Remove support for filtering on file types unsupported by IMA from evmctl.
This now prevents func(de->d_name) to be invoked on symlinks, block device
files, etc. since signature verification on those file types is not
supported by IMA in the kernel.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Add the missing "evmctl ima_boot_aggregate" info to the README. Update
the "help" to include the new "--pcrs" option. In addition, replace
the "file" option with "TPM 1.2 BIOS event log". The new format is:
ima_boot_aggregate [--pcrs hash-algorithm,file] [TPM 1.2 BIOS event log]
Reminder: calculating the TPM PCRs based on the BIOS event log and
comparing them with the TPM PCRs should be done prior to calculating the
possible boot_aggregate value(s).
For TPM 1.2, the TPM 1.2 BIOS event log may be provided as an option
when calculating the ima_boot_aggregate. For TPM 2.0, "tsseventextend
-sim -if <binary_bios_measurements> -ns -v", may be used to validate
the TPM 2.0 event log.
(Note: some TPM 2.0's export the BIOS event log in the TPM 1.2 format.)
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
IMA records file "Time of Measure, Time of Use (ToMToU)" and "open
writers" integrity violations by adding a record to the measurement
list containing one value (0x00's), but extending the TPM with a
different value (0xFF's).
To avoid known file integrity violations, the builtin "tcb" measurement
policy should be replaced with a custom policy as early as possible.
This patch renames the existing "--validate" option to
"--ignore-violations".
Suggested-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
While walking the IMA measurement list re-calculating the PCRS,
ima_measurement should always re-calculate the template data digest
and verify it against the measurement list value.
This patch removes the "--verify" option.
On success, return 0.
Suggested-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Extend the ima_measurement --pcrs option to support per-bank pcr files.
The extended syntax is "--pcrs algorithm,pathname". If no algorithm
is specified, it defaults to sha1 as before. Multiple --pcrs options
are now supported, one per bank of PCRs. The file format remains
unchanged. If --pcrs is specified, only try to read PCRs from the
specified file(s); do not fall back to trying to read from sysfs
or the TPM itself in this case since the user requested use of
the files.
Create per-bank pcr files, depends on "tpm: add sysfs exports for all
banks of PCR registers" kernel patch:
$ cat tpm2pcrread.sh
for alg in sha1 sha256
do
rm -f pcr-$alg
pcr=0;
while [ $pcr -lt 24 ];
do
printf "PCR-%02d: " $pcr >> pcr-$alg;
cat /sys/class/tpm/tpm0/pcr-$alg/$pcr >> pcr-$alg;
pcr=$[$pcr+1];
done
done
$ sh ./tpm2pcrread.sh
Pass only the sha1 PCRs to evmctl defaulting to sha1:
$ sudo evmctl ima_measurement --pcrs pcr-sha1 /sys/kernel/security/integrity/ima/binary_runtime_measurements
Pass only the sha1 PCRs to evmctl with explicit selection of sha1:
$ sudo evmctl ima_measurement --pcrs sha1,pcr-sha1 /sys/kernel/security/integrity/ima/binary_runtime_measurements
Pass both sha1 and sha256 PCRs to evmctl:
$ sudo evmctl ima_measurement --pcrs sha1,pcr-sha1 --pcrs sha256,pcr-sha256 /sys/kernel/security/integrity/ima/binary_runtime_measurements
Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
[zohar@linux.ibm.com: although support for exporting TPM 2.0 PCRs has
not yet been upstreamed, add support for the file format anyway.]
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
"--pcrs" compares the re-calculate PCRs against a file containing TPM 1.2 pcrs.
"--validate" ignores ToMToU measurement violations.
"--verify" verifies the template data digest based on the template data.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
The file signature stored in the ima_measurement list is verified based
on the file hash. Instead of reading the file data to calculate the
file hash, compare with the file hash stored in the template data. In
both cases, the set of public keys need to be specified.
This patch renames the "--list" option to "verify-sig" option.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Another method of using GOST algorithms (and cryptographic accelerators)
is via direct preloading of appropriate engine using '--engine' option.
For the gost-engine it should be '--engine gost'.
Usage example:
1. Install gost-engine appropriately. (No need to edit openssl.cnf).
2. Then GOST algorithms should work:
# cp /dev/null a
# evmctl -v ima_hash --engine gost -a streebog256 a
hash: 04123f539a213e97c802cc229d474c6aa32a825a360b2a933a949fd925208d9ce1bb
Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
The IMA/EVM attributes are currently stored in the "security" namespace,
which requires root privileges. Storing the ima/evm attributes in the
"user" namespace, instead of the "security" namespace, would be useful
for debugging and testing purposes, and because "--sigfile" does not
work for evm signatures.
Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Instead of verifying file signatures included in the measurement list,
by calculating the local file hash, verify the file signature based on the
digest contained in the measurement list.
This patch defines a new option named "--list".
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
On a running system, different software packages might be signed by
different parties. Support verifying signatures in the measurement
list using multiple public keys(eg. -k "key1, key2, ...").
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Add a --portable argument that generates EVM signatures without using
the inode number and generation or fs UUID.
Signed-off-by: Matthew Garrett <mjg59@google.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Changelog:
- immutable and portable flags are exclusive, prevent enabling both.
Add more info on:
* introduction
* EVM formats
* Signature and keys formats
* IMA trusted keys and keyrings
* EVM trusted keys
* Updated scripts and examples
Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
Update README with additional information to produce initial
evmctl.1 man page. Sligtly reformat it for that purpose as well.
Requires asciidoc, xslproc, docbook-xsl packages to build man page.
Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
-u required to provide uuid or '-', which was confusing.
Now -u does not require '-' argument to read uuid automatically.
Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
Asymmetric keys were introduced in linux-3.7 to verify the signature on
signed kernel modules. The asymmetric keys infrastructure abstracts the
signature verification from the crypto details. Asymmetric crypto keys
support allows to import X509 public key certificate in a DER format
into the kernel keyring. Asymmetric keys require a new signature format.
'evmctl -x' or 'evmctl --x509' option can be used to utilize new
signature format.
Using of key filename after the file name for signing and verification commands
is a bit odd. This patch add '--key' parameter to specify non-default key file.
Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
Latest version of EVM uses file system UUID as part of an HMAC
calculation to prevent pasting of inode metadata from other file
systems. This patch adds support for adding file system UUID
to HMAC calculation. It is necessary to specify '-u -' or '--uuid -'
on evmctl command line.
Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
README updated.
Module signing info has been removed. Module signing is done now in kernel
source tree and uses appended signatures. No need to create sig files or
set extended attributes. Information about test scripts has been removed.
Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
To enable module signature verification working on file systems
without extended attributes, or to be able to copy modules by methods,
which does not support extended attribute copying, it is necessary
to store signature in the file. This patch provides command line parameter
for storing signature in .sig file.
Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
evmctl provides signing support for IMA/EVM.
Functionality includes signing of file content (IMA), file metadata (EVM),
importing public keys into kernel keyring.
Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
