dh/ima-evm-utils-mirror
1
0
Fork 0
mirror of https://git.code.sf.net/p/linux-ima/ima-evm-utils synced 2025-04-28 06:33:36 +02:00
Code Releases Activity

ima-evm-utils: improve reading TPM 1.2 PCRs

Browse Source 
Instead of reading the TPM 1.2 PCRs one at a time, opening and closing
the securityfs file each time, read all of PCRs at once.

Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
This commit is contained in:
Mimi Zohar 2020-07-08 18:48:24 -04:00
parent 663dfd5efb
commit b102db4180
1 changed files with 19 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

41
src/evmctl.c
View File

@ -152,6 +152,14 @@ static void print_usage(struct command *cmd);
static const char *xattr_ima = "security.ima"; static const char *xattr_ima = "security.ima";
static const char *xattr_evm = "security.evm"; static const char *xattr_evm = "security.evm";
struct tpm_bank_info {
int digest_size;
int supported;
const char *algo_name;
uint8_t digest[MAX_DIGEST_SIZE];
uint8_t pcr[NUM_PCRS][MAX_DIGEST_SIZE];
};
static int bin2file(const char *file, const char *ext, const unsigned char *data, int len) static int bin2file(const char *file, const char *ext, const unsigned char *data, int len)
{ {
FILE *fp; FILE *fp;
@ -1366,13 +1374,13 @@ static int cmd_ima_clear(struct command *cmd)
static char *pcrs = "/sys/class/tpm/tpm0/device/pcrs"; /* Kernels >= 4.0 */ static char *pcrs = "/sys/class/tpm/tpm0/device/pcrs"; /* Kernels >= 4.0 */
static char *misc_pcrs = "/sys/class/misc/tpm0/device/pcrs"; static char *misc_pcrs = "/sys/class/misc/tpm0/device/pcrs";
static int tpm_pcr_read(int idx, uint8_t *pcr, int len) /* Read all of the TPM 1.2 PCRs */
static int tpm_pcr_read(struct tpm_bank_info *tpm_banks, int len)
{ {
FILE *fp; FILE *fp;
char *p, pcr_str[7], buf[70]; /* length of the TPM string */ char *p, pcr_str[7], buf[70]; /* length of the TPM string */
int result = -1; int result = -1;
int i = 0;
sprintf(pcr_str, "PCR-%2.2d", idx);
fp = fopen(pcrs, "r"); fp = fopen(pcrs, "r");
if (!fp) if (!fp)
@ -1385,11 +1393,10 @@ static int tpm_pcr_read(int idx, uint8_t *pcr, int len)
p = fgets(buf, sizeof(buf), fp); p = fgets(buf, sizeof(buf), fp);
if (!p) if (!p)
break; break;
if (!strncmp(p, pcr_str, 6)) { sprintf(pcr_str, "PCR-%2.2d", i);
hex2bin(pcr, p + 7, len); if (!strncmp(p, pcr_str, 6))
result = 0; hex2bin(tpm_banks[0].pcr[i++], p + 7, len);
break; result = 0;
}
} }
fclose(fp); fclose(fp);
return result; return result;
@ -1571,14 +1578,6 @@ void ima_ng_show(struct template_entry *entry)
} }
} }
struct tpm_bank_info {
int digest_size;
int supported;
const char *algo_name;
uint8_t digest[MAX_DIGEST_SIZE];
uint8_t pcr[NUM_PCRS][MAX_DIGEST_SIZE];
};
static void set_bank_info(struct tpm_bank_info *bank, const char *algo_name) static void set_bank_info(struct tpm_bank_info *bank, const char *algo_name)
{ {
const EVP_MD *md; const EVP_MD *md;
@ -1771,11 +1770,9 @@ static int read_tpm_pcrs(int num_banks, struct tpm_bank_info *tpm_banks)
{ {
int i; int i;
for (i = 0; i < NUM_PCRS; i++) { if (tpm_pcr_read(tpm_banks, SHA_DIGEST_LENGTH)) {
if (tpm_pcr_read(i, tpm_banks[0].pcr[i], SHA_DIGEST_LENGTH)) { log_debug("Failed to read TPM 1.2 PCRs.\n");
log_debug("Failed to read TPM 1.2 PCRs.\n"); return -1;
return -1;
}
} }
tpm_banks[0].supported = 1; tpm_banks[0].supported = 1;
@ -1796,7 +1793,7 @@ static int read_tpm_banks(int num_banks, struct tpm_bank_info *bank)
int i, j; int i, j;
int err; int err;
/* First try reading PCRs from exported TPM 1.2 securityfs file */ /* First try reading PCRs from exported TPM 1.2 sysfs file */
if (read_tpm_pcrs(num_banks, bank) == 0) if (read_tpm_pcrs(num_banks, bank) == 0)
return 0; return 0;