dh/ima-evm-utils-mirror
1
0
Fork 0
mirror of https://git.code.sf.net/p/linux-ima/ima-evm-utils synced 2025-07-03 06:03:16 +02:00
Code Releases Activity

Compare commits

base: dh:v1.3
Branches Tags
dh:master dh:next dh:next-testing dh:ima-evm-utils-1.3.1-y dh:ima-evm-utils-1.2.y
dh:v1.5 dh:v1.4 dh:v1.3.2 dh:v1.3.1 dh:v1.3 dh:v1.2.1 dh:v1.2 dh:v1.1 dh:v1.0 dh:v0.9 dh:v0.8 dh:v0.7 dh:v0.6 dh:v0.5 dh:v0.4 dh:v0.1.0 dh:v0.2 dh:v0.3 dh:v0.1.1
..
compare: dh:ima-evm-utils-1.3.1-y
Branches Tags
dh:next dh:next-testing dh:master dh:ima-evm-utils-1.3.1-y dh:ima-evm-utils-1.2.y
dh:v1.5 dh:v1.4 dh:v1.3.2 dh:v1.3.1 dh:v1.3 dh:v1.2.1 dh:v1.2 dh:v1.1 dh:v1.0 dh:v0.9 dh:v0.8 dh:v0.7 dh:v0.6 dh:v0.5 dh:v0.4 dh:v0.1.0 dh:v0.2 dh:v0.3 dh:v0.1.1

8 Commits
v1.3 ... ima-evm-ut

Author SHA1 Message Date
Vitaly Chikunov
f27e2f7d99 ima-evm-utils: Fix reading of sigfile 
Fix reading of detached IMA signature (--sigfile). Error message:

  Reading to sha1.txt.sig
  Failed to fread 147 bytes: sha1.txt.sig
  Failed reading: sha1.txt

Reported-by: Mimi Zohar <zohar@linux.ibm.com>
Fixes: 08a51e7460 ("ima-evm-utils: Fix file2bin stat and fopen relations")
Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
Reviewed-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
(cherry picked from commit 19b77c8667)
 2020-10-23 13:59:07 -04:00
Mimi Zohar
97b912a727 Release version 1.3.1 
Releasing v1.3.1 so quickly after v1.3 is to address a couple of distro
build issues.  A few additional changes, that were not quite ready for
the 1.3 release, are included as well.  Refer to "NEWS" for a summary of
these changes.

Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
 2020-08-11 07:19:04 -04:00
Mimi Zohar
62534f2127 Rename "--validate" to "--ignore-violations" 
IMA records file "Time of Measure, Time of Use (ToMToU)" and "open
writers" integrity violations by adding a record to the measurement
list containing one value (0x00's), but extending the TPM with a
different value (0xFF's).

To avoid known file integrity violations, the builtin "tcb" measurement
policy should be replaced with a custom policy as early as possible.
This patch renames the existing "--validate" option to
"--ignore-violations".

Suggested-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
 2020-08-04 08:17:50 -04:00
Mimi Zohar
5b58f47570 Drop the ima_measurement "--verify" option 
While walking the IMA measurement list re-calculating the PCRS,
ima_measurement should always re-calculate the template data digest
and verify it against the measurement list value.

This patch removes the "--verify" option.

On success, return 0.

Suggested-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
 2020-08-04 08:17:50 -04:00
Stephen Smalley
8e2738dd44 extend ima_measurement --pcrs option to support per-bank pcr files 
Extend the ima_measurement --pcrs option to support per-bank pcr files.
The extended syntax is "--pcrs algorithm,pathname".  If no algorithm
is specified, it defaults to sha1 as before.  Multiple --pcrs options
are now supported, one per bank of PCRs. The file format remains
unchanged.  If --pcrs is specified, only try to read PCRs from the
specified file(s); do not fall back to trying to read from sysfs
or the TPM itself in this case since the user requested use of
the files.

