VARIANT" = "cross-compile" ]; then + echo "skip make check on cross compilation" + exit 0 +fi + +ret=0 +VERBOSE=1 make check || ret=$? + +title "logs" +if [ $ret -eq 0 ]; then + tail -3 tests/ima_hash.log + tail -3 tests/sign_verify.log + tail -20 tests/boot_aggregate.log + exit 0 +fi + +cat tests/test-suite.log + +if [ $ret -eq 77 ]; then + msg="WARN: some tests skipped" + ret=0 +else + msg="FAIL: tests exited: $ret" +fi + +log_exit tests/test-suite.log "$msg" $ret 
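Review bot: The `if [ $ret -eq 77 ]; then` branch near the end of build.sh looks unreachable: 77 is the per-test SKIP status of automake's harness, but `make check` itself succeeds when tests are only skipped and returns make's own status (2) when a test fails, so `ret` is never 77 unless tests/Makefile.am defines a custom check target. If the intent is to tolerate skipped tests, that is already the default and the branch plus its `msg` can go; if the intent is to notice them, grep `tests/test-suite.log` for `^SKIP` instead. Separately, `cd \`dirname $0\`` and `cat $log` are unquoted; `cd "$(dirname "$0")"` and `cat "$log"` keep paths with spaces working.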
diff --git a/travis/alpine.sh b/travis/alpine.sh new file mode 100755 index 0000000..63d7954 --- /dev/null +++ b/travis/alpine.sh @@ -0,0 +1,50 @@ +#!/bin/sh +# Copyright (c) 2020 Petr Vorel +set -ex + +if [ -z "$CC" ]; then + echo "missing \$CC!" >&2 + exit 1 +fi + +case "$TSS" in +ibmtss) echo "No IBM TSS package, will be installed from git" >&2; TSS=;; +tpm2-tss) TSS="tpm2-tss-dev";; +'') echo "Missing TSS!" >&2; exit 1;; +*) echo "Unsupported TSS: '$TSS'!" >&2; exit 1;; +esac + +# ibmswtpm2 requires gcc +[ "$CC" = "gcc" ] || CC="gcc $CC" + +apk update + +apk add \ + $CC $TSS \ + asciidoc \ + attr \ + attr-dev \ + autoconf \ + automake \ + diffutils \ + docbook-xml \ + docbook-xsl \ + keyutils-dev \ + libtool \ + libxslt \ + linux-headers \ + make \ + musl-dev \ + openssl \ + openssl-dev \ + pkgconfig \ + procps \ + sudo \ + wget \ + which \ + xxd + +if [ ! "$TSS" ]; then + apk add git + ../tests/install-tss.sh +fi diff --git a/travis/centos.sh b/travis/centos.sh new file mode 120000 index 0000000..1479a43 --- /dev/null +++ b/travis/centos.sh @@ -0,0 +1 @@ +fedora.sh \ No newline at end of file diff --git a/travis/debian.cross-compile.sh b/travis/debian.cross-compile.sh new file mode 100755 index 0000000..5456d12 --- /dev/null +++ b/travis/debian.cross-compile.sh @@ -0,0 +1,23 @@ +#!/bin/sh +# Copyright (c) 2020 Petr Vorel +set -ex + +if [ -z "$ARCH" ]; then + echo "missing \$ARCH!" >&2 + exit 1 +fi + +case "$ARCH" in +arm64) gcc_arch="aarch64";; +ppc64el) gcc_arch="powerpc64le";; +s390x) gcc_arch="$ARCH";; +*) echo "unsupported arch: '$ARCH'!" >&2; exit 1;; +esac + +dpkg --add-architecture $ARCH +apt update + +apt install -y --no-install-recommends \ + dpkg-dev \ + gcc-${gcc_arch}-linux-gnu \ + libc6-dev-${ARCH}-cross diff --git a/travis/debian.i386.sh b/travis/debian.i386.sh new file mode 100755 index 0000000..1cad06e --- /dev/null +++ b/travis/debian.i386.sh 
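Review bot: The `apk add` list in travis/alpine.sh installs `wget` but not `ca-certificates`, and the same package is missing from the `$apt` list in travis/debian.sh, where `--no-install-recommends` stops Debian's wget, which only Recommends it, from pulling it in. Whether the base images already carry a CA bundle is not visible from these scripts, but it is the only thing that makes the HTTPS download in tests/install-swtpm.sh verifiable, and that script currently disables validation; adding `ca-certificates \` to both lists is what lets that flag be dropped. The binaries built from those downloads are installed system-wide as root, so the download channel is worth keeping authenticated.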
@@ -0,0 +1,11 @@ +#!/bin/sh +# Copyright (c) 2020 Petr Vorel +set -ex + +dpkg --add-architecture i386 +apt update + +apt install -y --no-install-recommends \ + linux-libc-dev:i386 \ + gcc-multilib \ + pkg-config:i386 diff --git a/travis/debian.sh b/travis/debian.sh new file mode 100755 index 0000000..ad7d2c0 --- /dev/null +++ b/travis/debian.sh @@ -0,0 +1,54 @@ +#!/bin/sh +# Copyright (c) 2020 Petr Vorel +set -ex + +if [ -z "$CC" ]; then + echo "missing \$CC!" >&2 + exit 1 +fi + +# debian.*.sh must be run first +if [ "$ARCH" ]; then + ARCH=":$ARCH" + unset CC +else + apt update +fi + +# ibmswtpm2 requires gcc +[ "$CC" = "gcc" ] || CC="gcc $CC" + +case "$TSS" in +ibmtss) TSS="libtss-dev";; +tpm2-tss) TSS="libtss2-dev";; +'') echo "Missing TSS!" >&2; exit 1;; +*) [ "$TSS" ] && echo "Unsupported TSS: '$TSS'!" >&2; exit 1;; +esac + +apt="apt install -y --no-install-recommends" + +$apt \ + $CC $TSS \ + asciidoc \ + attr \ + autoconf \ + automake \ + diffutils \ + debianutils \ + docbook-xml \ + docbook-xsl \ + gzip \ + libattr1-dev$ARCH \ + libkeyutils-dev$ARCH \ + libssl-dev$ARCH \ + libtool \ + make \ + openssl \ + pkg-config \ + procps \ + sudo \ + wget \ + xsltproc \ + +$apt xxd || $apt vim-common +$apt libengine-gost-openssl1.1$ARCH || true diff --git a/travis/fedora.sh b/travis/fedora.sh new file mode 100755 index 0000000..058e172 --- /dev/null +++ b/travis/fedora.sh 
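Review bot: The `$apt` package list in travis/debian.sh ends with `xsltproc \` followed by an empty line, so the backslash continues the command onto a blank line; it works today, but a package appended after that blank line later becomes a separate command rather than part of the list. Ending the list on `xsltproc` without the continuation avoids the trap. In the `if [ "$ARCH" ]` branch, `unset CC` followed by `[ "$CC" = "gcc" ] || CC="gcc $CC"` yields `CC="gcc "`, which installs gcc as intended but reads as accidental; `CC=gcc` there says what is meant.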
@@ -0,0 +1,43 @@
+#!/bin/sh
+# Copyright (c) 2020 Petr Vorel
+set -e
+
+if [ -z "$CC" ]; then
+ echo "missing \$CC!" >&2
+ exit 1
+fi
+
+case "$TSS" in
+ibmtss) TSS="tss2-devel";;
+tpm2-tss) TSS="tpm2-tss-devel";;
+'') echo "Missing TSS!" >&2; exit 1;;
+*) echo "Unsupported TSS: '$TSS'!" >&2; exit 1;;
+esac
+
+# ibmswtpm2 requires gcc
+[ "$CC" = "gcc" ] || CC="gcc $CC"
+
+yum -y install \
+ $CC $TSS \
+ asciidoc \
+ attr \
+ autoconf \
+ automake \
+ diffutils \
+ docbook-xsl \
+ gzip \
+ keyutils-libs-devel \
+ libattr-devel \
+ libtool \
+ libxslt \
+ make \
+ openssl \
+ openssl-devel \
+ pkg-config \
+ procps \
+ sudo \
+ vim-common \
+ wget \
+ which
+
+yum -y install docbook5-style-xsl || true
diff --git a/travis/opensuse.sh b/travis/opensuse.sh
new file mode 120000
index 0000000..11c5f4b
--- /dev/null
+++ b/travis/opensuse.sh
@@ -0,0 +1 @@
+tumbleweed.sh
\ No newline at end of file
diff --git a/travis/tumbleweed.sh b/travis/tumbleweed.sh
new file mode 100755
index 0000000..ec4dc43
--- /dev/null
+++ b/travis/tumbleweed.sh
@@ -0,0 +1,45 @@
+#!/bin/sh
+# Copyright (c) 2020 Petr Vorel
+set -ex
+
+if [ -z "$CC" ]; then
+ echo "missing \$CC!" >&2
+ exit 1
+fi
+
+case "$TSS" in
+ibmtss) TSS="ibmtss-devel";;
+tpm2-tss) TSS="tpm2-0-tss-devel";;
+'') echo "Missing TSS!" >&2; exit 1;;
+*) echo "Unsupported TSS: '$TSS'!" >&2; exit 1;;
+esac
+
+# clang has some gcc dependency
+[ "$CC" = "gcc" ] || CC="gcc $CC"
+
+zypper --non-interactive install --force-resolution --no-recommends \
+ $CC $TSS \
+ asciidoc \
+ attr \
+ autoconf \
+ automake \
+ diffutils \
+ docbook_5 \
+ docbook5-xsl-stylesheets \
+ gzip \
+ ibmswtpm2 \
+ keyutils-devel \
+ libattr-devel \
+ libopenssl-devel \
+ libtool \
+ make \
+ openssl \
+ pkg-config \
+ procps \
+ sudo \
+ vim \
+ wget \
+ which \
+ xsltproc
+
+[ -f /usr/lib/ibmtss/tpm_server ] && ln -s /usr/lib/ibmtss/tpm_server /usr/local/bin
diff --git a/travis/ubuntu.sh b/travis/ubuntu.sh
new file mode 120000
index 0000000..0edcb8b
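Review bot: `set -e` on the third line of fedora.sh lacks the `-x` that alpine.sh, debian.sh and tumbleweed.sh use, so a failing `yum` in this script (also run as centos.sh through the symlink) leaves no command trace in the CI log; `set -ex` would keep the scripts consistent. `yum -y install docbook5-style-xsl || true` deliberately tolerates a missing package, which is fine for an optional stylesheet, but a one-line comment stating why the package may be absent would stop a reader from treating the `|| true` as an oversight.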
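Review bot: The last line of tumbleweed.sh, `[ -f /usr/lib/ibmtss/tpm_server ] && ln -s ...`, makes the script exit with status 1 whenever the file is absent, because the failing test is the final command and its status becomes the script's; since .travis.yml chains `./$INSTALL.sh && ...`, a packaging change that moves tpm_server would fail the job before the build even starts. `ln -s` without `-f` also aborts under `set -e` when the link already exists, for example on a re-run in the same container. `if [ -f /usr/lib/ibmtss/tpm_server ]; then ln -sf /usr/lib/ibmtss/tpm_server /usr/local/bin; fi` covers both cases.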
--- /dev/null
+++ b/travis/ubuntu.sh
@@ -0,0 +1 @@
+debian.sh
\ No newline at end of file
From f831508297cd33051aff4925203b3e44b790d3ec Mon Sep 17 00:00:00 2001
From: Mimi Zohar
Date: Fri, 14 Aug 2020 14:19:53 -0400
Subject: [PATCH 16/16] Install the swtpm package, if available
The "boot_aggregate.test" requires either a hardware or software TPM. Support using the swtpm, if packaged for the distro, in addition to tpm_server. Note: Some travis/.sh scripts are links to other scripts. Don't fail the build of the linked script if the swtpm package doesn't exist.
Signed-off-by: Mimi Zohar
Reviewed-by: Petr Vorel
Acked-by: Bruno Meneguele
---
 .travis.yml | 2 +-
 tests/boot_aggregate.test | 42 ++++++++++++++++++++++++++++-----------
 travis/fedora.sh | 1 +
 3 files changed, 32 insertions(+), 13 deletions(-)
diff --git a/.travis.yml b/.travis.yml
index 849fcb6..9bea5d1 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -75,4 +75,4 @@ before_install:
 script:
 - INSTALL="${DISTRO%%:*}"
 - INSTALL="${INSTALL%%/*}"
- - docker run -t ima-evm-utils /bin/sh -c "cd travis && if [ \"$VARIANT\" ]; then ARCH=\"$ARCH\" ./$INSTALL.$VARIANT.sh; fi && ARCH=\"$ARCH\" CC=\"$CC\" TSS=\"$TSS\" ./$INSTALL.sh && if [ ! \"$VARIANT\" ]; then which tpm_server || ../tests/install-swtpm.sh; fi && CC=\"$CC\" VARIANT=\"$VARIANT\" ../build.sh"
+ - docker run -t ima-evm-utils /bin/sh -c "cd travis && if [ \"$VARIANT\" ]; then ARCH=\"$ARCH\" ./$INSTALL.$VARIANT.sh; fi && ARCH=\"$ARCH\" CC=\"$CC\" TSS=\"$TSS\" ./$INSTALL.sh && if [ ! \"$VARIANT\" ]; then which tpm_server || which swtpm || ../tests/install-swtpm.sh; fi && CC=\"$CC\" VARIANT=\"$VARIANT\" ../build.sh"
diff --git a/tests/boot_aggregate.test b/tests/boot_aggregate.test
index 43de67d..1c7b1f2 100755
--- a/tests/boot_aggregate.test
+++ b/tests/boot_aggregate.test
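Review bot: The `docker run` line now chains three fallbacks (`which tpm_server || which swtpm || ../tests/install-swtpm.sh`) inside a single escaped `sh -c` string, and the `\"$VARIANT\"`/`\"$CC\"` quoting is already hard to read; each further condition added this way makes it harder to see which shell evaluates what. Moving the container-side body into a helper script under travis/ (e.g. `travis/<helper>.sh`, a constructed name) and passing `ARCH`, `CC`, `TSS` and `VARIANT` with `docker run -e` would drop the escaping entirely. The `which` lookups inside the container also depend on each distro script installing it (alpine.sh, fedora.sh and tumbleweed.sh list `which`, debian.sh gets it from debianutils); `command -v` is a POSIX shell builtin and needs no package.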
@@ -33,11 +33,15 @@ else
 ASCII_RUNTIME_MEASUREMENTS="./sample-ascii_runtime_measurements-pcrs-8-9"
 export TPM_INTERFACE_TYPE="socsim"
 export TPM_COMMAND_PORT=2321
+ export TPM_PLATFORM_PORT=2322
+ export TPM_SERVER_NAME="localhost"
+ export TPM_SERVER_TYPE="raw"
+
 fi
 # Only stop this test's software TPM. Preferred method: "tsstpmcmd -stop"
 cleanup() {
- if [ ! -z "${SWTPM_PPID}" ]; then
+ if [ -n "${SWTPM_PPID}" ]; then
 if [ -f "${TSSDIR}/tsstpmcmd" ]; then
 "${TSSDIR}/tsstpmcmd" -stop
 else
@@ -48,22 +52,36 @@ cleanup() {
 # Try to start a software TPM if needed.
 swtpm_start() {
- local swtpm
+ local swtpm swtpm1
 swtpm="$(which tpm_server)"
- if [ -z "${swtpm}" ]; then
- echo "${CYAN}SKIP: Softare TPM (tpm_server) not found${NORM}"
+ swtpm1="$(which swtpm)"
+ if [ -z "${swtpm}" ] && [ -z "${swtpm1}" ]; then
+ echo "${CYAN}SKIP: Softare TPM (tpm_server and swtpm) not found${NORM}"
 return "$SKIP"
 fi
- pgrep tpm_server
- if [ $? -eq 0 ]; then
- echo "INFO: Software TPM (tpm_server) already running"
- return 114
- else
- echo "INFO: Starting software TPM: ${swtpm}"
- ${swtpm} > /dev/null 2>&1 &
- SWTPM_PPID=$!
+ if [ -n "${swtpm1}" ]; then
+ pgrep swtpm1
+ if [ $? -eq 0 ]; then
+ echo "INFO: Software TPM (swtpm) already running"
+ return 114
+ else
+ echo "INFO: Starting software TPM: ${swtpm1}"
+ mkdir ./myvtpm
+ ${swtpm1} socket --tpmstate dir=./myvtpm --tpm2 --ctrl type=tcp,port=2322 --server type=tcp,port=2321 --flags not-need-init > /dev/null 2>&1 &
+ SWTPM_PPID=$!
+ fi
+ elif [ -n "${swtpm}" ]; then
+ pgrep swtpm
+ if [ $? -eq 0 ]; then
+ echo "INFO: Software TPM (tpm_server) already running"
+ return 114
+ else
+ echo "INFO: Starting software TPM: ${swtpm}"
+ ${swtpm} > /dev/null 2>&1 &
+ SWTPM_PPID=$!
+ fi
 fi
 return 0
 }
diff --git a/travis/fedora.sh b/travis/fedora.sh
index 058e172..2d80915 100755
--- a/travis/fedora.sh
+++ b/travis/fedora.sh
@@ -41,3 +41,4 @@ yum -y install \
 which
 yum -y install docbook5-style-xsl || true
+yum -y install swtpm || true
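Review bot: The port numbers exported here (`TPM_COMMAND_PORT=2321`, the new `TPM_PLATFORM_PORT=2322`) are repeated as literals in the swtpm command line of the second hunk (`--ctrl type=tcp,port=2322 --server type=tcp,port=2321`); referencing the variables there, `port=${TPM_PLATFORM_PORT}` and `port=${TPM_COMMAND_PORT}`, keeps the TSS client and the simulator from drifting apart when one of them is changed. The new exports appear to sit in the `else` branch of a conditional that starts above the hunk, so they apply only to the software-TPM path; a short comment above them such as `# TSS client settings for the local TPM simulator` would make that visible without reading back to the `if`.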
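Review bot: `pgrep swtpm1` looks for a process named swtpm1, which is the shell variable's name rather than the binary's, so it never matches and a second swtpm is started even when one is already listening on the ports; the `elif` branch has the mirror-image slip, `pgrep swtpm` where the branch handles tpm_server (the removed line was `pgrep tpm_server`). The two lines should read `pgrep swtpm` and `pgrep tpm_server`, and `if pgrep swtpm >/dev/null; then` would replace the separate `$?` test in both branches. `mkdir ./myvtpm` fails on a re-run when the directory was left behind by a previous run, so `mkdir -p ./myvtpm` is safer; the cleanup function in the first hunk does not appear to remove the state directory, though its body continues outside the hunk, so that may happen elsewhere. The `--ctrl` and `--server` sockets are opened without an explicit `bindaddr=`; confirm the default is loopback-only, since the test only needs a local client. The new SKIP message also carries the `Softare` typo over from the removed line.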