dh/ima-evm-utils-mirror
1
0
Fork 0
mirror of https://git.code.sf.net/p/linux-ima/ima-evm-utils synced 2025-07-03 22:23:16 +02:00
Code Releases Activity

Compare commits

base: dh:v1.0
Branches Tags
dh:master dh:next dh:next-testing dh:ima-evm-utils-1.3.1-y dh:ima-evm-utils-1.2.y
dh:v1.5 dh:v1.4 dh:v1.3.2 dh:v1.3.1 dh:v1.3 dh:v1.2.1 dh:v1.2 dh:v1.1 dh:v1.0 dh:v0.9 dh:v0.8 dh:v0.7 dh:v0.6 dh:v0.5 dh:v0.4 dh:v0.1.0 dh:v0.2 dh:v0.3 dh:v0.1.1
...
compare: dh:v1.1
Branches Tags
dh:next dh:next-testing dh:master dh:ima-evm-utils-1.3.1-y dh:ima-evm-utils-1.2.y
dh:v1.5 dh:v1.4 dh:v1.3.2 dh:v1.3.1 dh:v1.3 dh:v1.2.1 dh:v1.2 dh:v1.1 dh:v1.0 dh:v0.9 dh:v0.8 dh:v0.7 dh:v0.6 dh:v0.5 dh:v0.4 dh:v0.1.0 dh:v0.2 dh:v0.3 dh:v0.1.1

21 Commits
v1.0 ... v1.1

Author SHA1 Message Date
Mimi Zohar
c860e0d9bb ima-evm-utils: Release version 1.1 
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
 2018-02-15 08:02:19 -05:00
Mimi Zohar
360655f059 Support different levels of output for "ima_measurement" 
Instead of always displaying the entire measurement list, the default
behavior is just to return an error.  Verbose (-v) displays the key ids
used in validating the measurement list, the PCR aggregate and TPM PCR
values.  Verbose+ (-v -v) also displays the measurement list.

Signed-of-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
 2018-02-06 07:50:31 -05:00
Mimi Zohar
057efc397d Include the file name in "ima_measurement" verification result 
When displaying the measurement list, include the filename in the result.

Signed-of-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
 2018-02-06 07:50:01 -05:00
Mimi Zohar
c2ef2aabe2 ima-evm-utils: sysfs pathname change 
Commit 313d21e "tpm: device class for tpm" moved the TPM sysfs location
from /sys/class/misc/tpmX/device/ to /sys/class/tpm/tpmX/device/.

Mimi Zohar <zohar@linux.vnet.ibm.com>
 2018-01-29 14:24:03 -05:00
James Bottomley
81010f0d87 ima-evm-utils: Add backward compatible support for openssl 1.1 
Openssl 1.1 is really annoying in that it made certain objects opaque
and added accessors for the necessary componenets, but these accessors
often don't exist in 1.0 and before, so there's no way to create clean
code that will compile with both 1.0 and 1.1; instead you have to
compiled with both code bases to make sure everything is working).

The other problem is that since the structures are opaque, their size
isn't known, so having a structure declared as a variable is no longer
possible.

This change switches all uses of EVP_MD_CTX to be pointers initialised
with the correct EVP_MD_CTX_new() (not available in 1.0), does the
same for HMAC_CTX, and uses the 1.1 only primitve RSA_get0_key() to
extract the public modulus and exponent from an RSA key.

Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Tested-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
 2018-01-28 13:47:54 -05:00
Mimi Zohar
6921833477 ima-evm-utils: add support for validating multiple pcrs 
The IMA measurement list may contain records for different PCRs.  This
patch walks the measurement list, calculating a PCR aggregate value for
each PCR.

Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
 2018-01-28 10:02:18 -05:00
Mimi Zohar
1a69e42ac1 ima-evm-utils: verify the measurement list signature based on the list digest 
Instead of verifying file signatures included in the measurement list,
by calculating the local file hash, verify the file signature based on the
digest contained in the measurement list.

This patch defines a new option named "--list".

Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
 2018-01-28 09:57:34 -05:00
Mimi Zohar
9c79b7de72 ima-evm-utils: support verifying the measurement list using multiple keys 
On a running system, different software packages might be signed by
different parties.  Support verifying signatures in the measurement
list using multiple public keys(eg.  -k "key1, key2, ...").

Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
 2018-01-28 09:57:34 -05:00
Mimi Zohar
838b08b449 ima-evm-utils: fix spelling error 
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
 2018-01-28 09:57:34 -05:00
Mimi Zohar
ba92e44719 ima-evm-utils: fix "ima_measurement" template fields length 
The template data field length is uint32_t, not uint8_t.

Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
 2018-01-28 08:37:08 -05:00
Matthew Garrett
4928548d9d Add support for portable EVM format 
Add a --portable argument that generates EVM signatures without using
the inode number and generation or fs UUID.

Signed-off-by: Matthew Garrett <mjg59@google.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>

Changelog:
- immutable and portable flags are exclusive, prevent enabling both.
 2017-11-16 15:02:40 -05:00
Mimi Zohar
233dedffe9 Write out .sig file as security.ima xattr 
To write the .sig file as security.ima xattr using setfattr first
requires converting the .sig file from binary to ascii-hex.  Although
this conversion can be done using hexdump, it is unnecessary when
calling setxattr.  This patch defines a new command called
"ima_setxattr", which calls lsetxattr() to write the .sig file as
the security.ima xattr.

Changelog:
- remove unnecessary copy
- fixed --sigfile option

Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
 2016-03-06 07:55:04 -05:00
Dmitry Kasatkin
3e2a67bdb0 script to build static evmctl version 
Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@huawei.com>
 2015-10-01 22:42:45 +03:00
Dmitry Kasatkin
839a674580 Supply file attributes values on command line 
Can be used by Android filesystem image creation tool.

Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@huawei.com>
 2015-09-20 23:28:20 +03:00
Dmitry Kasatkin
e55d286ad6 Use single flag to indicate 'no'flag 
Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@huawei.com>
 2015-09-20 23:15:32 +03:00
Dmitry Kasatkin
28d99354de Use byte range values 
Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@huawei.com>
 2015-09-20 22:22:06 +03:00
Dmitry Kasatkin
ea5ccdf38f Newer kernels requires at least 64 byte keys 
Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@huawei.com>
 2015-09-20 22:22:00 +03:00
Patrick Ohly
b0d13ba557 calc_evm_hmac/hash: avoid fd leak when ioctl fails 
When opening the file succeeds but ioctl() then fails, the file must
be closed before returning.

Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
 2015-09-09 23:02:01 +03:00
Patrick Ohly
199311e6a5 ima_verify: ignore -n flag 
"evmutil ima_verify -n <some file>" disabled using xattrs without enabling
using a signature file, resulting in the use of uninitialized memory in
ima_verify_signature() and thus unpredictable results.

Such a mode of operation makes no sense, so interpret -n as
documented ("print result to stdout instead of setting xattr") and ignore it
during ima_verify. Instead, switch between the two verification modes only
via the global sigfile variable.

Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
 2015-09-09 22:50:45 +03:00
Patrick Ohly
453d3db8a5 tpm_pcr_read: close file when returning early 
When return from inside the for() loop, the open file was not
closed.

Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
 2015-09-09 22:50:35 +03:00
Patrick Ohly
fa0b30b15e add_dir_hash: fix DIR leak in case of failure 
When bailing out of the function due to EVP_DigestUpdate()
failing, the DIR resources allocated with opendir() were
not freed.

Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
 2015-09-09 22:50:18 +03:00
8 changed files with 490 additions and 147 deletions
Expand all files Collapse all files

13
ChangeLog
View File

@ -1,3 +1,16 @@
2018-01-28 Mimi Zohar <zohar@us.ibm.com>
version 1.1
* Support the new openssl 1.1 api
* Support for validating multiple pcrs
* Verify the measurement list signature based on the list digest
* Verify the "ima-sig" measurement list using multiple keys
* Fixed parsing the measurement template data field length
* Portable & immutable EVM signatures (new format)
* Multiple fixes that have been lingering in the next branch. Some
are for experimental features that are not yet supported in the
kernel.
2014-07-30 Dmitry Kasatkin <dmitry.kasatkin@huawei.com> 2014-07-30 Dmitry Kasatkin <dmitry.kasatkin@huawei.com>
version 1.0 version 1.0

10
README
View File

@ -26,12 +26,12 @@ COMMANDS
--version --version
help <command> help <command>
import [--rsa] pubkey keyring import [--rsa] pubkey keyring
sign [-r] [--imahash | --imasig ] [--key key] [--pass password] file sign [-r] [--imahash | --imasig ] [--portable] [--key key] [--pass password] file
verify file verify file
ima_sign [--sigfile] [--key key] [--pass password] file ima_sign [--sigfile] [--key key] [--pass password] file
ima_verify file ima_verify file
ima_hash file ima_hash file
ima_measurement file ima_measurement [--key "key1, key2, ..."] [--list] file
ima_fix [-t fdsxm] path ima_fix [-t fdsxm] path
sign_hash [--key key] [--pass password] sign_hash [--key key] [--pass password]
hmac [--imahash | --imasig ] file hmac [--imahash | --imasig ] file
@ -46,6 +46,7 @@ OPTIONS
-f, --sigfile store IMA signature in .sig file instead of xattr -f, --sigfile store IMA signature in .sig file instead of xattr
--rsa use RSA key type and signing scheme v1 --rsa use RSA key type and signing scheme v1
-k, --key path to signing key (default: /etc/keys/{privkey,pubkey}_evm.pem) -k, --key path to signing key (default: /etc/keys/{privkey,pubkey}_evm.pem)
-o, --portable generate portable EVM signatures
-p, --pass password for encrypted signing key -p, --pass password for encrypted signing key
-r, --recursive recurse into directories (sign) -r, --recursive recurse into directories (sign)
-t, --type file types to fix 'fdsxm' (f: file, d: directory, s: block/char/symlink) -t, --type file types to fix 'fdsxm' (f: file, d: directory, s: block/char/symlink)
@ -95,7 +96,8 @@ Kernel configuration option CONFIG_EVM_ATTR_FSUUID controls whether to include
filesystem UUID into HMAC and enabled by default. Therefore evmctl also includes filesystem UUID into HMAC and enabled by default. Therefore evmctl also includes
fsuuid by default. Providing '--uuid' option without parameter allows to disable fsuuid by default. Providing '--uuid' option without parameter allows to disable
usage of fs uuid. Providing '--uuid=UUID' option with parameter allows to use usage of fs uuid. Providing '--uuid=UUID' option with parameter allows to use
custom UUID. custom UUID. Providing the '--portable' option will disable usage of the fs uuid
and also the inode number and generation.
Kernel configuration option CONFIG_EVM_EXTRA_SMACK_XATTRS controls whether to Kernel configuration option CONFIG_EVM_EXTRA_SMACK_XATTRS controls whether to
include additional SMACK extended attributes into HMAC. They are following: include additional SMACK extended attributes into HMAC. They are following:
@ -142,7 +144,7 @@ EVM encrypted key is used for EVM HMAC calculation:
keyctl pipe `keyctl search @u user kmk` > /etc/keys/kmk keyctl pipe `keyctl search @u user kmk` > /etc/keys/kmk
# create the EVM encrypted key # create the EVM encrypted key
keyctl add encrypted evm-key "new user:kmk 32" @u keyctl add encrypted evm-key "new user:kmk 64" @u
keyctl pipe `keyctl search @u encrypted evm-key` >/etc/keys/evm-key keyctl pipe `keyctl search @u encrypted evm-key` >/etc/keys/evm-key

4
build-static.sh Executable file
View File

@ -0,0 +1,4 @@
#!/bin/sh
gcc -static -o evmctl.static -include config.h src/evmctl.c src/libimaevm.c -lcrypto -lkeyutils -ldl

2
configure.ac
View File

@ -1,7 +1,7 @@
# autoconf script # autoconf script
AC_PREREQ([2.65]) AC_PREREQ([2.65])
AC_INIT(ima-evm-utils, 1.0, dmitry.kasatkin@huawei.com) AC_INIT(ima-evm-utils, 1.1, zohar@linux.vnet.ibm.com)
AM_INIT_AUTOMAKE AM_INIT_AUTOMAKE
AC_CONFIG_HEADERS([config.h]) AC_CONFIG_HEADERS([config.h])
AC_CONFIG_MACRO_DIR([m4]) AC_CONFIG_MACRO_DIR([m4])

2
packaging/ima-evm-utils.spec
View File

@ -1,5 +1,5 @@
Name: ima-evm-utils Name: ima-evm-utils
Version: 1.0 Version: 1.1
Release: 1%{?dist} Release: 1%{?dist}
Summary: ima-evm-utils - IMA/EVM control utility Summary: ima-evm-utils - IMA/EVM control utility
Group: System/Libraries Group: System/Libraries