Create per-bank pcr files, depends on "tpm: add sysfs exports for all
banks of PCR registers" kernel patch:
$ cat tpm2pcrread.sh
for alg in sha1 sha256
do
  rm -f pcr-$alg
  pcr=0;
  while [ $pcr -lt 24 ];
  do
    printf "PCR-%02d: " $pcr >> pcr-$alg;
    cat /sys/class/tpm/tpm0/pcr-$alg/$pcr >> pcr-$alg;
    pcr=$[$pcr+1];
  done
done
$ sh ./tpm2pcrread.sh

Pass only the sha1 PCRs to evmctl defaulting to sha1:
$ sudo evmctl ima_measurement --pcrs pcr-sha1 /sys/kernel/security/integrity/ima/binary_runtime_measurements

Pass only the sha1 PCRs to evmctl with explicit selection of sha1:
$ sudo evmctl ima_measurement --pcrs sha1,pcr-sha1 /sys/kernel/security/integrity/ima/binary_runtime_measurements

Pass both sha1 and sha256 PCRs to evmctl:
$ sudo evmctl ima_measurement --pcrs sha1,pcr-sha1 --pcrs sha256,pcr-sha256 /sys/kernel/security/integrity/ima/binary_runtime_measurements

Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
[zohar@linux.ibm.com: although support for exporting TPM 2.0 PCRs has
not yet been upstreamed, add support for the file format anyway.]
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
 2020-08-04 08:17:32 -04:00
Mimi Zohar
79ab82f55f Rename "Changelog" to "NEWS" 
autoconfig requires the existence of a "NEWS" file.  "git log" is a better
changelog, and "ChangeLog" is really condensed and suitable to be NEWS.
After renaming ChangeLog to NEWS, autoconfig complains about the missing
"ChangeLog" file.

Replacing the default automake GNU flavor with "foreign" removes the
requirement for defining the NEWS, COPYING, AUTHORS, ChangeLog, and
README files.

Reported-by: Petr Vorel <pvorel@suse.cz>
Suggested-by: Vitaly Chikunov <vt@altlinux.org>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
 2020-07-22 22:14:11 -04:00
Petr Vorel
7f9a59c6c6 Fix missing {u,g}id_t typedef on musl 
Fixes: 273701a ("evmctl - IMA/EVM control tool")

Signed-off-by: Petr Vorel <petr.vorel@gmail.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
 2020-07-22 17:20:14 -04:00
Petr Vorel
1f4e423e7c pcr_tss: Fix compilation for old compilers 
pcr_tss.c: In function 'pcr_selections_match':
pcr_tss.c:73:2: error: 'for' loop initial declarations are only allowed in C99 mode
  for (int i = 0; i < a->count; i++) {
  ^
pcr_tss.c:73:2: note: use option -std=c99 or -std=gnu99 to compile your code
pcr_tss.c:78:3: error: 'for' loop initial declarations are only allowed in C99 mode
   for (int j = 0; j < a->pcrSelections[i].sizeofSelect; j++) {
   ^

Fixes: 03f99ea ("ima-evm-utils: Add support for Intel TSS2 for PCR
reading")

Signed-off-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
 2020-07-22 07:01:12 -04:00
8 changed files with 331 additions and 276 deletions
Expand all files Collapse all files

