ima-evm-utils: Fix reading of sigfile

Fix reading of detached IMA signature (--sigfile). Error message: Reading to sha1.txt.sig Failed to fread 147 bytes: sha1.txt.sig Failed reading: sha1.txt Reported-by: Mimi Zohar <zohar@linux.ibm.com> Fixes: 08a51e7460 ("ima-evm-utils: Fix file2bin stat and fopen relations") Signed-off-by: Vitaly Chikunov <vt@altlinux.org> Reviewed-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> (cherry picked from commit 19b77c8667)
Release version 1.3.1
2025-07-04 06:25:15 +02:00 · 2020-10-23 13:59:07 -04:00 · 2020-08-11 07:19:04 -04:00 · 2020-08-04 08:17:50 -04:00 · 2020-08-04 08:17:50 -04:00 · 2020-08-04 08:17:32 -04:00
8 changed files with 331 additions and 276 deletions
--- a/184
+++ b/184
@ -1,184 +0,0 @@
 2020-07-21  Mimi Zohar <zohar@linux.ibm.com>
 	version 1.3 new features:
 	* NEW ima-evm-utils regression test infrastructure with two initial
 	  tests:
 	  - ima_hash.test: calculate/verify different crypto hash algorithms
 	  - sign_verify.test: EVM and IMA sign/verify signature tests
 	* TPM 2.0 support
 	  - Calculate the new per TPM 2.0 bank template data digest
 	  - Support original padding the SHA1 template data digest
 	  - Compare ALL the re-calculated TPM 2.0 bank PCRs against the
 	    TPM 2.0 bank PCR values
 	  - Calculate the per TPM bank "boot_aggregate" values, including
 	    PCRs 8 & 9 in calculation
 	  - Support reading the per TPM 2.0 Bank PCRs using Intel's TSS
 	  - boot_aggregate.test: compare the calculated "boot_aggregate"
 	    values with the "boot_aggregate" value included in the IMA
 	    measurement.
 	* TPM 1.2 support
 	  - Additionally support reading the TPM 1.2 PCRs from a supplied file
 	    ("--pcrs" option)
 	* Based on original IMA LTP and standalone version support
 	  - Calculate the TPM 1.2 "boot_aggregate" based on the exported
 	    TPM 1.2 BIOS event log.
 	  - In addition to verifying the IMA measurement list against the
 	    the TPM PCRs, verify the IMA template data digest against the
 	    template data.  (Based on LTP "--verify" option.)
 	  - Ignore file measurement violations while verifying the IMA
 	    measurment list. (Based on LTP "--validate" option.)
 	  - Verify the file data signature included in the measurement list
 	    based on the file hash also included in the measurement list
 	    (--verify-sig)
 	  - Support original "ima" template (mixed templates not supported)
 	* Support "sm3" crypto name
 	Bug fixes and code cleanup:
 	* Don't exit with -1 on failure, exit with 125
 	* On signature verification failure, include pathname.
 	* Provide minimal hash_info.h file in case one doesn't exist, needed
 	  by the ima-evm-utils regression tests.
 	* On systems with TPM 1.2, skip "boot_aggregate.test" using sample logs
 	* Fix hash_algo type comparison mismatch
 	* Simplify/clean up code
 	* Address compiler complaints and failures
 	* Fix memory allocations and leaks
 	* Sanity check provided input files are regular files
 	* Revert making "tsspcrread" a compile build time decision.
 	* Limit additional messages based on log level (-v)
 2019-07-30  Mimi Zohar <zohar@linux.ibm.com>
 	version 1.2.1 Bug fixes:
 	* When verifying multiple file signatures, return correct status
 	* Don't automatically use keys from x509 certs if user supplied "--rsa"
 	* Fix verifying DIGSIG_VERSION_1 signatures
 	* autoconf, openssl fixes
 2019-07-24  Mimi Zohar <zohar@linux.ibm.com>
 	version 1.2 new features:
 	* Generate EVM signatures based on the specified hash algorithm
 	* include "security.apparmor" in EVM signature
 	* Add support for writing & verifying "user.xxxx" xattrs for testing
 	* Support Strebog/Gost hash functions
 	* Add OpenSSL engine support
 	* Use of EVP_PKEY OpenSSL API to generate/verify v2 signatures
 	* Support verifying multiple signatures at once
 	* Support new template "buf" field and warn about other unknown fields
 	* Improve OpenSSL error reporting
 	* Support reading TPM 2.0 PCRs using tsspcrread
 	Bug fixes and code cleanup:
 	* Update manpage stylesheet detection
 	* Fix xattr.h include file
 	* On error when reading TPM PCRs, don't log gargabe
 	* Properly return keyid string to calc_keyid_v1/v2 callers, caused by
 	  limiting keyid output to verbose mode
 	* Fix hash buffer overflow caused by EVM support for larger hashes,
 	  defined MAX_DIGEST_SIZE and MAX_SIGNATURE_SIZE, and added "asserts".
