Linux-Integrity Archive on lore.kernel.org
 help / color / Atom feed
* [ima-evm-utils: PATCH 0/3] evmctl option improvements
@ 2020-07-31 14:14 Mimi Zohar
  2020-07-31 14:14 ` [ima-evm-utils: PATCH 1/3] Drop the ima_measurement "--verify" option Mimi Zohar
                   ` (2 more replies)
  0 siblings, 3 replies; 7+ messages in thread
From: Mimi Zohar @ 2020-07-31 14:14 UTC (permalink / raw)
  To: linux-integrity; +Cc: Mimi Zohar, Petr Vorel, Vitaly Chikunov, Bruno Meneguele

Support for the original IMA LTP "--verify" and "--validate" options was
just added in version 1.3.0.

- Verifying the template data digest against the value stored in the
  IMA measurement list should not be optional.  Drop "--verify".
- Walking the IMA measurement list to validate the PCRs should not by
  default "fix" the file integrity violations.  Rename the "--validate"
  option to "--ignore-violations", clafifying its purpose.

Mimi Zohar (3):
  Drop the ima_measurement "--verify" option
  Rename "--validate" to "--ignore-violations"
  Update the ima_boot_aggregate apsects of the "README" and "help" files

 README       |  6 +++---
 src/evmctl.c | 36 +++++++++++++++---------------------
 2 files changed, 18 insertions(+), 24 deletions(-)

-- 
2.18.4


^ permalink raw reply	[flat|nested] 7+ messages in thread

* [ima-evm-utils: PATCH 1/3] Drop the ima_measurement "--verify" option
  2020-07-31 14:14 [ima-evm-utils: PATCH 0/3] evmctl option improvements Mimi Zohar
@ 2020-07-31 14:14 ` Mimi Zohar
  2020-07-31 15:31   ` Lakshmi Ramasubramanian
  2020-07-31 14:14 ` [ima-evm-utils: PATCH 2/3] Rename "--validate" to "--ignore-violations" Mimi Zohar
  2020-07-31 14:14 ` [ima-evm-utils: PATCH 3/3] Update the ima_boot_aggregate apsects of the "README" and "help" files Mimi Zohar
  2 siblings, 1 reply; 7+ messages in thread
From: Mimi Zohar @ 2020-07-31 14:14 UTC (permalink / raw)
  To: linux-integrity; +Cc: Mimi Zohar, Petr Vorel, Vitaly Chikunov, Bruno Meneguele

While walking the IMA measurement list re-calculating the PCRS,
ima_measurement should always re-calculate the template data digest
and verify it against the measurement list value.

This patch removes the "--verify" option.

On success, return 0.

Suggested-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
 README       |  3 +--
 src/evmctl.c | 23 ++++++++---------------
 2 files changed, 9 insertions(+), 17 deletions(-)

diff --git a/README b/README
index 73b38a1f35ba..d8b8f404534b 100644
--- a/README
+++ b/README
@@ -31,7 +31,7 @@ COMMANDS
  ima_sign [--sigfile] [--key key] [--pass password] file
  ima_verify file
  ima_hash file
- ima_measurement [--validate] [--verify] [--verify-sig [--key "key1, key2, ..."]]  [--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...] file
+ ima_measurement [--validate] [--verify-sig [--key "key1, key2, ..."]]  [--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...] file
  ima_fix [-t fdsxm] path
  sign_hash [--key key] [--pass password]
  hmac [--imahash | --imasig ] file
@@ -61,7 +61,6 @@ OPTIONS
       --engine e     preload OpenSSL engine e (such as: gost)
       --pcrs         file containing TPM pcrs, one per hash-algorithm/bank
       --validate     ignore ToMToU measurement violations
-      --verify       verify the template data digest
       --verify-sig   verify the file signature based on the file hash, both
                      stored in the template data.
   -v                 increase verbosity level
diff --git a/src/evmctl.c b/src/evmctl.c
index 448e4a9c8d78..b4d2333fb880 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -1393,7 +1393,6 @@ struct template_entry {
 static uint8_t zero[MAX_DIGEST_SIZE];
 
 static int validate = 0;
-static int verify = 0;
 
 static int ima_verify_template_hash(struct template_entry *entry)
 {
@@ -1945,7 +1944,7 @@ static int ima_measurement(const char *file)
 
 	struct template_entry entry = { .template = 0 };
 	FILE *fp;
-	int verified_template_digest = 0;
+	int invalid_template_digest = 0;
 	int err_padded = -1;
 	int err = -1;
 