184
ChangeLog
View File

@ -1,184 +0,0 @@
2020-07-21 Mimi Zohar <zohar@linux.ibm.com>
version 1.3 new features:
* NEW ima-evm-utils regression test infrastructure with two initial
tests:
- ima_hash.test: calculate/verify different crypto hash algorithms
- sign_verify.test: EVM and IMA sign/verify signature tests
* TPM 2.0 support
- Calculate the new per TPM 2.0 bank template data digest
- Support original padding the SHA1 template data digest
- Compare ALL the re-calculated TPM 2.0 bank PCRs against the
TPM 2.0 bank PCR values
- Calculate the per TPM bank "boot_aggregate" values, including
PCRs 8 & 9 in calculation
- Support reading the per TPM 2.0 Bank PCRs using Intel's TSS
- boot_aggregate.test: compare the calculated "boot_aggregate"
values with the "boot_aggregate" value included in the IMA
measurement.
* TPM 1.2 support
- Additionally support reading the TPM 1.2 PCRs from a supplied file
("--pcrs" option)
* Based on original IMA LTP and standalone version support
- Calculate the TPM 1.2 "boot_aggregate" based on the exported
TPM 1.2 BIOS event log.
- In addition to verifying the IMA measurement list against the
the TPM PCRs, verify the IMA template data digest against the
template data. (Based on LTP "--verify" option.)
- Ignore file measurement violations while verifying the IMA
measurment list. (Based on LTP "--validate" option.)
- Verify the file data signature included in the measurement list
based on the file hash also included in the measurement list
(--verify-sig)
- Support original "ima" template (mixed templates not supported)
* Support "sm3" crypto name
Bug fixes and code cleanup:
* Don't exit with -1 on failure, exit with 125
* On signature verification failure, include pathname.
* Provide minimal hash_info.h file in case one doesn't exist, needed
by the ima-evm-utils regression tests.
* On systems with TPM 1.2, skip "boot_aggregate.test" using sample logs
* Fix hash_algo type comparison mismatch
* Simplify/clean up code
* Address compiler complaints and failures
* Fix memory allocations and leaks
* Sanity check provided input files are regular files
* Revert making "tsspcrread" a compile build time decision.
* Limit additional messages based on log level (-v)
2019-07-30 Mimi Zohar <zohar@linux.ibm.com>
version 1.2.1 Bug fixes:
* When verifying multiple file signatures, return correct status
* Don't automatically use keys from x509 certs if user supplied "--rsa"
* Fix verifying DIGSIG_VERSION_1 signatures
* autoconf, openssl fixes
2019-07-24 Mimi Zohar <zohar@linux.ibm.com>
version 1.2 new features:
* Generate EVM signatures based on the specified hash algorithm
* include "security.apparmor" in EVM signature
* Add support for writing & verifying "user.xxxx" xattrs for testing
* Support Strebog/Gost hash functions
* Add OpenSSL engine support
* Use of EVP_PKEY OpenSSL API to generate/verify v2 signatures
* Support verifying multiple signatures at once
* Support new template "buf" field and warn about other unknown fields
* Improve OpenSSL error reporting
* Support reading TPM 2.0 PCRs using tsspcrread
Bug fixes and code cleanup:
* Update manpage stylesheet detection
* Fix xattr.h include file
* On error when reading TPM PCRs, don't log gargabe
* Properly return keyid string to calc_keyid_v1/v2 callers, caused by
limiting keyid output to verbose mode
* Fix hash buffer overflow caused by EVM support for larger hashes,
defined MAX_DIGEST_SIZE and MAX_SIGNATURE_SIZE, and added "asserts".
* Linked with libcrypto instead of OpenSSL
* Updated Autotools, replacing INCLUDES with AM_CPPFLAGS
* Include new "hash-info.gen" in tar
* Log the hash algorithm, not just the hash value
* Fixed memory leaks in: EV_MD_CTX, init_public_keys
* Fixed other warnings/bugs discovered by clang, coverity
* Remove indirect calls in verify_hash() to improve code readability
* Don't fallback to using sha1
* Namespace some too generic object names
* Make functions/arrays static if possible
2018-01-28 Mimi Zohar <zohar@us.ibm.com>
version 1.1
* Support the new openssl 1.1 api
* Support for validating multiple pcrs
* Verify the measurement list signature based on the list digest
* Verify the "ima-sig" measurement list using multiple keys
* Fixed parsing the measurement template data field length
* Portable & immutable EVM signatures (new format)
* Multiple fixes that have been lingering in the next branch. Some
are for experimental features that are not yet supported in the
kernel.
2014-07-30 Dmitry Kasatkin <dmitry.kasatkin@huawei.com>
version 1.0
* Recursive hashing
* Immutable EVM signatures (experimental)
* Command 'ima_clear' to remove xattrs
* Support for passing password to the library
* Support for asking password safely from the user
2014-09-23 Dmitry Kasatkin <d.kasatkin@samsung.com>
version 0.9
* Updated README
* man page generated and added to the package
* Use additional SMACK xattrs for EVM signature generation
* Signing functions moved to libimaevm for external use (RPM)
* Fixed setting of correct hash header
2014-05-05 Dmitry Kasatkin <d.kasatkin@samsung.com>
version 0.8
* Symbilic names for keyrings
* Hash list signing
* License text fix for using OpenSSL
* Help output fix
2014-02-17 Dmitry Kasatkin <d.kasatkin@samsung.com>
version 0.7
* Fix symbolic links related bugs
* Provide recursive fixing
* Provide recursive signing
* Move IMA verification to the library (first for LTP use)
* Support for target architecture data size
* Remove obsolete module signing code
* Code cleanup
2013-08-28 Dmitry Kasatkin <d.kasatkin@samsung.com>
version 0.6
* support for asymmetric crypto keys and new signature format (v2)
* fixes to set correct hash algo for digital signature v1
* uuid support for EVM
* signature verification support
* test scripts removed
* README updates
2012-05-18 Dmitry Kasatkin <dmitry.kasatkin@intel.com>
version 0.3
* llistxattr returns 0 if there are no xattrs and it is valid
* Added entry type to directory hash calculation
* inline block variable renamed
* Remove forced tag creation
* Use libexec for programs and scripts
* Some files updated
* Do not search for algorithm as it is known
* Refactored to remove redundant hash initialization code
* Added hash calculation for special files
2012-04-05 Dmitry Kasatkin <dmitry.kasatkin@intel.com>
version 0.2
* added RPM & TAR building makefile rules
* renamed evm-utils to ima-evm-utils
* added command options description
* updated error handling
* refactored redundant code
2012-04-02 Dmitry Kasatkin <dmitry.kasatkin@intel.com>
version 0.1.0
* Fully functional version for lastest 3.x kernels
2011-08-24 Dmitry Kasatkin <dmitry.kasatkin@intel.com>
version 0.1
* Initial public version.