361
src/evmctl.c
View File

@ -104,15 +104,26 @@ static int digest;
static int digsig; static int digsig;
static int sigfile; static int sigfile;
static char *uuid_str; static char *uuid_str;
static char *ino_str;
static char *uid_str;
static char *gid_str;
static char *mode_str;
static char *generation_str;
static char *caps_str;
static char *ima_str;
static char *selinux_str;
static char *search_type; static char *search_type;
static int measurement_list;
static int recursive; static int recursive;
static int msize; static int msize;
static dev_t fs_dev; static dev_t fs_dev;
static bool evm_immutable; static bool evm_immutable;
static bool evm_portable;
#define HMAC_FLAG_UUID 0x0001 #define HMAC_FLAG_NO_UUID 0x0001
#define HMAC_FLAG_UUID_SET 0x0002 #define HMAC_FLAG_CAPS_SET 0x0002
static unsigned long hmac_flags = HMAC_FLAG_UUID;
static unsigned long hmac_flags;
typedef int (*find_cb_t)(const char *path); typedef int (*find_cb_t)(const char *path);
static int find(const char *path, int dts, find_cb_t func); static int find(const char *path, int dts, find_cb_t func);
@ -200,7 +211,7 @@ static int hex_to_bin(char ch)
return -1; return -1;
} }
static int hex2bin(uint8_t *dst, const char *src, size_t count) static int hex2bin(void *dst, const char *src, size_t count)
{ {
int hi, lo; int hi, lo;
@ -214,7 +225,7 @@ static int hex2bin(uint8_t *dst, const char *src, size_t count)
if ((hi < 0) || (lo < 0)) if ((hi < 0) || (lo < 0))
return -1; return -1;
*dst++ = (hi << 4) | lo; *(uint8_t *)dst++ = (hi << 4) | lo;
} }
return 0; return 0;
} }
@ -275,7 +286,7 @@ static int get_uuid(struct stat *st, char *uuid)
FILE *fp; FILE *fp;
size_t len; size_t len;
if (hmac_flags & HMAC_FLAG_UUID_SET) if (uuid_str)
return pack_uuid(uuid_str, uuid); return pack_uuid(uuid_str, uuid);
dev = st->st_dev; dev = st->st_dev;
@ -305,7 +316,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
struct stat st; struct stat st;
int err; int err;
uint32_t generation = 0; uint32_t generation = 0;
EVP_MD_CTX ctx; EVP_MD_CTX *pctx;
unsigned int mdlen; unsigned int mdlen;
char **xattrname; char **xattrname;
char xattr_value[1024]; char xattr_value[1024];
@ -314,16 +325,33 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
char uuid[16]; char uuid[16];
struct h_misc_64 hmac_misc; struct h_misc_64 hmac_misc;
int hmac_size; int hmac_size;
#if OPENSSL_VERSION_NUMBER < 0x10100000
EVP_MD_CTX ctx;
pctx = &ctx;
#else
pctx = EVP_MD_CTX_new();
#endif
if (lstat(file, &st)) { if (lstat(file, &st)) {
log_err("Failed to stat: %s\n", file); log_err("Failed to stat: %s\n", file);
return -1; return -1;
} }
if (generation_str)
generation = strtoul(generation_str, NULL, 10);
if (ino_str)
st.st_ino = strtoul(ino_str, NULL, 10);
if (uid_str)
st.st_uid = strtoul(uid_str, NULL, 10);
if (gid_str)
st.st_gid = strtoul(gid_str, NULL, 10);
if (mode_str)
st.st_mode = strtoul(mode_str, NULL, 10);
if (!evm_immutable) { if (!evm_immutable) {
if (S_ISREG(st.st_mode) || S_ISDIR(st.st_mode)) { if ((S_ISREG(st.st_mode) || S_ISDIR(st.st_mode)) && !generation_str) {
/* we cannot at the momement to get generation of special files.. /* we cannot at the momement to get generation of
* kernel API does not support it */ special files kernel API does not support it */
int fd = open(file, 0); int fd = open(file, 0);
if (fd < 0) { if (fd < 0) {
@ -332,6 +360,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
} }
if (ioctl(fd, FS_IOC_GETVERSION, &generation)) { if (ioctl(fd, FS_IOC_GETVERSION, &generation)) {
log_err("ioctl() failed\n"); log_err("ioctl() failed\n");
close(fd);
return -1; return -1;
} }
close(fd); close(fd);
@ -345,13 +374,25 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
return -1; return -1;
} }
err = EVP_DigestInit(&ctx, EVP_sha1()); err = EVP_DigestInit(pctx, EVP_sha1());
if (!err) { if (!err) {
log_err("EVP_DigestInit() failed\n"); log_err("EVP_DigestInit() failed\n");
return 1; return 1;
} }
for (xattrname = evm_config_xattrnames; *xattrname != NULL; xattrname++) { for (xattrname = evm_config_xattrnames; *xattrname != NULL; xattrname++) {
if (!strcmp(*xattrname, XATTR_NAME_SELINUX) && selinux_str) {
strcpy(xattr_value, selinux_str);
err = strlen(selinux_str) + 1;
} else if (!strcmp(*xattrname, XATTR_NAME_IMA) && ima_str) {
hex2bin(xattr_value, ima_str, strlen(ima_str) / 2);
err = strlen(ima_str) / 2;
} else if (!strcmp(*xattrname, XATTR_NAME_CAPS) && (hmac_flags & HMAC_FLAG_CAPS_SET)) {
if (!caps_str)
continue;
strcpy(xattr_value, caps_str);
err = strlen(caps_str);
} else {
err = lgetxattr(file, *xattrname, xattr_value, sizeof(xattr_value)); err = lgetxattr(file, *xattrname, xattr_value, sizeof(xattr_value));
if (err < 0) { if (err < 0) {
log_info("no xattr: %s\n", *xattrname); log_info("no xattr: %s\n", *xattrname);
@ -361,10 +402,11 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
log_info("skipping xattr: %s\n", *xattrname); log_info("skipping xattr: %s\n", *xattrname);
continue; continue;
} }
}
/*log_debug("name: %s, value: %s, size: %d\n", *xattrname, xattr_value, err);*/ /*log_debug("name: %s, value: %s, size: %d\n", *xattrname, xattr_value, err);*/
log_info("name: %s, size: %d\n", *xattrname, err); log_info("name: %s, size: %d\n", *xattrname, err);
log_debug_dump(xattr_value, err); log_debug_dump(xattr_value, err);
err = EVP_DigestUpdate(&ctx, xattr_value, err); err = EVP_DigestUpdate(pctx, xattr_value, err);
if (!err) { if (!err) {
log_err("EVP_DigestUpdate() failed\n"); log_err("EVP_DigestUpdate() failed\n");
return 1; return 1;
@ -384,8 +426,10 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
struct h_misc *hmac = (struct h_misc *)&hmac_misc; struct h_misc *hmac = (struct h_misc *)&hmac_misc;
hmac_size = sizeof(*hmac); hmac_size = sizeof(*hmac);
if (!evm_portable) {
hmac->ino = st.st_ino; hmac->ino = st.st_ino;
hmac->generation = generation; hmac->generation = generation;
}
hmac->uid = st.st_uid; hmac->uid = st.st_uid;
hmac->gid = st.st_gid; hmac->gid = st.st_gid;
hmac->mode = st.st_mode; hmac->mode = st.st_mode;
@ -393,8 +437,10 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
struct h_misc_64 *hmac = (struct h_misc_64 *)&hmac_misc; struct h_misc_64 *hmac = (struct h_misc_64 *)&hmac_misc;
hmac_size = sizeof(*hmac); hmac_size = sizeof(*hmac);
if (!evm_portable) {
hmac->ino = st.st_ino; hmac->ino = st.st_ino;
hmac->generation = generation; hmac->generation = generation;
}
hmac->uid = st.st_uid; hmac->uid = st.st_uid;
hmac->gid = st.st_gid; hmac->gid = st.st_gid;
hmac->mode = st.st_mode; hmac->mode = st.st_mode;
@ -402,8 +448,10 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
struct h_misc_32 *hmac = (struct h_misc_32 *)&hmac_misc; struct h_misc_32 *hmac = (struct h_misc_32 *)&hmac_misc;
hmac_size = sizeof(*hmac); hmac_size = sizeof(*hmac);
if (!evm_portable) {
hmac->ino = st.st_ino; hmac->ino = st.st_ino;
hmac->generation = generation; hmac->generation = generation;
}