 	* Linked with libcrypto instead of OpenSSL
 	* Updated Autotools, replacing INCLUDES with AM_CPPFLAGS
 	* Include new "hash-info.gen" in tar
 	* Log the hash algorithm, not just the hash value
 	* Fixed memory leaks in: EV_MD_CTX, init_public_keys
 	* Fixed other warnings/bugs discovered by clang, coverity
 	* Remove indirect calls in verify_hash() to improve code readability
 	* Don't fallback to using sha1
 	* Namespace some too generic object names
 	* Make functions/arrays static if possible
 2018-01-28  Mimi Zohar <zohar@us.ibm.com>
 	version 1.1
 	* Support the new openssl 1.1 api
 	* Support for validating multiple pcrs
 	* Verify the measurement list signature based on the list digest
 	* Verify the "ima-sig" measurement list using multiple keys
 	* Fixed parsing the measurement template data field length
 	* Portable & immutable EVM signatures (new format)
 	* Multiple fixes that have been lingering in the next branch. Some
 	  are for experimental features that are not yet supported in the
 	  kernel.
 2014-07-30  Dmitry Kasatkin <dmitry.kasatkin@huawei.com>
 	version 1.0
 	* Recursive hashing
 	* Immutable EVM signatures (experimental)
 	* Command 'ima_clear' to remove xattrs
 	* Support for passing password to the library
 	* Support for asking password safely from the user
 2014-09-23  Dmitry Kasatkin <d.kasatkin@samsung.com>
 	version 0.9
 	* Updated README
 	* man page generated and added to the package
 	* Use additional SMACK xattrs for EVM signature generation
 	* Signing functions moved to libimaevm for external use (RPM)
 	* Fixed setting of correct hash header
 2014-05-05  Dmitry Kasatkin <d.kasatkin@samsung.com>
 	version 0.8
 	* Symbilic names for keyrings
 	* Hash list signing
 	* License text fix for using OpenSSL
 	* Help output fix
 2014-02-17  Dmitry Kasatkin <d.kasatkin@samsung.com>
 	version 0.7
 	* Fix symbolic links related bugs
 	* Provide recursive fixing
 	* Provide recursive signing
 	* Move IMA verification to the library (first for LTP use)
 	* Support for target architecture data size
 	* Remove obsolete module signing code
 	* Code cleanup
 2013-08-28  Dmitry Kasatkin <d.kasatkin@samsung.com>
 	version 0.6
 	* support for asymmetric crypto keys and new signature format (v2)
 	* fixes to set correct hash algo for digital signature v1
 	* uuid support for EVM
 	* signature verification support
 	* test scripts removed
 	* README updates
 2012-05-18  Dmitry Kasatkin  <dmitry.kasatkin@intel.com>
 	version 0.3
 	* llistxattr returns 0 if there are no xattrs and it is valid
 	* Added entry type to directory hash calculation
 	* inline block variable renamed
 	* Remove forced tag creation
 	* Use libexec for programs and scripts
 	* Some files updated
 	* Do not search for algorithm as it is known
 	* Refactored to remove redundant hash initialization code
 	* Added hash calculation for special files
 2012-04-05  Dmitry Kasatkin  <dmitry.kasatkin@intel.com>
 	version 0.2
 	* added RPM & TAR building makefile rules
 	* renamed evm-utils to ima-evm-utils
 	* added command options description
 	* updated error handling
 	* refactored redundant code
 2012-04-02  Dmitry Kasatkin  <dmitry.kasatkin@intel.com>
 	version 0.1.0
 	* Fully functional version for lastest 3.x kernels
 2011-08-24  Dmitry Kasatkin  <dmitry.kasatkin@intel.com>
 	version 0.1
 	* Initial public version.
--- a/193
+++ b/193
@ -0,0 +1,193 @@
 2020-08-11  Mimi Zohar <zohar@linux.ibm.com>
 	version 1.3.1:
 	* "--pcrs" support for per crypto algorithm
 	* Drop/rename "ima_measurement" options
 	* Moved this summary from "Changelog" to "NEWS", removing
 	  requirement for GNU empty files
 	* Distro build fixes
 2020-07-21  Mimi Zohar <zohar@linux.ibm.com>
 	version 1.3 new features:
 	* NEW ima-evm-utils regression test infrastructure with two initial
 	  tests:
 	  - ima_hash.test: calculate/verify different crypto hash algorithms
 	  - sign_verify.test: EVM and IMA sign/verify signature tests
 	* TPM 2.0 support
 	  - Calculate the new per TPM 2.0 bank template data digest
 	  - Support original padding the SHA1 template data digest
 	  - Compare ALL the re-calculated TPM 2.0 bank PCRs against the
 	    TPM 2.0 bank PCR values
 	  - Calculate the per TPM bank "boot_aggregate" values, including
 	    PCRs 8 & 9 in calculation
 	  - Support reading the per TPM 2.0 Bank PCRs using Intel's TSS
 	  - boot_aggregate.test: compare the calculated "boot_aggregate"
 	    values with the "boot_aggregate" value included in the IMA
 	    measurement.
