Coverity complains about the existing "if (!fread(....))" and inverse
syntax. Change it to make Coverity happy.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Remove support for filtering on file types unsupported by IMA from evmctl.
This now prevents func(de->d_name) to be invoked on symlinks, block device
files, etc. since signature verification on those file types is not
supported by IMA in the kernel.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
If the pcr is invalid, evmctl will crash while accessing
an invalid memory address. Verify the pcr is in the
expected range.
Also, correct range of an existing check.
Signed-off-by: Frank Sorenson <sorenson@redhat.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
TPM 2.0 banks may be extended either with a padded SHA1 hash or more
recently with a per TPM bank calculated hash. If the measurement list
is carried across kexec, the original kernel might extend the TPM
differently than the new kernel.
Support for verifying a mixed IMA measurement list is not supported. To
permit verifying just the SHA1 bank, specify "--verify-bank=sha1" on the
command line.
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
When a system is very busy with IMA taking measurements into more than
one bank, then we often do not get the PCR 10 values of the sha1 bank
that represents the same log entry as the reading of the PCR value of
the sha256 bank. In other words, the reading of the PCR 10 value from
the sha1 bank may represent the PCR 10 state at the time of the
n-th entry in the log while the reading of the PCR 10 value from the
sha256 bank may represent the state at the time of a later-than-n entry.
The result currently is that the PCR measurements do not match and
on a busy system the tool may not easily report a successful match.
This patch fixes this issue by separating the TPM bank comparison for
each one of the banks being looked and using a bit mask for checking
which banks have already been matched. Once the mask has become 0
all PCR banks have been successfully matched.
A run on a busy system may result in the output as follows indicating
PCR bank matches at the n-th entry for the sha1 bank and at a later
entry, possibly n + 1 or n + 2 or so, for the sha256 bank. The
output is interleaved with a match of the sha1 bank against 'padded
matching'.
$ evmctl ima_measurement --ignore-violations /sys/kernel/security/ima/binary_runtime_measurements -v
sha1: PCRAgg 10: 381cc6139e2fbda76037ec0946089aeccaaa5374
sha1: TPM PCR-10: 381cc6139e2fbda76037ec0946089aeccaaa5374
sha1 PCR-10: succeed at entry 4918
sha1: PCRAgg 10: 381cc6139e2fbda76037ec0946089aeccaaa5374
sha1: TPM PCR-10: 381cc6139e2fbda76037ec0946089aeccaaa5374
sha1 PCR-10: succeed at entry 4918
[...]
sha256: PCRAgg 10: c21dcb7098b3d7627f7aaeddf8aff68a65209027274d82af52be2fd302193eb7
sha256: TPM PCR-10: c21dcb7098b3d7627f7aaeddf8aff68a65209027274d82af52be2fd302193eb7
sha256 PCR-10: succeed at entry 4922
Matched per TPM bank calculated digest(s).
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Commit 4928548d9d87 ("Add support for portable EVM format") added
support for generating portable and immutable signatures. Support
verifying them, using either the security.ima or the user.ima.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Add the missing "evmctl ima_boot_aggregate" info to the README. Update
the "help" to include the new "--pcrs" option. In addition, replace
the "file" option with "TPM 1.2 BIOS event log". The new format is:
ima_boot_aggregate [--pcrs hash-algorithm,file] [TPM 1.2 BIOS event log]
Reminder: calculating the TPM PCRs based on the BIOS event log and
comparing them with the TPM PCRs should be done prior to calculating the
possible boot_aggregate value(s).
For TPM 1.2, the TPM 1.2 BIOS event log may be provided as an option
when calculating the ima_boot_aggregate. For TPM 2.0, "tsseventextend
-sim -if <binary_bios_measurements> -ns -v", may be used to validate
the TPM 2.0 event log.
(Note: some TPM 2.0's export the BIOS event log in the TPM 1.2 format.)
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
IMA records file "Time of Measure, Time of Use (ToMToU)" and "open
writers" integrity violations by adding a record to the measurement
list containing one value (0x00's), but extending the TPM with a
different value (0xFF's).
To avoid known file integrity violations, the builtin "tcb" measurement
policy should be replaced with a custom policy as early as possible.
This patch renames the existing "--validate" option to
"--ignore-violations".
Suggested-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
While walking the IMA measurement list re-calculating the PCRS,
ima_measurement should always re-calculate the template data digest
and verify it against the measurement list value.
This patch removes the "--verify" option.
On success, return 0.
Suggested-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Extend the ima_measurement --pcrs option to support per-bank pcr files.
The extended syntax is "--pcrs algorithm,pathname". If no algorithm
is specified, it defaults to sha1 as before. Multiple --pcrs options
are now supported, one per bank of PCRs. The file format remains
unchanged. If --pcrs is specified, only try to read PCRs from the
specified file(s); do not fall back to trying to read from sysfs
or the TPM itself in this case since the user requested use of
the files.
