The sourceforge wiki info is dated and requires a major overhaul. Some
of the information already exists in the linux kernel documentation.
For now, save it with the referenced html files.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Change the condition under which pub is freed to make it clearer for the
reader and analyzer.
This change gets rid of the following gcc -fanalyzer warning:
evmctl.c:1140:12: warning: leak of ‘pub’ [CWE-401] [-Wanalyzer-malloc-leak]
1140 | if (imaevm_params.x509)
| ^
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
To avoid numerous warning messages from gcc 12.2.1 when compiling with
-fanalyzer, insert an assert to ensure that algo_name in each bank
is set. The assert resolves the following warnings:
evmctl.c:1998:30: warning: use of NULL where non-null expected [CWE-476] [-Wanalyzer-null-argument]
1998 | if (!strcmp(tpm_banks[j].algo_name, alg)) {
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
evmctl.c: In function ‘ima_measurement’:
evmctl.c:2146:24: warning: use of NULL where non-null expected [CWE-476] [-Wanalyzer-null-argument]
2146 | && strcmp(pseudo_padded_banks[c].algo_name, verify_bank)) {
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
‘ima_measurement’: events 1-2
evmctl.c: In function ‘cmd_ima_bootaggr’:
evmctl.c:2611:33: warning: use of NULL where non-null expected [CWE-476] [-Wanalyzer-null-argument]
2611 | bootaggr_len += strlen(tpm_banks[i].algo_name) + 1;
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Until Linux kernel version 5.11, a TSS was required to read TPM 2.0 PCR
values. A feature which exposed the per bank TPM 2.0 PCRs directly via
sysfs was upstreamed in newer Kernel versions.
Use this recent feature in IMA-EVM-UTILS to remove TSS dependency.
Signed-off-by: Tergel Myanganbayar <tergel@linux.ibm.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Remove unnecessary path check in pcr_ibmtss.c and update the syntax
in the other.
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
The field sizes of the original "ima" template data are static, but
the other template data fields are not. They're prefixed with a size.
Add some data field size sanity checks in ima_show_ng().
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
The template data length is variable, based on the template format.
Define some sort of upper bounds.
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
fread() either returns the number of bytes read or the number of items
of data read. Check that it returns the requested number of items read.
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Before attempting to use the key file, make sure it is a regular file.
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Fix COMPILE_SSL to build for the proper architecture, link with the
appropriate library, and set up library path for evmctl.
Compile OpenSSL with "no-engine" and "no-dynamic-engine" support.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
With the distros shipping OpenSSL 3 with engine support, the original
purpose for compiling OpenSSL 3 to test sm2/sm3 is no longer necessary
and could be removed. Or, it could be re-purposed for building OpenSSL
without engine support, which is needed for testing.
For both travis and github actions, update openssl-3.0.0-beta1 with
openssl-3.0.5.
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Since the distros are now shipping with OpenSSL 3, no need
to build it. Limit the sm2/sm3 test to OpenSSL 3.
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Each record in the IMA measurement list must contain some template data.
Ensure the template data is not zero length.
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Instead of assuming the file hash algorithm is a properly NULL terminated
string, properly limit the "algo:<hash>" field size.
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
On failure to read TPM 2.0 bank PCRs 'errmsg' is not properly set to
NULL after being freed. Fix potential use after free.
Fixes: 3472f9ba9c05 ("ima-evm-utils: read the PCRs for the requested TPM banks")
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
OpenSSL v3 "engine" support is deprecated and replaced with "providers".
Engine support will continue to work for a while, but results in
deprecated declaration and other messages. One option is simply to hide
them ("-Wno-deprecated-declarations"). The other alternative is to
conditionally build ima-evm-utils without OpenSSL engine support and
without disabling deprecated declarations.
Based on "--disable-engine" or "--enable-engine=no" configuration
option, disable OpenSSL "engine" support.
As suggested by Vitaly,
- verify ENGINE_init symbol is defined in libcrypto
- disable engine support if either OPENSSL_NO_DYNAMIC_ENGINE or
OPENSSL_NO_ENGINE variables are defined
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
When EVP_MD_CTX_new() call was added, the corresponding EVP_MD_CTX_free()
was never called. Properly free it.