 	* TPM 1.2 support
 	  - Additionally support reading the TPM 1.2 PCRs from a supplied file
 	    ("--pcrs" option)
 	* Based on original IMA LTP and standalone version support
 	  - Calculate the TPM 1.2 "boot_aggregate" based on the exported
 	    TPM 1.2 BIOS event log.
 	  - In addition to verifying the IMA measurement list against the
 	    the TPM PCRs, verify the IMA template data digest against the
 	    template data.  (Based on LTP "--verify" option.)
 	  - Ignore file measurement violations while verifying the IMA
 	    measurment list. (Based on LTP "--validate" option.)
 	  - Verify the file data signature included in the measurement list
 	    based on the file hash also included in the measurement list
 	    (--verify-sig)
 	  - Support original "ima" template (mixed templates not supported)
 	* Support "sm3" crypto name
 	Bug fixes and code cleanup:
 	* Don't exit with -1 on failure, exit with 125
 	* On signature verification failure, include pathname.
 	* Provide minimal hash_info.h file in case one doesn't exist, needed
 	  by the ima-evm-utils regression tests.
 	* On systems with TPM 1.2, skip "boot_aggregate.test" using sample logs
 	* Fix hash_algo type comparison mismatch
 	* Simplify/clean up code
 	* Address compiler complaints and failures
 	* Fix memory allocations and leaks
 	* Sanity check provided input files are regular files
 	* Revert making "tsspcrread" a compile build time decision.
 	* Limit additional messages based on log level (-v)
 2019-07-30  Mimi Zohar <zohar@linux.ibm.com>
 	version 1.2.1 Bug fixes:
 	* When verifying multiple file signatures, return correct status
 	* Don't automatically use keys from x509 certs if user supplied "--rsa"
 	* Fix verifying DIGSIG_VERSION_1 signatures
 	* autoconf, openssl fixes
 2019-07-24  Mimi Zohar <zohar@linux.ibm.com>
 	version 1.2 new features:
 	* Generate EVM signatures based on the specified hash algorithm
 	* include "security.apparmor" in EVM signature
 	* Add support for writing & verifying "user.xxxx" xattrs for testing
 	* Support Strebog/Gost hash functions
 	* Add OpenSSL engine support
 	* Use of EVP_PKEY OpenSSL API to generate/verify v2 signatures
 	* Support verifying multiple signatures at once
 	* Support new template "buf" field and warn about other unknown fields
 	* Improve OpenSSL error reporting
 	* Support reading TPM 2.0 PCRs using tsspcrread
 	Bug fixes and code cleanup:
 	* Update manpage stylesheet detection
 	* Fix xattr.h include file
 	* On error when reading TPM PCRs, don't log gargabe
 	* Properly return keyid string to calc_keyid_v1/v2 callers, caused by
 	  limiting keyid output to verbose mode
 	* Fix hash buffer overflow caused by EVM support for larger hashes,
 	  defined MAX_DIGEST_SIZE and MAX_SIGNATURE_SIZE, and added "asserts".
 	* Linked with libcrypto instead of OpenSSL
 	* Updated Autotools, replacing INCLUDES with AM_CPPFLAGS
 	* Include new "hash-info.gen" in tar
 	* Log the hash algorithm, not just the hash value
 	* Fixed memory leaks in: EV_MD_CTX, init_public_keys
 	* Fixed other warnings/bugs discovered by clang, coverity
 	* Remove indirect calls in verify_hash() to improve code readability
 	* Don't fallback to using sha1
 	* Namespace some too generic object names
 	* Make functions/arrays static if possible
 2018-01-28  Mimi Zohar <zohar@us.ibm.com>
 	version 1.1
 	* Support the new openssl 1.1 api
 	* Support for validating multiple pcrs
 	* Verify the measurement list signature based on the list digest
 	* Verify the "ima-sig" measurement list using multiple keys
 	* Fixed parsing the measurement template data field length
 	* Portable & immutable EVM signatures (new format)
 	* Multiple fixes that have been lingering in the next branch. Some
 	  are for experimental features that are not yet supported in the
 	  kernel.