@@ -2075,11 +2074,9 @@ static int ima_measurement(const char *file)
 				 pseudo_padded_banks);
 
 		/* Recalculate and verify template data digest */
-		if (verify) {
-			err = ima_verify_template_hash(&entry);
-			if (err)
-				verified_template_digest = 1;
-		}
+		err = ima_verify_template_hash(&entry);
+		if (err)
+			invalid_template_digest = 1;
 
 		if (is_ima_template)
 			ima_show(&entry);
@@ -2116,7 +2113,7 @@ static int ima_measurement(const char *file)
 			log_info("Failed to match per TPM bank or SHA1 padded TPM digest(s).\n");
 	}
 
-	if (verified_template_digest) {
+	if (invalid_template_digest) {
 		log_info("Failed to verify template data digest.\n");
 		err = 1;
 	}
@@ -2486,7 +2483,7 @@ struct command cmds[] = {
 	{"ima_verify", cmd_verify_ima, 0, "file", "Verify IMA signature (for debugging).\n"},
 	{"ima_setxattr", cmd_setxattr_ima, 0, "[--sigfile file]", "Set IMA signature from sigfile\n"},
 	{"ima_hash", cmd_hash_ima, 0, "file", "Make file content hash.\n"},
-	{"ima_measurement", cmd_ima_measurement, 0, "[--validate] [--verify] [--verify-sig [--key key1, key2, ...]] [--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...] file", "Verify measurement list (experimental).\n"},
+	{"ima_measurement", cmd_ima_measurement, 0, "[--validate] [--verify-sig [--key key1, key2, ...]] [--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...] file", "Verify measurement list (experimental).\n"},
 	{"ima_boot_aggregate", cmd_ima_bootaggr, 0, "[file]", "Calculate per TPM bank boot_aggregate digests\n"},
 	{"ima_fix", cmd_ima_fix, 0, "[-t fdsxm] path", "Recursively fix IMA/EVM xattrs in fix mode.\n"},
 	{"ima_clear", cmd_ima_clear, 0, "[-t fdsxm] path", "Recursively remove IMA/EVM xattrs.\n"},
@@ -2526,8 +2523,7 @@ static struct option opts[] = {
 	{"engine", 1, 0, 139},
 	{"xattr-user", 0, 0, 140},
 	{"validate", 0, 0, 141},
-	{"verify", 0, 0, 142},
-	{"pcrs", 1, 0, 143},
+	{"pcrs", 1, 0, 142},
 	{}
 
 };
@@ -2709,10 +2705,7 @@ int main(int argc, char *argv[])
 		case 141: /* --validate */
 			validate = 1;
 			break;
-		case 142: /* --verify */
-			verify = 1;
-			break;
-		case 143:
+		case 142:
 			if (npcrfile >= MAX_PCRFILE) {
 				log_err("too many --pcrfile options\n");
 				exit(1);
-- 
2.18.4


^ permalink raw reply	[flat|nested] 7+ messages in thread

* [ima-evm-utils: PATCH 2/3] Rename "--validate" to "--ignore-violations"
  2020-07-31 14:14 [ima-evm-utils: PATCH 0/3] evmctl option improvements Mimi Zohar
  2020-07-31 14:14 ` [ima-evm-utils: PATCH 1/3] Drop the ima_measurement "--verify" option Mimi Zohar
@ 2020-07-31 14:14 ` Mimi Zohar
  2020-08-01  0:46   ` Lakshmi Ramasubramanian
  2020-07-31 14:14 ` [ima-evm-utils: PATCH 3/3] Update the ima_boot_aggregate apsects of the "README" and "help" files Mimi Zohar
  2 siblings, 1 reply; 7+ messages in thread
From: Mimi Zohar @ 2020-07-31 14:14 UTC (permalink / raw)
  To: linux-integrity; +Cc: Mimi Zohar, Petr Vorel, Vitaly Chikunov, Bruno Meneguele

IMA records file "Time of Measure, Time of Use (ToMToU)" and "open
writers" integrity violations by adding a record to the measurement
list containing one value (0x00's), but extending the TPM with a
different value (0xFF's).

