The default hash algorithm for evmctl is today hardcoded in the libimaevm.c
file. To facilitate package maintainers across different distributions to
set their own default hash algorithm, this patch adds the
--with-default-hash=<algo> option to the configuration script.
The chosen algorithm will then be checked by its available in the kernel,
otherwise IMA won't be able to verify files hashed by the user. For that,
the kernel header hash_info.h used as the source of supported hashes. In
case the hash_info.h header is not present, the configuration script warns
about it, but uses whatever the user specified in the option.
Signed-off-by: Bruno Meneguele <bmeneg@redhat.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Add support for pkcs11 private keys for signing a v2 hash.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
If the key has the pkcs11: URI prefix then setup the pkcs11 engine
if the user hasn't chosen a specific engine already.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Extend the global libimaevm_params structure with an ENGINE field 'eng'
and use it in place of the local ENGINE variable in main().
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Move the code that sets up an OpenSSL engine into its own function.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Handle failure to initialize the openssl engine. For example,
$ ./src/evmctl --engine foo
engine foo isn't available
140322992015168:error:25066067:DSO support routines:dlfcn_load:could not load the shared library:crypto/dso/dso_dlfcn.c:118:filename(/usr/lib64/engines-1.1/foo.so): /usr/lib64/engines-1.1/foo.so: cannot open shared object file: No such file or directory
140322992015168:error:25070067:DSO support routines:DSO_load:could not load the shared library:crypto/dso/dso_lib.c:162:
140322992015168:error:260B6084:engine routines:dynamic_load:dso not found:crypto/engine/eng_dyn.c:414:
140322992015168:error:2606A074:engine routines:ENGINE_by_id:no such engine:crypto/engine/eng_list.c:334:id=foo
Segmentation fault (core dumped)
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
If the user did not use the --pass option to provide a key password,
get the key password from the EVMCTL_KEY_PASSWORD environment variable.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
The variable "password" is not freed nor returned in case get_password()
succeeds. Return it instead of the intermediary variable "pwd". Issue found
by Coverity scan tool.
src/evmctl.c:2565: leaked_storage: Variable "password" going out of scope
leaks the storage it points to.
Signed-off-by: Bruno Meneguele <bmeneg@redhat.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
PCR numbers are naturally unsigned values. Further, they are
32 bits, even on 64-bit machines. This change eliminates the
need for negative value and overflow tests.
The parameter name is changed from j and idx to pcr_handle, which is
more descriptive and is similar to the parameter name used in the TPM
2.0 specification.
Signed-off-by: Ken Goldman <kgoldman@us.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Allow user to specify `--keyid-from-cert cert.pem' to extract keyid from
SKID of the certificate file. PEM or DER format is auto-detected.
This commit creates ABI change for libimaevm, due to adding new function
ima_read_keyid(). Newer clients cannot work with older libimaevm.
Together with previous commit it creates backward-incompatible ABI
change, thus soname should be incremented on release.
Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Allow user to set signature's keyid using `--keyid' option. Keyid should
correspond to SKID in certificate, when keyid is calculated using SHA-1
in libimaevm it may mismatch keyid extracted by the kernel from SKID of
certificate (the way public key is presented to the kernel), thus making
signatures not verifiable. This may happen when certificate is using non
SHA-1 SKID (see rfc7093) or just 'unique number' (see rfc5280 4.2.1.2).
As a last resort user may specify arbitrary keyid using the new option.
This commit creates ABI change for libimaevm, because of adding
additional parameter to imaevm_params - newer libimaevm cannot work
with older clients.
Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
Reported-by: Elvira Khabirova <lineprinter0@gmail.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Since we are not signing directory entries, remove the left-over check
with S_ISDIR().
Suggested-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Coverity complains about the existing "if (!fread(....))" and inverse
syntax. Change it to make Coverity happy.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Remove support for filtering on file types unsupported by IMA from evmctl.