 2014-07-30  Dmitry Kasatkin <dmitry.kasatkin@huawei.com>
 	version 1.0
 	* Recursive hashing
 	* Immutable EVM signatures (experimental)
 	* Command 'ima_clear' to remove xattrs
 	* Support for passing password to the library
 	* Support for asking password safely from the user
 2014-09-23  Dmitry Kasatkin <d.kasatkin@samsung.com>
 	version 0.9
 	* Updated README
 	* man page generated and added to the package
 	* Use additional SMACK xattrs for EVM signature generation
 	* Signing functions moved to libimaevm for external use (RPM)
 	* Fixed setting of correct hash header
 2014-05-05  Dmitry Kasatkin <d.kasatkin@samsung.com>
 	version 0.8
 	* Symbilic names for keyrings
 	* Hash list signing
 	* License text fix for using OpenSSL
 	* Help output fix
 2014-02-17  Dmitry Kasatkin <d.kasatkin@samsung.com>
 	version 0.7
 	* Fix symbolic links related bugs
 	* Provide recursive fixing
 	* Provide recursive signing
 	* Move IMA verification to the library (first for LTP use)
 	* Support for target architecture data size
 	* Remove obsolete module signing code
 	* Code cleanup
 2013-08-28  Dmitry Kasatkin <d.kasatkin@samsung.com>
 	version 0.6
 	* support for asymmetric crypto keys and new signature format (v2)
 	* fixes to set correct hash algo for digital signature v1
 	* uuid support for EVM
 	* signature verification support
 	* test scripts removed
 	* README updates
 2012-05-18  Dmitry Kasatkin  <dmitry.kasatkin@intel.com>
 	version 0.3
 	* llistxattr returns 0 if there are no xattrs and it is valid
 	* Added entry type to directory hash calculation
 	* inline block variable renamed
 	* Remove forced tag creation
 	* Use libexec for programs and scripts
 	* Some files updated
 	* Do not search for algorithm as it is known
 	* Refactored to remove redundant hash initialization code
 	* Added hash calculation for special files
 2012-04-05  Dmitry Kasatkin  <dmitry.kasatkin@intel.com>
 	version 0.2
 	* added RPM & TAR building makefile rules
 	* renamed evm-utils to ima-evm-utils
 	* added command options description
 	* updated error handling
 	* refactored redundant code
 2012-04-02  Dmitry Kasatkin  <dmitry.kasatkin@intel.com>
 	version 0.1.0
 	* Fully functional version for lastest 3.x kernels
 2011-08-24  Dmitry Kasatkin  <dmitry.kasatkin@intel.com>
 	version 0.1
 	* Initial public version.
--- a/7
+++ b/7
@ -31,7 +31,7 @@ COMMANDS
 ima_sign [--sigfile] [--key key] [--pass password] file
 ima_verify file
 ima_hash file
- ima_measurement [--validate] [--verify] [--verify-sig [--key "key1, key2, ..."]]  [--pcrs file] file
+ ima_measurement [--ignore-violations] [--verify-sig [--key "key1, key2, ..."]]  [--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...] file
 ima_fix [-t fdsxm] path
 sign_hash [--key key] [--pass password]
 hmac [--imahash | --imasig ] file
@ -59,9 +59,8 @@ OPTIONS
      --m32          force EVM hmac/signature for 32 bit target system
      --m64          force EVM hmac/signature for 64 bit target system
      --engine e     preload OpenSSL engine e (such as: gost)
-      --pcrs         file containing TPM 1.2 pcrs
+      --pcrs         file containing TPM pcrs, one per hash-algorithm/bank
-      --validate     ignore ToMToU measurement violations
+      --ignore-violations ignore ToMToU measurement violations
      --verify       verify the template data digest
      --verify-sig   verify the file signature based on the file hash, both
                     stored in the template data.
