New to this release is CI support for testing new kernel integrity
features not yet upstreamed and bugfixes, or functionality not enabled
by distros in a User Mode Linux (UML) environment. Testing in a UML
environment also allows saving CI build artifacts, such as private
keys, needed for creating and loading public keys onto the trusted
kernel keyrings. These public keys may be used for code - file data
and metadata - signature verification.
See the NEWS file for a short summary of changes and the git history
for details.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
On systems with OpenSSL sha1 disabled, the sign-verify.test fails:
- openssl dgst -sha1 sha1.txt
- openssl dgst -sha1 -sign test-rsa1024.key -hex sha1.txt
Error setting context
804BD5CF787F0000:error:03000098:digital envelope routines:do_sigver_init:invalid digest:crypto/evp/m_sigver.c:343:
sha1 (test-rsa1024.key) test is skipped (openssl is unable to sign)
Instead of enabling sha1 support on these systems by setting the environment
variable OPENSSL_ENABLE_SHA1_SIGNATURES, generate a sha256 certificate.
Reported-by: Nageswara R Sastry <rnsastry@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Tested-by: Nageswara R Sastry <rnsastry@linux.ibm.com>
Update the README to reflect the changes to "evmctl --help".
Update the "--pass" option format in both the README and evmctl usage
to reflect passing an optional password on the command line (not
recommended). When providing the password, the format is:
"[--pass[=<password>]]".
Also fix some typos.
Still include references to both the deprecated "--rsa" and "--engine"
options.
Related confiigure options:
--enable-sigv1 Build ima-evm-utils with signature v1 support
--disable-engine build ima-evm-utils without OpenSSL engine support
Reported-by: Vitaly Chikunov <vt@altlinux.org> # typos, "--pass" format
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Add tests to ensure that, after applying the kernel patch 'ima: Align
ima_file_mmap() parameters with mmap_file LSM hook', the MMAP_CHECK hook
checks the protections applied by the kernel and not those requested by the
application.
Also ensure that after applying 'ima: Introduce MMAP_CHECK_REQPROT hook',
the MMAP_CHECK_REQPROT hook checks the protections requested by the
application.
Test both with the test_mmap application that by default requests the
PROT_READ protection flag. Its syntax is:
test_mmap <file> <mode>
where mode can be:
- exec: adds the PROT_EXEC protection flag to mmap()
- read_implies_exec: calls the personality() system call with
READ_IMPLIES_EXEC as the first argument before mmap()
- mprotect: adds the PROT_EXEC protection flag to a memory area in addition
to PROT_READ
- exec_on_writable: calls mmap() with PROT_EXEC on a file which has a
writable mapping
Check the different combinations of hooks/modes and ensure that a
measurement entry is found in the IMA measurement list only when it is
expected. No measurement entry should be found when only the PROT_READ
protection flag is requested or the matching policy rule has the
MMAP_CHECK_REQPROT hook and the personality() system call was called with
READ_IMPLIES_EXEC.
mprotect() with PROT_EXEC on an existing memory area protected with
PROT_READ should be denied (with an appraisal rule), regardless of the MMAP
hook specified in the policy. The same applies for mmap() with PROT_EXEC on
a file with a writable mapping.
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Add ima_policy_check.awk to check for possible overlapping of a rule being
added by a test with the existing IMA policy (policy replacement by IMA at
the first policy load is not taken into account).
ima_policy_check.awk expects as input the rule to be added, followed by the
IMA policy.
It returns a bit mask with the following values:
- 1: invalid new rule;
- 2: overlap of the new rule with an existing rule in the IMA policy;
- 4: new rule exists in the IMA policy.
Values can be individually checked by the test executing the awk script, to
determine what to do (abort loading, print a warning in case of overlap,
avoid adding an existing rule).
The bit mask allows the test to see multiple statements regarding the new
rule. For example, if the test added anyway an overlapping rule, it could
also see that the policy already contains it at the next test execution,
and does not add it again.
Since ima_policy_check.awk uses GNU extensions (such as the or() function,
or the fourth argument of split()), add gawk as dependency for the CI.
Finally add ima_policy_check.test, to ensure that the awk script behaves as
expected.
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Introduce these functions to let the developer specify which kernel patches
are required for the tests to be successful (either pass or fail). If a
test is not successful, print those patches in the test result summary.