hmac->uid = st.st_uid; hmac->uid = st.st_uid;
hmac->gid = st.st_gid; hmac->gid = st.st_gid;
hmac->mode = st.st_mode; hmac->mode = st.st_mode;
@ -412,25 +460,26 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
log_debug("hmac_misc (%d): ", hmac_size); log_debug("hmac_misc (%d): ", hmac_size);
log_debug_dump(&hmac_misc, hmac_size); log_debug_dump(&hmac_misc, hmac_size);
err = EVP_DigestUpdate(&ctx, &hmac_misc, hmac_size); err = EVP_DigestUpdate(pctx, &hmac_misc, hmac_size);
if (!err) { if (!err) {
log_err("EVP_DigestUpdate() failed\n"); log_err("EVP_DigestUpdate() failed\n");
return 1; return 1;
} }
if (!evm_immutable && (hmac_flags & HMAC_FLAG_UUID)) { if (!evm_immutable && !evm_portable &&
!(hmac_flags & HMAC_FLAG_NO_UUID)) {
err = get_uuid(&st, uuid); err = get_uuid(&st, uuid);
if (err) if (err)
return -1; return -1;
err = EVP_DigestUpdate(&ctx, (const unsigned char *)uuid, sizeof(uuid)); err = EVP_DigestUpdate(pctx, (const unsigned char *)uuid, sizeof(uuid));
if (!err) { if (!err) {
log_err("EVP_DigestUpdate() failed\n"); log_err("EVP_DigestUpdate() failed\n");
return 1; return 1;
} }
} }
err = EVP_DigestFinal(&ctx, hash, &mdlen); err = EVP_DigestFinal(pctx, hash, &mdlen);
if (!err) { if (!err) {
log_err("EVP_DigestFinal() failed\n"); log_err("EVP_DigestFinal() failed\n");
return 1; return 1;
@ -455,6 +504,9 @@ static int sign_evm(const char *file, const char *key)
/* add header */ /* add header */
len++; len++;
if (evm_portable)
sig[0] = EVM_XATTR_PORTABLE_DIGSIG;
else
sig[0] = EVM_IMA_XATTR_DIGSIG; sig[0] = EVM_IMA_XATTR_DIGSIG;
if (evm_immutable) if (evm_immutable)
@ -713,12 +765,13 @@ static int verify_evm(const char *file)
return -1; return -1;
} }
return verify_hash(hash, sizeof(hash), sig + 1, len - 1); return verify_hash(file, hash, sizeof(hash), sig + 1, len - 1);
} }
static int cmd_verify_evm(struct command *cmd) static int cmd_verify_evm(struct command *cmd)
{ {
char *file = g_argv[optind++]; char *file = g_argv[optind++];
int err;
if (!file) { if (!file) {
log_err("Parameters missing\n"); log_err("Parameters missing\n");
@ -726,7 +779,10 @@ static int cmd_verify_evm(struct command *cmd)
return -1; return -1;
} }
return verify_evm(file); err = verify_evm(file);
if (!err && params.verbose >= LOG_INFO)
log_info("%s: verification is OK\n", file);
return err;
} }
static int verify_ima(const char *file) static int verify_ima(const char *file)
@ -734,7 +790,12 @@ static int verify_ima(const char *file)
unsigned char sig[1024]; unsigned char sig[1024];
int len; int len;
if (xattr) { if (sigfile) {
void *tmp = file2bin(file, "sig", &len);
memcpy(sig, tmp, len);
free(tmp);
} else {
len = lgetxattr(file, "security.ima", sig, sizeof(sig)); len = lgetxattr(file, "security.ima", sig, sizeof(sig));
if (len < 0) { if (len < 0) {
log_err("getxattr failed: %s\n", file); log_err("getxattr failed: %s\n", file);
@ -742,27 +803,56 @@ static int verify_ima(const char *file)
} }
} }
if (sigfile) { return ima_verify_signature(file, sig, len, NULL, 0);
void *tmp = file2bin(file, "sig", &len);
memcpy(sig, tmp, len);
free(tmp);
}
return ima_verify_signature(file, sig, len);
} }
static int cmd_verify_ima(struct command *cmd) static int cmd_verify_ima(struct command *cmd)
{ {
char *file = g_argv[optind++]; char *file = g_argv[optind++];
int err;
errno = 0;
if (!file) { if (!file) {
log_err("Parameters missing\n"); log_err("Parameters missing\n");
print_usage(cmd); print_usage(cmd);
return -1; return -1;
} }
return verify_ima(file); err = verify_ima(file);
if (!err && params.verbose >= LOG_INFO)
log_info("%s: verification is OK\n", file);
return err;
}
static int cmd_convert(struct command *cmd)
{
char *inkey;
unsigned char _pub[1024], *pub = _pub;
int len, err = 0;
char name[20];
uint8_t keyid[8];
RSA *key;
params.x509 = 0;
inkey = g_argv[optind++];
if (!inkey) {
inkey = params.x509 ? "/etc/keys/x509_evm.der" :
"/etc/keys/pubkey_evm.pem";
}
key = read_pub_key(inkey, params.x509);
if (!key)
return 1;
len = key2bin(key, pub);
calc_keyid_v1(keyid, name, pub, len);
bin2file(inkey, "bin", pub, len);
bin2file(inkey, "keyid", (const unsigned char *)name, strlen(name));
RSA_free(key);
return err;
} }
static int cmd_import(struct command *cmd) static int cmd_import(struct command *cmd)
@ -837,6 +927,42 @@ out:
return err; return err;
} }
static int setxattr_ima(const char *file, char *sig_file)
{
unsigned char *sig;
int len, err;
if (sig_file)
sig = file2bin(sig_file, NULL, &len);
else
sig = file2bin(file, "sig", &len);
if (!sig)
return 0;
err = lsetxattr(file, "security.ima", sig, len, 0);
if (err < 0)
log_err("setxattr failed: %s\n", file);
free(sig);
return err;
}
static int cmd_setxattr_ima(struct command *cmd)
{
char *file, *sig = NULL;
if (sigfile)
sig = g_argv[optind++];
file = g_argv[optind++];
if (!file) {
log_err("Parameters missing\n");
print_usage(cmd);
return -1;
}
return setxattr_ima(file, sig);
}
#define MAX_KEY_SIZE 128 #define MAX_KEY_SIZE 128
static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *hash) static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *hash)
@ -844,7 +970,7 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h
struct stat st; struct stat st;
int err = -1; int err = -1;
uint32_t generation = 0; uint32_t generation = 0;
HMAC_CTX ctx; HMAC_CTX *pctx;
unsigned int mdlen; unsigned int mdlen;
char **xattrname; char **xattrname;
unsigned char xattr_value[1024]; unsigned char xattr_value[1024];
@ -855,6 +981,12 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h
ssize_t list_size; ssize_t list_size;
struct h_misc_64 hmac_misc; struct h_misc_64 hmac_misc;
int hmac_size; int hmac_size;
#if OPENSSL_VERSION_NUMBER < 0x10100000
HMAC_CTX ctx;
pctx = &ctx;
#else
pctx = HMAC_CTX_new();
#endif
key = file2bin(keyfile, NULL, &keylen); key = file2bin(keyfile, NULL, &keylen);
if (!key) { if (!key) {
@ -887,6 +1019,7 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h
} }
if (ioctl(fd, FS_IOC_GETVERSION, &generation)) { if (ioctl(fd, FS_IOC_GETVERSION, &generation)) {
log_err("ioctl() failed\n"); log_err("ioctl() failed\n");
close(fd);
goto out; goto out;
} }
close(fd); close(fd);
@ -900,7 +1033,7 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h
goto out; goto out;
} }
err = !HMAC_Init(&ctx, evmkey, sizeof(evmkey), EVP_sha1()); err = !HMAC_Init_ex(pctx, evmkey, sizeof(evmkey), EVP_sha1(), NULL);
if (err) { if (err) {
log_err("HMAC_Init() failed\n"); log_err("HMAC_Init() failed\n");
goto out; goto out;
@ -919,7 +1052,7 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h
/*log_debug("name: %s, value: %s, size: %d\n", *xattrname, xattr_value, err);*/ /*log_debug("name: %s, value: %s, size: %d\n", *xattrname, xattr_value, err);*/
log_info("name: %s, size: %d\n", *xattrname, err); log_info("name: %s, size: %d\n", *xattrname, err);
log_debug_dump(xattr_value, err); log_debug_dump(xattr_value, err);
err = !HMAC_Update(&ctx, xattr_value, err); err = !HMAC_Update(pctx, xattr_value, err);
