* [PATCH v2 1/8] ima-evm-utils: improve reading TPM 1.2 PCRs
2020-07-10 16:00 [PATCH v2 0/8] additional "ima-measurement" support Mimi Zohar
@ 2020-07-10 16:00 ` Mimi Zohar
2020-07-10 16:00 ` [PATCH v2 2/8] ima_evm_utils: support extending TPM 2.0 banks w/original SHA1 padded digest Mimi Zohar
` (6 subsequent siblings)
7 siblings, 0 replies; 13+ messages in thread
From: Mimi Zohar @ 2020-07-10 16:00 UTC (permalink / raw)
To: linux-integrity; +Cc: Mimi Zohar, Petr Vorel, Bruno Meneguele
Instead of reading the TPM 1.2 PCRs one at a time, opening and closing
the securityfs file each time, read all of PCRs at once.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
src/evmctl.c | 39 ++++++++++++++++++---------------------
1 file changed, 18 insertions(+), 21 deletions(-)
diff --git a/src/evmctl.c b/src/evmctl.c
index 21809b3229e9..0e489e2c7ba6 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -152,6 +152,14 @@ static void print_usage(struct command *cmd);
static const char *xattr_ima = "security.ima";
static const char *xattr_evm = "security.evm";
+struct tpm_bank_info {
+ int digest_size;
+ int supported;
+ const char *algo_name;
+ uint8_t digest[MAX_DIGEST_SIZE];
+ uint8_t pcr[NUM_PCRS][MAX_DIGEST_SIZE];
+};
+
static int bin2file(const char *file, const char *ext, const unsigned char *data, int len)
{
FILE *fp;
@@ -1366,13 +1374,13 @@ static int cmd_ima_clear(struct command *cmd)
static char *pcrs = "/sys/class/tpm/tpm0/device/pcrs"; /* Kernels >= 4.0 */
static char *misc_pcrs = "/sys/class/misc/tpm0/device/pcrs";
-static int tpm_pcr_read(int idx, uint8_t *pcr, int len)
+/* Read all of the TPM 1.2 PCRs */
+static int tpm_pcr_read(struct tpm_bank_info *tpm_banks, int len)
{
FILE *fp;
char *p, pcr_str[7], buf[70]; /* length of the TPM string */
int result = -1;
-
- sprintf(pcr_str, "PCR-%2.2d", idx);
+ int i = 0;
fp = fopen(pcrs, "r");
if (!fp)
@@ -1385,11 +1393,10 @@ static int tpm_pcr_read(int idx, uint8_t *pcr, int len)
p = fgets(buf, sizeof(buf), fp);
if (!p)
break;
- if (!strncmp(p, pcr_str, 6)) {
- hex2bin(pcr, p + 7, len);
- result = 0;
- break;
- }
+ sprintf(pcr_str, "PCR-%2.2d", i);
+ if (!strncmp(p, pcr_str, 6))
+ hex2bin(tpm_banks[0].pcr[i++], p + 7, len);
+ result = 0;
}
fclose(fp);
return result;
@@ -1571,14 +1578,6 @@ void ima_ng_show(struct template_entry *entry)
}
}
-struct tpm_bank_info {
- int digest_size;
- int supported;
- const char *algo_name;
- uint8_t digest[MAX_DIGEST_SIZE];
- uint8_t pcr[NUM_PCRS][MAX_DIGEST_SIZE];
-};
-
static void set_bank_info(struct tpm_bank_info *bank, const char *algo_name)
{
const EVP_MD *md;
@@ -1771,11 +1770,9 @@ static int read_tpm_pcrs(int num_banks, struct tpm_bank_info *tpm_banks)
{
int i;
- for (i = 0; i < NUM_PCRS; i++) {
- if (tpm_pcr_read(i, tpm_banks[0].pcr[i], SHA_DIGEST_LENGTH)) {
- log_debug("Failed to read TPM 1.2 PCRs.\n");
- return -1;
- }
+ if (tpm_pcr_read(tpm_banks, SHA_DIGEST_LENGTH)) {
+ log_debug("Failed to read TPM 1.2 PCRs.\n");
+ return -1;
}
tpm_banks[0].supported = 1;
--
2.7.5
^ permalink raw reply related [flat|nested] 13+ messages in thread* [PATCH v2 2/8] ima_evm_utils: support extending TPM 2.0 banks w/original SHA1 padded digest
2020-07-10 16:00 [PATCH v2 0/8] additional "ima-measurement" support Mimi Zohar
2020-07-10 16:00 ` [PATCH v2 1/8] ima-evm-utils: improve reading TPM 1.2 PCRs Mimi Zohar
@ 2020-07-10 16:00 ` Mimi Zohar
2020-07-15 18:43 ` Bruno Meneguele
2020-07-10 16:00 ` [PATCH v2 3/8] ima-evm-utils: support providing the TPM 1.2 PCRs as a file Mimi Zohar
` (5 subsequent siblings)
7 siblings, 1 reply; 13+ messages in thread
From: Mimi Zohar @ 2020-07-10 16:00 UTC (permalink / raw)
To: linux-integrity; +Cc: Mimi Zohar, Petr Vorel, Bruno Meneguele
Initially the sha1 digest, including violations, was padded with zeroes
before being extended into the other TPM banks. Support walking the
IMA measurement list, calculating the per TPM bank SHA1 padded
digest(s).