First, the developer should declare an array, named PATCHES, with the list
of all kernel patches that are required by the tests. For example:
PATCHES=(
'patch 1 title'
...
'patch N title'
)
Second, the developer could replace the existing expect_pass() and
expect_fail() respectively with expect_pass_if() and expect_fail_if(), and
add the indexes in the PATCHES array as the first argument, enclosed with
quotes. The other parameters of expect_pass() and expect_fail() remain the
same.
In the following example, the PATCHES array has been added to a new test
script, tests/mmap_check.test:
PATCHES=(
'ima: Align ima_file_mmap() parameters with mmap_file LSM hook'
'ima: Introduce MMAP_CHECK_REQPROT hook'
)
Then, expect_pass() has been replaced with expect_pass_if():
expect_pass_if '0' check_mmap "MMAP_CHECK" "read_implies_exec"
The resulting output when a test fails (if the required patch is not
applied) is:
Test: check_mmap (hook="MMAP_CHECK", test_mmap arg: "read_implies_exec")
Result (expect found): not found
Possibly missing patches:
- ima: Align ima_file_mmap() parameters with mmap_file LSM hook
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Prior to the support for reading the TPM 2.0 PCRs via the sysfs
interface, based on environment variables the userspace application read
either the physical or software TPM's PCRs.
With the support for reading the exported TPM 2.0 PCRs via the sysfs
interface, the physical TPM's PCRs are always read. Define a new evmctl
option named '--hwtpm' to limit reading the TPM 2.0 PCRs via the sysfs
interface.
Fixes: a141bd594263 ("add support for reading per bank TPM 2.0 PCRs via sysfs")
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Distro has openSSL 3.0.7, no need to compile own openSSL 3.x.
Signed-off-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
At least on Tumbleweed build fails due openSSL 3.0.7
being installed from package.
Signed-off-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Unlike the original ima-evm-utils ima_hash.test and sign_verify.test
selftests, kernel tests may fail for any number of reasons (e.g. kernel
config, permissions, missing applications, test infrastructure). For
these tests, the full test log is needed to analyze the failure.
Create a phony target in tests/Makefile.am named "check-logs". Based on
test name, output different amounts of the test log.
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
From "Support testing in new enviroments" cover letter:
One of the main limitations of running tests in the current environment is
that features/bug fixes to be tested need to be already included in the
running kernel, which is not always the case.
User Mode Linux (UML) and virtual machines can be used to overcome this
limitation. They allow to create a new environment and run a custom kernel
built by a CI or by the user. The tests can then check the features/bug
fixes of the custom kernel.
Running tests in a new environment also gives the ability to control the
configuration, and to have a clean state for each test by creating new
environments as necessary. The current environment might not allow that,
e.g. for security reasons.
Introduce a mechanism for creating and managing new environments. Expose an
API that allow to transparently create one or multiple environments in a
test script, and to reexecute that script in the new one. Using that API
requires minimal changes to the existing scripts.
The API is generic enough to support different types of enviroments. The
environment can be selected with the TST_ENV environment variable. At the
moment, only UML is supported. QEMU will be added at a later stage.
With the ability to test custom kernels, ima-evm-utils might introduce
specific tests for that, separated from the tests to verify the
ima-evm-utils user space functionality. At the moment, there is no such
distinction, existing tests verify both.
First, fix error messages and a variable in evmctl. Then, add kernel
configuration options for the tests, to be merged with the default
configuration. Add a new job in the Github workflow to build the UML kernel
from a repository and branch specified in the LINUX_URL and LINUX_BRANCH
variables (if the kernel repository does not have a branch with the same
name of the ima-evm-utils one). Per Github documentation, these variables
can be defined at organization, repository and environment level.
Return the correct script exit code if no test was executed. Introduce the
new API for creating and managing new enviroments, for existing and new
test scripts. If TST_ENV is not set, calling the API results in a nop, and
tests are executed in the current environment.
Add the possibility to select individual tests to run in a test script,
with the TST_LIST variable, so that a new environment can be created
multiple times for a subset of tests (useful if for example a test require
kernel settings different from the previous test).
Add tests for EVM portable signatures and modify fsverity.test to use the
new API.
Finally, don't require making changes to the system to run fsverity.test,
install a software dependency after the appropriate repository has been
set up, and temporarily remove CONFIG_DEBUG_SG to avoid a kernel panic
until the patches to fix it are accepted in the upstream kernel.