  -v                 increase verbosity level
--- a/configure.ac
+++ b/configure.ac
@ -1,8 +1,8 @@
 # autoconf script
 AC_PREREQ([2.65])
-AC_INIT(ima-evm-utils, 1.3, zohar@linux.ibm.com)
+AC_INIT(ima-evm-utils, 1.3.1, zohar@linux.ibm.com)
-AM_INIT_AUTOMAKE
+AM_INIT_AUTOMAKE([foreign])
 AC_CONFIG_HEADERS([config.h])
 AC_CONFIG_MACRO_DIR([m4])
--- a/packaging/ima-evm-utils.spec
+++ b/packaging/ima-evm-utils.spec
@ -1,5 +1,5 @@
 Name:		ima-evm-utils
-Version:	1.3
+Version:	1.3.1
 Release:	1%{?dist}
 Summary:	ima-evm-utils - IMA/EVM control utility
 Group:		System/Libraries
--- a/src/evmctl.c
+++ b/src/evmctl.c
@ -160,7 +160,10 @@ struct tpm_bank_info {
 	uint8_t pcr[NUM_PCRS][MAX_DIGEST_SIZE];
 };
-static char *pcrfile;
+/* One --pcrs file per hash-algorithm/bank */
 #define MAX_PCRFILE 2
 static char *pcrfile[MAX_PCRFILE];
 static unsigned npcrfile;
 static int bin2file(const char *file, const char *ext, const unsigned char *data, int len)
 {
@ -218,7 +221,7 @@ static unsigned char *file2bin(const char *file, const char *ext, int *size)
 		fclose(fp);
 		return NULL;
 	}
-	if (fread(data, len, 1, fp) != len) {
+	if (fread(data, len, 1, fp) != 1) {
 		log_err("Failed to fread %zu bytes: %s\n", len, name);
 		fclose(fp);
 		free(data);
@ -1373,55 +1376,6 @@ static int cmd_ima_clear(struct command *cmd)
 	return do_cmd(cmd, ima_clear);
 }
 static char *pcrs = "/sys/class/tpm/tpm0/device/pcrs";  /* Kernels >= 4.0 */
 static char *misc_pcrs = "/sys/class/misc/tpm0/device/pcrs";
 /* Read all of the TPM 1.2 PCRs */
 static int tpm_pcr_read(struct tpm_bank_info *tpm_banks, int len)
 {
 	struct stat s;
 	FILE *fp = NULL;
 	char *p, pcr_str[8], buf[70]; /* length of the TPM string */
 	int result = -1;
 	int i = 0;
 	/* Use the provided TPM 1.2 pcrs file */
 	if (pcrfile) {
 		if (stat(pcrfile, &s) == -1) {
 			errno = 0;
 			return 1;
 		}
 		if (!S_ISREG(s.st_mode)) {
 			log_info("TPM 1.2 PCR file: not a regular file or link to regular file\n");
 			return 1;
 		}
 		fp = fopen(pcrfile, "r");
 	}
 	if (!fp)
 		fp = fopen(pcrs, "r");
 	if (!fp)
 		fp = fopen(misc_pcrs, "r");
 	if (!fp)
 		return -1;
 	for (;;) {
 		p = fgets(buf, sizeof(buf), fp);
 		if (!p || i > 99)
 			break;
 		sprintf(pcr_str, "PCR-%2.2d", i);
 		if (!strncmp(p, pcr_str, 6))
 			hex2bin(tpm_banks[0].pcr[i++], p + 7, len);
 		result = 0;
 	}
 	fclose(fp);
 	return result;
 }
 #define TCG_EVENT_NAME_LEN_MAX	255
 struct template_entry {
@ -1438,8 +1392,7 @@ struct template_entry {
 static uint8_t zero[MAX_DIGEST_SIZE];
-static int validate = 0;
+static int ignore_violations = 0;
 static int verify = 0;
 static int ima_verify_template_hash(struct template_entry *entry)
 {
@ -1786,7 +1739,7 @@ static void extend_tpm_banks(struct template_entry *entry, int num_banks,
 		 * size.
 		 */
 		if (memcmp(entry->header.digest, zero, SHA_DIGEST_LENGTH) == 0) {
-			if (!validate) {
+			if (!ignore_violations) {
 				memset(bank[i].digest, 0x00, bank[i].digest_size);
 				memset(padded_bank[i].digest, 0x00, padded_bank[i].digest_size);
 			} else {
@ -1829,20 +1782,108 @@ static void extend_tpm_banks(struct template_entry *entry, int num_banks,
 #endif
 }
-/* Read TPM 1.2 PCRs */
+static int read_one_bank(struct tpm_bank_info *tpm_bank, FILE *fp)
 static int read_tpm_pcrs(int num_banks, struct tpm_bank_info *tpm_banks)
 {
-	int i;
+	char *p, pcr_str[8], buf[MAX_DIGEST_SIZE * 2 + 8];
-
+	int i = 0;
-	if (tpm_pcr_read(tpm_banks, SHA_DIGEST_LENGTH)) {
+	int result = -1;
-		log_debug("Failed to read TPM 1.2 PCRs.\n");
+	for (;;) {
-		return -1;
+		p = fgets(buf, sizeof(buf), fp);
 		if (!p || i >= NUM_PCRS)
 			break;
 		sprintf(pcr_str, "PCR-%2.2d", i);
 		if (!strncmp(p, pcr_str, 6))
 			hex2bin(tpm_bank->pcr[i++], p + 7, tpm_bank->digest_size);
 		result = 0;
 	}
 	return result;
 }
 static char *pcrs = "/sys/class/tpm/tpm0/device/pcrs";  /* Kernels >= 4.0 */
