* [ima-evm-utils: PATCH 1/3] Drop the ima_measurement "--verify" option
2020-07-31 14:14 [ima-evm-utils: PATCH 0/3] evmctl option improvements Mimi Zohar
@ 2020-07-31 14:14 ` Mimi Zohar
2020-07-31 15:31 ` Lakshmi Ramasubramanian
2020-07-31 14:14 ` [ima-evm-utils: PATCH 2/3] Rename "--validate" to "--ignore-violations" Mimi Zohar
2020-07-31 14:14 ` [ima-evm-utils: PATCH 3/3] Update the ima_boot_aggregate apsects of the "README" and "help" files Mimi Zohar
2 siblings, 1 reply; 7+ messages in thread
From: Mimi Zohar @ 2020-07-31 14:14 UTC (permalink / raw)
To: linux-integrity; +Cc: Mimi Zohar, Petr Vorel, Vitaly Chikunov, Bruno Meneguele
While walking the IMA measurement list re-calculating the PCRS,
ima_measurement should always re-calculate the template data digest
and verify it against the measurement list value.
This patch removes the "--verify" option.
On success, return 0.
Suggested-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
README | 3 +--
src/evmctl.c | 23 ++++++++---------------
2 files changed, 9 insertions(+), 17 deletions(-)
diff --git a/README b/README
index 73b38a1f35ba..d8b8f404534b 100644
--- a/README
+++ b/README
@@ -31,7 +31,7 @@ COMMANDS
ima_sign [--sigfile] [--key key] [--pass password] file
ima_verify file
ima_hash file
- ima_measurement [--validate] [--verify] [--verify-sig [--key "key1, key2, ..."]] [--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...] file
+ ima_measurement [--validate] [--verify-sig [--key "key1, key2, ..."]] [--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...] file
ima_fix [-t fdsxm] path
sign_hash [--key key] [--pass password]
hmac [--imahash | --imasig ] file
@@ -61,7 +61,6 @@ OPTIONS
--engine e preload OpenSSL engine e (such as: gost)
--pcrs file containing TPM pcrs, one per hash-algorithm/bank
--validate ignore ToMToU measurement violations
- --verify verify the template data digest
--verify-sig verify the file signature based on the file hash, both
stored in the template data.
-v increase verbosity level
diff --git a/src/evmctl.c b/src/evmctl.c
index 448e4a9c8d78..b4d2333fb880 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -1393,7 +1393,6 @@ struct template_entry {
static uint8_t zero[MAX_DIGEST_SIZE];
static int validate = 0;
-static int verify = 0;
static int ima_verify_template_hash(struct template_entry *entry)
{
@@ -1945,7 +1944,7 @@ static int ima_measurement(const char *file)
struct template_entry entry = { .template = 0 };
FILE *fp;
- int verified_template_digest = 0;
+ int invalid_template_digest = 0;
int err_padded = -1;
int err = -1;
@@ -2075,11 +2074,9 @@ static int ima_measurement(const char *file)
pseudo_padded_banks);
/* Recalculate and verify template data digest */
- if (verify) {
- err = ima_verify_template_hash(&entry);
- if (err)
- verified_template_digest = 1;
- }
+ err = ima_verify_template_hash(&entry);
+ if (err)
+ invalid_template_digest = 1;
if (is_ima_template)
ima_show(&entry);
@@ -2116,7 +2113,7 @@ static int ima_measurement(const char *file)
log_info("Failed to match per TPM bank or SHA1 padded TPM digest(s).\n");
}
- if (verified_template_digest) {
+ if (invalid_template_digest) {
log_info("Failed to verify template data digest.\n");
err = 1;
}
@@ -2486,7 +2483,7 @@ struct command cmds[] = {
{"ima_verify", cmd_verify_ima, 0, "file", "Verify IMA signature (for debugging).\n"},