The travis "fedora:latest" matrix rule fails due to not finding
"haveged". Install "haveged" after enabling EPEL.
Fixes: f106a9022d1f ("Add support for creating a new testing environment in functions.sh")
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Instead of making changes to the system, use in-place built fsverity binary
by adding ../fsverity-utils to the PATH variable, so that the binary can be
found with the 'command -v' command.
Don't delete the fsverity-utils directory, so that the built binary is
available. Not deleting should not be a problem, as the script is meant to
be executed in a CI environment, where cleanup is done by the CI
infrastructure itself.
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Adapt fsverity.test by adding calls to the testing environment API in
functions.sh. If TST_ENV is set, create a new environment and run the
kernel specified with the TST_KERNEL environment variable. Otherwise, keep
the current behavior.
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Verify that operations on files with EVM portable signatures succeed and
that the new kernel patch set does not break the existing kernel integrity
expectations. Build and install mount-idmapped for ci/fedora.sh, to
additionally test idmapped mounts.
To run the tests, pass the path of the kernel private key with the
TST_KEY_PATH environment variable. If not provided, search first in the
ima-evm-utils top directory, and then in
/lib/modules/$(uname -r)/source/certs/signing_key.pem and
/lib/modules/$(uname -r)/build/certs/signing_key.pem.
Root privileges are required to mount the image, configure IMA/EVM and set
xattrs.
Set TST_ENV to 'um', to relaunch the script in a new environment after
booting an UML kernel. The UML kernel path must be specified with the
TST_KERNEL environment variable.
Alternatively, set the TST_EVM_CHANGE_MODE variable to 1, to change the
current EVM mode, if a test needs a different one. Otherwise, execute only
the tests compatible with the current EVM mode.
Also set the EVM_ALLOW_METADATA_WRITES flag in the EVM mode, before
launching the script, to run the check_evm_revalidate() test. Execute:
echo 4 > /sys/kernel/security/evm
The last two environment variables above affect which tests will run the
next time the script is executed. Without setting TST_ENV, changes to the
current EVM mode will be irreversibly done in the host. Next time, unless
the host is rebooted, only tests compatible with the last EVM mode set will
run. The others will be skipped.
By setting TST_ENV, this problem does not arise as, every time the
environment is created, it will be clean with no flags set in the EVM mode.
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
It might be desirable, due to restrictions in the testing environment, to
execute tests individually. Introduce the TST_LIST variable, which can be
set with the name of the test to execute. If the variable is set,
expect_pass and expect_fail automatically skip the tests when the first
argument of those functions does not match the value of TST_LIST.
TST_LIST can be also used in new environments, to execute a subset of
defined tests for each environment. It is sufficient to add the variable
and its value to the kernel command line.
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Add the new functions _run_env(), _exit_env(), _init_env() and
_cleanup_env() to run the tests inside a new environment specified with the
TST_ENV environment variable.
A typical structure of a script with tests is:
trap '_report_exit_and_cleanup _cleanup_env cleanup' \
SIGINT SIGTERM SIGSEGV EXIT
cleanup() {
<test cleanup>
}
<tests implementations>
_run_env "$TST_KERNEL" "$PWD/$(basename "$0")" "env_var1=$env_var1 ..."
_exit_env "$TST_KERNEL"
_init_env
<tests init>
<tests call>
If TST_ENV is not set or empty, don't create a new testing environment and
perform the cleanup in the current environment. Don't create a new testing
environment also if the script is already executed in a new environment, to
avoid loops. Instead, for cleanup, do it in the new environment and skip it
in the host environment (if the cleanup function is passed to
_cleanup_env()).
Signal to the creator of the environment failures of tests or of the script
itself run in the new environment (if the exit code is 1 ($FAIL) or 99
($HARDFAIL)) with an unclean shutdown of the system.
Add haveged and systemd as dependencies for the tests in ci/fedora.sh,
respectively for initializing the random number generator and for shutting
down the system in the new environment.
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
If an error occurs before any test is executed, _report_exit_and_cleanup()
returns 77 ($SKIP) as exit code, which might not reflect the real exit code
at the time the script terminated its execution.
If the function registered in the shell trap() is a cleanup function
calling _report_exit_and_cleanup() inside, the latter will not have access
to the exit code at the time of the trap but instead to the exit code of
the cleanup function.
