dh/ima-evm-utils-mirror
1
0
Fork 0
mirror of https://git.code.sf.net/p/linux-ima/ima-evm-utils synced 2025-04-28 06:33:36 +02:00
Code Releases Activity

Compare commits

base: dh:master
Branches Tags
dh:master
dh:next
dh:next-testing
dh:ima-evm-utils-1.3.1-y
dh:ima-evm-utils-1.2.y
dh:v1.5
dh:v1.4
dh:v1.3.2
dh:v1.3.1
dh:v1.3
dh:v1.2.1
dh:v1.2
dh:v1.1
dh:v1.0
dh:v0.9
dh:v0.8
dh:v0.7
dh:v0.6
dh:v0.5
dh:v0.4
dh:v0.1.0
dh:v0.2
dh:v0.3
dh:v0.1.1
..
compare: dh:v1.2
Branches Tags
dh:next
dh:next-testing
dh:master
dh:ima-evm-utils-1.3.1-y
dh:ima-evm-utils-1.2.y
dh:v1.5
dh:v1.4
dh:v1.3.2
dh:v1.3.1
dh:v1.3
dh:v1.2.1
dh:v1.2
dh:v1.1
dh:v1.0
dh:v0.9
dh:v0.8
dh:v0.7
dh:v0.6
dh:v0.5
dh:v0.4
dh:v0.1.0
dh:v0.2
dh:v0.3
dh:v0.1.1

No commits in common. "master" and "v1.2" have entirely different histories.
master ... v1.2

68 changed files with 624 additions and 9322 deletions
Show Stats Expand all files Collapse all files

231
.github/workflows/ci.yml vendored
View File

@ -1,231 +0,0 @@
# Copyright (c) 2021 Petr Vorel <pvorel@suse.cz>
name: "distros"
on: [push, pull_request]
jobs:
build:
runs-on: ubuntu-latest
outputs:
LINUX_SHA: ${{ steps.last-commit.outputs.LINUX_SHA }}
name: build
timeout-minutes: 100
strategy:
fail-fast: false
steps:
- uses: actions/checkout@v3
- name: Determine last kernel commit
id: last-commit
shell: bash
run: |
mkdir linux-integrity
pushd linux-integrity
git init
LINUX_URL=${{ vars.LINUX_URL }}
if [ -z "$LINUX_URL" ]; then
LINUX_URL=https://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git
fi
LINUX_BRANCH=${{ vars.LINUX_BRANCH }}
if [ -z "$LINUX_BRANCH" ]; then
LINUX_BRANCH=next-integrity
fi
git remote add origin $LINUX_URL
LINUX_SHA=$(git ls-remote origin $GITHUB_REF_NAME | awk '{print $1}')
[ -z "$LINUX_SHA" ] && LINUX_SHA=$(git ls-remote origin $LINUX_BRANCH | awk '{print $1}')
echo "LINUX_SHA=$LINUX_SHA" >> $GITHUB_OUTPUT
popd
- name: Cache UML kernel
id: cache-linux
uses: actions/cache@v3
with:
path: linux
key: linux-${{ steps.last-commit.outputs.LINUX_SHA }}-${{ hashFiles('**/kernel-configs/*') }}
- name: Cache signing key
id: cache-key
uses: actions/cache@v3
with:
path: signing_key.pem
key: signing_key.pem-${{ steps.last-commit.outputs.LINUX_SHA }}-${{ hashFiles('**/kernel-configs/*') }}
- name: Compile UML kernel
if: steps.cache-linux.outputs.cache-hit != 'true' || steps.cache-key.outputs.cache-hit != 'true'
shell: bash
run: |
if [ "$DEVTOOLSET" = "yes" ]; then
source /opt/rh/devtoolset-10/enable
fi
if [ "$ARCH" = "i386" ]; then
CROSS_COMPILE_OPT="CROSS_COMPILE=i686-linux-gnu-"
fi
pushd linux-integrity
git pull --depth 1 origin ${{ steps.last-commit.outputs.LINUX_SHA }}
make ARCH=um defconfig
./scripts/kconfig/merge_config.sh -m .config $(ls ../kernel-configs/*)
# Update manually, to specify ARCH=um
make ARCH=um olddefconfig
# Make everything built-in
make ARCH=um localyesconfig
make ARCH=um $CROSS_COMPILE_OPT -j$(nproc)
chmod +x linux
cp linux ..
cp certs/signing_key.pem ..
popd
job:
needs: build
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
include:
# 32bit build
- container: "debian:stable"
env:
CC: gcc
ARCH: i386
TSS: tpm2-tss
VARIANT: i386
COMPILE_SSL: openssl-3.0.5
# cross compilation builds
- container: "debian:stable"
env:
ARCH: ppc64el
CC: powerpc64le-linux-gnu-gcc
TSS: ibmtss
VARIANT: cross-compile
- container: "debian:stable"
env:
ARCH: arm64
CC: aarch64-linux-gnu-gcc
TSS: tpm2-tss
VARIANT: cross-compile
- container: "debian:stable"
env:
ARCH: s390x
CC: s390x-linux-gnu-gcc
TSS: ibmtss
VARIANT: cross-compile
# musl (native)
- container: "alpine:latest"
env:
CC: gcc
TSS: tpm2-tss
# glibc (gcc/clang)
- container: "opensuse/tumbleweed"
env:
CC: clang
TSS: ibmtss
- container: "opensuse/leap"
env:
CC: gcc
TSS: tpm2-tss
- container: "ubuntu:jammy"
env:
CC: gcc
TSS: ibmtss
COMPILE_SSL: openssl-3.0.5
- container: "ubuntu:xenial"
env:
CC: clang
TSS: tpm2-tss
- container: "fedora:latest"
env:
CC: clang
TSS: ibmtss
- container: "fedora:latest"
env:
CC: clang
TSS: ibmtss
TST_ENV: um
TST_KERNEL: ../linux
- container: "centos:7"
env:
CC: gcc
TSS: tpm2-tss
- container: "debian:testing"
env:
CC: clang
TSS: tpm2-tss
- container: "debian:stable"
env:
CC: clang
TSS: ibmtss
- container: "alt:sisyphus"
env:
CC: gcc
TSS: libtpm2-tss-devel
container:
image: ${{ matrix.container }}
env: ${{ matrix.env }}
options: --privileged --device /dev/loop-control -v /dev/shm:/dev/shm
steps:
- name: Show OS
run: cat /etc/os-release
- name: Git checkout
uses: actions/checkout@v1
- name: Install additional packages
run: |
INSTALL=${{ matrix.container }}
INSTALL="${INSTALL%%:*}"
INSTALL="${INSTALL%%/*}"
if [ "$VARIANT" ]; then ARCH="$ARCH" ./ci/$INSTALL.$VARIANT.sh; fi
ARCH="$ARCH" CC="$CC" TSS="$TSS" ./ci/$INSTALL.sh
- name: Build openSSL
run: |
if [ "$COMPILE_SSL" ]; then
COMPILE_SSL="$COMPILE_SSL" VARIANT="$VARIANT" ./tests/install-openssl3.sh; \
fi
- name: Build swtpm
run: |
if [ ! "$VARIANT" ]; then
which tpm_server || which swtpm || \
if which tssstartup; then
./tests/install-swtpm.sh;
fi
fi
- name: Retrieve UML kernel
if: ${{ matrix.env.TST_ENV }}
uses: actions/cache@v3
continue-on-error: false
with:
path: linux
key: linux-${{ needs.build.outputs.LINUX_SHA }}-${{ hashFiles('**/kernel-configs/*') }}
- name: Retrieve signing key
if: ${{ matrix.env.TST_ENV }}
continue-on-error: false
uses: actions/cache@v3
with:
path: signing_key.pem
key: signing_key.pem-${{ needs.build.outputs.LINUX_SHA }}-${{ hashFiles('**/kernel-configs/*') }}
- name: Compiler version
run: $CC --version
- name: Compile
run: CC="$CC" VARIANT="$VARIANT" COMPILE_SSL="$COMPILE_SSL" TST_ENV="$TST_ENV" TST_KERNEL="$TST_KERNEL" ./build.sh

2
.gitignore vendored
View File

@ -21,7 +21,7 @@ missing
compile
libtool
ltmain.sh
test-driver
# Compiled executables
*.o

98
.travis.yml
View File

@ -1,98 +0,0 @@
# Copyright (c) 2017-2021 Petr Vorel <pvorel@suse.cz>
dist: focal
language: C
services:
- docker
matrix:
include:
# 32 bit build
- os: linux
env: DISTRO=debian:stable VARIANT=i386 ARCH=i386 TSS=tpm2-tss COMPILE_SSL=openssl-3.0.5
compiler: gcc
# cross compilation builds
- os: linux
env: DISTRO=debian:stable VARIANT=cross-compile ARCH=ppc64el TSS=ibmtss
compiler: powerpc64le-linux-gnu-gcc
- os: linux
env: DISTRO=debian:stable VARIANT=cross-compile ARCH=arm64 TSS=tpm2-tss
compiler: aarch64-linux-gnu-gcc
- os: linux
env: DISTRO=debian:stable VARIANT=cross-compile ARCH=s390x TSS=ibmtss
compiler: s390x-linux-gnu-gcc
# musl
- os: linux
env: DISTRO=alpine:latest TSS=tpm2-tss CONTAINER=podman CONTAINER_ARGS="--runtime=/usr/bin/crun --network=host"
compiler: gcc
# glibc (gcc/clang)
- os: linux
env: DISTRO=opensuse/tumbleweed TSS=ibmtss CONTAINER=podman CONTAINER_ARGS="--runtime=/usr/bin/crun --network=host"
compiler: clang
- os: linux
env: DISTRO=opensuse/leap TSS=tpm2-tss
compiler: gcc
- os: linux
env: DISTRO=ubuntu:jammy TSS=ibmtss COMPILE_SSL=openssl-3.0.5
compiler: gcc
- os: linux
env: DISTRO=ubuntu:xenial TSS=tpm2-tss
compiler: clang
- os: linux
env: DISTRO=fedora:latest TSS=ibmtss CONTAINER=podman CONTAINER_ARGS="--runtime=/usr/bin/crun --network=host"
compiler: clang
- os: linux
env: DISTRO=centos:7 TSS=tpm2-tss CONTAINER=podman CONTAINER_ARGS="--runtime=/usr/bin/crun --network=host"
compiler: gcc
- os: linux
env: REPO="quay.io/centos/" DISTRO="${REPO}centos:stream8" TSS=tpm2-tss CONTAINER=podman CONTAINER_ARGS="--runtime=/usr/bin/crun --network=host"
compiler: clang
- os: linux
env: DISTRO=debian:testing TSS=tpm2-tss
compiler: clang
- os: linux
env: DISTRO=debian:stable TSS=ibmtss
compiler: gcc
- os: linux
env: REPO="docker.io/library/" DISTRO=${REPO}alt:sisyphus TSS=libtpm2-tss-devel CONTAINER=podman CONTAINER_ARGS="--runtime=/usr/bin/crun --network=host"
compiler: gcc
before_install:
# Tumbleweed requires podman due docker incompatible with glibc 2.33
# (faccessat2) and crun (for clone3).
- CONTAINER="${CONTAINER:-docker}"
- >
if [ "$CONTAINER" = "podman" ]; then
# podman
. /etc/os-release
sudo sh -c "echo 'deb http://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_${VERSION_ID}/ /' > /etc/apt/sources.list.d/devel:kubic:libcontainers:stable.list"
wget -nv https://download.opensuse.org/repositories/devel:kubic:libcontainers:stable/xUbuntu_${VERSION_ID}/Release.key -O- | sudo apt-key add -
sudo apt update
sudo apt -y install fuse-overlayfs podman slirp4netns crun
fi
- $CONTAINER info
- DIR="/usr/src/ima-evm-utils"
- printf "FROM $DISTRO\nRUN mkdir -p $DIR\nWORKDIR $DIR\nCOPY . $DIR\n" > Dockerfile
- cat Dockerfile
- $CONTAINER build $CONTAINER_ARGS -t ima-evm-utils .
script:
- INSTALL="${DISTRO#${REPO}}"
- INSTALL="${INSTALL%%:*}"
- INSTALL="${INSTALL%%/*}"
- $CONTAINER run $CONTAINER_ARGS -t ima-evm-utils /bin/sh -c "if [ \"$VARIANT\" ]; then ARCH=\"$ARCH\" ./ci/$INSTALL.$VARIANT.sh; fi && ARCH=\"$ARCH\" CC=\"$CC\" TSS=\"$TSS\" ./ci/$INSTALL.sh && if [ \"$COMPILE_SSL\" ]; then COMPILE_SSL=\"$COMPILE_SSL\" VARIANT=\"$VARIANT\" ./tests/install-openssl3.sh; fi && if [ ! \"$VARIANT\" ]; then which tpm_server || which swtpm || if which tssstartup; then ./tests/install-swtpm.sh; fi; fi && CC=\"$CC\" VARIANT=\"$VARIANT\" COMPILE_SSL=\"$COMPILE_SSL\" ./build.sh"

127
ChangeLog Normal file
View File

@ -0,0 +1,127 @@
2019-07-24 Mimi Zohar <zohar@linux.ibm.com>
version 1.2 new features:
* Generate EVM signatures based on the specified hash algorithm
* include "security.apparmor" in EVM signature
* Add support for writing & verifying "user.xxxx" xattrs for testing
* Support Strebog/Gost hash functions
* Add OpenSSL engine support
* Use of EVP_PKEY OpenSSL API to generate/verify v2 signatures
* Support verifying multiple signatures at once
* Support new template "buf" field and warn about other unknown fields
* Improve OpenSSL error reporting
* Support reading TPM 2.0 PCRs using tsspcrread
Bug fixes and code cleanup:
* Update manpage stylesheet detection
* Fix xattr.h include file
* On error when reading TPM PCRs, don't log gargabe
* Properly return keyid string to calc_keyid_v1/v2 callers, caused by
limiting keyid output to verbose mode
* Fix hash buffer overflow caused by EVM support for larger hashes,
defined MAX_DIGEST_SIZE and MAX_SIGNATURE_SIZE, and added "asserts".
* Linked with libcrypto instead of OpenSSL
* Updated Autotools, replacing INCLUDES with AM_CPPFLAGS
* Include new "hash-info.gen" in tar
* Log the hash algorithm, not just the hash value
* Fixed memory leaks in: EV_MD_CTX, init_public_keys
* Fixed other warnings/bugs discovered by clang, coverity
* Remove indirect calls in verify_hash() to improve code readability
* Don't fallback to using sha1
* Namespace some too generic object names
* Make functions/arrays static if possible
2018-01-28 Mimi Zohar <zohar@us.ibm.com>
version 1.1
* Support the new openssl 1.1 api
* Support for validating multiple pcrs
* Verify the measurement list signature based on the list digest
* Verify the "ima-sig" measurement list using multiple keys
* Fixed parsing the measurement template data field length
* Portable & immutable EVM signatures (new format)
* Multiple fixes that have been lingering in the next branch. Some
are for experimental features that are not yet supported in the
kernel.
2014-07-30 Dmitry Kasatkin <dmitry.kasatkin@huawei.com>
version 1.0
* Recursive hashing
* Immutable EVM signatures (experimental)
* Command 'ima_clear' to remove xattrs
* Support for passing password to the library
* Support for asking password safely from the user
2014-09-23 Dmitry Kasatkin <d.kasatkin@samsung.com>
version 0.9
* Updated README
* man page generated and added to the package
* Use additional SMACK xattrs for EVM signature generation
* Signing functions moved to libimaevm for external use (RPM)
* Fixed setting of correct hash header
2014-05-05 Dmitry Kasatkin <d.kasatkin@samsung.com>
version 0.8
* Symbilic names for keyrings
* Hash list signing
* License text fix for using OpenSSL
* Help output fix
2014-02-17 Dmitry Kasatkin <d.kasatkin@samsung.com>
version 0.7
* Fix symbolic links related bugs
* Provide recursive fixing
* Provide recursive signing
* Move IMA verification to the library (first for LTP use)
* Support for target architecture data size
* Remove obsolete module signing code
* Code cleanup
2013-08-28 Dmitry Kasatkin <d.kasatkin@samsung.com>
version 0.6
* support for asymmetric crypto keys and new signature format (v2)
* fixes to set correct hash algo for digital signature v1
* uuid support for EVM
* signature verification support
* test scripts removed
* README updates
2012-05-18 Dmitry Kasatkin <dmitry.kasatkin@intel.com>
version 0.3
* llistxattr returns 0 if there are no xattrs and it is valid
* Added entry type to directory hash calculation
* inline block variable renamed
* Remove forced tag creation
* Use libexec for programs and scripts
* Some files updated
* Do not search for algorithm as it is known
* Refactored to remove redundant hash initialization code
* Added hash calculation for special files
2012-04-05 Dmitry Kasatkin <dmitry.kasatkin@intel.com>
version 0.2
* added RPM & TAR building makefile rules
* renamed evm-utils to ima-evm-utils
* added command options description
* updated error handling
* refactored redundant code
2012-04-02 Dmitry Kasatkin <dmitry.kasatkin@intel.com>
version 0.1.0
* Fully functional version for lastest 3.x kernels
2011-08-24 Dmitry Kasatkin <dmitry.kasatkin@intel.com>
version 0.1
* Initial public version.

27
INSTALL
View File

@ -9,33 +9,10 @@ are permitted in any medium without royalty provided the copyright
notice and this notice are preserved. This file is offered as-is,
without warranty of any kind.
Prerequisites
=============
This project has the following prerequisites:
(Ubuntu package names)
libkeyutils-dev
libtasn1-dev
libgmp-dev
libnspr4-dev
libnss3-dev
These software TPMs are supported:
https://sourceforge.net/projects/ibmswtpm2/
https://github.com/stefanberger/swtpm
swtpm depends upon
https://github.com/stefanberger/libtpms
Supported TSSes include these. Both are included in some distros.
IBM TSS https://sourceforge.net/projects/ibmtpm20tss/
Intel TSS
Basic Installation
==================
Briefly, the shell commands `autoreconf -i; ./configure; make; make install' should
Briefly, the shell commands `./configure; make; make install' should
configure, build, and install this package. The following
more-detailed instructions are generic; see the `README' file for
instructions specific to this package. Some packages provide this
@ -74,7 +51,7 @@ of `autoconf'.
The simplest way to compile this package is:
1. `cd' to the directory containing the package's source code and type
`autoreconf -i' and then `./configure' to configure the package for your system.
`./configure' to configure the package for your system.
Running `configure' might take a while. While running, it prints
some messages telling which features it is checking for.

10
Makefile.am
View File

@ -1,11 +1,5 @@
SUBDIRS = src tests
if HAVE_PANDOC
SUBDIRS += doc
endif
if MANPAGE_DOCBOOK_XSL
SUBDIRS = src
dist_man_MANS = evmctl.1
endif
doc_DATA = examples/ima-genkey-self.sh examples/ima-genkey.sh examples/ima-gen-local-ca.sh
EXTRA_DIST = autogen.sh $(doc_DATA)
@ -29,7 +23,6 @@ rpm: $(tarname)
cp $(tarname) $(SRCS)/
rpmbuild -ba --nodeps $(SPEC)
if MANPAGE_DOCBOOK_XSL
evmctl.1.html: README
@asciidoc -o $@ $<
@ -42,6 +35,5 @@ rmman:
rm -f evmctl.1
doc: evmctl.1.html rmman evmctl.1
endif
.PHONY: $(tarname)

251
NEWS
View File

@ -1,251 +0,0 @@
2023-2-24 Mimi Zohar <zohar@linux.ibm.com>
version 1.5:
* CI changes:
* New: UML kernel testing environment
* Support for running specific test(s)
* Update distros
* Update software release versions
* New features:
* Signing fs-verity signatures
* Reading TPM 2.0 PCRs via sysfs interface
* New tests:
* Missing IMA mmapped file measurements
* Overlapping IMA policy rules
* EVM portable signatures
* fs-verity file measurements in the IMA measurement list
* Build and library changes:
* OpenSSL 3.0 version related changes
* New configuration options: --disable-engine, --enable-sigv1
* Deprecate IMA signature v1 format
* Misc bug fixes and code cleanup:
* memory leaks, bounds checking, use after free
* Fix and update test output
* Add missing sanity checks
* Documentation:
* Store the sourceforge ima-evm-utils wiki for historical
purposes.
2021-10-22 Mimi Zohar <zohar@linux.ibm.com>
version 1.4:
* Elliptic curve support and tests
* PKCS11 support and tests
* Ability to manually specify the keyid included in the IMA xattr
* Improve IMA measurement list per TPM bank verification
* Linking with IBM TSS
* Set default hash algorithm in package configuration
* (Minimal) support and test EVM portable signatures
* CI testing:
* Refresh and include new distros
* Podman support
* GitHub Actions
* Limit "sudo" usage
* Misc bug fixes and code cleanup
* Fix static analysis bug reports, memory leaks
* Remove experimental code that was never upstreamed in the kernel
* Use unsigned variable, remove unused variables, etc
2020-10-28 Mimi Zohar <zohar@linux.ibm.com>
version 1.3.2:
* Bugfixes: importing keys
* NEW: Docker based travis distro testing
* Travis bugfixes, code cleanup, software version update,
and script removal
* Initial travis testing
2020-08-11 Mimi Zohar <zohar@linux.ibm.com>
version 1.3.1:
* "--pcrs" support for per crypto algorithm
* Drop/rename "ima_measurement" options
* Moved this summary from "Changelog" to "NEWS", removing
requirement for GNU empty files
* Distro build fixes
2020-07-21 Mimi Zohar <zohar@linux.ibm.com>
version 1.3 new features:
* NEW ima-evm-utils regression test infrastructure with two initial
tests:
- ima_hash.test: calculate/verify different crypto hash algorithms
- sign_verify.test: EVM and IMA sign/verify signature tests
* TPM 2.0 support
- Calculate the new per TPM 2.0 bank template data digest
- Support original padding the SHA1 template data digest
- Compare ALL the re-calculated TPM 2.0 bank PCRs against the
TPM 2.0 bank PCR values
- Calculate the per TPM bank "boot_aggregate" values, including
PCRs 8 & 9 in calculation
- Support reading the per TPM 2.0 Bank PCRs using Intel's TSS
- boot_aggregate.test: compare the calculated "boot_aggregate"
values with the "boot_aggregate" value included in the IMA
measurement.
* TPM 1.2 support
- Additionally support reading the TPM 1.2 PCRs from a supplied file
("--pcrs" option)
* Based on original IMA LTP and standalone version support
- Calculate the TPM 1.2 "boot_aggregate" based on the exported
TPM 1.2 BIOS event log.
- In addition to verifying the IMA measurement list against the
the TPM PCRs, verify the IMA template data digest against the
template data. (Based on LTP "--verify" option.)
- Ignore file measurement violations while verifying the IMA
measurement list. (Based on LTP "--validate" option.)
- Verify the file data signature included in the measurement list
based on the file hash also included in the measurement list
(--verify-sig)
- Support original "ima" template (mixed templates not supported)
* Support "sm3" crypto name
Bug fixes and code cleanup:
* Don't exit with -1 on failure, exit with 125
* On signature verification failure, include pathname.
* Provide minimal hash_info.h file in case one doesn't exist, needed
by the ima-evm-utils regression tests.
* On systems with TPM 1.2, skip "boot_aggregate.test" using sample logs
* Fix hash_algo type comparison mismatch
* Simplify/clean up code
* Address compiler complaints and failures
* Fix memory allocations and leaks
* Sanity check provided input files are regular files
* Revert making "tsspcrread" a compile build time decision.
* Limit additional messages based on log level (-v)
2019-07-30 Mimi Zohar <zohar@linux.ibm.com>
version 1.2.1 Bug fixes:
* When verifying multiple file signatures, return correct status
* Don't automatically use keys from x509 certs if user supplied "--rsa"
* Fix verifying DIGSIG_VERSION_1 signatures
* autoconf, openssl fixes
2019-07-24 Mimi Zohar <zohar@linux.ibm.com>
version 1.2 new features:
* Generate EVM signatures based on the specified hash algorithm
* include "security.apparmor" in EVM signature
* Add support for writing & verifying "user.xxxx" xattrs for testing
* Support Strebog/Gost hash functions
* Add OpenSSL engine support
* Use of EVP_PKEY OpenSSL API to generate/verify v2 signatures
* Support verifying multiple signatures at once
* Support new template "buf" field and warn about other unknown fields
* Improve OpenSSL error reporting
* Support reading TPM 2.0 PCRs using tsspcrread
Bug fixes and code cleanup:
* Update manpage stylesheet detection
* Fix xattr.h include file
* On error when reading TPM PCRs, don't log gargabe
* Properly return keyid string to calc_keyid_v1/v2 callers, caused by
limiting keyid output to verbose mode
* Fix hash buffer overflow caused by EVM support for larger hashes,
defined MAX_DIGEST_SIZE and MAX_SIGNATURE_SIZE, and added "asserts".
* Linked with libcrypto instead of OpenSSL
* Updated Autotools, replacing INCLUDES with AM_CPPFLAGS
* Include new "hash-info.gen" in tar
* Log the hash algorithm, not just the hash value
* Fixed memory leaks in: EV_MD_CTX, init_public_keys
* Fixed other warnings/bugs discovered by clang, coverity
* Remove indirect calls in verify_hash() to improve code readability
* Don't fallback to using sha1
* Namespace some too generic object names
* Make functions/arrays static if possible
2018-01-28 Mimi Zohar <zohar@us.ibm.com>
version 1.1
* Support the new openssl 1.1 api
* Support for validating multiple pcrs
* Verify the measurement list signature based on the list digest
* Verify the "ima-sig" measurement list using multiple keys
* Fixed parsing the measurement template data field length
* Portable & immutable EVM signatures (new format)
* Multiple fixes that have been lingering in the next branch. Some
are for experimental features that are not yet supported in the
kernel.
2014-07-30 Dmitry Kasatkin <dmitry.kasatkin@huawei.com>
version 1.0
* Recursive hashing
* Immutable EVM signatures (experimental)
* Command 'ima_clear' to remove xattrs
* Support for passing password to the library
* Support for asking password safely from the user
2014-09-23 Dmitry Kasatkin <d.kasatkin@samsung.com>
version 0.9
* Updated README
* man page generated and added to the package
* Use additional SMACK xattrs for EVM signature generation
* Signing functions moved to libimaevm for external use (RPM)
* Fixed setting of correct hash header
2014-05-05 Dmitry Kasatkin <d.kasatkin@samsung.com>
version 0.8
* Symbilic names for keyrings
* Hash list signing
* License text fix for using OpenSSL
* Help output fix
2014-02-17 Dmitry Kasatkin <d.kasatkin@samsung.com>
version 0.7
* Fix symbolic links related bugs
* Provide recursive fixing
* Provide recursive signing
* Move IMA verification to the library (first for LTP use)
* Support for target architecture data size
* Remove obsolete module signing code
* Code cleanup
2013-08-28 Dmitry Kasatkin <d.kasatkin@samsung.com>
version 0.6
* support for asymmetric crypto keys and new signature format (v2)
* fixes to set correct hash algo for digital signature v1
* uuid support for EVM
* signature verification support
* test scripts removed
* README updates
2012-05-18 Dmitry Kasatkin <dmitry.kasatkin@intel.com>
version 0.3
* llistxattr returns 0 if there are no xattrs and it is valid
* Added entry type to directory hash calculation
* inline block variable renamed
* Remove forced tag creation
* Use libexec for programs and scripts
* Some files updated
* Do not search for algorithm as it is known
* Refactored to remove redundant hash initialization code
* Added hash calculation for special files
2012-04-05 Dmitry Kasatkin <dmitry.kasatkin@intel.com>
version 0.2
* added RPM & TAR building makefile rules
* renamed evm-utils to ima-evm-utils
* added command options description
* updated error handling
* refactored redundant code
2012-04-02 Dmitry Kasatkin <dmitry.kasatkin@intel.com>
version 0.1.0
* Fully functional version for latest 3.x kernels
2011-08-24 Dmitry Kasatkin <dmitry.kasatkin@intel.com>
version 0.1
* Initial public version.

54
README
View File

@ -25,43 +25,32 @@ COMMANDS
--version
help <command>
import [--rsa (deprecated)] pubkey keyring
sign [-r] [--imahash | --imasig ] [--key key] [--pass[=<password>] file
import [--rsa] pubkey keyring
sign [-r] [--imahash | --imasig ] [--portable] [--key key] [--pass password] file
verify file
ima_sign [--sigfile] [--key key] [--pass[=<password>]] file
ima_sign [--sigfile] [--key key] [--pass password] file
ima_verify file
ima_setxattr [--sigfile file]
ima_hash file
ima_measurement [--ignore-violations] [--verify-sig [--key "key1, key2, ..."]]
[--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...]
[--verify-bank hash-algorithm] file
ima_boot_aggregate [--pcrs hash-algorithm,file] [TPM 1.2 BIOS event log]
[--hwtpm]
ima_measurement [--key "key1, key2, ..."] [--list] file
ima_fix [-t fdsxm] path
ima_clear [-t fdsxm] path
sign_hash [--veritysig] [--key key] [--pass=<password>]
sign_hash [--key key] [--pass password]
hmac [--imahash | --imasig ] file
OPTIONS
-------
-a, --hashalgo sha1, sha224, sha256, sha384, sha512, streebog256, streebog512 (default: sha256)
-a, --hashalgo sha1 (default), sha224, sha256, sha384, sha512
-s, --imasig make IMA signature
--veritysig sign an fs-verity file digest hash
-d, --imahash make IMA hash
-f, --sigfile store IMA signature in .sig file instead of xattr
--xattr-user store xattrs in user namespace (for testing purposes)
--rsa use RSA key type and signing scheme v1 (deprecated)
--rsa use RSA key type and signing scheme v1
-k, --key path to signing key (default: /etc/keys/{privkey,pubkey}_evm.pem)
or a pkcs11 URI
--keyid n overwrite signature keyid with a 32-bit value in hex (for signing)
--keyid-from-cert file
read keyid value from SKID of a x509 cert file
-o, --portable generate portable EVM signatures
-p, --pass password for encrypted signing key
-r, --recursive recurse into directories (sign)
-t, --type file types to fix 'fxm' (f: file)
-t, --type file types to fix 'fdsxm' (f: file, d: directory, s: block/char/symlink)
x - skip fixing if both ima and evm xattrs exist (use with caution)
m - stay on the same filesystem (like 'find -xdev')
-n print result to stdout instead of setting xattr
@ -69,26 +58,10 @@ OPTIONS
--smack use extra SMACK xattrs for EVM
--m32 force EVM hmac/signature for 32 bit target system
--m64 force EVM hmac/signature for 64 bit target system
--engine e preload OpenSSL engine e (such as: gost) is deprecated
--ino use custom inode for EVM
--uid use custom UID for EVM
--gid use custom GID for EVM
--mode use custom Mode for EVM
--generation use custom Generation for EVM(unspecified: from FS, empty: use 0)
--ima use custom IMA signature for EVM
--selinux use custom Selinux label for EVM
--caps use custom Capabilities for EVM(unspecified: from FS, empty: do not use)
--pcrs file containing TPM pcrs, one per hash-algorithm/bank
--ignore-violations ignore ToMToU measurement violations
--verify-sig verify the file signature based on the file hash, both
stored in the template data.
--engine e preload OpenSSL engine e (such as: gost)
-v increase verbosity level
-h, --help display this help and exit
Environment variables:
EVMCTL_KEY_PASSWORD : Private key password to use; do not use --pass option
INTRODUCTION
------------
@ -147,9 +120,6 @@ for signing and importing the key.
Second key format uses X509 DER encoded public key certificates and uses asymmetric key support
in the kernel (since kernel 3.9). CONFIG_INTEGRITY_ASYMMETRIC_KEYS must be enabled (default).
For v2 signatures x509 certificate (containing the public key) could be appended to the
private key (they both are in PEM format) to automatically extract keyid from its Subject
Key Identifier (SKID).
Integrity keyrings
----------------
@ -219,7 +189,7 @@ asymmetric keys support:
Configuration file x509_evm.genkey:
# Beginning of the file
# Begining of the file
[ req ]
default_bits = 1024
distinguished_name = req_distinguished_name
@ -270,7 +240,7 @@ following steps:
Configuration file ima-local-ca.genkey:
# Beginning of the file
# Begining of the file
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
@ -301,7 +271,7 @@ Produce X509 in DER format for using while building the kernel:
Configuration file ima.genkey:
# Beginning of the file
# Begining of the file
[ req ]
default_bits = 1024
distinguished_name = req_distinguished_name

2
acinclude.m4
View File

@ -2,7 +2,7 @@
AC_DEFUN([PKG_ARG_ENABLE],
[
AC_MSG_CHECKING(whether to enable $1)
AC_ARG_ENABLE([$1], AS_HELP_STRING([--enable-$1], [enable $1 (default is $2)]),
AC_ARG_ENABLE([$1], AC_HELP_STRING([--enable-$1], [enable $1 (default is $2)]),
[pkg_cv_enable_$1=$enableval],
[AC_CACHE_VAL([pkg_cv_enable_$1], [pkg_cv_enable_$1=$2])])
if test $pkg_cv_enable_$1 = yes; then

14
autogen.sh
View File

@ -1,4 +1,16 @@
#! /bin/sh
set -e
autoreconf -i
# new way
# strange, but need this for Makefile.am, because it has -I m4
test -d m4 || mkdir m4
autoreconf -f -i
# old way
#libtoolize --automake --copy --force
#aclocal
#autoconf --force
#autoheader --force
#automake --add-missing --copy --force-missing --gnu

113
build.sh
View File

@ -1,113 +0,0 @@
#!/bin/sh
# Copyright (c) 2020 Petr Vorel <pvorel@suse.cz>
if [ -n "$CI" ]; then
# If we under CI only thing we can analyze is logs so better to enable
# verbosity to a maximum.
set -x
# This is to make stdout and stderr synchronous in the logs.
exec 2>&1
mount -t securityfs -o rw securityfs /sys/kernel/security
fi
set -e
CC="${CC:-gcc}"
CFLAGS="${CFLAGS:--Wformat -Werror=format-security -Werror=implicit-function-declaration -Werror=return-type -fno-common}"
PREFIX="${PREFIX:-$HOME/ima-evm-utils-install}"
export LD_LIBRARY_PATH="$PREFIX/lib64:$PREFIX/lib:/usr/local/lib64:/usr/local/lib"
export PATH="$PREFIX/bin:/usr/local/bin:$PATH"
title()
{
echo "===== $1 ====="
}
log_exit()
{
local ret="${3:-$?}"
local log="$1"
local msg="$2"
local prefix
echo "=== $log ==="
[ $ret -eq 0 ] || prefix="FAIL: "
cat $log
echo
echo "$prefix$msg, see output of $log above"
exit $ret
}
cd `dirname $0`
if [ "$COMPILE_SSL" ]; then
echo "COMPILE_SSL: $COMPILE_SSL"
export CFLAGS="-I/opt/openssl3/include $CFLAGS"
export LD_LIBRARY_PATH="/opt/openssl3/lib64:/opt/openssl3/lib:$HOME/src/ima-evm-utils/src/.libs:$LD_LIBRARY_PATH"
export LDFLAGS="-L/opt/openssl3/lib64 -L/opt/openssl3/lib $LDFLAGS"
export PATH="/opt/openssl3/bin:$HOME/src/ima-evm-utils/src/.libs:$PATH"
fi
case "$VARIANT" in
i386)
echo "32-bit compilation"
export CFLAGS="-m32 $CFLAGS" LDFLAGS="-m32 $LDFLAGS"
export PKG_CONFIG_LIBDIR=/usr/lib/i386-linux-gnu/pkgconfig
;;
cross-compile)
host="${CC%-gcc}"
export CROSS_COMPILE="${host}-"
host="--host=$host"
echo "cross compilation: $host"
echo "CROSS_COMPILE: '$CROSS_COMPILE'"
;;
*)
if [ "$VARIANT" ]; then
echo "Wrong VARIANT: '$VARIANT'" >&2
exit 1
fi
echo "native build"
;;
esac
title "compiler version"
$CC --version
echo "CFLAGS: '$CFLAGS'"
echo "LDFLAGS: '$LDFLAGS'"
echo "PREFIX: '$PREFIX'"
title "configure"
./autogen.sh
./configure --prefix=$PREFIX $host || log_exit config.log "configure failed"
title "make"
make -j$(nproc)
make install
title "test"
if [ "$VARIANT" = "cross-compile" ]; then
echo "skip make check on cross compilation"
exit 0
fi
ret=0
VERBOSE=1 make check || ret=$?
title "logs"
if [ $ret -eq 0 ]; then
cd tests; make check_logs; cd ..
exit 0
fi
cat tests/test-suite.log
if [ $ret -eq 77 ]; then
msg="WARN: some tests skipped"
ret=0
else
msg="FAIL: tests exited: $ret"
fi
log_exit tests/test-suite.log "$msg" $ret