To avoid known file integrity violations, the builtin "tcb" measurement
policy should be replaced with a custom policy as early as possible.
This patch renames the existing "--validate" option to
"--ignore-violations".

Suggested-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
 README       |  4 ++--
 src/evmctl.c | 13 +++++++------
 2 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/README b/README
index d8b8f404534b..b37325f31802 100644
--- a/README
+++ b/README
@@ -31,7 +31,7 @@ COMMANDS
  ima_sign [--sigfile] [--key key] [--pass password] file
  ima_verify file
  ima_hash file
- ima_measurement [--validate] [--verify-sig [--key "key1, key2, ..."]]  [--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...] file
+ ima_measurement [--ignore-violations] [--verify-sig [--key "key1, key2, ..."]]  [--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...] file
  ima_fix [-t fdsxm] path
  sign_hash [--key key] [--pass password]
  hmac [--imahash | --imasig ] file
@@ -60,7 +60,7 @@ OPTIONS
       --m64          force EVM hmac/signature for 64 bit target system
       --engine e     preload OpenSSL engine e (such as: gost)
       --pcrs         file containing TPM pcrs, one per hash-algorithm/bank
-      --validate     ignore ToMToU measurement violations
+      --ignore-violations ignore ToMToU measurement violations
       --verify-sig   verify the file signature based on the file hash, both
                      stored in the template data.
   -v                 increase verbosity level
diff --git a/src/evmctl.c b/src/evmctl.c
index b4d2333fb880..7ad11507487f 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -1392,7 +1392,7 @@ struct template_entry {
 
 static uint8_t zero[MAX_DIGEST_SIZE];
 
-static int validate = 0;
+static int ignore_violations = 0;
 
 static int ima_verify_template_hash(struct template_entry *entry)
 {
@@ -1739,7 +1739,7 @@ static void extend_tpm_banks(struct template_entry *entry, int num_banks,
 		 * size.
 		 */
 		if (memcmp(entry->header.digest, zero, SHA_DIGEST_LENGTH) == 0) {
-			if (!validate) {
+			if (!ignore_violations) {
 				memset(bank[i].digest, 0x00, bank[i].digest_size);
 				memset(padded_bank[i].digest, 0x00, padded_bank[i].digest_size);
 			} else {
@@ -2467,6 +2467,7 @@ static void usage(void)
 		"      --caps         use custom Capabilities for EVM(unspecified: from FS, empty: do not use)\n"
 		"      --verify-sig   verify measurement list signatures\n"
 		"      --engine e     preload OpenSSL engine e (such as: gost)\n"
+		"      --ignore-violations ignore ToMToU measurement violations"
 		"  -v                 increase verbosity level\n"
 		"  -h, --help         display this help and exit\n"
 		"\n");
@@ -2483,7 +2484,7 @@ struct command cmds[] = {
 	{"ima_verify", cmd_verify_ima, 0, "file", "Verify IMA signature (for debugging).\n"},
 	{"ima_setxattr", cmd_setxattr_ima, 0, "[--sigfile file]", "Set IMA signature from sigfile\n"},
 	{"ima_hash", cmd_hash_ima, 0, "file", "Make file content hash.\n"},
-	{"ima_measurement", cmd_ima_measurement, 0, "[--validate] [--verify-sig [--key key1, key2, ...]] [--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...] file", "Verify measurement list (experimental).\n"},
+	{"ima_measurement", cmd_ima_measurement, 0, "[--ignore-violations] [--verify-sig [--key key1, key2, ...]] [--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...] file", "Verify measurement list (experimental).\n"},
 	{"ima_boot_aggregate", cmd_ima_bootaggr, 0, "[file]", "Calculate per TPM bank boot_aggregate digests\n"},
 	{"ima_fix", cmd_ima_fix, 0, "[-t fdsxm] path", "Recursively fix IMA/EVM xattrs in fix mode.\n"},
 	{"ima_clear", cmd_ima_clear, 0, "[-t fdsxm] path", "Recursively remove IMA/EVM xattrs.\n"},
@@ -2522,7 +2523,7 @@ static struct option opts[] = {
 	{"verify-sig", 0, 0, 138},
 	{"engine", 1, 0, 139},
 	{"xattr-user", 0, 0, 140},
-	{"validate", 0, 0, 141},
+	{"ignore-violations", 0, 0, 141},
 	{"pcrs", 1, 0, 142},
 	{}
 