{"ima_setxattr", cmd_setxattr_ima, 0, "[--sigfile file]", "Set IMA signature from sigfile\n"},
{"ima_hash", cmd_hash_ima, 0, "file", "Make file content hash.\n"},
- {"ima_measurement", cmd_ima_measurement, 0, "[--validate] [--verify] [--verify-sig [--key key1, key2, ...]] [--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...] file", "Verify measurement list (experimental).\n"},
+ {"ima_measurement", cmd_ima_measurement, 0, "[--validate] [--verify-sig [--key key1, key2, ...]] [--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...] file", "Verify measurement list (experimental).\n"},
{"ima_boot_aggregate", cmd_ima_bootaggr, 0, "[file]", "Calculate per TPM bank boot_aggregate digests\n"},
{"ima_fix", cmd_ima_fix, 0, "[-t fdsxm] path", "Recursively fix IMA/EVM xattrs in fix mode.\n"},
{"ima_clear", cmd_ima_clear, 0, "[-t fdsxm] path", "Recursively remove IMA/EVM xattrs.\n"},
@@ -2526,8 +2523,7 @@ static struct option opts[] = {
{"engine", 1, 0, 139},
{"xattr-user", 0, 0, 140},
{"validate", 0, 0, 141},
- {"verify", 0, 0, 142},
- {"pcrs", 1, 0, 143},
+ {"pcrs", 1, 0, 142},
{}
};
@@ -2709,10 +2705,7 @@ int main(int argc, char *argv[])
case 141: /* --validate */
validate = 1;
break;
- case 142: /* --verify */
- verify = 1;
- break;
- case 143:
+ case 142:
if (npcrfile >= MAX_PCRFILE) {
log_err("too many --pcrfile options\n");
exit(1);
--
2.18.4
^ permalink raw reply related [flat|nested] 7+ messages in thread* Re: [ima-evm-utils: PATCH 1/3] Drop the ima_measurement "--verify" option
2020-07-31 14:14 ` [ima-evm-utils: PATCH 1/3] Drop the ima_measurement "--verify" option Mimi Zohar
@ 2020-07-31 15:31 ` Lakshmi Ramasubramanian
0 siblings, 0 replies; 7+ messages in thread
From: Lakshmi Ramasubramanian @ 2020-07-31 15:31 UTC (permalink / raw)
To: Mimi Zohar, linux-integrity; +Cc: Petr Vorel, Vitaly Chikunov, Bruno Meneguele
On 7/31/20 7:14 AM, Mimi Zohar wrote:
> While walking the IMA measurement list re-calculating the PCRS,
> ima_measurement should always re-calculate the template data digest
> and verify it against the measurement list value.
>
> This patch removes the "--verify" option.
>
> On success, return 0.
>
> Suggested-by: Stephen Smalley <stephen.smalley.work@gmail.com>
> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
> ---
> README | 3 +--
> src/evmctl.c | 23 ++++++++---------------
> 2 files changed, 9 insertions(+), 17 deletions(-)
>
Reviewed-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
> diff --git a/README b/README
> index 73b38a1f35ba..d8b8f404534b 100644
> --- a/README
> +++ b/README
> @@ -31,7 +31,7 @@ COMMANDS
> ima_sign [--sigfile] [--key key] [--pass password] file
> ima_verify file
> ima_hash file
> - ima_measurement [--validate] [--verify] [--verify-sig [--key "key1, key2, ..."]] [--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...] file
> + ima_measurement [--validate] [--verify-sig [--key "key1, key2, ..."]] [--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...] file
> ima_fix [-t fdsxm] path
> sign_hash [--key key] [--pass password]
> hmac [--imahash | --imasig ] file
> @@ -61,7 +61,6 @@ OPTIONS
> --engine e preload OpenSSL engine e (such as: gost)
> --pcrs file containing TPM pcrs, one per hash-algorithm/bank
> --validate ignore ToMToU measurement violations
> - --verify verify the template data digest
> --verify-sig verify the file signature based on the file hash, both
> stored in the template data.