Create per-bank pcr files, depends on "tpm: add sysfs exports for all
banks of PCR registers" kernel patch:
$ cat tpm2pcrread.sh
for alg in sha1 sha256
do
rm -f pcr-$alg
pcr=0;
while [ $pcr -lt 24 ];
do
printf "PCR-%02d: " $pcr >> pcr-$alg;
cat /sys/class/tpm/tpm0/pcr-$alg/$pcr >> pcr-$alg;
pcr=$[$pcr+1];
done
done
$ sh ./tpm2pcrread.sh
Pass only the sha1 PCRs to evmctl defaulting to sha1:
$ sudo evmctl ima_measurement --pcrs pcr-sha1 /sys/kernel/security/integrity/ima/binary_runtime_measurements
Pass only the sha1 PCRs to evmctl with explicit selection of sha1:
$ sudo evmctl ima_measurement --pcrs sha1,pcr-sha1 /sys/kernel/security/integrity/ima/binary_runtime_measurements
Pass both sha1 and sha256 PCRs to evmctl:
$ sudo evmctl ima_measurement --pcrs sha1,pcr-sha1 --pcrs sha256,pcr-sha256 /sys/kernel/security/integrity/ima/binary_runtime_measurements
Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
[zohar@linux.ibm.com: although support for exporting TPM 2.0 PCRs has
not yet been upstreamed, add support for the file format anyway.]
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Helps to indicate when the template data digest verification fails.
Indicate the problematic record in the measurement list based on
log level and fail verification.
fixes: ff26f9704ec4 ("ima-evm-utils: calculate and verify the template
data digest")
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Parameter expects to be a copy of /sys/class/tpm/tpm0/device/pcrs (i.e.
regular file, not a directory, block or character device, socket, ...)
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Parameter expects to be a copy of
/sys/kernel/security/tpm0/binary_bios_measurements (i.e. regular file,
not a directory, block or character device, socket, ...)
Fixes: f49e982 ("ima-evm-utils: read the TPM 1.2 binary_bios_measurements")
Signed-off-by: Petr Vorel <pvorel@suse.cz>
[zohar@linux.ibm.com: updated to check stat result]
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
There was no room for placing the '\0' at the end of boot_aggregate value,
thus printf() was reading 1 byte beyond the array limit.
Signed-off-by: Bruno Meneguele <bmeneg@redhat.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
OpenSSL context should be freed in case of versions >= 1.1 before leaving
the function in case EVP_DigestUpdate() returns any error.
Signed-off-by: Bruno Meneguele <bmeneg@redhat.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Distros running older OpenSSL versions (<= 1.1) fail to build due to the
empty label at the end of calc_bootaggr(). For these, that label is no-op.
Signed-off-by: Bruno Meneguele <bmeneg@redhat.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Address the new compiler complaints:
- while reading the template data
- while reading the exported TPM 1.2 PCRs
- while reading the TPM event log
Reported-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
The file signature stored in the ima_measurement list is verified based
on the file hash. Instead of reading the file data to calculate the
file hash, compare with the file hash stored in the template data. In
both cases, the set of public keys need to be specified.
This patch renames the "--list" option to "verify-sig" option.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Reading the TPM PCRs before walking the measurement list guarantees
the measurement list contains all the records, possibly too many records.
Compare the re-calculated hash after each extend with both the per bank
TPM PCR digests and the SHA1 paddeded TPM PCR digests.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Reading the TPM PCRs before walking the measurement list guarantees
the measurement list contains all the records.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
"evmctl ima_measurement" walks the IMA measurement list calculating the
PCRs and verifies the calculated values against the system's PCRs.
Instead of reading the system's PCRs, provide the PCRs as a file. For
TPM 1.2 the PCRs are exported via a securityfs file.
Verifying the IMA measurement list against the exported TPM 1.2 PCRs
file may be used remotely for regression testing. If used in a
production environment, the provided TPM PCRs must be compared with
those included in the TPM 1.2 quote as well.
This patch defines an evmctl ima_measurement "--pcrs <filename>" option.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Initially the sha1 digest, including violations, was padded with zeroes
before being extended into the other TPM banks. Support walking the
IMA measurement list, calculating the per TPM bank SHA1 padded
digest(s).
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Instead of reading the TPM 1.2 PCRs one at a time, opening and closing
the securityfs file each time, read all of PCRs at once.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
An IMA measurement list may not contain "ima" and other template
formats. Fail verifying the ima_measurement test.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Instead of just calculating the "boot_aggregate" based on the current
TPM PCRs, the original LTP and standalone ima_boot_aggregate test walked
the TPM 1.2 event log, calculating the PCRs.
If the TPM 1.2 event log is provided as an option on the "evmctl
ima_boot_aggregate" command, read the event log, calculate the sha1
PCRs, and calculate the "boot_aggregate" based on these PCRs.
