linux-integrity.vger.kernel.org archive mirror
* [PATCH v2 0/8] additional "ima-measurement" support
@ 2020-07-10 16:00 Mimi Zohar
From: Mimi Zohar @ 2020-07-10 16:00 UTC (permalink / raw)
  To: linux-integrity; +Cc: Mimi Zohar, Petr Vorel, Bruno Meneguele

"evmctl ima_measurement" walks the IMA measurement list re-calculating
the TPM PCR banks.

- Support the original method of extending the TPM 2.0 banks with the
  padded SHA1 digest.
- Instead of reading the hardware or software TPM PCRs, support
  providing the TPM 1.2 PCRs as a file.
- Limit the number of messages being emitted while verifying the
  measurement list.
- Reading the TPM PCRs before walking the measurement list guarantees
  the measurement list contains all the records, maybe too many.
- Rename "--list" to "--verify-sig", and update the README. 

Changelog v2:
- limit number of messages
- read PCRs before walking the measurement list
- and other miscellaneous cleanup

Mimi Zohar (8):
  ima-evm-utils: improve reading TPM 1.2 PCRs
  ima_evm_utils: support extending TPM 2.0 banks w/original SHA1 padded
    digest
  ima-evm-utils: support providing the TPM 1.2 PCRs as a file
  ima-evm-utils: emit "ima_measurement" messages based on log level
  ima-evm-utils: guarantee the measurement list contains all the records
  ima-evm-utils: the IMA measurement list may have too many measurements
  ima-evm-utils: optionally verify the template data file signature
  ima-evm-utils: update README to reflect "--pcrs", "--verify" and
    "--validate"

 README       |   6 ++-
 src/evmctl.c | 172 +++++++++++++++++++++++++++++++++++++++++++----------------
 2 files changed, 132 insertions(+), 46 deletions(-)

-- 
2.7.5



* [PATCH v2 1/8] ima-evm-utils: improve reading TPM 1.2 PCRs
From: Mimi Zohar @ 2020-07-10 16:00 UTC (permalink / raw)
  To: linux-integrity; +Cc: Mimi Zohar, Petr Vorel, Bruno Meneguele

Instead of reading the TPM 1.2 PCRs one at a time, opening and closing
the securityfs file each time, read all of the PCRs at once.

Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
 src/evmctl.c | 39 ++++++++++++++++++---------------------
 1 file changed, 18 insertions(+), 21 deletions(-)

diff --git a/src/evmctl.c b/src/evmctl.c
index 21809b3229e9..0e489e2c7ba6 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -152,6 +152,14 @@ static void print_usage(struct command *cmd);
 static const char *xattr_ima = "security.ima";
 static const char *xattr_evm = "security.evm";
 
+struct tpm_bank_info {
+	int digest_size;
+	int supported;
+	const char *algo_name;
+	uint8_t digest[MAX_DIGEST_SIZE];
+	uint8_t pcr[NUM_PCRS][MAX_DIGEST_SIZE];
+};
+
 static int bin2file(const char *file, const char *ext, const unsigned char *data, int len)
 {
 	FILE *fp;
@@ -1366,13 +1374,13 @@ static int cmd_ima_clear(struct command *cmd)
 static char *pcrs = "/sys/class/tpm/tpm0/device/pcrs";  /* Kernels >= 4.0 */
 static char *misc_pcrs = "/sys/class/misc/tpm0/device/pcrs";
 
-static int tpm_pcr_read(int idx, uint8_t *pcr, int len)
+/* Read all of the TPM 1.2 PCRs */
+static int tpm_pcr_read(struct tpm_bank_info *tpm_banks, int len)
 {
 	FILE *fp;
 	char *p, pcr_str[7], buf[70]; /* length of the TPM string */
 	int result = -1;
-
-	sprintf(pcr_str, "PCR-%2.2d", idx);
+	int i = 0;
 
 	fp = fopen(pcrs, "r");
 	if (!fp)
@@ -1385,11 +1393,10 @@ static int tpm_pcr_read(int idx, uint8_t *pcr, int len)
 		p = fgets(buf, sizeof(buf), fp);
 		if (!p)
 			break;
-		if (!strncmp(p, pcr_str, 6)) {
-			hex2bin(pcr, p + 7, len);
-			result = 0;
-			break;
-		}
+		sprintf(pcr_str, "PCR-%2.2d", i);
+		if (!strncmp(p, pcr_str, 6))
+			hex2bin(tpm_banks[0].pcr[i++], p + 7, len);
+		result = 0;
 	}
 	fclose(fp);
 	return result;
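Review bot: the loop neither bounds `i` by NUM_PCRS nor ties `result` to a complete read: `result = 0` is set on every line read, and `tpm_banks[0].pcr[i++]` is written whenever a line matches the next expected label. A pcrs file with no PCR lines therefore returns success with all-zero PCRs, and one carrying more matching lines than NUM_PCRS (or more than 99, which also overflows the 7-byte `pcr_str`) writes past the `pcr` array; this matters more once 3/8 lets the user supply the file. Suggest breaking out of the loop when `i == NUM_PCRS` and setting `result = (i == NUM_PCRS) ? 0 : -1;` after it.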
@@ -1571,14 +1578,6 @@ void ima_ng_show(struct template_entry *entry)
 	}
 }
 
-struct tpm_bank_info {
-	int digest_size;
-	int supported;
-	const char *algo_name;
-	uint8_t digest[MAX_DIGEST_SIZE];
-	uint8_t pcr[NUM_PCRS][MAX_DIGEST_SIZE];
-};
-
 static void set_bank_info(struct tpm_bank_info *bank, const char *algo_name)
 {
 	const EVP_MD *md;
@@ -1771,11 +1770,9 @@ static int read_tpm_pcrs(int num_banks, struct tpm_bank_info *tpm_banks)
 {
 	int i;
 
-	for (i = 0; i < NUM_PCRS; i++) {
-		if (tpm_pcr_read(i, tpm_banks[0].pcr[i], SHA_DIGEST_LENGTH)) {
-			log_debug("Failed to read TPM 1.2 PCRs.\n");
-			return -1;
-		}
+	if (tpm_pcr_read(tpm_banks, SHA_DIGEST_LENGTH)) {
+		log_debug("Failed to read TPM 1.2 PCRs.\n");
+		return -1;
 	}
 
 	tpm_banks[0].supported = 1;
-- 
2.7.5



* [PATCH v2 2/8] ima_evm_utils: support extending TPM 2.0 banks w/original SHA1 padded digest
From: Mimi Zohar @ 2020-07-10 16:00 UTC (permalink / raw)
  To: linux-integrity; +Cc: Mimi Zohar, Petr Vorel, Bruno Meneguele

Initially the sha1 digest, including violations, was padded with zeroes
before being extended into the other TPM banks.  Support walking the
IMA measurement list, calculating the per TPM bank SHA1 padded
digest(s).

Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
 src/evmctl.c | 73 +++++++++++++++++++++++++++++++++++++++++++++++-------------
 1 file changed, 58 insertions(+), 15 deletions(-)

diff --git a/src/evmctl.c b/src/evmctl.c
index 0e489e2c7ba6..814aa6b75571 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -1613,6 +1613,10 @@ static struct tpm_bank_info *init_tpm_banks(int *num_banks)
 	return banks;
 }
 
+/*
+ * Compare the calculated TPM PCR banks against the PCR values read.
+ * On failure to match any TPM bank, fail comparison.
+ */
 static int compare_tpm_banks(int num_banks, struct tpm_bank_info *bank,
 			     struct tpm_bank_info *tpm_bank)
 {
@@ -1632,14 +1636,15 @@ static int compare_tpm_banks(int num_banks, struct tpm_bank_info *bank,
 			log_info("%s: TPM PCR-%d: ", tpm_bank[i].algo_name, j);
 			log_dump(tpm_bank[i].pcr[j], tpm_bank[i].digest_size);
 
-			ret = memcmp(bank[i].pcr[j], tpm_bank[i].pcr[j],
-				     bank[i].digest_size);
-			if (!ret)
+			if (memcmp(bank[i].pcr[j], tpm_bank[i].pcr[j],
+				     bank[i].digest_size) == 0) {
 				log_info("%s PCR-%d: succeed\n",
 					 bank[i].algo_name, j);
-			else
+			} else {
+				ret = 1;
 				log_info("%s: PCRAgg %d does not match TPM PCR-%d\n",
 					 bank[i].algo_name, j, j);
+			}
 		}
 	}
 	return ret;
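Review bot: `ret` is now only ever assigned 1 inside the loop, so the success path depends on its initialisation before the loop (outside this hunk) being 0; with the old code every iteration assigned it, so the initial value did not matter. Worth confirming, or initialise it explicitly at the top of the function in this patch.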
@@ -1695,10 +1700,7 @@ static int extend_tpm_bank(EVP_MD_CTX *pctx, const EVP_MD *md,
 		goto out;
 	}
 
-	if (validate && !memcmp(entry->header.digest, zero, SHA_DIGEST_LENGTH))
-		err = EVP_DigestUpdate(pctx, fox, bank->digest_size);
-	else
-		err = EVP_DigestUpdate(pctx, bank->digest, bank->digest_size);
+	err = EVP_DigestUpdate(pctx, bank->digest, bank->digest_size);
 	if (!err) {
 		printf("EVP_DigestUpdate() failed\n");
 		goto out;
@@ -1716,7 +1718,8 @@ out:
 
 /* Calculate and extend the template hash for multiple hash algorithms */
 static void extend_tpm_banks(struct template_entry *entry, int num_banks,
-			     struct tpm_bank_info *bank)
+			     struct tpm_bank_info *bank,
+			     struct tpm_bank_info *padded_bank)
 {
 	EVP_MD_CTX *pctx;
 	const EVP_MD *md;
@@ -1741,24 +1744,53 @@ static void extend_tpm_banks(struct template_entry *entry, int num_banks,
 		}
 
 		/*
-		 * Measurement violations are 0x00 digests.  No need to
-		 * calculate the per TPM bank template digests.
+		 * Measurement violations are 0x00 digests, which are extended
+		 * into the TPM as 0xff.  Verifying the IMA measurement list
+		 * will fail, unless the 0x00 digests are converted to 0xff's.
+		 *
+		 * Initially the sha1 digest, including violations, was padded
+		 * with zeroes before being extended into the TPM.  With the
+		 * per TPM bank digest, violations are the full per bank digest
+		 * size.
 		 */
-		if (memcmp(entry->header.digest, zero, SHA_DIGEST_LENGTH) == 0)
-			memset(bank[i].digest, 0x00, bank[i].digest_size);
-		else {
+		if (memcmp(entry->header.digest, zero, SHA_DIGEST_LENGTH) == 0) {
+			if (!validate) {
+				memset(bank[i].digest, 0x00, bank[i].digest_size);
+				memset(padded_bank[i].digest, 0x00, padded_bank[i].digest_size);
+			} else {
+				memset(bank[i].digest, 0xff,
+				       bank[i].digest_size);
+
+				memset(padded_bank[i].digest, 0x00,
+				       padded_bank[i].digest_size);
+				memset(padded_bank[i].digest, 0xff,
+				       SHA_DIGEST_LENGTH);
+			}
+		} else {
 			err = calculate_template_digest(pctx, md, entry,
 							&bank[i]);
 			if (!err) {
 				bank[i].supported = 0;
 				continue;
 			}
+
+			/*
+			 * calloc set the memory to zero, so just copy the
+			 * sha1 digest.
+			 */
+			memcpy(padded_bank[i].digest, entry->header.digest,
+			       SHA_DIGEST_LENGTH);
 		}
 
 		/* extend TPM BANK with template digest */
 		err = extend_tpm_bank(pctx, md, entry, &bank[i]);
 		if (!err)
 			bank[i].supported = 0;
+
+		/* extend TPM BANK with zero padded sha1 template digest */
+		err = extend_tpm_bank(pctx, md, entry, &padded_bank[i]);
+		if (!err)
+			padded_bank[i].supported = 0;
 	}
 #if OPENSSL_VERSION_NUMBER >= 0x10100000
 	EVP_MD_CTX_free(pctx);
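Review bot: in the `calculate_template_digest()` failure branch the `continue` marks `bank[i].supported = 0` but leaves `padded_bank[i].supported` at 1 and skips its extend, so the padded bank silently misses a record yet is still compared against the TPM later. Set `padded_bank[i].supported = 0;` there too (or fall through to the padded extend, which needs only the SHA1 header digest). The `memcpy` into `padded_bank[i].digest` also relies on the bytes beyond SHA_DIGEST_LENGTH staying zero across records; that holds because the violation branch memsets the full `digest_size`, but the comment should say the tail is never written with anything else.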
@@ -1825,6 +1857,7 @@ static int read_tpm_banks(int num_banks, struct tpm_bank_info *bank)
 
 static int ima_measurement(const char *file)
 {
+	struct tpm_bank_info *pseudo_padded_banks;
 	struct tpm_bank_info *pseudo_banks;
 	struct tpm_bank_info *tpm_banks;
 	int is_ima_template, cur_template_fmt;
@@ -1839,6 +1872,7 @@ static int ima_measurement(const char *file)
 	memset(zero, 0, MAX_DIGEST_SIZE);
 	memset(fox, 0xff, MAX_DIGEST_SIZE);
 
+	pseudo_padded_banks = init_tpm_banks(&num_banks);
 	pseudo_banks = init_tpm_banks(&num_banks);
 	tpm_banks = init_tpm_banks(&num_banks);
 
@@ -1939,7 +1973,8 @@ static int ima_measurement(const char *file)
 			       entry.template_buf_len - len);
 		}
 
-		extend_tpm_banks(&entry, num_banks, pseudo_banks);
+		extend_tpm_banks(&entry, num_banks, pseudo_banks,
+				 pseudo_padded_banks);
 
 		if (verify)
 			ima_verify_template_hash(&entry);
@@ -1954,7 +1989,15 @@ static int ima_measurement(const char *file)
 		err = 0;
 		log_info("Failed to read any TPM PCRs\n");
 	} else {
+		log_info("Comparing with per TPM digest\n");
 		err = compare_tpm_banks(num_banks, pseudo_banks, tpm_banks);
+
+		/* On failure, check older SHA1 zero padded hashes */
+		if (err) {
+			log_info("Comparing with SHA1 padded digest\n");
+			err = compare_tpm_banks(num_banks, pseudo_padded_banks,
+						tpm_banks);
+		}
 	}
 
 out:
-- 
2.7.5



* [PATCH v2 3/8] ima-evm-utils: support providing the TPM 1.2 PCRs as a file
From: Mimi Zohar @ 2020-07-10 16:00 UTC (permalink / raw)
  To: linux-integrity; +Cc: Mimi Zohar, Petr Vorel, Bruno Meneguele

"evmctl ima_measurement" walks the IMA measurement list calculating the
PCRs and verifies the calculated values against the system's PCRs.
Instead of reading the system's PCRs, provide the PCRs as a file.  For
TPM 1.2 the PCRs are exported via a securityfs file.

Verifying the IMA measurement list against the exported TPM 1.2 PCRs
file may be used remotely for regression testing.  If used in a
production environment, the provided TPM PCRs must be compared with
those included in the TPM 1.2 quote as well.

This patch defines an evmctl ima_measurement "--pcrs <filename>" option.

Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
 src/evmctl.c | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/src/evmctl.c b/src/evmctl.c
index 814aa6b75571..21ae1c7ca5a7 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -160,6 +160,8 @@ struct tpm_bank_info {
 	uint8_t pcr[NUM_PCRS][MAX_DIGEST_SIZE];
 };
 
+static char *pcrfile;
+
 static int bin2file(const char *file, const char *ext, const unsigned char *data, int len)
 {
 	FILE *fp;
@@ -1377,12 +1379,18 @@ static char *misc_pcrs = "/sys/class/misc/tpm0/device/pcrs";
 /* Read all of the TPM 1.2 PCRs */
 static int tpm_pcr_read(struct tpm_bank_info *tpm_banks, int len)
 {
-	FILE *fp;
+	FILE *fp = NULL;
 	char *p, pcr_str[7], buf[70]; /* length of the TPM string */
 	int result = -1;
 	int i = 0;
 
-	fp = fopen(pcrs, "r");
+	/* Use the provided TPM 1.2 pcrs file */
+	if (pcrfile)
+		fp = fopen(pcrfile, "r");
+
+	if (!fp)
+		fp = fopen(pcrs, "r");
+
 	if (!fp)
 		fp = fopen(misc_pcrs, "r");
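Review bot: when `--pcrs` names a file that cannot be opened, the code falls through to the system's securityfs PCRs without any message, so a mistyped path silently turns verification against the supplied PCR file into verification against the local TPM (or into "Failed to read any TPM PCRs" on a system without one). If `pcrfile` is set and `fopen()` fails, log the error and return -1 instead of trying `pcrs` and `misc_pcrs`.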
 
@@ -2347,7 +2355,7 @@ struct command cmds[] = {
 	{"ima_verify", cmd_verify_ima, 0, "file", "Verify IMA signature (for debugging).\n"},
 	{"ima_setxattr", cmd_setxattr_ima, 0, "[--sigfile file]", "Set IMA signature from sigfile\n"},
 	{"ima_hash", cmd_hash_ima, 0, "file", "Make file content hash.\n"},
-	{"ima_measurement", cmd_ima_measurement, 0, "[--validate] [--verify] file", "Verify measurement list (experimental).\n"},
+	{"ima_measurement", cmd_ima_measurement, 0, "[--validate] [--verify] [--pcrs file] file", "Verify measurement list (experimental).\n"},
 	{"ima_boot_aggregate", cmd_ima_bootaggr, 0, "[file]", "Calculate per TPM bank boot_aggregate digests\n"},
 	{"ima_fix", cmd_ima_fix, 0, "[-t fdsxm] path", "Recursively fix IMA/EVM xattrs in fix mode.\n"},
 	{"ima_clear", cmd_ima_clear, 0, "[-t fdsxm] path", "Recursively remove IMA/EVM xattrs.\n"},
@@ -2388,6 +2396,7 @@ static struct option opts[] = {
 	{"xattr-user", 0, 0, 140},
 	{"validate", 0, 0, 141},
 	{"verify", 0, 0, 142},
+	{"pcrs", 1, 0, 143},
 	{}
 
 };
@@ -2572,6 +2581,9 @@ int main(int argc, char *argv[])
 		case 142: /* --verify */
 			verify = 1;
 			break;
+		case 143:
+			pcrfile = optarg;
+			break;
 		case '?':
 			exit(1);
 			break;
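Review bot: `case 143:` lacks the option comment its neighbours carry (`case 142: /* --verify */`); add `/* --pcrs file */`.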
-- 
2.7.5



* [PATCH v2 4/8] ima-evm-utils: emit "ima_measurement" messages based on log level
From: Mimi Zohar @ 2020-07-10 16:00 UTC (permalink / raw)
  To: linux-integrity; +Cc: Mimi Zohar, Petr Vorel, Bruno Meneguele

"ima_measurement" emits quite a few messages.  Only a few messages
belong at the default log level.

Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
 src/evmctl.c | 25 ++++++++++++++++++-------
 1 file changed, 18 insertions(+), 7 deletions(-)

diff --git a/src/evmctl.c b/src/evmctl.c
index 21ae1c7ca5a7..fac6a270794f 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -1638,21 +1638,27 @@ static int compare_tpm_banks(int num_banks, struct tpm_bank_info *bank,
 			if (memcmp(bank[i].pcr[j], zero, bank[i].digest_size)
 			    == 0)
 				continue;
+
+			if (memcmp(bank[i].pcr[j], tpm_bank[i].pcr[j],
+				     bank[i].digest_size) != 0)
+				ret = 1;
+
+			if ((!ret && imaevm_params.verbose <= LOG_INFO) ||
+			    (ret && imaevm_params.verbose <= LOG_DEBUG))
+				continue;
+
 			log_info("%s: PCRAgg  %d: ", bank[i].algo_name, j);
 			log_dump(bank[i].pcr[j], bank[i].digest_size);
 
 			log_info("%s: TPM PCR-%d: ", tpm_bank[i].algo_name, j);
 			log_dump(tpm_bank[i].pcr[j], tpm_bank[i].digest_size);
 
-			if (memcmp(bank[i].pcr[j], tpm_bank[i].pcr[j],
-				     bank[i].digest_size) == 0) {
+			if (!ret)
 				log_info("%s PCR-%d: succeed\n",
 					 bank[i].algo_name, j);
-			} else {
-				ret = 1;
+			else
 				log_info("%s: PCRAgg %d does not match TPM PCR-%d\n",
 					 bank[i].algo_name, j, j);
-			}
 		}
 	}
 	return ret;
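Review bot: `ret` is accumulated across PCRs but is also used as the per-PCR verdict, so once one PCR mismatches every later PCR in the loop, matching or not, goes through the `ret && ...` verbosity filter and is reported as "PCRAgg %d does not match TPM PCR-%d". Keep a per-iteration result (`int rc = memcmp(...); if (rc) ret = 1;`) and use `rc` for both the `continue` test and the succeed/does-not-match message.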
@@ -1997,15 +2003,20 @@ static int ima_measurement(const char *file)
 		err = 0;
 		log_info("Failed to read any TPM PCRs\n");
 	} else {
-		log_info("Comparing with per TPM digest\n");
 		err = compare_tpm_banks(num_banks, pseudo_banks, tpm_banks);
+		if (!err)
+			log_info("Matched per TPM bank calculated digest(s).\n");
 
 		/* On failure, check older SHA1 zero padded hashes */
 		if (err) {
-			log_info("Comparing with SHA1 padded digest\n");
 			err = compare_tpm_banks(num_banks, pseudo_padded_banks,
 						tpm_banks);
+			if (!err)
+				log_info("Matched SHA1 padded TPM digest(s).\n");
 		}
+
+		if (err)
+			log_info("Failed to match per TPM bank or SHA1 padded TPM digest(s).\n");
 	}
 
 out:
-- 
2.7.5



* [PATCH v2 5/8] ima-evm-utils: guarantee the measurement list contains all the records
From: Mimi Zohar @ 2020-07-10 16:00 UTC (permalink / raw)
  To: linux-integrity; +Cc: Mimi Zohar, Petr Vorel, Bruno Meneguele

Reading the TPM PCRs before walking the measurement list guarantees
the measurement list contains all the records.

Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
 src/evmctl.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/src/evmctl.c b/src/evmctl.c
index fac6a270794f..5787887882b4 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -1876,6 +1876,7 @@ static int ima_measurement(const char *file)
 	struct tpm_bank_info *tpm_banks;
 	int is_ima_template, cur_template_fmt;
 	int num_banks = 0;
+	int tpmbanks = 1;
 	int first_record = 1;
 
 	struct template_entry entry = { .template = 0 };
@@ -1901,6 +1902,14 @@ static int ima_measurement(const char *file)
 	else				/* assume read pubkey from x509 cert */
 		init_public_keys("/etc/keys/x509_evm.der");
 
+	/*
+	 * Reading the PCRs before walking the IMA measurement list
+	 * guarantees that all of the measurements are included in
+	 * the PCRs.
+	 */
+	if (read_tpm_banks(num_banks, tpm_banks) != 0)
+		tpmbanks = 0;
+
 	while (fread(&entry.header, sizeof(entry.header), 1, fp)) {
 		if (entry.header.name_len > TCG_EVENT_NAME_LEN_MAX) {
 			log_err("%d ERROR: event name too long!\n",
@@ -1999,10 +2008,9 @@ static int ima_measurement(const char *file)
 			ima_ng_show(&entry);
 	}
 
-	if (read_tpm_banks(num_banks, tpm_banks) != 0) {
-		err = 0;
+	if (tpmbanks == 0)
 		log_info("Failed to read any TPM PCRs\n");
-	} else {
+	else {
 		err = compare_tpm_banks(num_banks, pseudo_banks, tpm_banks);
 		if (!err)
 			log_info("Matched per TPM bank calculated digest(s).\n");
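Review bot: removing `err = 0` changes the result when no TPM PCRs can be read: `err` keeps its initial -1, so ima_measurement() now fails where it used to succeed with only the log message. That is arguably the safer behaviour (a list that could not be checked against any PCRs should not be reported as verified), but it is a user-visible change the commit message should state; if it is unintended, keep `err = 0` in the `tpmbanks == 0` branch. Also brace both arms of that if/else rather than only the `else`, as the old code did.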
-- 
2.7.5



* [PATCH v2 6/8] ima-evm-utils: the IMA measurement list may have too many measurements
From: Mimi Zohar @ 2020-07-10 16:00 UTC (permalink / raw)
  To: linux-integrity; +Cc: Mimi Zohar, Petr Vorel, Bruno Meneguele

Reading the TPM PCRs before walking the measurement list guarantees
the measurement list contains all the records, possibly too many records.
Compare the re-calculated hash after each extend with both the per bank
TPM PCR digests and the SHA1 padded TPM PCR digests.

Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
 src/evmctl.c | 33 ++++++++++++++++++++++-----------
 1 file changed, 22 insertions(+), 11 deletions(-)

diff --git a/src/evmctl.c b/src/evmctl.c
index 5787887882b4..88fd8e4c31f0 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -1881,6 +1881,7 @@ static int ima_measurement(const char *file)
 
 	struct template_entry entry = { .template = 0 };
 	FILE *fp;
+	int err_padded = -1;
 	int err = -1;
 
 	errno = 0;
@@ -2006,24 +2007,34 @@ static int ima_measurement(const char *file)
 			ima_show(&entry);
 		else
 			ima_ng_show(&entry);
+
+		if (!tpmbanks)
+			continue;
+
+		/* The measurement list might contain too many entries,
+		 * compare the re-calculated TPM PCR values after each
+		 * extend.
+		 */
+		err = compare_tpm_banks(num_banks, pseudo_banks, tpm_banks);
+		if (!err)
+			break;
+
+		/* Compare against original SHA1 zero padded TPM PCR values */
+		err_padded = compare_tpm_banks(num_banks, pseudo_padded_banks,
+					       tpm_banks);
+		if (!err_padded)
+			break;
 	}
 
 	if (tpmbanks == 0)
 		log_info("Failed to read any TPM PCRs\n");
 	else {
-		err = compare_tpm_banks(num_banks, pseudo_banks, tpm_banks);
 		if (!err)
 			log_info("Matched per TPM bank calculated digest(s).\n");
-
-		/* On failure, check older SHA1 zero padded hashes */
-		if (err) {
-			err = compare_tpm_banks(num_banks, pseudo_padded_banks,
-						tpm_banks);
-			if (!err)
-				log_info("Matched SHA1 padded TPM digest(s).\n");
-		}
-
-		if (err)
+		else if (!err_padded) {
+			log_info("Matched SHA1 padded TPM digest(s).\n");
+			err = 0;
+		} else
 			log_info("Failed to match per TPM bank or SHA1 padded TPM digest(s).\n");
 	}
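Review bot: breaking out on the first match stops processing the remaining records, so trailing entries are neither displayed by ima_show()/ima_ng_show() nor checked by --verify/--verify-sig, and nothing reports how many were skipped. A record that was never extended into the TPM is indistinguishable here from one appended after the PCRs were read, so log the number of records left unprocessed (e.g. "matched after N of M records") to let a caller tell a complete match from a prefix match. Note also that compare_tpm_banks() now runs twice per record, so its per-PCR output has to stay gated on verbosity as 4/8 arranged, or a long list becomes very noisy.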
 
-- 
2.7.5


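The replay the cover letter and patches 2/8 and 6/8 describe, as an added stand-alone Python model rather than code from ima-evm-utils: both extension methods (per-bank template digest and zero-padded SHA1), the 0xff substitution for violations that --validate performs, and the compare after every record against PCRs read before the walk. It assumes 24 PCRs and IMA's default PCR 10, treats ima-ng template data as an opaque byte string, and constructs both the sample list and the "TPM" values it checks against.

```python
import hashlib

SHA1_LEN = 20
NUM_PCRS = 24        # assumption: 24 PCRs per bank (TPM 1.2 and the TPM 2.0 SHA banks)
ZERO_SHA1 = b"\x00" * SHA1_LEN


def digest_size(algo):
    return hashlib.new(algo).digest_size


def extend(pcr, digest, algo):
    """TPM extend: PCR_new = H(PCR_old || digest)."""
    return hashlib.new(algo, pcr + digest).digest()


def per_bank_digest(sha1_digest, template_data, algo, validate=True):
    """Per-bank template digest, as the current kernel extends it. A violation is
    logged with an all-zero SHA1 digest but extended as 0xff: with --validate evmctl
    substitutes 0xff for the bank's full digest size, without it the 0x00 digest is
    kept and the comparison is expected to fail."""
    if sha1_digest == ZERO_SHA1:
        return (b"\xff" if validate else b"\x00") * digest_size(algo)
    return hashlib.new(algo, template_data).digest()


def sha1_padded_digest(sha1_digest, algo, validate=True):
    """Original method: the 20-byte SHA1 digest (violations as 20 x 0xff),
    zero-padded to the bank's digest size."""
    if sha1_digest == ZERO_SHA1:
        head = (b"\xff" if validate else b"\x00") * SHA1_LEN
    else:
        head = sha1_digest
    return head + b"\x00" * (digest_size(algo) - SHA1_LEN)


def new_banks(algos):
    return {a: [b"\x00" * digest_size(a) for _ in range(NUM_PCRS)] for a in algos}


def banks_match(calc, tpm):
    """compare_tpm_banks(): every PCR the replay touched must equal the TPM's value;
    PCRs still all-zero in the calculated bank are skipped."""
    for algo, pcrs in calc.items():
        for j, value in enumerate(pcrs):
            if value != b"\x00" * len(value) and value != tpm[algo][j]:
                return False
    return True


def replay(records, tpm, algos, validate=True):
    """Walk the list, extending a per-bank and a SHA1-padded pseudo bank set, and
    compare both against the TPM after every record: the PCRs were read before the
    walk, so the list may hold records the TPM does not yet reflect.
    Returns (method, records_consumed) or (None, len(records))."""
    calc, padded = new_banks(algos), new_banks(algos)
    for n, (pcr, sha1_digest, template_data) in enumerate(records, 1):
        for a in algos:
            calc[a][pcr] = extend(calc[a][pcr],
                                  per_bank_digest(sha1_digest, template_data, a, validate), a)
            padded[a][pcr] = extend(padded[a][pcr],
                                    sha1_padded_digest(sha1_digest, a, validate), a)
        if banks_match(calc, tpm):
            return "per-bank", n
        if banks_match(padded, tpm):
            return "sha1-padded", n
    return None, len(records)


def sample_list():
    """Constructed ima-ng style records (pcr, SHA1 header digest, template data);
    the template data is an opaque byte string here, as it is to the digest."""
    recs = []
    for path in (b"/init", b"/usr/lib/libc.so.6", b"/usr/bin/bash"):
        data = b"sha256:" + hashlib.sha256(path).hexdigest().encode() + b" " + path
        recs.append((10, hashlib.sha1(data).digest(), data))
    recs.insert(2, (10, ZERO_SHA1, b"sha256:ToMToU /var/log/messages"))  # a violation
    return recs


def simulate_tpm(records, algos, method):
    """Model the kernel's extends to obtain the PCR values a TPM would hold."""
    tpm = new_banks(algos)
    for pcr, sha1_digest, data in records:
        for a in algos:
            d = (per_bank_digest(sha1_digest, data, a) if method == "per-bank"
                 else sha1_padded_digest(sha1_digest, a))
            tpm[a][pcr] = extend(tpm[a][pcr], d, a)
    return tpm


def demo():
    algos = ("sha1", "sha256")
    recs = sample_list()
    tpm_new = simulate_tpm(recs, algos, "per-bank")      # kernel using per-bank digests
    tpm_old = simulate_tpm(recs, algos, "sha1-padded")   # kernel using padded SHA1
    # One record appended to the list after the PCRs were read: it must be ignored.
    late = recs + [(10, hashlib.sha1(b"late").digest(), b"late")]
    return {
        "per_bank_kernel": replay(late, tpm_new, algos),                # ("per-bank", 4)
        "padded_kernel": replay(late, tpm_old, algos),                  # ("sha1-padded", 4)
        "no_validate": replay(late, tpm_new, algos, validate=False),    # (None, 5)
        "missing_record": replay(late[:1] + late[2:], tpm_new, algos),  # (None, 4)
    }
```

The SHA1 bank matches under both methods (padding a 20-byte digest to 20 bytes changes nothing), so only a second bank such as sha256 distinguishes them, which is why the fallback compare exists.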

* [PATCH v2 7/8] ima-evm-utils: optionally verify the template data file signature
From: Mimi Zohar @ 2020-07-10 16:00 UTC (permalink / raw)
  To: linux-integrity; +Cc: Mimi Zohar, Petr Vorel, Bruno Meneguele

Rename "--list" to "verify-sig" to optionally verify the file signature
contained in the template data based on the supplied set of keys.

Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
 README       |  3 ++-
 src/evmctl.c | 12 ++++++------
 2 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/README b/README
index 3603ae8a6084..374b748c59bf 100644
--- a/README
+++ b/README
@@ -31,7 +31,7 @@ COMMANDS
  ima_sign [--sigfile] [--key key] [--pass password] file
  ima_verify file
  ima_hash file
- ima_measurement [--key "key1, key2, ..."] [--list] file
+ ima_measurement [--verify-sig [--key "key1, key2, ..."]] file
  ima_fix [-t fdsxm] path
  sign_hash [--key key] [--pass password]
  hmac [--imahash | --imasig ] file
@@ -59,6 +59,7 @@ OPTIONS
       --m32          force EVM hmac/signature for 32 bit target system
       --m64          force EVM hmac/signature for 64 bit target system
       --engine e     preload OpenSSL engine e (such as: gost)
+      --verify-sig   verify the template data file signature
   -v                 increase verbosity level
   -h, --help         display this help and exit
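Review bot: this README line describes --verify-sig as "verify the template data file signature" while the usage() string changed in the evmctl.c part of this patch says "verify measurement list signatures"; use one wording in both places.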
 
diff --git a/src/evmctl.c b/src/evmctl.c
index 88fd8e4c31f0..90a3eebc4431 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -125,7 +125,7 @@ static char *caps_str;
 static char *ima_str;
 static char *selinux_str;
 static char *search_type;
-static int measurement_list;
+static int verify_list_sig;
 static int recursive;
 static int msize;
 static dev_t fs_dev;
@@ -1566,7 +1566,7 @@ void ima_ng_show(struct template_entry *entry)
 			log_info(" ");
 			log_dump(sig, sig_len);
 		}
-		if (measurement_list)
+		if (verify_list_sig)
 			err = ima_verify_signature(path, sig, sig_len,
 						   digest, digest_len);
 		else
@@ -2367,7 +2367,7 @@ static void usage(void)
 		"      --ima          use custom IMA signature for EVM\n"
 		"      --selinux      use custom Selinux label for EVM\n"
 		"      --caps         use custom Capabilities for EVM(unspecified: from FS, empty: do not use)\n"
-		"      --list         measurement list verification\n"
+		"      --verify-sig   verify measurement list signatures\n"
 		"      --engine e     preload OpenSSL engine e (such as: gost)\n"
 		"  -v                 increase verbosity level\n"
 		"  -h, --help         display this help and exit\n"
@@ -2385,7 +2385,7 @@ struct command cmds[] = {
 	{"ima_verify", cmd_verify_ima, 0, "file", "Verify IMA signature (for debugging).\n"},
 	{"ima_setxattr", cmd_setxattr_ima, 0, "[--sigfile file]", "Set IMA signature from sigfile\n"},
 	{"ima_hash", cmd_hash_ima, 0, "file", "Make file content hash.\n"},
-	{"ima_measurement", cmd_ima_measurement, 0, "[--validate] [--verify] [--pcrs file] file", "Verify measurement list (experimental).\n"},
+	{"ima_measurement", cmd_ima_measurement, 0, "[--validate] [--verify] [--verify-sig [--key key1, key2, ...]] [--pcrs file] file", "Verify measurement list (experimental).\n"},
 	{"ima_boot_aggregate", cmd_ima_bootaggr, 0, "[file]", "Calculate per TPM bank boot_aggregate digests\n"},
 	{"ima_fix", cmd_ima_fix, 0, "[-t fdsxm] path", "Recursively fix IMA/EVM xattrs in fix mode.\n"},
 	{"ima_clear", cmd_ima_clear, 0, "[-t fdsxm] path", "Recursively remove IMA/EVM xattrs.\n"},
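Review bot: the cmds[] synopsis writes `[--key key1, key2, ...]` without the quotes the README line in this patch uses (`--key "key1, key2, ..."`); since the key list is a single argument, quote it here as well.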
@@ -2421,7 +2421,7 @@ static struct option opts[] = {
 	{"ima", 1, 0, 135},
 	{"selinux", 1, 0, 136},
 	{"caps", 2, 0, 137},
-	{"list", 0, 0, 138},
+	{"verify-sig", 0, 0, 138},
 	{"engine", 1, 0, 139},
 	{"xattr-user", 0, 0, 140},
 	{"validate", 0, 0, 141},
@@ -2586,7 +2586,7 @@ int main(int argc, char *argv[])
 			hmac_flags |= HMAC_FLAG_CAPS_SET;
 			break;
 		case 138:
-			measurement_list = 1;
+			verify_list_sig = 1;
 			break;
 		case 139: /* --engine e */
 			eng = ENGINE_by_id(optarg);
-- 
2.7.5



* [PATCH v2 8/8] ima-evm-utils: update README to reflect "--pcrs", "--verify" and "--validate"
From: Mimi Zohar @ 2020-07-10 16:00 UTC (permalink / raw)
  To: linux-integrity; +Cc: Mimi Zohar, Petr Vorel, Bruno Meneguele

"--pcrs" compares the re-calculate PCRs against a file containing TPM 1.2 pcrs.
"--validate" ignores ToMToU measurement violations.
"--verify" verifies the template data digest based on the template data.

Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
 README | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/README b/README
index 374b748c59bf..64b9da508d8d 100644
--- a/README
+++ b/README
@@ -31,7 +31,7 @@ COMMANDS
  ima_sign [--sigfile] [--key key] [--pass password] file
  ima_verify file
  ima_hash file
- ima_measurement [--verify-sig [--key "key1, key2, ..."]] file
+ ima_measurement [--validate] [--verify] [--verify-sig [--key "key1, key2, ..."]]  [--pcrs file] file
  ima_fix [-t fdsxm] path
  sign_hash [--key key] [--pass password]
  hmac [--imahash | --imasig ] file
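Review bot: there is a double space before `[--pcrs file]` in the new ima_measurement synopsis.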
@@ -59,6 +59,9 @@ OPTIONS
       --m32          force EVM hmac/signature for 32 bit target system
       --m64          force EVM hmac/signature for 64 bit target system
       --engine e     preload OpenSSL engine e (such as: gost)
+      --pcrs         file containing TPM 1.2 pcrs
+      --validate     ignore ToMToU measurement violations
+      --verify       verify the template data digest
       --verify-sig   verify the template data file signature
   -v                 increase verbosity level
   -h, --help         display this help and exit
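Review bot: `--pcrs` takes a filename but is listed without its argument, unlike `--engine e` just above; write `--pcrs file` so the option column matches the synopsis. The `--validate` text could also say what "ignore" means in practice, i.e. that ToMToU violations (0x00 digests in the list) are re-calculated as 0xff, as 2/8 implements.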
-- 
2.7.5



* Re: [PATCH v2 2/8] ima_evm_utils: support extending TPM 2.0 banks w/original SHA1 padded digest
From: Bruno Meneguele @ 2020-07-15 18:43 UTC (permalink / raw)
  To: Mimi Zohar; +Cc: linux-integrity, Petr Vorel


Hi Mimi,

On Fri, Jul 10, 2020 at 12:00:53PM -0400, Mimi Zohar wrote:
> Initially the sha1 digest, including violations, was padded with zeroes
> before being extended into the other TPM banks.  Support walking the
> IMA measurement list, calculating the per TPM bank SHA1 padded
> digest(s).
> 
> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
> ---
>  src/evmctl.c | 73 +++++++++++++++++++++++++++++++++++++++++++++++-------------
>  1 file changed, 58 insertions(+), 15 deletions(-)
> 
> diff --git a/src/evmctl.c b/src/evmctl.c
> index 0e489e2c7ba6..814aa6b75571 100644
> --- a/src/evmctl.c
> +++ b/src/evmctl.c
> @@ -1613,6 +1613,10 @@ static struct tpm_bank_info *init_tpm_banks(int *num_banks)
>  	return banks;
>  }
>  
> +/*
> + * Compare the calculated TPM PCR banks against the PCR values read.
> + * On failure to match any TPM bank, fail comparison.
> + */
>  static int compare_tpm_banks(int num_banks, struct tpm_bank_info *bank,
>  			     struct tpm_bank_info *tpm_bank)
>  {
> @@ -1632,14 +1636,15 @@ static int compare_tpm_banks(int num_banks, struct tpm_bank_info *bank,
>  			log_info("%s: TPM PCR-%d: ", tpm_bank[i].algo_name, j);
>  			log_dump(tpm_bank[i].pcr[j], tpm_bank[i].digest_size);
>  
> -			ret = memcmp(bank[i].pcr[j], tpm_bank[i].pcr[j],
> -				     bank[i].digest_size);
> -			if (!ret)
> +			if (memcmp(bank[i].pcr[j], tpm_bank[i].pcr[j],
> +				     bank[i].digest_size) == 0) {
>  				log_info("%s PCR-%d: succeed\n",
>  					 bank[i].algo_name, j);
> -			else
> +			} else {
> +				ret = 1;
>  				log_info("%s: PCRAgg %d does not match TPM PCR-%d\n",
>  					 bank[i].algo_name, j, j);
> +			}
>  		}
>  	}
>  	return ret;
> @@ -1695,10 +1700,7 @@ static int extend_tpm_bank(EVP_MD_CTX *pctx, const EVP_MD *md,
>  		goto out;
>  	}
>  
> -	if (validate && !memcmp(entry->header.digest, zero, SHA_DIGEST_LENGTH))
> -		err = EVP_DigestUpdate(pctx, fox, bank->digest_size);

'fox' is not being used in the code anymore. It could be totally removed
afaics.

diff --git a/src/evmctl.c b/src/evmctl.c
index 90a3eeb..ae513b0 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -1425,7 +1425,6 @@ struct template_entry {
 };

 static uint8_t zero[MAX_DIGEST_SIZE];
-static uint8_t fox[MAX_DIGEST_SIZE];

 static int validate = 0;
 static int verify = 0;
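Review bot: the removal is correct, since the only use of `fox` was deleted in patch 2/8, but an inline diff in a reply carries no subject line or Signed-off-by and cannot be applied with `git am`; please resend it as a standalone patch.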
@@ -1886,7 +1885,6 @@ static int ima_measurement(const char *file)

        errno = 0;
        memset(zero, 0, MAX_DIGEST_SIZE);
-       memset(fox, 0xff, MAX_DIGEST_SIZE);

        pseudo_padded_banks = init_tpm_banks(&num_banks);
        pseudo_banks = init_tpm_banks(&num_banks);
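Review bot: the `memset(zero, 0, MAX_DIGEST_SIZE);` left on the line above the removed one is itself redundant: `zero` is a static array (see the previous hunk) and is therefore already zero-initialised, so it could be dropped in the same cleanup.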


-- 
bmeneg 
PGP Key: http://bmeneg.com/pubkey.txt
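The mechanism the quoted commit message describes, replaying the IMA measurement list into each TPM bank with the zero-padded SHA1 digest and then comparing the result against the PCRs read from the TPM, as an added illustration that is not evmctl's code. The bank set and the measurement list are constructed for the example, and the 0xff substitution for a violation entry in validate mode is an assumption modelled on the `fox` line removed above.

```python
import hashlib

SHA1_LEN = 20

# Digest size of each TPM bank the list is replayed into (constructed for
# the example; evmctl discovers the allocated banks from the TPM).
BANKS = {"sha1": 20, "sha256": 32}

# Constructed measurement list: (PCR index, SHA1 template digest as stored
# in the IMA measurement list).  An all-zero digest marks a violation.
MEASUREMENTS = [
    (10, hashlib.sha1(b"boot_aggregate").digest()),
    (10, bytes(SHA1_LEN)),
    (10, hashlib.sha1(b"/usr/bin/example").digest()),
]


def pad_digest(digest: bytes, size: int) -> bytes:
    """Zero-pad a SHA1 digest to the bank's digest size (the original method)."""
    if len(digest) > size:
        raise ValueError("digest larger than bank digest size")
    return digest + bytes(size - len(digest))


def extend_pcr(pcr: bytes, value: bytes, algo: str) -> bytes:
    """The TPM extend operation: PCR_new = H(PCR_old || value)."""
    return hashlib.new(algo, pcr + value).digest()


def replay_measurement_list(measurements, validate=False):
    """Recompute every bank's PCRs by walking the measurement list.

    With validate=True an all-zero (violation) digest is replaced by a
    bank-sized buffer of 0xff bytes.  Assumption: this mirrors the fox
    substitution in the quoted evmctl code, not the final upstream logic.
    """
    banks = {algo: {} for algo in BANKS}
    for pcr_idx, digest in measurements:
        for algo, size in BANKS.items():
            if validate and digest == bytes(SHA1_LEN):
                value = b"\xff" * size
            else:
                value = pad_digest(digest, size)
            current = banks[algo].get(pcr_idx, bytes(size))
            banks[algo][pcr_idx] = extend_pcr(current, value, algo)
    return banks


def compare_tpm_banks(calculated, read):
    """Return the (bank, PCR) pairs whose calculated value differs from the
    value read from the TPM.  An empty list means every bank matched; a
    mismatch is sticky, unlike the pre-patch evmctl loop that overwrote
    its result on the next matching PCR."""
    mismatches = []
    for algo, pcrs in calculated.items():
        for idx, value in pcrs.items():
            if read.get(algo, {}).get(idx) != value:
                mismatches.append((algo, idx))
    return mismatches


if __name__ == "__main__":
    banks = replay_measurement_list(MEASUREMENTS)
    for algo, pcrs in banks.items():
        for idx, value in pcrs.items():
            print(f"{algo}: PCRAgg {idx}: {value.hex()}")
    # Simulate a TPM whose sha256 bank disagrees with the log.
    read = {a: dict(p) for a, p in banks.items()}
    read["sha256"][10] = bytes(32)
    print("mismatches:", compare_tpm_banks(banks, read))
```

Because the sha1 bank's digest size equals the SHA1 length, padding is a no-op there and the replay reduces to the classic TPM 1.2 aggregate; for the sha256 bank the 20-byte digest is followed by 12 zero bytes before the extend, which is why a log that validates against the sha1 bank can still disagree with a TPM whose kernel used per-bank hashes instead.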


* Re: [PATCH v2 2/8] ima_evm_utils: support extending TPM 2.0 banks w/original SHA1 padded digest
  2020-07-15 18:43   ` Bruno Meneguele
@ 2020-07-15 19:47     ` Mimi Zohar
  2020-07-15 20:11       ` Mimi Zohar
  0 siblings, 1 reply; 13+ messages in thread
From: Mimi Zohar @ 2020-07-15 19:47 UTC (permalink / raw)
  To: Bruno Meneguele; +Cc: linux-integrity, Petr Vorel

Hi Bruno,

On Wed, 2020-07-15 at 15:43 -0300, Bruno Meneguele wrote:
<snip>

If this patch was in next-testing, I could simply update it.  Please
send a new patch to remove fox.

thanks,

Mimi

> 'fox' is not being used in the code anymore. It could be totally removed
> afaics.
> 
> diff --git a/src/evmctl.c b/src/evmctl.c
> index 90a3eeb..ae513b0 100644
> --- a/src/evmctl.c
> +++ b/src/evmctl.c
> @@ -1425,7 +1425,6 @@ struct template_entry {
>  };
> 
>  static uint8_t zero[MAX_DIGEST_SIZE];
> -static uint8_t fox[MAX_DIGEST_SIZE];
> 
>  static int validate = 0;
>  static int verify = 0;
> @@ -1886,7 +1885,6 @@ static int ima_measurement(const char *file)
> 
>         errno = 0;
>         memset(zero, 0, MAX_DIGEST_SIZE);
> -       memset(fox, 0xff, MAX_DIGEST_SIZE);
> 
>         pseudo_padded_banks = init_tpm_banks(&num_banks);
>         pseudo_banks = init_tpm_banks(&num_banks);
> 
> 



* Re: [PATCH v2 2/8] ima_evm_utils: support extending TPM 2.0 banks w/original SHA1 padded digest
  2020-07-15 19:47     ` Mimi Zohar
@ 2020-07-15 20:11       ` Mimi Zohar
  2020-07-15 20:17         ` Bruno Meneguele
  0 siblings, 1 reply; 13+ messages in thread
From: Mimi Zohar @ 2020-07-15 20:11 UTC (permalink / raw)
  To: Bruno Meneguele; +Cc: linux-integrity, Petr Vorel

On Wed, 2020-07-15 at 15:47 -0400, Mimi Zohar wrote:
> Hi Bruno,
> 
> On Wed, 2020-07-15 at 15:43 -0300, Bruno Meneguele wrote:
> <snip>
> 
> If this patch was in next-testing, I could simply update it.  Please
> send a new patch to remove fox.

Oh, it is in next-testing.  I'll fix it up.

thanks!

Mimi


* Re: [PATCH v2 2/8] ima_evm_utils: support extending TPM 2.0 banks w/original SHA1 padded digest
  2020-07-15 20:11       ` Mimi Zohar
@ 2020-07-15 20:17         ` Bruno Meneguele
  0 siblings, 0 replies; 13+ messages in thread
From: Bruno Meneguele @ 2020-07-15 20:17 UTC (permalink / raw)
  To: Mimi Zohar; +Cc: linux-integrity, Petr Vorel


On Wed, Jul 15, 2020 at 04:11:03PM -0400, Mimi Zohar wrote:
> On Wed, 2020-07-15 at 15:47 -0400, Mimi Zohar wrote:
> > Hi Bruno,
> > 
> > On Wed, 2020-07-15 at 15:43 -0300, Bruno Meneguele wrote:
> > <snip>
> > 
> > If this patch was in next-testing, I could simply update it.  Please
> > send a new patch to remove fox.
> 
> Oh, it is in next-testing.  I'll fix it up.
> 

Yes :)

Thanks.

> thanks!
> 
> Mimi
> 

-- 
bmeneg 
PGP Key: http://bmeneg.com/pubkey.txt

