From fbd96c98c553fcc573ac365cda9a0ed9d7bd7bd4 Mon Sep 17 00:00:00 2001
From: Mimi Zohar
Date: Wed, 29 Jul 2020 17:25:25 -0400
Subject: [PATCH 1/6] Update the ima_boot_aggregate apsects of the "README" and "help" files

Add the missing "evmctl ima_boot_aggregate" info to the README. Update the "help" to include the new "--pcrs" option. In addition, replace the "file" option with "TPM 1.2 BIOS event log".

The new format is:
ima_boot_aggregate [--pcrs hash-algorithm,file] [TPM 1.2 BIOS event log]

Reminder: calculating the TPM PCRs based on the BIOS event log and comparing them with the TPM PCRs should be done prior to calculating the possible boot_aggregate value(s). For TPM 1.2, the TPM 1.2 BIOS event log may be provided as an option when calculating the ima_boot_aggregate. For TPM 2.0, "tsseventextend -sim -if -ns -v", may be used to validate the TPM 2.0 event log. (Note: some TPM 2.0's export the BIOS event log in the TPM 1.2 format.)

Signed-off-by: Mimi Zohar
---
 README | 1 +
 src/evmctl.c | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/README b/README
index b37325f..321045d 100644
--- a/README
+++ b/README
@@ -28,6 +28,7 @@ COMMANDS
 import [--rsa] pubkey keyring
 sign [-r] [--imahash | --imasig ] [--portable] [--key key] [--pass password] file
 verify file
+ ima_boot_aggregate [--pcrs hash-algorithm,file] [TPM 1.2 BIOS event log]
 ima_sign [--sigfile] [--key key] [--pass password] file
 ima_verify file
 ima_hash file
diff --git a/src/evmctl.c b/src/evmctl.c
index 7ad1150..de7299d 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -2485,7 +2485,7 @@ struct command cmds[] = {
 {"ima_setxattr", cmd_setxattr_ima, 0, "[--sigfile file]", "Set IMA signature from sigfile\n"},
 {"ima_hash", cmd_hash_ima, 0, "file", "Make file content hash.\n"},
 {"ima_measurement", cmd_ima_measurement, 0, "[--ignore-violations] [--verify-sig [--key key1, key2, ...]] [--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...] file", "Verify measurement list (experimental).\n"},
- {"ima_boot_aggregate", cmd_ima_bootaggr, 0, "[file]", "Calculate per TPM bank boot_aggregate digests\n"},
+ {"ima_boot_aggregate", cmd_ima_bootaggr, 0, "[--pcrs hash-algorithm,file] [TPM 1.2 BIOS event log]", "Calculate per TPM bank boot_aggregate digests\n"},
 {"ima_fix", cmd_ima_fix, 0, "[-t fdsxm] path", "Recursively fix IMA/EVM xattrs in fix mode.\n"},
 {"ima_clear", cmd_ima_clear, 0, "[-t fdsxm] path", "Recursively remove IMA/EVM xattrs.\n"},
 {"sign_hash", cmd_sign_hash, 0, "[--key key] [--pass [password]", "Sign hashes from shaXsum output.\n"},

From d5aed92be4c082ee56feca66ac0896107dc1b0b6 Mon Sep 17 00:00:00 2001
From: Mimi Zohar
Date: Fri, 31 Jul 2020 14:24:04 -0400
Subject: [PATCH 2/6] travis: define travis.yml

Initial travis.yml file without the "boot_aggregate" test.

Signed-off-by: Mimi Zohar
---
 .travis.yml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
 create mode 100644 .travis.yml

diff --git a/.travis.yml b/.travis.yml
new file mode 100644
index 0000000..bf28789
--- /dev/null
+++ b/.travis.yml
@@ -0,0 +1,18 @@
+language: C
+addons:
+ apt:
+ packages:
+ - libkeyutils-dev
+ - libattr1-dev
+ - attr
+ - openssl
+ - libssl-dev
+ - asciidoc
+ - xsltproc
+ - docbook-xsl
+ - docbook-xml
+script:
+ - autoreconf -i && ./configure && make -j$(nproc) && sudo make install && VERBOSE=1 make check TESTS="ima_hash.test sign_verify.test";
+
+ - tail -3 tests/ima_hash.log;
+ - tail -3 tests/sign_verify.log;

From 9cd7edf1e042b85048714da96cfa9a5c5c99e2b1 Mon Sep 17 00:00:00 2001
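Review bot: The new usage string for `ima_boot_aggregate` shows a single `[--pcrs hash-algorithm,file]`, while the `ima_measurement` entry two lines above documents the same option as repeatable (`[--pcrs hash-algorithm,file] ...`) and with an optional algorithm prefix (`[hash-algorithm,]file`); if cmd_ima_bootaggr takes the option through the same parser, the help should use the same form so users know they can pass one PCR file per TPM bank. The commit message stresses that the PCRs must be validated against the event log before any boot_aggregate is computed, but nothing in the help conveys that values read from the `--pcrs` file are used as given; I would extend the description to `"Calculate per TPM bank boot_aggregate digests (PCR values from --pcrs are used as given; validate them against the event log first)\n"`. The positional placeholder `[TPM 1.2 BIOS event log]` is the only one in this table containing spaces, which reads as several arguments; a single token such as `[tpm12-event-log]` would match the `file`/`path` style of the neighbouring entries. The cmds[] array begins before this hunk and continues after it.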
From: Mimi Zohar
Date: Fri, 31 Jul 2020 14:24:05 -0400
Subject: [PATCH 3/6] travis: download, compile, and install a swTPM

Verifying the "boot_aggregate" requires reading the TPM PCRs for each of the TPM banks. In test environments without a physical TPM, a software TPM may be used.

Signed-off-by: Mimi Zohar
---
 .travis.yml | 2 ++
 tests/install-swtpm.sh | 11 +++++++++++
 2 files changed, 13 insertions(+)
 create mode 100755 tests/install-swtpm.sh

diff --git a/.travis.yml b/.travis.yml
index bf28789..fa2a376 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -11,6 +11,8 @@ addons:
 - xsltproc
 - docbook-xsl
 - docbook-xml
+install:
+ - ./tests/install-swtpm.sh
 script:
 - autoreconf -i && ./configure && make -j$(nproc) && sudo make install && VERBOSE=1 make check TESTS="ima_hash.test sign_verify.test";
diff --git a/tests/install-swtpm.sh b/tests/install-swtpm.sh
new file mode 100755
index 0000000..071e9c9
--- /dev/null
+++ b/tests/install-swtpm.sh
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+set -ex
+wget https://sourceforge.net/projects/ibmswtpm2/files/ibmtpm1332.tar.gz/download
+mkdir ibmtpm1332
+cd ibmtpm1332
+tar -xvzf ../download
+cd src
+make -j$(nproc)
+sudo cp tpm_server /usr/local/bin/
+cd ../..

From f2fe5929075fbcc47543ca21fcc364cbe59dd397 Mon Sep 17 00:00:00 2001
From: Mimi Zohar
Date: Fri, 31 Jul 2020 14:24:06 -0400
Subject: [PATCH 4/6] travis: dependency on TSS for initializing software TPM

Verifying the "boot_aggregate" requires reading the TPM PCRs for each of the TPM banks. In test environments without a physical TPM, a software TPM may be used, but requires initializing the TPM PCRs. By walking and replaying the TPM event log, a software TPM may be properly initialized.

Signed-off-by: Mimi Zohar
---
 .travis.yml | 4 +++-
 tests/install-tss.sh | 8 ++++++++
 2 files changed, 11 insertions(+), 1 deletion(-)
 create mode 100755 tests/install-tss.sh

diff --git a/.travis.yml b/.travis.yml
index fa2a376..0a34765 100644
--- a/.travis.yml
+++ b/.travis.yml
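Review bot: `wget https://sourceforge.net/projects/ibmswtpm2/files/ibmtpm1332.tar.gz/download` fetches the simulator tarball through a SourceForge redirect, and the script then builds it and copies `tpm_server` into `/usr/local/bin` with sudo without checking what was downloaded; a changed upload or a compromised mirror would run arbitrary code in CI and silently replace the TPM simulator that the boot_aggregate test treats as ground truth. Save the archive under its real name with `wget -O ibmtpm1332.tar.gz https://sourceforge.net/projects/ibmswtpm2/files/ibmtpm1332.tar.gz/download` and verify it before `tar -xvzf`, e.g. `echo "<published sha256>  ibmtpm1332.tar.gz" | sha256sum -c -`, so that `set -ex` aborts on a mismatch. Since the version is already pinned to 1332, a recorded digest stays valid until the script is deliberately bumped.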
@@ -13,8 +13,10 @@ addons:
 - docbook-xml
 install:
 - ./tests/install-swtpm.sh
+ - ./tests/install-tss.sh
 script:
- - autoreconf -i && ./configure && make -j$(nproc) && sudo make install && VERBOSE=1 make check TESTS="ima_hash.test sign_verify.test";
+ - autoreconf -i && ./configure && make -j$(nproc) && sudo make install && VERBOSE=1 make check;
 - tail -3 tests/ima_hash.log;
 - tail -3 tests/sign_verify.log;
+ - tail -3 tests/boot_aggregate.log;
diff --git a/tests/install-tss.sh b/tests/install-tss.sh
new file mode 100755
index 0000000..c9c179e
--- /dev/null
+++ b/tests/install-tss.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+set -ex
+git clone https://git.code.sf.net/p/ibmtpm20tss/tss
+cd tss
+autoreconf -i && ./configure --disable-tpm-1.2 --disable-hwtpm && make -j$(nproc) && sudo make install
+cd ..
+rm -rf tss

From 3ff5d99edc435b85e58ee812e0c13b81c702e2ea Mon Sep 17 00:00:00 2001
From: Mimi Zohar
Date: Fri, 31 Jul 2020 14:24:07 -0400
Subject: [PATCH 5/6] travis: support tpm2-tss

Running the "boot_aggregate" test without a physical TPM, requires installing and initializing a software TPM. For now, use the same method of initializing the TPM, based on the IBM tss, for both the IBM and Intel's tss. Build both the IBM and INTEL's tss.

Signed-off-by: Mimi Zohar
---
 .travis.yml | 17 ++++++++++++++++-
 tests/install-tpm2-tss.sh | 19 +++++++++++++++++++
 2 files changed, 35 insertions(+), 1 deletion(-)
 create mode 100755 tests/install-tpm2-tss.sh

diff --git a/.travis.yml b/.travis.yml
index 0a34765..11a827c 100644
--- a/.travis.yml
+++ b/.travis.yml
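Review bot: `git clone https://git.code.sf.net/p/ibmtpm20tss/tss` checks out whatever the remote's default branch points at when the job runs, and the next line feeds that into `sudo make install`, so the CI result depends on an unpinned third-party HEAD and any upstream change or account compromise lands directly in /usr/local. Pin the checkout to a release tag or commit, e.g. `git clone --depth 1 --branch <tag> https://git.code.sf.net/p/ibmtpm20tss/tss` or a `git -C tss checkout <commit>` after the clone, and note in a comment which version the boot_aggregate test was validated against. The `set -ex` at the top is the right choice here: it makes a failed clone or configure abort the install stage rather than installing a half-built TSS.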
@@ -11,12 +11,27 @@ addons:
 - xsltproc
 - docbook-xsl
 - docbook-xml
+matrix:
+ include:
+ - env: TSS=ibmtss
+ - env: TSS=tpm2-tss
 install:
+ - if [ "${TSS}" = "tpm2-tss" ]; then
+ sudo apt-get install lcov pandoc autoconf-archive liburiparser-dev;
+ sudo apt-get install libdbus-1-dev libglib2.0-dev dbus-x11 libgcrypt-dev;
+ sudo apt-get install libssl-dev doxygen libjson-c-dev;
+ sudo apt-get install libini-config-dev libltdl-dev;
+ sudo apt-get install uuid-dev libcurl4-openssl-dev;
+ ./tests/install-tpm2-tss.sh;
+ fi
 - ./tests/install-swtpm.sh
 - ./tests/install-tss.sh
+
 script:
+ - export LD_LIBRARY_PATH=/usr/local/lib64:/usr/local/lib;
+ - export PATH=$PATH:/usr/local/bin;
 - autoreconf -i && ./configure && make -j$(nproc) && sudo make install && VERBOSE=1 make check;
 - tail -3 tests/ima_hash.log;
 - tail -3 tests/sign_verify.log;
- - tail -3 tests/boot_aggregate.log;
+ - tail -20 tests/boot_aggregate.log;
diff --git a/tests/install-tpm2-tss.sh b/tests/install-tpm2-tss.sh
new file mode 100755
index 0000000..7a71b57
--- /dev/null
+++ b/tests/install-tpm2-tss.sh
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+git clone https://github.com/tpm2-software/tpm2-tss.git
+cd tpm2-tss
+./bootstrap
+./configure
+make -j$(nproc)
+sudo make install
+sudo ldconfig
+cd ..
+rm -rf tpm2-tss
+
+git clone https://github.com/tpm2-software/tpm2-tools.git
+cd tpm2-tools
+./bootstrap && ./configure --prefix=/usr
+make -j$(nproc)
+sudo make install
+cd ..
+rm -rf tpm2-tools

From 1b5146db99a4fed8aac64dcdd6550e9d8055f3bc Mon Sep 17 00:00:00 2001
From: Mimi Zohar
Date: Mon, 3 Aug 2020 14:14:42 -0400
Subject: [PATCH 6/6] travis: define dist as "bionic"

Default to using "bionic".

Mimi Zohar
---
 .travis.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.travis.yml b/.travis.yml
index 11a827c..cdfba49 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,3 +1,4 @@
+dist: bionic
 language: C
 addons:
 apt:
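Review bot: The five `sudo apt-get install ...` lines inside the `if [ "${TSS}" = "tpm2-tss" ]` branch run without `-y`; unless the Travis image pre-configures apt to assume yes, a non-interactive run answers the confirmation prompt with EOF and aborts, and because the clauses are joined with `;` rather than `&&` that failure is swallowed and `./tests/install-tpm2-tss.sh` runs against missing build dependencies while the `if` block still reports the exit status of its last command. I would collapse them into a single invocation, `sudo apt-get install -y lcov pandoc autoconf-archive liburiparser-dev libdbus-1-dev libglib2.0-dev dbus-x11 libgcrypt-dev libssl-dev doxygen libjson-c-dev libini-config-dev libltdl-dev uuid-dev libcurl4-openssl-dev &&` followed by `./tests/install-tpm2-tss.sh;`, so a package failure stops the branch. YAML folds this multi-line list item into one shell line, which is why each clause needs its own terminator; a short comment above the item saying so would save the next editor from dropping a `;`.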
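Review bot: Unlike install-swtpm.sh and install-tss.sh, this script has no `set -e`, so a failed `git clone`, `./bootstrap` or `./configure` does not stop it: the following `cd` fails, `make` and `sudo make install` run in whatever directory the shell is left in, and the script still exits 0 from the final `rm -rf tpm2-tools`, letting the install stage report success with no tpm2-tss installed. Both clones also build and `sudo make install` the unpinned default branch of a third-party repository, which ties the test result and the CI host's /usr contents to upstream HEAD. Add `set -ex` after the shebang and pin both checkouts, e.g. `git clone --depth 1 --branch <tpm2-tss tag> https://github.com/tpm2-software/tpm2-tss.git` and `git clone --depth 1 --branch <tpm2-tools tag> https://github.com/tpm2-software/tpm2-tools.git`. tpm2-tools is configured with `--prefix=/usr` while tpm2-tss goes to the default /usr/local; if that split is intentional (e.g. to match where the tools expect to live), a one-line comment saying so would help, since the `sudo ldconfig` only covers the library side.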