Fixes: 81010f0d87ef ("ima-evm-utils: Add backward compatible support for openssl 1.1")
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Calculating the EVM HMAC and labeling the filesystem was originally
included in ima-evm-utils for debugging purposes only. For now,
instead of removing EVM HMAC support just replace the low level
HMAC_ calls with EVP_ calls.
The '-a, --hashalgo' specifies the IMA hash or signature algorithm.
The kernel EVM HMAC is limited to SHA1. Fix ima-evm-utils by hard
coding the EVM HMAC algorithm to SHA1.
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
OpenSSL v3 emits deprecated warnings for SHA1 functions. Use the
EVP_ functions when walking the TPM 1.2 binary bios measurements
to calculate the TPM 1.2 PCRs.
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
The original IMA file signatures were based on a SHA1 hash. Kernel
support for other hash algorithms was subsequently upstreamed. Deprecate
"--rsa" support.
Define "--enable-sigv1" option to configure signature v1 support.
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Remove AC_PROG_LIBTOOL and AC_HEAD_STDC. Replace AC_HELP_STRING with
AS_HELP_STRING.
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Although Github Actions is available on Github Enterprise Server 3.x
single server edition, as well as the unpaid version, it is not
available in Github Enterprise Server 3.x cluster edition[1].
Continue updating travis.yml.
[1] https://docs.github.com/en/enterprise-server@3.0/admin/release-notes#github-packages
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Writing either security.ima hashes or security.evm hmacs from userspace
will fail regardless of the IMA or EVM fix mode. In fix mode, 'touch'
will force security.ima and security.evm to be updated.
Make the setxattr error messages more explicit and clear errno.
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Define a log_errno_reset macro to emit the errno string at or near the
time of error, similar to the existing log_errno macro, but also reset
errno to avoid dangling or duplicate errno messages on exit.
The initial usage is for non-critical file open failures.
Suggested-by: Vitaly Chikunov <vt@altlinux.org>
Reviewed-by: Vitaly Chikunov <vt@altlinux.org>
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
This reverts commit acb19d1894a4a95471b8d2346cd6c3ecf3385110, based on
the mailing list discussion and will be fixed in the next commit.
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Link: https://lore.kernel.org/linux-integrity/20220915153659.dtykhzitxdrlpasq@altlinux.org/
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
bash is a dependency for tests, not being installed by default on
containers.
This fixes:
../test-driver: line 112: ./ima_hash.test: not found
../test-driver: line 112: ./sign_verify.test: not found
../test-driver: line 112: ./boot_aggregate.test: not found
Signed-off-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Ubuntu 21.10 impish EOL in 2022-04 (next month).
Replace it with the latest stable release (EOL 2027-04).
Signed-off-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
ima-evm-utils does not attempt to calculate or even read the fs-verity
file hash, but can verify the fs-verity signature based on the fsverity
file hash, both contained in the measurement list record.
Example:
evmctl ima_measurement --key <DER encoded public key> \
--verify-sig /sys/kernel/security/ima/binary_runtime_measurements
Modify 'sig' argument of verify_hash() to be the full xattr in order to
differentiate signatures types.
Note:
Kernel commit b1aaab22e263 ("ima: pass full xattr with the signature")
added the 'type' to signature_v2_hdr struct, which hasn't been reflected
here. (todo)
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Sign fs-verity file digests provided in the format as produced by
"fsverity digest". The output is of the same format as the input,
but with the file signature appended. Use setfattr to write the
signature as security.ima xattr.
fsverity digest format: <algo>:<hash> <pathname>
output format: <algo>:<hash> <pathname> <signature>
Instead of directly signing the fsverity hash, to disambiguate the
original IMA signatures from the fs-verity signatures stored in the
security.ima xattr a new signature format version 3 (sigv3) was
defined as the hash of the xattr type (enum evm_ima_xattr_type),
the hash algorithm (enum hash_algo), and the hash.