54
ci/alpine.sh
View File

@ -1,54 +0,0 @@
#!/bin/sh
# Copyright (c) 2020 Petr Vorel <pvorel@suse.cz>
set -ex
if [ -z "$CC" ]; then
echo "missing \$CC!" >&2
exit 1
fi
case "$TSS" in
ibmtss) echo "No IBM TSS package, will be installed from git" >&2; TSS=;;
tpm2-tss) TSS="tpm2-tss-dev";;
'') echo "Missing TSS!" >&2; exit 1;;
*) echo "Unsupported TSS: '$TSS'!" >&2; exit 1;;
esac
# ibmswtpm2 requires gcc
[ "$CC" = "gcc" ] || CC="gcc $CC"
apk update
apk add \
$CC $TSS \
asciidoc \
attr \
attr-dev \
autoconf \
automake \
bash \
diffutils \
docbook-xml \
docbook-xsl \
e2fsprogs-extra \
keyutils-dev \
libtool \
libxslt \
linux-headers \
make \
musl-dev \
openssl \
openssl-dev \
pkgconfig \
procps \
sudo \
util-linux \
wget \
which \
xxd \
gawk
if [ ! "$TSS" ]; then
apk add git
../tests/install-tss.sh
fi

29
ci/alt.sh
View File

@ -1,29 +0,0 @@
#!/bin/sh -ex
# SPDX-License-Identifier: GPL-2.0-only
#
# Install build env for ALT Linux
apt-get update -y
# rpm-build brings basic build environment with gcc, make, autotools, etc.
apt-get install -y \
$CC \
$TSS \
asciidoc \
attr \
e2fsprogs \
fsverity-utils-devel \
gnutls-utils \
libattr-devel \
libkeyutils-devel \
libp11 \
libssl-devel \
openssl \
openssl-gost-engine \
rpm-build \
softhsm \
util-linux \
wget \
xsltproc \
xxd \
&& control openssl-gost enabled

1
ci/centos.sh
View File

@ -1 +0,0 @@
fedora.sh

23
ci/debian.cross-compile.sh
View File

@ -1,23 +0,0 @@
#!/bin/sh
# Copyright (c) 2020 Petr Vorel <pvorel@suse.cz>
set -ex
if [ -z "$ARCH" ]; then
echo "missing \$ARCH!" >&2
exit 1
fi
case "$ARCH" in
arm64) gcc_arch="aarch64";;
ppc64el) gcc_arch="powerpc64le";;
s390x) gcc_arch="$ARCH";;
*) echo "unsupported arch: '$ARCH'!" >&2; exit 1;;
esac
dpkg --add-architecture $ARCH
apt update
apt install -y --no-install-recommends \
dpkg-dev \
gcc-${gcc_arch}-linux-gnu \
libc6-dev-${ARCH}-cross

11
ci/debian.i386.sh
View File

@ -1,11 +0,0 @@
#!/bin/sh
# Copyright (c) 2020 Petr Vorel <pvorel@suse.cz>
set -ex
dpkg --add-architecture i386
apt update
apt install -y --no-install-recommends \
linux-libc-dev:i386 \
gcc-multilib \
pkg-config:i386

61
ci/debian.sh
View File

@ -1,61 +0,0 @@
#!/bin/sh
# Copyright (c) 2020 Petr Vorel <pvorel@suse.cz>
set -ex
# workaround for Ubuntu impish asking to interactively configure tzdata
export DEBIAN_FRONTEND="noninteractive"
if [ -z "$CC" ]; then
echo "missing \$CC!" >&2
exit 1
fi
# debian.*.sh must be run first
if [ "$ARCH" ]; then
ARCH=":$ARCH"
unset CC
else
apt update
fi
# ibmswtpm2 requires gcc
[ "$CC" = "gcc" ] || CC="gcc $CC"
case "$TSS" in
ibmtss) TSS="libtss-dev";;
tpm2-tss) TSS="libtss2-dev";;
'') echo "Missing TSS!" >&2; exit 1;;
*) [ "$TSS" ] && echo "Unsupported TSS: '$TSS'!" >&2; exit 1;;
esac
apt="apt install -y --no-install-recommends"
$apt \
$CC $TSS \
asciidoc \
attr \
autoconf \
automake \
diffutils \
debianutils \
docbook-xml \
docbook-xsl \
e2fsprogs \
gzip \
libattr1-dev$ARCH \
libkeyutils-dev$ARCH \
libssl-dev$ARCH \
libtool \
make \
openssl \
pkg-config \
procps \
sudo \
util-linux \
wget \
xsltproc \
gawk
$apt xxd || $apt vim-common
$apt libengine-gost-openssl1.1$ARCH || true
$apt softhsm gnutls-bin libengine-pkcs11-openssl1.1$ARCH || true

68
ci/fedora.sh
View File

@ -1,68 +0,0 @@
#!/bin/sh
# Copyright (c) 2020 Petr Vorel <pvorel@suse.cz>
set -e
if [ -z "$CC" ]; then
echo "missing \$CC!" >&2
exit 1
fi
case "$TSS" in
ibmtss) TSS="tss2-devel";;
tpm2-tss) TSS="tpm2-tss-devel";;
'') echo "Missing TSS!" >&2; exit 1;;
*) echo "Unsupported TSS: '$TSS'!" >&2; exit 1;;
esac
# ibmswtpm2 requires gcc
[ "$CC" = "gcc" ] || CC="gcc $CC"
yum -y install \
$CC $TSS \
asciidoc \
attr \
autoconf \
automake \
diffutils \
docbook-xsl \
e2fsprogs \
git-core \
gnutls-utils \
gzip \
keyutils-libs-devel \
kmod \
libattr-devel \
libtool \
libxslt \
make \
openssl \
openssl-devel \
openssl-pkcs11 \
pkg-config \
procps \
sudo \
util-linux \
vim-common \
wget \
which \
zstd \
systemd \
keyutils \
e2fsprogs \
acl \
libcap
yum -y install docbook5-style-xsl || true
yum -y install swtpm || true
# SoftHSM is available via EPEL on CentOS
if [ -f /etc/centos-release ]; then
yum -y install epel-release
fi
yum -y install softhsm || true
# haveged is available via EPEL on CentOS stream8.
yum -y install haveged || true
./tests/install-fsverity.sh
./tests/install-mount-idmapped.sh

1
ci/opensuse.sh
View File

@ -1 +0,0 @@
tumbleweed.sh

53
ci/tumbleweed.sh
View File

@ -1,53 +0,0 @@
#!/bin/sh
# Copyright (c) 2020 Petr Vorel <pvorel@suse.cz>
set -ex
if [ -z "$CC" ]; then
echo "missing \$CC!" >&2
exit 1
fi
case "$TSS" in
ibmtss) TSS="ibmtss-devel";;
tpm2-tss) TSS="tpm2-0-tss-devel";;
'') echo "Missing TSS!" >&2; exit 1;;
*) echo "Unsupported TSS: '$TSS'!" >&2; exit 1;;
esac
# clang has some gcc dependency
[ "$CC" = "gcc" ] || CC="gcc $CC"
zypper --non-interactive install --force-resolution --no-recommends \
$CC $TSS \
asciidoc \
attr \
autoconf \
automake \
diffutils \
docbook_5 \
docbook5-xsl-stylesheets \
e2fsprogs \
gzip \
ibmswtpm2 \
keyutils-devel \
libattr-devel \
libopenssl-devel \
libtool \
make \
openssl \
pkg-config \
procps \
sudo \
util-linux \
vim \
wget \
which \
xsltproc \
gawk
zypper --non-interactive install --force-resolution --no-recommends \
gnutls openssl-engine-libp11 softhsm || true
if [ -f /usr/lib/ibmtss/tpm_server -a ! -e /usr/local/bin/tpm_server ]; then
ln -s /usr/lib/ibmtss/tpm_server /usr/local/bin
fi

1
ci/ubuntu.sh
View File

@ -1 +0,0 @@
debian.sh

45
configure.ac
View File

@ -1,8 +1,8 @@
# autoconf script
AC_PREREQ([2.65])
AC_INIT(ima-evm-utils, 1.5, zohar@linux.ibm.com)
AM_INIT_AUTOMAKE([foreign])
AC_INIT(ima-evm-utils, 1.2, zohar@linux.ibm.com)
AM_INIT_AUTOMAKE
AC_CONFIG_HEADERS([config.h])
AC_CONFIG_MACRO_DIR([m4])
@ -15,27 +15,25 @@ AM_PROG_CC_C_O
#AC_PROG_CXX
#AC_PROG_CPP
AC_PROG_INSTALL
AC_PROG_LIBTOOL
#AC_PROG_LN_S
AC_CHECK_PROG(have_pandoc, [pandoc], [yes], [no])
AM_CONDITIONAL([HAVE_PANDOC], [test "x$have_pandoc" = "xyes"])
LT_INIT
# FIXME: Replace `main' with a function in `-lpthread':
#AC_CHECK_LIB([pthread], [main])
# Checks for header files.
AC_HEADER_STDC
PKG_CHECK_MODULES(LIBCRYPTO, [libcrypto >= 0.9.8 ])
AC_SUBST(KERNEL_HEADERS)
AC_CHECK_HEADER(unistd.h)
AC_CHECK_HEADERS(openssl/conf.h)
# Intel TSS
AC_CHECK_LIB([tss2-esys], [Esys_Free])
AC_CHECK_LIB([tss2-rc], [Tss2_RC_Decode])
AM_CONDITIONAL([USE_PCRTSS], [test "x$ac_cv_lib_tss2_esys_Esys_Free" = "xyes"])
# IBM TSS include files
AC_CHECK_HEADER(ibmtss/tss.h, [], [], [[#define TPM_POSIX]])
AM_CONDITIONAL([USE_IBMTSS], [test "x$ac_cv_header_ibmtss_tss_h" = "xyes"])
AC_CHECK_PROG(TSSPCRREAD, [tsspcrread], yes, no)
if test "x$TSSPCRREAD" = "xyes"; then
AC_DEFINE(HAVE_TSSPCRREAD, 1, [Define to 1 if you have tsspcrread binary installed])],
fi
AC_CHECK_HEADERS(sys/xattr.h, , [AC_MSG_ERROR([sys/xattr.h header not found. You need the c-library development package.])])
AC_CHECK_HEADERS(keyutils.h, , [AC_MSG_ERROR([keyutils.h header not found. You need the libkeyutils development package.])])
@ -51,16 +49,6 @@ AC_ARG_ENABLE([openssl_conf],
AC_DEFINE(DISABLE_OPENSSL_CONF, 1, [Define to disable loading of openssl config by evmctl.])
fi], [enable_openssl_conf=yes])
AC_ARG_ENABLE(sigv1,
AS_HELP_STRING([--enable-sigv1], [Build ima-evm-utils with signature v1 support]))
AM_CONDITIONAL([CONFIG_SIGV1], [test "x$enable_sigv1" = "xyes"])
AS_IF([test "$enable_sigv1" != "yes"], [enable_sigv1="no"])
AC_ARG_ENABLE(engine,
[AS_HELP_STRING([--disable-engine], [build ima-evm-utils without OpenSSL engine support])],,[enable_engine=yes])
AC_CHECK_LIB([crypto], [ENGINE_init],, [enable_engine=no])
AM_CONDITIONAL([CONFIG_IMA_EVM_ENGINE], [test "x$enable_engine" = "xyes"])
#debug support - yes for a while
PKG_ARG_ENABLE(debug, "yes", DEBUG, [Enable Debug support])
if test $pkg_cv_enable_debug = yes; then
@ -70,7 +58,6 @@ else
fi
EVMCTL_MANPAGE_DOCBOOK_XSL
AX_DEFAULT_HASH_ALGO([$KERNEL_HEADERS])
# for gcov
#CFLAGS="$CFLAGS -Wall -fprofile-arcs -ftest-coverage"
@ -80,9 +67,6 @@ AX_DEFAULT_HASH_ALGO([$KERNEL_HEADERS])
AC_CONFIG_FILES([Makefile
src/Makefile
tests/Makefile
doc/Makefile
doc/sf/Makefile
packaging/ima-evm-utils.spec
])
AC_OUTPUT
@ -92,13 +76,6 @@ echo
echo
echo "Configuration:"
echo " debug: $pkg_cv_enable_debug"
echo " default-hash: $HASH_ALGO"
echo " openssl-conf: $enable_openssl_conf"
echo " tss2-esys: $ac_cv_lib_tss2_esys_Esys_Free"
echo " tss2-rc-decode: $ac_cv_lib_tss2_rc_Tss2_RC_Decode"
echo " ibmtss: $ac_cv_header_ibmtss_tss_h"
echo " sigv1: $enable_sigv1"
echo " engine: $enable_engine"
echo " doc: $have_doc"
echo " pandoc: $have_pandoc"
echo " tsspcrread: $TSSPCRREAD"
echo

1
doc/Makefile.am
View File

@ -1 +0,0 @@
SUBDIRS = sf

6
doc/sf/Makefile.am
View File

@ -1,6 +0,0 @@
noinst_DATA = sf-wiki.html
sf-wiki.html:sf-wiki.md
pandoc $+ -f markdown -t html > $@
CLEANFILES = sf-wiki.html

46
doc/sf/sf-diagram.html
View File

@ -1,46 +0,0 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
</STYLE>
<BODY LANG="en-US" DIR="LTR">
<p style="text-align: center; font-family:arial">
<FONT SIZE=+3><b><a href="https://sourceforge.net/p/linux-ima/wiki/Home">
See documentation at Linux IMA/EVM Wiki</a></b></FONT>
<br>
<FONT SIZE=+3><b>Linux Integrity Subsystem</b></FONT>
<p>The goals of the kernel integrity subsystem are to detect if files have
been accidentally or maliciously altered, both remotely and locally,
appraise a file's measurement against a "good" value stored as an extended
attribute, and enforce local file integrity. These goals are complementary
to Mandatory Access Control(MAC) protections provided by LSM modules, such as
SElinux and Smack, which, depending on policy, can attempt to protect file
integrity. The following modules provide several integrity functions:</p>
<object type="text/html" style="float:right" height=450 data="tcg.html-20100504"></object>
<UL>
<LI><B>Collect</B> - measure a file before it is accessed. </li>
<LI><B>Store</B> - add the measurement to a kernel resident list and, if a
hardware Trusted Platform Module (TPM) is present, extend the IMA PCR </li>
<LI><B>Attest</B> -if present, use the TPM to sign the IMA PCR value, to
allow a remote validation of the measurement list.</li>
<LI><B>Appraise</B> - enforce local validation of a measurement against a
'good' value stored in an extended attribute of the file.</li>
<LI><B>Protect</B> - protect a file's security extended attributes
</UL>
<p>The first three functions were introduced with Integrity Measurement
Architecture (IMA) in 2.6.30. The EVM/IMA-appraisal patches add support for
the last two features.</p>
<p>For additional information about the Linux integrity subsystem, refer to the
<a href="http://sourceforge.net/apps/mediawiki/linux-ima/index.php?title=Main_Page">Wiki</a>.
</p>
<H3><a name="Trusted-Computing">Trusted Computing: architecture and opensource components</a></H3>
<P> IMA measurement, one component of the kernel's integrity subsystem, is part
of an overall Integrity Architecture based on the
<a href="https://www.trustedcomputinggroup.org/home">Trusted Computing Group's
</a> open standards, including Trusted Platform Module (TPM), Trusted Boot,
Trusted Software Stack (TSS), Trusted Network Connect (TNC), and Platform
Trust Services (PTS). The diagram shows how these standards relate, and
provides links to the respective specifications and open source
implementations. IMA and EVM can still run on platforms without a
hardware TPM, although without the hardware guarantee of compromise
detection.
</P>
</BODY></HTML>

99
doc/sf/sf-tcg.html
View File

@ -1,99 +0,0 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
<STYLE TYPE="text/css">
.tcg TD, .tcgcell
{
background-color:lightblue;
color:black;
font-family:sans-serif;
font-weight:700;
padding:0;
}
.tcg2 TD, .tcg2cell
{
background-color:white;
color:black;
font-family:sans-serif;
padding:5;
border:0;
}
</STYLE>
<table CLASS="tcg">
<tr> <th COLSPAN=2 ><HREF="http://www.trustedcomputinggroup.org/trusted_computing"></A></th> </tr>
<tr>
<td><h3>Applications
<table ALIGN=RIGHT CLASS="tcg2">
<tr>
<th>spec</th>
<th>info</th>
</tr>
<tr>
<td><a href="http://www.trustedcomputinggroup.org/resources/infrastructure_work_group_platform_trust_services_interface_specification_version_10" target="_top">PTS</a></td>
<td><a href="http://openpts.sourceforge.jp" target="_top">OpenPTS</a></td>
</tr>
<tr><td style="background-color: lightblue"></td>
<td><a href="http://sourceforge.net/projects/trousers/files/tpm-tools/tpm-tools-1.3.2.tar.gz/download" target="_top">tpm-tools</a></td>
</tr>
</table>
<h2></td>
</tr>
<tr>
<td><h3>Libraries
<table ALIGN=RIGHT CLASS="tcg2">
<tr>
<th>spec</th>
<th>info</th>
</tr>
<tr><td><a href="http://www.trustedcomputinggroup.org/developers/software_stack" target="_top">TSS</a></td>
<td><a href="http://trousers.sourceforge.net/" target="_top">TrouSerS</a></td>
</tr>
</table>
</td>
</tr>
<tr><td><h3>Linux Kernel
<table ALIGN=RIGHT CLASS="tcg2">
<tr>
<th>spec</th>
<th>info</th>
</tr>
<tr><td style="background-color: lightblue"></td>
<td><a href="http://linux-ima.sourceforge.net/#Integrity Measurement Architecture" target="_top">IMA</a>,
<a href="http://linux-ima.sourceforge.net/#Linux Extended Verification Module" target="_top">EVM</a></td>
</td>
</tr>
<td><a href="http://www.trustedcomputinggroup.org/files/resource_files/87BCE22B-1D09-3519-ADEBA772FBF02CBD/TCG_PCClientTPMSpecification_1-20_1-00_FINAL.pdf" target="_top">tpm-1.2</a></td>
<td><a href="http://tpmdd.sourceforge.net" target="_top">TPM driver</a></td>
</tr>
</table>
</td>
</tr>
<tr><td><h3>Boot
<table ALIGN=RIGHT CLASS="tcg2">
<tr>
<th>spec</th>
<th>info</th>
</tr>
<tr><td><a href="http://www.trustedcomputinggroup.org/resources/pc_client_work_group_specific_implementation_specification_for_conventional_bios_specification_version_12" target="_top">BIOS</a></td>
<td><a href="http://sourceforge.jp/projects/openpts/wiki/GRUB-IMA" target="_top">GRUB-IMA</a>,
<a href="http://sourceforge.net/projects/tboot" target="_top"> TBOOT</a></td>
</tr>
</td>
</tr>
</table>
<tr><td><h3>Hardware
<table ALIGN=RIGHT CLASS="tcg2">
<tr>
<th>spec</th>
<th>info</th>
</tr>
<tr>
<td><a href="http://www.trustedcomputinggroup.org/developers/trusted_platform_module" target="_top">TPM</a></td>
<td><a href="http://ibmswtpm.sourceforge.net" target="_top">(swTPM)</a></td>
</tr>
</table>
</td>
</tr>
</table>
</BODY>
</HTML>

