ima-evm-utils: tests: verify boot_aggregate

Calculate the boot_aggregate for each TPM bank and verify that the
boot_aggregate in the IMA measurement list matches one of them.

A software TPM may be used to verify the boot_aggregate.  If a
software TPM is not already running on the system, this test
starts one and initializes the TPM PCR banks by walking the sample
binary_bios_measurements event log, included in this directory, and
extending the TPM PCRs.  The associated ascii_runtime_measurements
for verifying the calculated boot_aggregate is included in this
directory as well.

Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

tests/Makefile.am

@@ -1,7 +1,7 @@
 check_SCRIPTS =
 TESTS = $(check_SCRIPTS)
 
-check_SCRIPTS += ima_hash.test sign_verify.test
+check_SCRIPTS += ima_hash.test sign_verify.test boot_aggregate.test
 
 clean-local:
 	-rm -f *.txt *.out *.sig *.sig2

tests/boot_aggregate.test

@@ -0,0 +1,149 @@
+#!/bin/bash
+
+#
+# Calculate the boot_aggregate for each TPM bank, verifying that the
+# boot_aggregate in the IMA measurement list matches one of them.
+#
+# A software TPM may be used to verify the boot_aggregate.  If a
+# software TPM is not already running on the system, this test
+# starts one and initializes the TPM PCR banks by walking the sample
+# binary_bios_measurements event log, included in this directory, and
+# extending the TPM PCRs.  The associated ascii_runtime_measurements
+# for verifying the calculated boot_aggregate is included in this
+# directory as well.
+
+trap cleanup SIGINT SIGTERM EXIT
+
+# Base VERBOSE on the environment variable, if set.
+VERBOSE="${VERBOSE:-0}"
+
+cd "$(dirname "$0")"
+export PATH=../src:$PATH
+export LD_LIBRARY_PATH=$LD_LIBRARY_PATH
+. ./functions.sh
+_require evmctl
+TSSDIR="$(dirname -- "$(which tssstartup)")"
+
+if [ "$(id -u)" = 0 ] && [ -c "/dev/tpm0" ]; then
+	ASCII_RUNTIME_MEASUREMENTS="/sys/kernel/security/ima/ascii_runtime_measurements"
+else
+	BINARY_BIOS_MEASUREMENTS="./sample-binary_bios_measurements-pcrs-8-9"
+	ASCII_RUNTIME_MEASUREMENTS="./sample-ascii_runtime_measurements-pcrs-8-9"
+	export TPM_INTERFACE_TYPE="socsim"
+	export TPM_COMMAND_PORT=2321
+fi
+
+# Only stop this test's software TPM.  Preferred method: "tsstpmcmd -stop"
+cleanup() {
+	if [ ! -z "${SWTPM_PPID}" ]; then
+		if [ -f "${TSSDIR}/tsstpmcmd" ]; then
+			"${TSSDIR}/tsstpmcmd" -stop
+		else
+			pkill -P "${SWTPM_PPID}"
+		fi
+	fi
+}
+
+# Try to start a software TPM if needed.
+swtpm_start() {
+	local swtpm
+
+	swtpm="$(which tpm_server)"
+	if [ -z "${swtpm}" ]; then
+		echo "SKIP: Softare TPM (tpm_server) not found"
+		return "$SKIP"
+	fi
+
+	pgrep tpm_server
+	if [ $? -eq 0 ]; then
+		echo "INFO: Software TPM (tpm_server) already running"
+		return 114
+	else
+		echo "INFO: Starting software TPM: ${swtpm}"
+		${swtpm} > /dev/null 2>&1 &
+		SWTPM_PPID=$!
+	fi
+	return 0
+}
+
+# Initialize the software TPM using the sample binary_bios_measurements log.
+swtpm_init() {
+	if [ ! -f "${TSSDIR}/tssstartup" ] || [ ! -f "${TSSDIR}/tsseventextend" ]; then
+		echo "SKIP: tssstartup and tsseventextend needed for test"
+		return "$SKIP"
+	fi
+
+	echo "INFO: Walking ${BINARY_BIOS_MEASUREMENTS} initializing the software TPM"
+	"${TSSDIR}/tssstartup"
+#	$(${TSSDIR}/tsseventextend -tpm -if "${BINARY_BIOS_MEASUREMENTS}" -v) 2>&1 > /dev/null
+	"${TSSDIR}/tsseventextend" -tpm -if "${BINARY_BIOS_MEASUREMENTS}" -v > /dev/null 2>&1
+}
+
+# In VERBOSE mode, display the calculated TPM PCRs for the different banks.
+display_pcrs() {
+	local PCRMAX=7
+	local banks=("sha1" "sha256")
+	local i;
+
+	for bank in "${banks[@]}"; do
+		echo "INFO: Displaying ${bank} TPM bank (PCRs 0 - 7)"
+		for i in $(seq 0 $PCRMAX); do
+			rc=0
+			pcr=$("${TSSDIR}/tsspcrread" -halg "${bank}" -ha "${i}" -ns)
+			if [ $rc -ne 0 ]; then
+				echo "INFO: tsspcrread failed: $pcr"
+				break
+			fi
+			echo "$i: $pcr"
+		done
+	done
+}
+
+# The first entry in the IMA measuremnet list is the "boot_aggregate".
+check() {
+	echo "INFO: Calculating the boot_aggregate (PCRs 0 - 7) for multiple banks"
+	bootaggr=$(evmctl ima_boot_aggregate)
+	if [ $? -ne 0 ]; then
+		echo "SKIP: evmctl ima_boot_aggregate: $bootaggr"
+		exit "$SKIP"
+	fi
+
+	boot_aggr=( $bootaggr )
+
+	echo "INFO: Searching for the boot_aggregate in ${ASCII_RUNTIME_MEASUREMENTS}"
+	for hash in "${boot_aggr[@]}"; do
+		if [ "$VERBOSE" != "0" ]; then
+			echo "$hash"
+		fi
+		if grep -q "${hash}" "${ASCII_RUNTIME_MEASUREMENTS}"; then
+			echo "SUCCESS: boot_aggregate ${hash} found"
+			return "$OK"
+		fi
+	done
+	echo "FAILURE: boot_aggregate not found"
+	echo "$bootaggr"
+	return "$FAIL"
+}
+
+# Start and initialize a software TPM as needed
+if [ "$(id -u)" != 0 ] || [ ! -c "/dev/tpm0" ]; then
+	swtpm_start
+	error=$?
+	if [ $error -eq "$SKIP" ]; then
+		echo "skip: swtpm not installed"
+		exit "$SKIP"
+	fi
+
+	if [ $error -eq 0 ]; then
+		swtpm_init
+		if [ $? -eq "$SKIP" ]; then
+			echo "testing boot_aggregate without entries"
+			exit "$SKIP"
+		fi
+	fi
+	if [ "$VERBOSE" != "0" ]; then
+		display_pcrs
+	fi
+fi
+
+expect_pass check

