From f01c449a0c56257ef8d237176e09295d4780b69a Mon Sep 17 00:00:00 2001
From: Mimi Zohar
Date: Tue, 21 Jul 2020 16:29:10 -0400
Subject: [PATCH] ima-evm-utils: Release version 1.3

Updated both the release and library (ABI change) versions. See the "Changelog" for a list of the new features, bug fixes, and code cleanup.

Signed-off-by: Mimi Zohar
---
ChangeLog | 57 ++++++++++++++++++++++++++++++++++++
configure.ac | 2 +-
packaging/ima-evm-utils.spec | 2 +-
src/Makefile.am | 2 +-
4 files changed, 60 insertions(+), 3 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 72aebd9..d8ba520 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,60 @@
+2020-07-21 Mimi Zohar
+
+ version 1.3 new features:
+ * NEW ima-evm-utils regression test infrastructure with two initial
+ tests:
+ - ima_hash.test: calculate/verify different crypto hash algorithms
+ - sign_verify.test: EVM and IMA sign/verify signature tests
+ * TPM 2.0 support
+ - Calculate the new per TPM 2.0 bank template data digest
+ - Support original padding the SHA1 template data digest
+ - Compare ALL the re-calculated TPM 2.0 bank PCRs against the
+ TPM 2.0 bank PCR values
+ - Calculate the per TPM bank "boot_aggregate" values, including
+ PCRs 8 & 9 in calculation
+ - Support reading the per TPM 2.0 Bank PCRs using Intel's TSS
+ - boot_aggregate.test: compare the calculated "boot_aggregate"
+ values with the "boot_aggregate" value included in the IMA
+ measurement.
+ * TPM 1.2 support
+ - Additionally support reading the TPM 1.2 PCRs from a supplied file
+ ("--pcrs" option)
+ * Based on original IMA LTP and standalone version support
+ - Calculate the TPM 1.2 "boot_aggregate" based on the exported
+ TPM 1.2 BIOS event log.
+ - In addition to verifying the IMA measurement list against the
+ the TPM PCRs, verify the IMA template data digest against the
+ template data. (Based on LTP "--verify" option.)
+ - Ignore file measurement violations while verifying the IMA
+ measurment list. (Based on LTP "--validate" option.)
+ - Verify the file data signature included in the measurement list
+ based on the file hash also included in the measurement list
+ (--verify-sig)
+ - Support original "ima" template (mixed templates not supported)
+ * Support "sm3" crypto name
+
+ Bug fixes and code cleanup:
+ * Don't exit with -1 on failure, exit with 125
+ * On signature verification failure, include pathname.
+ * Provide minimal hash_info.h file in case one doesn't exist, needed
+ by the ima-evm-utils regression tests.
+ * On systems with TPM 1.2, skip "boot_aggregate.test" using sample logs + * Fix hash_algo type comparison mismatch + * Simplify/clean up code + * Address compiler complaints and failures + * Fix memory allocations and leaks + * Sanity check provided input files are regular files + * Revert making "tsspcrread" a compile build time decision. + * Limit additional messages based on log level (-v) + +2019-07-30 Mimi Zohar + + version 1.2.1 Bug fixes: + * When verifying multiple file signatures, return correct status + * Don't automatically use keys from x509 certs if user supplied "--rsa" + * Fix verifying DIGSIG_VERSION_1 signatures + * autoconf, openssl fixes + 2019-07-24 Mimi Zohar diff --git a/configure.ac b/configure.ac index e7df7cd..772b025 100644 --- a/configure.ac +++ b/configure.ac @@ -1,7 +1,7 @@ # autoconf script AC_PREREQ([2.65]) -AC_INIT(ima-evm-utils, 1.2, zohar@linux.ibm.com) +AC_INIT(ima-evm-utils, 1.3, zohar@linux.ibm.com) AM_INIT_AUTOMAKE AC_CONFIG_HEADERS([config.h]) AC_CONFIG_MACRO_DIR([m4]) diff --git a/packaging/ima-evm-utils.spec b/packaging/ima-evm-utils.spec index 2db6790..588f93a 100644 --- a/packaging/ima-evm-utils.spec +++ b/packaging/ima-evm-utils.spec @@ -1,5 +1,5 @@ Name: ima-evm-utils -Version: 1.2 +Version: 1.3 Release: 1%{?dist} Summary: ima-evm-utils - IMA/EVM control utility Group: System/Libraries diff --git a/src/Makefile.am b/src/Makefile.am index ba9719b..d6c779f 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -4,7 +4,7 @@ libimaevm_la_SOURCES = libimaevm.c libimaevm_la_CPPFLAGS = $(AM_CPPFLAGS) $(LIBCRYPTO_CFLAGS) # current[:revision[:age]] # result: [current-age].age.revision -libimaevm_la_LDFLAGS = -version-info 1:0:0 +libimaevm_la_LDFLAGS = -version-info 2:0:0 libimaevm_la_LIBADD = $(LIBCRYPTO_LIBS) include_HEADERS = imaevm.h
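Review bot: The `-version-info 2:0:0` bump on `libimaevm_la_LDFLAGS` leaves no record in the file of why `current` changed, and the 1.3 ChangeLog entry in this patch does not mention the library version at all. By the formula in the comment just above the line, `current` 2 with `age` 0 gives 2.0.0, so the library's major version moves and programs linked against the previous build will presumably need a rebuild. For a library that verifies IMA/EVM signatures, packagers should be told this explicitly. I would add a comment above the line such as `# 1.3: incompatible ABI change, so current is bumped and revision/age reset to 0`, plus a matching ChangeLog bullet. The rest of src/Makefile.am is outside the hunk, so whether anything else still refers to the old library version cannot be checked from here.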