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
src/evmctl.c | 73 +++++++++++++++++++++++++++++++++++++++++++++++-------------
1 file changed, 58 insertions(+), 15 deletions(-)
diff --git a/src/evmctl.c b/src/evmctl.c
index 0e489e2c7ba6..814aa6b75571 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -1613,6 +1613,10 @@ static struct tpm_bank_info *init_tpm_banks(int *num_banks)
return banks;
}
+/*
+ * Compare the calculated TPM PCR banks against the PCR values read.
+ * On failure to match any TPM bank, fail comparison.
+ */
static int compare_tpm_banks(int num_banks, struct tpm_bank_info *bank,
struct tpm_bank_info *tpm_bank)
{
@@ -1632,14 +1636,15 @@ static int compare_tpm_banks(int num_banks, struct tpm_bank_info *bank,
log_info("%s: TPM PCR-%d: ", tpm_bank[i].algo_name, j);
log_dump(tpm_bank[i].pcr[j], tpm_bank[i].digest_size);
- ret = memcmp(bank[i].pcr[j], tpm_bank[i].pcr[j],
- bank[i].digest_size);
- if (!ret)
+ if (memcmp(bank[i].pcr[j], tpm_bank[i].pcr[j],
+ bank[i].digest_size) == 0) {
log_info("%s PCR-%d: succeed\n",
bank[i].algo_name, j);
- else
+ } else {
+ ret = 1;
log_info("%s: PCRAgg %d does not match TPM PCR-%d\n",
bank[i].algo_name, j, j);
+ }
}
}
return ret;
@@ -1695,10 +1700,7 @@ static int extend_tpm_bank(EVP_MD_CTX *pctx, const EVP_MD *md,
goto out;
}
- if (validate && !memcmp(entry->header.digest, zero, SHA_DIGEST_LENGTH))
- err = EVP_DigestUpdate(pctx, fox, bank->digest_size);
- else
- err = EVP_DigestUpdate(pctx, bank->digest, bank->digest_size);
+ err = EVP_DigestUpdate(pctx, bank->digest, bank->digest_size);
if (!err) {
printf("EVP_DigestUpdate() failed\n");
goto out;
@@ -1716,7 +1718,8 @@ out:
/* Calculate and extend the template hash for multiple hash algorithms */
static void extend_tpm_banks(struct template_entry *entry, int num_banks,
- struct tpm_bank_info *bank)
+ struct tpm_bank_info *bank,
+ struct tpm_bank_info *padded_bank)
{
EVP_MD_CTX *pctx;
const EVP_MD *md;
@@ -1741,24 +1744,53 @@ static void extend_tpm_banks(struct template_entry *entry, int num_banks,
}
/*
- * Measurement violations are 0x00 digests. No need to
- * calculate the per TPM bank template digests.
+ * Measurement violations are 0x00 digests, which are extended
+ * into the TPM as 0xff. Verifying the IMA measurement list
+ * will fail, unless the 0x00 digests are converted to 0xff's.
+ *
+ * Initially the sha1 digest, including violations, was padded
+ * with zeroes before being extended into the TPM. With the
+ * per TPM bank digest, violations are the full per bank digest
+ * size.
*/
- if (memcmp(entry->header.digest, zero, SHA_DIGEST_LENGTH) == 0)
- memset(bank[i].digest, 0x00, bank[i].digest_size);
- else {
+ if (memcmp(entry->header.digest, zero, SHA_DIGEST_LENGTH) == 0) {
+ if (!validate) {
+ memset(bank[i].digest, 0x00, bank[i].digest_size);
+ memset(padded_bank[i].digest, 0x00, padded_bank[i].digest_size);
+ } else {
+ memset(bank[i].digest, 0xff,
+ bank[i].digest_size);
+
+ memset(padded_bank[i].digest, 0x00,
+ padded_bank[i].digest_size);
+ memset(padded_bank[i].digest, 0xff,
+ SHA_DIGEST_LENGTH);
+ }
+ } else {
err = calculate_template_digest(pctx, md, entry,
&bank[i]);
if (!err) {
bank[i].supported = 0;
continue;
}
+
+ /*
+ * calloc set the memory to zero, so just copy the
+ * sha1 digest.