> -v increase verbosity level
> diff --git a/src/evmctl.c b/src/evmctl.c
> index 448e4a9c8d78..b4d2333fb880 100644
> --- a/src/evmctl.c
> +++ b/src/evmctl.c
> @@ -1393,7 +1393,6 @@ struct template_entry {
> static uint8_t zero[MAX_DIGEST_SIZE];
>
> static int validate = 0;
> -static int verify = 0;
>
> static int ima_verify_template_hash(struct template_entry *entry)
> {
> @@ -1945,7 +1944,7 @@ static int ima_measurement(const char *file)
>
> struct template_entry entry = { .template = 0 };
> FILE *fp;
> - int verified_template_digest = 0;
> + int invalid_template_digest = 0;
> int err_padded = -1;
> int err = -1;
>
> @@ -2075,11 +2074,9 @@ static int ima_measurement(const char *file)
> pseudo_padded_banks);
>
> /* Recalculate and verify template data digest */
> - if (verify) {
> - err = ima_verify_template_hash(&entry);
> - if (err)
> - verified_template_digest = 1;
> - }
> + err = ima_verify_template_hash(&entry);
> + if (err)
> + invalid_template_digest = 1;
>
> if (is_ima_template)
> ima_show(&entry);
> @@ -2116,7 +2113,7 @@ static int ima_measurement(const char *file)
> log_info("Failed to match per TPM bank or SHA1 padded TPM digest(s).\n");
> }
>
> - if (verified_template_digest) {
> + if (invalid_template_digest) {
> log_info("Failed to verify template data digest.\n");
> err = 1;
> }
> @@ -2486,7 +2483,7 @@ struct command cmds[] = {
> {"ima_verify", cmd_verify_ima, 0, "file", "Verify IMA signature (for debugging).\n"},
> {"ima_setxattr", cmd_setxattr_ima, 0, "[--sigfile file]", "Set IMA signature from sigfile\n"},
> {"ima_hash", cmd_hash_ima, 0, "file", "Make file content hash.\n"},
> - {"ima_measurement", cmd_ima_measurement, 0, "[--validate] [--verify] [--verify-sig [--key key1, key2, ...]] [--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...] file", "Verify measurement list (experimental).\n"},
> + {"ima_measurement", cmd_ima_measurement, 0, "[--validate] [--verify-sig [--key key1, key2, ...]] [--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...] file", "Verify measurement list (experimental).\n"},
> {"ima_boot_aggregate", cmd_ima_bootaggr, 0, "[file]", "Calculate per TPM bank boot_aggregate digests\n"},
> {"ima_fix", cmd_ima_fix, 0, "[-t fdsxm] path", "Recursively fix IMA/EVM xattrs in fix mode.\n"},
> {"ima_clear", cmd_ima_clear, 0, "[-t fdsxm] path", "Recursively remove IMA/EVM xattrs.\n"},
> @@ -2526,8 +2523,7 @@ static struct option opts[] = {
> {"engine", 1, 0, 139},
> {"xattr-user", 0, 0, 140},
> {"validate", 0, 0, 141},
> - {"verify", 0, 0, 142},
> - {"pcrs", 1, 0, 143},
> + {"pcrs", 1, 0, 142},
> {}
>
> };
> @@ -2709,10 +2705,7 @@ int main(int argc, char *argv[])
> case 141: /* --validate */
> validate = 1;
> break;
> - case 142: /* --verify */
> - verify = 1;
> - break;
> - case 143:
> + case 142:
> if (npcrfile >= MAX_PCRFILE) {
> log_err("too many --pcrfile options\n");
> exit(1);
>
^ permalink raw reply [flat|nested] 7+ messages in thread
* [ima-evm-utils: PATCH 2/3] Rename "--validate" to "--ignore-violations"
2020-07-31 14:14 [ima-evm-utils: PATCH 0/3] evmctl option improvements Mimi Zohar
2020-07-31 14:14 ` [ima-evm-utils: PATCH 1/3] Drop the ima_measurement "--verify" option Mimi Zohar
@ 2020-07-31 14:14 ` Mimi Zohar
2020-08-01 0:46 ` Lakshmi Ramasubramanian
2020-07-31 14:14 ` [ima-evm-utils: PATCH 3/3] Update the ima_boot_aggregate apsects of the "README" and "help" files Mimi Zohar
2 siblings, 1 reply; 7+ messages in thread
From: Mimi Zohar @ 2020-07-31 14:14 UTC (permalink / raw)
To: linux-integrity; +Cc: Mimi Zohar, Petr Vorel, Vitaly Chikunov, Bruno Meneguele
IMA records file "Time of Measure, Time of Use (ToMToU)" and "open
writers" integrity violations by adding a record to the measurement
list containing one value (0x00's), but extending the TPM with a
different value (0xFF's).
