ima-evm-utils: don't hardcode validating the IMA measurement list

File time of measure, time of use (ToMToU) violations are annotated in the measurement list by including a template data digest of zeroes, but extending the TPM with 0xFF's. This causes validating the measurement against the TPM PCRs to fail. To validate the measurement list against the PCRs requires replacing the zero template data digest with OxFF's. The default behavior, unless specifically requested, should be to fail the measurement list verification. Support validating the measurement list based on a "--validate" option. Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2025-04-27 22:32:31 +02:00 · 2020-07-05 02:31:52 -04:00 · 2020-07-05 02:31:52 -04:00 · bb62a7115e
commit bb62a7115e
parent 747bf9e890
1 changed files with 6 additions and 2 deletions
--- a/src/evmctl.c
+++ b/src/evmctl.c
@ -1412,7 +1412,7 @@ struct template_entry {
 static uint8_t zero[MAX_DIGEST_SIZE];
 static uint8_t fox[MAX_DIGEST_SIZE];

-int validate = 1;
+static int validate = 0;

 static int ima_verify_template_hash(struct template_entry *entry)
 {
@ -2156,7 +2156,7 @@ struct command cmds[] = {
 	{"ima_verify", cmd_verify_ima, 0, "file", "Verify IMA signature (for debugging).\n"},
 	{"ima_setxattr", cmd_setxattr_ima, 0, "[--sigfile file]", "Set IMA signature from sigfile\n"},
 	{"ima_hash", cmd_hash_ima, 0, "file", "Make file content hash.\n"},
-	{"ima_measurement", cmd_ima_measurement, 0, "file", "Verify measurement list (experimental).\n"},
+	{"ima_measurement", cmd_ima_measurement, 0, "[--validate] file", "Verify measurement list (experimental).\n"},
 	{"ima_boot_aggregate", cmd_ima_bootaggr, 0, "", "Calculate per TPM bank boot_aggregate digests\n"},
 	{"ima_fix", cmd_ima_fix, 0, "[-t fdsxm] path", "Recursively fix IMA/EVM xattrs in fix mode.\n"},
 	{"ima_clear", cmd_ima_clear, 0, "[-t fdsxm] path", "Recursively remove IMA/EVM xattrs.\n"},
@ -2195,6 +2195,7 @@ static struct option opts[] = {
 	{"list", 0, 0, 138},
 	{"engine", 1, 0, 139},
 	{"xattr-user", 0, 0, 140},
+	{"validate", 0, 0, 141},
 	{}

 };
@ -2373,6 +2374,9 @@ int main(int argc, char *argv[])
 			xattr_ima = "user.ima";
 			xattr_evm = "user.evm";
 			break;
+		case 141: /* --validate */
+			validate = 1;
+			break;
 		case '?':
 			exit(1);
 			break;