This now prevents func(de->d_name) to be invoked on symlinks, block device
files, etc. since signature verification on those file types is not
supported by IMA in the kernel.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
If the pcr is invalid, evmctl will crash while accessing
an invalid memory address. Verify the pcr is in the
expected range.
Also, correct range of an existing check.
Signed-off-by: Frank Sorenson <sorenson@redhat.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
TPM 2.0 banks may be extended either with a padded SHA1 hash or more
recently with a per TPM bank calculated hash. If the measurement list
is carried across kexec, the original kernel might extend the TPM
differently than the new kernel.
Support for verifying a mixed IMA measurement list is not supported. To
permit verifying just the SHA1 bank, specify "--verify-bank=sha1" on the
command line.
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
When a system is very busy with IMA taking measurements into more than
one bank, then we often do not get the PCR 10 values of the sha1 bank
that represents the same log entry as the reading of the PCR value of
the sha256 bank. In other words, the reading of the PCR 10 value from
the sha1 bank may represent the PCR 10 state at the time of the
n-th entry in the log while the reading of the PCR 10 value from the
sha256 bank may represent the state at the time of a later-than-n entry.
The result currently is that the PCR measurements do not match and
on a busy system the tool may not easily report a successful match.
This patch fixes this issue by separating the TPM bank comparison for
each one of the banks being looked and using a bit mask for checking
which banks have already been matched. Once the mask has become 0
all PCR banks have been successfully matched.
A run on a busy system may result in the output as follows indicating
PCR bank matches at the n-th entry for the sha1 bank and at a later
entry, possibly n + 1 or n + 2 or so, for the sha256 bank. The
output is interleaved with a match of the sha1 bank against 'padded
matching'.
$ evmctl ima_measurement --ignore-violations /sys/kernel/security/ima/binary_runtime_measurements -v
sha1: PCRAgg 10: 381cc6139e2fbda76037ec0946089aeccaaa5374
sha1: TPM PCR-10: 381cc6139e2fbda76037ec0946089aeccaaa5374
sha1 PCR-10: succeed at entry 4918
sha1: PCRAgg 10: 381cc6139e2fbda76037ec0946089aeccaaa5374
sha1: TPM PCR-10: 381cc6139e2fbda76037ec0946089aeccaaa5374
sha1 PCR-10: succeed at entry 4918
[...]
sha256: PCRAgg 10: c21dcb7098b3d7627f7aaeddf8aff68a65209027274d82af52be2fd302193eb7
sha256: TPM PCR-10: c21dcb7098b3d7627f7aaeddf8aff68a65209027274d82af52be2fd302193eb7
sha256 PCR-10: succeed at entry 4922
Matched per TPM bank calculated digest(s).
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Commit 4928548d9d87 ("Add support for portable EVM format") added
support for generating portable and immutable signatures. Support
verifying them, using either the security.ima or the user.ima.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Add the missing "evmctl ima_boot_aggregate" info to the README. Update
the "help" to include the new "--pcrs" option. In addition, replace
the "file" option with "TPM 1.2 BIOS event log". The new format is:
ima_boot_aggregate [--pcrs hash-algorithm,file] [TPM 1.2 BIOS event log]
Reminder: calculating the TPM PCRs based on the BIOS event log and
comparing them with the TPM PCRs should be done prior to calculating the
possible boot_aggregate value(s).
For TPM 1.2, the TPM 1.2 BIOS event log may be provided as an option
when calculating the ima_boot_aggregate. For TPM 2.0, "tsseventextend
-sim -if <binary_bios_measurements> -ns -v", may be used to validate
the TPM 2.0 event log.
(Note: some TPM 2.0's export the BIOS event log in the TPM 1.2 format.)
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
IMA records file "Time of Measure, Time of Use (ToMToU)" and "open
writers" integrity violations by adding a record to the measurement
list containing one value (0x00's), but extending the TPM with a
different value (0xFF's).
To avoid known file integrity violations, the builtin "tcb" measurement
policy should be replaced with a custom policy as early as possible.
This patch renames the existing "--validate" option to
"--ignore-violations".