Example:
fsverity digest <pathname> | evmctl sign_hash --veritysig \
--key <pem encoded private key>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Not being able to open a file is not necessarily a problem. If
and when it occurs, an informational or error message with the
actual filename is emitted as needed.
Reset 'errno' to prevent the "errno: No such file or directory (2)"
generic message.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Replace CentOS 8 with CentOS stream 8.
Use podman for both CentOS 7 & 8.
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
It EOL in 12/2021 and CI is failing due removed repo:
CentOS Linux 8 - AppStream 232 B/s | 38 B 00:00
Error: Failed to download metadata for repo 'appstream': Cannot prepare internal mirrorlist: No URLs in mirrorlist
Removing only from GitHub Actions, because Mimi Zohar reported Travis
can use centos:stream8.
Signed-off-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Updated both the release and library (ABI change) versions. See the
NEWS file for a short summary and the git history for details.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Instead of returning an image, it prompts for a response. Hardcode
to use docker.io.
Please select an image:
▸ docker.io/library/alt:sisyphus
quay.io/alt:sisyphus
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
As expected, for the same reasons as commit 6287cb76d186 ("travis: Fix
openSUSE Tumbleweed"), replace using docker with podman, but now use
crun.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Both opensuse/tumbleweed and Alt Linux have upgraded to glibc-2.34,
causing the CI testing to fail. Disable seccomp (which is not needed
anyway, since GA uses throwable virtual environments anyway).
options: --security-opt seccomp=unconfined
Suggested-by: Vitaly Chikunov <vt@altlinux.org>
Acked-by: Petr Vorel <petr.vorel@gmail.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Due to SHA1 weaknesses, define a configuration option to set the default
hash algorithm. The set of permitted hash algorithms is defined in the
hash_info.h header file. At the same time, change the default hash
algorithm from SHA1 to SHA256.
The SHA-1 algorithm is considered a weak hash algorithm and there has been
some movement within certain distros to drop its support completely or at
least drop it from the default behavior. ima-evm-utils uses it as the
default algorithm in case the user doesn't explicitly ask for another
through the --with-default-hash configuration time option or --hashalgo/-a
runtime option. With that, make SHA-256 the default hash algorithm instead.
Signed-off-by: Bruno Meneguele <bmeneg@redhat.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
The default hash algorithm for evmctl is today hardcoded in the libimaevm.c
file. To facilitate package maintainers across different distributions to
set their own default hash algorithm, this patch adds the
--with-default-hash=<algo> option to the configuration script.
The chosen algorithm will then be checked by its available in the kernel,
otherwise IMA won't be able to verify files hashed by the user. For that,
the kernel header hash_info.h used as the source of supported hashes. In
case the hash_info.h header is not present, the configuration script warns
about it, but uses whatever the user specified in the option.
Signed-off-by: Bruno Meneguele <bmeneg@redhat.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
From the cover letter:
Add support for signing with pkcs11 URIs so that pkcs11-enabled devices
can also be used for file signing.
Extend the existing sign_verify.test with tests for the new pkcs11 URI support.
Use SoftHSM, when available, as a pkcs11 device for testing.
Get the packages for pkcs11 testing on the CI/CD system, where available.
On those system where it is not available, skip the two tests.
The following distros cannot run the pkcs11 tests:
- Alpine: package with pkcs11 engine not available
- CentOS7: softhsm 2.1.0 is too old for tests to work; tests also fail when
trying to sign with pkcs11 URI using openssl command line tool
- OpenSuSE Leap: softhsm package not available in main repo
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Extend the sign_verify test with a pkcs11-specific test.
Since the openssl command line tool now needs to use a key provided by
an engine, extend some command lines with the additional parameters
'--keyform engine'. These parameters are passed using the global variable
OPENSSL_KEYFORM, which is only set when pkcs11 URIs are used.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Import softhsm_setup script from my swtpm project and contribute
it to this project under dual license BSD 3-clause and GPL 2.0.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Add support for pkcs11 private keys for signing a v2 hash.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
If the key has the pkcs11: URI prefix then setup the pkcs11 engine
if the user hasn't chosen a specific engine already.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