@@ -2702,8 +2703,8 @@ int main(int argc, char *argv[])
 			xattr_ima = "user.ima";
 			xattr_evm = "user.evm";
 			break;
-		case 141: /* --validate */
-			validate = 1;
+		case 141: /* --ignore-violations */
+			ignore_violations = 1;
 			break;
 		case 142:
 			if (npcrfile >= MAX_PCRFILE) {
-- 
2.18.4


^ permalink raw reply	[flat|nested] 7+ messages in thread

* [ima-evm-utils: PATCH 3/3] Update the ima_boot_aggregate apsects of the "README" and "help" files
  2020-07-31 14:14 [ima-evm-utils: PATCH 0/3] evmctl option improvements Mimi Zohar
  2020-07-31 14:14 ` [ima-evm-utils: PATCH 1/3] Drop the ima_measurement "--verify" option Mimi Zohar
  2020-07-31 14:14 ` [ima-evm-utils: PATCH 2/3] Rename "--validate" to "--ignore-violations" Mimi Zohar
@ 2020-07-31 14:14 ` Mimi Zohar
  2020-07-31 15:33   ` Lakshmi Ramasubramanian
  2 siblings, 1 reply; 7+ messages in thread
From: Mimi Zohar @ 2020-07-31 14:14 UTC (permalink / raw)
  To: linux-integrity; +Cc: Mimi Zohar, Petr Vorel, Vitaly Chikunov, Bruno Meneguele

Add the missing "evmctl ima_boot_aggregate" info to the README.  Update
the "help" to include the new "--pcrs" option.  In addition, replace
the "file" option with "TPM 1.2 BIOS event log".  The new format is:

ima_boot_aggregate [--pcrs hash-algorithm,file] [TPM 1.2 BIOS event log]

Reminder: calculating the TPM PCRs based on the BIOS event log and
comparing them with the TPM PCRs should be done prior to calculating the
possible boot_aggregate value(s).

For TPM 1.2, the TPM 1.2 BIOS event log may be provided as an option
when calculating the ima_boot_aggregate.  For TPM 2.0, "tsseventextend
-sim -if <binary_bios_measurements> -ns -v", may be used to validate
the TPM 2.0 event log.

(Note: some TPM 2.0's export the BIOS event log in the TPM 1.2 format.)

Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
 README       | 1 +
 src/evmctl.c | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/README b/README
index b37325f31802..321045d9d52b 100644
--- a/README
+++ b/README
@@ -28,6 +28,7 @@ COMMANDS
  import [--rsa] pubkey keyring
  sign [-r] [--imahash | --imasig ] [--portable] [--key key] [--pass password] file
  verify file
+ ima_boot_aggregate [--pcrs hash-algorithm,file] [TPM 1.2 BIOS event log]
  ima_sign [--sigfile] [--key key] [--pass password] file
  ima_verify file
  ima_hash file
diff --git a/src/evmctl.c b/src/evmctl.c
index 7ad11507487f..de7299d41b2c 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -2485,7 +2485,7 @@ struct command cmds[] = {
 	{"ima_setxattr", cmd_setxattr_ima, 0, "[--sigfile file]", "Set IMA signature from sigfile\n"},
 	{"ima_hash", cmd_hash_ima, 0, "file", "Make file content hash.\n"},
 	{"ima_measurement", cmd_ima_measurement, 0, "[--ignore-violations] [--verify-sig [--key key1, key2, ...]] [--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...] file", "Verify measurement list (experimental).\n"},
-	{"ima_boot_aggregate", cmd_ima_bootaggr, 0, "[file]", "Calculate per TPM bank boot_aggregate digests\n"},
+	{"ima_boot_aggregate", cmd_ima_bootaggr, 0, "[--pcrs hash-algorithm,file] [TPM 1.2 BIOS event log]", "Calculate per TPM bank boot_aggregate digests\n"},
 	{"ima_fix", cmd_ima_fix, 0, "[-t fdsxm] path", "Recursively fix IMA/EVM xattrs in fix mode.\n"},
 	{"ima_clear", cmd_ima_clear, 0, "[-t fdsxm] path", "Recursively remove IMA/EVM xattrs.\n"},
 	{"sign_hash", cmd_sign_hash, 0, "[--key key] [--pass [password]", "Sign hashes from shaXsum output.\n"},
-- 
2.18.4