if (err) { if (err) {
log_err("HMAC_Update() failed\n"); log_err("HMAC_Update() failed\n");
goto out_ctx_cleanup; goto out_ctx_cleanup;
@ -960,16 +1093,20 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h
log_debug("hmac_misc (%d): ", hmac_size); log_debug("hmac_misc (%d): ", hmac_size);
log_debug_dump(&hmac_misc, hmac_size); log_debug_dump(&hmac_misc, hmac_size);
err = !HMAC_Update(&ctx, (const unsigned char *)&hmac_misc, hmac_size); err = !HMAC_Update(pctx, (const unsigned char *)&hmac_misc, hmac_size);
if (err) { if (err) {
log_err("HMAC_Update() failed\n"); log_err("HMAC_Update() failed\n");
goto out_ctx_cleanup; goto out_ctx_cleanup;
} }
err = !HMAC_Final(&ctx, hash, &mdlen); err = !HMAC_Final(pctx, hash, &mdlen);
if (err) if (err)
log_err("HMAC_Final() failed\n"); log_err("HMAC_Final() failed\n");
out_ctx_cleanup: out_ctx_cleanup:
HMAC_CTX_cleanup(&ctx); #if OPENSSL_VERSION_NUMBER < 0x10100000
HMAC_CTX_cleanup(pctx);
#else
HMAC_CTX_free(pctx);
#endif
out: out:
free(key); free(key);
return err ?: mdlen; return err ?: mdlen;
@ -1137,18 +1274,23 @@ static int cmd_ima_clear(struct command *cmd)
return do_cmd(cmd, ima_clear); return do_cmd(cmd, ima_clear);
} }
static char *pcrs = "/sys/class/misc/tpm0/device/pcrs"; static char *pcrs = "/sys/class/tpm/tpm0/device/pcrs"; /* Kernels >= 4.0 */
static char *misc_pcrs = "/sys/class/misc/tpm0/device/pcrs";
static int tpm_pcr_read(int idx, uint8_t *pcr, int len) static int tpm_pcr_read(int idx, uint8_t *pcr, int len)
{ {
FILE *fp; FILE *fp;
char *p, pcr_str[7], buf[70]; /* length of the TPM string */ char *p, pcr_str[7], buf[70]; /* length of the TPM string */
int result = -1;
sprintf(pcr_str, "PCR-%d", idx); sprintf(pcr_str, "PCR-%d", idx);
fp = fopen(pcrs, "r"); fp = fopen(pcrs, "r");
if (!fp)
fp = fopen(misc_pcrs, "r");
if (!fp) { if (!fp) {
log_err("Unable to open %s\n", pcrs); log_err("Unable to open %s or %s\n", pcrs, misc_pcrs);
return -1; return -1;
} }
@ -1158,11 +1300,12 @@ static int tpm_pcr_read(int idx, uint8_t *pcr, int len)
break; break;
if (!strncmp(p, pcr_str, 6)) { if (!strncmp(p, pcr_str, 6)) {
hex2bin(pcr, p + 7, len); hex2bin(pcr, p + 7, len);
return 0; result = 0;
break;
} }
} }
fclose(fp); fclose(fp);
return -1; return result;
} }
#define TCG_EVENT_NAME_LEN_MAX 255 #define TCG_EVENT_NAME_LEN_MAX 255
@ -1197,7 +1340,7 @@ void ima_extend_pcr(uint8_t *pcr, uint8_t *digest, int length)
SHA1_Final(pcr, &ctx); SHA1_Final(pcr, &ctx);
} }
static int ima_verify_tamplate_hash(struct template_entry *entry) static int ima_verify_template_hash(struct template_entry *entry)
{ {
uint8_t digest[SHA_DIGEST_LENGTH]; uint8_t digest[SHA_DIGEST_LENGTH];
@ -1227,9 +1370,10 @@ void ima_ng_show(struct template_entry *entry)
int total_len = entry->template_len, digest_len, len, sig_len; int total_len = entry->template_len, digest_len, len, sig_len;
uint8_t *digest, *sig = NULL; uint8_t *digest, *sig = NULL;
char *algo, *path; char *algo, *path;
int err;
/* get binary digest */ /* get binary digest */
field_len = *(uint8_t *)fieldp; field_len = *(uint32_t *)fieldp;
fieldp += sizeof(field_len); fieldp += sizeof(field_len);
total_len -= sizeof(field_len); total_len -= sizeof(field_len);
@ -1243,7 +1387,7 @@ void ima_ng_show(struct template_entry *entry)
total_len -= field_len; total_len -= field_len;
/* get path */ /* get path */
field_len = *(uint8_t *)fieldp; field_len = *(uint32_t *)fieldp;
fieldp += sizeof(field_len); fieldp += sizeof(field_len);
total_len -= sizeof(field_len); total_len -= sizeof(field_len);
@ -1255,7 +1399,7 @@ void ima_ng_show(struct template_entry *entry)
if (!strcmp(entry->name, "ima-sig")) { if (!strcmp(entry->name, "ima-sig")) {
/* get signature */ /* get signature */
field_len = *(uint8_t *)fieldp; field_len = *(uint32_t *)fieldp;
fieldp += sizeof(field_len); fieldp += sizeof(field_len);
total_len -= sizeof(field_len); total_len -= sizeof(field_len);
@ -1270,18 +1414,30 @@ void ima_ng_show(struct template_entry *entry)
} }
/* ascii_runtime_measurements */ /* ascii_runtime_measurements */
if (params.verbose > LOG_INFO) {
log_info("%d ", entry->header.pcr); log_info("%d ", entry->header.pcr);
log_dump_n(entry->header.digest, sizeof(entry->header.digest)); log_dump_n(entry->header.digest, sizeof(entry->header.digest));
log_info(" %s %s", entry->name, algo); log_info(" %s %s", entry->name, algo);
log_dump_n(digest, digest_len); log_dump_n(digest, digest_len);
log_info(" %s", path); log_info(" %s", path);
}
if (sig) { if (sig) {
if (params.verbose > LOG_INFO) {
log_info(" "); log_info(" ");
log_dump(sig, sig_len); log_dump(sig, sig_len);
ima_verify_signature(path, sig, sig_len); }
} else if (measurement_list)
err = ima_verify_signature(path, sig, sig_len,
digest, digest_len);
else
err = ima_verify_signature(path, sig, sig_len, NULL, 0);
if (!err && params.verbose > LOG_INFO)
log_info("%s: verification is OK\n", path);
} else {
if (params.verbose > LOG_INFO)
log_info("\n"); log_info("\n");
}
if (total_len) if (total_len)
log_err("Remain unprocessed data: %d\n", total_len); log_err("Remain unprocessed data: %d\n", total_len);
@ -1289,12 +1445,16 @@ void ima_ng_show(struct template_entry *entry)
static int ima_measurement(const char *file) static int ima_measurement(const char *file)
{ {
uint8_t pcr[SHA_DIGEST_LENGTH] = {0,}; uint8_t pcr[NUM_PCRS][SHA_DIGEST_LENGTH] = {{0}};
uint8_t pcr10[SHA_DIGEST_LENGTH]; uint8_t hwpcr[SHA_DIGEST_LENGTH];
struct template_entry entry = { .template = 0 }; struct template_entry entry = { .template = 0 };
FILE *fp; FILE *fp;
int err = -1; int err = -1;
bool verify_failed = false;
int i;
errno = 0;
memset(zero, 0, SHA_DIGEST_LENGTH);
memset(fox, 0xff, SHA_DIGEST_LENGTH); memset(fox, 0xff, SHA_DIGEST_LENGTH);
log_debug("Initial PCR value: "); log_debug("Initial PCR value: ");
@ -1306,8 +1466,13 @@ static int ima_measurement(const char *file)
return -1; return -1;
} }
/* Support multiple public keys */
if (params.keyfile)
init_public_keys(params.keyfile);
while (fread(&entry.header, sizeof(entry.header), 1, fp)) { while (fread(&entry.header, sizeof(entry.header), 1, fp)) {
ima_extend_pcr(pcr, entry.header.digest, SHA_DIGEST_LENGTH); ima_extend_pcr(pcr[entry.header.pcr], entry.header.digest,
SHA_DIGEST_LENGTH);
if (!fread(entry.name, entry.header.name_len, 1, fp)) { if (!fread(entry.name, entry.header.name_len, 1, fp)) {
log_err("Unable to read template name\n"); log_err("Unable to read template name\n");
@ -1333,7 +1498,7 @@ static int ima_measurement(const char *file)
} }
if (validate) if (validate)
ima_verify_tamplate_hash(&entry); ima_verify_template_hash(&entry);
if (!strcmp(entry.name, "ima")) if (!strcmp(entry.name, "ima"))
ima_show(&entry); ima_show(&entry);
@ -1341,23 +1506,29 @@ static int ima_measurement(const char *file)
ima_ng_show(&entry); ima_ng_show(&entry);
} }
tpm_pcr_read(10, pcr10, sizeof(pcr10));
log_info("PCRAgg: "); for (i = 0; i < NUM_PCRS; i++) {