932
doc/sf/sf-wiki.md
View File

@ -1,932 +0,0 @@
The goals of the kernel integrity subsystem are to detect if files have been accidentally or maliciously altered, both remotely and locally, appraise a file's measurement against a "good" value stored as an extended attribute, and enforce local file integrity. These goals are complementary to Mandatory Access Control(MAC) protections provided by LSM modules, such as SElinux and Smack, which, depending on policy, can attempt to protect file integrity.
[TOC]
## Overview
### Features
The following modules provide several integrity functions:
- **Collect** measure a file before it is accessed.
- **Store** add the measurement to a kernel resident list and, if a
hardware Trusted Platform Module (TPM) is present, extend the IMA
PCR
- **Attest** if present, use the TPM to sign the IMA PCR value, to
allow a remote validation of the measurement list.
- **Appraise** enforce local validation of a measurement against a
“good” value stored in an extended attribute of the file.
- **Protect** protect a file's security extended attributes
(including appraisal hash) against off-line attack.
- **Audit** audit the file hashes.
The first three functions were introduced with Integrity Measurement Architecture ([IMA](#integrity-measurement-architecture-ima)) in 2.6.30. The "appraise" and "protect" features were originally posted as a single [EVM](#linux-extended-verification-module-evm)/[IMA-appraisal](#ima-appraisal) patch set for in the 2.6.36 timeframe, but were subsequently split. EVM, the "protect" feature, was upstreamed in Linux 3.2, using a simplier and more secure method for loading the 'evm-key', based on the new Kernel Key Retention [Trusted and Encrypted keys](#creating-trusted-and-evm-encrypted-keys). EVM support for protecting file metadata based on digital signatures was upstreamed in the Linux 3.3. IMA-appraisal, the fourth aspect, appraising a file's integrity, was upstreamed in Linux 3.7.
The goals, design, and benefits of these features are further described in the whitepaper ["An Overview of the Linux Integrity Subsystem"](http://downloads.sf.net/project/linux-ima/linux-ima/Integrity_overview.pdf "http://downloads.sf.net/project/linux-ima/linux-ima/Integrity_overview.pdf").
### Components
IMA-measurement, one component of the kernel's integrity subsystem, is part of an overall Integrity Architecture based on the Trusted Computing Group's open standards, including Trusted Platform Module (TPM), Trusted Boot, Trusted Software Stack (TSS), Trusted Network Connect (TNC), and Platform Trust Services (PTS). The linux-ima project page contains a [diagram](http://linux-ima.sourceforge.net/) showing how these standards relate, and provides links to the respective specifications and open source implementations. IMA-measurement and EVM can still run on platforms without a hardware TPM, although without the hardware guarantee of compromise detection.
IMA-appraisal, a second component of the kernel's integrity subsystem, extends the "secure boot" concept of verifying a file's integrity, before transferring control or allowing the file to be accessed by the OS.
IMA-audit, another component of the kernel's integrity subsystem, includes file hashes in the system audit logs, which can be used to augment existing system security analytics/forensics.
The IMA-measurement, IMA-appraisal, and IMA-audit aspects of the kernel's integrity subsystem complement each other, but can be configured and used independently of each other.
## Integrity Measurement Architecture (IMA-measurement)
IMA-measurement is an open source trusted computing component. IMA maintains a runtime measurement list and, if anchored in a hardware Trusted Platform Module(TPM), an aggregate integrity value over this list. The benefit of anchoring the aggregate integrity value in the TPM is that the measurement list cannot be compromised by any software attack, without being detectable. Hence, on a trusted boot system, IMA-measurement can be used to attest to the system's runtime integrity.
### Enabling IMA-measurement
IMA was first included in the 2.6.30 kernel. For distros that enable IMA by default in their kernels, collecting IMA measurements simply requires rebooting the kernel with a builtin "ima_policy=" on the boot command line. (Fedora/RHEL may also require the boot command line parameter 'ima=on'.)
To determine if your distro enables IMA by default, mount securityfs (mount -t securityfs security /sys/kernel/security), if it isn't already mounted, and then check if '<securityfs>/integrity/ima' exists. If it exists, IMA is indeed enabled. On systems without IMA enabled, [recompile the kernel](#compiling-the-kernel-with-evmima-appraisal-enabled) with the config option 'CONFIG_IMA' enabled.
### Controlling IMA-measurement
IMA is controlled with several kernel command line parameters:
ima_audit= informational audit logging
Format: { "0" | "1" }
0 -- normal integrity auditing messages. (Default)
1 -- enable additional informational integrity auditing messages.
(eg. Although file measurements are only added to the measurement list once and cached, if the inode is flushed, subsequent access to the inode will result in re-measuring the file and attempting to add the measurement again to the measurement list. Enabling ima_audit will log such attempts.)
ima_policy= builtin policy
Format: {"tcb" | "appraise_tcb" | "secure-boot"}
**NEW** Linux-4.13 default: no policy
ima_template= template used
Format: { "ima" | "ima-ng" | "ima-sig" }
Linux 3.13 default: "ima-ng"
ima_hash= hash used
Format: { "sha1" | "md5" | "sha256" | "sha512" | "wp512" | ... }
'ima' template default: "sha1"
Linux 3.13 default: "sha256"
ima_tcb (deprecated)
If specified, enables the TCB policy, which meets the needs of the Trusted Computing Base. This means IMA will measure all programs exec'd, files mmap'd for exec, and all files opened for read by uid=0.
### IMA Measurement List
IMA-measurements maintains a runtime measurement list, which can be displayed as shown below.
- mount securityfs as /sys/kernel/security
$ su -c 'mkdir /sys/kernel/security'
$ su -c 'mount -t securityfs securityfs /sys/kernel/security'
Modify /etc/fstab to mount securityfs on boot.
- display the runtime measurement list (Only root is allowed access to securityfs files.)
Example 1: 'ima-ng' template
$ su -c 'head -5 /sys/kernel/security/ima/ascii_runtime_measurements'
PCR template-hash filedata-hash filename-hint
10 91f34b5c671d73504b274a919661cf80dab1e127 ima-ng sha1:1801e1be3e65ef1eaa5c16617bec8f1274eaf6b3 boot_aggregate
10 8b1683287f61f96e5448f40bdef6df32be86486a ima-ng sha256:efdd249edec97caf9328a4a01baa99b7d660d1afc2e118b69137081c9b689954 /init
10 ed893b1a0bc54ea5cd57014ca0a0f087ce71e4af ima-ng sha256:1fd312aa6e6417a4d8dcdb2693693c81892b3db1a6a449dec8e64e4736a6a524 /usr/lib64/ld-2.16.so
10 9051e8eb6a07a2b10298f4dc2342671854ca432b ima-ng sha256:3d3553312ab91bb95ae7a1620fedcc69793296bdae4e987abc5f8b121efd84b8 /etc/ld.so.cache
PCR: default CONFIG_IMA_MEASURE_PCR_IDX is 10
template-hash: sha1 hash(filedata-hash length, filedata-hash, pathname length, pathname)
filedata-hash: sha256 hash(filedata)
Example 2: 'ima-sig' template (same format as ima-ng, but with an appended signature when present)
PCR template-hash filedata-hash filename-hint file-signature
10 f63c10947347c71ff205ebfde5971009af27b0ba ima-sig sha256:6c118980083bccd259f069c2b3c3f3a2f5302d17a685409786564f4cf05b3939 /usr/lib64/libgspell-1.so.1.0.0 0302046e6c10460100aa43a4b1136f45735669632ad ...
10 595eb9bf805874b459ce073af158378f274ea961 ima-sig sha256:8632769297867a80a9614caa98034d992441e723f0b383ca529faa306c640638 /usr/lib64/gedit/plugins/libmodelines.so 0302046e6c104601002394b70ab93 ...
Example 3: *original* 'ima' template
PCR template-hash filedata-hash filename-hint
10 7971593a7ad22a7cce5b234e4bc5d71b04696af4 ima b5a166c10d153b7cc3e5b4f1eab1f71672b7c524 boot_aggregate
10 2c7020ad8cab6b7419e4973171cb704bdbf52f77 ima e09e048c48301268ff38645f4c006137e42951d0 /init
10 ef7a0aff83dd46603ebd13d1d789445365adb3b3 ima 0f8b3432535d5eab912ad3ba744507e35e3617c1 /init
10 247dba6fc82b346803660382d1973c019243e59f ima 747acb096b906392a62734916e0bb39cef540931 ld-2.9.so
10 341de30a46fa55976b26e55e0e19ad22b5712dcb ima 326045fc3d74d8c8b23ac8ec0a4d03fdacd9618a ld.so.cache
PCR: default CONFIG_IMA_MEASURE_PCR_IDX is 10
template-hash: sha1 hash(filedata-hash, filename-hint)
filedata-hash: sha1 hash(filedata)
The first element in the runtime measurement list, shown above, is the boot_aggregate. The boot_aggregate is a SHA1 hash over tpm registers 0-7, assuming a TPM chip exists, and zeroes, if the TPM chip does not exist.
- display the bios measurement list entries, used in calculating the boot aggregate
$ su -c 'head /sys/kernel/security/tpm0/ascii_bios_measurements'
0 f797cb88c4b07745a129f35ea01b47c6c309cda9 08 [S-CRTM Version]
0 dca68da0707a9a52b24db82def84f26fa463b44d 01 [POST CODE]
0 dd9efa31c88f467c3d21d3b28de4c53b8d55f3bc 01 [POST CODE]
0 dd261ca7511a7daf9e16cb572318e8e5fbd22963 01 [POST CODE]
0 df22cabc0e09aabf938bcb8ff76853dbcaae670d 01 [POST CODE]
0 a0d023a7f94efcdbc8bb95ab415d839bdfd73e9e 01 [POST CODE]
0 38dd128dc93ff91df1291a1c9008dcf251a0ef39 01 [POST CODE]
0 dd261ca7511a7daf9e16cb572318e8e5fbd22963 01 [POST CODE]
0 df22cabc0e09aabf938bcb8ff76853dbcaae670d 01 [POST CODE]
0 a0d023a7f94efcdbc8bb95ab415d839bdfd73e9e 01 [POST CODE]
### Verifying IMA Measurements
The IMA tests programs are part of the [Linux Test Project.](https://github.com/linux-test-project/ltp/wiki)
- Download, compile, and install the standalone version of the IMA LTP test programs in /usr/local/bin.
$ wget -O ltp-ima-standalone-v2.tar.gz http://downloads.sf.net/project/linux-ima/linux-ima/ltp-ima-standalone-v2.tar.gz
$ tar -xvzf ltp-ima-standalone-v2.tar.gz
ima-tests/Makefile
ima-tests/README
ima-tests/ima_boot_aggregate.c
ima-tests/ima_measure.c
ima-tests/ima_mmap.c
ima-tests/ima_sigv2.c
ima-tests/ltp-tst-replacement.c
ima-tests/pkeys.c
ima-tests/rsa_oid.c
ima-tests/config.h
ima-tests/debug.h
ima-tests/hash_info.h
ima-tests/ima_sigv2.h
ima-tests/list.h
ima-tests/pkeys.h
ima-tests/rsa.h
ima-tests/test.h
$ cd ima-tests
$ make
$ su -c 'make install'
- ima_boot_aggregate <tpm_bios file>
Using the TPM's binary bios measurement list, re-calculate the boot aggregate.
$ su -c '/usr/local/bin/ima_boot_aggregate /sys/kernel/security/tpm0/binary_bios_measurements'
000 f797cb88c4b07745a129f35ea01b47c6c309cda9
000 dca68da0707a9a52b24db82def84f26fa463b44d
< snip >
005 6895eb784cdaf843eaad522e639f75d24d4c1ff5
PCR-00: 07274edf7147abda49200100fd668ce2c3a374d7
PCR-01: 48dff4fbf3a34d56a08dfc1504a3a9d707678ff7
PCR-02: 53de584dcef03f6a7dac1a240a835893896f218d
PCR-03: 3a3f780f11a4b49969fcaa80cd6e3957c33b2275
PCR-04: acb44e9dd4594d3f121df2848f572e4d891f0574
PCR-05: df72e880e68a2b52e6b6738bb4244b932e0f1c76
PCR-06: 585e579e48997fee8efd20830c6a841eb353c628
PCR-07: 3a3f780f11a4b49969fcaa80cd6e3957c33b2275
boot_aggregate:b5a166c10d153b7cc3e5b4f1eab1f71672b7c524
and compare the value with the ascii_runtime_measurement list value.
$ su -c 'cat /sys/kernel/security/ima/ascii_runtime_measurements | grep boot_aggregate'
10 7971593a7ad22a7cce5b234e4bc5d71b04696af4 ima b5a166c10d153b7cc3e5b4f1eab1f71672b7c524 boot_aggregate
<br>
- ima_measure <binary_runtime_measurements> \[--validate\] \[--verify\] \[--verbose\]
using the IMA binary measurement list, calculate the PCR aggregate value
$ su -c '/usr/local/bin/ima_measure /sys/kernel/security/ima/binary_runtime_measurements --validate'
PCRAggr (re-calculated): B4 D1 93 D8 FB 31 B4 DD 36 5D DA AD C1 51 AC 84 FA 88 78 1B
and compare it against the PCR value
$ cat /sys/devices/pnp0/00:0a/pcrs | grep PCR-10
PCR-10: B4 D1 93 D8 FB 31 B4 DD 36 5D DA AD C1 51 AC 84 FA 88 78 1B
### IMA re-measuring files
Part of the TCG requirement is that all Trusted Computing Base (TCB) files be measured, and re-measured if the file has changed, before reading/executing the file. IMA detects file changes based on i_version. To re-measure a file after it has changed, the filesystem must support i_version and, if needed, be mounted with i_version (eg. ext3, ext4). Not all filesystems require the explicit mount option. With commit a2a2c3c8580a ("ima: Use i_version only when filesystem supports it") i_version is considered an optimization. If i_version is not enabled, either because the local filesystem does not support it or the filesystem was not mounted with i_version, the file will now always be re-measured, whether or not the file changed, but only new measurements will be added to the measurement list.
- Attempt to mount a filesystem with i_version support.
$ su -c 'mount -o remount,rw,iversion /home'
mount: you must specify the filesystem type
Attempt to remount '/home' with i_version support, shown above, failed. Please install a version of the [util-linux-ng-2.15-rc1](http://www.kernel.org/pub/linux/utils/util-linux-ng/v2.15/ "http://www.kernel.org/pub/linux/utils/util-linux-ng/v2.15/") package or later.
- To automatically mount a filesystem with i_version support, update /etc/fstab.
UUID=blah /home ext3 defaults,iversion
- Mount the root filesystem with i_version.
- For systems with /etc/rc.sysinit, update the mount options
adding 'iversion':
# Remount the root filesystem read-write.
update_boot_stage RCmountfs
if remount_needed ; then
action $"Remounting root filesystem in read-write mode: " mount -n -o remount,rw,iversion /
fi
- For systems using dracut, root 'mount' options can be specified on the boot
command line using 'rootflags'. Add 'rootflags=i_version'. Unlike 'mount',
which expects 'iversion', notice that on the boot command line 'i_version'
contains an underscore.
### Linux-audit support
As of [Linux-audit](http://people.redhat.com/sgrubb/audit/ "http://people.redhat.com/sgrubb/audit/") 2.0, support for integrity auditing messages is available.
### Defining an LSM specific policy
The ima_tcb default measurement policy in linux-2.6.30 measures all system sensitive files - executables, mmapped libraries, and files opened for read by root. These measurements, the measurement list and the aggregate integrity value, can be used to attest to a system's
runtime integrity. Based on these measurements, a remote party can detect whether critical system files have been modified or if malicious software has been executed.
Default policy
dont_measure fsmagic=PROC_SUPER_MAGIC
dont_measure fsmagic=SYSFS_MAGIC
dont_measure fsmagic=DEBUGFS_MAGIC
dont_measure fsmagic=TMPFS_MAGIC
dont_measure fsmagic=SECURITYFS_MAGIC
dont_measure fsmagic=SELINUX_MAGIC
measure func=BPRM_CHECK
measure func=FILE_MMAP mask=MAY_EXEC
< add LSM specific rules here >
measure func=PATH_CHECK mask=MAY_READ uid=0
But not all files opened by root for read, are necessarily part of the Trusted Computing Base (TCB), and therefore do not need to be measured. Linux Security Modules (LSM) maintain file metadata, which can be leveraged to limit the number of files measured.
Examples: adding LSM specific rules
SELinux:
dont_measure obj_type=var_log_t
dont_measure obj_type=auditd_log_t
Smack:
measure subj_user=_ func=INODE_PERM mask=MAY_READ
To replace the default policy 'cat' the custom IMA measurement policy and redirect the output to "< securityfs >/ima/policy". Both dracut and systemd have been modified to load the custom IMA policy. If the IMA policy contains LSM labels, then the LSM policy must be loaded prior to the IMA policy. (eg. if systemd loads the SELinux policy, then systemd must also load the IMA policy.)
systemd commit c8161158 adds support for loading a custom IMA measurement policy. Simply place the custom IMA policy in /etc/ima/ima-policy. systemd will automatically load the custom policy.
dracut commit 0c71fb6 add initramfs support for loading the custom IMA measurement policy. Build and install dracut (git://git.kernel.org/pub/scm/boot/dracut/dracut.git), to load the custom IMA measurement policy(default: /etc/sysconfig/ima-policy).
For more information on defining an LSM specific measurement/appraisal/audit policy, refer to the kernel Documentation/ABI/testing/ima_policy.
## IMA-appraisal
IMA currently maintains an integrity measurement list used for remote attestation. The IMA-appraisal extension adds local integrity validation and enforcement of the measurement against a "good" value stored as an extended attribute 'security.ima'. The initial method for validating 'security.ima' are hashed based, which provides file data integrity, and digital signature based, which in addition to providing file data integrity, provides authenticity.
### Enabling IMA-appraisal
IMA-appraisal was upstreamed in Linux 3.7. For distros that enable IMA-appraisal by default in their kernels, appraising file measurements requires rebooting the kernel first with the boot command line parameters 'ima_appraise_tcb' and ima_appraise='fix' to [label the filesystem](#labeling-the-filesystem-with-securityima-extended-attributes). Once labeled, reboot with just the 'ima_appraise_tcb' boot command line parameter.
Refer to [compiling the kernel](#compiling-the-kernel-with-evmima-appraisal-enabled) for directions on configuring and building a new kernel with IMA-appraisal support enabled.
### Understanding the IMA-appraisal policy
The IMA-appraisal policy extends the measurement policy ABI with two new keywords: appraise/dont_appraise. The default appraise policy appraises all files owned by root. Like the default measurement policy, the default appraisal policy does not appraise pseudo filesystem files (eg. debugfs, tmpfs, securityfs, or selinuxfs.)
Additional rules can be added to the default IMA measurement/appraisal policy, which take advantage of the SELinux labels, for a more fine grained policy. Refer to Documentation/ABI/testing/ima_policy.
### Labeling the filesystem with 'security.ima' extended attributes
A new boot parameter 'ima_appraise=' has been defined in order to label existing file systems with the 'security.ima' extended attribute.
- ima_appraise= appraise integrity measurements\
Format: { "off" | "log" | "fix" } \
off - is a runtime parameter that turns off integrity appraisal verification.
enforce - verifies and enforces runtime file integrity. \[default\]
fix - for non-digitally signed files, updates the 'security.ima' xattr to reflect the existing file hash.
After building a kernel with IMA-appraisal enabled and verified that the filesystems are mounted with [i_version](#ima-re-measuring-files) support, to label the filesystem, reboot with the boot command line options 'ima_appraise_tcb' and 'ima_appraise=fix'. Opening a file owned by root, will cause the 'security.ima' extended attributes to be written. For example, to label the entire filesystem, execute:
`find / \\( -fstype rootfs -o ext4 -type f \\) -uid 0 -exec head -n 1
'{}' >/dev/null \\;`
### Labeling 'immutable' files with digital signatures
'Immutable' files, such as ELF executables, can be digitally signed, storing the digital signature in the 'security.ima' xattr. Creating the digital signature requires generating an RSA private/public key pair. The private key is used to sign the file, while the public key is used to verify the signature. For example, to digitally sign all kernel modules, replace <RSA private key>, below, with the pathname to your RSA private key, and execute:
`find /lib/modules -name "\*.ko" -type f -uid 0 -exec evmctl sign --imasig '{}' <RSA private key> \;`
evmctl manual page is here [evmctl.1.html](http://linux-ima.sourceforge.net/evmctl.1.html)
### Running with IMA-appraisal
Once the filesystem has been properly labeled, before rebooting, re-install the new labeled kernel. Modify the [initramfs](#building-an-initramfs-to-load-keys) to load the RSA public key on the IMA keyring, using evmctl. Reboot with the 'ima_appraise_tcb' and, possibly, the 'rootflags=i_version' options.
## Extending trusted and secure boot to the OS
( Place holder )
### Including file signatures in the measurement list
The 'ima-sig' template, in addition to the file data hash and the full pathname, includes the file signature, as stored in the 'security.ima' extended attribute.
10 d27747646f317e3ca1205287d0615073fe676bc6 ima-sig sha1:08f8f20c14e89da468bb238
d2012c9458ae67f6a /usr/bin/mkdir 030202afab451100802b22e3ed9f6a70fb5babf030d1181
8152b493bd6bfd916005fad7fdcfd7f88d43f6cffaf6fd1ea3b75032dd702b661d4717729e4a3fa4
ee95a47f239955491fc8064eca8cb96302d305d59750ae4ffde0a5f615f910475eee72ae0306e4ae
0269d7d04af2a485898eec3286795d621e83b7dedc99f5019b7ee49b189f3ded0a2
# getfattr -m ^security --dump -e hex /usr/bin/mkdir
# file: usr/bin/mkdir
security.evm=0x0238b0cdd9e97d5bed3bcde5a4793ef8da6fe7c7cc
security.ima=0x030202afab451100802b22e3ed9f6a70fb5babf030d11818152b493bd6bfd916005fad
7fdcfd7f88d43f6cffaf6fd1ea3b75032dd702b661d4717729e4a3fa4ee95a47f239955491fc8064eca8cb
96302d305d59750ae4ffde0a5f615f910475eee72ae0306e4ae0269d7d04af2a485898eec3286795d621e8
3b7dedc99f5019b7ee49b189f3ded0a2
### Signing IMA-appraisal keys
( Place holder )
## IMA-audit
IMA-audit includes file hashes in the audit log, which can be used to augment existing system security analytics/forensics. IMA-audit extends the IMA policy ABI with the policy action keyword - "audit".
Example policy to audit executable file hashes
audit func=BPRM_CHECK
## Linux Extended Verification Module (EVM)
EVM detects offline tampering of the security extended attributes (e.g. security.selinux, security.SMACK64, security.ima), which is the basis for LSM permission decisions and, with the IMA-appraisal extension, integrity appraisal decisions. EVM provides a framework, and two methods for detecting offline tampering of the security extended attributes. The initial method maintains an HMAC-sha1 across a set of security extended attributes, storing the HMAC as the extended attribute 'security.evm'. The other method is based on a digital signature of the security extended attributes hash. To verify the integrity of an extended attribute, EVM exports evm_verifyxattr(), which re-calculates either the HMAC or the hash, and compares it with the version stored in 'security.evm'.
### Enabling EVM
EVM was upstreamed in Linux 3.2. EVM-digital-signatures is currently in the Linux 3.3 release candidate.
Refer to [compiling the kernel](#compiling-the-kernel-with-evmima-appraisal-enabled), for directions on configuring and building a new kernel with EVM support.
### Running EVM
EVM is configured automatically to protect standard “security” extended attributes:
- security.ima (IMA's stored “good” hash for the file)
- security.selinux (the selinux label/context on the file)
- security.SMACK64 (Smack's label on the file)
- security.capability (Capability's label on executables)
EVM protects the configured extended attributes with an HMAC across their data, keyed with an EVM key provided at boot time. EVM looks for this key named 'evm-key' on root's key ring. Refer to [trusted and EVM encrypted keys](#creating-trusted-and-evm-encrypted-keys), for directions on creating EVM keys. Once loaded, EVM can be activated by writing a '1' to the evm securityfs file: `**echo "1" >/sys/kernel/security/evm**`
Before EVM is activated, any requested integrity appraisals are unknown, so the EVM startup should be done early in the boot process, preferably entirely within the kernel and initramfs (which are measured by trusted grub) and before any reference to the real root filesystem. To build an initramfs with EVM enabled, build and install dracut (git://git.kernel.org/pub/scm/boot/dracut/dracut.git), which contains the trusted and EVM dracut modules.
### Labeling the filesystem with 'security.evm'
A new boot parameter 'evm=fix' has been defined in order to label existing file systems with the 'security.evm' extended attribute.
After building a kernel with EVM, IMA-appraisal, and trusted and encrypted keys enabled, installed the trusted and EVM dracut modules, created the EVM key, and verified that the filesystems are mounted, including root, with [i_version](#ima-re-measuring-files) support, to label the filesystem, reboot with the command line options 'ima_tcb', 'ima_appraise_tcb', 'ima_appraise=fix', 'evm=fix' and, possibly, 'rootflags=i_version'.
Once EVM is started, as existing file metadata changes or as new files are created, EVM assumes that the LSM has approved such changes, and automatically updates the HMACs accordingly, assuming the existing value is valid. In fix mode, opening a file owned by root, will fix the 'security.ima' extended attribute, causing the 'security.evm' extended attribute to be written as well, regardless if the existing security 'ima' or 'evm' extended attributes are valid. To label the entire filesystem, execute:
`find / -fstype ext4 -type f -uid 0 -exec head -n 1 '{}' >/dev/null \;`
The following sign_file script can be used to label all 'ELF' files with EVM and IMA digital signatures, and all other files with just an EVM digital signature.
sign_file:
#!/bin/sh
#label "immutable" files with EVM/IMA digital signatures
#label everything else with just EVM digital signatures
file $1 | grep 'ELF' > /dev/null
if [ $? -eq 0 ]; then
evmctl sign --imasig $1 /home/zohar/privkey_evm.pem
else
evmctl sign --imahash $1 /home/zohar/privkey_evm.pem
fi
Instead of opening the file using head, digitally sign the files:
`find / \( -fstype rootfs -o -fstype ext3 -o -fstype ext4 \) -type f -exec sign_file.sh {} \;`
Once the filesystem has been properly labeled, before rebooting, re-install the new labeled kernel. Modify the initramfs to load the RSA public keys on the EVM and IMA keyring. Reboot with just the 'ima_tcb', 'ima_appraise_tcb' and, possibly, 'rootflags=i_version' options.
## Compiling the kernel with EVM/IMA-appraisal enabled
For those unfamiliar with building a linux kernel, here is a short list of existing websites.
- [http://kernelnewbies.org/KernelBuild](http://kernelnewbies.org/KernelBuild "http://kernelnewbies.org/KernelBuild")
- [http://fedoraproject.org/wiki/BuildingUpstreamKernel](http://fedoraproject.org/wiki/BuildingUpstreamKernel "http://fedoraproject.org/wiki/BuildingUpstreamKernel")
- [https://wiki.ubuntu.com/KernelTeam/GitKernelBuild](https://wiki.ubuntu.com/KernelTeam/GitKernelBuild "https://wiki.ubuntu.com/KernelTeam/GitKernelBuild")
### Configuring the kernel
Depending on the distro, some of these options might already be enabled, but not necessarily as builtin. For distros with recent kernels, download the distro's kernel source and recompile the kernel with the additional .config options, below. (Refer to the distro's documentation for building and installing the kernel from source.)
For IMA, enable the following .config options:
CONFIG_INTEGRITY=y
CONFIG_IMA=y
CONFIG_IMA_MEASURE_PCR_IDX=10
CONFIG_IMA_AUDIT=y
CONFIG_IMA_LSM_RULES=y
For IMA-appraisal, enable the following .config options:
CONFIG_INTEGRITY_SIGNATURE=y
CONFIG_INTEGRITY=y
CONFIG_IMA_APPRAISE=y
EVM has a dependency on encrypted keys, which should be encrypted/decrypted using a trusted key. For those systems without a TPM, the EVM key could be encrypted/decrypted with a user-defined key instead. For EVM, enable the following .config options:
CONFIG_TCG_TPM=y
CONFIG_KEYS=y
CONFIG_TRUSTED_KEYS=y
CONFIG_ENCRYPTED_KEYS=y
CONFIG_INTEGRITY_SIGNATURE=y
CONFIG_INTEGRITY=y
CONFIG_EVM=y
For the new 'ima-ng'/'ima-sig' template support(linux 3.13), clone the stable tree.
$ cd ~/src/kernel
$ git clone git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git
$ cd linux-stable
$ git remote update
$ git checkout --track -b linux-3.13.y origin/linux-3.13.y
and enable these additional .config options:
CONFIG_IMA_NG_TEMPLATE=y
CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng"
CONFIG_IMA_DEFAULT_HASH_SHA256=y
### Installing the new kernel
If enabling EVM, before installing the new kernel, follow the directions for creating the EVM encrypted key (#creating_trusted_and_evm_encrypted keys) and EVM/IMA public keys (#creating_and_loading_the_evm_and_ima_publicprivate_keypairs).
Install the kernel as normal.
$ su -c "make modules_install install"
## Creating trusted and EVM encrypted keys
Trusted and encrypted keys are two new key types (upstreamed in 2.6.38) added to the existing kernel key ring service. Both of these new types are variable length symmetic keys and, in both cases, are created in the kernel. User space sees, stores, and loads only encrypted blobs. Trusted Keys require the availability of a Trusted Platform Module (TPM) chip for greater security, while encrypted keys can be used on any system. All user level blobs, are displayed and loaded in hex ascii for convenience, and are integrity verified.
Depending on the distro, trusted and encrypted keys might not be enabled. Refer to [compiling the kernel](#compiling-the-kernel-with-evmima-appraisal_enabled), for directions on configuring and building a new kernel with trusted and encrypted key support.
The trusted and EVM dracut modules, by default, looks for the trusted and EVM encrypted keys in /etc/keys. To create and save the kernel master and EVM keys,
$ su -c 'mkdir -p /etc/keys'
# To create and save the kernel master key (trusted type):
$ su -c 'modprobe trusted encrypted'
$ su -c 'keyctl add trusted kmk-trusted "new 32" @u'
$ su -c 'keyctl pipe `keyctl search @u trusted kmk-trusted` >/etc/keys/kmk-trusted.blob'
# Create the EVM encrypted key
$ su -c 'keyctl add encrypted evm-key "new trusted:kmk-trusted 32" @u'
$ su -c 'keyctl pipe `keyctl search @u encrypted evm-key` >/etc/keys/evm-trusted.blob'
For those systems which don't have a TPM, but want to experiment with EVM, create a user key of 32 random bytes, and an EVM user encrypted key. Unlike trusted/encrypted keys, user type key data is visible to userspace.
$ su -c 'mkdir -p /etc/keys'
# To create and save the kernel master key (user type):
$ su -c 'modprobe trusted encrypted'
$ su -c 'keyctl add user kmk-user "`dd if=/dev/urandom bs=1 count=32 2>/dev/null`" @u'
$ su -c 'keyctl pipe `keyctl search @u user kmk-user` > /etc/keys/kmk-user.blob'
# Create the EVM encrypted key
$ su -c 'keyctl add encrypted evm-key "new user:kmk-user 32" @u'
$ su -c 'keyctl pipe `keyctl search @u encrypted evm-key` >/etc/keys/evm-user.blob'
Update /etc/sysconfig/masterkey to reflect using a 'user-defined' master key type.
MULTIKERNELMODE="NO"
MASTERKEYTYPE="user"
MASTERKEY="/etc/keys/kmk-${MASTERKEYTYPE}.blob"
Similarly update /etc/sysconfig/evm or on the boot command line specify the EVM key filename (eg. 'evmkey=/etc/keys/evm-user.blob'.)
<br>
## Creating and loading the EVM and IMA public/private keypairs
### Digital Signatures: generating an RSA public/private key pair
# generate unencrypted private key
openssl genrsa -out privkey_evm.pem 1024
# or generate encrypted (password protected) private key
openssl genrsa -des3 -out privkey_evm.pem 1024
# or convert unencrypted key to encrypted on
openssl rsa -in /etc/keys/privkey_evm.pem -out privkey_evm_enc.pem -des3
or
openssl pkcs8 -topk8 -in /etc/keys/privkey_evm.pem -out privkey_evm_enc.pem
openssl rsa -pubout -in privkey_evm.pem -out pubkey_evm.pem
### ima-evm-utils: installing the package from source
ima-evem-utils is used to sign files, using the private key, and to load the public keys on the ima/evm keyrings. ima-evm-utils can be cloned from git repo with the following command:
git clone git://linux-ima.git.sourceforge.net/gitroot/linux-ima/ima-evm-utils.git
cd ima-evm-utils
./autogen.sh
./configure
make
sudo make install
evmctl manual page is here [evmctl.1.html](http://linux-ima.sourceforge.net/evmctl.1.html)
### IMA/EVM keyrings: loading the public keys
ima_id=`keyctl newring _ima @u`
evmctl import /etc/keys/pubkey_ima.pem $ima_id
evm_id=`keyctl newring _evm @u`
evmctl import /etc/keys/pubkey_evm.pem $evm_id
## Building an initramfs to load keys
Modify the initramfs to load the EVM encrypted key and the EVM/IMA public keys on their respective keyrings.
### dracut
Dracut commits 0c71fb6 and e1ed2a2 add support for loading the masterkey and the EVM encrypted key, not the EVM/IMA public keys (todo).
0c71fb6 dracut: added new module integrityy
e1ed2a2 dracut: added new module masterkey
Clone dracut (git://git.kernel.org/pub/scm/boot/dracut/dracut.git). By default, the masterkey and integrity modules are not enabled in the dracut git tree. Edit module-setup in both directories, changing the check() return value to 0. 'make' and 'install' dracut.
Create an initramfs:
# dracut -H -f /boot/initramfs-<kernel> <kernel> -M
And add a grub2 menu entry:
# grub2-mkconfig -o /boot/grub2/grub.cfg
### initramfs-tools
To enable IMA/EVM in initramfs-tools it is necessary to add just 2 files to /etc/initramfs-tools directory.
/etc/initramfs-tools/hooks/ima.sh:
#!/bin/sh
echo "Adding IMA binaries"
. /usr/share/initramfs-tools/hook-functions
copy_exec /etc/keys/evm-key
copy_exec /etc/keys/pubkey_evm.pem
copy_exec /etc/ima_policy
copy_exec /bin/keyctl
copy_exec /usr/bin/evmctl /bin/evmctl
/etc/initramfs-tools/scripts/local-top/ima.sh:
#!/bin/sh -e
PREREQ=""
# Output pre-requisites
prereqs()
{
echo "$PREREQ"
}
case "$1" in
prereqs)
prereqs
exit 0
;;
esac
grep -q "ima=off" /proc/cmdline && exit 1
mount -n -t securityfs securityfs /sys/kernel/security
IMA_POLICY=/sys/kernel/security/ima/policy
LSM_POLICY=/etc/ima_policy
grep -v "^#" $LSM_POLICY >$IMA_POLICY
# import EVM HMAC key
keyctl show |grep -q kmk || keyctl add user kmk "testing123" @u
keyctl add encrypted evm-key "load `cat /etc/keys/evm-key`" @u
#keyctl revoke kmk
# import Module public key
mod_id=`keyctl newring _module @u`
evmctl import /etc/keys/pubkey_evm.pem $mod_id
# import IMA public key
ima_id=`keyctl newring _ima @u`
evmctl import /etc/keys/pubkey_evm.pem $ima_id
# import EVM public key
evm_id=`keyctl newring _evm @u`
evmctl import /etc/keys/pubkey_evm.pem $evm_id
# enable EVM
echo "1" > /sys/kernel/security/evm
# enable module checking
#echo "1" > /sys/kernel/security/module_check
generate new initramfs:
update-initramfs -k 3.4.0-rc5-kds+ -u
Edit GRUB bootloader /boot/grub/custom.cfg:
menuentry 'IMA' {
set gfxpayload=$linux_gfx_mode
insmod gzio
insmod part_msdos
insmod ext2
set root='(hd0,msdos1)'
# add following string to kernel command line to enable "fix" mode: "ima_appraise=fix evm=fix"
linux /boot/vmlinuz-3.4.0-rc5-kds+ root=/dev/sda1 ro nosplash ima_audit=1 ima_tcb=1 ima_appraise_tcb=1
initrd /boot/initrd.img-3.4.0-rc5-kds+
}
## IMA policy examples
### Builtin policys
**Enabled on the boot command line:**
*ima_tcb* - measures all files read as root and all files executed
*ima_appraise_tcb* - appraises all files owned by root
### audit log all executables
# audit log all executables
audit func=BPRM_CHECK mask=MAY_EXEC
### Measure nothing, appraise everything
#
# Integrity measure policy
#
# Do not measure anything, but appraise everything
#
# PROC_SUPER_MAGIC
dont_appraise fsmagic=0x9fa0
# SYSFS_MAGIC
dont_appraise fsmagic=0x62656572
# DEBUGFS_MAGIC
dont_appraise fsmagic=0x64626720
# TMPFS_MAGIC
dont_appraise fsmagic=0x01021994
# RAMFS_MAGIC
dont_appraise fsmagic=0x858458f6
# DEVPTS_SUPER_MAGIC
dont_appraise fsmagic=0x1cd1
# BIFMT
dont_appraise fsmagic=0x42494e4d
# SECURITYFS_MAGIC
dont_appraise fsmagic=0x73636673
# SELINUXFS_MAGIC
dont_appraise fsmagic=0xf97cff8c
appraise
## ima-evm-utils
ima-evm-utils package provides the *evmctl* utility that can be used for producing and verifying digital signatures, which are used by Linux kernel integrity subsystem. It can be also used to import keys into the kernel keyring.
evmctl manual page is located here: [http://linux-ima.sourceforge.net/evmctl.1.html](http://linux-ima.sourceforge.net/evmctl.1.html)
<br>
## Using IMA/EVM on Android
Enabling IMA/EVM is not very difficult task but involves few tricky steps related to file system creation and labeling.
Android source code is kept in GIT repositories and usually downloaded using 'repo' tool.
IMA/EVM support was implemented using Android 5.0.2 source tree and tested on Huawei P8.
Set of patches is located [here](https://sourceforge.net/projects/linux-ima/files/Android%20patches/).
### Kernel configuration
Kernel source code is usually located in the 'kernel' folder in the root of the Android source tree.
Huawei P8 runs on HiSilicon Kirin 930/935 64 bit ARM CPU.
Default kernel configuration file is 'kernel/arch/arm64/configs/hisi_3635_defconfig'
Following lines were added:
# Integrity
CONFIG_INTEGRITY=y
CONFIG_IMA=y
CONFIG_IMA_MEASURE_PCR_IDX=10
CONFIG_IMA_AUDIT=y
CONFIG_IMA_LSM_RULES=y
CONFIG_INTEGRITY_SIGNATURE=y
CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
CONFIG_IMA_APPRAISE=y
CONFIG_EVM=y
# Keys
CONFIG_KEYS=y
CONFIG_KEYS_DEBUG_PROC_KEYS=y
CONFIG_TRUSTED_KEYS=y
CONFIG_ENCRYPTED_KEYS=y
### Kernel command line parameters
Kernel command line parameters are usually specified in board configuration files, such as BoardConfig.mk, for example, 'device/hisi/hi3635/BoardConfig.mk
Add following lines to the file:
BOARD_KERNEL_CMDLINE += ima_audit=1
BOARD_KERNEL_CMDLINE += ima_tcb ima_appraise_tcb
# enable fix mode while testing
BOARD_KERNEL_CMDLINE += ima_appraise=fix evm=fix
### IMA boot initialization
To boot Android, devices usually have boot partition which is flashed with boot.img.
boot.img consist of the kernel and compressed ramdisk which includes Android root filesystem.
boot.img is usually protected using digital signature which is verified by the Android bootloader as a part of Secure Boot process.
Root filesystem contains Android 'init' system and minimal set of tools, which is required to initialize and mount rest of filesystems, including '/system' and '/data'.
Android uses own 'init' system (system/core/init) which reads configuration from '/init.rc' and multiple sourced '/init.*.rc' scripts located in the root folder.
We used to use shell scripts to load IMA/EVM keys and policy. On desktop systems there is no limitation on ramdisk size, but on Android devices it is limited by the size of the boot partition. Android ramdisk/root filesystem does not include shell, but including adding shell, keyctl, evmctl makes ramdisk so big so that boot.img does not fit to the boot partition.
For that reason it was necessary to implement IMA/EVM initialization functionality as native program 'ima-init'.
This patch ([0004-ima_init-tool-to-load-IMA-EVM-keys-and-policy.patch](http://sourceforge.net/projects/linux-ima/files/Android%20patches/0004-ima_init-tool-to-load-IMA-EVM-keys-and-policy.patch/view)) adds 'system/extras/ima-init' project to the Android source tree. It builds '/ima-init' initialization program and generates private and public keys to sign filesystem image usign EVM signatures and verify them during runtime.
ima-init project also includes 'ima_key_gen.sh' script to generate keys and certificates and also basic 'ima_policy', which needs to be changed based on the particular need.
ima-init and public keys are included in the ramdisk root filesystem.
In order to initialize IMA/EVM it is necessary add like following configuration to relevant init.rc file:
service ima /sbin/ima_init
class main
user root
group root
disabled
seclabel u:r:init:s0
oneshot
Above example add 'ima' service which is used to initialize IMA.
IMA service needs to be started using 'start ima' before mounting any real filesystem. For example it was added to the 'on fs' target before mounting 'system' partition.
on fs
mount securityfs none /sys/kernel/security
start ima
wait /dev/block/mmcblk0p38
mount ext4 /dev/block/mmcblk0p38 /system ro
wait /dev/block/mmcblk0p40
mount ext4 /dev/block/mmcblk0p40 /data nosuid nodev noatime data=ordered,i_version
### Mounting filesystems (with iversion)
In order IMA would update 'security.ima' when file changes, it is necessary to mount filesystems with i_version support. Android usually mounts all filesystems in init.rc scripts using 'mount' command. Notice in the example above that '/data' partition is mounted using 'i_version' options.
Desktop mount tool from mount package recognizes iversion option and pass necessary flag to mount system call. Unrecognized options are passed as a string in the last argument of the mount system call to the kernel filesystem module. Kernel filesystem modules recognize 'i_version' option instead of 'iversion'. Thus on the desktop systems it is possible to use both iversion and i_version options.
Android tools do not recognize 'iversion' option. It is necessary to use 'i_version' option.
init.rc 'mount' command options are located after the mount point. All except last are 'init' builtin options and *only* the last option is passed as a string to the mount system call. Thus it is necessary to put 'i_version' option as a last option or to add it to the comma separated option list as above.
### Filesystem labeling
Filesystem labeling with digital signatures has to be done during image creation process. It can be done using two approaches.
The easiest approach is to label ready image. It requires following steps:
1. convert sparse image to normal image using simg2img tool
1. 'loop mount' the image
1. label filesystem using evmctl tool
1. unmount image
1. convert image back to sparse image using img2simg tool
But mount operation would require root privileges to mount filesystem.
Android 'make_ext4fs' tool is used to create filesystem image. It provides support for labeling filesystem using 'security labels' (SELinux). We extended make_ext4fs to compute and set IMA/EVM signatures while creating a filesystem. It uses extended version of 'evmctl' to compute signatures by passing all relevant file metadata using evmctl command line parameters.
Here is a patch that adds IMA/EVM support to the make_ext4fs ([0003-IMA-EVM-labelling-support.patch](http://sourceforge.net/projects/linux-ima/files/Android%20patches/0003-IMA-EVM-labelling-support.patch/view)).
### Additional tools
It is convenient for testing and debugging to have additional tools such as keyctl and getfattr tools on the device.
#### evmctl
For Android, 'evmct' is a host only tool to compute IMA/EVM signatures and convert RSA keys to the kernel binary format.
'evmctl' was extended to pass file metadata using command line parameters:
--ino use custom inode for EVM
--uid use custom UID for EVM
--gid use custom GID for EVM
--mode use custom Mode for EVM
--generation use custom Generation for EVM(unspecified: from FS, empty: use 0)
--ima use custom IMA signature for EVM
--selinux use custom Selinux label for EVM
--caps use custom Capabilities for EVM(unspecified: from FS, empty: do not use)
#### keyctl
This patch ([0002-keyctl-tool.patch](http://sourceforge.net/projects/linux-ima/files/Android%20patches/0002-keyctl-tool.patch/view)) adds project system/extras/keyctl.
#### getfattr
This patch ([0001-getfattr-tool.patch](http://sourceforge.net/projects/linux-ima/files/Android%20patches/0001-getfattr-tool.patch/view)) adds project system/extras/getfattr.
<br>
## Frequently asked questions
- Why is the first entry in the IMA measurement list (/sys/kernel/security ima/ascii_runtime_measurements) are 0's?
The first entry is the TPM boot aggregate containing PCR values 0 -
7. Enable the TPM in BIOS and take ownership.
- How do I take ownership of the TPM?
To take ownership of the TPM, download the tpm-tools, start tcsd (eg. 'service tcsd start'), and execute "tpm_takeownership -u -z". This will set the SRK key to the well-known secret(20 zeroes) and prompt for the TPM owner password.
- Why are there 0x00 entries in the measurement list?
The measurement list is invalidated, when a regular file is opened for read and, at the same time, opened for write. In the majority of cases, these files should not have been measured in the first place (eg. log files). In other cases, the application needs to be fixed.
- Why aren't files re-measured and added to the IMA measurement list
after being updated?
To detect files changing, the filesystem needs to be mounted with i_version support. For the root filesystem, either update /etc/rc.sysinit or add 'rootflags=i_version' boot command line option. For all other filesystems, modify /etc/fstab.
- Why doesn't the measurement list verify?
On some systems, after a suspend/resume, the TPM measurement list does not verify. On those systems, add the boot command line option "tpm.suspend_pcr=< unused PCR >".
- Why are there two /init entries in the measurement list?
The first '/init' is from the initramfs. The second /init is from the root filesystem (eg. /sbin/init). The IMA ng/nglong template patches will provide additional metadata to help correlate measurement entries and files.
- Why am I unable to boot the new EVM/IMA-appraisal enabled kernel?
After building a new kernel with EVM/IMA-appraisal enabled, the filesystem must be labeled with 'security.evm' and 'security.ima' extended attributes. After creating an [EVM
key](#creating_trusted_and_evm_encrypted_keys), boot the new kernel with the 'ima_tcb', 'evm=fix', 'ima_appraise_tcb', 'ima_appraise=fix', and, possibly, 'rootflags=i_version' boot
command line options. Refer to [labeling the filesystem](#labeling-the-filesystem-with-securityima-extended-attributes) with 'security.evm'.
- How do I enable the measurement policy for local/remote attestation, without enabling IMA-appraisal?
Boot with the 'ima_tcb' command line option.
- How do I enable the appraise policy, without the measurement policy?
Boot with the 'ima_appraise_tcb' command line option.
## Links
- IMA/EVM utils man page:
[http://linux-ima.sourceforge.net/evmctl.1.html](http://linux-ima.sourceforge.net/evmctl.1.html)
- Linux IMA project page:
[https://sourceforge.net/projects/linux-ima/](https://sourceforge.net/projects/linux-ima/ "https://sourceforge.net/projects/linux-ima/")
- Old web site:
[http://linux-ima.sourceforge.net/](http://linux-ima.sourceforge.net/ "http://linux-ima.sourceforge.net/")
- GIT repositories:
[https://sourceforge.net/p/linux-ima/ima-evm-utils](https://sourceforge.net/p/linux-ima/ima-evm-utils/)
[Old](/apps/mediawiki/linux-ima/index.php?title=Main_Page_OLD "Old")
Converted from http://sourceforge.net/apps/mediawiki/linux-ima/index.php?title=Main_Page_OLD
[[project_screenshots]]
[[project_admins]]
[[download_button]]