193
NEWS
View File

@ -0,0 +1,193 @@
2020-08-11 Mimi Zohar <zohar@linux.ibm.com>
version 1.3.1:
* "--pcrs" support for per crypto algorithm
* Drop/rename "ima_measurement" options
* Moved this summary from "Changelog" to "NEWS", removing
requirement for GNU empty files
* Distro build fixes
2020-07-21 Mimi Zohar <zohar@linux.ibm.com>
version 1.3 new features:
* NEW ima-evm-utils regression test infrastructure with two initial
tests:
- ima_hash.test: calculate/verify different crypto hash algorithms
- sign_verify.test: EVM and IMA sign/verify signature tests
* TPM 2.0 support
- Calculate the new per TPM 2.0 bank template data digest
- Support original padding the SHA1 template data digest
- Compare ALL the re-calculated TPM 2.0 bank PCRs against the
TPM 2.0 bank PCR values
- Calculate the per TPM bank "boot_aggregate" values, including
PCRs 8 & 9 in calculation
- Support reading the per TPM 2.0 Bank PCRs using Intel's TSS
- boot_aggregate.test: compare the calculated "boot_aggregate"
values with the "boot_aggregate" value included in the IMA
measurement.
* TPM 1.2 support
- Additionally support reading the TPM 1.2 PCRs from a supplied file
("--pcrs" option)
* Based on original IMA LTP and standalone version support
- Calculate the TPM 1.2 "boot_aggregate" based on the exported
TPM 1.2 BIOS event log.
- In addition to verifying the IMA measurement list against the
the TPM PCRs, verify the IMA template data digest against the
template data. (Based on LTP "--verify" option.)
- Ignore file measurement violations while verifying the IMA
measurment list. (Based on LTP "--validate" option.)
- Verify the file data signature included in the measurement list
based on the file hash also included in the measurement list
(--verify-sig)
- Support original "ima" template (mixed templates not supported)
* Support "sm3" crypto name
Bug fixes and code cleanup:
* Don't exit with -1 on failure, exit with 125
* On signature verification failure, include pathname.
* Provide minimal hash_info.h file in case one doesn't exist, needed
by the ima-evm-utils regression tests.
* On systems with TPM 1.2, skip "boot_aggregate.test" using sample logs
* Fix hash_algo type comparison mismatch
* Simplify/clean up code
* Address compiler complaints and failures
* Fix memory allocations and leaks
* Sanity check provided input files are regular files
* Revert making "tsspcrread" a compile build time decision.
* Limit additional messages based on log level (-v)
2019-07-30 Mimi Zohar <zohar@linux.ibm.com>
version 1.2.1 Bug fixes:
* When verifying multiple file signatures, return correct status
* Don't automatically use keys from x509 certs if user supplied "--rsa"
* Fix verifying DIGSIG_VERSION_1 signatures
* autoconf, openssl fixes
2019-07-24 Mimi Zohar <zohar@linux.ibm.com>
version 1.2 new features:
* Generate EVM signatures based on the specified hash algorithm
* include "security.apparmor" in EVM signature
* Add support for writing & verifying "user.xxxx" xattrs for testing
* Support Strebog/Gost hash functions
* Add OpenSSL engine support
* Use of EVP_PKEY OpenSSL API to generate/verify v2 signatures
* Support verifying multiple signatures at once
* Support new template "buf" field and warn about other unknown fields
* Improve OpenSSL error reporting
* Support reading TPM 2.0 PCRs using tsspcrread
Bug fixes and code cleanup:
* Update manpage stylesheet detection
* Fix xattr.h include file
* On error when reading TPM PCRs, don't log gargabe
* Properly return keyid string to calc_keyid_v1/v2 callers, caused by
limiting keyid output to verbose mode
* Fix hash buffer overflow caused by EVM support for larger hashes,
defined MAX_DIGEST_SIZE and MAX_SIGNATURE_SIZE, and added "asserts".
* Linked with libcrypto instead of OpenSSL
* Updated Autotools, replacing INCLUDES with AM_CPPFLAGS
* Include new "hash-info.gen" in tar
* Log the hash algorithm, not just the hash value
* Fixed memory leaks in: EV_MD_CTX, init_public_keys
