ima-evm-utils: version 1.4 released

ima-evm-utils: version 1.4 released

[Mimi Zohar]

Please refer to the NEWS file for the short summary and the git history
for details of the ima-evm-utils v1.4 release.

thanks,

Mimi

Re: ima-evm-utils: version 1.4 released

[Petr Vorel]

Hi Mimi,

> Please refer to the NEWS file for the short summary and the git history
> for details of the ima-evm-utils v1.4 release.
Thanks for info, congrats!
Going to update openSUSE.

Kind regards,
Petr

> thanks,

> Mimi

Re: ima-evm-utils: version 1.4 released

[Lakshmi Ramasubramanian]

On 11/5/2021 1:15 AM, Petr Vorel wrote:
> Hi Mimi,
> 
>> Please refer to the NEWS file for the short summary and the git history
>> for details of the ima-evm-utils v1.4 release.

Thanks for the info Mimi.

I checked both "master" and "next-testing" branches in the following, 
and I still see 1.3.2 version only.

	https://github.com/pevik/ima-evm-utils

Is there a different github url for the latest ima-evm-utils source?

I am seeing the following errors when trying to validate IMA measurement 
using the util. I'd like to try the latest (v1.4).

sudo ./evmctl ima_measurement
/sys/kernel/security/ima/binary_runtime_measurements  -vv

Error messages for the above command
------------------------------------
Using tsspcrread to read PCRs.

tpm2_pcr_supported:67 Found 'tsspcrread' in $PATHread_tpm_banks:1923
Failed to read sha1 PCRs: (TSS_Socket_Open: Error on connect to
localhost:2321)

read_tpm_banks:1923 Failed to read sha256 PCRs: (TSS_Socket_Open: Error
on connect to localhost:2321)

Failed to read any TPM PCRs

thanks,
  -lakshmi

Re: ima-evm-utils: version 1.4 released

[Mimi Zohar]

On Fri, 2021-11-05 at 09:21 -0700, Lakshmi Ramasubramanian wrote:
> On 11/5/2021 1:15 AM, Petr Vorel wrote:
> > Hi Mimi,
> > 
> >> Please refer to the NEWS file for the short summary and the git history
> >> for details of the ima-evm-utils v1.4 release.
> 
> Thanks for the info Mimi.
> 
> I checked both "master" and "next-testing" branches in the following, 
> and I still see 1.3.2 version only.
> 
> 	https://github.com/pevik/ima-evm-utils
> 
> Is there a different github url for the latest ima-evm-utils source?

The original sf git repo https://sourceforge.net/projects/linux-ima/
and the new github https://github.com/mimizohar/ima-evm-utils.

Mimi

Re: ima-evm-utils: version 1.4 released

[Petr Vorel]

Hi Lakshmi, all,

> On 11/5/2021 1:15 AM, Petr Vorel wrote:
> > Hi Mimi,

> > > Please refer to the NEWS file for the short summary and the git history
> > > for details of the ima-evm-utils v1.4 release.

> Thanks for the info Mimi.

> I checked both "master" and "next-testing" branches in the following, and I
> still see 1.3.2 version only.

> 	https://github.com/pevik/ima-evm-utils
FYI this is my unofficial fork which I used for Travis testing, now used for
GitHub actions testing. I stated it's unofficial since it's creation in About
section.

Kind regards,
Petr

> Is there a different github url for the latest ima-evm-utils source?

> I am seeing the following errors when trying to validate IMA measurement
> using the util. I'd like to try the latest (v1.4).

> sudo ./evmctl ima_measurement
> /sys/kernel/security/ima/binary_runtime_measurements  -vv

> Error messages for the above command
> ------------------------------------
> Using tsspcrread to read PCRs.

