All of lore.kernel.org
 help / color / mirror / Atom feed
From: Mimi Zohar <zohar@linux.ibm.com>
To: linux-integrity@vger.kernel.org
Cc: Mimi Zohar <zohar@linux.ibm.com>, Petr Vorel <pvorel@suse.cz>,
	Bruno Meneguele <bmeneg@redhat.com>
Subject: [PATCH v2 4/8] ima-evm-utils: emit "ima_measurement" messages based on log level
Date: Fri, 10 Jul 2020 12:00:55 -0400	[thread overview]
Message-ID: <1594396859-9232-5-git-send-email-zohar@linux.ibm.com> (raw)
In-Reply-To: <1594396859-9232-1-git-send-email-zohar@linux.ibm.com>

"ima_measurement" emits quite a few messages.  Only a few messages
belong at the default log level.

Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
 src/evmctl.c | 25 ++++++++++++++++++-------
 1 file changed, 18 insertions(+), 7 deletions(-)

diff --git a/src/evmctl.c b/src/evmctl.c
index 21ae1c7ca5a7..fac6a270794f 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -1638,21 +1638,27 @@ static int compare_tpm_banks(int num_banks, struct tpm_bank_info *bank,
 			if (memcmp(bank[i].pcr[j], zero, bank[i].digest_size)
 			    == 0)
 				continue;
+
+			if (memcmp(bank[i].pcr[j], tpm_bank[i].pcr[j],
+				     bank[i].digest_size) != 0)
+				ret = 1;
+
+			if ((!ret && imaevm_params.verbose <= LOG_INFO) ||
+			    (ret && imaevm_params.verbose <= LOG_DEBUG))
+				continue;
+
 			log_info("%s: PCRAgg  %d: ", bank[i].algo_name, j);
 			log_dump(bank[i].pcr[j], bank[i].digest_size);
 
 			log_info("%s: TPM PCR-%d: ", tpm_bank[i].algo_name, j);
 			log_dump(tpm_bank[i].pcr[j], tpm_bank[i].digest_size);
 
-			if (memcmp(bank[i].pcr[j], tpm_bank[i].pcr[j],
-				     bank[i].digest_size) == 0) {
+			if (!ret)
 				log_info("%s PCR-%d: succeed\n",
 					 bank[i].algo_name, j);
-			} else {
-				ret = 1;
+			else
 				log_info("%s: PCRAgg %d does not match TPM PCR-%d\n",
 					 bank[i].algo_name, j, j);
-			}
 		}
 	}
 	return ret;
@@ -1997,15 +2003,20 @@ static int ima_measurement(const char *file)
 		err = 0;
 		log_info("Failed to read any TPM PCRs\n");
 	} else {
-		log_info("Comparing with per TPM digest\n");
 		err = compare_tpm_banks(num_banks, pseudo_banks, tpm_banks);
+		if (!err)
+			log_info("Matched per TPM bank calculated digest(s).\n");
 
 		/* On failure, check older SHA1 zero padded hashes */
 		if (err) {
-			log_info("Comparing with SHA1 padded digest\n");
 			err = compare_tpm_banks(num_banks, pseudo_padded_banks,
 						tpm_banks);
+			if (!err)
+				log_info("Matched SHA1 padded TPM digest(s).\n");
 		}
+
+		if (err)
+			log_info("Failed to match per TPM bank or SHA1 padded TPM digest(s).\n");
 	}
 
 out:
-- 
2.7.5


  parent reply	other threads:[~2020-07-10 16:01 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-07-10 16:00 [PATCH v2 0/8] additional "ima-measurement" support Mimi Zohar
2020-07-10 16:00 ` [PATCH v2 1/8] ima-evm-utils: improve reading TPM 1.2 PCRs Mimi Zohar
2020-07-10 16:00 ` [PATCH v2 2/8] ima_evm_utils: support extending TPM 2.0 banks w/original SHA1 padded digest Mimi Zohar
2020-07-15 18:43   ` Bruno Meneguele
2020-07-15 19:47     ` Mimi Zohar
2020-07-15 20:11       ` Mimi Zohar
2020-07-15 20:17         ` Bruno Meneguele
2020-07-10 16:00 ` [PATCH v2 3/8] ima-evm-utils: support providing the TPM 1.2 PCRs as a file Mimi Zohar
2020-07-10 16:00 ` Mimi Zohar [this message]
2020-07-10 16:00 ` [PATCH v2 5/8] ima-evm-utils: guarantee the measurement list contains all the records Mimi Zohar
2020-07-10 16:00 ` [PATCH v2 6/8] ima-evm-utils: the IMA measurement list may have too many measurements Mimi Zohar
2020-07-10 16:00 ` [PATCH v2 7/8] ima-evm-utils: optionally verify the template data file signature Mimi Zohar
2020-07-10 16:00 ` [PATCH v2 8/8] ima-evm-utils: update README to reflect "--pcrs", "--verify" and "--validate" Mimi Zohar

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1594396859-9232-5-git-send-email-zohar@linux.ibm.com \
    --to=zohar@linux.ibm.com \
    --cc=bmeneg@redhat.com \
    --cc=linux-integrity@vger.kernel.org \
    --cc=pvorel@suse.cz \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.