Suggested-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
While walking the IMA measurement list re-calculating the PCRS,
ima_measurement should always re-calculate the template data digest
and verify it against the measurement list value.
This patch removes the "--verify" option.
On success, return 0.
Suggested-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Extend the ima_measurement --pcrs option to support per-bank pcr files.
The extended syntax is "--pcrs algorithm,pathname". If no algorithm
is specified, it defaults to sha1 as before. Multiple --pcrs options
are now supported, one per bank of PCRs. The file format remains
unchanged. If --pcrs is specified, only try to read PCRs from the
specified file(s); do not fall back to trying to read from sysfs
or the TPM itself in this case since the user requested use of
the files.
Create per-bank pcr files, depends on "tpm: add sysfs exports for all
banks of PCR registers" kernel patch:
$ cat tpm2pcrread.sh
for alg in sha1 sha256
do
rm -f pcr-$alg
pcr=0;
while [ $pcr -lt 24 ];
do
printf "PCR-%02d: " $pcr >> pcr-$alg;
cat /sys/class/tpm/tpm0/pcr-$alg/$pcr >> pcr-$alg;
pcr=$[$pcr+1];
done
done
$ sh ./tpm2pcrread.sh
Pass only the sha1 PCRs to evmctl defaulting to sha1:
$ sudo evmctl ima_measurement --pcrs pcr-sha1 /sys/kernel/security/integrity/ima/binary_runtime_measurements
Pass only the sha1 PCRs to evmctl with explicit selection of sha1:
$ sudo evmctl ima_measurement --pcrs sha1,pcr-sha1 /sys/kernel/security/integrity/ima/binary_runtime_measurements
Pass both sha1 and sha256 PCRs to evmctl:
$ sudo evmctl ima_measurement --pcrs sha1,pcr-sha1 --pcrs sha256,pcr-sha256 /sys/kernel/security/integrity/ima/binary_runtime_measurements
Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
[zohar@linux.ibm.com: although support for exporting TPM 2.0 PCRs has
not yet been upstreamed, add support for the file format anyway.]
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Helps to indicate when the template data digest verification fails.
Indicate the problematic record in the measurement list based on
log level and fail verification.
fixes: ff26f9704ec4 ("ima-evm-utils: calculate and verify the template
data digest")
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Parameter expects to be a copy of /sys/class/tpm/tpm0/device/pcrs (i.e.
regular file, not a directory, block or character device, socket, ...)
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Parameter expects to be a copy of
/sys/kernel/security/tpm0/binary_bios_measurements (i.e. regular file,
not a directory, block or character device, socket, ...)
Fixes: f49e982 ("ima-evm-utils: read the TPM 1.2 binary_bios_measurements")
Signed-off-by: Petr Vorel <pvorel@suse.cz>
[zohar@linux.ibm.com: updated to check stat result]
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
There was no room for placing the '\0' at the end of boot_aggregate value,
thus printf() was reading 1 byte beyond the array limit.
Signed-off-by: Bruno Meneguele <bmeneg@redhat.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
OpenSSL context should be freed in case of versions >= 1.1 before leaving
the function in case EVP_DigestUpdate() returns any error.
Signed-off-by: Bruno Meneguele <bmeneg@redhat.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Distros running older OpenSSL versions (<= 1.1) fail to build due to the
empty label at the end of calc_bootaggr(). For these, that label is no-op.
Signed-off-by: Bruno Meneguele <bmeneg@redhat.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Address the new compiler complaints:
- while reading the template data
- while reading the exported TPM 1.2 PCRs
- while reading the TPM event log
Reported-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
The file signature stored in the ima_measurement list is verified based
on the file hash. Instead of reading the file data to calculate the
file hash, compare with the file hash stored in the template data. In
both cases, the set of public keys need to be specified.
This patch renames the "--list" option to "verify-sig" option.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Reading the TPM PCRs before walking the measurement list guarantees
the measurement list contains all the records, possibly too many records.