^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [ima-evm-utils: PATCH 1/3] Drop the ima_measurement "--verify" option
  2020-07-31 14:14 ` [ima-evm-utils: PATCH 1/3] Drop the ima_measurement "--verify" option Mimi Zohar
@ 2020-07-31 15:31   ` Lakshmi Ramasubramanian
  0 siblings, 0 replies; 7+ messages in thread
From: Lakshmi Ramasubramanian @ 2020-07-31 15:31 UTC (permalink / raw)
  To: Mimi Zohar, linux-integrity; +Cc: Petr Vorel, Vitaly Chikunov, Bruno Meneguele

On 7/31/20 7:14 AM, Mimi Zohar wrote:
> While walking the IMA measurement list re-calculating the PCRS,
> ima_measurement should always re-calculate the template data digest
> and verify it against the measurement list value.
> 
> This patch removes the "--verify" option.
> 
> On success, return 0.
> 
> Suggested-by: Stephen Smalley <stephen.smalley.work@gmail.com>
> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
> ---
>   README       |  3 +--
>   src/evmctl.c | 23 ++++++++---------------
>   2 files changed, 9 insertions(+), 17 deletions(-)
> 

Reviewed-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>

> diff --git a/README b/README
> index 73b38a1f35ba..d8b8f404534b 100644
> --- a/README
> +++ b/README
> @@ -31,7 +31,7 @@ COMMANDS
>    ima_sign [--sigfile] [--key key] [--pass password] file
>    ima_verify file
>    ima_hash file
> - ima_measurement [--validate] [--verify] [--verify-sig [--key "key1, key2, ..."]]  [--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...] file
> + ima_measurement [--validate] [--verify-sig [--key "key1, key2, ..."]]  [--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...] file
>    ima_fix [-t fdsxm] path
>    sign_hash [--key key] [--pass password]
>    hmac [--imahash | --imasig ] file
> @@ -61,7 +61,6 @@ OPTIONS
>         --engine e     preload OpenSSL engine e (such as: gost)
>         --pcrs         file containing TPM pcrs, one per hash-algorithm/bank
>         --validate     ignore ToMToU measurement violations
> -      --verify       verify the template data digest
>         --verify-sig   verify the file signature based on the file hash, both
>                        stored in the template data.
>     -v                 increase verbosity level
> diff --git a/src/evmctl.c b/src/evmctl.c
> index 448e4a9c8d78..b4d2333fb880 100644
> --- a/src/evmctl.c
> +++ b/src/evmctl.c
> @@ -1393,7 +1393,6 @@ struct template_entry {
>   static uint8_t zero[MAX_DIGEST_SIZE];
>   
>   static int validate = 0;
> -static int verify = 0;
>   
>   static int ima_verify_template_hash(struct template_entry *entry)
>   {
> @@ -1945,7 +1944,7 @@ static int ima_measurement(const char *file)
>   
>   	struct template_entry entry = { .template = 0 };
>   	FILE *fp;
> -	int verified_template_digest = 0;
> +	int invalid_template_digest = 0;
>   	int err_padded = -1;
>   	int err = -1;
>   
> @@ -2075,11 +2074,9 @@ static int ima_measurement(const char *file)
>   				 pseudo_padded_banks);
>   
>   		/* Recalculate and verify template data digest */
> -		if (verify) {
> -			err = ima_verify_template_hash(&entry);
> -			if (err)
> -				verified_template_digest = 1;
> -		}
> +		err = ima_verify_template_hash(&entry);
> +		if (err)
> +			invalid_template_digest = 1;
>   
>   		if (is_ima_template)
>   			ima_show(&entry);
> @@ -2116,7 +2113,7 @@ static int ima_measurement(const char *file)
>   			log_info("Failed to match per TPM bank or SHA1 padded TPM digest(s).\n");
>   	}
>   
> -	if (verified_template_digest) {
> +	if (invalid_template_digest) {
>   		log_info("Failed to verify template data digest.\n");
>   		err = 1;
>   	}
> @@ -2486,7 +2483,7 @@ struct command cmds[] = {
>   	{"ima_verify", cmd_verify_ima, 0, "file", "Verify IMA signature (for debugging).\n"},
>   	{"ima_setxattr", cmd_setxattr_ima, 0, "[--sigfile file]", "Set IMA signature from sigfile\n"},
>   	{"ima_hash", cmd_hash_ima, 0, "file", "Make file content hash.\n"},
> -	{"ima_measurement", cmd_ima_measurement, 0, "[--validate] [--verify] [--verify-sig [--key key1, key2, ...]] [--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...] file", "Verify measurement list (experimental).\n"},
> +	{"ima_measurement", cmd_ima_measurement, 0, "[--validate] [--verify-sig [--key key1, key2, ...]] [--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...] file", "Verify measurement list (experimental).\n"},
>   	{"ima_boot_aggregate", cmd_ima_bootaggr, 0, "[file]", "Calculate per TPM bank boot_aggregate digests\n"},
>   	{"ima_fix", cmd_ima_fix, 0, "[-t fdsxm] path", "Recursively fix IMA/EVM xattrs in fix mode.\n"},
>   	{"ima_clear", cmd_ima_clear, 0, "[-t fdsxm] path", "Recursively remove IMA/EVM xattrs.\n"},
> @@ -2526,8 +2523,7 @@ static struct option opts[] = {
>   	{"engine", 1, 0, 139},
>   	{"xattr-user", 0, 0, 140},
>   	{"validate", 0, 0, 141},
> -	{"verify", 0, 0, 142},
> -	{"pcrs", 1, 0, 143},
> +	{"pcrs", 1, 0, 142},
>   	{}
>   
>   };
> @@ -2709,10 +2705,7 @@ int main(int argc, char *argv[])
>   		case 141: /* --validate */
>   			validate = 1;
>   			break;
> -		case 142: /* --verify */
> -			verify = 1;
> -			break;
> -		case 143:
> +		case 142:
>   			if (npcrfile >= MAX_PCRFILE) {
>   				log_err("too many --pcrfile options\n");
>   				exit(1);
> 