To avoid known file integrity violations, the builtin "tcb" measurement
policy should be replaced with a custom policy as early as possible.
This patch renames the existing "--validate" option to
"--ignore-violations".
Suggested-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
README | 4 ++--
src/evmctl.c | 13 +++++++------
2 files changed, 9 insertions(+), 8 deletions(-)
diff --git a/README b/README
index d8b8f404534b..b37325f31802 100644
--- a/README
+++ b/README
@@ -31,7 +31,7 @@ COMMANDS
ima_sign [--sigfile] [--key key] [--pass password] file
ima_verify file
ima_hash file
- ima_measurement [--validate] [--verify-sig [--key "key1, key2, ..."]] [--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...] file
+ ima_measurement [--ignore-violations] [--verify-sig [--key "key1, key2, ..."]] [--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...] file
ima_fix [-t fdsxm] path
sign_hash [--key key] [--pass password]
hmac [--imahash | --imasig ] file
@@ -60,7 +60,7 @@ OPTIONS
--m64 force EVM hmac/signature for 64 bit target system
--engine e preload OpenSSL engine e (such as: gost)
--pcrs file containing TPM pcrs, one per hash-algorithm/bank
- --validate ignore ToMToU measurement violations
+ --ignore-violations ignore ToMToU measurement violations
--verify-sig verify the file signature based on the file hash, both
stored in the template data.
-v increase verbosity level
diff --git a/src/evmctl.c b/src/evmctl.c
index b4d2333fb880..7ad11507487f 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -1392,7 +1392,7 @@ struct template_entry {
static uint8_t zero[MAX_DIGEST_SIZE];
-static int validate = 0;
+static int ignore_violations = 0;
static int ima_verify_template_hash(struct template_entry *entry)
{
@@ -1739,7 +1739,7 @@ static void extend_tpm_banks(struct template_entry *entry, int num_banks,
* size.