log_dump(pcr, sizeof(pcr)); if (memcmp(pcr[i], zero, SHA_DIGEST_LENGTH) == 0)
continue;
log_info("PCR-10: "); log_info("PCRAgg %.2d: ", i);
log_dump(pcr10, sizeof(pcr10)); log_dump(pcr[i], SHA_DIGEST_LENGTH);
if (memcmp(pcr, pcr10, sizeof(pcr))) { tpm_pcr_read(i, hwpcr, sizeof(hwpcr));
log_err("PCRAgg does not match PCR-10\n"); log_info("HW PCR-%d: ", i);
goto out; log_dump(hwpcr, sizeof(hwpcr));
if (memcmp(pcr[i], hwpcr, sizeof(SHA_DIGEST_LENGTH)) != 0) {
log_err("PCRAgg %d does not match HW PCR-%d\n", i, i);
verify_failed = true;
}
} }
if (!verify_failed)
err = 0; err = 0;
out: out:
fclose(fp); fclose(fp);
return err; return err;
} }
@ -1450,6 +1621,7 @@ static void usage(void)
" -f, --sigfile store IMA signature in .sig file instead of xattr\n" " -f, --sigfile store IMA signature in .sig file instead of xattr\n"
" --rsa use RSA key type and signing scheme v1\n" " --rsa use RSA key type and signing scheme v1\n"
" -k, --key path to signing key (default: /etc/keys/{privkey,pubkey}_evm.pem)\n" " -k, --key path to signing key (default: /etc/keys/{privkey,pubkey}_evm.pem)\n"
" -o, --portable generate portable EVM signatures\n"
" -p, --pass password for encrypted signing key\n" " -p, --pass password for encrypted signing key\n"
" -r, --recursive recurse into directories (sign)\n" " -r, --recursive recurse into directories (sign)\n"
" -t, --type file types to fix 'fdsxm' (f: file, d: directory, s: block/char/symlink)\n" " -t, --type file types to fix 'fdsxm' (f: file, d: directory, s: block/char/symlink)\n"
@ -1460,6 +1632,15 @@ static void usage(void)
" --smack use extra SMACK xattrs for EVM\n" " --smack use extra SMACK xattrs for EVM\n"
" --m32 force EVM hmac/signature for 32 bit target system\n" " --m32 force EVM hmac/signature for 32 bit target system\n"
" --m64 force EVM hmac/signature for 64 bit target system\n" " --m64 force EVM hmac/signature for 64 bit target system\n"
" --ino use custom inode for EVM\n"
" --uid use custom UID for EVM\n"
" --gid use custom GID for EVM\n"
" --mode use custom Mode for EVM\n"
" --generation use custom Generation for EVM(unspecified: from FS, empty: use 0)\n"
" --ima use custom IMA signature for EVM\n"
" --selinux use custom Selinux label for EVM\n"
" --caps use custom Capabilities for EVM(unspecified: from FS, empty: do not use)\n"
" --list measurement list verification\n"
" -v increase verbosity level\n" " -v increase verbosity level\n"
" -h, --help display this help and exit\n" " -h, --help display this help and exit\n"
"\n"); "\n");
@ -1469,10 +1650,12 @@ struct command cmds[] = {
{"--version", NULL, 0, ""}, {"--version", NULL, 0, ""},
{"help", cmd_help, 0, "<command>"}, {"help", cmd_help, 0, "<command>"},
{"import", cmd_import, 0, "[--rsa] pubkey keyring", "Import public key into the keyring.\n"}, {"import", cmd_import, 0, "[--rsa] pubkey keyring", "Import public key into the keyring.\n"},
{"convert", cmd_convert, 0, "key", "convert public key into the keyring.\n"},
{"sign", cmd_sign_evm, 0, "[-r] [--imahash | --imasig ] [--key key] [--pass [password] file", "Sign file metadata.\n"}, {"sign", cmd_sign_evm, 0, "[-r] [--imahash | --imasig ] [--key key] [--pass [password] file", "Sign file metadata.\n"},
{"verify", cmd_verify_evm, 0, "file", "Verify EVM signature (for debugging).\n"}, {"verify", cmd_verify_evm, 0, "file", "Verify EVM signature (for debugging).\n"},
{"ima_sign", cmd_sign_ima, 0, "[--sigfile] [--key key] [--pass [password] file", "Make file content signature.\n"}, {"ima_sign", cmd_sign_ima, 0, "[--sigfile] [--key key] [--pass [password] file", "Make file content signature.\n"},
{"ima_verify", cmd_verify_ima, 0, "file", "Verify IMA signature (for debugging).\n"}, {"ima_verify", cmd_verify_ima, 0, "file", "Verify IMA signature (for debugging).\n"},
{"ima_setxattr", cmd_setxattr_ima, 0, "[--sigfile file]", "Set IMA signature from sigfile\n"},
{"ima_hash", cmd_hash_ima, 0, "file", "Make file content hash.\n"}, {"ima_hash", cmd_hash_ima, 0, "file", "Make file content hash.\n"},
{"ima_measurement", cmd_ima_measurement, 0, "file", "Verify measurement list (experimental).\n"}, {"ima_measurement", cmd_ima_measurement, 0, "file", "Verify measurement list (experimental).\n"},
{"ima_fix", cmd_ima_fix, 0, "[-t fdsxm] path", "Recursively fix IMA/EVM xattrs in fix mode.\n"}, {"ima_fix", cmd_ima_fix, 0, "[-t fdsxm] path", "Recursively fix IMA/EVM xattrs in fix mode.\n"},
@ -1498,8 +1681,18 @@ static struct option opts[] = {
{"recursive", 0, 0, 'r'}, {"recursive", 0, 0, 'r'},
{"m32", 0, 0, '3'}, {"m32", 0, 0, '3'},
{"m64", 0, 0, '6'}, {"m64", 0, 0, '6'},
{"smack", 0, 0, 256}, {"portable", 0, 0, 'o'},
{"version", 0, 0, 257}, {"smack", 0, 0, 128},
{"version", 0, 0, 129},
{"inode", 1, 0, 130},
{"uid", 1, 0, 131},
{"gid", 1, 0, 132},
{"mode", 1, 0, 133},
{"generation", 1, 0, 134},
{"ima", 1, 0, 135},
{"selinux", 1, 0, 136},
{"caps", 2, 0, 137},
{"list", 0, 0, 138},
{} {}
}; };
@ -1546,7 +1739,7 @@ int main(int argc, char *argv[])
g_argc = argc; g_argc = argc;
while (1) { while (1) {
c = getopt_long(argc, argv, "hvnsda:p::fu::k:t:ri", opts, &lind); c = getopt_long(argc, argv, "hvnsda:op::fu::k:t:ri", opts, &lind);
if (c == -1) if (c == -1)
break; break;
@ -1580,14 +1773,11 @@ int main(int argc, char *argv[])
break; break;
case 'f': case 'f':
sigfile = 1; sigfile = 1;
xattr = 0;
break; break;
case 'u': case 'u':
uuid_str = optarg; uuid_str = optarg;
if (uuid_str) if (!uuid_str)
hmac_flags |= HMAC_FLAG_UUID_SET; hmac_flags |= HMAC_FLAG_NO_UUID;
else
hmac_flags &= ~HMAC_FLAG_UUID;
break; break;
case '1': case '1':
params.x509 = 0; params.x509 = 0;
@ -1596,8 +1786,17 @@ int main(int argc, char *argv[])
params.keyfile = optarg; params.keyfile = optarg;
break; break;
case 'i': case 'i':
if (evm_portable)
log_err("Portable and immutable options are exclusive, ignoring immutable option.");
else
evm_immutable = true; evm_immutable = true;
break; break;
case 'o':
if (evm_immutable)
log_err("Portable and immutable options are exclusive, ignoring portable option.");
else
evm_portable = true;
break;
case 't': case 't':
search_type = optarg; search_type = optarg;
break; break;
@ -1610,13 +1809,41 @@ int main(int argc, char *argv[])
case '6': case '6':
msize = 64; msize = 64;
break; break;
case 256: case 128:
evm_config_xattrnames = evm_extra_smack_xattrs; evm_config_xattrnames = evm_extra_smack_xattrs;
break; break;
case 257: case 129:
printf("evmctl %s\n", VERSION); printf("evmctl %s\n", VERSION);
exit(0); exit(0);
break; break;
case 130:
ino_str = optarg;
break;
case 131:
uid_str = optarg;
break;
case 132:
gid_str = optarg;
break;
case 133:
mode_str = optarg;
break;
case 134:
generation_str = optarg;
break;
case 135:
ima_str = optarg;
break;
case 136:
selinux_str = optarg;
break;
case 137:
caps_str = optarg;
hmac_flags |= HMAC_FLAG_CAPS_SET;
break;
case 138:
measurement_list = 1;
break;
case '?': case '?':
exit(1); exit(1);
break; break;