To solve this issue, pass the cleanup function and its arguments to
_report_exit_and_cleanup(), so that the latter can first get the script
exit code and then can execute the cleanup function.
Finally, if no test was executed, return the exit code at the time of the
trap() instead of 77.
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Add a build job, prerequisite of the existing job, to compile the UML
kernel and upload it and the signing key to a cache. Github configuration
should have two variables: LINUX_URL, the full URL of the kernel
repository; LINUX_BRANCH, the branch to check out as fallback if the kernel
repository does not have the same branch name as the one being pushed for
ima-evm-utils. See:
https://docs.github.com/en/actions/learn-github-actions/variables
for directions on how to define those variables.
If the two variables are not defined, the default values are:
LINUX_URL=https://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git
LINUX_BRANCH=next-integrity
If there is a cache hit (same kernel commit and same kernel configuration),
next time the UML kernel will not be rebuilt. To use the cache, it is
necessary to install zstd in the container. Add this dependency to
ci/fedora.sh.
The cache can be managed at the following URL:
https://github.com/<username>/ima-evm-utils/actions/caches
The page also offers the possibility to clean the cache, to force
rebuilding the kernel.
Add a new entry in the testing matrix, for the fedora-latest container
image, to run the tests with the UML kernel. The entry differs from the
others for the new environment variable TST_ENV, set to 'um', and
TST_KERNEL set to '../linux', as the tests will be executed from the
tests/ directory in ima-evm-utils.
Add a new volume to the container, /dev/shm from the host, as it is
required for running the UML kernel.
Extend the existing job with steps to download the UML kernel and signing
key from the cache. The new steps are executed only if the matrix entry has
TST_ENV set.
Finally, pass TST_ENV and TST_KERNEL to the tests. A test should also
propagate these variables to the new environment, by passing them to the
kernel command line.
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Add kernel-configs/base with changes to be applied to the default kernel
configuration, generated with 'make defconfig'.
Add kernel-configs/integrity, with integrity-specific configuration
options.
Splitting changes helps to identify more easily the desired group of
options. In the future, options could be split even further.
All changes in this directory will be applied with the merge_config.sh
script from the kernel source code in a Github workflow step.
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Make sure that the function name in the error message corresponds to the
actual function called.
Rename mdlen and hash respectively to siglen and sig. Also, initialize
siglen to the size of sig (MAX_DIGEST_SIZE), as this is recommended in the
documentation of EVP_DigestSignFinal().
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
This code path can be triggered if someone inadvertedly swaps the key
with the certificate in the evmctl command line. Our `x` variable would
be NULL, and we need to abort further processing of the certificate.
Signed-off-by: Alberto Mardegan <a.mardegan@omp.ru>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
This does not make fsverity.test working on GA CI, though.
- `--device /dev/loop-control' is required for losetup(8) to work.
- `--privileged' is required foo mount(8) to work, and this makes
`--security-opt seccomp=unconfined' redundant.
- GA container does not have `/sys/kernel/security' mounted which is
needed for `/sys/kernel/security/integrity/ima/policy'.
- Enable `set -x` in CI as the logs is everything we have to analyze on
failures.
Update: with these changes and the UML kernel support, the fsverity.test
is working properly.
Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
[zohar@linux.ibm.com: updated patch description]
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Test IMA support for including fs-verity enabled file measurements
in the IMA measurement list based on the ima-ngv2 and ima-sigv2
records.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
The sourceforge wiki info is dated and requires a major overhaul. Some
of the information already exists in the linux kernel documentation.
For now, save it with the referenced html files.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Change the condition under which pub is freed to make it clearer for the
reader and analyzer.