^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [ima-evm-utils: PATCH 3/3] Update the ima_boot_aggregate apsects of the "README" and "help" files
  2020-07-31 14:14 ` [ima-evm-utils: PATCH 3/3] Update the ima_boot_aggregate apsects of the "README" and "help" files Mimi Zohar
@ 2020-07-31 15:33   ` Lakshmi Ramasubramanian
  0 siblings, 0 replies; 7+ messages in thread
From: Lakshmi Ramasubramanian @ 2020-07-31 15:33 UTC (permalink / raw)
  To: Mimi Zohar, linux-integrity; +Cc: Petr Vorel, Vitaly Chikunov, Bruno Meneguele

On 7/31/20 7:14 AM, Mimi Zohar wrote:
> Add the missing "evmctl ima_boot_aggregate" info to the README.  Update
> the "help" to include the new "--pcrs" option.  In addition, replace
> the "file" option with "TPM 1.2 BIOS event log".  The new format is:
> 
> ima_boot_aggregate [--pcrs hash-algorithm,file] [TPM 1.2 BIOS event log]
> 
> Reminder: calculating the TPM PCRs based on the BIOS event log and
> comparing them with the TPM PCRs should be done prior to calculating the
> possible boot_aggregate value(s).
> 
> For TPM 1.2, the TPM 1.2 BIOS event log may be provided as an option
> when calculating the ima_boot_aggregate.  For TPM 2.0, "tsseventextend
> -sim -if <binary_bios_measurements> -ns -v", may be used to validate
> the TPM 2.0 event log.
> 
> (Note: some TPM 2.0's export the BIOS event log in the TPM 1.2 format.)
> 
> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
> ---
>   README       | 1 +
>   src/evmctl.c | 2 +-
>   2 files changed, 2 insertions(+), 1 deletion(-)
> 