tests/sample-ascii_runtime_measurements-pcrs-8-9

@@ -0,0 +1 @@
+10 2e03b3fdb0014fc8bae2a07ca33ae67125b290f3 ima-ng sha256:83d19723ef3b3c05bb8ae70d86b3886c158f2408f1b71ed265886a7b79eb700e boot_aggregate

tests/sample-tpm-2.0-pcrs-8-9

@@ -0,0 +1,25 @@
+pcrread: tsspcrread -halg sha1
+0: 92c1850372e9493929aa9a2e9ea953e21ff1be45
+1: 41c54039ca2750ea60d8ab7c48b142b10aba5667
+2: b2a83b0ebf2f8374299a5b2bdfc31ea955ad7236
+3: b2a83b0ebf2f8374299a5b2bdfc31ea955ad7236
+4: 4c1a19aad90f770956ff5ee00334a2d548b1a350
+5: a1444a8a9904666165730168b3ae489447d3cef7
+6: b2a83b0ebf2f8374299a5b2bdfc31ea955ad7236
+7: 5c6327a67ff36f138e0b7bb1d2eafbf8a6e52ebf
+8: fed489d2e5f9f85136e5ff53553d5f8b978dbe1a
+9: a2fa191f2622bb014702013bfebfca9fe210d9e5
+10: 3134641a3e8a1f5f75fa850bb21c3104d6ab863b
+11: 0000000000000000000000000000000000000000
+12: 0000000000000000000000000000000000000000
+13: 0000000000000000000000000000000000000000
+14: 71161a5707051fa7d6f584d812240b2e80f61942
+15: 0000000000000000000000000000000000000000
+16: 0000000000000000000000000000000000000000
+17: ffffffffffffffffffffffffffffffffffffffff
+18: ffffffffffffffffffffffffffffffffffffffff
+19: ffffffffffffffffffffffffffffffffffffffff
+20: ffffffffffffffffffffffffffffffffffffffff
+21: ffffffffffffffffffffffffffffffffffffffff
+22: ffffffffffffffffffffffffffffffffffffffff
+23: 0000000000000000000000000000000000000000

tests/test_ascii_runtime_measurements

@@ -0,0 +1,3 @@
+10 cf41b43c4031672fcc2bd358b309ad33b977424f ima-ng sha256:f1b4c7c9b27e94569f4c2b64051c452bc609c3cb891dd7fae06b758f8bc83d14 boot_aggregate
+10 983dcd8e6f7c84a1a5f10e762d1850623966ceab ima-ng sha256:ae06e032a65fed8102aff5f8f31c678dcf2eb25b826f77ecb699faa0411f89e0 /init
+10 b6e4d01c73f6e4b698eaf48e7d76a2bae0c02514 ima-ng sha256:4b1764ee112aa8b2a6ae9a3a2f1e272b6601681f610708497673cd49e5bd2f5c /bin/sh