213
kernel-configs/base
View File

@ -1,213 +0,0 @@
CONFIG_LOCALVERSION="-dont-use"
CONFIG_WATCH_QUEUE=y
CONFIG_AUDIT=y
CONFIG_AUDITSYSCALL=y
CONFIG_HZ_PERIODIC=y
CONFIG_LOG_BUF_SHIFT=17
CONFIG_USER_NS=y
CONFIG_PID_NS=y
CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE=y
CONFIG_KALLSYMS_ALL=y
CONFIG_SYSTEM_DATA_VERIFICATION=y
CONFIG_TRACEPOINTS=y
CONFIG_CON_CHAN="xterm"
CONFIG_SSL_CHAN="pty"
CONFIG_MODULE_SIG_FORMAT=y
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_FORCE=y
CONFIG_MODULE_SIG_ALL=y
CONFIG_MODULE_SIG_SHA1=y
CONFIG_MODULE_SIG_HASH="sha1"
CONFIG_MODULES_TREE_LOOKUP=y
CONFIG_BLK_DEBUG_FS=y
CONFIG_ASN1=y
CONFIG_UNINLINE_SPIN_UNLOCK=y
CONFIG_SLUB=y
CONFIG_COMPACTION=y
CONFIG_COMPACT_UNEVICTABLE_DEFAULT=1
CONFIG_MIGRATION=y
CONFIG_BLK_DEV_LOOP=y
CONFIG_LEGACY_PTY_COUNT=256
CONFIG_NULL_TTY=y
CONFIG_SERIAL_DEV_BUS=y
CONFIG_SERIAL_DEV_CTRL_TTYPORT=y
CONFIG_VALIDATE_FS_PARSER=y
CONFIG_EXT4_FS_POSIX_ACL=y
CONFIG_EXT4_FS_SECURITY=y
CONFIG_EXT4_DEBUG=y
CONFIG_REISERFS_FS_XATTR=y
CONFIG_REISERFS_FS_POSIX_ACL=y
CONFIG_REISERFS_FS_SECURITY=y
CONFIG_FS_POSIX_ACL=y
CONFIG_FS_VERITY=y
CONFIG_FS_VERITY_BUILTIN_SIGNATURES=y
CONFIG_TMPFS_POSIX_ACL=y
CONFIG_TMPFS_XATTR=y
CONFIG_CONFIGFS_FS=y
CONFIG_KEYS=y
CONFIG_ENCRYPTED_KEYS=y
CONFIG_SECURITY=y
CONFIG_SECURITYFS=y
CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_PATH=y
CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,bpf"
CONFIG_CRYPTO_AEAD2=y
CONFIG_CRYPTO_SKCIPHER=y
CONFIG_CRYPTO_SKCIPHER2=y
CONFIG_CRYPTO_RNG=y
CONFIG_CRYPTO_RNG2=y
CONFIG_CRYPTO_RNG_DEFAULT=y
CONFIG_CRYPTO_AKCIPHER2=y
CONFIG_CRYPTO_AKCIPHER=y
CONFIG_CRYPTO_KPP2=y
CONFIG_CRYPTO_ACOMP2=y
CONFIG_CRYPTO_MANAGER=y
CONFIG_CRYPTO_MANAGER2=y
CONFIG_CRYPTO_NULL2=y
CONFIG_CRYPTO_RSA=y
CONFIG_CRYPTO_ECC=y
CONFIG_CRYPTO_ECDSA=y
CONFIG_CRYPTO_AES=y
CONFIG_CRYPTO_CBC=y
CONFIG_CRYPTO_HMAC=y
CONFIG_CRYPTO_MD5=y
CONFIG_CRYPTO_SHA1=y
CONFIG_CRYPTO_SHA256=y
CONFIG_CRYPTO_SHA512=y
CONFIG_CRYPTO_WP512=y
CONFIG_CRYPTO_LZO=y
CONFIG_CRYPTO_ZSTD=y
CONFIG_CRYPTO_DRBG_MENU=y
CONFIG_CRYPTO_DRBG_HMAC=y
CONFIG_CRYPTO_DRBG=y
CONFIG_CRYPTO_JITTERENTROPY=y
CONFIG_CRYPTO_HASH_INFO=y
CONFIG_ASYMMETRIC_KEY_TYPE=y
CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y
CONFIG_X509_CERTIFICATE_PARSER=y
CONFIG_PKCS8_PRIVATE_KEY_PARSER=y
CONFIG_PKCS7_MESSAGE_PARSER=y
CONFIG_PKCS7_TEST_KEY=y
CONFIG_SIGNED_PE_FILE_VERIFICATION=y
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
CONFIG_MODULE_SIG_KEY_TYPE_RSA=y
CONFIG_SYSTEM_TRUSTED_KEYRING=y
CONFIG_SYSTEM_TRUSTED_KEYS=""
CONFIG_SYSTEM_EXTRA_CERTIFICATE=y
CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE=4096
CONFIG_SECONDARY_TRUSTED_KEYRING=y
CONFIG_SYSTEM_BLACKLIST_KEYRING=y
CONFIG_SYSTEM_BLACKLIST_HASH_LIST=""
CONFIG_SYSTEM_REVOCATION_LIST=y
CONFIG_SYSTEM_REVOCATION_KEYS=""
CONFIG_SYSTEM_BLACKLIST_AUTH_UPDATE=y
CONFIG_BINARY_PRINTF=y
CONFIG_CRYPTO_LIB_AES=y
CONFIG_CRYPTO_LIB_SHA256=y
CONFIG_CRC_CCITT=y
CONFIG_XXHASH=y
CONFIG_AUDIT_GENERIC=y
CONFIG_LZO_COMPRESS=y
CONFIG_LZO_DECOMPRESS=y
CONFIG_ZSTD_COMMON=y
CONFIG_ZSTD_COMPRESS=y
CONFIG_ZSTD_DECOMPRESS=y
CONFIG_ASSOCIATIVE_ARRAY=y
CONFIG_SGL_ALLOC=y
CONFIG_GLOB=y
CONFIG_CLZ_TAB=y
CONFIG_MPILIB=y
CONFIG_SIGNATURE=y
CONFIG_OID_REGISTRY=y
CONFIG_STACKDEPOT=y
CONFIG_STACKDEPOT_ALWAYS_INIT=y
CONFIG_PRINTK_TIME=y
CONFIG_PRINTK_CALLER=y
CONFIG_DYNAMIC_DEBUG=y
CONFIG_DYNAMIC_DEBUG_CORE=y
CONFIG_DEBUG_INFO_DWARF5=y
CONFIG_GDB_SCRIPTS=y
CONFIG_FRAME_WARN=2048
CONFIG_READABLE_ASM=y
CONFIG_DEBUG_SECTION_MISMATCH=y
CONFIG_DEBUG_FS=y
CONFIG_DEBUG_FS_ALLOW_ALL=y
CONFIG_UBSAN=y
CONFIG_CC_HAS_UBSAN_BOUNDS=y
CONFIG_UBSAN_BOUNDS=y
CONFIG_UBSAN_ONLY_BOUNDS=y
CONFIG_UBSAN_SHIFT=y
CONFIG_UBSAN_DIV_ZERO=y
CONFIG_UBSAN_BOOL=y
CONFIG_UBSAN_ENUM=y
CONFIG_UBSAN_ALIGNMENT=y
CONFIG_PAGE_EXTENSION=y
CONFIG_DEBUG_PAGEALLOC=y
CONFIG_DEBUG_PAGEALLOC_ENABLE_DEFAULT=y
CONFIG_SLUB_DEBUG=y
CONFIG_SLUB_DEBUG_ON=y
CONFIG_PAGE_OWNER=y
CONFIG_PAGE_POISONING=y
CONFIG_DEBUG_OBJECTS=y
CONFIG_DEBUG_OBJECTS_FREE=y
CONFIG_DEBUG_OBJECTS_TIMERS=y
CONFIG_DEBUG_OBJECTS_WORK=y
CONFIG_DEBUG_OBJECTS_RCU_HEAD=y
CONFIG_DEBUG_OBJECTS_PERCPU_COUNTER=y
CONFIG_DEBUG_OBJECTS_ENABLE_DEFAULT=1
CONFIG_DEBUG_KMEMLEAK=y
CONFIG_DEBUG_KMEMLEAK_MEM_POOL_SIZE=16000
CONFIG_DEBUG_KMEMLEAK_AUTO_SCAN=y
CONFIG_DEBUG_STACK_USAGE=y
CONFIG_SCHED_STACK_END_CHECK=y
CONFIG_DEBUG_SHIRQ=y
CONFIG_PANIC_ON_OOPS=y
CONFIG_PANIC_ON_OOPS_VALUE=1
CONFIG_LOCKUP_DETECTOR=y
CONFIG_SOFTLOCKUP_DETECTOR=y
CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC=y
CONFIG_DETECT_HUNG_TASK=y
CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=120
CONFIG_BOOTPARAM_HUNG_TASK_PANIC=y
CONFIG_WQ_WATCHDOG=y
CONFIG_DEBUG_TIMEKEEPING=y
CONFIG_PROVE_LOCKING=y
CONFIG_PROVE_RAW_LOCK_NESTING=y
CONFIG_LOCK_STAT=y
CONFIG_DEBUG_RT_MUTEXES=y
CONFIG_DEBUG_SPINLOCK=y
CONFIG_DEBUG_MUTEXES=y
CONFIG_DEBUG_WW_MUTEX_SLOWPATH=y
CONFIG_DEBUG_RWSEMS=y
CONFIG_DEBUG_LOCK_ALLOC=y
CONFIG_LOCKDEP=y
CONFIG_LOCKDEP_BITS=15
CONFIG_LOCKDEP_CHAINS_BITS=16
CONFIG_LOCKDEP_STACK_TRACE_BITS=19
CONFIG_LOCKDEP_STACK_TRACE_HASH_BITS=14
CONFIG_LOCKDEP_CIRCULAR_QUEUE_BITS=12
CONFIG_WW_MUTEX_SELFTEST=y
CONFIG_CSD_LOCK_WAIT_DEBUG=y
CONFIG_TRACE_IRQFLAGS=y
CONFIG_DEBUG_IRQFLAGS=y
CONFIG_DEBUG_LIST=y
CONFIG_DEBUG_PLIST=y
CONFIG_DEBUG_NOTIFIERS=y
CONFIG_BUG_ON_DATA_CORRUPTION=y
CONFIG_PROVE_RCU=y
CONFIG_RCU_TRACE=y
CONFIG_NOP_TRACER=y
CONFIG_TRACE_CLOCK=y
CONFIG_RING_BUFFER=y
CONFIG_EVENT_TRACING=y
CONFIG_CONTEXT_SWITCH_TRACER=y
CONFIG_PREEMPTIRQ_TRACEPOINTS=y
CONFIG_TRACING=y
CONFIG_DRM=n
CONFIG_USB=n
CONFIG_SOUND=n
CONFIG_9P_FS=y
CONFIG_9P_FS_POSIX_ACL=y
CONFIG_9P_FS_SECURITY=y
CONFIG_ETHERNET=n
CONFIG_WLAN=n

29
kernel-configs/integrity
View File

@ -1,29 +0,0 @@
CONFIG_INTEGRITY=y
CONFIG_INTEGRITY_SIGNATURE=y
CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
CONFIG_INTEGRITY_TRUSTED_KEYRING=y
CONFIG_INTEGRITY_AUDIT=y
CONFIG_IMA=y
CONFIG_IMA_MEASURE_PCR_IDX=10
CONFIG_IMA_NG_TEMPLATE=y
CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng"
CONFIG_IMA_DEFAULT_HASH_SHA256=y
CONFIG_IMA_DEFAULT_HASH="sha256"
CONFIG_IMA_WRITE_POLICY=y
CONFIG_IMA_READ_POLICY=y
CONFIG_IMA_APPRAISE=y
CONFIG_IMA_ARCH_POLICY=y
CONFIG_IMA_APPRAISE_BUILD_POLICY=y
CONFIG_IMA_APPRAISE_BOOTPARAM=y
CONFIG_IMA_APPRAISE_MODSIG=y
CONFIG_IMA_TRUSTED_KEYRING=y
CONFIG_IMA_BLACKLIST_KEYRING=y
CONFIG_IMA_LOAD_X509=y
CONFIG_IMA_X509_PATH="/etc/keys/x509_ima.der"
CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y
CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y
CONFIG_EVM=y
CONFIG_EVM_ATTR_FSUUID=y
CONFIG_EVM_ADD_XATTRS=y
CONFIG_EVM_LOAD_X509=y
CONFIG_EVM_X509_PATH="/etc/keys/x509_evm.der"

36
m4/default-hash-algo.m4
View File

@ -1,36 +0,0 @@
dnl Copyright (c) 2021 Bruno Meneguele <bmeneg@redhat.com>
dnl Check hash algorithm availability in the kernel
dnl
dnl $1 - $KERNEL_HEADERS
AC_DEFUN([AX_DEFAULT_HASH_ALGO], [
HASH_INFO_HEADER="$1/include/uapi/linux/hash_info.h"
AC_ARG_WITH([default_hash],
AS_HELP_STRING([--with-default-hash=ALGORITHM], [specifies the default hash algorithm to be used]),
[HASH_ALGO=$withval],
[HASH_ALGO=sha256])
AC_PROG_SED()
HASH_ALGO="$(echo $HASH_ALGO | $SED 's/\(.*\)/\L\1\E/')"
AC_CHECK_HEADER([$HASH_INFO_HEADER],
[HAVE_HASH_INFO_HEADER=yes],
[AC_MSG_WARN([$HASH_INFO_HEADER not found.])])
if test "x$HAVE_HASH_INFO_HEADER" = "x"; then
AC_MSG_RESULT([using $HASH_ALGO algorithm as default hash algorith])
AC_DEFINE_UNQUOTED(DEFAULT_HASH_ALGO, "$HASH_ALGO", [Define default hash algorithm])
else
AC_PROG_GREP()
$SED -n 's/HASH_ALGO_\(.*\),/\L\1\E/p' $HASH_INFO_HEADER | $GREP -w $HASH_ALGO > /dev/null
have_hash=$?
if test $have_hash -ne 0; then
AC_MSG_ERROR([$HASH_ALGO algorithm specified, but not provided by the kernel], 1)
else
AC_MSG_NOTICE([using $HASH_ALGO as default hash algorithm])
AC_DEFINE_UNQUOTED(DEFAULT_HASH_ALGO, "$HASH_ALGO", [Define default hash algorithm])
fi
fi
])

40
m4/manpage-docbook-xsl.m4
View File

@ -1,48 +1,28 @@
dnl Copyright (c) 2018-2020 Petr Vorel <pvorel@suse.cz>
dnl Copyright (c) 2018 Petr Vorel <pvorel@suse.cz>
dnl Find docbook manpage stylesheet
AC_DEFUN([EVMCTL_MANPAGE_DOCBOOK_XSL], [
DOCBOOK_XSL_URI="http://docbook.sourceforge.net/release/xsl/current"
DOCBOOK_XSL_PATH="manpages/docbook.xsl"
AC_PATH_PROGS(XMLCATALOG, xmlcatalog)
AC_ARG_WITH([xml-catalog],
AS_HELP_STRING([--with-xml-catalog=CATALOG],
AC_HELP_STRING([--with-xml-catalog=CATALOG],
[path to xml catalog to use]),,
[with_xml_catalog=/etc/xml/catalog])
XML_CATALOG_FILE="$with_xml_catalog"
AC_SUBST([XML_CATALOG_FILE])
if test "x${XMLCATALOG}" = "x"; then
AC_MSG_WARN([xmlcatalog not found, cannot search for $DOCBOOK_XSL_PATH])
AC_MSG_CHECKING([for XML catalog ($XML_CATALOG_FILE)])
if test -f "$XML_CATALOG_FILE"; then
have_xmlcatalog_file=yes
AC_MSG_RESULT([found])
else
AC_MSG_CHECKING([for XML catalog ($XML_CATALOG_FILE)])
if test -f "$XML_CATALOG_FILE"; then
have_xmlcatalog_file=yes
AC_MSG_RESULT([found])
else
AC_MSG_RESULT([not found, cannot search for $DOCBOOK_XSL_PATH])
fi
AC_MSG_RESULT([not found])
fi
if test "x${XMLCATALOG}" != "x" -a "x$have_xmlcatalog_file" = "xyes"; then
MANPAGE_DOCBOOK_XSL=$(${XMLCATALOG} ${XML_CATALOG_FILE} ${DOCBOOK_XSL_URI}/${DOCBOOK_XSL_PATH} | sed 's|^file:/\+|/|')
DOCBOOK_XSL_URI="http://docbook.sourceforge.net/release/xsl/current"
DOCBOOK_XSL_PATH="manpages/docbook.xsl"
MANPAGE_DOCBOOK_XSL=$(${XMLCATALOG} ${XML_CATALOG_FILE} ${DOCBOOK_XSL_URI}/${DOCBOOK_XSL_PATH} | sed -n 's|^file:/\+|/|p;q')
fi
if test "x${MANPAGE_DOCBOOK_XSL}" = "x"; then
MANPAGE_DOCBOOK_XSL="/usr/share/xml/docbook/stylesheet/docbook-xsl/manpages/docbook.xsl"
AC_MSG_WARN([trying a default path for $DOCBOOK_XSL_PATH])
fi
if test -f "$MANPAGE_DOCBOOK_XSL"; then
have_doc=yes
AC_MSG_NOTICE([using $MANPAGE_DOCBOOK_XSL for generating doc])
else
AC_MSG_WARN([$DOCBOOK_XSL_PATH not found, generating doc will be skipped])
MANPAGE_DOCBOOK_XSL=
have_doc=no
fi
AM_CONDITIONAL(MANPAGE_DOCBOOK_XSL, test "x$have_doc" = xyes)
AC_SUBST(MANPAGE_DOCBOOK_XSL)
])

2
packaging/ima-evm-utils.spec
View File

@ -1,5 +1,5 @@
Name: ima-evm-utils
Version: 1.5
Version: 1.2
Release: 1%{?dist}
Summary: ima-evm-utils - IMA/EVM control utility
Group: System/Libraries

1
src/.gitignore vendored
View File

@ -1,2 +1 @@
hash_info.h
tmp_hash_info.h

41
src/Makefile.am
View File

@ -4,17 +4,9 @@ libimaevm_la_SOURCES = libimaevm.c
libimaevm_la_CPPFLAGS = $(AM_CPPFLAGS) $(LIBCRYPTO_CFLAGS)
# current[:revision[:age]]
# result: [current-age].age.revision
libimaevm_la_LDFLAGS = -version-info 4:0:0
libimaevm_la_LDFLAGS = -version-info 1:0:0
libimaevm_la_LIBADD = $(LIBCRYPTO_LIBS)
if CONFIG_SIGV1
libimaevm_la_CFLAGS = -DCONFIG_SIGV1
endif
if CONFIG_IMA_EVM_ENGINE
libimaevm_la_CFLAGS = -DCONFIG_IMA_EVM_ENGINE
endif
include_HEADERS = imaevm.h
nodist_libimaevm_la_SOURCES = hash_info.h
@ -25,39 +17,12 @@ hash_info.h: Makefile
bin_PROGRAMS = evmctl
evmctl_SOURCES = evmctl.c utils.c
evmctl_SOURCES = evmctl.c
evmctl_CPPFLAGS = $(AM_CPPFLAGS) $(LIBCRYPTO_CFLAGS)
evmctl_LDFLAGS = $(LDFLAGS_READLINE)
evmctl_LDADD = $(LIBCRYPTO_LIBS) -lkeyutils libimaevm.la
# Enable IMA signature version 1
if CONFIG_SIGV1
evmctl_CFLAGS = -DCONFIG_SIGV1
endif
# Enable "--engine" support
if CONFIG_IMA_EVM_ENGINE
evmctl_CFLAGS = -DCONFIG_IMA_EVM_ENGINE
endif
# USE_PCRTSS uses the Intel TSS
if USE_PCRTSS
evmctl_SOURCES += pcr_tss.c
# USE_IBMTSS uses the IBM TSS
else
if USE_IBMTSS
evmctl_SOURCES += pcr_ibmtss.c
evmctl_LDADD += -libmtss
# uses the IBM TSS command line utilities
else
evmctl_SOURCES += pcr_tsspcrread.c
endif
endif
AM_CPPFLAGS = -I$(top_srcdir) -include config.h
CLEANFILES = hash_info.h tmp_hash_info.h
CLEANFILES = hash_info.h
DISTCLEANFILES = @DISTCLEANFILES@

1746
src/evmctl.c
View File

File diff suppressed because it is too large Load Diff

50
src/hash_info.gen
View File

@ -18,54 +18,11 @@ KERNEL_HEADERS=$1
HASH_INFO_H=uapi/linux/hash_info.h
HASH_INFO=$KERNEL_HEADERS/include/$HASH_INFO_H
TMPHASHINFO="./tmp_hash_info.h"
gen_hashinfo() {
cat << __EOF__ >$TMPHASHINFO
/* SPDX-License-Identifier: GPL-2.0+ WITH Linux-syscall-note */
/*
* Hash Info: Hash algorithms information
*
* Copyright (c) 2013 Dmitry Kasatkin <d.kasatkin@samsung.com>
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the Free
* Software Foundation; either version 2 of the License, or (at your option)
* any later version.
*
*/
enum hash_algo {
HASH_ALGO_MD4,
HASH_ALGO_MD5,
HASH_ALGO_SHA1,
HASH_ALGO_RIPE_MD_160,
HASH_ALGO_SHA256,
HASH_ALGO_SHA384,
HASH_ALGO_SHA512,
HASH_ALGO_SHA224,
HASH_ALGO_RIPE_MD_128,
HASH_ALGO_RIPE_MD_256,
HASH_ALGO_RIPE_MD_320,
HASH_ALGO_WP_256,
HASH_ALGO_WP_384,
HASH_ALGO_WP_512,
HASH_ALGO_TGR_128,
HASH_ALGO_TGR_160,
HASH_ALGO_TGR_192,
HASH_ALGO_SM3_256,
HASH_ALGO__LAST
};
__EOF__
}
# Allow to specify kernel-headers past include/
if [ ! -e $HASH_INFO ]; then
HASH_INFO2=$KERNEL_HEADERS/$HASH_INFO_H
if [ -e $HASH_INFO2 ]; then
HASH_INFO=$HASH_INFO2
else
gen_hashinfo
HASH_INFO="$TMPHASHINFO"
fi
fi
@ -84,10 +41,9 @@ echo "};"
echo "const char *const hash_algo_name[HASH_ALGO__LAST] = {"
sed -n 's/HASH_ALGO_\(.*\),/\1 \L\1\E/p' $HASH_INFO | \
while read a b; do
# Normalize text hash name: sm3 algorithm name is different from
# the macro definition, which is also the only special case of an
# underscore between digits. Remove all other underscores.
b=$(echo "$b" | sed "s/sm3_256/sm3/g;s/_//g")
# Normalize text hash name: if it contains underscore between
# digits replace it with a dash, other underscores are removed.
b=$(echo "$b" | sed "s/\([0-9]\)_\([0-9]\)/\1-\2/g;s/_//g")
printf '\t%-26s = "%s",\n' "[HASH_ALGO_$a]" "$b"
done
echo "};"

35
src/imaevm.h
View File

@ -46,15 +46,8 @@
#include <syslog.h>
#include <stdbool.h>
#include <errno.h>
#include <sys/types.h>
#include <openssl/rsa.h>
#ifdef CONFIG_IMA_EVM_ENGINE
#include <openssl/engine.h>
#endif
#if defined(OPENSSL_NO_ENGINE) || defined(OPENSSL_NO_DYNAMIC_ENGINE)
#undef CONFIG_IMA_EVM_ENGINE
#endif
#include <openssl/rsa.h>
#ifdef USE_FPRINTF
#define do_log(level, fmt, args...) \
@ -81,26 +74,12 @@
#define log_err(fmt, args...) do_log(LOG_ERR, fmt, ##args)
#define log_errno(fmt, args...) do_log(LOG_ERR, fmt ": errno: %s (%d)\n", ##args, strerror(errno), errno)
#ifndef DEFAULT_HASH_ALGO
#define DEFAULT_HASH_ALGO "sha256"
#endif
#define DATA_SIZE 4096
#define SHA1_HASH_LEN 20
#define MAX_DIGEST_SIZE 64
#define MAX_SIGNATURE_SIZE 1024
/*
* The maximum template data size is dependent on the template format. For
* example the 'ima-modsig' template includes two signatures - one for the
* entire file, the other without the appended signature - and other fields
* (e.g. file digest, file name, file digest without the appended signature).
*
* Other template formats are much smaller.
*/
#define MAX_TEMPLATE_SIZE (MAX_SIGNATURE_SIZE * 4)
#define __packed __attribute__((packed))
enum evm_ima_xattr_type {
@ -109,7 +88,6 @@ enum evm_ima_xattr_type {
EVM_IMA_XATTR_DIGSIG,
IMA_XATTR_DIGEST_NG,
EVM_XATTR_PORTABLE_DIGSIG,
IMA_VERITY_DIGSIG,
};
struct h_misc {
@ -155,8 +133,7 @@ enum digest_algo {
enum digsig_version {
DIGSIG_VERSION_1 = 1,
DIGSIG_VERSION_2,
DIGSIG_VERSION_3 /* hash of ima_file_id struct (portion used) */
DIGSIG_VERSION_2
};
struct pubkey_hdr {
@ -219,8 +196,6 @@ struct libimaevm_params {
const char *hash_algo;
const char *keyfile;
const char *keypass;
uint32_t keyid; /* keyid overriding value, unless 0. (Host order.) */
ENGINE *eng;
};
struct RSA_ASN1_template {
@ -228,7 +203,7 @@ struct RSA_ASN1_template {
size_t size;
};
#define NUM_PCRS 24
#define NUM_PCRS 20
#define DEFAULT_PCR 10
extern struct libimaevm_params imaevm_params;
@ -243,14 +218,10 @@ EVP_PKEY *read_pub_pkey(const char *keyfile, int x509);
void calc_keyid_v1(uint8_t *keyid, char *str, const unsigned char *pkey, int len);
void calc_keyid_v2(uint32_t *keyid, char *str, EVP_PKEY *pkey);
int key2bin(RSA *key, unsigned char *pub);
uint32_t imaevm_read_keyid(const char *certfile);
int sign_hash(const char *algo, const unsigned char *hash, int size, const char *keyfile, const char *keypass, unsigned char *sig);
int verify_hash(const char *file, const unsigned char *hash, int size, unsigned char *sig, int siglen);
int ima_verify_signature(const char *file, unsigned char *sig, int siglen, unsigned char *digest, int digestlen);
void init_public_keys(const char *keyfiles);
int imaevm_hash_algo_from_sig(unsigned char *sig);
const char *imaevm_hash_algo_by_id(int algo);
int calc_hash_sigv3(enum evm_ima_xattr_type type, const char *algo, const unsigned char *in_hash, unsigned char *out_hash);
#endif