Reviewed-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>

> diff --git a/README b/README
> index b37325f31802..321045d9d52b 100644
> --- a/README
> +++ b/README
> @@ -28,6 +28,7 @@ COMMANDS
>    import [--rsa] pubkey keyring
>    sign [-r] [--imahash | --imasig ] [--portable] [--key key] [--pass password] file
>    verify file
> + ima_boot_aggregate [--pcrs hash-algorithm,file] [TPM 1.2 BIOS event log]
>    ima_sign [--sigfile] [--key key] [--pass password] file
>    ima_verify file
>    ima_hash file
> diff --git a/src/evmctl.c b/src/evmctl.c
> index 7ad11507487f..de7299d41b2c 100644
> --- a/src/evmctl.c
> +++ b/src/evmctl.c
> @@ -2485,7 +2485,7 @@ struct command cmds[] = {
>   	{"ima_setxattr", cmd_setxattr_ima, 0, "[--sigfile file]", "Set IMA signature from sigfile\n"},
>   	{"ima_hash", cmd_hash_ima, 0, "file", "Make file content hash.\n"},
>   	{"ima_measurement", cmd_ima_measurement, 0, "[--ignore-violations] [--verify-sig [--key key1, key2, ...]] [--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...] file", "Verify measurement list (experimental).\n"},
> -	{"ima_boot_aggregate", cmd_ima_bootaggr, 0, "[file]", "Calculate per TPM bank boot_aggregate digests\n"},
> +	{"ima_boot_aggregate", cmd_ima_bootaggr, 0, "[--pcrs hash-algorithm,file] [TPM 1.2 BIOS event log]", "Calculate per TPM bank boot_aggregate digests\n"},
>   	{"ima_fix", cmd_ima_fix, 0, "[-t fdsxm] path", "Recursively fix IMA/EVM xattrs in fix mode.\n"},
>   	{"ima_clear", cmd_ima_clear, 0, "[-t fdsxm] path", "Recursively remove IMA/EVM xattrs.\n"},
>   	{"sign_hash", cmd_sign_hash, 0, "[--key key] [--pass [password]", "Sign hashes from shaXsum output.\n"},
> 


^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [ima-evm-utils: PATCH 2/3] Rename "--validate" to "--ignore-violations"
  2020-07-31 14:14 ` [ima-evm-utils: PATCH 2/3] Rename "--validate" to "--ignore-violations" Mimi Zohar
@ 2020-08-01  0:46   ` Lakshmi Ramasubramanian
  0 siblings, 0 replies; 7+ messages in thread
From: Lakshmi Ramasubramanian @ 2020-08-01  0:46 UTC (permalink / raw)
  To: Mimi Zohar, linux-integrity; +Cc: Petr Vorel, Vitaly Chikunov, Bruno Meneguele

On 7/31/20 7:14 AM, Mimi Zohar wrote:
> IMA records file "Time of Measure, Time of Use (ToMToU)" and "open
> writers" integrity violations by adding a record to the measurement
> list containing one value (0x00's), but extending the TPM with a
> different value (0xFF's).
> 
> To avoid known file integrity violations, the builtin "tcb" measurement
> policy should be replaced with a custom policy as early as possible.
> This patch renames the existing "--validate" option to
> "--ignore-violations".
> 
> Suggested-by: Stephen Smalley <stephen.smalley.work@gmail.com>
> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
> ---
>   README       |  4 ++--
>   src/evmctl.c | 13 +++++++------
>   2 files changed, 9 insertions(+), 8 deletions(-)

