linux-integrity.vger.kernel.org archive mirror
* [PATCH 1/2] ima-evm-utils: limit "remain unprocessed data" messages
@ 2019-07-08 13:15 Mimi Zohar
From: Mimi Zohar @ 2019-07-08 13:15 UTC (permalink / raw)
  To: linux-integrity; +Cc: Vitaly Chikunov, Roberto Sassu, Mimi Zohar

New, unknown template formats containing unknown fields are not
processed, resulting in "remain unprocessed data" messages.  Processing
these unknown fields is unnecessary for walking the measurement list to
re-calculate the PCRs.

The "remain unprocessed data" may also be emitted for malformed, known
template records.

This patch limits the number of messages emitted to once per template
format and includes the template name in the message.

Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
 src/evmctl.c | 37 +++++++++++++++++++++++++++++++++++--
 1 file changed, 35 insertions(+), 2 deletions(-)

diff --git a/src/evmctl.c b/src/evmctl.c
index 7ce20225c89d..f6046637d8f6 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -1411,6 +1411,34 @@ void ima_show(struct template_entry *entry)
 	log_debug_dump(entry->header.digest, sizeof(entry->header.digest));
 }
 
+/*
+ * Keep track of unknown or malformed template names.
+ *
+ * Return 1 for found, return 0 for not found.
+ */
+static int lookup_template_name_entry(char *template_name)
+{
+	struct template_name_entry {
+		struct template_name_entry *next;
+		char name[];
+	} *entry;
+	static struct template_name_entry *template_names = NULL;
+
+	for (entry = template_names; entry != NULL; entry = entry->next) {
+		if (strcmp(entry->name, template_name) == 0)
+			return 1;
+	}
+
+	entry = malloc(sizeof(struct template_name_entry) +
+			strlen(template_name) + 1);
+	if (entry) {
+		strcpy(entry->name, template_name);
+		entry->next = template_names;
+		template_names = entry;
+	}
+	return 0;
+}
+
 void ima_ng_show(struct template_entry *entry)
 {
 	uint8_t *fieldp = entry->template;
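Review bot: the header comment on lookup_template_name_entry() says only "Return 1 for found, return 0 for not found", but the function also records a name that was not found so the next lookup of it returns 1; state that side effect in the comment (e.g. "Record the name on first sight; return 1 if already seen, 0 otherwise") and take `const char *template_name`, since the name is only read. The silent `malloc()` failure path is acceptable here, as it merely lets the message repeat, but a one-line comment saying so would save the next reader a double-take.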
@@ -1418,6 +1446,7 @@ void ima_ng_show(struct template_entry *entry)
 	int total_len = entry->template_len, digest_len, len, sig_len;
 	uint8_t *digest, *sig = NULL;
 	char *algo, *path;
+	int found;
 	int err;
 
 	/* get binary digest */
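Review bot: `found` is used in exactly one `if` block later in this function; declaring it there, or calling lookup_template_name_entry() directly in the condition, keeps it out of the function-wide scope.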
@@ -1487,8 +1516,12 @@ void ima_ng_show(struct template_entry *entry)
 			log_info("\n");
 	}
 
-	if (total_len)
-		log_err("Remain unprocessed data: %d\n", total_len);
+	if (total_len) {
+		found = lookup_template_name_entry(entry->name);
+		if (!found)
+			log_err("Template \"%s\" contains unprocessed data: "
+				 "%d bytes\n", entry->name, total_len);
+	}
 }
 
 static int ima_measurement(const char *file)
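Review bot: once a template name has been recorded, later records of that template with leftover data are dropped silently, so a malformed record of a known template that follows another record of the same name is never reported; if that distinction matters, keep a per-name count and report the total at the end, or at least say in the message that further reports for this template are suppressed.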
-- 
2.7.5



* [PATCH 2/2] ima-evm-utils: support template "buf" field
@ 2019-07-08 13:15 ` Mimi Zohar
From: Mimi Zohar @ 2019-07-08 13:15 UTC (permalink / raw)
  To: linux-integrity; +Cc: Vitaly Chikunov, Roberto Sassu, Mimi Zohar

Other than the "boot-aggregate" measurement entry in the IMA
measurement list, all other measurements are of file data.  Kernel
support was recently added to support measuring the kexec boot command
line buffer, which is stored in a new template field named 'buf'.

This patch adds support for a new template named "ima-buf", defined as
"d-ng|n-ng|buf".

Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
 src/evmctl.c | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)

diff --git a/src/evmctl.c b/src/evmctl.c
index f6046637d8f6..a6d07c981453 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -1443,8 +1443,8 @@ void ima_ng_show(struct template_entry *entry)
 {
 	uint8_t *fieldp = entry->template;
 	uint32_t field_len;
-	int total_len = entry->template_len, digest_len, len, sig_len;
-	uint8_t *digest, *sig = NULL;
+	int total_len = entry->template_len, digest_len, len, sig_len, fbuf_len;
+	uint8_t *digest, *sig = NULL, *fbuf = NULL;
 	char *algo, *path;
 	int found;
 	int err;
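Review bot: `fbuf_len` is declared without an initializer while `fbuf` is initialised to NULL; the later `if (fbuf)` guard keeps the use safe, but compilers running with -Wmaybe-uninitialized may warn on `log_dump_n(fbuf, fbuf_len)`, so initialise it to 0 alongside `fbuf`.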
@@ -1488,6 +1488,18 @@ void ima_ng_show(struct template_entry *entry)
 			fieldp += field_len;
 			total_len -= field_len;
 		}
+	} else if (!strcmp(entry->name, "ima-buf")) {
+		field_len = *(uint32_t *)fieldp;
+		fieldp += sizeof(field_len);
+		total_len -= sizeof(field_len);
+		if (field_len) {
+			fbuf = fieldp;
+			fbuf_len = field_len;
+
+			/* move to next field */
+			fieldp += field_len;
+			total_len -= field_len;
+		}
 	}
 
 	/* ascii_runtime_measurements */
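Review bot: the new `ima-buf` branch reads `field_len` through `*(uint32_t *)fieldp` and then advances by `field_len` without checking, within this hunk, that `total_len` still holds at least `sizeof(field_len)` bytes or that `field_len <= total_len`; a truncated or malformed record would walk the pointer past the template buffer. Add the check before using the value, e.g. `if (total_len < sizeof(field_len) || field_len > total_len - sizeof(field_len)) { log_err("Template \"%s\" is malformed\n", entry->name); return; }`, and consider `memcpy(&field_len, fieldp, sizeof(field_len))` since `fieldp` is a byte pointer with no alignment guarantee.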
@@ -1497,6 +1509,10 @@ void ima_ng_show(struct template_entry *entry)
 		log_info(" %s %s", entry->name, algo);
 		log_dump_n(digest, digest_len);
 		log_info(" %s", path);
+		if (fbuf) {
+			log_info(" ");
+			log_dump_n(fbuf, fbuf_len);
+		}
 	}
 
 	if (sig) {
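Review bot: a zero-length buf field leaves `fbuf` NULL (the `if (field_len)` guard in the earlier hunk), so such a record prints no trailing column at all while other ima-buf records print the hex dump; if the ascii output is meant to be column-stable per template, print the separator for every ima-buf entry and let log_dump_n() emit an empty value.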
-- 
2.7.5