The code for walking the IMA measurement list is based on the LTP and
standalone ima_boot_aggregate tests. Similar support for reading the
TPM 2.0 event log to calculate the PCRs requires the TPM 2.0 event log
to be exported or a TSS to read the event log. Parsing the TPM 2.0
event log is not supported here.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
The original "ima" template digest included just a SHA1 file data hash
and a fixed 255 character pathname in the hash calculation. Two main
differences exist between the "ima" template and other template formats.
The other template data formats are prefixed with the template data
length and each field is prefixed with the field length,
These differences simplify verifying the other template formats against
the TPM PCRs without necessarily understanding each and every template
field.
Support for the original "ima" templat formate is based on the original
LTP and IMA standalone versions.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Validating a TPM quote of PCR-10, the default IMA PCR, requires not only
sending the quote to the verifier, but the IMA measurement list as well.
The attestation server can verify the IMA measurement list simply by
walking the measurement list and re-calculating the PCRs based on the
template data digest. In addition, the attestation server could verify
the template data digest based on the template data.
The LTP and standalone "ima_measure" test optionally verify the template
data digest. Similarly add "--verify" support to conditionally verify
the template data digest against the template data.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
File time of measure, time of use (ToMToU) violations are annotated in
the measurement list by including a template data digest of zeroes, but
extending the TPM with 0xFF's. This causes validating the measurement
against the TPM PCRs to fail. To validate the measurement list against
the PCRs requires replacing the zero template data digest with OxFF's.
The default behavior, unless specifically requested, should be to fail
the measurement list verification. Support validating the measurement
list based on a "--validate" option.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
The template data digest for file measurement time of measure, time of
use (ToMToU) violations is zero. Don't calculate the template data
digest for the different banks.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Instead of emitting the per TPM PCR bank "boot_aggregate" values one
at a time, store them in a buffer and emit them all at once.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
The IMA measurement list boot_aggregate is the link between the preboot
event log and the IMA measurement list. Read and calculate all the
possible per TPM bank boot_aggregate digests based on PCRs 0 - 7.
Reading the TPM PCRs requires root permission, unless access to the
device (/dev/tpm0 or /dev/tpmrm0) has been granted.
Prior to calculating the boot_aggregate, the TPM PCRs themselves should
be validated by walking the TPM event log and re-calculating the PCRs.
(Such a test should be included as part of the TSS regression testsuites.)
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
This patch makes it possible to use the Intel TSS2 for getting
PCR values from the SHA1/SHA256 banks on a TPM2.
It is somewhat naive as it doesn't use the multi-PCR selection
that TSS2 is capable of, that is for a future patch.
Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org>
[zohar@linux.ibm.com: added missing "stdint.h" in pcr_tsspcrread.c]
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Now that read_tpm_banks() reads the TPM 1.2 PCRs, remove the TPM 1.2
specific code for reading and verifying the SHA1 PCRs.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Extend read_tpm_banks() to support TPM 1.2, by reading TPM 1.2 SHA1 PCRs
into the first bank and mark the other banks as disabled.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
After walking the measurement list, re-calculating and extending the TPM
PCRs with the appropriate template digest for each bank, compare the
re-calculated PCR values for each TPM bank with the actual TPM values.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
tpm2_read_pcrs() reads the sha1 PCRs in order to verify the measurmeent
list. This patch adds support for reading other TPM banks.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
IMA currently extends the different TPM banks by padding/truncating the
SHA1 template digest. Although the IMA measurement list only includes
the SHA1 template digest, the template digest could be re-calculated
properly for each bank.
This patch adds support for properly calculating the template hash for
multiple TPM banks - "sha1" and "sha256".
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Opening a file for write when it is already opened for read, results in
a time of measure, time of use (ToMToU) error. Similarly, when opening
a file for read, when it is already opened for write, results in a file
measurement error. These violations are flagged by including 0x00's as
the template digest in the measurement list, but extending the TPM with
0xFF's.
In preparation of extending the TPM banks with bank specific digest
values, increase the "zero" and "fox" variable sizes.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
The TPM spec differentiates between an unknown bank and an unallocated
bank. In terms of re-calculating the PCR, treat them as equivalent.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Change main() return code from -1 to 125 as -1 is not really valid exit
code. 125 is choosen because exit codes for signals start from 126.
Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Previously for EVM verify you should specify `--hashalgo' option while
for IMA ima_verify you didn't.
Allow EVM verify to determine hash algo from signature.
Also, this makes two previously static functions to become exportable
and renamed:
get_hash_algo_from_sig -> imaevm_hash_algo_from_sig
get_hash_algo_by_id -> imaevm_hash_algo_by_id
This is needed because EVM hash is calculated (in calc_evm_hash) outside
of library.
imaevm_hash_algo_by_id() will now return NULL if algo is not found.
Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
If user wants to verify v1 signature and specify RSA public key in `-k'
option, this key will be attempted to be loaded as x509 certificate and
this process will output errors.
Do not load a key as a x509 cert if user pass `--rsa'.
This is not perfect solution. As now it's possible to specify `-k' and
`--rsa' and v2 signatures will not verify, because of no keys.
This improvement is not added into ima_measurement().
Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