> tpm2_pcr_supported:67 Found 'tsspcrread' in $PATHread_tpm_banks:1923
> Failed to read sha1 PCRs: (TSS_Socket_Open: Error on connect to
> localhost:2321)

> read_tpm_banks:1923 Failed to read sha256 PCRs: (TSS_Socket_Open: Error
> on connect to localhost:2321)

> Failed to read any TPM PCRs

> thanks,
>  -lakshmi

Re: ima-evm-utils: version 1.4 released

[Ken Goldman]

[-- Attachment #1: Type: text/plain, Size: 1256 bytes --]

On 11/5/2021 12:21 PM, Lakshmi Ramasubramanian wrote:
> 
> On 11/5/2021 1:15 AM, Petr Vorel wrote:
>> Hi Mimi,
>>
>>> Please refer to the NEWS file for the short summary and the git history
>>> for details of the ima-evm-utils v1.4 release.
> 
> Thanks for the info Mimi.
> 
> I checked both "master" and "next-testing" branches in the following, and I still see 1.3.2 version only.
> 
>      https://github.com/pevik/ima-evm-utils
> 
> Is there a different github url for the latest ima-evm-utils source?
> 
> I am seeing the following errors when trying to validate IMA measurement using the util. I'd like to try the latest (v1.4).
> 
> sudo ./evmctl ima_measurement
> /sys/kernel/security/ima/binary_runtime_measurements  -vv
> 
> Error messages for the above command
> ------------------------------------
> Using tsspcrread to read PCRs.
> 
> tpm2_pcr_supported:67 Found 'tsspcrread' in $PATHread_tpm_banks:1923
> Failed to read sha1 PCRs: (TSS_Socket_Open: Error on connect to
> localhost:2321)
> 
> read_tpm_banks:1923 Failed to read sha256 PCRs: (TSS_Socket_Open: Error
> on connect to localhost:2321)
> 
> Failed to read any TPM PCRs
>

This sounds like your program is trying to connect to a SW TPM,
and the SW TPM process is not running.


[-- Attachment #2: S/MIME Cryptographic Signature --]
[-- Type: application/pkcs7-signature, Size: 4490 bytes --]

Re: ima-evm-utils: version 1.4 released

[Petr Vorel]

Hi Mimi,

> On Fri, 2021-11-05 at 09:21 -0700, Lakshmi Ramasubramanian wrote:
> > On 11/5/2021 1:15 AM, Petr Vorel wrote:
> > > Hi Mimi,

> > >> Please refer to the NEWS file for the short summary and the git history
> > >> for details of the ima-evm-utils v1.4 release.

> > Thanks for the info Mimi.

> > I checked both "master" and "next-testing" branches in the following, 
> > and I still see 1.3.2 version only.

> > 	https://github.com/pevik/ima-evm-utils

> > Is there a different github url for the latest ima-evm-utils source?

> The original sf git repo https://sourceforge.net/projects/linux-ima/
> and the new github https://github.com/mimizohar/ima-evm-utils.

Github repository is marked as primary. How about moving releases also to
GitHub?

Kind regards,
Petr

> Mimi

Re: ima-evm-utils: version 1.4 released

[Lakshmi Ramasubramanian]

Thanks for the response Ken.

>> I am seeing the following errors when trying to validate IMA 
>> measurement using the util. I'd like to try the latest (v1.4).
>>
>> sudo ./evmctl ima_measurement
>> /sys/kernel/security/ima/binary_runtime_measurements  -vv
>>
>> Error messages for the above command
>> ------------------------------------
>> Using tsspcrread to read PCRs.
>>
>> tpm2_pcr_supported:67 Found 'tsspcrread' in $PATHread_tpm_banks:1923
>> Failed to read sha1 PCRs: (TSS_Socket_Open: Error on connect to
>> localhost:2321)
>>
>> read_tpm_banks:1923 Failed to read sha256 PCRs: (TSS_Socket_Open: Error
>> on connect to localhost:2321)
>>
>> Failed to read any TPM PCRs
>>
> 
> This sounds like your program is trying to connect to a SW TPM,
> and the SW TPM process is not running.
> 

There is a physical TPM on the machine where I am running ima-evm-utils 
to verify IMA measurements. I want to use that physical TPM and not a 
software TPM.

I am seeing the error with v1.4 sources as well.

I will review ima-evm-utils code and check how to get it to use the 
physical TPM for validating the IMA measurements.