523
src/libimaevm.c
View File

@ -45,7 +45,6 @@
#include <sys/param.h>
#include <sys/stat.h>
#include <asm/byteorder.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <dirent.h>
#include <string.h>
@ -53,14 +52,11 @@
#include <assert.h>
#include <ctype.h>
#include <openssl/asn1.h>
#include <openssl/crypto.h>
#include <openssl/pem.h>
#include <openssl/evp.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include <openssl/err.h>
#include <openssl/engine.h>
#include "imaevm.h"
#include "hash_info.h"
@ -75,7 +71,6 @@ static const char *const pkey_hash_algo[PKEY_HASH__LAST] = {
[PKEY_HASH_SHA384] = "sha384",
[PKEY_HASH_SHA512] = "sha512",
[PKEY_HASH_SHA224] = "sha224",
[PKEY_HASH_SM3_256] = "sm3",
[PKEY_HASH_STREEBOG_256] = "md_gost12_256",
[PKEY_HASH_STREEBOG_512] = "md_gost12_512",
};
@ -87,21 +82,21 @@ static const char *const pkey_hash_algo_kern[PKEY_HASH__LAST] = {
};
struct libimaevm_params imaevm_params = {
.verbose = LOG_INFO,
.verbose = LOG_INFO - 1,
.x509 = 1,
.hash_algo = DEFAULT_HASH_ALGO,
.hash_algo = "sha1",
};
static void __attribute__ ((constructor)) libinit(void);
void imaevm_do_hexdump(FILE *fp, const void *ptr, int len, bool newline)
void imaevm_do_hexdump(FILE *fp, const void *ptr, int len, bool cr)
{
int i;
uint8_t *data = (uint8_t *) ptr;
for (i = 0; i < len; i++)
fprintf(fp, "%02x", data[i]);
if (newline)
if (cr)
fprintf(fp, "\n");
}
@ -110,7 +105,7 @@ void imaevm_hexdump(const void *ptr, int len)
imaevm_do_hexdump(stdout, ptr, len, true);
}
const char *imaevm_hash_algo_by_id(int algo)
static const char *get_hash_algo_by_id(int algo)
{
if (algo < PKEY_HASH__LAST)
return pkey_hash_algo[algo];
@ -118,7 +113,7 @@ const char *imaevm_hash_algo_by_id(int algo)
return hash_algo_name[algo];
log_err("digest %d not found\n", algo);
return NULL;
return "unknown";
}
/* Output all remaining openssl error messages. */
@ -160,7 +155,7 @@ static int add_file_hash(const char *file, EVP_MD_CTX *ctx)
for (size = stats.st_size; size; size -= len) {
len = MIN(size, bs);
if (fread(data, len, 1, fp) != 1) {
if (!fread(data, len, 1, fp)) {
if (ferror(fp)) {
log_err("fread() failed\n\n");
goto out;
@ -181,6 +176,67 @@ out:
return err;
}
static int add_dir_hash(const char *file, EVP_MD_CTX *ctx)
{
int err;
struct dirent *de;
DIR *dir;
unsigned long long ino, off;
unsigned int type;
int result = 0;
dir = opendir(file);
if (!dir) {
log_err("Failed to open: %s\n", file);
return -1;
}
while ((de = readdir(dir))) {
ino = de->d_ino;
off = de->d_off;
type = de->d_type;
log_debug("entry: %s, ino: %llu, type: %u, off: %llu, reclen: %hu\n",
de->d_name, ino, type, off, de->d_reclen);
err = EVP_DigestUpdate(ctx, de->d_name, strlen(de->d_name));
/*err |= EVP_DigestUpdate(ctx, &off, sizeof(off));*/
err |= EVP_DigestUpdate(ctx, &ino, sizeof(ino));
err |= EVP_DigestUpdate(ctx, &type, sizeof(type));
if (!err) {
log_err("EVP_DigestUpdate() failed\n");
output_openssl_errors();
result = 1;
break;
}
}
closedir(dir);
return result;
}
static int add_link_hash(const char *path, EVP_MD_CTX *ctx)
{
int err;
char buf[1024];
err = readlink(path, buf, sizeof(buf));
if (err <= 0)
return -1;
log_info("link: %s -> %.*s\n", path, err, buf);
return !EVP_DigestUpdate(ctx, buf, err);
}
static int add_dev_hash(struct stat *st, EVP_MD_CTX *ctx)
{
uint32_t dev = st->st_rdev;
unsigned major = (dev & 0xfff00) >> 8;
unsigned minor = (dev & 0xff) | ((dev >> 12) & 0xfff00);
log_info("device: %u:%u\n", major, minor);
return !EVP_DigestUpdate(ctx, &dev, sizeof(dev));
}
int ima_calc_hash(const char *file, uint8_t *hash)
{
const EVP_MD *md;
@ -221,8 +277,18 @@ int ima_calc_hash(const char *file, uint8_t *hash)
case S_IFREG:
err = add_file_hash(file, pctx);
break;
case S_IFDIR:
err = add_dir_hash(file, pctx);
break;
case S_IFLNK:
err = add_link_hash(file, pctx);
break;
case S_IFIFO: case S_IFSOCK:
case S_IFCHR: case S_IFBLK:
err = add_dev_hash(&st, pctx);
break;
default:
log_err("Unsupported file type (0x%x)", st.st_mode & S_IFMT);
log_errno("Unsupported file type");
err = -1;
goto err;
}
@ -250,29 +316,16 @@ EVP_PKEY *read_pub_pkey(const char *keyfile, int x509)
{
FILE *fp;
EVP_PKEY *pkey = NULL;
struct stat st;
if (!keyfile)
return NULL;
fp = fopen(keyfile, "r");
if (!fp) {
if (imaevm_params.verbose > LOG_INFO)
log_info("Failed to open keyfile: %s\n", keyfile);
log_err("Failed to open keyfile: %s\n", keyfile);
return NULL;
}
if (fstat(fileno(fp), &st) == -1) {
log_err("Failed to fstat key file: %s\n", keyfile);
goto out;
}
if ((st.st_mode & S_IFMT) != S_IFREG) {
if (imaevm_params.verbose > LOG_INFO)
log_err("Key file is not regular file: %s\n", keyfile);
goto out;
}
if (x509) {
X509 *crt = d2i_X509_fp(fp, NULL);
@ -302,7 +355,6 @@ out:
return pkey;
}
#if CONFIG_SIGV1
RSA *read_pub_key(const char *keyfile, int x509)
{
EVP_PKEY *pkey;
@ -362,7 +414,6 @@ static int verify_hash_v1(const char *file, const unsigned char *hash, int size,
return 0;
}
#endif /* CONFIG_SIGV1 */
struct public_key_entry {
struct public_key_entry *next;
@ -410,6 +461,8 @@ void init_public_keys(const char *keyfiles)
keyfiles_free = tmp_keyfiles;
while ((keyfile = strsep(&tmp_keyfiles, ", \t")) != NULL) {
if (!keyfile)
break;
if ((*keyfile == '\0') || (*keyfile == ' ') ||
(*keyfile == '\t'))
continue;
@ -436,21 +489,10 @@ void init_public_keys(const char *keyfiles)
}
/*
* Verify a signature, prefixed with the signature_v2_hdr, either based
* directly or indirectly on the file data hash.
*
* version 2: directly based on the file data hash (e.g. sha*sum)
* version 3: indirectly based on the hash of the struct ima_file_id, which
* contains the xattr type (enum evm_ima_xattr_type), the hash
* algorithm (enum hash_algo), and the file data hash
* (e.g. fsverity digest).
*
* Return: 0 verification good, 1 verification bad, -1 error.
*
* (Note: signature_v2_hdr struct does not contain the 'type'.)
*/
static int verify_hash_common(const char *file, const unsigned char *hash,
int size, unsigned char *sig, int siglen)
static int verify_hash_v2(const char *file, const unsigned char *hash, int size,
unsigned char *sig, int siglen)
{
int ret = -1;
EVP_PKEY *pkey, *pkey_free = NULL;
@ -468,22 +510,11 @@ static int verify_hash_common(const char *file, const unsigned char *hash,
if (!pkey) {
uint32_t keyid = hdr->keyid;
if (imaevm_params.verbose > LOG_INFO)
log_info("%s: verification failed: unknown keyid %x\n",
file, __be32_to_cpup(&keyid));
log_info("%s: verification failed: unknown keyid %x\n",
file, __be32_to_cpup(&keyid));
return -1;
}
#if defined(EVP_PKEY_SM2) && OPENSSL_VERSION_NUMBER < 0x30000000
/* If EC key are used, check whether it is SM2 key */
if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
EC_KEY *ec = EVP_PKEY_get0_EC_KEY(pkey);
int curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
if (curve == NID_sm2)
EVP_PKEY_set_alias_type(pkey, EVP_PKEY_SM2);
}
#endif
st = "EVP_PKEY_CTX_new";
if (!(ctx = EVP_PKEY_CTX_new(pkey, NULL)))
goto err;
@ -520,128 +551,6 @@ err:
return ret;
}
/*
* Verify a signature, prefixed with the signature_v2_hdr, directly based
* on the file data hash.
*
* Return: 0 verification good, 1 verification bad, -1 error.
*/
static int verify_hash_v2(const char *file, const unsigned char *hash,
int size, unsigned char *sig, int siglen)
{
/* note: signature_v2_hdr does not contain 'type', use sig + 1 */
return verify_hash_common(file, hash, size, sig + 1, siglen - 1);
}
/*
* Verify a signature, prefixed with the signature_v2_hdr, indirectly based
* on the file data hash.
*
* Return: 0 verification good, 1 verification bad, -1 error.
*/
static int verify_hash_v3(const char *file, const unsigned char *hash,
int size, unsigned char *sig, int siglen)
{
unsigned char sigv3_hash[MAX_DIGEST_SIZE];
int ret;
ret = calc_hash_sigv3(sig[0], NULL, hash, sigv3_hash);
if (ret < 0)
return ret;
/* note: signature_v2_hdr does not contain 'type', use sig + 1 */
return verify_hash_common(file, sigv3_hash, size, sig + 1, siglen - 1);
}
#define HASH_MAX_DIGESTSIZE 64 /* kernel HASH_MAX_DIGESTSIZE is 64 bytes */
struct ima_file_id {
__u8 hash_type; /* xattr type [enum evm_ima_xattr_type] */
__u8 hash_algorithm; /* Digest algorithm [enum hash_algo] */
__u8 hash[HASH_MAX_DIGESTSIZE];
} __packed;
/*
* Calculate the signature format version 3 hash based on the portion
* of the ima_file_id structure used, not the entire structure.
*
* On success, return the hash length, otherwise for openssl errors
* return 1, other errors return -EINVAL.
*/
int calc_hash_sigv3(enum evm_ima_xattr_type type, const char *algo,
const unsigned char *in_hash, unsigned char *out_hash)
{
struct ima_file_id file_id = { .hash_type = IMA_VERITY_DIGSIG };
uint8_t *data = (uint8_t *) &file_id;
const EVP_MD *md;
EVP_MD_CTX *pctx;
unsigned int mdlen;
int err;
#if OPENSSL_VERSION_NUMBER < 0x10100000
EVP_MD_CTX ctx;
pctx = &ctx;
#else
pctx = EVP_MD_CTX_new();
#endif
int hash_algo;
int hash_size;
unsigned int unused;
if (type != IMA_VERITY_DIGSIG) {
log_err("Only fsverity supports signature format v3 (sigv3)\n");
return -EINVAL;
}
if (!algo)
algo = imaevm_params.hash_algo;
if ((hash_algo = imaevm_get_hash_algo(algo)) < 0) {
log_err("Hash algorithm %s not supported\n", algo);
return -EINVAL;
}
file_id.hash_algorithm = hash_algo;
md = EVP_get_digestbyname(algo);
if (!md) {
log_err("EVP_get_digestbyname(%s) failed\n", algo);
err = 1;
goto err;
}
hash_size = EVP_MD_size(md);
memcpy(file_id.hash, in_hash, hash_size);
err = EVP_DigestInit(pctx, md);
if (!err) {
log_err("EVP_DigestInit() failed\n");
err = 1;
goto err;
}
unused = HASH_MAX_DIGESTSIZE - hash_size;
if (!EVP_DigestUpdate(pctx, data, sizeof(file_id) - unused)) {
log_err("EVP_DigestUpdate() failed\n");
err = 1;
goto err;
}
err = EVP_DigestFinal(pctx, out_hash, &mdlen);
if (!err) {
log_err("EVP_DigestFinal() failed\n");
err = 1;
goto err;
}
err = mdlen;
err:
if (err == 1)
output_openssl_errors();
#if OPENSSL_VERSION_NUMBER >= 0x10100000
EVP_MD_CTX_free(pctx);
#endif
return err;
}
int imaevm_get_hash_algo(const char *algo)
{
int i;
@ -666,11 +575,11 @@ int imaevm_get_hash_algo(const char *algo)
return -1;
}
int imaevm_hash_algo_from_sig(unsigned char *sig)
static int get_hash_algo_from_sig(unsigned char *sig)
{
uint8_t hashalgo;
if (sig[0] == DIGSIG_VERSION_1) {
if (sig[0] == 1) {
hashalgo = ((struct signature_hdr *)sig)->hash;
if (hashalgo >= DIGEST_ALGO_MAX)
@ -684,7 +593,7 @@ int imaevm_hash_algo_from_sig(unsigned char *sig)
default:
return -1;
}
} else if (sig[0] == DIGSIG_VERSION_2 || sig[0] == DIGSIG_VERSION_3) {
} else if (sig[0] == 2) {
hashalgo = ((struct signature_v2_hdr *)sig)->hash_algo;
if (hashalgo >= PKEY_HASH__LAST)
return -1;
@ -693,29 +602,19 @@ int imaevm_hash_algo_from_sig(unsigned char *sig)
return -1;
}
int verify_hash(const char *file, const unsigned char *hash, int size,
unsigned char *sig, int siglen)
int verify_hash(const char *file, const unsigned char *hash, int size, unsigned char *sig,
int siglen)
{
/* Get signature type from sig header */
if (sig[1] == DIGSIG_VERSION_1) {
#if CONFIG_SIGV1
if (sig[0] == DIGSIG_VERSION_1) {
const char *key = NULL;
/* Read pubkey from RSA key */
if (!imaevm_params.keyfile)
key = "/etc/keys/pubkey_evm.pem";
else
key = imaevm_params.keyfile;
return verify_hash_v1(file, hash, size, sig + 1, siglen - 1,
key);
#else
log_info("Signature version 1 deprecated.");
return -1;
#endif
} else if (sig[1] == DIGSIG_VERSION_2) {
return verify_hash_v1(file, hash, size, sig, siglen, key);
} else if (sig[0] == DIGSIG_VERSION_2) {
return verify_hash_v2(file, hash, size, sig, siglen);
} else if (sig[1] == DIGSIG_VERSION_3) {
return verify_hash_v3(file, hash, size, sig, siglen);
} else
return -1;
}
@ -726,40 +625,34 @@ int ima_verify_signature(const char *file, unsigned char *sig, int siglen,
unsigned char hash[MAX_DIGEST_SIZE];
int hashlen, sig_hash_algo;
if (sig[0] != EVM_IMA_XATTR_DIGSIG && sig[0] != IMA_VERITY_DIGSIG) {
log_err("%s: xattr ima has no signature\n", file);
if (sig[0] != 0x03) {
log_err("xattr ima has no signature\n");
return -1;
}
if (!digest && sig[0] == IMA_VERITY_DIGSIG) {
log_err("%s: calculating the fs-verity digest is not supported\n", file);
return -1;
}
sig_hash_algo = imaevm_hash_algo_from_sig(sig + 1);
sig_hash_algo = get_hash_algo_from_sig(sig + 1);
if (sig_hash_algo < 0) {
log_err("%s: Invalid signature\n", file);
log_err("Invalid signature\n");
return -1;
}
/* Use hash algorithm as retrieved from signature */
imaevm_params.hash_algo = imaevm_hash_algo_by_id(sig_hash_algo);
imaevm_params.hash_algo = get_hash_algo_by_id(sig_hash_algo);
/*
* Validate the signature based on the digest included in the
* measurement list, not by calculating the local file digest.
*/
if (digest && digestlen > 0)
return verify_hash(file, digest, digestlen, sig, siglen);
if (digestlen > 0)
return verify_hash(file, digest, digestlen, sig + 1, siglen - 1);
hashlen = ima_calc_hash(file, hash);
if (hashlen <= 1)
return hashlen;
assert(hashlen <= sizeof(hash));
return verify_hash(file, hash, hashlen, sig, siglen);
return verify_hash(file, hash, hashlen, sig + 1, siglen - 1);
}
#if CONFIG_SIGV1
/*
* Create binary key representation suitable for kernel
*/
@ -818,7 +711,6 @@ void calc_keyid_v1(uint8_t *keyid, char *str, const unsigned char *pkey, int len
if (imaevm_params.verbose > LOG_INFO)
log_info("keyid-v1: %s\n", str);
}
#endif /* CONFIG_SIGV1 */
/*
* Calculate keyid of the public_key part of EVP_PKEY
@ -850,170 +742,27 @@ void calc_keyid_v2(uint32_t *keyid, char *str, EVP_PKEY *pkey)
X509_PUBKEY_free(pk);
}
/*
* Extract SKID from x509 in openssl portable way.
*/
static const unsigned char *x509_get_skid(X509 *x, int *len)
{
#if OPENSSL_VERSION_NUMBER < 0x10100000
ASN1_STRING *skid;
/*
* This will cache extensions.
* OpenSSL uses this method itself.
*/
if (X509_check_purpose(x, -1, -1) != 1)
return NULL;
skid = x->skid;
#else
const ASN1_OCTET_STRING *skid = X509_get0_subject_key_id(x);
#endif
if (len)
*len = ASN1_STRING_length(skid);
#if OPENSSL_VERSION_NUMBER < 0x10100000
return ASN1_STRING_data(x->skid);
#else
return ASN1_STRING_get0_data(skid);
#endif
}
/*
* read_keyid_from_cert() - Read keyid from SKID from x509 certificate file
* @keyid_be: Output 32-bit keyid in network order (BE);
* @certfile: Input filename.
* @try_der: true: try to read in DER from if there is no PEM,
* cert is considered mandatory and error will be issued
* if there is no cert;
* false: only try to read in PEM form, cert is considered
* optional.
* Return: 0 on success, -1 on error.
*/
static int read_keyid_from_cert(uint32_t *keyid_be, const char *certfile, int try_der)
{
X509 *x = NULL;
FILE *fp;
const unsigned char *skid;
int skid_len;
if (!(fp = fopen(certfile, "r"))) {
log_err("Cannot open %s: %s\n", certfile, strerror(errno));
return -1;
}
if (!PEM_read_X509(fp, &x, NULL, NULL)) {
if (ERR_GET_REASON(ERR_peek_last_error()) == PEM_R_NO_START_LINE) {
ERR_clear_error();
if (try_der) {
rewind(fp);
d2i_X509_fp(fp, &x);
} else {
/*
* Cert is optional and there is just no PEM
* header, then issue debug message and stop
* trying.
*/
log_debug("%s: x509 certificate not found\n",
certfile);
fclose(fp);
return -1;
}
}
}
fclose(fp);
if (!x) {
ERR_print_errors_fp(stderr);
log_err("read keyid: %s: Error reading x509 certificate\n",
certfile);
return -1;
}
if (!(skid = x509_get_skid(x, &skid_len))) {
log_err("read keyid: %s: SKID not found\n", certfile);
goto err_free;
}
if (skid_len < sizeof(*keyid_be)) {
log_err("read keyid: %s: SKID too short (len %d)\n", certfile,
skid_len);
goto err_free;
}
memcpy(keyid_be, skid + skid_len - sizeof(*keyid_be), sizeof(*keyid_be));
log_info("keyid %04x (from %s)\n", ntohl(*keyid_be), certfile);
X509_free(x);
return 0;
err_free:
X509_free(x);
return -1;
}
/*
* imaevm_read_keyid() - Read 32-bit keyid from the cert file
* @certfile: File with certificate in PEM or DER form.
*
* Try to read keyid from Subject Key Identifier (SKID) of x509 certificate.
* Autodetect if cert is in PEM (tried first) or DER encoding.
*
* Return: 0 on error or 32-bit keyid in host order otherwise.
*/
uint32_t imaevm_read_keyid(const char *certfile)
{
uint32_t keyid_be = 0;
read_keyid_from_cert(&keyid_be, certfile, true);
/* On error keyid_be will not be set, returning 0. */
return ntohl(keyid_be);
}
static EVP_PKEY *read_priv_pkey(const char *keyfile, const char *keypass)
{
FILE *fp;
EVP_PKEY *pkey = NULL;
EVP_PKEY *pkey;
if (!strncmp(keyfile, "pkcs11:", 7)) {
#ifdef CONFIG_IMA_EVM_ENGINE
if (!imaevm_params.keyid) {
log_err("When using a pkcs11 URI you must provide the keyid with an option\n");
return NULL;
}
if (keypass) {
if (!ENGINE_ctrl_cmd_string(imaevm_params.eng, "PIN", keypass, 0)) {
log_err("Failed to set the PIN for the private key\n");
goto err_engine;
}
}
pkey = ENGINE_load_private_key(imaevm_params.eng, keyfile, NULL, NULL);
if (!pkey) {
log_err("Failed to load private key %s\n", keyfile);
goto err_engine;
}
#else
log_err("OpenSSL \"engine\" support is disabled\n");
goto err_engine;
#endif
} else {
fp = fopen(keyfile, "r");
if (!fp) {
log_err("Failed to open keyfile: %s\n", keyfile);
return NULL;
}
pkey = PEM_read_PrivateKey(fp, NULL, NULL, (void *)keypass);
if (!pkey) {
log_err("Failed to PEM_read_PrivateKey key file: %s\n",
keyfile);
output_openssl_errors();
}
fclose(fp);
fp = fopen(keyfile, "r");
if (!fp) {
log_err("Failed to open keyfile: %s\n", keyfile);
return NULL;
}
pkey = PEM_read_PrivateKey(fp, NULL, NULL, (void *)keypass);
if (!pkey) {
log_err("Failed to PEM_read_PrivateKey key file: %s\n",
keyfile);
output_openssl_errors();
}
fclose(fp);
return pkey;
err_engine:
output_openssl_errors();
return NULL;
}
#if CONFIG_SIGV1
static RSA *read_priv_key(const char *keyfile, const char *keypass)
{
EVP_PKEY *pkey;
@ -1124,7 +873,6 @@ out:
RSA_free(key);
return len;
}
#endif /* CONFIG_SIGV1 */
/*
* @sig is assumed to be of (MAX_SIGNATURE_SIZE - 1) size
@ -1163,7 +911,7 @@ static int sign_hash_v2(const char *algo, const unsigned char *hash,
return -1;
}
log_info("hash(%s): ", algo);
log_info("hash(%s): ", imaevm_params.hash_algo);
log_dump(hash, size);
pkey = read_priv_pkey(keyfile, imaevm_params.keypass);
@ -1174,29 +922,12 @@ static int sign_hash_v2(const char *algo, const unsigned char *hash,
hdr->version = (uint8_t) DIGSIG_VERSION_2;
hdr->hash_algo = imaevm_get_hash_algo(algo);
if (hdr->hash_algo == (uint8_t)-1) {
if (hdr->hash_algo == -1) {
log_err("sign_hash_v2: hash algo is unknown: %s\n", algo);
return -1;
}
#if defined(EVP_PKEY_SM2) && OPENSSL_VERSION_NUMBER < 0x30000000
/* If EC key are used, check whether it is SM2 key */
if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
EC_KEY *ec = EVP_PKEY_get0_EC_KEY(pkey);
int curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
if (curve == NID_sm2)
EVP_PKEY_set_alias_type(pkey, EVP_PKEY_SM2);
}
#endif
if (imaevm_params.keyid)
keyid = htonl(imaevm_params.keyid);
else {
int keyid_read_failed = read_keyid_from_cert(&keyid, keyfile, false);
if (keyid_read_failed)
calc_keyid_v2(&keyid, name, pkey);
}
calc_keyid_v2(&keyid, name, pkey);
hdr->keyid = keyid;
st = "EVP_PKEY_CTX_new";
@ -1206,7 +937,7 @@ static int sign_hash_v2(const char *algo, const unsigned char *hash,
if (!EVP_PKEY_sign_init(ctx))
goto err;
st = "EVP_get_digestbyname";
if (!(md = EVP_get_digestbyname(algo)))
if (!(md = EVP_get_digestbyname(imaevm_params.hash_algo)))
goto err;
st = "EVP_PKEY_CTX_set_signature_md";
if (!EVP_PKEY_CTX_set_signature_md(ctx, md))
@ -1239,26 +970,14 @@ int sign_hash(const char *hashalgo, const unsigned char *hash, int size, const c
if (keypass)
imaevm_params.keypass = keypass;
if (imaevm_params.x509)
return sign_hash_v2(hashalgo, hash, size, keyfile, sig);
#if CONFIG_SIGV1
else
return sign_hash_v1(hashalgo, hash, size, keyfile, sig);
#endif
log_info("Signature version 1 deprecated.");
return -1;
return imaevm_params.x509 ?
sign_hash_v2(hashalgo, hash, size, keyfile, sig) :
sign_hash_v1(hashalgo, hash, size, keyfile, sig);
}
static void libinit()
{
#if OPENSSL_VERSION_NUMBER < 0x10100000
OpenSSL_add_all_algorithms();
OPENSSL_add_all_algorithms_conf();
#else
OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS |
OPENSSL_INIT_ADD_ALL_DIGESTS, NULL);
ERR_load_crypto_strings();
#endif
}

3
src/pcr.h
View File

@ -1,3 +0,0 @@
int tpm2_pcr_supported(void);
int tpm2_pcr_read(const char *algo_name, uint32_t pcr_handle, uint8_t *hwpcr,
int len, char **errmsg);

154
src/pcr_ibmtss.c
View File

@ -1,154 +0,0 @@
// SPDX-License-Identifier: GPL-2.0
/*
* Support PCR reading implementation based on IBM TSS2
*
* Copyright (C) 2021 IBM Ken Goldman <kgoldman@us.ibm.com>
*/
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <openssl/sha.h>
#define USE_FPRINTF
#include "utils.h"
#include "imaevm.h"
#define TPM_POSIX /* use Posix, not Windows constructs in TSS */
#undef MAX_DIGEST_SIZE /* imaevm uses a different value than the TSS */
#include <ibmtss/tss.h>
int tpm2_pcr_supported(void)
{
if (imaevm_params.verbose > LOG_INFO)
log_info("Using ibmtss to read PCRs\n");
return 1;
}
/* Table mapping C strings to TCG algorithm identifiers */
typedef struct tdAlgorithm_Map {
const char *algorithm_string;
TPMI_ALG_HASH algid;
} Algorithm_Map;
Algorithm_Map algorithm_map[] = {
{ "sha1", TPM_ALG_SHA1},
{ "sha256", TPM_ALG_SHA256},
#if 0 /* uncomment as these digest algorithms are supported */
{ "", TPM_ALG_SHA384},
{ "", TPM_ALG_SHA512},
{ "", TPM_ALG_SM3_256},
{ "", TPM_ALG_SHA3_256},
{ "", TPM_ALG_SHA3_384},
{ "", TPM_ALG_SHA3_512},
#endif
};
/*
* algorithm_string_to_algid() converts a digest algorithm from a C string to a
* TCG algorithm identifier as defined in the TCG Algorithm Regisrty..
*
* Returns TPM_ALG_ERROR if the string has an unsupported value.
*/
static TPMI_ALG_HASH algorithm_string_to_algid(const char *algorithm_string)
{
size_t i;
for (i=0 ; i < sizeof(algorithm_map)/sizeof(Algorithm_Map) ; i++) {
if (strcmp(algorithm_string, algorithm_map[i].algorithm_string)
== 0) {
return algorithm_map[i].algid; /* if match */
}
}
return TPM_ALG_ERROR;
}
/*
* tpm2_pcr_read - read the PCR
*
* algo_name: PCR digest algorithm (the PCR bank) as a C string
* pcr_handle: PCR number to read
* hwpcr: buffer for the PCR output in binary
* len: allocated size of hwpcr and should match the digest algorithm
*/
int tpm2_pcr_read(const char *algo_name, uint32_t pcr_handle, uint8_t *hwpcr,
int len, char **errmsg)
{
int ret = 0; /* function return code */
TPM_RC rc = 0; /* TCG return code */
TPM_RC rc1 = 0; /* secondary return code */
PCR_Read_In pcr_read_in; /* command input */
PCR_Read_Out pcr_read_out; /* response output */
TSS_CONTEXT *tss_context = NULL;
TPMI_ALG_HASH alg_id; /* PCR algorithm */
alg_id = algorithm_string_to_algid(algo_name);
if (alg_id == TPM_ALG_ERROR) {
ret = asprintf(errmsg, "tpm2_pcr_read: unknown algorithm %s",
algo_name);
if (ret == -1) /* the contents of errmsg is undefined */
*errmsg = NULL;
rc = 1;
goto end;
}
rc = TSS_Create(&tss_context);
if (rc != 0)
goto end;
/* call TSS to execute the command */
pcr_read_in.pcrSelectionIn.count = 1;
pcr_read_in.pcrSelectionIn.pcrSelections[0].hash = alg_id;
pcr_read_in.pcrSelectionIn.pcrSelections[0].sizeofSelect = 3;
pcr_read_in.pcrSelectionIn.pcrSelections[0].pcrSelect[0] = 0;
pcr_read_in.pcrSelectionIn.pcrSelections[0].pcrSelect[1] = 0;
pcr_read_in.pcrSelectionIn.pcrSelections[0].pcrSelect[2] = 0;
pcr_read_in.pcrSelectionIn.pcrSelections[0].pcrSelect[pcr_handle / 8] =
1 << (pcr_handle % 8);
rc = TSS_Execute(tss_context,
(RESPONSE_PARAMETERS *)&pcr_read_out,
(COMMAND_PARAMETERS *)&pcr_read_in,
NULL,
TPM_CC_PCR_Read,
TPM_RH_NULL, NULL, 0);
if (rc != 0)
goto end;
/* nothing read, bank missing */
if (pcr_read_out.pcrValues.count == 0) {
ret = asprintf(errmsg, "tpm2_pcr_read: returned count 0 for %s",
algo_name);
if (ret == -1) /* the contents of errmsg is undefined */
*errmsg = NULL;
rc = 1;
goto end;
}
/* len parameter did not match the digest algorithm */
else if (pcr_read_out.pcrValues.digests[0].t.size != len) {
ret = asprintf(errmsg,
"tpm2_pcr_read: "
"expected length %d actual %u for %s",
len, pcr_read_out.pcrValues.digests[0].t.size,
algo_name);
if (ret == -1) /* the contents of errmsg is undefined */
*errmsg = NULL;
rc = 1;
goto end;
} else {
memcpy(hwpcr,
pcr_read_out.pcrValues.digests[0].t.buffer,
pcr_read_out.pcrValues.digests[0].t.size);
}
end:
/* Call delete even on errors to free context resources */
rc1 = TSS_Delete(tss_context);
/* map TCG return code to function return code */
if ((rc == 0) && (rc1 == 0))
return 0;
else
return -1;
}

192
src/pcr_tss.c
View File

@ -1,192 +0,0 @@
/*
* ima-evm-utils - IMA/EVM support utilities
*
* Copyright (C) 2011 Nokia Corporation
* Copyright (C) 2011,2012,2013 Intel Corporation
* Copyright (C) 2013,2014 Samsung Electronics
*
* Authors:
* Dmitry Kasatkin <dmitry.kasatkin@nokia.com>
* <dmitry.kasatkin@intel.com>
* <d.kasatkin@samsung.com>
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* version 2 as published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
* As a special exception, the copyright holders give permission to link the
* code of portions of this program with the OpenSSL library under certain
* conditions as described in each individual source file and distribute
* linked combinations including the program with the OpenSSL library. You
* must comply with the GNU General Public License in all respects
* for all of the code used other than as permitted herein. If you modify
* file(s) with this exception, you may extend this exception to your
* version of the file(s), but you are not obligated to do so. If you do not
* wish to do so, delete this exception statement from your version. If you
* delete this exception statement from all source files in the program,
* then also delete it in the license file.
*
* File: pcr_tss.c
* PCR reading implementation based on Intel TSS2
*/
#include <stdio.h>
#include <string.h>
#include <openssl/sha.h>
#ifdef HAVE_LIBTSS2_ESYS
# include <tss2/tss2_esys.h>
# ifdef HAVE_LIBTSS2_RC
# include <tss2/tss2_rc.h>
# define LIB "tss2-rc-decode"
# else
# define LIB "tss2-esys"
# endif
#endif /* HAVE_LIBTSS2_ESYS */
#define USE_FPRINTF
#include "imaevm.h"
int tpm2_pcr_supported(void)
{
if (imaevm_params.verbose > LOG_INFO)
log_info("Using %s to read PCRs.\n", LIB);
return 1;
}
static int pcr_selections_match(TPML_PCR_SELECTION *a, TPML_PCR_SELECTION *b)
{
int i, j;
if (a->count != b->count)
return 0;
for (i = 0; i < a->count; i++) {
if (a->pcrSelections[i].hash != b->pcrSelections[i].hash)
return 0;
if (a->pcrSelections[i].sizeofSelect != b->pcrSelections[i].sizeofSelect)
return 0;
for (j = 0; j < a->pcrSelections[i].sizeofSelect; j++) {
if (a->pcrSelections[i].pcrSelect[j] != b->pcrSelections[i].pcrSelect[j])
return 0;
}
}
return 1;
}
static inline int tpm2_set_errmsg(char **errmsg, const char *message, TSS2_RC ret)
{
#ifdef HAVE_LIBTSS2_RC
return asprintf(errmsg, "%s: %s", message, Tss2_RC_Decode(ret));
#else
return asprintf(errmsg, "%s: #%d", message, ret);
#endif
}
static TPM2_ALG_ID algo_to_tss2(const char *algo_name)
{
if (!strcmp(algo_name, "sha1"))
return TPM2_ALG_SHA1;
else if (!strcmp(algo_name, "sha256"))
return TPM2_ALG_SHA256;
return TPM2_ALG_ERROR;
}
int tpm2_pcr_read(const char *algo_name, uint32_t pcr_handle, uint8_t *hwpcr,
int len, char **errmsg)
{
TSS2_ABI_VERSION abi_version = {
.tssCreator = 1,
.tssFamily = 2,
.tssLevel = 1,
.tssVersion = 108,
};
ESYS_CONTEXT *ctx = NULL;
TSS2_RC ret = 0;
TPML_PCR_SELECTION *pcr_select_out;
TPML_DIGEST *pcr_digests;
UINT32 pcr_update_counter;
TPM2_ALG_ID algid = algo_to_tss2(algo_name);
if (algid == TPM2_ALG_ERROR) {
ret = asprintf(errmsg, "unsupported tss2 algorithm");
if (ret == -1) /* the contents of errmsg are undefined */
*errmsg = NULL;
return -1;
}
TPML_PCR_SELECTION pcr_select_in = {
.count = 1,
.pcrSelections = {
{
.hash = algid,
.sizeofSelect = 3,
.pcrSelect = { 0x00, 0x00, 0x00 },
}
}
};
pcr_select_in.pcrSelections[0].pcrSelect[pcr_handle / 8] =
(1 << (pcr_handle % 8));
ret = Esys_Initialize(&ctx, NULL, &abi_version);
if (ret != TPM2_RC_SUCCESS) {
ret = tpm2_set_errmsg(errmsg, "esys initialize failed", ret);
if (ret == -1) /* the contents of errmsg are undefined */
*errmsg = NULL;
return -1;
}
ret = Esys_PCR_Read(ctx,
ESYS_TR_NONE,
ESYS_TR_NONE,
ESYS_TR_NONE,
&pcr_select_in,
&pcr_update_counter,
&pcr_select_out,
&pcr_digests);
Esys_Finalize(&ctx);
if (ret != TPM2_RC_SUCCESS) {
ret = tpm2_set_errmsg(errmsg, "esys PCR reading failed", ret);
if (ret == -1) /* the contents of errmsg is undefined */
*errmsg = NULL;
return -1;
}
if (!pcr_selections_match(&pcr_select_in, pcr_select_out)) {
Esys_Free(pcr_select_out);
Esys_Free(pcr_digests);
ret = asprintf(errmsg, "TPM returned incorrect PCRs");
if (ret == -1) /* the contents of errmsg are undefined */
*errmsg = NULL;
return -1;
}
Esys_Free(pcr_select_out);
if (pcr_digests->count != 1 || pcr_digests->digests[0].size != len) {
Esys_Free(pcr_digests);
ret = asprintf(errmsg, "TPM returned incorrect digests");
if (ret == -1) /* the contents of errmsg is undefined */
*errmsg = NULL;
return -1;
}
memcpy(hwpcr, pcr_digests->digests[0].buffer, len);
Esys_Free(pcr_digests);
return 0;
}

111
src/pcr_tsspcrread.c
View File

@ -1,111 +0,0 @@
/*
* ima-evm-utils - IMA/EVM support utilities
*
* Copyright (C) 2011 Nokia Corporation
* Copyright (C) 2011,2012,2013 Intel Corporation
* Copyright (C) 2013,2014 Samsung Electronics
*
* Authors:
* Dmitry Kasatkin <dmitry.kasatkin@nokia.com>
* <dmitry.kasatkin@intel.com>
* <d.kasatkin@samsung.com>
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* version 2 as published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
* As a special exception, the copyright holders give permission to link the
* code of portions of this program with the OpenSSL library under certain
* conditions as described in each individual source file and distribute
* linked combinations including the program with the OpenSSL library. You
* must comply with the GNU General Public License in all respects
* for all of the code used other than as permitted herein. If you modify
* file(s) with this exception, you may extend this exception to your
* version of the file(s), but you are not obligated to do so. If you do not
* wish to do so, delete this exception statement from your version. If you
* delete this exception statement from all source files in the program,
* then also delete it in the license file.
*
* File: pcr_tsspcrread.c
* PCR reading implementation based on IBM TSS2
*/
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <openssl/sha.h>
#define USE_FPRINTF
#include "utils.h"
#include "imaevm.h"
#define CMD "tsspcrread"
static char path[PATH_MAX];
int tpm2_pcr_supported(void)
{
if (imaevm_params.verbose > LOG_INFO)
log_info("Using %s to read PCRs.\n", CMD);
if (get_cmd_path(CMD, path, sizeof(path))) {
log_info("Couldn't find '%s' in %s\n", CMD, path);
return 0;
}
log_debug("Found '%s' in %s\n", CMD, path);
return 1;
}
int tpm2_pcr_read(const char *algo_name, uint32_t pcr_handle, uint8_t *hwpcr,
int len, char **errmsg)
{
FILE *fp;
char pcr[100]; /* may contain an error */
char cmd[PATH_MAX + 50];
int ret;
sprintf(cmd, "%s -halg %s -ha %u -ns 2> /dev/null",
path, algo_name, pcr_handle);
fp = popen(cmd, "r");
if (!fp) {
ret = asprintf(errmsg, "popen failed: %s", strerror(errno));
if (ret == -1) /* the contents of errmsg is undefined */
*errmsg = NULL;
return -1;
}
if (fgets(pcr, sizeof(pcr), fp) == NULL) {
ret = asprintf(errmsg, "tsspcrread failed: %s",
strerror(errno));
if (ret == -1) /* the contents of errmsg is undefined */
*errmsg = NULL;
ret = pclose(fp);
return -1;
}
/* get the popen "cmd" return code */
ret = pclose(fp);
/* Treat an unallocated bank as an error */
if (!ret && (strlen(pcr) < SHA_DIGEST_LENGTH))
ret = -1;
if (!ret)
hex2bin(hwpcr, pcr, len);
else
*errmsg = strndup(pcr, strlen(pcr) - 1); /* remove newline */
return ret;
}

115
src/utils.c
View File

@ -1,115 +0,0 @@
// SPDX-License-Identifier: GPL-2.0
/*
* utils: set of common functions
*
* Copyright (C) 2020 Patrick Uiterwijk <patrick@puiterwijk.org>
* Copyright (C) 2010 Cyril Hrubis <chrubis@suse.cz>
*/
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
#include "utils.h"
#ifndef MIN
# define MIN(a, b) ({ \
typeof(a) _a = (a); \
typeof(b) _b = (b); \
_a < _b ? _a : _b; \
})
#endif /* MIN */
static int file_exist(const char *path)
{
struct stat st;
if (!access(path, R_OK) && !stat(path, &st) && S_ISREG(st.st_mode))
return 1;
return 0;
}
int get_cmd_path(const char *prog_name, char *buf, size_t buf_len)
{
const char *path = (const char *)getenv("PATH");
const char *start = path;
const char *end;
size_t size, ret;
if (path == NULL)
return -1;
do {
end = strchr(start, ':');
if (end != NULL)
snprintf(buf, MIN(buf_len, (size_t) (end - start + 1)),
"%s", start);
else
snprintf(buf, buf_len, "%s", start);
size = strlen(buf);
/*
* "::" inside $PATH, $PATH ending with ':' or $PATH starting
* with ':' should be expanded into current working directory.
*/
if (size == 0) {
snprintf(buf, buf_len, ".");
size = strlen(buf);
}
/*
* If there is no '/' ad the end of path from $PATH add it.
*/
if (buf[size - 1] != '/')
ret =
snprintf(buf + size, buf_len - size, "/%s",
prog_name);
else
ret =
snprintf(buf + size, buf_len - size, "%s",
prog_name);
if (buf_len - size > ret && file_exist(buf))
return 0;
if (end != NULL)
start = end + 1;
} while (end != NULL);
return -1;
}
int hex_to_bin(char ch)
{
if ((ch >= '0') && (ch <= '9'))
return ch - '0';
ch = tolower(ch);
if ((ch >= 'a') && (ch <= 'f'))
return ch - 'a' + 10;
return -1;
}
int hex2bin(void *dst, const char *src, size_t count)
{
int hi, lo;
while (count--) {
if (*src == ' ')
src++;
hi = hex_to_bin(*src++);
lo = hex_to_bin(*src++);
if ((hi < 0) || (lo < 0))
return -1;
*(uint8_t *)dst++ = (hi << 4) | lo;
}
return 0;
}

6
src/utils.h
View File

@ -1,6 +0,0 @@
#include <ctype.h>
#include <sys/types.h>
int get_cmd_path(const char *prog_name, char *buf, size_t buf_len);
int hex_to_bin(char ch);
int hex2bin(void *dst, const char *src, size_t count);

16
tests/.gitignore vendored
View File

@ -1,16 +0,0 @@
# Generated by test driver
*.log
*.trs
# Generated by tests
*.txt
*.out
*.sig
*.sig2
# Generated certs and keys (by gen-keys.sh)
*.cer
*.pub
*.key
*.conf

29
tests/Makefile.am
View File

@ -1,29 +0,0 @@
check_SCRIPTS =
TESTS = $(check_SCRIPTS)
check_SCRIPTS += ima_hash.test sign_verify.test boot_aggregate.test \
fsverity.test portable_signatures.test ima_policy_check.test \
mmap_check.test
check_PROGRAMS := test_mmap
.PHONY: check_logs
check_logs:
@for log in $(TEST_LOGS); do \
echo -e "\n***" $$log "***" ; \
case $$log in \
ima_hash.log | sign_verify.log ) \
tail -3 $$log ; \
grep "skipped" $$log && grep "skipped" $$log | wc -l ;; \
*) \
cat $$log ;; \
esac ; \
done
clean-local:
-rm -f *.txt *.out *.sig *.sig2
distclean: distclean-keys
.PHONY: distclean-keys
distclean-keys:
./gen-keys.sh clean