+ */
+ memcpy(padded_bank[i].digest, entry->header.digest,
+ SHA_DIGEST_LENGTH);
}
/* extend TPM BANK with template digest */
err = extend_tpm_bank(pctx, md, entry, &bank[i]);
if (!err)
bank[i].supported = 0;
+
+ /* extend TPM BANK with zero padded sha1 template digest */
+ err = extend_tpm_bank(pctx, md, entry, &padded_bank[i]);
+ if (!err)
+ padded_bank[i].supported = 0;
}
#if OPENSSL_VERSION_NUMBER >= 0x10100000
EVP_MD_CTX_free(pctx);
@@ -1825,6 +1857,7 @@ static int read_tpm_banks(int num_banks, struct tpm_bank_info *bank)
static int ima_measurement(const char *file)
{
+ struct tpm_bank_info *pseudo_padded_banks;
struct tpm_bank_info *pseudo_banks;
struct tpm_bank_info *tpm_banks;
int is_ima_template, cur_template_fmt;
@@ -1839,6 +1872,7 @@ static int ima_measurement(const char *file)
memset(zero, 0, MAX_DIGEST_SIZE);
memset(fox, 0xff, MAX_DIGEST_SIZE);
+ pseudo_padded_banks = init_tpm_banks(&num_banks);
pseudo_banks = init_tpm_banks(&num_banks);
tpm_banks = init_tpm_banks(&num_banks);
@@ -1939,7 +1973,8 @@ static int ima_measurement(const char *file)
entry.template_buf_len - len);
}
- extend_tpm_banks(&entry, num_banks, pseudo_banks);
+ extend_tpm_banks(&entry, num_banks, pseudo_banks,
+ pseudo_padded_banks);
if (verify)
ima_verify_template_hash(&entry);
@@ -1954,7 +1989,15 @@ static int ima_measurement(const char *file)
err = 0;
log_info("Failed to read any TPM PCRs\n");
} else {
+ log_info("Comparing with per TPM digest\n");
err = compare_tpm_banks(num_banks, pseudo_banks, tpm_banks);
+
+ /* On failure, check older SHA1 zero padded hashes */
+ if (err) {
+ log_info("Comparing with SHA1 padded digest\n");
+ err = compare_tpm_banks(num_banks, pseudo_padded_banks,
+ tpm_banks);
+ }
}
out:
--
2.7.5
^ permalink raw reply related [flat|nested] 13+ messages in thread* Re: [PATCH v2 2/8] ima_evm_utils: support extending TPM 2.0 banks w/original SHA1 padded digest
2020-07-10 16:00 ` [PATCH v2 2/8] ima_evm_utils: support extending TPM 2.0 banks w/original SHA1 padded digest Mimi Zohar
@ 2020-07-15 18:43 ` Bruno Meneguele
2020-07-15 19:47 ` Mimi Zohar
0 siblings, 1 reply; 13+ messages in thread
From: Bruno Meneguele @ 2020-07-15 18:43 UTC (permalink / raw)
To: Mimi Zohar; +Cc: linux-integrity, Petr Vorel
[-- Attachment #1: Type: text/plain, Size: 2702 bytes --]
Hi Mimi,
On Fri, Jul 10, 2020 at 12:00:53PM -0400, Mimi Zohar wrote:
> Initially the sha1 digest, including violations, was padded with zeroes
> before being extended into the other TPM banks. Support walking the
> IMA measurement list, calculating the per TPM bank SHA1 padded
> digest(s).
>
> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
> ---
> src/evmctl.c | 73 +++++++++++++++++++++++++++++++++++++++++++++++-------------
> 1 file changed, 58 insertions(+), 15 deletions(-)
>
> diff --git a/src/evmctl.c b/src/evmctl.c
> index 0e489e2c7ba6..814aa6b75571 100644
> --- a/src/evmctl.c
> +++ b/src/evmctl.c
> @@ -1613,6 +1613,10 @@ static struct tpm_bank_info *init_tpm_banks(int *num_banks)
> return banks;
> }
>
> +/*
> + * Compare the calculated TPM PCR banks against the PCR values read.
> + * On failure to match any TPM bank, fail comparison.
> + */
> static int compare_tpm_banks(int num_banks, struct tpm_bank_info *bank,
> struct tpm_bank_info *tpm_bank)
> {
> @@ -1632,14 +1636,15 @@ static int compare_tpm_banks(int num_banks, struct tpm_bank_info *bank,
> log_info("%s: TPM PCR-%d: ", tpm_bank[i].algo_name, j);
> log_dump(tpm_bank[i].pcr[j], tpm_bank[i].digest_size);
>
> - ret = memcmp(bank[i].pcr[j], tpm_bank[i].pcr[j],
> - bank[i].digest_size);
> - if (!ret)
> + if (memcmp(bank[i].pcr[j], tpm_bank[i].pcr[j],
> + bank[i].digest_size) == 0) {
> log_info("%s PCR-%d: succeed\n",
> bank[i].algo_name, j);
> - else
> + } else {
> + ret = 1;
> log_info("%s: PCRAgg %d does not match TPM PCR-%d\n",
> bank[i].algo_name, j, j);
> + }
> }
> }
> return ret;
> @@ -1695,10 +1700,7 @@ static int extend_tpm_bank(EVP_MD_CTX *pctx, const EVP_MD *md,
> goto out;
> }
>
> - if (validate && !memcmp(entry->header.digest, zero, SHA_DIGEST_LENGTH))
> - err = EVP_DigestUpdate(pctx, fox, bank->digest_size);
'fox' is not being used in the code anymore. It could be totally removed
afaics.