Compare the re-calculated hash after each extend with both the per bank
TPM PCR digests and the SHA1 paddeded TPM PCR digests.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Reading the TPM PCRs before walking the measurement list guarantees
the measurement list contains all the records.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
"evmctl ima_measurement" walks the IMA measurement list calculating the
PCRs and verifies the calculated values against the system's PCRs.
Instead of reading the system's PCRs, provide the PCRs as a file. For
TPM 1.2 the PCRs are exported via a securityfs file.
Verifying the IMA measurement list against the exported TPM 1.2 PCRs
file may be used remotely for regression testing. If used in a
production environment, the provided TPM PCRs must be compared with
those included in the TPM 1.2 quote as well.
This patch defines an evmctl ima_measurement "--pcrs <filename>" option.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Initially the sha1 digest, including violations, was padded with zeroes
before being extended into the other TPM banks. Support walking the
IMA measurement list, calculating the per TPM bank SHA1 padded
digest(s).
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Instead of reading the TPM 1.2 PCRs one at a time, opening and closing
the securityfs file each time, read all of PCRs at once.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
An IMA measurement list may not contain "ima" and other template
formats. Fail verifying the ima_measurement test.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Instead of just calculating the "boot_aggregate" based on the current
TPM PCRs, the original LTP and standalone ima_boot_aggregate test walked
the TPM 1.2 event log, calculating the PCRs.
If the TPM 1.2 event log is provided as an option on the "evmctl
ima_boot_aggregate" command, read the event log, calculate the sha1
PCRs, and calculate the "boot_aggregate" based on these PCRs.
The code for walking the IMA measurement list is based on the LTP and
standalone ima_boot_aggregate tests. Similar support for reading the
TPM 2.0 event log to calculate the PCRs requires the TPM 2.0 event log
to be exported or a TSS to read the event log. Parsing the TPM 2.0
event log is not supported here.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
The original "ima" template digest included just a SHA1 file data hash
and a fixed 255 character pathname in the hash calculation. Two main
differences exist between the "ima" template and other template formats.
The other template data formats are prefixed with the template data
length and each field is prefixed with the field length,
These differences simplify verifying the other template formats against
the TPM PCRs without necessarily understanding each and every template
field.
Support for the original "ima" templat formate is based on the original
LTP and IMA standalone versions.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Validating a TPM quote of PCR-10, the default IMA PCR, requires not only
sending the quote to the verifier, but the IMA measurement list as well.
The attestation server can verify the IMA measurement list simply by
walking the measurement list and re-calculating the PCRs based on the
template data digest. In addition, the attestation server could verify
the template data digest based on the template data.
The LTP and standalone "ima_measure" test optionally verify the template
data digest. Similarly add "--verify" support to conditionally verify
the template data digest against the template data.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
File time of measure, time of use (ToMToU) violations are annotated in
the measurement list by including a template data digest of zeroes, but
extending the TPM with 0xFF's. This causes validating the measurement
against the TPM PCRs to fail. To validate the measurement list against
the PCRs requires replacing the zero template data digest with OxFF's.
The default behavior, unless specifically requested, should be to fail
the measurement list verification. Support validating the measurement
list based on a "--validate" option.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
The template data digest for file measurement time of measure, time of
use (ToMToU) violations is zero. Don't calculate the template data
digest for the different banks.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Instead of emitting the per TPM PCR bank "boot_aggregate" values one
at a time, store them in a buffer and emit them all at once.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
The IMA measurement list boot_aggregate is the link between the preboot
event log and the IMA measurement list. Read and calculate all the
possible per TPM bank boot_aggregate digests based on PCRs 0 - 7.
Reading the TPM PCRs requires root permission, unless access to the
device (/dev/tpm0 or /dev/tpmrm0) has been granted.
Prior to calculating the boot_aggregate, the TPM PCRs themselves should
be validated by walking the TPM event log and re-calculating the PCRs.
(Such a test should be included as part of the TSS regression testsuites.)
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