200
tests/boot_aggregate.test
View File

@ -1,200 +0,0 @@
#!/bin/bash
#
# Calculate the boot_aggregate for each TPM bank, verifying that the
# boot_aggregate in the IMA measurement list matches one of them.
#
# A software TPM may be used to verify the boot_aggregate. If a
# software TPM is not already running on the system, this test
# starts one and initializes the TPM PCR banks by walking the sample
# binary_bios_measurements event log, included in this directory, and
# extending the TPM PCRs. The associated ascii_runtime_measurements
# for verifying the calculated boot_aggregate is included in this
# directory as well.
trap '_report_exit_and_cleanup cleanup' SIGINT SIGTERM EXIT
# Base VERBOSE on the environment variable, if set.
VERBOSE="${VERBOSE:-0}"
cd "$(dirname "$0")"
export PATH=../src:$PATH
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH
. ./functions.sh
_require evmctl
TSSDIR="$(dirname -- "$(which tssstartup)")"
PCRFILE="/sys/class/tpm/tpm0/device/pcrs"
MISC_PCRFILE="/sys/class/misc/tpm0/device/pcrs"
# Only stop this test's software TPM
cleanup() {
if [ -n "${SWTPM_PID}" ]; then
kill -SIGTERM "${SWTPM_PID}"
elif [ -n "${TPMSERVER_PID}" ]; then
"${TSSDIR}/tsstpmcmd" -stop
fi
}
# Try to start a software TPM if needed.
swtpm_start() {
local tpm_server swtpm
tpm_server="$(which tpm_server)"
swtpm="$(which swtpm)"
if [ -z "${tpm_server}" ] && [ -z "${swtpm}" ]; then
echo "${CYAN}SKIP: Software TPM (tpm_server and swtpm) not found${NORM}"
return "$SKIP"
fi
if [ -n "${swtpm}" ]; then
pgrep swtpm
if [ $? -eq 0 ]; then
echo "INFO: Software TPM (swtpm) already running"
return 114
else
echo "INFO: Starting software TPM: ${swtpm}"
mkdir -p ./myvtpm
${swtpm} socket --tpmstate dir=./myvtpm --tpm2 --ctrl type=tcp,port=2322 --server type=tcp,port=2321 --flags not-need-init > /dev/null 2>&1 &
SWTPM_PID=$!
fi
elif [ -n "${tpm_server}" ]; then
# tpm_server uses the Microsoft simulator encapsulated packet format
export TPM_SERVER_TYPE="mssim"
pgrep tpm_server
if [ $? -eq 0 ]; then
echo "INFO: Software TPM (tpm_server) already running"
return 114
else
echo "INFO: Starting software TPM: ${tpm_server}"
${tpm_server} > /dev/null 2>&1 &
TPMSERVER_PID=$!
fi
fi
return 0
}
# Initialize the software TPM using the sample binary_bios_measurements log.
swtpm_init() {
if [ ! -f "${TSSDIR}/tssstartup" ] || [ ! -f "${TSSDIR}/tsseventextend" ]; then
echo "${CYAN}SKIP: tssstartup and tsseventextend needed for test${NORM}"
return "$SKIP"
fi
echo "INFO: Sending software TPM startup"
"${TSSDIR}/tssstartup"
if [ $? -ne 0 ]; then
echo "INFO: Retry sending software TPM startup"
sleep 1
"${TSSDIR}/tssstartup"
fi
if [ $? -ne 0 ]; then
echo "INFO: Software TPM startup failed"
return "$SKIP"
fi
echo "INFO: Walking ${BINARY_BIOS_MEASUREMENTS} initializing the software TPM"
# $(${TSSDIR}/tsseventextend -tpm -if "${BINARY_BIOS_MEASUREMENTS}" -v) 2>&1 > /dev/null
"${TSSDIR}/tsseventextend" -tpm -if "${BINARY_BIOS_MEASUREMENTS}" -v > /dev/null 2>&1
}
# In VERBOSE mode, display the calculated TPM PCRs for the different banks.
display_pcrs() {
local PCRMAX=9
local banks=("sha1" "sha256")
local i;
for bank in "${banks[@]}"; do
echo "INFO: Displaying ${bank} TPM bank (PCRs 0 - 9)"
for i in $(seq 0 $PCRMAX); do
rc=0
pcr=$("${TSSDIR}/tsspcrread" -halg "${bank}" -ha "${i}" -ns)
if [ $rc -ne 0 ]; then
echo "INFO: tsspcrread failed: $pcr"
break
fi
echo "$i: $pcr"
done
done
}
# The first entry in the IMA measurement list is the "boot_aggregate".
# For each kexec, an additional "boot_aggregate" will appear in the
# measurement list, assuming the previous measurement list is carried
# across the kexec.
#
# Verify that the last "boot_aggregate" record in the IMA measurement
# list matches.
check() {
local options=$1
echo "INFO: Calculating the boot_aggregate (PCRs 0 - 9) for multiple banks"
bootaggr=$(evmctl ima_boot_aggregate ${options})
if [ $? -ne 0 ]; then
echo "${CYAN}SKIP: evmctl ima_boot_aggregate: $bootaggr${NORM}"
exit "$SKIP"
fi
boot_aggr=( $bootaggr )
echo "INFO: Searching for the boot_aggregate in ${ASCII_RUNTIME_MEASUREMENTS}"
for hash in "${boot_aggr[@]}"; do
if [ "$VERBOSE" != "0" ]; then
echo "$hash"
fi
if grep -e " boot_aggregate$" -e " boot_aggregate.$" "${ASCII_RUNTIME_MEASUREMENTS}" | tail -n 1 | grep -q "${hash}"; then
echo "${GREEN}SUCCESS: boot_aggregate ${hash} found${NORM}"
return "$OK"
fi
done
echo "${RED}FAILURE: boot_aggregate not found${NORM}"
echo "$bootaggr"
return "$FAIL"
}
if [ "$(id -u)" = 0 ] && [ -c "/dev/tpm0" ]; then
BOOTAGGR_OPTIONS="--hwtpm"
ASCII_RUNTIME_MEASUREMENTS="/sys/kernel/security/ima/ascii_runtime_measurements"
if [ ! -d "/sys/kernel/security/ima" ]; then
echo "${CYAN}SKIP: CONFIG_IMA not enabled${NORM}"
exit "$SKIP"
fi
else
BINARY_BIOS_MEASUREMENTS="./sample-binary_bios_measurements-pcrs-8-9"
ASCII_RUNTIME_MEASUREMENTS="./sample-ascii_runtime_measurements-pcrs-8-9"
export TPM_INTERFACE_TYPE="socsim"
export TPM_COMMAND_PORT=2321
export TPM_PLATFORM_PORT=2322
export TPM_SERVER_NAME="localhost"
# swtpm uses the raw, unencapsulated packet format
export TPM_SERVER_TYPE="raw"
fi
# Start and initialize a software TPM as needed
if [ "$(id -u)" != 0 ] || [ ! -c "/dev/tpm0" ]; then
if [ -f "$PCRFILE" ] || [ -f "$MISC_PCRFILE" ]; then
echo "${CYAN}SKIP: system has discrete TPM 1.2, sample TPM 2.0 event log test not supported.${NORM}"
exit "$SKIP"
fi
swtpm_start
error=$?
if [ $error -eq "$SKIP" ]; then
echo "skip: swtpm not installed"
exit "$SKIP"
fi
if [ $error -eq 0 ]; then
swtpm_init
if [ $? -eq "$SKIP" ]; then
echo "testing boot_aggregate without entries"
exit "$SKIP"
fi
fi
if [ "$VERBOSE" != "0" ]; then
display_pcrs
fi
fi
expect_pass check $BOOTAGGR_OPTIONS

385
tests/fsverity.test
View File

@ -1,385 +0,0 @@
#!/bin/bash
# SPDX-License-Identifier: GPL-2.0
#
# Test IMA support for including fs-verity enabled files measurements
# in the IMA measurement list.
#
# Define policy rules showing the different types of IMA and fs-verity
# records in the IMA measurement list. Include examples of files that
# are suppose to be fs-verity enabled, but aren't.
#
# test 1: IMA policy rule using the new ima-ngv2 template
# - Hash prefixed with "ima:"
#
# test 2: fs-verity IMA policy rule using the new ima-ngv2 template
# - fs-verity hash prefixed with "verity:"
# - Non fs-verity enabled file, zeros prefixed with "verity:"
#
# test 3: IMA policy rule using the new ima-sigv2 template
# - Hash prefixed with "ima:"
# - Appended signature, when available.
#
# test 4: fs-verity IMA policy rule using the new ima-sigv2 template
# - fs-verity hash prefixed with "verity:"
# - Non fs-verity enabled file, zeros prefixed with "verity:"
# - Appended IMA signature of fs-verity file hash, when available.
# To avoid affecting the system's IMA custom policy or requiring a
# reboot between tests, define policy rules based on UUID. However,
# since the policy rules are walked sequentially, the system's IMA
# custom policy rules might take precedence.
cd "$(dirname "$0")" || exit 1
PATH=../src:../fsverity-utils:$PATH
source ./functions.sh
# Base VERBOSE on the environment variable, if set.
VERBOSE="${VERBOSE:-0}"
IMA_POLICY_FILE="/sys/kernel/security/integrity/ima/policy"
IMA_MEASUREMENT_LIST="/sys/kernel/security/integrity/ima/ascii_runtime_measurements"
TST_MNT="/tmp/fsverity-test"
TST_IMG="/tmp/test.img"
LOOPBACK_MOUNTED=0
FSVERITY="$(which fsverity)"
_require dd mkfs blkid e2fsck tune2fs evmctl setfattr
./gen-keys.sh >/dev/null 2>&1
trap '_report_exit_and_cleanup _cleanup_env cleanup' SIGINT SIGTERM EXIT
cleanup() {
if [ -e $TST_MNT ]; then
if [ $LOOPBACK_MOUNTED -eq 1 ]; then
umount $TST_MNT
fi
if [ -f "$TST_IMG" ]; then
rm "$TST_IMG"
fi
fi
}
# Loopback mount a file
mount_loopback_file() {
local ret
if [ ! -d $TST_MNT ]; then
mkdir $TST_MNT
fi
# if modprobe loop; then
# echo "${CYAN}INFO: modprobe loop failed${NORM}"
# fi
if ! losetup -f &> /dev/null; then
echo "${RED}FAILURE: losetup${NORM}"
exit "$FAIL"
fi
mount -v -o loop ${TST_IMG} $TST_MNT
ret=$?
if [ "${ret}" -eq 0 ]; then
LOOPBACK_MOUNTED=1
fi
return "$ret"
}
# Change the loopback mounted filesystem's UUID in between tests
change_loopback_file_uuid() {
echo " "
[ "$VERBOSE" -ge 1 ] && echo "INFO: Changing loopback file uuid"
umount $TST_MNT
if ! e2fsck -y -f ${TST_IMG} &> /dev/null; then
echo "${RED}FAILURE: e2fsck${NORM}"
exit "$FAIL"
fi
if ! tune2fs -f ${TST_IMG} -U random &> /dev/null; then
echo "${RED}FAILURE: change UUID${NORM}"
exit "$FAIL"
fi
[ "$VERBOSE" -ge 1 ] && echo "INFO: Remounting loopback filesystem"
if ! mount_loopback_file; then
echo "${RED}FAILURE: re-mounting loopback filesystem${NORM}"
exit "$FAIL"
fi
return 0
}
# Create a file to be loopback mounted
create_loopback_file() {
local fs_type=$1
local options=""
echo "INFO: Creating loopback filesystem"
case $fs_type in
ext4|f2fs)
options="-O verity"
;;
btrfs)
;;
*)
echo "${RED}FAILURE: unsupported fs-verity filesystem${NORM}"
exit "${FAIL}"
;;
esac
[ "$VERBOSE" -ge 2 ] && echo "INFO: Creating a file to be loopback mounted with options: $options"
if ! dd if=/dev/zero of="${TST_IMG}" bs=100M count=6 &> /dev/null; then
echo "${RED}FAILURE: creating ${TST_IMG}${NORM}"
exit "$FAIL"
fi
echo "INFO: Building an $fs_type filesystem"
if ! mkfs -t "$fs_type" -q "${TST_IMG}" "$options"; then
echo "${RED}FAILURE: Creating $fs_type filesystem${NORM}"
exit "$FAIL"
fi
echo "INFO: Mounting loopback filesystem"
if ! mount_loopback_file; then
echo "${RED}FAILURE: mounting loopback filesystem${NORM}"
exit "$FAIL"
fi
return 0
}
get_current_uuid() {
[ "$VERBOSE" -ge 2 ] && echo "INFO: Getting loopback file uuid"
if ! UUID=$(blkid -s UUID -o value ${TST_IMG}); then
echo "${RED}FAILURE: to get UUID${NORM}"
return "$FAIL"
fi
return 0
}
unqualified_bprm_rule() {
local test=$1
local rule=$2
local rule_match="measure func=BPRM_CHECK"
local rule_dontmatch="fsuuid"
if [ -z "${rule##*$digest_type=verity*}" ]; then
if grep "$rule_match" $IMA_POLICY_FILE | grep -v "$rule_dontmatch" &> /dev/null; then
return "$SKIP"
fi
fi
return 0
}
load_policy_rule() {
local test=$1
local rule=$2
if ! get_current_uuid; then
echo "${RED}FAILURE:FAILED getting uuid${NORM}"
exit "$FAIL"
fi
unqualified_bprm_rule "${test}" "${rule}"
if [ $? -eq "${SKIP}" ]; then
echo "${CYAN}SKIP: fsuuid unqualified \"BPRM_CHECK\" rule exists${NORM}"
return "$SKIP"
fi
echo "$test: rule: $rule fsuuid=$UUID"
if ! echo "$rule fsuuid=$UUID" > $IMA_POLICY_FILE; then
echo "${CYAN}SKIP: Loading policy rule failed, skipping test${NORM}"
return "$SKIP"
fi
return 0
}
create_file() {
local test=$1
local type=$2
TST_FILE=$(mktemp -p $TST_MNT -t "${type}".XXXXXX)
[ "$VERBOSE" -ge 1 ] && echo "INFO: creating $TST_FILE"
# heredoc to create a script
cat <<-EOF > "$TST_FILE"
#!/bin/bash
echo "Hello" &> /dev/null
EOF
chmod a+x "$TST_FILE"
}
measure-verity() {
local test=$1
local verity="${2:-disabled}"
local digest_filename
local error="$OK"
local KEY=$PWD/test-rsa2048.key
create_file "$test" verity-hash
if [ "$verity" = "enabled" ]; then
msg="Measuring fs-verity enabled file $TST_FILE"
if ! "$FSVERITY" enable "$TST_FILE" &> /dev/null; then
echo "${CYAN}SKIP: Failed enabling fs-verity on $TST_FILE${NORM}"
return "$SKIP"
fi
else
msg="Measuring non fs-verity enabled file $TST_FILE"
fi
# Sign the fsverity digest and write it as security.ima xattr.
# "evmctl sign_hash" input: <digest> <filename>
# "evmctl sign_hash" output: <digest> <filename> <signature>
[ "$VERBOSE" -ge 2 ] && echo "INFO: Signing the fsverity digest"
xattr=$("$FSVERITY" digest "$TST_FILE" | evmctl sign_hash --veritysig --key "$KEY" 2> /dev/null)
sig=$(echo "$xattr" | cut -d' ' -f3)
# On failure to write security.ima xattr, the signature will simply
# not be appended to the measurement list record.
if ! setfattr -n security.ima -v "0x$sig" "$TST_FILE"; then
echo "${CYAN}INFO: Failed to write security.ima xattr${NORM}"
fi
"$TST_FILE"
# "fsverity digest" calculates the fsverity hash, even for
# non fs-verity enabled files.
digest_filename=$("$FSVERITY" digest "$TST_FILE")
[ "$VERBOSE" -ge 2 ] && echo "INFO: verity:$digest_filename"
grep "verity:$digest_filename" $IMA_MEASUREMENT_LIST &> /dev/null
ret=$?
# Not finding the "fsverity digest" result in the IMA measurement
# list is expected for non fs-verity enabled files. The measurement
# list will contain zeros for the file hash.
if [ $ret -eq 1 ]; then
error="$FAIL"
if [ "$verity" = "enabled" ]; then
echo "${RED}FAILURE: ${msg} ${NORM}"
else
echo "${GREEN}SUCCESS: ${msg}, fsverity digest not found${NORM}"
fi
else
if [ "$verity" = "enabled" ]; then
echo "${GREEN}SUCCESS: ${msg} ${NORM}"
else
error="$FAIL"
echo "${RED}FAILURE: ${msg} ${NORM}"
fi
fi
return "$error"
}
measure-ima() {
local test=$1
local digest_filename
local error="$OK"
local hashalg
local digestsum
create_file "$test" ima-hash
"$TST_FILE"
hashalg=$(grep "${TST_FILE}" $IMA_MEASUREMENT_LIST | cut -d':' -f2)
if [ -z "${hashalg}" ]; then
echo "${CYAN}SKIP: Measurement record with algorithm not found${NORM}"
return "$SKIP"
fi
digestsum=$(which "${hashalg}"sum)
if [ -z "${digestsum}" ]; then
echo "${CYAN}SKIP: ${hashalg}sum is not installed${NORM}"
return "$SKIP"
fi
# sha1sum,sha256sum return: <digest> <2 spaces> <filename>
# Remove the extra space before the filename
digest_filename=$(${digestsum} "$TST_FILE" | sed "s/\ \ /\ /")
[ "$VERBOSE" -ge 2 ] && echo "$test: $digest_filename"
if grep "$digest_filename" $IMA_MEASUREMENT_LIST &> /dev/null; then
echo "${GREEN}SUCCESS: Measuring $TST_FILE ${NORM}"
else
error="$FAIL"
echo "${RED}FAILURE: Measuring $TST_FILE ${NORM}"
fi
return "$error"
}
# Run in the new environment if TST_ENV is set.
_run_env "$TST_KERNEL" "$PWD/$(basename "$0")" "TST_ENV=$TST_ENV TST_KERNEL=$TST_KERNEL PATH=$PATH LD_LIBRARY_PATH=$LD_LIBRARY_PATH VERBOSE=$VERBOSE"
# Exit from the creator of the new environment.
_exit_env "$TST_KERNEL"
# Mount filesystems in the new environment.
_init_env
# Dependency on being able to read and write the IMA policy file.
# Requires both CONFIG_IMA_WRITE_POLICY, CONFIG_IMA_READ_POLICY be
# enabled.
if [ -e "$IMA_POLICY_FILE" ]; then
mode=$(stat -c "%a" $IMA_POLICY_FILE)
if [ "$mode" != "600" ]; then
echo "${CYAN}SKIP: IMA policy file must be read-write${NORM}"
exit "$SKIP"
fi
else
echo "${CYAN}SKIP: $IMA_POLICY_FILE does not exist${NORM}"
exit "$SKIP"
fi
# Skip the test if fsverity is not found; using _require fails the test.
if [ -z "$FSVERITY" ]; then
echo "${CYAN}SKIP: fsverity is not installed${NORM}"
exit "$SKIP"
fi
if [ "x$(id -u)" != "x0" ]; then
echo "${CYAN}SKIP: Must be root to execute this test${NORM}"
exit "$SKIP"
fi
create_loopback_file ext4
# Commit 989dc72511f7 ("ima: define a new template field named 'd-ngv2' and
# templates") introduced ima-ngv2 and ima-sigv2 in linux-5.19.
__skip() { return "$SKIP"; }
# IMA policy rule using the ima-ngv2 template
if load_policy_rule test1 "measure func=BPRM_CHECK template=ima-ngv2"; then
expect_pass measure-ima test1
else
expect_pass __skip
fi
# fsverity IMA policy rule using the ima-ngv2 template
change_loopback_file_uuid
if load_policy_rule test2 "measure func=BPRM_CHECK template=ima-ngv2 digest_type=verity"; then
expect_fail measure-verity test2
expect_pass measure-verity test2 enabled
else
expect_pass __skip
expect_pass __skip
fi
# IMA policy rule using the ima-sigv2 template
change_loopback_file_uuid
if load_policy_rule test3 "measure func=BPRM_CHECK template=ima-sigv2"; then
expect_pass measure-ima test3
else
expect_pass __skip
fi
# fsverity IMA policy rule using the ima-sigv2 template
change_loopback_file_uuid
if load_policy_rule test4 "measure func=BPRM_CHECK template=ima-sigv2 digest_type=verity"; then
expect_fail measure-verity test4
expect_pass measure-verity test4 enabled
else
expect_pass __skip
expect_pass __skip
fi
exit

462
tests/functions.sh
View File

@ -1,462 +0,0 @@
#!/bin/bash
# SPDX-License-Identifier: GPL-2.0
#
# ima-evm-utils tests bash functions
#
# Copyright (C) 2020 Vitaly Chikunov <vt@altlinux.org>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# Tests accounting
declare -i testspass=0 testsfail=0 testsskip=0
# Exit codes (compatible with automake)
declare -r OK=0
declare -r FAIL=1
declare -r HARDFAIL=99 # hard failure no matter testing mode
declare -r SKIP=77
# You can set env VERBOSE=1 to see more output from evmctl
VERBOSE=${VERBOSE:-0}
V=vvvv
V=${V:0:$VERBOSE}
V=${V:+-$V}
# Exit if env FAILEARLY is defined.
# Used in expect_{pass,fail}.
exit_early() {
if [ "$FAILEARLY" ]; then
exit "$1"
fi
}
# Require particular executables to be present
_require() {
ret=
for i; do
if ! type $i; then
echo "$i is required for test"
ret=1
fi
done
[ $ret ] && exit "$HARDFAIL"
}
# Non-TTY output is never colored
if [ -t 1 ]; then
RED=$'\e[1;31m'
GREEN=$'\e[1;32m'
YELLOW=$'\e[1;33m'
BLUE=$'\e[1;34m'
CYAN=$'\e[1;36m'
NORM=$'\e[m'
export RED GREEN YELLOW BLUE CYAN NORM
fi
# Test mode determined by TFAIL variable:
# undefined: to success testing
# defined: failure testing
TFAIL=
TMODE=+ # mode character to prepend running command in log
declare -i TNESTED=0 # just for sanity checking
# Run positive test (one that should pass) and account its result
expect_pass() {
local -i ret
if [ -n "$TST_LIST" ] && [ "${TST_LIST/$1/}" = "$TST_LIST" ]; then
[ "$VERBOSE" -gt 1 ] && echo "____ SKIP test: $*"
testsskip+=1
return "$SKIP"
fi
if [ $TNESTED -gt 0 ]; then
echo $RED"expect_pass should not be run nested"$NORM
testsfail+=1
exit "$HARDFAIL"
fi
TFAIL=
TMODE=+
TNESTED+=1
[ "$VERBOSE" -gt 1 ] && echo "____ START positive test: $*"
"$@"
ret=$?
[ "$VERBOSE" -gt 1 ] && echo "^^^^ STOP ($ret) positive test: $*"
TNESTED+=-1
case $ret in
0) testspass+=1 ;;
77) testsskip+=1 ;;
99) testsfail+=1; exit_early 1 ;;
*) testsfail+=1; exit_early 2 ;;
esac
return $ret
}
expect_pass_if() {
local indexes="$1"
local ret idx
shift
expect_pass "$@"
ret=$?
if [ $ret -ne 0 ] && [ $ret -ne 77 ] && [ -n "$PATCHES" ]; then
echo $YELLOW"Possibly missing patches:"$NORM
for idx in $indexes; do
echo $YELLOW" - ${PATCHES[$((idx))]}"$NORM
done
fi
return $ret
}
# Eval negative test (one that should fail) and account its result
expect_fail() {
local ret
if [ -n "$TST_LIST" ] && [ "${TST_LIST/$1/}" = "$TST_LIST" ]; then
[ "$VERBOSE" -gt 1 ] && echo "____ SKIP test: $*"
testsskip+=1
return "$SKIP"
fi
if [ $TNESTED -gt 0 ]; then
echo $RED"expect_fail should not be run nested"$NORM
testsfail+=1
exit "$HARDFAIL"
fi
TFAIL=yes
TMODE=-
TNESTED+=1
[ "$VERBOSE" -gt 1 ] && echo "____ START negative test: $*"
"$@"
ret=$?
[ "$VERBOSE" -gt 1 ] && echo "^^^^ STOP ($ret) negative test: $*"
TNESTED+=-1
case $ret in
0) testsfail+=1; exit_early 3 ;;
77) testsskip+=1 ;;
99) testsfail+=1; exit_early 4 ;;
*) testspass+=1 ;;
esac
# Restore defaults (as in positive tests)
# for tests to run without wrappers
TFAIL=
TMODE=+
return $ret
}
expect_fail_if() {
local indexes="$1"
local ret idx
shift
expect_fail "$@"
ret=$?
if { [ $ret -eq 0 ] || [ $ret -eq 99 ]; } && [ -n "$PATCHES" ]; then
echo $YELLOW"Possibly missing patches:"$NORM
for idx in $indexes; do
echo $YELLOW" - ${PATCHES[$((idx))]}"$NORM
done
fi
return $ret
}
# return true if current test is positive
_test_expected_to_pass() {
[ ! $TFAIL ]
}
# return true if current test is negative
_test_expected_to_fail() {
[ $TFAIL ]
}
# Show blank line and color following text to red
# if it's real error (ie we are in expect_pass mode).
color_red_on_failure() {
if _test_expected_to_pass; then
echo "$RED"
COLOR_RESTORE=true
fi
}
# For hard errors
color_red() {
echo "$RED"
COLOR_RESTORE=true
}
color_restore() {
[ $COLOR_RESTORE ] && echo "$NORM"
COLOR_RESTORE=
}
ADD_DEL=
ADD_TEXT_FOR=
# _evmctl_run should be run as `_evmctl_run ... || return'
_evmctl_run() {
local op=$1 out=$1-$$.out
local text_for=${FOR:+for $ADD_TEXT_FOR}
# Additional parameters:
# ADD_DEL: additional files to rm on failure
# ADD_TEXT_FOR: append to text as 'for $ADD_TEXT_FOR'
cmd="evmctl $V $EVMCTL_ENGINE $*"
echo $YELLOW$TMODE "$cmd"$NORM
$cmd >"$out" 2>&1
ret=$?
# Shell special and signal exit codes (except 255)
if [ $ret -ge 126 ] && [ $ret -lt 255 ]; then
color_red
echo "evmctl $op failed hard with ($ret) $text_for"
sed 's/^/ /' "$out"
color_restore
rm "$out" $ADD_DEL
ADD_DEL=
ADD_TEXT_FOR=
return "$HARDFAIL"
elif [ $ret -gt 0 ]; then
color_red_on_failure
echo "evmctl $op failed" ${TFAIL:+properly} "with ($ret) $text_for"
# Show evmctl output only in verbose mode or if real failure.
if _test_expected_to_pass || [ "$VERBOSE" ]; then
sed 's/^/ /' "$out"
fi
color_restore
rm "$out" $ADD_DEL
ADD_DEL=
ADD_TEXT_FOR=
return "$FAIL"
elif _test_expected_to_fail; then
color_red
echo "evmctl $op wrongly succeeded $text_for"
sed 's/^/ /' "$out"
color_restore
else
[ "$VERBOSE" ] && sed 's/^/ /' "$out"
fi
rm "$out"
ADD_DEL=
ADD_TEXT_FOR=
return "$OK"
}
# Extract xattr $attr from $file into $out file skipping $pref'ix
_extract_xattr() {
local file=$1 attr=$2 out=$3 pref=$4
getfattr -n "$attr" -e hex "$file" \
| grep "^$attr=" \
| sed "s/^$attr=$pref//" \
| xxd -r -p > "$out"
}
# Test if xattr $attr in $file matches $prefix
# Show error and fail otherwise.
_test_xattr() {
local file=$1 attr=$2 prefix=$3
local text_for=${ADD_TEXT_FOR:+ for $ADD_TEXT_FOR}
if ! getfattr -n "$attr" -e hex "$file" | egrep -qx "$attr=$prefix"; then
color_red_on_failure
echo "Did not find expected hash$text_for:"
echo " $attr=$prefix"
echo ""
echo "Actual output below:"
getfattr -n "$attr" -e hex "$file" | sed 's/^/ /'
color_restore
rm "$file"
ADD_TEXT_FOR=
return "$FAIL"
fi
ADD_TEXT_FOR=
}
# Try to enable gost-engine if needed.
_enable_gost_engine() {
# Do not enable if it's already working (enabled by user)
if ! openssl md_gost12_256 /dev/null >/dev/null 2>&1 \
&& openssl engine gost >/dev/null 2>&1; then
export EVMCTL_ENGINE="--engine gost"
export OPENSSL_ENGINE="-engine gost"
fi
}
# Show test stats and exit into automake test system
# with proper exit code (same as ours). Do cleanups.
_report_exit_and_cleanup() {
local exit_code=$?
if [ -n "${WORKDIR}" ]; then
rm -rf "${WORKDIR}"
fi
"$@"
if [ $testsfail -gt 0 ]; then
echo "================================="
echo " Run with FAILEARLY=1 $0 $*"
echo " To stop after first failure"
echo "================================="
fi
[ $testspass -gt 0 ] && echo -n "$GREEN" || echo -n "$NORM"
echo -n "PASS: $testspass"
[ $testsskip -gt 0 ] && echo -n "$YELLOW" || echo -n "$NORM"
echo -n " SKIP: $testsskip"
[ $testsfail -gt 0 ] && echo -n "$RED" || echo -n "$NORM"
echo " FAIL: $testsfail"
echo "$NORM"
# Signal failure to the testing environment creator with an unclean shutdown.
if [ -n "$TST_ENV" ] && [ $$ -eq 1 ]; then
if [ -z "$(command -v poweroff)" ]; then
echo "Warning: cannot properly shutdown system"
fi
# If no test was executed and the script was successful,
# do a clean shutdown.
if [ $testsfail -eq 0 ] && [ $testspass -eq 0 ] && [ $testsskip -eq 0 ] &&
[ $exit_code -ne "$FAIL" ] && [ $exit_code -ne "$HARDFAIL" ]; then
poweroff -f
fi
# If tests were executed and no test failed, do a clean shutdown.
if { [ $testspass -gt 0 ] || [ $testsskip -gt 0 ]; } &&
[ $testsfail -eq 0 ]; then
poweroff -f
fi
fi
if [ $testsfail -gt 0 ]; then
exit "$FAIL"
elif [ $testspass -gt 0 ]; then
exit "$OK"
elif [ $testsskip -gt 0 ]; then
exit "$SKIP"
else
exit "$exit_code"
fi
}
# Setup SoftHSM for local testing by calling the softhsm_setup script.
# Use the provided workdir as the directory where SoftHSM will store its state
# into.
# Upon successfully setting up SoftHSM, this function sets the global variables
# OPENSSL_ENGINE and OPENSSL_KEYFORM so that the openssl command line tool can
# use SoftHSM. Also the PKCS11_KEYURI global variable is set to the test key's
# pkcs11 URI.
_softhsm_setup() {
local workdir="$1"
local msg
export SOFTHSM_SETUP_CONFIGDIR="${workdir}/softhsm"
export SOFTHSM2_CONF="${workdir}/softhsm/softhsm2.conf"
mkdir -p "${SOFTHSM_SETUP_CONFIGDIR}"
msg=$(./softhsm_setup setup 2>&1)
if [ $? -eq 0 ]; then
echo "softhsm_setup setup succeeded: $msg"
PKCS11_KEYURI=$(echo $msg | sed -n 's|^keyuri: \(.*\)|\1|p')
export EVMCTL_ENGINE="--engine pkcs11"
export OPENSSL_ENGINE="-engine pkcs11"
export OPENSSL_KEYFORM="-keyform engine"
else
echo "softhsm_setup setup failed: ${msg}"
fi
}
# Tear down the SoftHSM setup and clean up the environment
_softhsm_teardown() {
./softhsm_setup teardown &>/dev/null
rm -rf "${SOFTHSM_SETUP_CONFIGDIR}"
unset SOFTHSM_SETUP_CONFIGDIR SOFTHSM2_CONF PKCS11_KEYURI \
EVMCTL_ENGINE OPENSSL_ENGINE OPENSSL_KEYFORM
}
# Syntax: _run_env <kernel> <init> <additional kernel parameters>
_run_env() {
if [ -z "$TST_ENV" ]; then
return
fi
if [ $$ -eq 1 ]; then
return
fi
if [ "$TST_ENV" = "um" ]; then
expect_pass "$1" rootfstype=hostfs rw init="$2" quiet mem=2048M "$3"
else
echo $RED"Testing environment $TST_ENV not supported"$NORM
exit "$FAIL"
fi
}
# Syntax: _exit_env <kernel>
_exit_env() {
if [ -z "$TST_ENV" ]; then
return
fi
if [ $$ -eq 1 ]; then
return
fi
exit "$OK"
}
# Syntax: _init_env
_init_env() {
if [ -z "$TST_ENV" ]; then
return
fi
if [ $$ -ne 1 ]; then
return
fi
mount -t tmpfs tmpfs /tmp
mount -t proc proc /proc
mount -t sysfs sysfs /sys
mount -t securityfs securityfs /sys/kernel/security
if [ -n "$(command -v haveged 2> /dev/null)" ]; then
$(command -v haveged) -w 1024 &> /dev/null
fi
pushd "$PWD" > /dev/null || exit "$FAIL"
}
# Syntax: _cleanup_env <cleanup function>
_cleanup_env() {
if [ -z "$TST_ENV" ]; then
$1
return
fi
if [ $$ -ne 1 ]; then
return
fi
$1
umount /sys/kernel/security
umount /sys
umount /proc
umount /tmp
}

161
tests/gen-keys.sh
View File

@ -1,161 +0,0 @@
#!/bin/bash
# SPDX-License-Identifier: GPL-2.0
#
# Generate keys for the tests
#
# Copyright (C) 2020 Vitaly Chikunov <vt@altlinux.org>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
cd "$(dirname "$0")" || exit 1
PATH=../src:$PATH
type openssl
log() {
echo >&2 - "$*"
eval "$@"
}
if [ "$1" = clean ]; then
rm -f test-ca.conf
elif [ "$1" = force ] || [ ! -e test-ca.conf ] \
|| [ gen-keys.sh -nt test-ca.conf ]; then
cat > test-ca.conf <<- EOF
[ req ]
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = v3_ca
[ req_distinguished_name ]
O = IMA-CA
CN = IMA/EVM certificate signing key
emailAddress = ca@ima-ca
[ v3_ca ]
basicConstraints=CA:TRUE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
[ skid ]
basicConstraints=CA:TRUE
subjectKeyIdentifier=12345678
authorityKeyIdentifier=keyid:always,issuer
EOF
fi
# RSA
# Second key will be used for wrong key tests.
for m in 1024 1024_skid 2048; do
if [ "$1" = clean ] || [ "$1" = force ] \
|| [ gen-keys.sh -nt test-rsa$m.key ]; then
rm -f test-rsa$m.cer test-rsa$m.key test-rsa$m.pub
fi
if [ "$1" = clean ]; then
continue
fi
if [ -z "${m%%*_*}" ]; then
# Add named extension.
bits=${m%_*}
ext="-extensions ${m#*_}"
else
bits=$m
ext=
fi
if [ ! -e test-rsa$m.key ]; then
log openssl req -verbose -new -nodes -utf8 -sha256 -days 10000 -batch -x509 $ext \
-config test-ca.conf \
-newkey rsa:$bits \
-out test-rsa$m.cer -outform DER \
-keyout test-rsa$m.key
# for v1 signatures
log openssl pkey -in test-rsa$m.key -out test-rsa$m.pub -pubout
if [ $m = 1024_skid ]; then
# Create combined key+cert.
log openssl x509 -inform DER -in test-rsa$m.cer >> test-rsa$m.key
fi
fi
done
for curve in prime192v1 prime256v1; do
if [ "$1" = clean ] || [ "$1" = force ]; then
rm -f test-$curve.cer test-$curve.key test-$curve.pub
fi
if [ "$1" = clean ]; then
continue
fi
if [ ! -e test-$curve.key ]; then
log openssl req -verbose -new -nodes -utf8 -sha256 -days 10000 -batch -x509 \
-config test-ca.conf \
-newkey ec \
-pkeyopt ec_paramgen_curve:$curve \
-out test-$curve.cer -outform DER \
-keyout test-$curve.key
if [ -s test-$curve.key ]; then
log openssl pkey -in test-$curve.key -out test-$curve.pub -pubout
fi
fi
done
# EC-RDSA
for m in \
gost2012_256:A \
gost2012_256:B \
gost2012_256:C \
gost2012_512:A \
gost2012_512:B; do
IFS=':' read -r algo param <<< "$m"
if [ "$1" = clean ] || [ "$1" = force ]; then
rm -f "test-$algo-$param.key" "test-$algo-$param.cer" "test-$algo-$param.pub"
fi
if [ "$1" = clean ]; then
continue
fi
[ -e "test-$algo-$param.key" ] && continue
log openssl req -nodes -x509 -utf8 -days 10000 -batch \
-config test-ca.conf \
-newkey "$algo" \
-pkeyopt "paramset:$param" \
-out "test-$algo-$param.cer" -outform DER \
-keyout "test-$algo-$param.key"
if [ -s "test-$algo-$param.key" ]; then
log openssl pkey -in "test-$algo-$param.key" -out "test-$algo-$param.pub" -pubout
fi
done
# SM2, If openssl 3.0 is installed, gen SM2 keys using
if [ -x /opt/openssl3/bin/openssl ]; then
(PATH=/opt/openssl3/bin:$PATH LD_LIBRARY_PATH=/opt/openssl3/lib
for curve in sm2; do
if [ "$1" = clean ] || [ "$1" = force ]; then
rm -f test-$curve.cer test-$curve.key test-$curve.pub
fi
if [ "$1" = clean ]; then
continue
fi
if [ ! -e test-$curve.key ]; then
log openssl req -verbose -new -nodes -utf8 -days 10000 -batch -x509 \
-sm3 -sigopt "distid:1234567812345678" \
-config test-ca.conf \
-copy_extensions copyall \
-newkey $curve \
-out test-$curve.cer -outform DER \
-keyout test-$curve.key
if [ -s test-$curve.key ]; then
log openssl pkey -in test-$curve.key -out test-$curve.pub -pubout
fi
fi
done)
fi
# This script leaves test-ca.conf, *.cer, *.pub, *.key files for sing/verify tests.
# They are never deleted except by `make distclean'.