*/
if (memcmp(entry->header.digest, zero, SHA_DIGEST_LENGTH) == 0) {
- if (!validate) {
+ if (!ignore_violations) {
memset(bank[i].digest, 0x00, bank[i].digest_size);
memset(padded_bank[i].digest, 0x00, padded_bank[i].digest_size);
} else {
@@ -2467,6 +2467,7 @@ static void usage(void)
" --caps use custom Capabilities for EVM(unspecified: from FS, empty: do not use)\n"
" --verify-sig verify measurement list signatures\n"
" --engine e preload OpenSSL engine e (such as: gost)\n"
+ " --ignore-violations ignore ToMToU measurement violations"
" -v increase verbosity level\n"
" -h, --help display this help and exit\n"
"\n");
@@ -2483,7 +2484,7 @@ struct command cmds[] = {
{"ima_verify", cmd_verify_ima, 0, "file", "Verify IMA signature (for debugging).\n"},
{"ima_setxattr", cmd_setxattr_ima, 0, "[--sigfile file]", "Set IMA signature from sigfile\n"},
{"ima_hash", cmd_hash_ima, 0, "file", "Make file content hash.\n"},
- {"ima_measurement", cmd_ima_measurement, 0, "[--validate] [--verify-sig [--key key1, key2, ...]] [--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...] file", "Verify measurement list (experimental).\n"},
+ {"ima_measurement", cmd_ima_measurement, 0, "[--ignore-violations] [--verify-sig [--key key1, key2, ...]] [--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...] file", "Verify measurement list (experimental).\n"},
{"ima_boot_aggregate", cmd_ima_bootaggr, 0, "[file]", "Calculate per TPM bank boot_aggregate digests\n"},
{"ima_fix", cmd_ima_fix, 0, "[-t fdsxm] path", "Recursively fix IMA/EVM xattrs in fix mode.\n"},
{"ima_clear", cmd_ima_clear, 0, "[-t fdsxm] path", "Recursively remove IMA/EVM xattrs.\n"},
@@ -2522,7 +2523,7 @@ static struct option opts[] = {
{"verify-sig", 0, 0, 138},
{"engine", 1, 0, 139},
{"xattr-user", 0, 0, 140},
- {"validate", 0, 0, 141},
+ {"ignore-violations", 0, 0, 141},
{"pcrs", 1, 0, 142},
{}
@@ -2702,8 +2703,8 @@ int main(int argc, char *argv[])
xattr_ima = "user.ima";
xattr_evm = "user.evm";
break;
- case 141: /* --validate */
- validate = 1;
+ case 141: /* --ignore-violations */
+ ignore_violations = 1;
break;
case 142:
if (npcrfile >= MAX_PCRFILE) {
--
2.18.4
^ permalink raw reply related [flat|nested] 7+ messages in thread* Re: [ima-evm-utils: PATCH 2/3] Rename "--validate" to "--ignore-violations"
2020-07-31 14:14 ` [ima-evm-utils: PATCH 2/3] Rename "--validate" to "--ignore-violations" Mimi Zohar
@ 2020-08-01 0:46 ` Lakshmi Ramasubramanian
0 siblings, 0 replies; 7+ messages in thread
From: Lakshmi Ramasubramanian @ 2020-08-01 0:46 UTC (permalink / raw)
To: Mimi Zohar, linux-integrity; +Cc: Petr Vorel, Vitaly Chikunov, Bruno Meneguele
On 7/31/20 7:14 AM, Mimi Zohar wrote:
> IMA records file "Time of Measure, Time of Use (ToMToU)" and "open
> writers" integrity violations by adding a record to the measurement
> list containing one value (0x00's), but extending the TPM with a
> different value (0xFF's).
>
> To avoid known file integrity violations, the builtin "tcb" measurement
> policy should be replaced with a custom policy as early as possible.
> This patch renames the existing "--validate" option to
> "--ignore-violations".
>
> Suggested-by: Stephen Smalley <stephen.smalley.work@gmail.com>
> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
> ---
> README | 4 ++--
> src/evmctl.c | 13 +++++++------
> 2 files changed, 9 insertions(+), 8 deletions(-)
Reviewed-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
>
> diff --git a/README b/README
> index d8b8f404534b..b37325f31802 100644
> --- a/README
> +++ b/README
> @@ -31,7 +31,7 @@ COMMANDS
> ima_sign [--sigfile] [--key key] [--pass password] file
> ima_verify file
> ima_hash file
> - ima_measurement [--validate] [--verify-sig [--key "key1, key2, ..."]] [--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...] file
> + ima_measurement [--ignore-violations] [--verify-sig [--key "key1, key2, ..."]] [--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...] file
> ima_fix [-t fdsxm] path
> sign_hash [--key key] [--pass password]
> hmac [--imahash | --imasig ] file
> @@ -60,7 +60,7 @@ OPTIONS
> --m64 force EVM hmac/signature for 64 bit target system
> --engine e preload OpenSSL engine e (such as: gost)
> --pcrs file containing TPM pcrs, one per hash-algorithm/bank
> - --validate ignore ToMToU measurement violations
> + --ignore-violations ignore ToMToU measurement violations
> --verify-sig verify the file signature based on the file hash, both
> stored in the template data.