diff --git a/src/evmctl.c b/src/evmctl.c
index 90a3eeb..ae513b0 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -1425,7 +1425,6 @@ struct template_entry {
};
static uint8_t zero[MAX_DIGEST_SIZE];
-static uint8_t fox[MAX_DIGEST_SIZE];
static int validate = 0;
static int verify = 0;
@@ -1886,7 +1885,6 @@ static int ima_measurement(const char *file)
errno = 0;
memset(zero, 0, MAX_DIGEST_SIZE);
- memset(fox, 0xff, MAX_DIGEST_SIZE);
pseudo_padded_banks = init_tpm_banks(&num_banks);
pseudo_banks = init_tpm_banks(&num_banks);
--
bmeneg
PGP Key: http://bmeneg.com/pubkey.txt
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
^ permalink raw reply related [flat|nested] 13+ messages in thread* Re: [PATCH v2 2/8] ima_evm_utils: support extending TPM 2.0 banks w/original SHA1 padded digest
2020-07-15 18:43 ` Bruno Meneguele
@ 2020-07-15 19:47 ` Mimi Zohar
2020-07-15 20:11 ` Mimi Zohar
0 siblings, 1 reply; 13+ messages in thread
From: Mimi Zohar @ 2020-07-15 19:47 UTC (permalink / raw)
To: Bruno Meneguele; +Cc: linux-integrity, Petr Vorel
Hi Bruno,
On Wed, 2020-07-15 at 15:43 -0300, Bruno Meneguele wrote:
<snip>
If this patch was in next-testing, I could simply update it. Please
send a new patch to remove fox.
thanks,
Mimi
> 'fox' is not being used in the code anymore. It could be totally removed
> afaics.
>
> diff --git a/src/evmctl.c b/src/evmctl.c
> index 90a3eeb..ae513b0 100644
> --- a/src/evmctl.c
> +++ b/src/evmctl.c
> @@ -1425,7 +1425,6 @@ struct template_entry {
> };
>
> static uint8_t zero[MAX_DIGEST_SIZE];
> -static uint8_t fox[MAX_DIGEST_SIZE];
>
> static int validate = 0;
> static int verify = 0;
> @@ -1886,7 +1885,6 @@ static int ima_measurement(const char *file)
>
> errno = 0;
> memset(zero, 0, MAX_DIGEST_SIZE);
> - memset(fox, 0xff, MAX_DIGEST_SIZE);
>
> pseudo_padded_banks = init_tpm_banks(&num_banks);
> pseudo_banks = init_tpm_banks(&num_banks);
>
>
^ permalink raw reply [flat|nested] 13+ messages in thread* Re: [PATCH v2 2/8] ima_evm_utils: support extending TPM 2.0 banks w/original SHA1 padded digest
2020-07-15 19:47 ` Mimi Zohar
@ 2020-07-15 20:11 ` Mimi Zohar
2020-07-15 20:17 ` Bruno Meneguele
0 siblings, 1 reply; 13+ messages in thread
From: Mimi Zohar @ 2020-07-15 20:11 UTC (permalink / raw)
To: Bruno Meneguele; +Cc: linux-integrity, Petr Vorel
On Wed, 2020-07-15 at 15:47 -0400, Mimi Zohar wrote:
> Hi Bruno,
>
> On Wed, 2020-07-15 at 15:43 -0300, Bruno Meneguele wrote:
> <snip>
>
> If this patch was in next-testing, I could simply update it. Please
> send a new patch to remove fox.
Oh, it is in next-testing. I'll fix it up.
thanks!
Mimi
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [PATCH v2 2/8] ima_evm_utils: support extending TPM 2.0 banks w/original SHA1 padded digest
2020-07-15 20:11 ` Mimi Zohar
@ 2020-07-15 20:17 ` Bruno Meneguele
0 siblings, 0 replies; 13+ messages in thread
From: Bruno Meneguele @ 2020-07-15 20:17 UTC (permalink / raw)
To: Mimi Zohar; +Cc: linux-integrity, Petr Vorel
[-- Attachment #1: Type: text/plain, Size: 490 bytes --]
On Wed, Jul 15, 2020 at 04:11:03PM -0400, Mimi Zohar wrote:
> On Wed, 2020-07-15 at 15:47 -0400, Mimi Zohar wrote:
> > Hi Bruno,
> >
> > On Wed, 2020-07-15 at 15:43 -0300, Bruno Meneguele wrote:
> > <snip>
> >
> > If this patch was in next-testing, I could simply update it. Please
> > send a new patch to remove fox.
>
> Oh, it is in next-testing. I'll fix it up.
>
Yes :)
Thanks.
> thanks!
>
> Mimi
>
--
bmeneg
PGP Key: http://bmeneg.com/pubkey.txt
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
^ permalink raw reply [flat|nested] 13+ messages in thread
* [PATCH v2 3/8] ima-evm-utils: support providing the TPM 1.2 PCRs as a file
2020-07-10 16:00 [PATCH v2 0/8] additional "ima-measurement" support Mimi Zohar
2020-07-10 16:00 ` [PATCH v2 1/8] ima-evm-utils: improve reading TPM 1.2 PCRs Mimi Zohar
2020-07-10 16:00 ` [PATCH v2 2/8] ima_evm_utils: support extending TPM 2.0 banks w/original SHA1 padded digest Mimi Zohar
@ 2020-07-10 16:00 ` Mimi Zohar
2020-07-10 16:00 ` [PATCH v2 4/8] ima-evm-utils: emit "ima_measurement" messages based on log level Mimi Zohar
` (4 subsequent siblings)
7 siblings, 0 replies; 13+ messages in thread
From: Mimi Zohar @ 2020-07-10 16:00 UTC (permalink / raw)
To: linux-integrity; +Cc: Mimi Zohar, Petr Vorel, Bruno Meneguele
"evmctl ima_measurement" walks the IMA measurement list calculating the
PCRs and verifies the calculated values against the system's PCRs.