  -lakshmi

Re: ima-evm-utils: version 1.4 released

[Mimi Zohar]

On Mon, 2021-11-08 at 12:46 -0800, Lakshmi Ramasubramanian wrote:
> Thanks for the response Ken.
> 
> >> I am seeing the following errors when trying to validate IMA 
> >> measurement using the util. I'd like to try the latest (v1.4).
> >>
> >> sudo ./evmctl ima_measurement
> >> /sys/kernel/security/ima/binary_runtime_measurements  -vv
> >>
> >> Error messages for the above command
> >> ------------------------------------
> >> Using tsspcrread to read PCRs.
> >>
> >> tpm2_pcr_supported:67 Found 'tsspcrread' in $PATHread_tpm_banks:1923
> >> Failed to read sha1 PCRs: (TSS_Socket_Open: Error on connect to
> >> localhost:2321)
> >>
> >> read_tpm_banks:1923 Failed to read sha256 PCRs: (TSS_Socket_Open: Error
> >> on connect to localhost:2321)
> >>
> >> Failed to read any TPM PCRs
> >>
> > 
> > This sounds like your program is trying to connect to a SW TPM,
> > and the SW TPM process is not running.
> > 
> 
> There is a physical TPM on the machine where I am running ima-evm-utils 
> to verify IMA measurements. I want to use that physical TPM and not a 
> software TPM.
> 
> I am seeing the error with v1.4 sources as well.
> 
> I will review ima-evm-utils code and check how to get it to use the 
> physical TPM for validating the IMA measurements.

This release has support for linking with "-libmtss", in addition to
calling the command line tools.  Check the configure output to see
which TSS you're using.

If you're using the IBM TSS, first make sure that "tsspcrread -halg
sha256 -ha 10 -ns", for example, is actually working.

thanks,

Mimi

Re: ima-evm-utils: version 1.4 released

[Mimi Zohar]

Hi Petr,

On Mon, 2021-11-08 at 21:40 +0100, Petr Vorel wrote:
> Github repository is marked as primary. How about moving releases also to
> GitHub?

Done.

thanks,

Mimi

Re: ima-evm-utils: version 1.4 released

[Petr Vorel]

Hi Mimi,

> Hi Petr,

> On Mon, 2021-11-08 at 21:40 +0100, Petr Vorel wrote:
> > Github repository is marked as primary. How about moving releases also to
> > GitHub?

> Done.
Great, thank you! Also, when you have time, could you please put there
checksums? (ideally sha256/sha512) or even signed checksum file).

Kind regards,
Petr

> thanks,

> Mimi

Re: ima-evm-utils: version 1.4 released

[Mimi Zohar]

Hi Petr,

On Tue, 2021-11-16 at 10:45 +0100, Petr Vorel wrote:
> Hi Mimi,
> 
> Great, thank you! Also, when you have time, could you please put there
> checksums? (ideally sha256/sha512) or even signed checksum file).

The github documentation is lacking as to where to put the release
checksums or signed checksum file.  All I've found is that it isn't
supported.  Here are the hashes:

sha256:fcf85b31d6292051b3679e5f17ffa7f89b6898957aad0f59aa4e9878884b27d1
 
sha512:2fdf41470d88608162a084c4877ba17d531941b744bcb44dd4913e48ab2c2d13
1e0af3e3ead74c18748a5d46aced51213ebd7c13a5ee19050c28d54a26c011a3

thanks,

Mimi

Re: ima-evm-utils: version 1.4 released

[Petr Vorel]

Hi Mimi,

> Hi Petr,

> On Tue, 2021-11-16 at 10:45 +0100, Petr Vorel wrote:
> > Hi Mimi,

> > Great, thank you! Also, when you have time, could you please put there
> > checksums? (ideally sha256/sha512) or even signed checksum file).

> The github documentation is lacking as to where to put the release
> checksums or signed checksum file.  All I've found is that it isn't
> supported.  Here are the hashes:

> sha256:fcf85b31d6292051b3679e5f17ffa7f89b6898957aad0f59aa4e9878884b27d1

> sha512:2fdf41470d88608162a084c4877ba17d531941b744bcb44dd4913e48ab2c2d13
> 1e0af3e3ead74c18748a5d46aced51213ebd7c13a5ee19050c28d54a26c011a3

You can just generate files and checksum and upload them to the release, like
Cyril does for LTP [1]. iputils just creates checksums file and upload it's sign
[2] (having also signed is obviously better).

Kind regards,
Petr

[1] https://github.com/linux-test-project/ltp/releases/tag/20210927
[2] https://github.com/iputils/iputils/releases/tag/20210722

> thanks,

> Mimi