> -v increase verbosity level
> diff --git a/src/evmctl.c b/src/evmctl.c
> index b4d2333fb880..7ad11507487f 100644
> --- a/src/evmctl.c
> +++ b/src/evmctl.c
> @@ -1392,7 +1392,7 @@ struct template_entry {
>
> static uint8_t zero[MAX_DIGEST_SIZE];
>
> -static int validate = 0;
> +static int ignore_violations = 0;
>
> static int ima_verify_template_hash(struct template_entry *entry)
> {
> @@ -1739,7 +1739,7 @@ static void extend_tpm_banks(struct template_entry *entry, int num_banks,
> * size.
> */
> if (memcmp(entry->header.digest, zero, SHA_DIGEST_LENGTH) == 0) {
> - if (!validate) {
> + if (!ignore_violations) {
> memset(bank[i].digest, 0x00, bank[i].digest_size);
> memset(padded_bank[i].digest, 0x00, padded_bank[i].digest_size);
> } else {
> @@ -2467,6 +2467,7 @@ static void usage(void)
> " --caps use custom Capabilities for EVM(unspecified: from FS, empty: do not use)\n"
> " --verify-sig verify measurement list signatures\n"
> " --engine e preload OpenSSL engine e (such as: gost)\n"
> + " --ignore-violations ignore ToMToU measurement violations"
> " -v increase verbosity level\n"
> " -h, --help display this help and exit\n"
> "\n");
> @@ -2483,7 +2484,7 @@ struct command cmds[] = {
> {"ima_verify", cmd_verify_ima, 0, "file", "Verify IMA signature (for debugging).\n"},
> {"ima_setxattr", cmd_setxattr_ima, 0, "[--sigfile file]", "Set IMA signature from sigfile\n"},
> {"ima_hash", cmd_hash_ima, 0, "file", "Make file content hash.\n"},
> - {"ima_measurement", cmd_ima_measurement, 0, "[--validate] [--verify-sig [--key key1, key2, ...]] [--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...] file", "Verify measurement list (experimental).\n"},
> + {"ima_measurement", cmd_ima_measurement, 0, "[--ignore-violations] [--verify-sig [--key key1, key2, ...]] [--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...] file", "Verify measurement list (experimental).\n"},
> {"ima_boot_aggregate", cmd_ima_bootaggr, 0, "[file]", "Calculate per TPM bank boot_aggregate digests\n"},
> {"ima_fix", cmd_ima_fix, 0, "[-t fdsxm] path", "Recursively fix IMA/EVM xattrs in fix mode.\n"},
> {"ima_clear", cmd_ima_clear, 0, "[-t fdsxm] path", "Recursively remove IMA/EVM xattrs.\n"},
> @@ -2522,7 +2523,7 @@ static struct option opts[] = {
> {"verify-sig", 0, 0, 138},
> {"engine", 1, 0, 139},
> {"xattr-user", 0, 0, 140},
> - {"validate", 0, 0, 141},
> + {"ignore-violations", 0, 0, 141},
> {"pcrs", 1, 0, 142},
> {}
>
> @@ -2702,8 +2703,8 @@ int main(int argc, char *argv[])
> xattr_ima = "user.ima";
> xattr_evm = "user.evm";
> break;
> - case 141: /* --validate */
> - validate = 1;
> + case 141: /* --ignore-violations */
> + ignore_violations = 1;
> break;
> case 142:
> if (npcrfile >= MAX_PCRFILE) {
>
^ permalink raw reply [flat|nested] 7+ messages in thread
* [ima-evm-utils: PATCH 3/3] Update the ima_boot_aggregate apsects of the "README" and "help" files
2020-07-31 14:14 [ima-evm-utils: PATCH 0/3] evmctl option improvements Mimi Zohar
2020-07-31 14:14 ` [ima-evm-utils: PATCH 1/3] Drop the ima_measurement "--verify" option Mimi Zohar
