Linux-Integrity Archive on lore.kernel.org
From: Mimi Zohar <zohar@linux.ibm.com>
To: linux-integrity@vger.kernel.org
Cc: Mimi Zohar <zohar@linux.ibm.com>, Petr Vorel <pvorel@suse.cz>,
	Bruno Meneguele <bmeneg@redhat.com>
Subject: [PATCH 2/3] ima-evm-utils: output specific "unknown keyid" file msg based on log level
Date: Sun, 19 Jul 2020 12:02:03 -0400
Message-ID: <1595174524-4976-2-git-send-email-zohar@linux.ibm.com>
In-Reply-To: <1595174524-4976-1-git-send-email-zohar@linux.ibm.com>

When the IMA measurement list contains file signatures, the file
signatures are verified either by calculating the local file data hash
or based on the file hash contained in the measurement list.  In either
case a list of trusted public keys needs to be provided.

In addition to the list of known/unknown public keys needed to verify
the measurement list being output, the specific files signed by an
unknown public key are output as well.

Output the individual "unknown keyid" file messages based on log level.

Example 1: "ima_measurement" list of known/unknown public keys

Verify the provided IMA measurement list against the provided TPM 1.2
PCRs.
--validate: ignore measurement violations.
--verify: calculate and verify the template digest against the template
data.
--verify-sig: verify the file signature against the file hash stored
in the template data.

$ evmctl ima_measurement /tmp/local_binary_runtime_measurements --pcrs
/tmp/local_pcrs_new --validate --verify --verify-sig
key 1: 14c2d147 /etc/keys/x509_evm.der
key 2: 6e6c1046 (unknown keyid)
key 3: c4e2426e (unknown keyid)
Matched per TPM bank calculated digest(s).

Example 2: verbose mode (-v) includes specific unknown files.

/usr/bin/evmctl: verification failed: unknown keyid 6e6c1046

Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
 src/libimaevm.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/libimaevm.c b/src/libimaevm.c
index 16e07e82b9e3..fa6c27858d0f 100644
--- a/src/libimaevm.c
+++ b/src/libimaevm.c
@@ -512,8 +512,9 @@ static int verify_hash_v2(const char *file, const unsigned char *hash, int size,
 	if (!pkey) {
 		uint32_t keyid = hdr->keyid;
 
-		log_info("%s: verification failed: unknown keyid %x\n",
-			 file, __be32_to_cpup(&keyid));
+		if (imaevm_params.verbose > LOG_INFO)
+			log_info("%s: verification failed: unknown keyid %x\n",
+				 file, __be32_to_cpup(&keyid));
 		return -1;
 	}
 
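Review bot: the new guard `if (imaevm_params.verbose > LOG_INFO)` wraps a call to log_info(), so the threshold for this message now lives at the call site rather than in the logging helper; if the intent is that the per-file line appears only at a level above LOG_INFO, calling the level-appropriate helper (log_debug(), if libimaevm provides one) would express that without the explicit comparison and keep level gating consistent across the file. A second nit on the same lines: `%x` prints the keyid without zero padding, so a keyid whose top byte is zero shows fewer than eight hex digits and will not line up with the `key 2: 6e6c1046` lines of the summary quoted in the commit message; `%08x` avoids that.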
-- 
2.7.5
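As an added example (not code from ima-evm-utils or from this patch), the C program below shows the key-lookup step that the hunk gates: it parses the packed v2 signature header that precedes the raw signature bytes in the ima-sig template field, converts the big-endian keyid to host order (the `__be32_to_cpup()` step), looks it up in a table of trusted public keys, and emits the per-file "unknown keyid" line only when the log level is above LOG_INFO. The header layout (type, version, hash_algo, be32 keyid, be16 sig_size) is the kernel's `signature_v2_hdr`; the keyids, the key path, the file name and the signature bytes are constructed for illustration, and `ima_check_sig_key()` is a hypothetical name, not a libimaevm function.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <syslog.h>   /* LOG_INFO / LOG_DEBUG priority values */

/* Packed "signature_v2_hdr" that precedes the raw signature in security.ima
 * and in the ima-sig template field. Multi-byte fields are big-endian on
 * disk, which is why libimaevm converts the keyid with __be32_to_cpup(). */
#define EVM_IMA_XATTR_DIGSIG 0x03
#define DIGSIG_VERSION_2     0x02
#define SIG_V2_HDR_LEN       9  /* type(1) version(1) hash_algo(1) keyid(4) sig_size(2) */

typedef struct {
    uint8_t hash_algo;        /* kernel enum hash_algo value */
    uint32_t keyid;           /* host order: this is what "%x" prints */
    uint16_t sig_size;
    const uint8_t *sig;       /* points into the caller's buffer */
} ima_sig_v2;

typedef struct {
    uint32_t keyid;
    const char *path;         /* where the public key was loaded from */
} trusted_key;

uint32_t ima_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

uint16_t ima_be16(const uint8_t *p)
{
    return (uint16_t)(((uint16_t)p[0] << 8) | p[1]);
}

/* Parse a v2 signature blob. Returns 0 on success, -1 when the blob is not a
 * well-formed v2 header or the declared signature length does not fit. */
int ima_parse_sig_v2(const uint8_t *buf, size_t len, ima_sig_v2 *out)
{
    if (len < SIG_V2_HDR_LEN)
        return -1;
    if (buf[0] != EVM_IMA_XATTR_DIGSIG || buf[1] != DIGSIG_VERSION_2)
        return -1;
    out->hash_algo = buf[2];
    out->keyid = ima_be32(buf + 3);
    out->sig_size = ima_be16(buf + 7);
    if ((size_t)out->sig_size > len - SIG_V2_HDR_LEN)
        return -1;            /* truncated blob: never read past the buffer */
    out->sig = buf + SIG_V2_HDR_LEN;
    return 0;
}

/* Index of the trusted key with this keyid, or -1 ("unknown keyid"). */
int ima_find_key(const trusted_key *keys, size_t nkeys, uint32_t keyid)
{
    for (size_t i = 0; i < nkeys; i++)
        if (keys[i].keyid == keyid)
            return (int)i;
    return -1;
}

/* Hypothetical helper mirroring the key-lookup step of verify_hash_v2():
 * returns the index of the matching trusted key, -1 for an unknown keyid,
 * -2 for a malformed blob. The per-file message is printed only above
 * LOG_INFO, as the patch does. */
int ima_check_sig_key(const char *file, const uint8_t *blob, size_t len,
                      const trusted_key *keys, size_t nkeys, int verbose)
{
    ima_sig_v2 sig;
    int idx;

    if (ima_parse_sig_v2(blob, len, &sig) < 0) {
        if (verbose > LOG_INFO)
            fprintf(stderr, "%s: verification failed: malformed signature\n", file);
        return -2;
    }
    idx = ima_find_key(keys, nkeys, sig.keyid);
    if (idx < 0 && verbose > LOG_INFO)
        fprintf(stderr, "%s: verification failed: unknown keyid %08x\n",
                file, sig.keyid);
    return idx;
}

/* Constructed inputs (hypothetical keyids and bytes, not real keys). */
const trusted_key trusted_keys[] = {
    { 0x14c2d147u, "/etc/keys/x509_evm.der" },
};
#define N_TRUSTED (sizeof trusted_keys / sizeof trusted_keys[0])

/* type=DIGSIG, version=2, hash_algo=4 (HASH_ALGO_SHA256), keyid, sig_size=2, two sig bytes */
const uint8_t sample_known[]   = { 0x03, 0x02, 0x04, 0x14, 0xc2, 0xd1, 0x47, 0x00, 0x02, 0xaa, 0xbb };
const uint8_t sample_unknown[] = { 0x03, 0x02, 0x04, 0x6e, 0x6c, 0x10, 0x46, 0x00, 0x02, 0xaa, 0xbb };
/* sig_size claims 0x0100 bytes but only two follow: must be rejected, not read */
const uint8_t sample_short[]   = { 0x03, 0x02, 0x04, 0x6e, 0x6c, 0x10, 0x46, 0x01, 0x00, 0xaa, 0xbb };

int main(void)
{
    const char *f = "/usr/bin/evmctl";   /* constructed file name */
    printf("known:   %d\n", ima_check_sig_key(f, sample_known, sizeof sample_known, trusted_keys, N_TRUSTED, LOG_INFO));
    printf("unknown: %d\n", ima_check_sig_key(f, sample_unknown, sizeof sample_unknown, trusted_keys, N_TRUSTED, LOG_DEBUG));
    printf("short:   %d\n", ima_check_sig_key(f, sample_short, sizeof sample_short, trusted_keys, N_TRUSTED, LOG_DEBUG));
    return 0;
}
```

With the log level left at LOG_INFO only the return value reports an unknown key; at LOG_DEBUG the per-file line is written to stderr as well, matching Example 2 in the commit message. The length check on `sig_size` is the part most worth carrying into real code: a measurement list is attacker-influenced input, and a header whose declared signature length exceeds the blob must fail before any byte past the buffer is touched.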


Thread overview: 7+ messages
2020-07-19 16:02 [PATCH 1/3] ima-evm-utils: similarly add sanity check for file parameter of TPM 1.2 PCRs Mimi Zohar
2020-07-19 16:02 ` Mimi Zohar [this message]
2020-07-20  8:13   ` [PATCH 2/3] ima-evm-utils: output specific "unknown keyid" file msg based on log level Petr Vorel
2020-07-20  8:33   ` Petr Vorel
2020-07-19 16:02 ` [PATCH 3/3] ima_evm_utils: indicate "--verify" template data digest failures Mimi Zohar
2020-07-20  8:18   ` Petr Vorel
2020-07-20  8:04 ` [PATCH 1/3] ima-evm-utils: similarly add sanity check for file parameter of TPM 1.2 PCRs Petr Vorel
