Re: [ima-evm-utils: PATCH 2/3] Rename "--validate" to "--ignore-violations"

From: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
To: Mimi Zohar <zohar@linux.ibm.com>, linux-integrity@vger.kernel.org
Cc: Petr Vorel <pvorel@suse.cz>, Vitaly Chikunov <vt@altlinux.org>,
	Bruno Meneguele <bmeneg@redhat.com>
Subject: Re: [ima-evm-utils: PATCH 2/3] Rename "--validate" to "--ignore-violations"
Date: Fri, 31 Jul 2020 17:46:16 -0700	[thread overview]
Message-ID: <5ada1cee-e2ae-5a7e-8cf3-a538a5037b29@linux.microsoft.com> (raw)
In-Reply-To: <20200731141432.668318-3-zohar@linux.ibm.com>

On 7/31/20 7:14 AM, Mimi Zohar wrote:
> IMA records file "Time of Measure, Time of Use (ToMToU)" and "open
> writers" integrity violations by adding a record to the measurement
> list containing one value (0x00's), but extending the TPM with a
> different value (0xFF's).
> 
> To avoid known file integrity violations, the builtin "tcb" measurement
> policy should be replaced with a custom policy as early as possible.
> This patch renames the existing "--validate" option to
> "--ignore-violations".
> 
> Suggested-by: Stephen Smalley <stephen.smalley.work@gmail.com>
> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
> ---
>   README       |  4 ++--
>   src/evmctl.c | 13 +++++++------
>   2 files changed, 9 insertions(+), 8 deletions(-)

Reviewed-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>

> 
> diff --git a/README b/README
> index d8b8f404534b..b37325f31802 100644
> --- a/README
> +++ b/README
> @@ -31,7 +31,7 @@ COMMANDS
>    ima_sign [--sigfile] [--key key] [--pass password] file
>    ima_verify file
>    ima_hash file
> - ima_measurement [--validate] [--verify-sig [--key "key1, key2, ..."]]  [--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...] file
> + ima_measurement [--ignore-violations] [--verify-sig [--key "key1, key2, ..."]]  [--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...] file
>    ima_fix [-t fdsxm] path
>    sign_hash [--key key] [--pass password]
>    hmac [--imahash | --imasig ] file
> @@ -60,7 +60,7 @@ OPTIONS
>         --m64          force EVM hmac/signature for 64 bit target system
>         --engine e     preload OpenSSL engine e (such as: gost)
>         --pcrs         file containing TPM pcrs, one per hash-algorithm/bank
> -      --validate     ignore ToMToU measurement violations
> +      --ignore-violations ignore ToMToU measurement violations
>         --verify-sig   verify the file signature based on the file hash, both
>                        stored in the template data.
>     -v                 increase verbosity level
> diff --git a/src/evmctl.c b/src/evmctl.c
> index b4d2333fb880..7ad11507487f 100644
> --- a/src/evmctl.c
> +++ b/src/evmctl.c
> @@ -1392,7 +1392,7 @@ struct template_entry {
>   
>   static uint8_t zero[MAX_DIGEST_SIZE];
>   
> -static int validate = 0;
> +static int ignore_violations = 0;
>   
>   static int ima_verify_template_hash(struct template_entry *entry)
>   {
> @@ -1739,7 +1739,7 @@ static void extend_tpm_banks(struct template_entry *entry, int num_banks,
>   		 * size.
>   		 */
>   		if (memcmp(entry->header.digest, zero, SHA_DIGEST_LENGTH) == 0) {
> -			if (!validate) {
> +			if (!ignore_violations) {
>   				memset(bank[i].digest, 0x00, bank[i].digest_size);
>   				memset(padded_bank[i].digest, 0x00, padded_bank[i].digest_size);
>   			} else {
> @@ -2467,6 +2467,7 @@ static void usage(void)
>   		"      --caps         use custom Capabilities for EVM(unspecified: from FS, empty: do not use)\n"
>   		"      --verify-sig   verify measurement list signatures\n"
>   		"      --engine e     preload OpenSSL engine e (such as: gost)\n"
> +		"      --ignore-violations ignore ToMToU measurement violations"
>   		"  -v                 increase verbosity level\n"
>   		"  -h, --help         display this help and exit\n"
>   		"\n");
> @@ -2483,7 +2484,7 @@ struct command cmds[] = {
>   	{"ima_verify", cmd_verify_ima, 0, "file", "Verify IMA signature (for debugging).\n"},
>   	{"ima_setxattr", cmd_setxattr_ima, 0, "[--sigfile file]", "Set IMA signature from sigfile\n"},
>   	{"ima_hash", cmd_hash_ima, 0, "file", "Make file content hash.\n"},
> -	{"ima_measurement", cmd_ima_measurement, 0, "[--validate] [--verify-sig [--key key1, key2, ...]] [--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...] file", "Verify measurement list (experimental).\n"},
> +	{"ima_measurement", cmd_ima_measurement, 0, "[--ignore-violations] [--verify-sig [--key key1, key2, ...]] [--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...] file", "Verify measurement list (experimental).\n"},
>   	{"ima_boot_aggregate", cmd_ima_bootaggr, 0, "[file]", "Calculate per TPM bank boot_aggregate digests\n"},
>   	{"ima_fix", cmd_ima_fix, 0, "[-t fdsxm] path", "Recursively fix IMA/EVM xattrs in fix mode.\n"},
>   	{"ima_clear", cmd_ima_clear, 0, "[-t fdsxm] path", "Recursively remove IMA/EVM xattrs.\n"},
> @@ -2522,7 +2523,7 @@ static struct option opts[] = {
>   	{"verify-sig", 0, 0, 138},
>   	{"engine", 1, 0, 139},
>   	{"xattr-user", 0, 0, 140},
> -	{"validate", 0, 0, 141},
> +	{"ignore-violations", 0, 0, 141},
>   	{"pcrs", 1, 0, 142},
>   	{}
>   
> @@ -2702,8 +2703,8 @@ int main(int argc, char *argv[])
>   			xattr_ima = "user.ima";
>   			xattr_evm = "user.evm";
>   			break;
> -		case 141: /* --validate */
> -			validate = 1;
> +		case 141: /* --ignore-violations */
> +			ignore_violations = 1;
>   			break;
>   		case 142:
>   			if (npcrfile >= MAX_PCRFILE) {
>