2020-07-31 14:14 ` [ima-evm-utils: PATCH 2/3] Rename "--validate" to "--ignore-violations" Mimi Zohar
@ 2020-07-31 14:14 ` Mimi Zohar
2020-07-31 15:33 ` Lakshmi Ramasubramanian
2 siblings, 1 reply; 7+ messages in thread
From: Mimi Zohar @ 2020-07-31 14:14 UTC (permalink / raw)
To: linux-integrity; +Cc: Mimi Zohar, Petr Vorel, Vitaly Chikunov, Bruno Meneguele
Add the missing "evmctl ima_boot_aggregate" info to the README. Update
the "help" to include the new "--pcrs" option. In addition, replace
the "file" option with "TPM 1.2 BIOS event log". The new format is:
ima_boot_aggregate [--pcrs hash-algorithm,file] [TPM 1.2 BIOS event log]
Reminder: calculating the TPM PCRs based on the BIOS event log and
comparing them with the TPM PCRs should be done prior to calculating the
possible boot_aggregate value(s).
For TPM 1.2, the TPM 1.2 BIOS event log may be provided as an option
when calculating the ima_boot_aggregate. For TPM 2.0, "tsseventextend
-sim -if <binary_bios_measurements> -ns -v", may be used to validate
the TPM 2.0 event log.
(Note: some TPM 2.0's export the BIOS event log in the TPM 1.2 format.)
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
README | 1 +
src/evmctl.c | 2 +-
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/README b/README
index b37325f31802..321045d9d52b 100644
--- a/README
+++ b/README
@@ -28,6 +28,7 @@ COMMANDS
import [--rsa] pubkey keyring
sign [-r] [--imahash | --imasig ] [--portable] [--key key] [--pass password] file
verify file
+ ima_boot_aggregate [--pcrs hash-algorithm,file] [TPM 1.2 BIOS event log]
ima_sign [--sigfile] [--key key] [--pass password] file
ima_verify file
ima_hash file
diff --git a/src/evmctl.c b/src/evmctl.c
index 7ad11507487f..de7299d41b2c 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -2485,7 +2485,7 @@ struct command cmds[] = {
{"ima_setxattr", cmd_setxattr_ima, 0, "[--sigfile file]", "Set IMA signature from sigfile\n"},
{"ima_hash", cmd_hash_ima, 0, "file", "Make file content hash.\n"},
{"ima_measurement", cmd_ima_measurement, 0, "[--ignore-violations] [--verify-sig [--key key1, key2, ...]] [--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...] file", "Verify measurement list (experimental).\n"},
- {"ima_boot_aggregate", cmd_ima_bootaggr, 0, "[file]", "Calculate per TPM bank boot_aggregate digests\n"},
+ {"ima_boot_aggregate", cmd_ima_bootaggr, 0, "[--pcrs hash-algorithm,file] [TPM 1.2 BIOS event log]", "Calculate per TPM bank boot_aggregate digests\n"},
{"ima_fix", cmd_ima_fix, 0, "[-t fdsxm] path", "Recursively fix IMA/EVM xattrs in fix mode.\n"},
{"ima_clear", cmd_ima_clear, 0, "[-t fdsxm] path", "Recursively remove IMA/EVM xattrs.\n"},
{"sign_hash", cmd_sign_hash, 0, "[--key key] [--pass [password]", "Sign hashes from shaXsum output.\n"},
--
2.18.4
^ permalink raw reply related [flat|nested] 7+ messages in thread* Re: [ima-evm-utils: PATCH 3/3] Update the ima_boot_aggregate apsects of the "README" and "help" files