* Fixed other warnings/bugs discovered by clang, coverity
* Remove indirect calls in verify_hash() to improve code readability
* Don't fallback to using sha1
* Namespace some too generic object names
* Make functions/arrays static if possible
2018-01-28 Mimi Zohar <zohar@us.ibm.com>
version 1.1
* Support the new openssl 1.1 api
* Support for validating multiple pcrs
* Verify the measurement list signature based on the list digest
* Verify the "ima-sig" measurement list using multiple keys
* Fixed parsing the measurement template data field length
* Portable & immutable EVM signatures (new format)
* Multiple fixes that have been lingering in the next branch. Some
are for experimental features that are not yet supported in the
kernel.
2014-07-30 Dmitry Kasatkin <dmitry.kasatkin@huawei.com>
version 1.0
* Recursive hashing
* Immutable EVM signatures (experimental)
* Command 'ima_clear' to remove xattrs
* Support for passing password to the library
* Support for asking password safely from the user
2014-09-23 Dmitry Kasatkin <d.kasatkin@samsung.com>
version 0.9
* Updated README
* man page generated and added to the package
* Use additional SMACK xattrs for EVM signature generation
* Signing functions moved to libimaevm for external use (RPM)
* Fixed setting of correct hash header
2014-05-05 Dmitry Kasatkin <d.kasatkin@samsung.com>
version 0.8
* Symbilic names for keyrings
* Hash list signing
* License text fix for using OpenSSL
* Help output fix
2014-02-17 Dmitry Kasatkin <d.kasatkin@samsung.com>
version 0.7
* Fix symbolic links related bugs
* Provide recursive fixing
* Provide recursive signing
* Move IMA verification to the library (first for LTP use)
* Support for target architecture data size
* Remove obsolete module signing code
* Code cleanup
2013-08-28 Dmitry Kasatkin <d.kasatkin@samsung.com>
version 0.6
* support for asymmetric crypto keys and new signature format (v2)
* fixes to set correct hash algo for digital signature v1
* uuid support for EVM
* signature verification support
* test scripts removed
* README updates
2012-05-18 Dmitry Kasatkin <dmitry.kasatkin@intel.com>
version 0.3
* llistxattr returns 0 if there are no xattrs and it is valid
* Added entry type to directory hash calculation
* inline block variable renamed
* Remove forced tag creation
* Use libexec for programs and scripts
* Some files updated
* Do not search for algorithm as it is known
* Refactored to remove redundant hash initialization code
* Added hash calculation for special files
2012-04-05 Dmitry Kasatkin <dmitry.kasatkin@intel.com>
version 0.2
* added RPM & TAR building makefile rules
* renamed evm-utils to ima-evm-utils
* added command options description
* updated error handling
* refactored redundant code
2012-04-02 Dmitry Kasatkin <dmitry.kasatkin@intel.com>
version 0.1.0
* Fully functional version for lastest 3.x kernels
2011-08-24 Dmitry Kasatkin <dmitry.kasatkin@intel.com>
version 0.1
* Initial public version.

7
README
View File

@ -31,7 +31,7 @@ COMMANDS
ima_sign [--sigfile] [--key key] [--pass password] file
ima_verify file
ima_hash file
ima_measurement [--validate] [--verify] [--verify-sig [--key "key1, key2, ..."]] [--pcrs file] file
ima_measurement [--ignore-violations] [--verify-sig [--key "key1, key2, ..."]] [--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...] file
ima_fix [-t fdsxm] path
sign_hash [--key key] [--pass password]
hmac [--imahash | --imasig ] file
@ -59,9 +59,8 @@ OPTIONS
--m32 force EVM hmac/signature for 32 bit target system
--m64 force EVM hmac/signature for 64 bit target system
--engine e preload OpenSSL engine e (such as: gost)
--pcrs file containing TPM 1.2 pcrs
--validate ignore ToMToU measurement violations
--verify verify the template data digest
--pcrs file containing TPM pcrs, one per hash-algorithm/bank
--ignore-violations ignore ToMToU measurement violations
--verify-sig verify the file signature based on the file hash, both
stored in the template data.
-v increase verbosity level