Instead of reading the system's PCRs, provide the PCRs as a file. For
TPM 1.2 the PCRs are exported via a securityfs file.
Verifying the IMA measurement list against the exported TPM 1.2 PCRs
file may be used remotely for regression testing. If used in a
production environment, the provided TPM PCRs must be compared with
those included in the TPM 1.2 quote as well.
This patch defines an evmctl ima_measurement "--pcrs <filename>" option.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
src/evmctl.c | 18 +++++++++++++++---
1 file changed, 15 insertions(+), 3 deletions(-)
diff --git a/src/evmctl.c b/src/evmctl.c
index 814aa6b75571..21ae1c7ca5a7 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -160,6 +160,8 @@ struct tpm_bank_info {
uint8_t pcr[NUM_PCRS][MAX_DIGEST_SIZE];
};
+static char *pcrfile;
+
static int bin2file(const char *file, const char *ext, const unsigned char *data, int len)
{
FILE *fp;
@@ -1377,12 +1379,18 @@ static char *misc_pcrs = "/sys/class/misc/tpm0/device/pcrs";
/* Read all of the TPM 1.2 PCRs */
static int tpm_pcr_read(struct tpm_bank_info *tpm_banks, int len)
{
- FILE *fp;
+ FILE *fp = NULL;
char *p, pcr_str[7], buf[70]; /* length of the TPM string */
int result = -1;
int i = 0;
- fp = fopen(pcrs, "r");
+ /* Use the provided TPM 1.2 pcrs file */
+ if (pcrfile)
+ fp = fopen(pcrfile, "r");
+
+ if (!fp)
+ fp = fopen(pcrs, "r");
+
if (!fp)
fp = fopen(misc_pcrs, "r");
@@ -2347,7 +2355,7 @@ struct command cmds[] = {
{"ima_verify", cmd_verify_ima, 0, "file", "Verify IMA signature (for debugging).\n"},
{"ima_setxattr", cmd_setxattr_ima, 0, "[--sigfile file]", "Set IMA signature from sigfile\n"},
{"ima_hash", cmd_hash_ima, 0, "file", "Make file content hash.\n"},
- {"ima_measurement", cmd_ima_measurement, 0, "[--validate] [--verify] file", "Verify measurement list (experimental).\n"},
+ {"ima_measurement", cmd_ima_measurement, 0, "[--validate] [--verify] [--pcrs file] file", "Verify measurement list (experimental).\n"},
{"ima_boot_aggregate", cmd_ima_bootaggr, 0, "[file]", "Calculate per TPM bank boot_aggregate digests\n"},
{"ima_fix", cmd_ima_fix, 0, "[-t fdsxm] path", "Recursively fix IMA/EVM xattrs in fix mode.\n"},
{"ima_clear", cmd_ima_clear, 0, "[-t fdsxm] path", "Recursively remove IMA/EVM xattrs.\n"},
@@ -2388,6 +2396,7 @@ static struct option opts[] = {
{"xattr-user", 0, 0, 140},
{"validate", 0, 0, 141},
{"verify", 0, 0, 142},
+ {"pcrs", 1, 0, 143},
{}
};
@@ -2572,6 +2581,9 @@ int main(int argc, char *argv[])
case 142: /* --verify */
verify = 1;
break;
+ case 143:
+ pcrfile = optarg;
+ break;
case '?':
exit(1);
break;
--
2.7.5
^ permalink raw reply related [flat|nested] 13+ messages in thread* [PATCH v2 4/8] ima-evm-utils: emit "ima_measurement" messages based on log level
2020-07-10 16:00 [PATCH v2 0/8] additional "ima-measurement" support Mimi Zohar
` (2 preceding siblings ...)