11
src/imaevm.h
View File

@ -82,6 +82,7 @@ enum evm_ima_xattr_type {
EVM_XATTR_HMAC, EVM_XATTR_HMAC,
EVM_IMA_XATTR_DIGSIG, EVM_IMA_XATTR_DIGSIG,
IMA_XATTR_DIGEST_NG, IMA_XATTR_DIGEST_NG,
EVM_XATTR_PORTABLE_DIGSIG,
}; };
struct h_misc { struct h_misc {
@ -172,7 +173,7 @@ struct signature_v2_hdr {
} __packed; } __packed;
typedef int (*verify_hash_fn_t)(const unsigned char *hash, int size, unsigned char *sig, int siglen, const char *keyfile); typedef int (*verify_hash_fn_t)(const char *file, const unsigned char *hash, int size, unsigned char *sig, int siglen, const char *keyfile);
struct libevm_params { struct libevm_params {
int verbose; int verbose;
@ -187,6 +188,9 @@ struct RSA_ASN1_template {
size_t size; size_t size;
}; };
#define NUM_PCRS 20
#define DEFAULT_PCR 10
extern const struct RSA_ASN1_template RSA_ASN1_templates[PKEY_HASH__LAST]; extern const struct RSA_ASN1_template RSA_ASN1_templates[PKEY_HASH__LAST];
extern struct libevm_params params; extern struct libevm_params params;
@ -202,7 +206,8 @@ void calc_keyid_v2(uint32_t *keyid, char *str, RSA *key);
int key2bin(RSA *key, unsigned char *pub); int key2bin(RSA *key, unsigned char *pub);
int sign_hash(const char *algo, const unsigned char *hash, int size, const char *keyfile, const char *keypass, unsigned char *sig); int sign_hash(const char *algo, const unsigned char *hash, int size, const char *keyfile, const char *keypass, unsigned char *sig);
int verify_hash(const unsigned char *hash, int size, unsigned char *sig, int siglen); int verify_hash(const char *file, const unsigned char *hash, int size, unsigned char *sig, int siglen);
int ima_verify_signature(const char *file, unsigned char *sig, int siglen); int ima_verify_signature(const char *file, unsigned char *sig, int siglen, unsigned char *digest, int digestlen);
void init_public_keys(const char *keyfiles);
#endif #endif