Reviewed-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>

> 
> diff --git a/README b/README
> index d8b8f404534b..b37325f31802 100644
> --- a/README
> +++ b/README
> @@ -31,7 +31,7 @@ COMMANDS
>    ima_sign [--sigfile] [--key key] [--pass password] file
>    ima_verify file
>    ima_hash file
> - ima_measurement [--validate] [--verify-sig [--key "key1, key2, ..."]]  [--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...] file
> + ima_measurement [--ignore-violations] [--verify-sig [--key "key1, key2, ..."]]  [--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...] file
>    ima_fix [-t fdsxm] path
>    sign_hash [--key key] [--pass password]
>    hmac [--imahash | --imasig ] file
> @@ -60,7 +60,7 @@ OPTIONS
>         --m64          force EVM hmac/signature for 64 bit target system
>         --engine e     preload OpenSSL engine e (such as: gost)
>         --pcrs         file containing TPM pcrs, one per hash-algorithm/bank
> -      --validate     ignore ToMToU measurement violations
> +      --ignore-violations ignore ToMToU measurement violations
>         --verify-sig   verify the file signature based on the file hash, both
>                        stored in the template data.
>     -v                 increase verbosity level
> diff --git a/src/evmctl.c b/src/evmctl.c
> index b4d2333fb880..7ad11507487f 100644
> --- a/src/evmctl.c
> +++ b/src/evmctl.c
> @@ -1392,7 +1392,7 @@ struct template_entry {
>   
>   static uint8_t zero[MAX_DIGEST_SIZE];
>   
> -static int validate = 0;
> +static int ignore_violations = 0;
>   
>   static int ima_verify_template_hash(struct template_entry *entry)
>   {
> @@ -1739,7 +1739,7 @@ static void extend_tpm_banks(struct template_entry *entry, int num_banks,
>   		 * size.
>   		 */
>   		if (memcmp(entry->header.digest, zero, SHA_DIGEST_LENGTH) == 0) {
> -			if (!validate) {
> +			if (!ignore_violations) {
>   				memset(bank[i].digest, 0x00, bank[i].digest_size);
>   				memset(padded_bank[i].digest, 0x00, padded_bank[i].digest_size);
>   			} else {
> @@ -2467,6 +2467,7 @@ static void usage(void)
>   		"      --caps         use custom Capabilities for EVM(unspecified: from FS, empty: do not use)\n"
>   		"      --verify-sig   verify measurement list signatures\n"
>   		"      --engine e     preload OpenSSL engine e (such as: gost)\n"
> +		"      --ignore-violations ignore ToMToU measurement violations"
>   		"  -v                 increase verbosity level\n"
>   		"  -h, --help         display this help and exit\n"
>   		"\n");
> @@ -2483,7 +2484,7 @@ struct command cmds[] = {
>   	{"ima_verify", cmd_verify_ima, 0, "file", "Verify IMA signature (for debugging).\n"},
>   	{"ima_setxattr", cmd_setxattr_ima, 0, "[--sigfile file]", "Set IMA signature from sigfile\n"},
>   	{"ima_hash", cmd_hash_ima, 0, "file", "Make file content hash.\n"},
> -	{"ima_measurement", cmd_ima_measurement, 0, "[--validate] [--verify-sig [--key key1, key2, ...]] [--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...] file", "Verify measurement list (experimental).\n"},
> +	{"ima_measurement", cmd_ima_measurement, 0, "[--ignore-violations] [--verify-sig [--key key1, key2, ...]] [--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...] file", "Verify measurement list (experimental).\n"},
>   	{"ima_boot_aggregate", cmd_ima_bootaggr, 0, "[file]", "Calculate per TPM bank boot_aggregate digests\n"},
>   	{"ima_fix", cmd_ima_fix, 0, "[-t fdsxm] path", "Recursively fix IMA/EVM xattrs in fix mode.\n"},
>   	{"ima_clear", cmd_ima_clear, 0, "[-t fdsxm] path", "Recursively remove IMA/EVM xattrs.\n"},
> @@ -2522,7 +2523,7 @@ static struct option opts[] = {
>   	{"verify-sig", 0, 0, 138},
>   	{"engine", 1, 0, 139},
>   	{"xattr-user", 0, 0, 140},
> -	{"validate", 0, 0, 141},
> +	{"ignore-violations", 0, 0, 141},
>   	{"pcrs", 1, 0, 142},
>   	{}
>   
> @@ -2702,8 +2703,8 @@ int main(int argc, char *argv[])
>   			xattr_ima = "user.ima";
>   			xattr_evm = "user.evm";
>   			break;
> -		case 141: /* --validate */
> -			validate = 1;
> +		case 141: /* --ignore-violations */
> +			ignore_violations = 1;
>   			break;
>   		case 142:
>   			if (npcrfile >= MAX_PCRFILE) {
> 


^ permalink raw reply	[flat|nested] 7+ messages in thread

end of thread, back to index

Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-07-31 14:14 [ima-evm-utils: PATCH 0/3] evmctl option improvements Mimi Zohar
2020-07-31 14:14 ` [ima-evm-utils: PATCH 1/3] Drop the ima_measurement "--verify" option Mimi Zohar
2020-07-31 15:31   ` Lakshmi Ramasubramanian
2020-07-31 14:14 ` [ima-evm-utils: PATCH 2/3] Rename "--validate" to "--ignore-violations" Mimi Zohar
2020-08-01  0:46   ` Lakshmi Ramasubramanian
2020-07-31 14:14 ` [ima-evm-utils: PATCH 3/3] Update the ima_boot_aggregate apsects of the "README" and "help" files Mimi Zohar
2020-07-31 15:33   ` Lakshmi Ramasubramanian

Linux-Integrity Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-integrity/0 linux-integrity/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-integrity linux-integrity/ https://lore.kernel.org/linux-integrity \
		linux-integrity@vger.kernel.org
	public-inbox-index linux-integrity

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-integrity


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git