2020-07-10 16:00 ` [PATCH v2 3/8] ima-evm-utils: support providing the TPM 1.2 PCRs as a file Mimi Zohar
@ 2020-07-10 16:00 ` Mimi Zohar
2020-07-10 16:00 ` [PATCH v2 5/8] ima-evm-utils: guarantee the measurement list contains all the records Mimi Zohar
` (3 subsequent siblings)
7 siblings, 0 replies; 13+ messages in thread
From: Mimi Zohar @ 2020-07-10 16:00 UTC (permalink / raw)
To: linux-integrity; +Cc: Mimi Zohar, Petr Vorel, Bruno Meneguele
"ima_measurement" emits quite a few messages. Only a few messages
belong at the default log level.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
src/evmctl.c | 25 ++++++++++++++++++-------
1 file changed, 18 insertions(+), 7 deletions(-)
diff --git a/src/evmctl.c b/src/evmctl.c
index 21ae1c7ca5a7..fac6a270794f 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -1638,21 +1638,27 @@ static int compare_tpm_banks(int num_banks, struct tpm_bank_info *bank,
if (memcmp(bank[i].pcr[j], zero, bank[i].digest_size)
== 0)
continue;
+
+ if (memcmp(bank[i].pcr[j], tpm_bank[i].pcr[j],
+ bank[i].digest_size) != 0)
+ ret = 1;
+
+ if ((!ret && imaevm_params.verbose <= LOG_INFO) ||
+ (ret && imaevm_params.verbose <= LOG_DEBUG))
+ continue;
+
log_info("%s: PCRAgg %d: ", bank[i].algo_name, j);
log_dump(bank[i].pcr[j], bank[i].digest_size);
log_info("%s: TPM PCR-%d: ", tpm_bank[i].algo_name, j);
log_dump(tpm_bank[i].pcr[j], tpm_bank[i].digest_size);
- if (memcmp(bank[i].pcr[j], tpm_bank[i].pcr[j],
- bank[i].digest_size) == 0) {
+ if (!ret)
log_info("%s PCR-%d: succeed\n",
bank[i].algo_name, j);
- } else {
- ret = 1;
+ else
log_info("%s: PCRAgg %d does not match TPM PCR-%d\n",
bank[i].algo_name, j, j);
- }
}
}
return ret;
@@ -1997,15 +2003,20 @@ static int ima_measurement(const char *file)
err = 0;
log_info("Failed to read any TPM PCRs\n");
} else {
- log_info("Comparing with per TPM digest\n");
err = compare_tpm_banks(num_banks, pseudo_banks, tpm_banks);
+ if (!err)
+ log_info("Matched per TPM bank calculated digest(s).\n");
/* On failure, check older SHA1 zero padded hashes */
if (err) {
- log_info("Comparing with SHA1 padded digest\n");
err = compare_tpm_banks(num_banks, pseudo_padded_banks,
tpm_banks);
+ if (!err)
+ log_info("Matched SHA1 padded TPM digest(s).\n");
}
+
+ if (err)
+ log_info("Failed to match per TPM bank or SHA1 padded TPM digest(s).\n");
}
out:
--
2.7.5
^ permalink raw reply related [flat|nested] 13+ messages in thread* [PATCH v2 5/8] ima-evm-utils: guarantee the measurement list contains all the records
2020-07-10 16:00 [PATCH v2 0/8] additional "ima-measurement" support Mimi Zohar
` (3 preceding siblings ...)
2020-07-10 16:00 ` [PATCH v2 4/8] ima-evm-utils: emit "ima_measurement" messages based on log level Mimi Zohar
@ 2020-07-10 16:00 ` Mimi Zohar
2020-07-10 16:00 ` [PATCH v2 6/8] ima-evm-utils: the IMA measurement list may have too many measurements Mimi Zohar
` (2 subsequent siblings)
7 siblings, 0 replies; 13+ messages in thread
From: Mimi Zohar @ 2020-07-10 16:00 UTC (permalink / raw)
To: linux-integrity; +Cc: Mimi Zohar, Petr Vorel, Bruno Meneguele
Reading the TPM PCRs before walking the measurement list guarantees
the measurement list contains all the records.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
src/evmctl.c | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/src/evmctl.c b/src/evmctl.c
index fac6a270794f..5787887882b4 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -1876,6 +1876,7 @@ static int ima_measurement(const char *file)
struct tpm_bank_info *tpm_banks;
int is_ima_template, cur_template_fmt;
int num_banks = 0;
+ int tpmbanks = 1;
int first_record = 1;
struct template_entry entry = { .template = 0 };
@@ -1901,6 +1902,14 @@ static int ima_measurement(const char *file)
else /* assume read pubkey from x509 cert */
init_public_keys("/etc/keys/x509_evm.der");
+ /*
+ * Reading the PCRs before walking the IMA measurement list
+ * guarantees that all of the measurements are included in
+ * the PCRs.
+ */
+ if (read_tpm_banks(num_banks, tpm_banks) != 0)
+ tpmbanks = 0;
+
while (fread(&entry.header, sizeof(entry.header), 1, fp)) {
if (entry.header.name_len > TCG_EVENT_NAME_LEN_MAX) {
log_err("%d ERROR: event name too long!\n",
@@ -1999,10 +2008,9 @@ static int ima_measurement(const char *file)
ima_ng_show(&entry);
}
- if (read_tpm_banks(num_banks, tpm_banks) != 0) {
- err = 0;
+ if (tpmbanks == 0)
log_info("Failed to read any TPM PCRs\n");
- } else {
+ else {
err = compare_tpm_banks(num_banks, pseudo_banks, tpm_banks);
if (!err)
log_info("Matched per TPM bank calculated digest(s).\n");
--
2.7.5
^ permalink raw reply related [flat|nested] 13+ messages in thread* [PATCH v2 6/8] ima-evm-utils: the IMA measurement list may have too many measurements
2020-07-10 16:00 [PATCH v2 0/8] additional "ima-measurement" support Mimi Zohar
` (4 preceding siblings ...)