 static char *misc_pcrs = "/sys/class/misc/tpm0/device/pcrs";
 /* Read one of the TPM 1.2 sysfs files if present */
 static int read_sysfs_pcrs(int num_banks, struct tpm_bank_info *tpm_banks)
 {
 	FILE *fp;
 	int i, result;
 	fp = fopen(pcrs, "r");
 	if (!fp)
 		fp = fopen(misc_pcrs, "r");
 	if (!fp)
 		return -1;
 	result = read_one_bank(&tpm_banks[0], fp);
 	fclose(fp);
 	if (result < 0)
 		return result;
 	tpm_banks[0].supported = 1;
 	for (i = 1; i < num_banks; i++)
 		tpm_banks[i].supported = 0;
 	return 0;
 }
 /* Read PCRs from per-bank file(s) specified via --pcrs */
 static int read_file_pcrs(int num_banks, struct tpm_bank_info *tpm_banks)
 {
 	struct stat s;
 	FILE *fp;
 	char *p;
 	const char *alg, *path;
 	int i, j, bank, result;
 	for (i = 0; i < num_banks; i++)
 		tpm_banks[i].supported = 0;
 	for (i = 0; i < npcrfile; i++) {
 		p = strchr(pcrfile[i], ',');
 		if (p) {
 			*p = 0;
 			alg = pcrfile[i];
 			path = ++p;
 		} else {
 			alg = "sha1";
 			path = pcrfile[i];
 		}
 		bank = -1;
 		for (j = 0; j < num_banks; j++) {
 			if (!strcmp(tpm_banks[j].algo_name, alg)) {
 				bank = j;
 				break;
 			}
 		}
 		if (bank < 0) {
 			log_err("Unknown algorithm '%s'\n", alg);
 			return -1;
 		}
 		if (stat(path, &s) == -1) {
 			log_err("Could not stat '%s'\n", path);
 			return -1;
 		}
 		if (!S_ISREG(s.st_mode)) {
 			log_err("PCR file: not a regular file or link to regular file\n");
 			return -1;
 		}
 		fp = fopen(path, "r");
 		if (!fp) {
 			log_err("Could not open '%s'\n", path);
 			return -1;
 		}
 		result = read_one_bank(&tpm_banks[bank], fp);
 		fclose(fp);
 		if (result < 0)
 			return result;
 		tpm_banks[bank].supported = 1;
 	}
 	return 0;
 }
 /*
@ -1857,8 +1898,12 @@ static int read_tpm_banks(int num_banks, struct tpm_bank_info *bank)
 	int i, j;
 	int err;
-	/* First try reading PCRs from exported TPM 1.2 sysfs file */
+	/* If --pcrs was specified, read only from the specified file(s) */
-	if (read_tpm_pcrs(num_banks, bank) == 0)
+	if (npcrfile)
 		return read_file_pcrs(num_banks, bank);
 	/* Else try reading PCRs from the sysfs file if present */
 	if (read_sysfs_pcrs(num_banks, bank) == 0)
 		return 0;
 	/* Any userspace applications available for reading TPM 2.0 PCRs? */
@ -1899,7 +1944,7 @@ static int ima_measurement(const char *file)
 	struct template_entry entry = { .template = 0 };
 	FILE *fp;
-	int verified_template_digest = 0;
+	int invalid_template_digest = 0;
 	int err_padded = -1;
 	int err = -1;
@ -2029,11 +2074,9 @@ static int ima_measurement(const char *file)
 				 pseudo_padded_banks);
 		/* Recalculate and verify template data digest */
 		if (verify) {
 		err = ima_verify_template_hash(&entry);
 		if (err)
-				verified_template_digest = 1;
+			invalid_template_digest = 1;
 		}
 		if (is_ima_template)
 			ima_show(&entry);
@ -2070,7 +2113,7 @@ static int ima_measurement(const char *file)
 			log_info("Failed to match per TPM bank or SHA1 padded TPM digest(s).\n");
 	}
-	if (verified_template_digest) {
+	if (invalid_template_digest) {
 		log_info("Failed to verify template data digest.\n");
 		err = 1;
 	}
@ -2424,6 +2467,7 @@ static void usage(void)
 		"      --caps         use custom Capabilities for EVM(unspecified: from FS, empty: do not use)\n"
 		"      --verify-sig   verify measurement list signatures\n"
 		"      --engine e     preload OpenSSL engine e (such as: gost)\n"
 		"      --ignore-violations ignore ToMToU measurement violations"
 		"  -v                 increase verbosity level\n"
 		"  -h, --help         display this help and exit\n"
 		"\n");
@ -2440,7 +2484,7 @@ struct command cmds[] = {
 	{"ima_verify", cmd_verify_ima, 0, "file", "Verify IMA signature (for debugging).\n"},
 	{"ima_setxattr", cmd_setxattr_ima, 0, "[--sigfile file]", "Set IMA signature from sigfile\n"},
 	{"ima_hash", cmd_hash_ima, 0, "file", "Make file content hash.\n"},