4
configure.ac
View File

@ -1,8 +1,8 @@
# autoconf script
AC_PREREQ([2.65])
AC_INIT(ima-evm-utils, 1.3, zohar@linux.ibm.com)
AM_INIT_AUTOMAKE
AC_INIT(ima-evm-utils, 1.3.1, zohar@linux.ibm.com)
AM_INIT_AUTOMAKE([foreign])
AC_CONFIG_HEADERS([config.h])
AC_CONFIG_MACRO_DIR([m4])

2
packaging/ima-evm-utils.spec
View File

@ -1,5 +1,5 @@
Name: ima-evm-utils
Version: 1.3
Version: 1.3.1
Release: 1%{?dist}
Summary: ima-evm-utils - IMA/EVM control utility
Group: System/Libraries

206
src/evmctl.c
View File

@ -160,7 +160,10 @@ struct tpm_bank_info {
uint8_t pcr[NUM_PCRS][MAX_DIGEST_SIZE];
};
static char *pcrfile;
/* One --pcrs file per hash-algorithm/bank */
#define MAX_PCRFILE 2
static char *pcrfile[MAX_PCRFILE];
static unsigned npcrfile;
static int bin2file(const char *file, const char *ext, const unsigned char *data, int len)
{
@ -218,7 +221,7 @@ static unsigned char *file2bin(const char *file, const char *ext, int *size)
fclose(fp);
return NULL;
}
if (fread(data, len, 1, fp) != len) {
if (fread(data, len, 1, fp) != 1) {
log_err("Failed to fread %zu bytes: %s\n", len, name);
fclose(fp);
free(data);
@ -1373,55 +1376,6 @@ static int cmd_ima_clear(struct command *cmd)
return do_cmd(cmd, ima_clear);
}
static char *pcrs = "/sys/class/tpm/tpm0/device/pcrs"; /* Kernels >= 4.0 */
static char *misc_pcrs = "/sys/class/misc/tpm0/device/pcrs";
/* Read all of the TPM 1.2 PCRs */
static int tpm_pcr_read(struct tpm_bank_info *tpm_banks, int len)
{
struct stat s;
FILE *fp = NULL;
char *p, pcr_str[8], buf[70]; /* length of the TPM string */
int result = -1;
int i = 0;
/* Use the provided TPM 1.2 pcrs file */
if (pcrfile) {
if (stat(pcrfile, &s) == -1) {
errno = 0;
return 1;
}
if (!S_ISREG(s.st_mode)) {
log_info("TPM 1.2 PCR file: not a regular file or link to regular file\n");
return 1;
}
fp = fopen(pcrfile, "r");
}
if (!fp)
fp = fopen(pcrs, "r");
if (!fp)
fp = fopen(misc_pcrs, "r");
if (!fp)
return -1;
for (;;) {
p = fgets(buf, sizeof(buf), fp);
if (!p || i > 99)
break;
sprintf(pcr_str, "PCR-%2.2d", i);
if (!strncmp(p, pcr_str, 6))
hex2bin(tpm_banks[0].pcr[i++], p + 7, len);
result = 0;
}
fclose(fp);
return result;
}
#define TCG_EVENT_NAME_LEN_MAX 255
struct template_entry {
@ -1438,8 +1392,7 @@ struct template_entry {
static uint8_t zero[MAX_DIGEST_SIZE];
static int validate = 0;
static int verify = 0;
static int ignore_violations = 0;
static int ima_verify_template_hash(struct template_entry *entry)
{
@ -1786,7 +1739,7 @@ static void extend_tpm_banks(struct template_entry *entry, int num_banks,
* size.
*/
if (memcmp(entry->header.digest, zero, SHA_DIGEST_LENGTH) == 0) {
if (!validate) {
if (!ignore_violations) {
memset(bank[i].digest, 0x00, bank[i].digest_size);
memset(padded_bank[i].digest, 0x00, padded_bank[i].digest_size);
} else {
@ -1829,20 +1782,108 @@ static void extend_tpm_banks(struct template_entry *entry, int num_banks,
#endif
}
/* Read TPM 1.2 PCRs */
static int read_tpm_pcrs(int num_banks, struct tpm_bank_info *tpm_banks)
static int read_one_bank(struct tpm_bank_info *tpm_bank, FILE *fp)
{
int i;
if (tpm_pcr_read(tpm_banks, SHA_DIGEST_LENGTH)) {
log_debug("Failed to read TPM 1.2 PCRs.\n");
return -1;
char *p, pcr_str[8], buf[MAX_DIGEST_SIZE * 2 + 8];
int i = 0;
int result = -1;
for (;;) {
p = fgets(buf, sizeof(buf), fp);
if (!p || i >= NUM_PCRS)
break;
sprintf(pcr_str, "PCR-%2.2d", i);
if (!strncmp(p, pcr_str, 6))
hex2bin(tpm_bank->pcr[i++], p + 7, tpm_bank->digest_size);
result = 0;
}
return result;
}
static char *pcrs = "/sys/class/tpm/tpm0/device/pcrs"; /* Kernels >= 4.0 */
static char *misc_pcrs = "/sys/class/misc/tpm0/device/pcrs";
/* Read one of the TPM 1.2 sysfs files if present */
static int read_sysfs_pcrs(int num_banks, struct tpm_bank_info *tpm_banks)
{
FILE *fp;
int i, result;
fp = fopen(pcrs, "r");
if (!fp)
fp = fopen(misc_pcrs, "r");
if (!fp)
return -1;
result = read_one_bank(&tpm_banks[0], fp);
fclose(fp);
if (result < 0)
return result;
tpm_banks[0].supported = 1;
for (i = 1; i < num_banks; i++)
tpm_banks[i].supported = 0;
return 0;
}
/* Read PCRs from per-bank file(s) specified via --pcrs */
static int read_file_pcrs(int num_banks, struct tpm_bank_info *tpm_banks)
{
struct stat s;
FILE *fp;
char *p;
const char *alg, *path;
int i, j, bank, result;