2020-07-10 16:00 ` [PATCH v2 5/8] ima-evm-utils: guarantee the measurement list contains all the records Mimi Zohar
@ 2020-07-10 16:00 ` Mimi Zohar
2020-07-10 16:00 ` [PATCH v2 7/8] ima-evm-utils: optionally verify the template data file signature Mimi Zohar
2020-07-10 16:00 ` [PATCH v2 8/8] ima-evm-utils: update README to reflect "--pcrs", "--verify" and "--validate" Mimi Zohar
7 siblings, 0 replies; 13+ messages in thread
From: Mimi Zohar @ 2020-07-10 16:00 UTC (permalink / raw)
To: linux-integrity; +Cc: Mimi Zohar, Petr Vorel, Bruno Meneguele
Reading the TPM PCRs before walking the measurement list guarantees
the measurement list contains all the records, possibly too many records.
Compare the re-calculated hash after each extend with both the per bank
TPM PCR digests and the SHA1 paddeded TPM PCR digests.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
src/evmctl.c | 33 ++++++++++++++++++++++-----------
1 file changed, 22 insertions(+), 11 deletions(-)
diff --git a/src/evmctl.c b/src/evmctl.c
index 5787887882b4..88fd8e4c31f0 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -1881,6 +1881,7 @@ static int ima_measurement(const char *file)
struct template_entry entry = { .template = 0 };
FILE *fp;
+ int err_padded = -1;
int err = -1;
errno = 0;
@@ -2006,24 +2007,34 @@ static int ima_measurement(const char *file)
ima_show(&entry);
else
ima_ng_show(&entry);
+
+ if (!tpmbanks)
+ continue;
+
+ /* The measurement list might contain too many entries,
+ * compare the re-calculated TPM PCR values after each
+ * extend.
+ */
+ err = compare_tpm_banks(num_banks, pseudo_banks, tpm_banks);
+ if (!err)
+ break;
+
+ /* Compare against original SHA1 zero padded TPM PCR values */
+ err_padded = compare_tpm_banks(num_banks, pseudo_padded_banks,
+ tpm_banks);
+ if (!err_padded)
+ break;
}
if (tpmbanks == 0)
log_info("Failed to read any TPM PCRs\n");
else {
- err = compare_tpm_banks(num_banks, pseudo_banks, tpm_banks);
if (!err)
log_info("Matched per TPM bank calculated digest(s).\n");
-
- /* On failure, check older SHA1 zero padded hashes */
- if (err) {
- err = compare_tpm_banks(num_banks, pseudo_padded_banks,
- tpm_banks);
- if (!err)
- log_info("Matched SHA1 padded TPM digest(s).\n");
- }
-
- if (err)
+ else if (!err_padded) {
+ log_info("Matched SHA1 padded TPM digest(s).\n");
+ err = 0;
+ } else
log_info("Failed to match per TPM bank or SHA1 padded TPM digest(s).\n");
}
--
2.7.5
^ permalink raw reply related [flat|nested] 13+ messages in thread* [PATCH v2 7/8] ima-evm-utils: optionally verify the template data file signature
2020-07-10 16:00 [PATCH v2 0/8] additional "ima-measurement" support Mimi Zohar
` (5 preceding siblings ...)
2020-07-10 16:00 ` [PATCH v2 6/8] ima-evm-utils: the IMA measurement list may have too many measurements Mimi Zohar
@ 2020-07-10 16:00 ` Mimi Zohar
2020-07-10 16:00 ` [PATCH v2 8/8] ima-evm-utils: update README to reflect "--pcrs", "--verify" and "--validate" Mimi Zohar
7 siblings, 0 replies; 13+ messages in thread
From: Mimi Zohar @ 2020-07-10 16:00 UTC (permalink / raw)
To: linux-integrity; +Cc: Mimi Zohar, Petr Vorel, Bruno Meneguele
Rename "--list" to "verify-sig" to optionally verify the file signature
contained in the template data based on the supplied set of keys.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
README | 3 ++-
src/evmctl.c | 12 ++++++------
2 files changed, 8 insertions(+), 7 deletions(-)
diff --git a/README b/README
index 3603ae8a6084..374b748c59bf 100644
--- a/README
+++ b/README
@@ -31,7 +31,7 @@ COMMANDS
ima_sign [--sigfile] [--key key] [--pass password] file
ima_verify file
ima_hash file
- ima_measurement [--key "key1, key2, ..."] [--list] file
+ ima_measurement [--verify-sig [--key "key1, key2, ..."]] file
ima_fix [-t fdsxm] path
sign_hash [--key key] [--pass password]
hmac [--imahash | --imasig ] file
@@ -59,6 +59,7 @@ OPTIONS
--m32 force EVM hmac/signature for 32 bit target system
--m64 force EVM hmac/signature for 64 bit target system
--engine e preload OpenSSL engine e (such as: gost)
+ --verify-sig verify the template data file signature
-v increase verbosity level
-h, --help display this help and exit
diff --git a/src/evmctl.c b/src/evmctl.c