166
src/libimaevm.c
View File

@ -214,6 +214,7 @@ static int add_dir_hash(const char *file, EVP_MD_CTX *ctx)
DIR *dir; DIR *dir;
unsigned long long ino, off; unsigned long long ino, off;
unsigned int type; unsigned int type;
int result = 0;
dir = opendir(file); dir = opendir(file);
if (!dir) { if (!dir) {
@ -233,13 +234,14 @@ static int add_dir_hash(const char *file, EVP_MD_CTX *ctx)
err |= EVP_DigestUpdate(ctx, &type, sizeof(type)); err |= EVP_DigestUpdate(ctx, &type, sizeof(type));
if (!err) { if (!err) {
log_err("EVP_DigestUpdate() failed\n"); log_err("EVP_DigestUpdate() failed\n");
return 1; result = 1;
break;
} }
} }
closedir(dir); closedir(dir);
return 0; return result;
} }
static int add_link_hash(const char *path, EVP_MD_CTX *ctx) static int add_link_hash(const char *path, EVP_MD_CTX *ctx)
@ -269,9 +271,15 @@ int ima_calc_hash(const char *file, uint8_t *hash)
{ {
const EVP_MD *md; const EVP_MD *md;
struct stat st; struct stat st;
EVP_MD_CTX ctx; EVP_MD_CTX *pctx;
unsigned int mdlen; unsigned int mdlen;
int err; int err;
#if OPENSSL_VERSION_NUMBER < 0x10100000
EVP_MD_CTX ctx;
pctx = &ctx;
#else
pctx = EVP_MD_CTX_new();
#endif
/* Need to know the file length */ /* Need to know the file length */
err = lstat(file, &st); err = lstat(file, &st);
@ -286,7 +294,7 @@ int ima_calc_hash(const char *file, uint8_t *hash)
return 1; return 1;
} }
err = EVP_DigestInit(&ctx, md); err = EVP_DigestInit(pctx, md);
if (!err) { if (!err) {
log_err("EVP_DigestInit() failed\n"); log_err("EVP_DigestInit() failed\n");
return 1; return 1;
@ -294,17 +302,17 @@ int ima_calc_hash(const char *file, uint8_t *hash)
switch (st.st_mode & S_IFMT) { switch (st.st_mode & S_IFMT) {
case S_IFREG: case S_IFREG:
err = add_file_hash(file, &ctx); err = add_file_hash(file, pctx);
break; break;
case S_IFDIR: case S_IFDIR:
err = add_dir_hash(file, &ctx); err = add_dir_hash(file, pctx);
break; break;
case S_IFLNK: case S_IFLNK:
err = add_link_hash(file, &ctx); err = add_link_hash(file, pctx);
break; break;
case S_IFIFO: case S_IFSOCK: case S_IFIFO: case S_IFSOCK:
case S_IFCHR: case S_IFBLK: case S_IFCHR: case S_IFBLK:
err = add_dev_hash(&st, &ctx); err = add_dev_hash(&st, pctx);
break; break;
default: default:
log_errno("Unsupported file type"); log_errno("Unsupported file type");
@ -314,7 +322,7 @@ int ima_calc_hash(const char *file, uint8_t *hash)
if (err) if (err)
return err; return err;
err = EVP_DigestFinal(&ctx, hash, &mdlen); err = EVP_DigestFinal(pctx, hash, &mdlen);
if (!err) { if (!err) {
log_err("EVP_DigestFinal() failed\n"); log_err("EVP_DigestFinal() failed\n");
return 1; return 1;
@ -364,7 +372,8 @@ out:
return key; return key;
} }
int verify_hash_v1(const unsigned char *hash, int size, unsigned char *sig, int siglen, const char *keyfile) int verify_hash_v1(const char *file, const unsigned char *hash, int size,
unsigned char *sig, int siglen, const char *keyfile)
{ {
int err, len; int err, len;
SHA_CTX ctx; SHA_CTX ctx;
@ -373,7 +382,7 @@ int verify_hash_v1(const unsigned char *hash, int size, unsigned char *sig, int
unsigned char sighash[20]; unsigned char sighash[20];
struct signature_hdr *hdr = (struct signature_hdr *)sig; struct signature_hdr *hdr = (struct signature_hdr *)sig;
log_info("hash: "); log_info("hash-v1: ");
log_dump(hash, size); log_dump(hash, size);
key = read_pub_key(keyfile, 0); key = read_pub_key(keyfile, 0);
@ -390,24 +399,77 @@ int verify_hash_v1(const unsigned char *hash, int size, unsigned char *sig, int
err = RSA_public_decrypt(siglen - sizeof(*hdr) - 2, sig + sizeof(*hdr) + 2, out, key, RSA_PKCS1_PADDING); err = RSA_public_decrypt(siglen - sizeof(*hdr) - 2, sig + sizeof(*hdr) + 2, out, key, RSA_PKCS1_PADDING);
RSA_free(key); RSA_free(key);
if (err < 0) { if (err < 0) {
log_err("RSA_public_decrypt() failed: %d\n", err); log_err("%s: RSA_public_decrypt() failed: %d\n", file, err);
return 1; return 1;
} }
len = err; len = err;
if (len != sizeof(sighash) || memcmp(out, sighash, len) != 0) { if (len != sizeof(sighash) || memcmp(out, sighash, len) != 0) {
log_err("Verification failed: %d\n", err); log_err("%s: verification failed: %d\n", file, err);
return -1; return -1;
} else {
/*log_info("Verification is OK\n");*/
printf("Verification is OK\n");
} }
return 0; return 0;
} }
int verify_hash_v2(const unsigned char *hash, int size, unsigned char *sig, int siglen, const char *keyfile) struct public_key_entry {
struct public_key_entry *next;
uint32_t keyid;
char name[9];
RSA *key;
};
static struct public_key_entry *public_keys = NULL;
static RSA *find_keyid(uint32_t keyid)
{
struct public_key_entry *entry;
for (entry = public_keys; entry != NULL; entry = entry->next) {
if (entry->keyid == keyid)
return entry->key;
}
return NULL;
}
void init_public_keys(const char *keyfiles)
{
struct public_key_entry *entry;
char *tmp_keyfiles;
char *keyfile;
int i = 1;
tmp_keyfiles = strdup(keyfiles);
while ((keyfile = strsep(&tmp_keyfiles, ", \t")) != NULL) {
if (!keyfile)
break;
if ((*keyfile == '\0') || (*keyfile == ' ') ||
(*keyfile == '\t'))
continue;
entry = malloc(sizeof(struct public_key_entry));
if (!entry) {
perror("malloc");
break;
}
entry->key = read_pub_key(keyfile, 1);
if (!entry->key) {
free(entry);
continue;
}
calc_keyid_v2(&entry->keyid, entry->name, entry->key);
sprintf(entry->name, "%x", __be32_to_cpup(&entry->keyid));
log_info("key %d: %s %s\n", i++, entry->name, keyfile);
entry->next = public_keys;
public_keys = entry;
}
}
int verify_hash_v2(const char *file, const unsigned char *hash, int size,
unsigned char *sig, int siglen, const char *keyfile)
{ {
int err, len; int err, len;
unsigned char out[1024]; unsigned char out[1024];
@ -415,17 +477,29 @@ int verify_hash_v2(const unsigned char *hash, int size, unsigned char *sig, int
struct signature_v2_hdr *hdr = (struct signature_v2_hdr *)sig; struct signature_v2_hdr *hdr = (struct signature_v2_hdr *)sig;
const struct RSA_ASN1_template *asn1; const struct RSA_ASN1_template *asn1;
if (params.verbose > LOG_INFO) {
log_info("hash: "); log_info("hash: ");
log_dump(hash, size); log_dump(hash, size);
}
if (public_keys) {
key = find_keyid(hdr->keyid);
if (!key) {
log_err("%s: unknown keyid: %x\n", file,
__be32_to_cpup(&hdr->keyid));
return -1;
}
} else {
key = read_pub_key(keyfile, 1); key = read_pub_key(keyfile, 1);
if (!key) if (!key)
return 1; return 1;
}
err = RSA_public_decrypt(siglen - sizeof(*hdr), sig + sizeof(*hdr), out, key, RSA_PKCS1_PADDING);
RSA_free(key); err = RSA_public_decrypt(siglen - sizeof(*hdr), sig + sizeof(*hdr),
out, key, RSA_PKCS1_PADDING);
if (err < 0) { if (err < 0) {
log_err("RSA_public_decrypt() failed: %d\n", err); log_err("%s: RSA_public_decrypt() failed: %d\n", file, err);
return 1; return 1;
} }
@ -434,20 +508,17 @@ int verify_hash_v2(const unsigned char *hash, int size, unsigned char *sig, int
asn1 = &RSA_ASN1_templates[hdr->hash_algo]; asn1 = &RSA_ASN1_templates[hdr->hash_algo];
if (len < asn1->size || memcmp(out, asn1->data, asn1->size)) { if (len < asn1->size || memcmp(out, asn1->data, asn1->size)) {
log_err("Verification failed: %d\n", err); log_err("%s: verification failed: %d\n", file, err);
return -1; return -1;
} }
len -= asn1->size; len -= asn1->size;
if (len != size || memcmp(out + asn1->size, hash, len)) { if (len != size || memcmp(out + asn1->size, hash, len)) {
log_err("Verification failed: %d\n", err); log_err("%s: verification failed: %d\n", file, err);
return -1; return -1;
} }
/*log_info("Verification is OK\n");*/
printf("Verification is OK\n");
return 0; return 0;
} }
@ -489,7 +560,8 @@ static int get_hash_algo_from_sig(unsigned char *sig)
return -1; return -1;
} }
int verify_hash(const unsigned char *hash, int size, unsigned char *sig, int siglen) int verify_hash(const char *file, const unsigned char *hash, int size, unsigned char *sig,
int siglen)
{ {
const char *key; const char *key;
int x509; int x509;
@ -512,10 +584,11 @@ int verify_hash(const unsigned char *hash, int size, unsigned char *sig, int sig
"/etc/keys/x509_evm.der" : "/etc/keys/x509_evm.der" :
"/etc/keys/pubkey_evm.pem"; "/etc/keys/pubkey_evm.pem";
return verify_hash(hash, size, sig, siglen, key); return verify_hash(file, hash, size, sig, siglen, key);
} }
int ima_verify_signature(const char *file, unsigned char *sig, int siglen) int ima_verify_signature(const char *file, unsigned char *sig, int siglen,
unsigned char *digest, int digestlen)
{ {
unsigned char hash[64]; unsigned char hash[64];
int hashlen, sig_hash_algo; int hashlen, sig_hash_algo;
@ -533,11 +606,18 @@ int ima_verify_signature(const char *file, unsigned char *sig, int siglen)
/* Use hash algorithm as retrieved from signature */ /* Use hash algorithm as retrieved from signature */
params.hash_algo = pkey_hash_algo[sig_hash_algo]; params.hash_algo = pkey_hash_algo[sig_hash_algo];
/*
* Validate the signature based on the digest included in the
* measurement list, not by calculating the local file digest.
*/
if (digestlen > 0)
return verify_hash(file, digest, digestlen, sig + 1, siglen - 1);
hashlen = ima_calc_hash(file, hash); hashlen = ima_calc_hash(file, hash);
if (hashlen <= 1) if (hashlen <= 1)
return hashlen; return hashlen;
return verify_hash(hash, hashlen, sig + 1, siglen - 1); return verify_hash(file, hash, hashlen, sig + 1, siglen - 1);
} }
/* /*
@ -547,6 +627,14 @@ int key2bin(RSA *key, unsigned char *pub)
{ {
int len, b, offset = 0; int len, b, offset = 0;
struct pubkey_hdr *pkh = (struct pubkey_hdr *)pub; struct pubkey_hdr *pkh = (struct pubkey_hdr *)pub;
const BIGNUM *n, *e;
#if OPENSSL_VERSION_NUMBER < 0x10100000
n = key->n;
e = key->e;
#else
RSA_get0_key(key, &n, &e, NULL);
#endif
/* add key header */ /* add key header */
pkh->version = 1; pkh->version = 1;
@ -556,18 +644,18 @@ int key2bin(RSA *key, unsigned char *pub)
offset += sizeof(*pkh); offset += sizeof(*pkh);
len = BN_num_bytes(key->n); len = BN_num_bytes(n);
b = BN_num_bits(key->n); b = BN_num_bits(n);
pub[offset++] = b >> 8; pub[offset++] = b >> 8;
pub[offset++] = b & 0xff; pub[offset++] = b & 0xff;
BN_bn2bin(key->n, &pub[offset]); BN_bn2bin(n, &pub[offset]);
offset += len; offset += len;
len = BN_num_bytes(key->e); len = BN_num_bytes(e);
b = BN_num_bits(key->e); b = BN_num_bits(e);
pub[offset++] = b >> 8; pub[offset++] = b >> 8;
pub[offset++] = b & 0xff; pub[offset++] = b & 0xff;
BN_bn2bin(key->e, &pub[offset]); BN_bn2bin(e, &pub[offset]);
offset += len; offset += len;
return offset; return offset;
@ -585,9 +673,11 @@ void calc_keyid_v1(uint8_t *keyid, char *str, const unsigned char *pkey, int len
log_debug("keyid: "); log_debug("keyid: ");
log_debug_dump(keyid, 8); log_debug_dump(keyid, 8);
if (params.verbose > LOG_INFO) {
id = __be64_to_cpup((__be64 *) keyid); id = __be64_to_cpup((__be64 *) keyid);
sprintf(str, "%llX", (unsigned long long)id); sprintf(str, "%llX", (unsigned long long)id);
log_info("keyid: %s\n", str); log_info("keyid-v1: %s\n", str);
}
} }
void calc_keyid_v2(uint32_t *keyid, char *str, RSA *key) void calc_keyid_v2(uint32_t *keyid, char *str, RSA *key)
@ -605,8 +695,10 @@ void calc_keyid_v2(uint32_t *keyid, char *str, RSA *key)
log_debug("keyid: "); log_debug("keyid: ");
log_debug_dump(keyid, 4); log_debug_dump(keyid, 4);
if (params.verbose > LOG_INFO) {
sprintf(str, "%x", __be32_to_cpup(keyid)); sprintf(str, "%x", __be32_to_cpup(keyid));
log_info("keyid: %s\n", str); log_info("keyid: %s\n", str);
}
free(pkey); free(pkey);
} }
@ -719,7 +811,7 @@ int sign_hash_v1(const char *hashalgo, const unsigned char *hash, int size, cons
blen = (uint16_t *) (sig + sizeof(*hdr)); blen = (uint16_t *) (sig + sizeof(*hdr));
*blen = __cpu_to_be16(len << 3); *blen = __cpu_to_be16(len << 3);
len += sizeof(*hdr) + 2; len += sizeof(*hdr) + 2;
log_info("evm/ima signature: %d bytes\n", len); log_info("evm/ima signature-v1: %d bytes\n", len);
out: out:
RSA_free(key); RSA_free(key);
return len; return len;