for (i = 0; i < num_banks; i++)
tpm_banks[i].supported = 0;
for (i = 0; i < npcrfile; i++) {
p = strchr(pcrfile[i], ',');
if (p) {
*p = 0;
alg = pcrfile[i];
path = ++p;
} else {
alg = "sha1";
path = pcrfile[i];
}
bank = -1;
for (j = 0; j < num_banks; j++) {
if (!strcmp(tpm_banks[j].algo_name, alg)) {
bank = j;
break;
}
}
if (bank < 0) {
log_err("Unknown algorithm '%s'\n", alg);
return -1;
}
if (stat(path, &s) == -1) {
log_err("Could not stat '%s'\n", path);
return -1;
}
if (!S_ISREG(s.st_mode)) {
log_err("PCR file: not a regular file or link to regular file\n");
return -1;
}
fp = fopen(path, "r");
if (!fp) {
log_err("Could not open '%s'\n", path);
return -1;
}
result = read_one_bank(&tpm_banks[bank], fp);
fclose(fp);
if (result < 0)
return result;
tpm_banks[bank].supported = 1;
}
return 0;
}
/*
@ -1857,8 +1898,12 @@ static int read_tpm_banks(int num_banks, struct tpm_bank_info *bank)
int i, j;
int err;
/* First try reading PCRs from exported TPM 1.2 sysfs file */
if (read_tpm_pcrs(num_banks, bank) == 0)
/* If --pcrs was specified, read only from the specified file(s) */
if (npcrfile)
return read_file_pcrs(num_banks, bank);
/* Else try reading PCRs from the sysfs file if present */
if (read_sysfs_pcrs(num_banks, bank) == 0)
return 0;
/* Any userspace applications available for reading TPM 2.0 PCRs? */
@ -1899,7 +1944,7 @@ static int ima_measurement(const char *file)
struct template_entry entry = { .template = 0 };
FILE *fp;
int verified_template_digest = 0;
int invalid_template_digest = 0;
int err_padded = -1;
int err = -1;
@ -2029,11 +2074,9 @@ static int ima_measurement(const char *file)
pseudo_padded_banks);
/* Recalculate and verify template data digest */
if (verify) {
err = ima_verify_template_hash(&entry);
if (err)
verified_template_digest = 1;
}
err = ima_verify_template_hash(&entry);
if (err)
invalid_template_digest = 1;
if (is_ima_template)
ima_show(&entry);
@ -2070,7 +2113,7 @@ static int ima_measurement(const char *file)
log_info("Failed to match per TPM bank or SHA1 padded TPM digest(s).\n");
}
if (verified_template_digest) {
if (invalid_template_digest) {
log_info("Failed to verify template data digest.\n");
err = 1;
}
@ -2424,6 +2467,7 @@ static void usage(void)
" --caps use custom Capabilities for EVM(unspecified: from FS, empty: do not use)\n"
" --verify-sig verify measurement list signatures\n"
" --engine e preload OpenSSL engine e (such as: gost)\n"
" --ignore-violations ignore ToMToU measurement violations"
" -v increase verbosity level\n"
" -h, --help display this help and exit\n"
"\n");
@ -2440,7 +2484,7 @@ struct command cmds[] = {
{"ima_verify", cmd_verify_ima, 0, "file", "Verify IMA signature (for debugging).\n"},
{"ima_setxattr", cmd_setxattr_ima, 0, "[--sigfile file]", "Set IMA signature from sigfile\n"},
{"ima_hash", cmd_hash_ima, 0, "file", "Make file content hash.\n"},
{"ima_measurement", cmd_ima_measurement, 0, "[--validate] [--verify] [--verify-sig [--key key1, key2, ...]] [--pcrs file] file", "Verify measurement list (experimental).\n"},
{"ima_measurement", cmd_ima_measurement, 0, "[--ignore-violations] [--verify-sig [--key key1, key2, ...]] [--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...] file", "Verify measurement list (experimental).\n"},
{"ima_boot_aggregate", cmd_ima_bootaggr, 0, "[file]", "Calculate per TPM bank boot_aggregate digests\n"},
{"ima_fix", cmd_ima_fix, 0, "[-t fdsxm] path", "Recursively fix IMA/EVM xattrs in fix mode.\n"},
{"ima_clear", cmd_ima_clear, 0, "[-t fdsxm] path", "Recursively remove IMA/EVM xattrs.\n"},
@ -2479,9 +2523,8 @@ static struct option opts[] = {
{"verify-sig", 0, 0, 138},
{"engine", 1, 0, 139},
{"xattr-user", 0, 0, 140},
{"validate", 0, 0, 141},
{"verify", 0, 0, 142},
{"pcrs", 1, 0, 143},
{"ignore-violations", 0, 0, 141},
{"pcrs", 1, 0, 142},
{}
};
@ -2660,14 +2703,15 @@ int main(int argc, char *argv[])
xattr_ima = "user.ima";
xattr_evm = "user.evm";
break;
case 141: /* --validate */
validate = 1;
case 141: /* --ignore-violations */
ignore_violations = 1;
break;
case 142: /* --verify */
verify = 1;
break;
case 143:
pcrfile = optarg;
case 142:
if (npcrfile >= MAX_PCRFILE) {
log_err("too many --pcrfile options\n");
exit(1);
}
pcrfile[npcrfile++] = optarg;
break;
case '?':
exit(1);