index 88fd8e4c31f0..90a3eebc4431 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -125,7 +125,7 @@ static char *caps_str;
static char *ima_str;
static char *selinux_str;
static char *search_type;
-static int measurement_list;
+static int verify_list_sig;
static int recursive;
static int msize;
static dev_t fs_dev;
@@ -1566,7 +1566,7 @@ void ima_ng_show(struct template_entry *entry)
log_info(" ");
log_dump(sig, sig_len);
}
- if (measurement_list)
+ if (verify_list_sig)
err = ima_verify_signature(path, sig, sig_len,
digest, digest_len);
else
@@ -2367,7 +2367,7 @@ static void usage(void)
" --ima use custom IMA signature for EVM\n"
" --selinux use custom Selinux label for EVM\n"
" --caps use custom Capabilities for EVM(unspecified: from FS, empty: do not use)\n"
- " --list measurement list verification\n"
+ " --verify-sig verify measurement list signatures\n"
" --engine e preload OpenSSL engine e (such as: gost)\n"
" -v increase verbosity level\n"
" -h, --help display this help and exit\n"
@@ -2385,7 +2385,7 @@ struct command cmds[] = {
{"ima_verify", cmd_verify_ima, 0, "file", "Verify IMA signature (for debugging).\n"},
{"ima_setxattr", cmd_setxattr_ima, 0, "[--sigfile file]", "Set IMA signature from sigfile\n"},
{"ima_hash", cmd_hash_ima, 0, "file", "Make file content hash.\n"},
- {"ima_measurement", cmd_ima_measurement, 0, "[--validate] [--verify] [--pcrs file] file", "Verify measurement list (experimental).\n"},
+ {"ima_measurement", cmd_ima_measurement, 0, "[--validate] [--verify] [--verify-sig [--key key1, key2, ...]] [--pcrs file] file", "Verify measurement list (experimental).\n"},
{"ima_boot_aggregate", cmd_ima_bootaggr, 0, "[file]", "Calculate per TPM bank boot_aggregate digests\n"},
{"ima_fix", cmd_ima_fix, 0, "[-t fdsxm] path", "Recursively fix IMA/EVM xattrs in fix mode.\n"},
{"ima_clear", cmd_ima_clear, 0, "[-t fdsxm] path", "Recursively remove IMA/EVM xattrs.\n"},
@@ -2421,7 +2421,7 @@ static struct option opts[] = {
{"ima", 1, 0, 135},
{"selinux", 1, 0, 136},
{"caps", 2, 0, 137},
- {"list", 0, 0, 138},
+ {"verify-sig", 0, 0, 138},
{"engine", 1, 0, 139},
{"xattr-user", 0, 0, 140},
{"validate", 0, 0, 141},
@@ -2586,7 +2586,7 @@ int main(int argc, char *argv[])
hmac_flags |= HMAC_FLAG_CAPS_SET;
break;
case 138:
- measurement_list = 1;
+ verify_list_sig = 1;
break;
case 139: /* --engine e */
eng = ENGINE_by_id(optarg);
--
2.7.5
^ permalink raw reply related [flat|nested] 13+ messages in thread* [PATCH v2 8/8] ima-evm-utils: update README to reflect "--pcrs", "--verify" and "--validate"
2020-07-10 16:00 [PATCH v2 0/8] additional "ima-measurement" support Mimi Zohar
` (6 preceding siblings ...)
2020-07-10 16:00 ` [PATCH v2 7/8] ima-evm-utils: optionally verify the template data file signature Mimi Zohar
@ 2020-07-10 16:00 ` Mimi Zohar
7 siblings, 0 replies; 13+ messages in thread
From: Mimi Zohar @ 2020-07-10 16:00 UTC (permalink / raw)
To: linux-integrity; +Cc: Mimi Zohar, Petr Vorel, Bruno Meneguele
"--pcrs" compares the re-calculate PCRs against a file containing TPM 1.2 pcrs.
"--validate" ignores ToMToU measurement violations.
"--verify" verifies the template data digest based on the template data.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
README | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/README b/README
index 374b748c59bf..64b9da508d8d 100644
--- a/README
+++ b/README
@@ -31,7 +31,7 @@ COMMANDS
ima_sign [--sigfile] [--key key] [--pass password] file
ima_verify file
ima_hash file
- ima_measurement [--verify-sig [--key "key1, key2, ..."]] file
+ ima_measurement [--validate] [--verify] [--verify-sig [--key "key1, key2, ..."]] [--pcrs file] file
ima_fix [-t fdsxm] path
sign_hash [--key key] [--pass password]
hmac [--imahash | --imasig ] file
@@ -59,6 +59,9 @@ OPTIONS
--m32 force EVM hmac/signature for 32 bit target system
--m64 force EVM hmac/signature for 64 bit target system
--engine e preload OpenSSL engine e (such as: gost)
+ --pcrs file containing TPM 1.2 pcrs
+ --validate ignore ToMToU measurement violations
+ --verify verify the template data digest
--verify-sig verify the template data file signature
-v increase verbosity level
-h, --help display this help and exit
--
2.7.5
^ permalink raw reply related [flat|nested] 13+ messages in thread