79
tests/ima_hash.test
View File

@ -1,79 +0,0 @@
#!/bin/bash
# SPDX-License-Identifier: GPL-2.0
#
# evmctl ima_hash tests
#
# Copyright (C) 2020 Vitaly Chikunov <vt@altlinux.org>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
cd "$(dirname "$0")" || exit 1
PATH=../src:$PATH
source ./functions.sh
_require evmctl openssl getfattr
trap _report_exit_and_cleanup EXIT
set -f # disable globbing
check() {
local alg=$1 prefix=$2 chash=$3 hash
local file=$alg-hash.txt
rm -f "$file"
touch "$file"
# Generate hash with openssl, if it failed skip test,
# unless it's negative test, then pass to evmctl
cmd="openssl dgst $OPENSSL_ENGINE -$alg $file"
echo - "$cmd"
hash=$(set -o pipefail; $cmd 2>/dev/null | cut -d' ' -f2)
if [ $? -ne 0 ] && _test_expected_to_pass; then
echo "${CYAN}$alg test is skipped$NORM"
rm "$file"
return "$SKIP"
fi
if [ "$chash" ] && [ "$chash" != "$hash" ]; then
color_red
echo "Invalid hash for $alg from openssl"
echo "Expected: $chash"
echo "Returned: $hash"
color_restore
rm "$file"
return "$HARDFAIL"
fi
ADD_TEXT_FOR=$alg ADD_DEL=$file \
_evmctl_run ima_hash --hashalgo "$alg" --xattr-user "$file" || return
ADD_TEXT_FOR=$alg \
_test_xattr "$file" user.ima "$prefix$hash" || return
rm "$file"
return "$OK"
}
# check args: algo hdr-prefix canonic-hash
expect_pass check md4 0x01 31d6cfe0d16ae931b73c59d7e0c089c0
expect_pass check md5 0x01 d41d8cd98f00b204e9800998ecf8427e
expect_pass check sha1 0x01 da39a3ee5e6b4b0d3255bfef95601890afd80709
expect_fail check SHA1 0x01 # uppercase
expect_fail check sha512-224 0x01 # valid for pkcs1
expect_fail check sha512-256 0x01 # valid for pkcs1
expect_fail check unknown 0x01 # nonexistent
expect_pass check sha224 0x0407 d14a028c2a3a2bc9476102bb288234c415a2b01f828ea62ac5b3e42f
expect_pass check sha256 0x0404 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
expect_pass check sha384 0x0405 38b060a751ac96384cd9327eb1b1e36a21fdb71114be07434c0cc7bf63f6e1da274edebfe76f65fbd51ad2f14898b95b
expect_pass check sha512 0x0406 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
expect_pass check rmd160 0x0403 9c1185a5c5e9fc54612808977ee8f548b2258d31
expect_pass check sm3 0x0411 1ab21d8355cfa17f8e61194831e81a8f22bec8c728fefb747ed035eb5082aa2b
_enable_gost_engine
expect_pass check md_gost12_256 0x0412 3f539a213e97c802cc229d474c6aa32a825a360b2a933a949fd925208d9ce1bb
expect_pass check streebog256 0x0412 3f539a213e97c802cc229d474c6aa32a825a360b2a933a949fd925208d9ce1bb
expect_pass check md_gost12_512 0x0413 8e945da209aa869f0455928529bcae4679e9873ab707b55315f56ceb98bef0a7362f715528356ee83cda5f2aac4c6ad2ba3a715c1bcd81cb8e9f90bf4c1c1a8a
expect_pass check streebog512 0x0413 8e945da209aa869f0455928529bcae4679e9873ab707b55315f56ceb98bef0a7362f715528356ee83cda5f2aac4c6ad2ba3a715c1bcd81cb8e9f90bf4c1c1a8a

211
tests/ima_policy_check.awk
View File

@ -1,211 +0,0 @@
#! /usr/bin/gawk -f
# SPDX-License-Identifier: GPL-2.0
#
# Copyright (C) 2023 Roberto Sassu <roberto.sassu@huawei.com>
#
# Check a new rule against the loaded IMA policy.
#
# Documentation/ABI/testing/ima_policy (Linux kernel)
# base: [[func=] [mask=] [fsmagic=] [fsuuid=] [fsname=]
# [uid=] [euid=] [gid=] [egid=]
# [fowner=] [fgroup=]]
# lsm: [[subj_user=] [subj_role=] [subj_type=]
# [obj_user=] [obj_role=] [obj_type=]]
# option: [digest_type=] [template=] [permit_directio]
# [appraise_type=] [appraise_flag=]
# [appraise_algos=] [keyrings=]
#
# Rules don't overlap if their actions are unrelated (cannot be matched without
# dont_) and there is no combination of appraise with another do action (e.g.
# measure, audit, hash). The second condition is due to the fact that appraise
# might still forbid other actions expected to be performed by a test that did
# not setup appraisal. Checking appraise for new rules is not sufficient,
# because that rule could be added anyway. By checking existing rules as well,
# a warning will be displayed when tests inserting rules with other do actions
# are reexecuted.
#
# Also, rules don't overlap if both include the same policy keyword(s) (in base
# or lsm, except func), at least one, with a different value. Different func
# values don't imply non-overlap, due to the fact that a test command might
# cause the execution of multiple hooks (e.g. FILE_CHECK in addition to
# MMAP_CHECK). Despite one test is willing to test a particular hook, this could
# have side effects on other tests (e.g. one test sets: appraise func=MMAP_CHECK
# and another: measure func=FILE_CHECK; the second test might see an unexpected
# measurement due to the first test being executed; or the second test cannot
# unexpectedly do mmap).
#
# Currently, the < > operators are not supported and overlapping is asserted
# even if intervals are disjoint. If supported, non-overlapping conditions could
# be found. With the ^ modifier, no disjoint intervals can be found. Overlapping
# is always reported.
#
# Rule equivalence is determined by checking each key/value pair, regardless of
# their order. However, the action must always be at the beginning of the rules.
# Rules with aliases are considered equivalent to those with their source (e.g.
# rules with PATH_CHECK and FILE_MMAP are considered as equivalent to rules with
# FILE_CHECK and MMAP_CHECK).
#
# Return a bit mask with the following values:
# - 1: invalid new rule;
# - 2: overlap of the new rule with an existing rule in the IMA policy;
# - 4: new rule exists in the IMA policy.
BEGIN {
# Policy definitions.
actions_str="measure dont_measure appraise dont_appraise audit hash dont_hash"
split(actions_str, actions_array);
keywords_str="func mask fsmagic fsuuid fsname uid euid gid egid fowner fgroup subj_user subj_role subj_type obj_user obj_role obj_type";
split(keywords_str, keywords_array);
options_str="digest_type template permit_directio appraise_type appraise_flag appraise_algos keyrings";
split(options_str, options_array);
# Key types.
key_type_unknown=0;
key_type_action=1;
key_type_keyword=2;
key_type_option=3;
# Result values.
ret_invalid_rule=1;
ret_rule_overlap=2;
ret_same_rule_exists=4;
for (action_idx in actions_array)
key_types[actions_array[action_idx]]=key_type_action;
for (keyword_idx in keywords_array)
key_types[keywords_array[keyword_idx]]=key_type_keyword;
for (option_idx in options_array)
key_types[options_array[option_idx]]=key_type_option;
new_rule=1;
result=0;
}
{
# Delete arrays from previous rule.
if (!new_rule) {
delete current_rule_array;
delete current_rule_operator_array;
}
# Check empty rules.
if (!length($0)) {
if (new_rule) {
result=or(result, ret_invalid_rule);
exit;
}
next;
}
for (i=1; i<=NF; i++) {
# Parse key/value pair.
split($i, key_value_array, /[=,>,<]/, separator_array);
key=key_value_array[1];
value=key_value_array[2];
if (key == "func") {
# Normalize values of IMA hooks to what IMA will print.
if (value == "FILE_MMAP")
value="MMAP_CHECK";
else if (value == "PATH_CHECK")
value="FILE_CHECK";
}
# Basic validity check (not necessary in general for the IMA policy, but useful to find typos in the tests).
if (key_types[key] == key_type_unknown ||
(i == 1 && key_types[key] != key_type_action)) {
result=or(result, ret_invalid_rule);
exit;
}
# Store key/value pair and operator into an array.
if (new_rule) {
new_rule_array[key]=value;
new_rule_operator_array[key]=separator_array[1];
} else {
current_rule_array[key]=value;
current_rule_operator_array[key]=separator_array[1];
}
# Store original action and action without dont_.
if (i == 1) {
if (new_rule) {
new_rule_action=key;
new_rule_action_sub=key;
gsub(/dont_/, "", new_rule_action_sub);
} else {
current_rule_action=key;
current_rule_action_sub=key;
gsub(/dont_/, "", current_rule_action_sub);
}
}
}
# Go to the next line, to compare the new rule with rules in the IMA policy.
if (new_rule) {
new_rule=0;
next;
}
# No overlap by action (unrelated rules and no combination appraise - <do action>), new rule safe to add to the IMA policy.
if (current_rule_action_sub != new_rule_action_sub &&
(current_rule_action != "appraise" || new_rule_action ~ /^dont_/) &&
(new_rule_action != "appraise" || current_rule_action ~ /^dont_/))
next;
same_rule=1;
overlap_rule=1;
for (key in key_types) {
if (!(key in new_rule_array)) {
# Key in current rule but not in new rule.
if (key in current_rule_array)
same_rule=0;
# Key not in new rule and not in current rule.
continue;
}
if (!(key in current_rule_array)) {
# Key in new rule but not in current rule.
if (key in new_rule_array)
same_rule=0;
# Key not in current rule and not in new rule.
continue;
}
# Same value and operator.
if (new_rule_array[key] == current_rule_array[key] &&
new_rule_operator_array[key] == current_rule_operator_array[key])
continue;
# Different value and/or operator.
same_rule=0;
# Not a policy keyword, not useful to determine overlap.
if (key_types[key] != key_type_keyword)
continue;
# > < operators are not supported, cannot determine overlap.
if (new_rule_operator_array[key] != "=" || current_rule_operator_array[key] != "=")
continue;
# ^ modifier does not make disjoint sets, cannot determine overlap.
if (new_rule_array[key] ~ /^\^/ || current_rule_array[key] ~ /^\^/)
continue;
# One test command can invoke multiple hooks, cannot determine overlap from func.
if (key == "func")
continue;
# No overlap by policy keyword, new rule safe to add to the IMA policy.
overlap_rule=0;
next;
}
if (same_rule)
result=or(result, ret_same_rule_exists);
else if (overlap_rule)
result=or(result, ret_rule_overlap);
}
END {
exit result;
}

245
tests/ima_policy_check.test
View File

@ -1,245 +0,0 @@
#!/bin/bash
# SPDX-License-Identifier: GPL-2.0
#
# Copyright (C) 2023 Roberto Sassu <roberto.sassu@huawei.com>
#
# Test for ima_policy_check.awk
trap '_report_exit_and_cleanup' SIGINT SIGTERM EXIT
cd "$(dirname "$0")" || exit 1
. ./functions.sh
export PATH=$PWD:$PATH
check_result() {
local result
echo -e "\nTest: $1"
echo "New rule: $2"
echo "IMA policy: $3"
echo -n "Result (expect $4): "
echo -e "$2\n$3" | ima_policy_check.awk
result=$?
if [ "$result" -ne "$4" ]; then
echo "${RED}$result${NORM}"
return "$FAIL"
fi
echo "${GREEN}$result${NORM}"
return "$OK"
}
# ima_policy_check.awk returns a bit mask with the following values:
# - 1: invalid new rule;
# - 2: overlap of the new rule with an existing rule in the IMA policy;
# - 4: new rule exists in the IMA policy.
# Basic checks.
desc="empty IMA policy"
rule="measure func=FILE_CHECK"
ima_policy=""
expect_pass check_result "$desc" "$rule" "$ima_policy" 0
desc="Empty new rule"
rule=""
ima_policy=""
expect_pass check_result "$desc" "$rule" "$ima_policy" 1
desc="Unknown policy keyword fun"
rule="measure fun=FILE_CHECK"
ima_policy=""
expect_pass check_result "$desc" "$rule" "$ima_policy" 1
desc="Missing action"
rule="func=FILE_CHECK"
ima_policy=""
expect_pass check_result "$desc" "$rule" "$ima_policy" 1
# Non-overlapping rules.
desc="Non-overlapping by action measure/dont_appraise, same func"
rule="measure func=FILE_CHECK"
ima_policy="dont_appraise func=FILE_CHECK"
expect_pass check_result "$desc" "$rule" "$ima_policy" 0
desc="Non-overlapping by action audit/dont_appraise, same func"
rule="audit func=FILE_CHECK"
ima_policy="dont_appraise func=FILE_CHECK"
expect_pass check_result "$desc" "$rule" "$ima_policy" 0
desc="Non-overlapping by action appraise/dont_measure, same func"
rule="appraise func=FILE_CHECK"
ima_policy="dont_measure func=FILE_CHECK"
expect_pass check_result "$desc" "$rule" "$ima_policy" 0
desc="Non-overlapping by action dont_measure/hash, same func"
rule="dont_measure func=FILE_CHECK"
ima_policy="hash func=FILE_CHECK"
expect_pass check_result "$desc" "$rule" "$ima_policy" 0
desc="Non-overlapping by uid, func is equal"
rule="measure func=FILE_CHECK uid=0"
ima_policy="measure uid=1 func=FILE_CHECK"
expect_pass check_result "$desc" "$rule" "$ima_policy" 0
desc="Non-overlapping by uid, func is equal, same policy options"
rule="measure func=FILE_CHECK uid=0 permit_directio"
ima_policy="measure uid=1 func=FILE_CHECK permit_directio"
expect_pass check_result "$desc" "$rule" "$ima_policy" 0
desc="Non-overlapping by mask, func and uid are equal, same policy options"
rule="measure func=FILE_CHECK uid=0 permit_directio mask=MAY_READ"
ima_policy="measure uid=0 mask=MAY_EXEC func=FILE_CHECK permit_directio"
expect_pass check_result "$desc" "$rule" "$ima_policy" 0
desc="Non-overlapping by mask, func and uid are equal, different policy options"
rule="measure func=FILE_CHECK uid=0 permit_directio mask=MAY_READ"
ima_policy="measure uid=0 mask=MAY_EXEC func=FILE_CHECK"
expect_pass check_result "$desc" "$rule" "$ima_policy" 0
# Overlapping and different rules.
desc="same actions, different keywords"
rule="appraise func=FILE_CHECK"
ima_policy="appraise uid=0"
expect_pass check_result "$desc" "$rule" "$ima_policy" 2
desc="unrelated actions with appraise and a do action, same func"
rule="appraise func=FILE_CHECK"
ima_policy="measure func=FILE_CHECK"
expect_pass check_result "$desc" "$rule" "$ima_policy" 2
desc="unrelated actions with appraise and a do action, different func"
rule="appraise func=FILE_CHECK"
ima_policy="measure func=MMAP_CHECK"
expect_pass check_result "$desc" "$rule" "$ima_policy" 2
desc="related actions, same func"
rule="measure func=FILE_CHECK"
ima_policy="dont_measure func=FILE_CHECK"
expect_pass check_result "$desc" "$rule" "$ima_policy" 2
desc="related actions, same func, different policy options"
rule="measure func=FILE_CHECK"
ima_policy="dont_measure func=FILE_CHECK permit_directio"
expect_pass check_result "$desc" "$rule" "$ima_policy" 2
desc="related actions, same func, different policy options"
rule="measure func=FILE_CHECK permit_directio"
ima_policy="dont_measure func=FILE_CHECK"
expect_pass check_result "$desc" "$rule" "$ima_policy" 2
desc="same actions, same func, same mask with different modifier (no disjoint sets with the ^ modifier)"
rule="measure func=FILE_CHECK mask=MAY_EXEC"
ima_policy="measure func=FILE_CHECK mask=^MAY_EXEC"
expect_pass check_result "$desc" "$rule" "$ima_policy" 2
desc="same actions, same func, different mask with same modifier (no disjoint sets with the ^ modifier)"
rule="measure func=FILE_CHECK mask=^MAY_READ"
ima_policy="measure func=FILE_CHECK mask=^MAY_EXEC"
expect_pass check_result "$desc" "$rule" "$ima_policy" 2
desc="same actions, same func, different policy options"
rule="measure func=FILE_CHECK"
ima_policy="measure func=FILE_CHECK permit_directio"
expect_pass check_result "$desc" "$rule" "$ima_policy" 2
desc="same actions, same func, different policy options"
rule="measure func=FILE_CHECK permit_directio"
ima_policy="measure func=FILE_CHECK"
expect_pass check_result "$desc" "$rule" "$ima_policy" 2
desc="same actions, MMAP_CHECK and MMAP_CHECK_REQPROT hooks"
rule="measure func=MMAP_CHECK"
ima_policy="measure func=MMAP_CHECK_REQPROT"
expect_pass check_result "$desc" "$rule" "$ima_policy" 2
desc="related actions, same func, same mask with same modifier"
rule="measure func=FILE_CHECK mask=^MAY_EXEC"
ima_policy="dont_measure func=FILE_CHECK mask=^MAY_EXEC"
expect_pass check_result "$desc" "$rule" "$ima_policy" 2
desc="same actions, same func, different uid with same operator (overlap because operators are not supported)"
rule="measure func=FILE_CHECK uid>0"
ima_policy="measure func=FILE_CHECK uid>1"
expect_pass check_result "$desc" "$rule" "$ima_policy" 2
desc="same actions, same func, same uid with different operator (overlap because operators are not supported)"
rule="measure func=FILE_CHECK uid>1"
ima_policy="measure func=FILE_CHECK uid<1"
expect_pass check_result "$desc" "$rule" "$ima_policy" 2
# Overlapping and same rules.
desc="same actions, same func"
rule="appraise func=FILE_CHECK"
ima_policy="appraise func=FILE_CHECK"
expect_pass check_result "$desc" "$rule" "$ima_policy" 4
desc="same actions, same func, same mask"
rule="appraise mask=MAY_READ func=FILE_CHECK"
ima_policy="appraise func=FILE_CHECK mask=MAY_READ"
expect_pass check_result "$desc" "$rule" "$ima_policy" 4
desc="same actions, same func, same mask, same policy options"
rule="appraise mask=MAY_READ func=FILE_CHECK permit_directio appraise_type=imasig"
ima_policy="appraise func=FILE_CHECK mask=MAY_READ permit_directio appraise_type=imasig"
expect_pass check_result "$desc" "$rule" "$ima_policy" 4
desc="same actions, same func"
rule="measure func=MMAP_CHECK_REQPROT"
ima_policy="measure func=MMAP_CHECK_REQPROT"
expect_pass check_result "$desc" "$rule" "$ima_policy" 4
desc="same actions, same func with alias (PATH_CHECK = FILE_CHECK)"
rule="measure func=FILE_CHECK"
ima_policy="measure func=PATH_CHECK"
expect_pass check_result "$desc" "$rule" "$ima_policy" 4
desc="same actions, same func with alias (PATH_CHECK = FILE_CHECK), same mask with same modifiers"
rule="measure mask=^MAY_READ func=FILE_CHECK"
ima_policy="measure func=PATH_CHECK mask=^MAY_READ"
expect_pass check_result "$desc" "$rule" "$ima_policy" 4
desc="same actions, same func with alias (PATH_CHECK = FILE_CHECK) and same mask with same modifiers, same uid with same operators"
rule="measure mask=^MAY_READ uid>0 func=FILE_CHECK"
ima_policy="measure func=PATH_CHECK mask=^MAY_READ uid>0"
expect_pass check_result "$desc" "$rule" "$ima_policy" 4
desc="same actions, same func with alias (PATH_CHECK = FILE_CHECK) and same mask with same modifiers, same uid with same operators"
rule="measure mask=^MAY_READ uid<1 func=FILE_CHECK"
ima_policy="measure func=PATH_CHECK mask=^MAY_READ uid<1"
expect_pass check_result "$desc" "$rule" "$ima_policy" 4
# Overlapping and two rules (one same, one different).
desc="first: same actions, same func, second: unrelated actions with appraise and a do action"
rule="appraise func=FILE_CHECK"
ima_policy="appraise func=FILE_CHECK\nmeasure func=FILE_CHECK"
expect_pass check_result "$desc" "$rule" "$ima_policy" 6
desc="first: unrelated actions with appraise and a do action, same func, second: same actions"
rule="appraise func=FILE_CHECK"
ima_policy="measure func=FILE_CHECK\nappraise func=FILE_CHECK"
expect_pass check_result "$desc" "$rule" "$ima_policy" 6
desc="first: same actions, same func, same mask, second: different policy options"
rule="appraise mask=MAY_READ func=FILE_CHECK"
ima_policy="appraise func=FILE_CHECK mask=MAY_READ\nappraise func=FILE_CHECK mask=MAY_READ permit_directio"
expect_pass check_result "$desc" "$rule" "$ima_policy" 6
desc="first: same actions, same func with alias (PATH_CHECK = FILE_CHECK), same mask, second: different policy options"
rule="appraise mask=MAY_READ func=FILE_CHECK"
ima_policy="appraise func=PATH_CHECK mask=MAY_READ\nappraise func=FILE_CHECK mask=MAY_READ permit_directio"
expect_pass check_result "$desc" "$rule" "$ima_policy" 6
# Non-overlapping and three rules.
desc="same actions, same func and mask, different uid"
rule="appraise mask=MAY_READ func=FILE_CHECK uid=0"
ima_policy="appraise mask=MAY_READ func=FILE_CHECK uid=1\nappraise mask=MAY_READ func=FILE_CHECK uid=2\nappraise mask=MAY_READ func=FILE_CHECK uid=3"
expect_pass check_result "$desc" "$rule" "$ima_policy" 0
desc="same actions, same func and mask, different uid, except one that is the same"
rule="appraise mask=MAY_READ func=FILE_CHECK uid=0"
ima_policy="appraise mask=MAY_READ func=FILE_CHECK uid=1\nappraise mask=MAY_READ func=FILE_CHECK uid=0\nappraise mask=MAY_READ func=FILE_CHECK uid=3"
expect_pass check_result "$desc" "$rule" "$ima_policy" 4

6
tests/install-fsverity.sh
View File

@ -1,6 +0,0 @@
#!/bin/sh
git clone https://git.kernel.org/pub/scm/fs/fsverity/fsverity-utils.git
cd fsverity-utils
CC=gcc make -j$(nproc)
cd ..

6
tests/install-mount-idmapped.sh
View File

@ -1,6 +0,0 @@
#!/bin/sh
git clone https://github.com/brauner/mount-idmapped.git
cd mount-idmapped
gcc -o mount-idmapped mount-idmapped.c
cd ..

30
tests/install-openssl3.sh
View File

@ -1,30 +0,0 @@
#!/bin/bash
set -ex
if [ -z "$COMPILE_SSL" ]; then
echo "Missing \$COMPILE_SSL!" >&2
exit 1
fi
version=${COMPILE_SSL}
wget --no-check-certificate https://github.com/openssl/openssl/archive/refs/tags/${version}.tar.gz
tar --no-same-owner -xzf ${version}.tar.gz
cd openssl-${version}
if [ "$VARIANT" = "i386" ]; then
echo "32-bit compilation"
FLAGS="-m32 linux-generic32"
fi
./Configure $FLAGS no-engine no-dynamic-engine --prefix=/opt/openssl3 --openssldir=/opt/openssl3
# Uncomment for debugging
# perl configdata.pm --dump | grep engine
make -j$(nproc)
# only install apps and library
sudo make install_sw
cd ..
rm -rf ${version}.tar.gz
rm -rf openssl-${version}

21
tests/install-swtpm.sh
View File

@ -1,21 +0,0 @@
#!/bin/sh -ex
# No need to run via sudo if we already have permissions.
# Also, some distros do not have sudo configured for root:
# `root is not in the sudoers file. This incident will be reported.'
if [ -w /usr/local/bin ]; then
SUDO=
else
SUDO=sudo
fi
version=1682
wget --no-check-certificate https://sourceforge.net/projects/ibmswtpm2/files/ibmtpm${version}.tar.gz/download
mkdir ibmtpm$version
cd ibmtpm$version
tar --no-same-owner -xvzf ../download
cd src
make -j$(nproc)
$SUDO cp tpm_server /usr/local/bin/
cd ../..

8
tests/install-tss.sh
View File

@ -1,8 +0,0 @@
#!/bin/sh
set -ex
git clone https://git.code.sf.net/p/ibmtpm20tss/tss
cd tss
autoreconf -i && ./configure --disable-tpm-1.2 --disable-hwtpm && make -j$(nproc) && sudo make install
cd ..
rm -rf tss

407
tests/mmap_check.test
View File

@ -1,407 +0,0 @@
#!/bin/bash
# SPDX-License-Identifier: GPL-2.0
#
# Copyright (C) 2022-2023 Roberto Sassu <roberto.sassu@huawei.com>
#
# Check the behavior of MMAP_CHECK and MMAP_CHECK_REQPROT
trap '_report_exit_and_cleanup _cleanup_env cleanup' SIGINT SIGTERM SIGSEGV EXIT
PATCHES=(
'ima: Align ima_file_mmap() parameters with mmap_file LSM hook'
'ima: Introduce MMAP_CHECK_REQPROT hook'
)
RET_INVALID_RULE=$((0x0001))
RET_RULE_OVERLAP=$((0x0002))
RET_SAME_RULE_EXISTS=$((0x0004))
EVM_INIT_HMAC=$((0x0001))
EVM_INIT_X509=$((0x0002))
# Base VERBOSE on the environment variable, if set.
VERBOSE="${VERBOSE:-0}"
# Errors defined in test_mmap
ERR_SETUP=1
ERR_TEST=2
cd "$(dirname "$0")" || exit 1
export PATH=$PWD/../src:$PWD:$PATH
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH
. ./functions.sh
_require evmctl
cleanup() {
if [ "$g_loop_mounted" = "1" ]; then
popd > /dev/null || exit "$FAIL"
umount "$g_mountpoint"
fi
if [ -n "$g_dev" ]; then
losetup -d "$g_dev"
fi
if [ -n "$g_image" ]; then
rm -f "$g_image"
fi
if [ -n "$g_mountpoint" ]; then
rm -Rf "$g_mountpoint"
fi
if [ -n "$g_key_path_der" ]; then
rm -f "$g_key_path_der"
fi
}
# Use the fsuuid= IMA policy keyword to select only files created/used by the
# tests below. Also use fowner= to differentiate between files created/used by
# individual tests.
IMA_UUID="28b23254-9467-44c0-b6ba-34b12e85a26e"
MEASURE_MMAP_CHECK_FOWNER=2000
MEASURE_MMAP_CHECK_REQPROT_FOWNER=2001
MEASURE_MMAP_CHECK_RULE="measure func=MMAP_CHECK fsmagic=0xef53 fsuuid=$IMA_UUID fowner=$MEASURE_MMAP_CHECK_FOWNER"
MEASURE_MMAP_CHECK_REQPROT_RULE="measure func=MMAP_CHECK_REQPROT fsmagic=0xef53 fsuuid=$IMA_UUID fowner=$MEASURE_MMAP_CHECK_REQPROT_FOWNER"
APPRAISE_MMAP_CHECK_FOWNER=2002
APPRAISE_MMAP_CHECK_REQPROT_FOWNER=2003
APPRAISE_MMAP_CHECK_RULE="appraise func=MMAP_CHECK fsmagic=0xef53 fsuuid=$IMA_UUID fowner=$APPRAISE_MMAP_CHECK_FOWNER"
APPRAISE_MMAP_CHECK_REQPROT_RULE="appraise func=MMAP_CHECK_REQPROT fsmagic=0xef53 fsuuid=$IMA_UUID fowner=$APPRAISE_MMAP_CHECK_REQPROT_FOWNER"
check_load_ima_rule() {
local result new_policy color
echo -e "$1\n$(cat /sys/kernel/security/ima/policy)" | ima_policy_check.awk
result=$?
if [ $((result & RET_INVALID_RULE)) -eq $RET_INVALID_RULE ]; then
echo "${RED}Invalid rule${NORM}"
return "$HARDFAIL"
fi
if [ $((result & RET_RULE_OVERLAP)) -eq $RET_RULE_OVERLAP ]; then
color=${YELLOW}
if [ -n "$TST_ENV" ]; then
color=${RED}
fi
echo "${color}Possible interference with existing IMA policy rule${NORM}"
if [ -n "$TST_ENV" ]; then
return "$HARDFAIL"
fi
fi
if [ $((result & RET_SAME_RULE_EXISTS)) -eq $RET_SAME_RULE_EXISTS ]; then
return "$OK"
fi
new_policy=$(mktemp -p "$g_mountpoint")
echo "$1" > "$new_policy"
echo "$new_policy" > /sys/kernel/security/ima/policy
result=$?
rm -f "$new_policy"
if [ "$result" -ne 0 ]; then
echo "${RED}Failed to set IMA policy${NORM}"
return "$HARDFAIL"
fi
return "$OK"
}
check_mmap() {
local hook="$1"
local arg="$2"
local test_file fowner rule result test_file_entry
echo -e "\nTest: ${FUNCNAME[0]} (hook=\"$hook\", test_mmap arg: \"$arg\")"
if ! test_file=$(mktemp -p "$PWD"); then
echo "${RED}Cannot create $test_file${NORM}"
return "$HARDFAIL"
fi
if ! echo "test" > "$test_file"; then
echo "${RED}Cannot write $test_file${NORM}"
return "$FAIL"
fi
fowner="$MEASURE_MMAP_CHECK_FOWNER"
rule="$MEASURE_MMAP_CHECK_RULE"
if [ "$hook" = "MMAP_CHECK_REQPROT" ]; then
fowner="$MEASURE_MMAP_CHECK_REQPROT_FOWNER"
rule="$MEASURE_MMAP_CHECK_REQPROT_RULE"
fi
if ! chown "$fowner" "$test_file"; then
echo "${RED}Cannot change owner of $test_file${NORM}"
return "$HARDFAIL"
fi
check_load_ima_rule "$rule"
result=$?
if [ $result -ne "$OK" ]; then
return $result
fi
test_mmap "$test_file" "$arg"
result=$?
if [ $result -ne 0 ] && [ $result -ne "$ERR_TEST" ]; then
echo "${RED}Unexpected exit status $result from test_mmap${NORM}"
return "$HARDFAIL"
fi
if [ "$TFAIL" != "yes" ]; then
echo -n "Result (expect found): "
else
echo -n "Result (expect not found): "
fi
test_file_entry=$(awk '$5 == "'"$test_file"'"' < /sys/kernel/security/ima/ascii_runtime_measurements)
if [ -z "$test_file_entry" ]; then
if [ "$TFAIL" != "yes" ]; then
echo "${RED}not found${NORM}"
else
echo "${GREEN}not found${NORM}"
fi
return "$FAIL"
fi
if [ "$TFAIL" != "yes" ]; then
echo "${GREEN}found${NORM}"
else
echo "${RED}found${NORM}"
fi
if [ "$VERBOSE" -gt 0 ]; then
echo "$test_file_entry"
fi
return "$OK"
}
check_deny() {
local hook="$1"
local arg="$2"
local test_file fowner rule result
echo -e "\nTest: ${FUNCNAME[0]} (hook=\"$hook\", test_mmap arg: \"$arg\")"
if ! test_file=$(mktemp -p "$PWD"); then
echo "${RED}Cannot create $test_file${NORM}"
return "$HARDFAIL"
fi
if ! echo "test" > "$test_file"; then
echo "${RED}Cannot write $test_file${NORM}"
return "$FAIL"
fi
if ! evmctl ima_sign -a sha256 --key "$g_key_path" "$test_file" &> /dev/null; then
echo "${RED}Cannot sign $test_file${NORM}"
return "$HARDFAIL"
fi
fowner="$APPRAISE_MMAP_CHECK_FOWNER"
rule="$APPRAISE_MMAP_CHECK_RULE"
if [ "$hook" = "MMAP_CHECK_REQPROT" ]; then
fowner="$APPRAISE_MMAP_CHECK_REQPROT_FOWNER"
rule="$APPRAISE_MMAP_CHECK_REQPROT_RULE"
fi
if ! chown "$fowner" "$test_file"; then
echo "${RED}Cannot change owner of $test_file${NORM}"
return "$HARDFAIL"
fi
check_load_ima_rule "$rule"
result=$?
if [ $result -ne "$OK" ]; then
return $result
fi
test_mmap "$test_file" exec
result=$?
if [ $result -ne 0 ] && [ $result -ne "$ERR_TEST" ]; then
echo "${RED}Unexpected exit status $result from test_mmap${NORM}"
return "$HARDFAIL"
fi
test_mmap "$test_file" "$arg"
result=$?
if [ $result -ne 0 ] && [ $result -ne "$ERR_TEST" ]; then
echo "${RED}Unexpected exit status $result from test_mmap${NORM}"
return "$HARDFAIL"
fi
if [ "$TFAIL" != "yes" ]; then
echo -n "Result (expect denied): "
else
echo -n "Result (expect allowed): "
fi
if [ $result -eq 0 ]; then
if [ "$TFAIL" != "yes" ]; then
echo "${RED}allowed${NORM}"
else
echo "${GREEN}allowed${NORM}"
fi
return "$FAIL"
fi
if [ "$TFAIL" != "yes" ]; then
echo "${GREEN}denied${NORM}"
else
echo "${RED}denied${NORM}"
fi
return "$OK"
}
# Run in the new environment if TST_ENV is set.
_run_env "$TST_KERNEL" "$PWD/$(basename "$0")" "TST_ENV=$TST_ENV TST_KERNEL=$TST_KERNEL PATH=$PATH LD_LIBRARY_PATH=$LD_LIBRARY_PATH VERBOSE=$VERBOSE TST_KEY_PATH=$TST_KEY_PATH"
# Exit from the creator of the new environment.
_exit_env "$TST_KERNEL"
# Mount filesystems in the new environment.
_init_env
if [ "$(whoami)" != "root" ]; then
echo "${CYAN}This script must be executed as root${NORM}"
exit "$SKIP"
fi
if [ ! -f /sys/kernel/security/ima/policy ]; then
echo "${CYAN}IMA policy file not found${NORM}"
exit "$SKIP"
fi
if ! cat /sys/kernel/security/ima/policy &> /dev/null; then
echo "${CYAN}IMA policy file is not readable${NORM}"
exit "$SKIP"
fi
if [ -n "$TST_KEY_PATH" ]; then
if [ "${TST_KEY_PATH:0:1}" != "/" ]; then
echo "${RED}Absolute path required for the signing key${NORM}"
exit "$FAIL"
fi
if [ ! -f "$TST_KEY_PATH" ]; then
echo "${RED}Kernel signing key not found in $TST_KEY_PATH${NORM}"
exit "$FAIL"
fi
g_key_path="$TST_KEY_PATH"
elif [ -f "$PWD/../signing_key.pem" ]; then
g_key_path="$PWD/../signing_key.pem"
elif [ -f "/lib/modules/$(uname -r)/source/certs/signing_key.pem" ]; then
g_key_path="/lib/modules/$(uname -r)/source/certs/signing_key.pem"
elif [ -f "/lib/modules/$(uname -r)/build/certs/signing_key.pem" ]; then
g_key_path="/lib/modules/$(uname -r)/build/certs/signing_key.pem"
else
echo "${CYAN}Kernel signing key not found${NORM}"
exit "$SKIP"
fi
evm_value=$(cat /sys/kernel/security/evm)
if [ $((evm_value & EVM_INIT_X509)) -eq "$EVM_INIT_X509" ]; then
if [ $((evm_value & EVM_INIT_HMAC)) -ne "$EVM_INIT_HMAC" ]; then
echo "${CYAN}Incompatible EVM mode $evm_value${NORM}"
exit "$SKIP"
fi
fi
g_key_path_der=$(mktemp)
openssl x509 -in "$g_key_path" -out "$g_key_path_der" -outform der
if ! keyctl padd asymmetric pubkey %keyring:.ima < "$g_key_path_der" &> /dev/null; then
echo "${RED}Public key cannot be added to the IMA keyring${NORM}"
exit "$FAIL"
fi
g_mountpoint=$(mktemp -d)
g_image=$(mktemp)
if [ -z "$g_mountpoint" ]; then
echo "${RED}Mountpoint directory not created${NORM}"
exit "$FAIL"
fi
if ! dd if=/dev/zero of="$g_image" bs=1M count=20 &> /dev/null; then
echo "${RED}Cannot create test image${NORM}"
exit "$FAIL"
fi
g_dev=$(losetup -f "$g_image" --show)
if [ -z "$g_dev" ]; then
echo "${RED}Cannot create loop device${NORM}"
exit "$FAIL"
fi
if ! mkfs.ext4 -U "$IMA_UUID" -b 4096 "$g_dev" &> /dev/null; then
echo "${RED}Cannot format $g_dev${NORM}"
exit "$FAIL"
fi
if ! mount -o iversion "$g_dev" "$g_mountpoint"; then
echo "${RED}Cannot mount loop device${NORM}"
exit "$FAIL"
fi
g_loop_mounted=1
pushd "$g_mountpoint" > /dev/null || exit "$FAIL"
# Ensure that IMA does not add a new measurement entry if an application calls
# mmap() with PROT_READ, and a policy rule contains the MMAP_CHECK hook.
# In this case, both the protections requested by the application and the final
# protections applied by the kernel contain only PROT_READ, so there is no
# match with the IMA rule, which expects PROT_EXEC to be set.
expect_fail check_mmap "MMAP_CHECK" ""
# Ensure that IMA adds a new measurement entry if an application calls mmap()
# with PROT_READ | PROT_EXEC, and a policy rule contains the MMAP_CHECK hook.
expect_pass check_mmap "MMAP_CHECK" "exec"
# Same as in the first test, but in this case the application calls the
# personality() system call with READ_IMPLIES_EXEC, which causes the kernel to
# add PROT_EXEC in the final protections passed to the MMAP_CHECK hook.
#
# Ensure that the bug introduced by 98de59bfe4b2 ("take calculation of final
# protections in security_mmap_file() into a helper") is fixed, by passing the
# final protections again to the MMAP_CHECK hook. Due to the bug, the hook
# received the protections requested by the application. Since those protections
# don't have PROT_EXEC, IMA was not creating a measurement entry.
expect_pass_if '0' check_mmap "MMAP_CHECK" "read_implies_exec"
# Repeat the previous three tests, but with the new MMAP_CHECK_REQPROT hook,
# which behaves like the buggy MMAP_CHECK hook. In the third test, expect that
# no new measurement entry is created, since the MMAP_CHECK_REQPROT hook sees
# the protections requested by the application (PROT_READ).
expect_fail_if '1' check_mmap "MMAP_CHECK_REQPROT" ""
expect_pass_if '1' check_mmap "MMAP_CHECK_REQPROT" "exec"
expect_fail_if '1' check_mmap "MMAP_CHECK_REQPROT" "read_implies_exec"
# Ensure that IMA refuses an mprotect() with PROT_EXEC on a memory area
# obtained with an mmap() with PROT_READ. This is due to the inability of IMA
# to measure/appraise the file for which mmap() was called (locking issue).
expect_pass check_deny "MMAP_CHECK" "mprotect"
# Ensure that MMAP_CHECK_REQPROT has the same behavior of MMAP_CHECK for the
# previous test.
expect_pass_if '1' check_deny "MMAP_CHECK_REQPROT" "mprotect"
# Ensure that there cannot be an mmap() with PROT_EXEC on a file with writable
# mappings, due to the inability of IMA to make a reliable measurement of that
# file.
expect_pass check_deny "MMAP_CHECK" "exec_on_writable"
# Ensure that MMAP_CHECK_REQPROT has the same behavior of MMAP_CHECK for the
# previous test.
expect_pass_if '1' check_deny "MMAP_CHECK_REQPROT" "exec_on_writable"