-	{"ima_measurement", cmd_ima_measurement, 0, "[--validate] [--verify] [--verify-sig [--key key1, key2, ...]] [--pcrs file] file", "Verify measurement list (experimental).\n"},
+	{"ima_measurement", cmd_ima_measurement, 0, "[--ignore-violations] [--verify-sig [--key key1, key2, ...]] [--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...] file", "Verify measurement list (experimental).\n"},
 	{"ima_boot_aggregate", cmd_ima_bootaggr, 0, "[file]", "Calculate per TPM bank boot_aggregate digests\n"},
 	{"ima_fix", cmd_ima_fix, 0, "[-t fdsxm] path", "Recursively fix IMA/EVM xattrs in fix mode.\n"},
 	{"ima_clear", cmd_ima_clear, 0, "[-t fdsxm] path", "Recursively remove IMA/EVM xattrs.\n"},
@ -2479,9 +2523,8 @@ static struct option opts[] = {
 	{"verify-sig", 0, 0, 138},
 	{"engine", 1, 0, 139},
 	{"xattr-user", 0, 0, 140},
-	{"validate", 0, 0, 141},
+	{"ignore-violations", 0, 0, 141},
-	{"verify", 0, 0, 142},
+	{"pcrs", 1, 0, 142},
 	{"pcrs", 1, 0, 143},
 	{}
 };
@ -2660,14 +2703,15 @@ int main(int argc, char *argv[])
 			xattr_ima = "user.ima";
 			xattr_evm = "user.evm";
 			break;
-		case 141: /* --validate */
+		case 141: /* --ignore-violations */
-			validate = 1;
+			ignore_violations = 1;
 			break;
-		case 142: /* --verify */
+		case 142:
-			verify = 1;
+			if (npcrfile >= MAX_PCRFILE) {
-			break;
+				log_err("too many --pcrfile options\n");
-		case 143:
+				exit(1);
-			pcrfile = optarg;
+			}
 			pcrfile[npcrfile++] = optarg;
 			break;
 		case '?':
 			exit(1);
--- a/src/imaevm.h
+++ b/src/imaevm.h
@ -46,7 +46,7 @@
 #include <syslog.h>
 #include <stdbool.h>
 #include <errno.h>
-
+#include <sys/types.h>
 #include <openssl/rsa.h>
 #ifdef USE_FPRINTF
@ -203,7 +203,7 @@ struct RSA_ASN1_template {
 	size_t size;
 };
-#define	NUM_PCRS 20
+#define	NUM_PCRS 24
 #define DEFAULT_PCR 10
 extern struct libimaevm_params imaevm_params;
--- a/src/pcr_tss.c
+++ b/src/pcr_tss.c
@ -68,14 +68,17 @@ int tpm2_pcr_supported(void)
 static int pcr_selections_match(TPML_PCR_SELECTION *a, TPML_PCR_SELECTION *b)
 {
 	int i, j;
 	if (a->count != b->count)
 		return 0;
-	for (int i = 0; i < a->count; i++) {
+
 	for (i = 0; i < a->count; i++) {
 		if (a->pcrSelections[i].hash != b->pcrSelections[i].hash)
 			return 0;
 		if (a->pcrSelections[i].sizeofSelect != b->pcrSelections[i].sizeofSelect)
 			return 0;
-		for (int j = 0; j < a->pcrSelections[i].sizeofSelect; j++) {
+		for (j = 0; j < a->pcrSelections[i].sizeofSelect; j++) {
 			if (a->pcrSelections[i].pcrSelect[j] != b->pcrSelections[i].pcrSelect[j])
 				return 0;
 		}
Author	SHA1	Message	Date
Vitaly Chikunov	f27e2f7d99	ima-evm-utils: Fix reading of sigfile Fix reading of detached IMA signature (--sigfile). Error message: Reading to sha1.txt.sig Failed to fread 147 bytes: sha1.txt.sig Failed reading: sha1.txt Reported-by: Mimi Zohar <zohar@linux.ibm.com> Fixes: `08a51e7460` ("ima-evm-utils: Fix file2bin stat and fopen relations") Signed-off-by: Vitaly Chikunov <vt@altlinux.org> Reviewed-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> (cherry picked from commit `19b77c8667`)	2020-10-23 13:59:07 -04:00
Mimi Zohar	97b912a727	Release version 1.3.1 Releasing v1.3.1 so quickly after v1.3 is to address a couple of distro build issues. A few additional changes, that were not quite ready for the 1.3 release, are included as well. Refer to "NEWS" for a summary of these changes. Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>	2020-08-11 07:19:04 -04:00
Mimi Zohar	62534f2127	Rename "--validate" to "--ignore-violations" IMA records file "Time of Measure, Time of Use (ToMToU)" and "open writers" integrity violations by adding a record to the measurement list containing one value (0x00's), but extending the TPM with a different value (0xFF's). To avoid known file integrity violations, the builtin "tcb" measurement policy should be replaced with a custom policy as early as possible. This patch renames the existing "--validate" option to "--ignore-violations". Suggested-by: Stephen Smalley <stephen.smalley.work@gmail.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>	2020-08-04 08:17:50 -04:00