4
src/imaevm.h
View File

@ -46,7 +46,7 @@
#include <syslog.h>
#include <stdbool.h>
#include <errno.h>
#include <sys/types.h>
#include <openssl/rsa.h>
#ifdef USE_FPRINTF
@ -203,7 +203,7 @@ struct RSA_ASN1_template {
size_t size;
};
#define NUM_PCRS 20
#define NUM_PCRS 24
#define DEFAULT_PCR 10
extern struct libimaevm_params imaevm_params;

7
src/pcr_tss.c
View File

@ -68,14 +68,17 @@ int tpm2_pcr_supported(void)
static int pcr_selections_match(TPML_PCR_SELECTION *a, TPML_PCR_SELECTION *b)
{
int i, j;
if (a->count != b->count)
return 0;
for (int i = 0; i < a->count; i++) {
for (i = 0; i < a->count; i++) {
if (a->pcrSelections[i].hash != b->pcrSelections[i].hash)
return 0;
if (a->pcrSelections[i].sizeofSelect != b->pcrSelections[i].sizeofSelect)
return 0;
for (int j = 0; j < a->pcrSelections[i].sizeofSelect; j++) {
for (j = 0; j < a->pcrSelections[i].sizeofSelect; j++) {
if (a->pcrSelections[i].pcrSelect[j] != b->pcrSelections[i].pcrSelect[j])
return 0;
}