1122
tests/portable_signatures.test
View File

File diff suppressed because it is too large Load Diff

1
tests/sample-ascii_runtime_measurements-pcrs-8-9
View File

@ -1 +0,0 @@
10 2e03b3fdb0014fc8bae2a07ca33ae67125b290f3 ima-ng sha256:83d19723ef3b3c05bb8ae70d86b3886c158f2408f1b71ed265886a7b79eb700e boot_aggregate

BIN
tests/sample-binary_bios_measurements-pcrs-8-9
View File

Binary file not shown.

25
tests/sample-tpm-2.0-pcrs-8-9
View File

@ -1,25 +0,0 @@
pcrread: tsspcrread -halg sha1
0: 92c1850372e9493929aa9a2e9ea953e21ff1be45
1: 41c54039ca2750ea60d8ab7c48b142b10aba5667
2: b2a83b0ebf2f8374299a5b2bdfc31ea955ad7236
3: b2a83b0ebf2f8374299a5b2bdfc31ea955ad7236
4: 4c1a19aad90f770956ff5ee00334a2d548b1a350
5: a1444a8a9904666165730168b3ae489447d3cef7
6: b2a83b0ebf2f8374299a5b2bdfc31ea955ad7236
7: 5c6327a67ff36f138e0b7bb1d2eafbf8a6e52ebf
8: fed489d2e5f9f85136e5ff53553d5f8b978dbe1a
9: a2fa191f2622bb014702013bfebfca9fe210d9e5
10: 3134641a3e8a1f5f75fa850bb21c3104d6ab863b
11: 0000000000000000000000000000000000000000
12: 0000000000000000000000000000000000000000
13: 0000000000000000000000000000000000000000
14: 71161a5707051fa7d6f584d812240b2e80f61942
15: 0000000000000000000000000000000000000000
16: 0000000000000000000000000000000000000000
17: ffffffffffffffffffffffffffffffffffffffff
18: ffffffffffffffffffffffffffffffffffffffff
19: ffffffffffffffffffffffffffffffffffffffff
20: ffffffffffffffffffffffffffffffffffffffff
21: ffffffffffffffffffffffffffffffffffffffff
22: ffffffffffffffffffffffffffffffffffffffff
23: 0000000000000000000000000000000000000000

451
tests/sign_verify.test
View File

@ -1,451 +0,0 @@
#!/bin/bash
# SPDX-License-Identifier: GPL-2.0
#
# evmctl {,ima_}{sign,verify} tests
#
# Copyright (C) 2020 Vitaly Chikunov <vt@altlinux.org>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
cd "$(dirname "$0")" || exit 1
PATH=../src:$PATH
# set the env SIGV1=1 to execute the signature v1 tests
SIGV1=${SIGV1:-0}
source ./functions.sh
_require cmp evmctl getfattr openssl xxd
if cmp -b 2>&1 | grep -q "invalid option"; then
echo "cmp does not support -b (cmp from busybox?) Use cmp from diffutils"
exit "$HARDFAIL"
fi
./gen-keys.sh >/dev/null 2>&1
trap _report_exit_and_cleanup EXIT
WORKDIR=$(mktemp -d)
set -f # disable globbing
# Determine keyid from a cert
_keyid_from_cert() {
local cer=${1%.*}.cer cmd
local tmp
cer=test-${cer#test-}
# shellcheck disable=SC2086
cmd="openssl x509 $OPENSSL_ENGINE \
-in $cer -inform DER -pubkey -noout"
id=$($cmd 2>/dev/null \
| openssl asn1parse \
| grep BIT.STRING \
| tail -n1 \
| cut -d: -f1)
if [ -z "$id" ]; then
echo - "$cmd" >&2
echo "Cannot asn1parse $cer to determine keyid" >&2
exit 1
fi
tmp=$(mktemp)
# shellcheck disable=SC2086
openssl x509 $OPENSSL_ENGINE \
-in "$cer" -inform DER -pubkey -noout 2>/dev/null \
| openssl asn1parse -strparse "$id" -out "$tmp" -noout
# shellcheck disable=SC2002
cat "$tmp" \
| openssl dgst -c -sha1 \
| cut -d' ' -f2 \
| grep -o ":..:..:..:..$" \
| tr -d :
rm -f "$tmp"
}
# Convert test $type into evmctl op prefix
_op() {
if [ "$1" = ima ]; then
echo ima_
fi
}
# Convert test $type into xattr name
_xattr() {
if [ "$1" = ima ]; then
echo user.ima
else
echo user.evm
fi
}
# Check that detached signature matches xattr signature
_test_sigfile() {
local file=$1 attr=$2 file_sig=$3 file_sig2=$4
if [ ! -e "$file_sig" ]; then
color_red
echo "evmctl ima_sign: no detached signature $file_sig"
color_restore
rm "$file"
return "$FAIL"
fi
_extract_xattr "$file" "$attr" "$file_sig2"
if ! cmp -bl "$file_sig" "$file_sig2"; then
color_red
echo "evmctl ima_sign: xattr signature on $file differ from detached $file_sig"
color_restore
rm "$file" "$file_sig" "$file_sig2"
return "$FAIL"
fi
# Leave '$file_sig' for ima_verify --sigfile test.
rm "$file_sig2"
}
# Run single sign command
_evmctl_sign() {
local type=$1 key=$2 alg=$3 file=$4 opts=$5
# Can check --sigfile for ima_sign
[ "$type" = ima ] && opts+=" --sigfile"
# shellcheck disable=SC2086
ADD_TEXT_FOR="$alg ($key)" ADD_DEL=$file \
_evmctl_run "$(_op "$type")sign" $opts \
--hashalgo "$alg" --key "$key" --xattr-user "$file" || return
if [ "$type" = ima ]; then
_test_sigfile "$file" "$(_xattr "$type")" "$file.sig" "$file.sig2"
fi
}
# Run and test {ima_,}sign operation
check_sign() {
# Arguments are passed via global vars:
# TYPE (ima or evm),
# KEY,
# ALG (hash algo),
# PREFIX (signature header prefix in hex),
# OPTS (additional options for evmctl),
# FILE (working file to sign).
local "$@"
local key verifykey
local FILE=${FILE:-$ALG.txt}
# Normalize key filename if it's not a pkcs11 URI
if [ ${KEY:0:7} != pkcs11: ]; then
key=${KEY%.*}.key
key=test-${key#test-}
else
key=${KEY}
fi
# Append suffix to files for negative tests, because we may
# leave only good files for verify tests.
_test_expected_to_fail && FILE+='~'
rm -f $FILE
if ! touch $FILE; then
color_red
echo "Can't create test file: $FILE"
color_restore
return "$HARDFAIL"
fi
if _test_expected_to_pass; then
# Can openssl work with this digest?
cmd="openssl dgst $OPENSSL_ENGINE $OPENSSL_KEYFORM -$ALG $FILE"
echo - "$cmd"
if ! $cmd >/dev/null; then
echo "${CYAN}$ALG ($key) test is skipped (openssl is unable to digest)$NORM"
return "$SKIP"
fi
if [ "${key:0:7}" != pkcs11: ] && [ ! -e "$key" ]; then
echo "${CYAN}$ALG ($key) test is skipped (key file not found)$NORM"
return "$SKIP"
fi
# Can openssl sign with this digest and key?
cmd="openssl dgst $OPENSSL_ENGINE $OPENSSL_KEYFORM -$ALG -sign $key -hex $FILE"
echo - "$cmd"
if ! $cmd >/dev/null; then
echo "${CYAN}$ALG ($key) test is skipped (openssl is unable to sign)$NORM"
return "$SKIP"
fi
fi
# Insert keyid from cert into PREFIX in-place of marker `:K:'
if [[ $PREFIX =~ :K: ]]; then
keyid=$(_keyid_from_cert "$key")
if [ $? -ne 0 ]; then
color_red
echo "Unable to determine keyid for $key"
color_restore
return "$HARDFAIL"
fi
[ "$VERBOSE" -gt 2 ] && echo " Expected keyid: $keyid"
PREFIX=${PREFIX/:K:/$keyid}
fi
# Perform signing by evmctl
_evmctl_sign "$TYPE" "$key" "$ALG" "$FILE" "$OPTS" || return
# First simple pattern match the signature.
ADD_TEXT_FOR=$ALG \
_test_xattr "$FILE" "$(_xattr "$TYPE")" "$PREFIX.*" || return
# This is all we can do for v1 signatures.
[[ "$OPTS" =~ --rsa ]] && return "$OK"
# This is all we can do for evm.
[[ "$TYPE" =~ evm ]] && return "$OK"
# When using the SM2/3 algorithm, the openssl tool uses USERID for verify,
# which is incompatible with calling API directly, so skip it.
[[ "$ALG" == sm3 ]] && return "$OK"
# Extract signature to a file
_extract_xattr "$FILE" "$(_xattr "$TYPE")" "$FILE.sig2" "$PREFIX"
# Verify extracted signature with openssl
if [ "${key:0:7}" != pkcs11: ]; then
verifykey=${key%.*}.pub
else
verifykey=${key}
fi
cmd="openssl dgst $OPENSSL_ENGINE $OPENSSL_KEYFORM -$ALG -verify ${verifykey} \
-signature $FILE.sig2 $FILE"
echo - "$cmd"
if ! $cmd; then
color_red_on_failure
echo "Signature v2 verification with openssl is failed."
color_restore
rm "$FILE.sig2"
return "$FAIL"
fi
rm "$FILE.sig2"
return "$OK"
}
# Test verify operation
check_verify() {
# Arguments are passed via global vars:
# TYPE (ima or evm),
# KEY,
# ALG (hash algo),
# OPTS (additional options for evmctl),
# FILE (filename to verify).
local "$@"
# shellcheck disable=SC2086
if ! openssl dgst $OPENSSL_ENGINE -"$ALG" /dev/null >/dev/null 2>&1; then
echo $CYAN"$ALG ($KEY) test is skipped (openssl does not support $ALG)"$NORM
return $SKIP
fi
# shellcheck disable=SC2086
ADD_TEXT_FOR="$FILE ($KEY)" \
_evmctl_run "$(_op "$TYPE")verify" --key "$KEY" --xattr-user $OPTS "$FILE"
}
# Test runners
# Perform sign and verify ima and evm testing
sign_verify() {
local key=$1 alg=$2 prefix="$3" opts="$4"
local file=$alg.txt
# Set defaults:
# Public key is different for v1 and v2 (where x509 cert is used).
if [[ $opts =~ --rsa ]]; then
KEY=test-$key.pub
else
KEY=test-$key.cer
fi
ALG=$alg
PREFIX=$prefix
OPTS=$opts
FILE=$file
TYPE=ima
if expect_pass check_sign; then
# Normal verify with proper key should pass
expect_pass check_verify
expect_pass check_verify OPTS="--sigfile"
# Multiple files and some don't verify
expect_fail check_verify FILE="/dev/null $file"
rm "$FILE.sig"
fi
TYPE=evm
# Avoid running blkid for evm tests which may require root
# No generation on overlayfs:
# ioctl(3, FS_IOC_GETVERSION, 0x7ffd8e0bd628) = -1 ENOTTY (Inappropriate ioctl for device)
OPTS="$opts --uuid --generation 0"
if expect_pass check_sign; then
# Normal verify with proper key
expect_pass check_verify
# Verify with wrong key
expect_fail check_verify KEY=rsa2048
fi
# Note: Leaving TYPE=evm and file is evm signed
}
# Test --keys
try_different_keys() {
# This run after sign_verify which leaves
# TYPE=evm and file is evm signed
# v2 signing can work with multiple keys in --key option
if [[ ! $OPTS =~ --rsa ]]; then
# Have correct key in the key list
expect_pass check_verify KEY="test-rsa2048.cer,$KEY"
expect_pass check_verify KEY="/dev/null,$KEY,"
fi
# Try key that is not used for signing
expect_fail check_verify KEY=rsa2048
# Try completely wrong key files
expect_fail check_verify KEY=/dev/null
expect_fail check_verify KEY=/dev/zero
}
try_different_sigs() {
# TYPE=evm and file is evm signed
# Test --imasig
if expect_pass check_sign OPTS="$OPTS --imasig"; then
# Verify both evm and ima sigs
expect_pass check_verify
expect_pass check_verify TYPE=ima
fi
# Test --imahash
if expect_pass check_sign OPTS="$OPTS --imahash"; then
expect_pass check_verify
# IMA hash is not verifiable by ima_verify
expect_fail check_verify TYPE=ima
fi
# Test --portable (only supported for V2 signatures)
if expect_pass check_sign OPTS="$OPTS --portable --imahash" PREFIX=0x05; then
if [[ "$OPTS" =~ --rsa ]]; then
expect_fail check_verify
else
expect_pass check_verify
fi
fi
# Test -i (immutable)
expect_pass check_sign OPTS="$OPTS -i" PREFIX=0x0303
# Cannot be verified for now
}
# Single test args: type key hash signature-prefix "evmctl-options"
# sign_verify args: key hash signature-prefix "evmctl-options"
# Only single test can be prefixed with expect_{fail,pass}
# `sign_verify' can not be prefixed with expect_{fail,pass} because
# it runs multiple tests inside. See more tests there.
# signature-prefix can contain `:K:' which will be resolved to keyid (v2 only)
## Test v1 signatures
# Signature v1 only supports sha1 and sha256 so any other should fail
if [ $SIGV1 -eq 0 ]; then
__skip() { echo "IMA signature v1 tests are skipped: not supported"; return $SKIP; }
expect_pass __skip
else
expect_fail \
check_sign TYPE=ima KEY=rsa1024 ALG=md5 PREFIX=0x0301 OPTS=--rsa
sign_verify rsa1024 sha1 0x0301 --rsa
sign_verify rsa1024 sha256 0x0301 --rsa
try_different_keys
try_different_sigs
fi
## Test v2 signatures with RSA PKCS#1
# List of allowed hashes much greater but not all are supported.
sign_verify rsa1024 md5 0x030201:K:0080
sign_verify rsa1024 sha1 0x030202:K:0080
sign_verify rsa1024 sha224 0x030207:K:0080
expect_pass check_sign TYPE=ima KEY=rsa1024 ALG=sha256 PREFIX=0x030204aabbccdd0080 OPTS=--keyid=aabbccdd
expect_pass check_sign TYPE=ima KEY=rsa1024 ALG=sha256 PREFIX=0x030204:K:0080 OPTS=--keyid-from-cert=test-rsa1024.cer
expect_pass check_sign TYPE=ima KEY=rsa1024_skid ALG=sha256 PREFIX=0x030204123456780080
sign_verify rsa1024 sha256 0x030204:K:0080
try_different_keys
try_different_sigs
sign_verify rsa1024 sha384 0x030205:K:0080
sign_verify rsa1024 sha512 0x030206:K:0080
sign_verify rsa1024 rmd160 0x030203:K:0080
# Test v2 signatures with ECDSA
# Signature length is typically 0x34-0x38 bytes long, very rarely 0x33
sign_verify prime192v1 sha1 0x030202:K:003[345678]
sign_verify prime192v1 sha224 0x030207:K:003[345678]
sign_verify prime192v1 sha256 0x030204:K:003[345678]
sign_verify prime192v1 sha384 0x030205:K:003[345678]
sign_verify prime192v1 sha512 0x030206:K:003[345678]
# Signature length is typically 0x44-0x48 bytes long, very rarely 0x43
sign_verify prime256v1 sha1 0x030202:K:004[345678]
sign_verify prime256v1 sha224 0x030207:K:004[345678]
sign_verify prime256v1 sha256 0x030204:K:004[345678]
sign_verify prime256v1 sha384 0x030205:K:004[345678]
sign_verify prime256v1 sha512 0x030206:K:004[345678]
# If openssl 3.0 is installed, test the SM2/3 algorithm combination
ssl_major_version=$(openssl version | sed -n 's/^OpenSSL \([^\.]\).*/\1/p')
if [ "${ssl_major_version}" = 3 ]; then
sign_verify sm2 sm3 0x030211:K:004[345678]
else
__skip() { echo "sm2/sm3 tests are skipped (ssl version)"; return $SKIP; }
expect_pass __skip
fi
# Test v2 signatures with EC-RDSA
_enable_gost_engine
sign_verify gost2012_256-A md_gost12_256 0x030212:K:0040
sign_verify gost2012_256-B md_gost12_256 0x030212:K:0040
sign_verify gost2012_256-C md_gost12_256 0x030212:K:0040
sign_verify gost2012_512-A md_gost12_512 0x030213:K:0080
sign_verify gost2012_512-B md_gost12_512 0x030213:K:0080
# Test if signing with wrong key length does not work.
expect_fail \
check_sign TYPE=ima KEY=gost2012_512-B ALG=md_gost12_256 PREFIX=0x0302 OPTS=
expect_fail \
check_sign TYPE=ima KEY=gost2012_256-B ALG=md_gost12_512 PREFIX=0x0302 OPTS=
# Test signing with key described by pkcs11 URI
_softhsm_setup "${WORKDIR}"
if [ -n "${PKCS11_KEYURI}" ]; then
expect_pass check_sign FILE=pkcs11test TYPE=ima KEY=${PKCS11_KEYURI} ALG=sha256 PREFIX=0x030204aabbccdd0100 OPTS=--keyid=aabbccdd
expect_pass check_sign FILE=pkcs11test TYPE=ima KEY=${PKCS11_KEYURI} ALG=sha1 PREFIX=0x030202aabbccdd0100 OPTS=--keyid=aabbccdd
else
# to have a constant number of tests, skip these two tests
__skip() { echo "pkcs11 test is skipped: could not setup softhsm"; return $SKIP; }
expect_pass __skip
expect_pass __skip
fi
_softhsm_teardown "${WORKDIR}"

293
tests/softhsm_setup
View File

@ -1,293 +0,0 @@
#!/usr/bin/env bash
# SPDX-License-Identifier: GPL-2.0 and BSD-3-clause
# This program originates from 'swtpm' project (https://github.com/stefanberger/swtpm/)
if [ -z "$(type -P p11tool)" ]; then
echo "Need p11tool from gnutls"
exit 77
fi
if [ -z "$(type -P softhsm2-util)" ]; then
echo "Need softhsm2-util from softhsm2 package"
exit 77
fi
MAJOR=$(softhsm2-util -v | cut -d '.' -f1)
MINOR=$(softhsm2-util -v | cut -d '.' -f2)
if [ ${MAJOR} -lt 2 ] || [ ${MAJOR} -eq 2 -a ${MINOR} -lt 2 ]; then
echo "Need softhsm v2.2.0 or later"
exit 77
fi
NAME=swtpm-test
PIN=${PIN:-1234}
SO_PIN=${SO_PIN:-1234}
SOFTHSM_SETUP_CONFIGDIR=${SOFTHSM_SETUP_CONFIGDIR:-~/.config/softhsm2}
export SOFTHSM2_CONF=${SOFTHSM_SETUP_CONFIGDIR}/softhsm2.conf
UNAME_S="$(uname -s)"
case "${UNAME_S}" in
Darwin)
msg=$(sudo -v -n)
if [ $? -ne 0 ]; then
echo "Need password-less sudo rights on OS X to change /etc/gnutls/pkcs11.conf"
exit 1
fi
;;
esac
teardown_softhsm() {
local configdir=${SOFTHSM_SETUP_CONFIGDIR}
local configfile=${SOFTHSM2_CONF}
local bakconfigfile=${configfile}.bak
local tokendir=${configdir}/tokens
softhsm2-util --token "${NAME}" --delete-token &>/dev/null
case "${UNAME_S}" in
Darwin*)
if [ -f /etc/gnutls/pkcs11.conf.bak ]; then
sudo rm -f /etc/gnutls/pkcs11.conf
sudo mv /etc/gnutls/pkcs11.conf.bak \
/etc/gnutls/pkcs11.conf &>/dev/null
fi
;;
esac
if [ -f "$bakconfigfile" ]; then
mv "$bakconfigfile" "$configfile"
else
rm -f "$configfile"
fi
if [ -d "$tokendir" ]; then
rm -rf "${tokendir}"
fi
return 0
}
setup_softhsm() {
local msg tokenuri keyuri
local configdir=${SOFTHSM_SETUP_CONFIGDIR}
local configfile=${SOFTHSM2_CONF}
local bakconfigfile=${configfile}.bak
local tokendir=${configdir}/tokens
local rc
case "${UNAME_S}" in
Darwin*)
if [ -f /etc/gnutls/pkcs11.conf.bak ]; then
echo "/etc/gnutls/pkcs11.conf.bak already exists; need to 'teardown' first"
return 1
fi
sudo mv /etc/gnutls/pkcs11.conf \
/etc/gnutls/pkcs11.conf.bak &>/dev/null
if [ $(id -u) -eq 0 ]; then
SONAME="$(sudo -u nobody brew ls --verbose softhsm | \
grep -E "\.so$")"
else
SONAME="$(brew ls --verbose softhsm | \
grep -E "\.so$")"
fi
sudo mkdir -p /etc/gnutls &>/dev/null
sudo bash -c "echo "load=${SONAME}" > /etc/gnutls/pkcs11.conf"
;;
esac
if ! [ -d $configdir ]; then
mkdir -p $configdir
fi
mkdir -p ${tokendir}
if [ -f $configfile ]; then
mv "$configfile" "$bakconfigfile"
fi
if ! [ -f $configfile ]; then
cat <<_EOF_ > $configfile
directories.tokendir = ${tokendir}
objectstore.backend = file
log.level = DEBUG
slots.removable = false
_EOF_
fi
msg=$(p11tool --list-tokens 2>&1 | grep "token=${NAME}" | tail -n1)
if [ $? -ne 0 ]; then
echo "Could not list existing tokens"
echo "$msg"
fi
tokenuri=$(echo "$msg" | sed -n 's/.*URL: \([[:print:]*]\)/\1/p')
if [ -z "$tokenuri" ]; then
msg=$(softhsm2-util \
--init-token --pin ${PIN} --so-pin ${SO_PIN} \
--free --label ${NAME} 2>&1)
if [ $? -ne 0 ]; then
echo "Could not initialize token"
echo "$msg"
return 2
fi
slot=$(echo "$msg" | \
sed -n 's/.* reassigned to slot \([0-9]*\)$/\1/p')
if [ -z "$slot" ]; then
slot=$(softhsm2-util --show-slots | \
grep -E "^Slot " | head -n1 |
sed -n 's/Slot \([0-9]*\)/\1/p')
if [ -z "$slot" ]; then
echo "Could not parse slot number from output."
echo "$msg"
return 3
fi
fi
msg=$(p11tool --list-tokens 2>&1 | \
grep "token=${NAME}" | tail -n1)
if [ $? -ne 0 ]; then
echo "Could not list existing tokens"
echo "$msg"
fi
tokenuri=$(echo "$msg" | sed -n 's/.*URL: \([[:print:]*]\)/\1/p')
if [ -z "${tokenuri}" ]; then
echo "Could not get tokenuri!"
return 4
fi
# more recent versions of p11tool have --generate-privkey ...
msg=$(GNUTLS_PIN=$PIN p11tool \
--generate-privkey=rsa --bits 2048 --label mykey --login \
"${tokenuri}" 2>&1)
if [ $? -ne 0 ]; then
# ... older versions have --generate-rsa
msg=$(GNUTLS_PIN=$PIN p11tool \
--generate-rsa --bits 2048 --label mykey --login \
"${tokenuri}" 2>&1)
if [ $? -ne 0 ]; then
echo "Could not create RSA key!"
echo "$msg"
return 5
fi
fi
fi
getkeyuri_softhsm $slot
rc=$?
if [ $rc -ne 0 ]; then
teardown_softhsm
fi
return $rc
}
_getkeyuri_softhsm() {
local msg tokenuri keyuri
msg=$(p11tool --list-tokens 2>&1 | grep "token=${NAME}")
if [ $? -ne 0 ]; then
echo "Could not list existing tokens"
echo "$msg"
return 5
fi
tokenuri=$(echo "$msg" | sed -n 's/.*URL: \([[:print:]*]\)/\1/p')
if [ -z "$tokenuri" ]; then
echo "Could not get token URL"
echo "$msg"
return 6
fi
msg=$(p11tool --list-all ${tokenuri} 2>&1)
if [ $? -ne 0 ]; then
echo "Could not list object under token $tokenuri"
echo "$msg"
softhsm2-util --show-slots
return 7
fi
keyuri=$(echo "$msg" | sed -n 's/.*URL: \([[:print:]*]\)/\1/p')
if [ -z "$keyuri" ]; then
echo "Could not get key URL"
echo "$msg"
return 8
fi
echo "$keyuri"
return 0
}
getkeyuri_softhsm() {
local keyuri rc
keyuri=$(_getkeyuri_softhsm)
rc=$?
if [ $rc -ne 0 ]; then
return $rc
fi
echo "keyuri: $keyuri?pin-value=${PIN}" #&module-name=softhsm2"
return 0
}
getpubkey_softhsm() {
local keyuri rc
keyuri=$(_getkeyuri_softhsm)
rc=$?
if [ $rc -ne 0 ]; then
return $rc
fi
GNUTLS_PIN=${PIN} p11tool --export-pubkey "${keyuri}" --login 2>/dev/null
return $?
}
usage() {
cat <<_EOF_
Usage: $0 [command]
Supported commands are:
setup : Setup the user's account for softhsm and create a
token and key with a test configuration
getkeyuri : Get the key's URI; may only be called after setup
getpubkey : Get the public key in PEM format; may only be called after setup
teardown : Remove the temporary softhsm test configuration
_EOF_
}
main() {
local ret
if [ $# -lt 1 ]; then
usage $0
echo -e "Missing command.\n\n"
return 1
fi
case "$1" in
setup)
setup_softhsm
ret=$?
;;
getkeyuri)
getkeyuri_softhsm
ret=$?
;;
getpubkey)
getpubkey_softhsm
ret=$?
;;
teardown)
teardown_softhsm
ret=$?
;;
*)
echo -e "Unsupported command: $1\n\n"
usage $0
ret=1
esac
return $ret
}
main "$@"
exit $?

3
tests/test_ascii_runtime_measurements
View File

@ -1,3 +0,0 @@
10 cf41b43c4031672fcc2bd358b309ad33b977424f ima-ng sha256:f1b4c7c9b27e94569f4c2b64051c452bc609c3cb891dd7fae06b758f8bc83d14 boot_aggregate
10 983dcd8e6f7c84a1a5f10e762d1850623966ceab ima-ng sha256:ae06e032a65fed8102aff5f8f31c678dcf2eb25b826f77ecb699faa0411f89e0 /init
10 b6e4d01c73f6e4b698eaf48e7d76a2bae0c02514 ima-ng sha256:4b1764ee112aa8b2a6ae9a3a2f1e272b6601681f610708497673cd49e5bd2f5c /bin/sh

BIN
tests/test_binary_bios_measurements
View File

Binary file not shown.

128
tests/test_mmap.c
View File

@ -1,128 +0,0 @@
// SPDX-License-Identifier: GPL-2.0
/*
* Copyright (C) 2023 Huawei Technologies Duesseldorf GmbH
*
* Tool to test IMA MMAP_CHECK and MMAP_CHECK_REQPROT hooks.
*/
#include <stdio.h>
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/mman.h>
#include <sys/personality.h>
/*
* Convention: return 1 for errors that should not occur, as they are
* setup-related, return 2 for errors that might occur due to testing
* conditions.
*/
#define ERR_SETUP 1
#define ERR_TEST 2
int main(int argc, char *argv[])
{
struct stat st;
void *ptr, *ptr_write = NULL;
int ret, fd, fd_write, prot = PROT_READ;
if (!argv[1]) {
printf("Missing file parameter\n");
return ERR_SETUP;
}
if (argv[2] && !strcmp(argv[2], "read_implies_exec")) {
ret = personality(READ_IMPLIES_EXEC);
if (ret == -1) {
printf("Failed to set personality, err: %d (%s)\n",
-errno, strerror(errno));
return ERR_SETUP;
}
}
if (stat(argv[1], &st) == -1) {
printf("Failed to access %s, err: %d (%s)\n", argv[1], -errno,
strerror(errno));
return ERR_SETUP;
}
if (argv[2] && !strcmp(argv[2], "exec_on_writable")) {
fd_write = open(argv[1], O_RDWR);
if (fd_write == -1) {
printf("Failed to open %s in r/w, err: %d (%s)\n",
argv[1], -errno, strerror(errno));
return ERR_SETUP;
}
ptr_write = mmap(0, st.st_size, PROT_WRITE, MAP_SHARED,
fd_write, 0);
close(fd_write);
if (ptr_write == MAP_FAILED) {
printf("Failed mmap() with PROT_WRITE on %s, err: %d (%s)\n",
argv[1], -errno, strerror(errno));
return ERR_SETUP;
}
}
fd = open(argv[1], O_RDONLY);
if (fd == -1) {
printf("Failed to open %s in ro, err: %d (%s)\n", argv[1],
-errno, strerror(errno));
if (ptr_write && munmap(ptr_write, st.st_size) == -1)
printf("Failed munmap() of writable mapping on %s, err: %d (%s)\n",
argv[1], -errno, strerror(errno));
return ERR_SETUP;
}
if (argv[2] && !strncmp(argv[2], "exec", 4))
prot |= PROT_EXEC;
ptr = mmap(0, st.st_size, prot, MAP_PRIVATE, fd, 0);
close(fd);
if (ptr_write && munmap(ptr_write, st.st_size) == -1) {
printf("Failed munmap() of writable mapping on %s, err: %d (%s)\n",
argv[1], -errno, strerror(errno));
return ERR_SETUP;
}
if (ptr == MAP_FAILED) {
ret = ERR_SETUP;
if (argv[2] && !strcmp(argv[2], "exec_on_writable") &&
errno == EACCES)
ret = ERR_TEST;
else
printf("Failed mmap() with PROT_READ%s on %s, err: %d (%s)\n",
(prot & PROT_EXEC) ? " | PROT_EXEC" : "",
argv[1], -errno, strerror(errno));
return ret;
}
ret = 0;
if (argv[2] && !strcmp(argv[2], "mprotect")) {
ret = mprotect(ptr, st.st_size, PROT_EXEC);
if (ret == -1) {
ret = ERR_SETUP;
if (errno == EPERM)
ret = ERR_TEST;
else
printf("Unexpected mprotect() error on %s, err: %d (%s)\n",
argv[1], -errno, strerror(errno));
}
}
if (munmap(ptr, st.st_size) == -1) {
printf("Failed munmap() of mapping on %s, err: %d (%s)\n",
argv[1], -errno, strerror(errno));
return ERR_SETUP;
}
return ret;
}