This is required, because when TPM HW available (i.e. -c /dev/tpm0),
evmctl ima_boot_aggregate returns sha1:xxxx.
skip requires to move cleanup().
Signed-off-by: Petr Vorel <petr.vorel@gmail.com>
[zohar@linux.ibm.com: move test so it works with sample logs]
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
The existing variable names swtpm and swtpm1 is confusing. Rename
"swtpm" to "tpm_server" and "swtpm1" as "swtpm".
Suggested-by: Ken Goldman <kgoldman@us.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
The software TPM might not be listening for commands yet. Try re-sending
the tssstartup.
Reported-by: Ken Goldman <kgoldman@us.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
The default value raw is appropriate for 'swtpm'. tpm_server
uses the Microsoft packet encapsulation, so the env variable
must have the value mssim.
Signed-off-by: Ken Goldman <kgoldman@us.ibm.com>
Fixes: f831508297cd ("Install the swtpm package, if available")
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
The "boot_aggregate.test" requires either a hardware or software TPM.
Support using the swtpm, if packaged for the distro, in addition to
tpm_server.
Note: Some travis/<distro>.sh scripts are links to other scripts.
Don't fail the build of the linked script if the swtpm package doesn't
exist.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Acked-by: Bruno Meneguele <bmeneg@redhat.com>
boot_aggregate test make use of a software TPM 2.0 in case it doesn't find
any /dev/tpm0 in the system or if the test is ran as a normal user. However,
when the system has a discrete TPM 1.2 and the user runs the test with a
non-root user evmctl fails to return the software TPM 2.0 boot aggregate
value because it tries to access TPM 1.2 the sysfs PCRs file and,
consequently, the test fails. Thus TPM 2.0 log test is not supported on
systems with a discrete TPM 1.2
Signed-off-by: Bruno Meneguele <bmeneg@redhat.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Searching for the last "boot_aggregate" record in the measurement list
could inadvertently match a filename containing the string
"boot_aggregate". Prevent this from happening.
Reviewed-by: Bruno Meneguele <bmeneg@redhat.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
display_pcrs() should include PCRS 8 - 9 as they are non-zeros on some
systems. boot_aggregate may span PCRs 0 - 9 so check()'s info message
should be fixed accordingly.
Signed-off-by: Maurizio Drocco <maurizio.drocco@ibm.com>
Use the "functions.sh" tty color scheme, which defines SKIP as CYAN.
FAILURE: RED (31)
SUCCESS: GREEN (32)
SKIP: CYAN (36)
Should VERBOSE or informational messages be color coded?
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
For each kexec, an additional "boot_aggregate" will appear in the
measurement list, assuming the previous measurement list is carried
across kexec.
Verify that the last "boot_aggregate" record in the IMA measurement list
matches. The "boot_aggregate" is either the last field (e.g. "ima-ng")
or the second to last field (e.g. "ima-sig") in the measurement list
record.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Calculate the boot_aggregate for each TPM bank and verify that the
boot_aggregate in the IMA measurement list matches one of them.
A software TPM may be used to verify the boot_aggregate. If a
software TPM is not already running on the system, this test
starts one and initializes the TPM PCR banks by walking the sample
binary_bios_measurements event log, included in this directory, and
extending the TPM PCRs. The associated ascii_runtime_measurements
for verifying the calculated boot_aggregate is included in this
directory as well.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