2020-07-31 14:14 ` [ima-evm-utils: PATCH 3/3] Update the ima_boot_aggregate apsects of the "README" and "help" files Mimi Zohar
@ 2020-07-31 15:33 ` Lakshmi Ramasubramanian
0 siblings, 0 replies; 7+ messages in thread
From: Lakshmi Ramasubramanian @ 2020-07-31 15:33 UTC (permalink / raw)
To: Mimi Zohar, linux-integrity; +Cc: Petr Vorel, Vitaly Chikunov, Bruno Meneguele
On 7/31/20 7:14 AM, Mimi Zohar wrote:
> Add the missing "evmctl ima_boot_aggregate" info to the README. Update
> the "help" to include the new "--pcrs" option. In addition, replace
> the "file" option with "TPM 1.2 BIOS event log". The new format is:
>
> ima_boot_aggregate [--pcrs hash-algorithm,file] [TPM 1.2 BIOS event log]
>
> Reminder: calculating the TPM PCRs based on the BIOS event log and
> comparing them with the TPM PCRs should be done prior to calculating the
> possible boot_aggregate value(s).
>
> For TPM 1.2, the TPM 1.2 BIOS event log may be provided as an option
> when calculating the ima_boot_aggregate. For TPM 2.0, "tsseventextend
> -sim -if <binary_bios_measurements> -ns -v", may be used to validate
> the TPM 2.0 event log.
>
> (Note: some TPM 2.0's export the BIOS event log in the TPM 1.2 format.)
>
> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
> ---
> README | 1 +
> src/evmctl.c | 2 +-
> 2 files changed, 2 insertions(+), 1 deletion(-)
>
Reviewed-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
> diff --git a/README b/README
> index b37325f31802..321045d9d52b 100644
> --- a/README
> +++ b/README
> @@ -28,6 +28,7 @@ COMMANDS
> import [--rsa] pubkey keyring
> sign [-r] [--imahash | --imasig ] [--portable] [--key key] [--pass password] file
> verify file
> + ima_boot_aggregate [--pcrs hash-algorithm,file] [TPM 1.2 BIOS event log]
> ima_sign [--sigfile] [--key key] [--pass password] file
> ima_verify file
> ima_hash file
> diff --git a/src/evmctl.c b/src/evmctl.c
> index 7ad11507487f..de7299d41b2c 100644
> --- a/src/evmctl.c
> +++ b/src/evmctl.c
> @@ -2485,7 +2485,7 @@ struct command cmds[] = {
> {"ima_setxattr", cmd_setxattr_ima, 0, "[--sigfile file]", "Set IMA signature from sigfile\n"},
> {"ima_hash", cmd_hash_ima, 0, "file", "Make file content hash.\n"},
> {"ima_measurement", cmd_ima_measurement, 0, "[--ignore-violations] [--verify-sig [--key key1, key2, ...]] [--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...] file", "Verify measurement list (experimental).\n"},
> - {"ima_boot_aggregate", cmd_ima_bootaggr, 0, "[file]", "Calculate per TPM bank boot_aggregate digests\n"},
> + {"ima_boot_aggregate", cmd_ima_bootaggr, 0, "[--pcrs hash-algorithm,file] [TPM 1.2 BIOS event log]", "Calculate per TPM bank boot_aggregate digests\n"},
> {"ima_fix", cmd_ima_fix, 0, "[-t fdsxm] path", "Recursively fix IMA/EVM xattrs in fix mode.\n"},
> {"ima_clear", cmd_ima_clear, 0, "[-t fdsxm] path", "Recursively remove IMA/EVM xattrs.\n"},
> {"sign_hash", cmd_sign_hash, 0, "[--key key] [--pass [password]", "Sign hashes from shaXsum output.\n"},
>
^ permalink raw reply [flat|nested] 7+ messages in thread