This change gets rid of the following gcc -fanalyzer warning:
evmctl.c:1140:12: warning: leak of ‘pub’ [CWE-401] [-Wanalyzer-malloc-leak]
1140 | if (imaevm_params.x509)
| ^
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
To avoid numerous warning messages from gcc 12.2.1 when compiling with
-fanalyzer, insert an assert to ensure that algo_name in each bank
is set. The assert resolves the following warnings:
evmctl.c:1998:30: warning: use of NULL where non-null expected [CWE-476] [-Wanalyzer-null-argument]
1998 | if (!strcmp(tpm_banks[j].algo_name, alg)) {
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
evmctl.c: In function ‘ima_measurement’:
evmctl.c:2146:24: warning: use of NULL where non-null expected [CWE-476] [-Wanalyzer-null-argument]
2146 | && strcmp(pseudo_padded_banks[c].algo_name, verify_bank)) {
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
‘ima_measurement’: events 1-2
evmctl.c: In function ‘cmd_ima_bootaggr’:
evmctl.c:2611:33: warning: use of NULL where non-null expected [CWE-476] [-Wanalyzer-null-argument]
2611 | bootaggr_len += strlen(tpm_banks[i].algo_name) + 1;
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Until Linux kernel version 5.11, a TSS was required to read TPM 2.0 PCR
values. A feature which exposed the per bank TPM 2.0 PCRs directly via
sysfs was upstreamed in newer Kernel versions.
Use this recent feature in IMA-EVM-UTILS to remove TSS dependency.
Signed-off-by: Tergel Myanganbayar <tergel@linux.ibm.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Remove unnecessary path check in pcr_ibmtss.c and update the syntax
in the other.
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
The field sizes of the original "ima" template data are static, but
the other template data fields are not. They're prefixed with a size.
Add some data field size sanity checks in ima_show_ng().
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
The template data length is variable, based on the template format.
Define some sort of upper bounds.
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
fread() either returns the number of bytes read or the number of items
of data read. Check that it returns the requested number of items read.
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Before attempting to use the key file, make sure it is a regular file.
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Fix COMPILE_SSL to build for the proper architecture, link with the
appropriate library, and set up library path for evmctl.
Compile OpenSSL with "no-engine" and "no-dynamic-engine" support.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
With the distros shipping OpenSSL 3 with engine support, the original
purpose for compiling OpenSSL 3 to test sm2/sm3 is no longer necessary
and could be removed. Or, it could be re-purposed for building OpenSSL
without engine support, which is needed for testing.
For both travis and github actions, update openssl-3.0.0-beta1 with
openssl-3.0.5.
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Since the distros are now shipping with OpenSSL 3, no need
to build it. Limit the sm2/sm3 test to OpenSSL 3.
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Each record in the IMA measurement list must contain some template data.
Ensure the template data is not zero length.
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Instead of assuming the file hash algorithm is a properly NULL terminated
string, properly limit the "algo:<hash>" field size.
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
On failure to read TPM 2.0 bank PCRs 'errmsg' is not properly set to
NULL after being freed. Fix potential use after free.
Fixes: 3472f9ba9c05 ("ima-evm-utils: read the PCRs for the requested TPM banks")
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
OpenSSL v3 "engine" support is deprecated and replaced with "providers".
Engine support will continue to work for a while, but results in
deprecated declaration and other messages. One option is simply to hide
them ("-Wno-deprecated-declarations"). The other alternative is to
conditionally build ima-evm-utils without OpenSSL engine support and
without disabling deprecated declarations.
Based on "--disable-engine" or "--enable-engine=no" configuration
option, disable OpenSSL "engine" support.
As suggested by Vitaly,
- verify ENGINE_init symbol is defined in libcrypto
- disable engine support if either OPENSSL_NO_DYNAMIC_ENGINE or
OPENSSL_NO_ENGINE variables are defined
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
When EVP_MD_CTX_new() call was added, the corresponding EVP_MD_CTX_free()
was never called. Properly free it.
Fixes: 81010f0d87ef ("ima-evm-utils: Add backward compatible support for openssl 1.1")
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Calculating the EVM HMAC and labeling the filesystem was originally
included in ima-evm-utils for debugging purposes only. For now,
instead of removing EVM HMAC support just replace the low level
HMAC_ calls with EVP_ calls.
The '-a, --hashalgo' specifies the IMA hash or signature algorithm.
The kernel EVM HMAC is limited to SHA1. Fix ima-evm-utils by hard
coding the EVM HMAC algorithm to SHA1.
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
OpenSSL v3 emits deprecated warnings for SHA1 functions. Use the
EVP_ functions when walking the TPM 1.2 binary bios measurements
to calculate the TPM 1.2 PCRs.
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
The original IMA file signatures were based on a SHA1 hash. Kernel
support for other hash algorithms was subsequently upstreamed. Deprecate
"--rsa" support.
Define "--enable-sigv1" option to configure signature v1 support.
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