Mimi Zohar	5b58f47570	Drop the ima_measurement "--verify" option While walking the IMA measurement list re-calculating the PCRS, ima_measurement should always re-calculate the template data digest and verify it against the measurement list value. This patch removes the "--verify" option. On success, return 0. Suggested-by: Stephen Smalley <stephen.smalley.work@gmail.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>	2020-08-04 08:17:50 -04:00
Stephen Smalley	8e2738dd44	extend ima_measurement --pcrs option to support per-bank pcr files Extend the ima_measurement --pcrs option to support per-bank pcr files. The extended syntax is "--pcrs algorithm,pathname". If no algorithm is specified, it defaults to sha1 as before. Multiple --pcrs options are now supported, one per bank of PCRs. The file format remains unchanged. If --pcrs is specified, only try to read PCRs from the specified file(s); do not fall back to trying to read from sysfs or the TPM itself in this case since the user requested use of the files. Create per-bank pcr files, depends on "tpm: add sysfs exports for all banks of PCR registers" kernel patch: $ cat tpm2pcrread.sh for alg in sha1 sha256 do rm -f pcr-$alg pcr=0; while [ $pcr -lt 24 ]; do printf "PCR-%02d: " $pcr >> pcr-$alg; cat /sys/class/tpm/tpm0/pcr-$alg/$pcr >> pcr-$alg; pcr=$[$pcr+1]; done done $ sh ./tpm2pcrread.sh Pass only the sha1 PCRs to evmctl defaulting to sha1: $ sudo evmctl ima_measurement --pcrs pcr-sha1 /sys/kernel/security/integrity/ima/binary_runtime_measurements Pass only the sha1 PCRs to evmctl with explicit selection of sha1: $ sudo evmctl ima_measurement --pcrs sha1,pcr-sha1 /sys/kernel/security/integrity/ima/binary_runtime_measurements Pass both sha1 and sha256 PCRs to evmctl: $ sudo evmctl ima_measurement --pcrs sha1,pcr-sha1 --pcrs sha256,pcr-sha256 /sys/kernel/security/integrity/ima/binary_runtime_measurements Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com> [zohar@linux.ibm.com: although support for exporting TPM 2.0 PCRs has not yet been upstreamed, add support for the file format anyway.] Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>	2020-08-04 08:17:32 -04:00
Mimi Zohar	79ab82f55f	Rename "Changelog" to "NEWS" autoconfig requires the existence of a "NEWS" file. "git log" is a better changelog, and "ChangeLog" is really condensed and suitable to be NEWS. After renaming ChangeLog to NEWS, autoconfig complains about the missing "ChangeLog" file. Replacing the default automake GNU flavor with "foreign" removes the requirement for defining the NEWS, COPYING, AUTHORS, ChangeLog, and README files. Reported-by: Petr Vorel <pvorel@suse.cz> Suggested-by: Vitaly Chikunov <vt@altlinux.org> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>	2020-07-22 22:14:11 -04:00
Petr Vorel	7f9a59c6c6	Fix missing {u,g}id_t typedef on musl Fixes: `273701a` ("evmctl - IMA/EVM control tool") Signed-off-by: Petr Vorel <petr.vorel@gmail.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>	2020-07-22 17:20:14 -04:00
Petr Vorel	1f4e423e7c	pcr_tss: Fix compilation for old compilers pcr_tss.c: In function 'pcr_selections_match': pcr_tss.c:73:2: error: 'for' loop initial declarations are only allowed in C99 mode for (int i = 0; i < a->count; i++) { ^ pcr_tss.c:73:2: note: use option -std=c99 or -std=gnu99 to compile your code pcr_tss.c:78:3: error: 'for' loop initial declarations are only allowed in C99 mode for (int j = 0; j < a->pcrSelections[i].sizeofSelect; j++) { ^ Fixes: `03f99ea` ("ima-evm-utils: Add support for Intel TSS2 for PCR reading") Signed-off-by: Petr Vorel <pvorel@suse.cz> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>	2020-07-22 07:01:12 -04:00