From: Mimi Zohar <zohar@linux.ibm.com>
To: linux-integrity@vger.kernel.org
Cc: Mimi Zohar <zohar@linux.ibm.com>, Petr Vorel <pvorel@suse.cz>,
Bruno Meneguele <bmeneg@redhat.com>
Subject: [PATCH 2/3] ima-evm-utils: read the TPM 1.2 binary_bios_measurements
Date: Mon, 6 Jul 2020 22:27:16 -0400 [thread overview]
Message-ID: <1594088837-27526-3-git-send-email-zohar@linux.ibm.com> (raw)
In-Reply-To: <1594088837-27526-1-git-send-email-zohar@linux.ibm.com>
Instead of just calculating the "boot_aggregate" based on the current
TPM PCRs, the original LTP and standalone ima_boot_aggregate test walked
the TPM 1.2 event log, calculating the PCRs.
If the TPM 1.2 event log is provided as an option on the "evmctl
ima_boot_aggregate" command, read the event log, calculate the sha1
PCRs, and calculate the "boot_aggregate" based on these PCRs.
The code for walking the IMA measurement list is based on the LTP and
standalone ima_boot_aggregate tests. Similar support for reading the
TPM 2.0 event log to calculate the PCRs requires the TPM 2.0 event log
to be exported or a TSS to read the event log. Parsing the TPM 2.0
event log is not supported here.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
src/evmctl.c | 92 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++----
1 file changed, 87 insertions(+), 5 deletions(-)
diff --git a/src/evmctl.c b/src/evmctl.c
index b157c452839b..9ee440f6a50a 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -1963,6 +1963,67 @@ static int cmd_ima_measurement(struct command *cmd)
return ima_measurement(file);
}
+#define MAX_EVENT_DATA_SIZE 200000
+static int read_binary_bios_measurements(char *file, struct tpm_bank_info *bank)
+{
+ struct {
+ struct {
+ uint32_t pcr;
+ int type;
+ unsigned char digest[SHA_DIGEST_LENGTH];
+ uint32_t len;
+ } header;
+ unsigned char data[MAX_EVENT_DATA_SIZE];
+ } event;
+ FILE *fp;
+ SHA_CTX c;
+ int err = 0;
+ int i;
+
+ fp = fopen(file, "r");
+ if (!fp) {
+ log_errno("Failed to open TPM 1.2 event log.\n");
+ return 1;
+ }
+
+ if (imaevm_params.verbose > LOG_INFO)
+ log_info("Reading the TPM 1.2 event log %s.\n", file);
+
+ /* Extend the pseudo TPM PCRs with the event digest */
+ while (fread(&event, sizeof(event.header), 1, fp)) {
+ if (imaevm_params.verbose > LOG_INFO) {
+ log_info("%02u ", event.header.pcr);
+ log_dump(event.header.digest, SHA_DIGEST_LENGTH);
+ }
+ if (event.header.pcr > NUM_PCRS) {
+ log_err("Invalid PCR %d.\n", event.header.pcr);
+ err = 1;
+ break;
+ }
+ SHA1_Init(&c);
+ SHA1_Update(&c, bank->pcr[event.header.pcr], 20);
+ SHA1_Update(&c, event.header.digest, 20);
+ SHA1_Final(bank->pcr[event.header.pcr], &c);
+ if (event.header.len > MAX_EVENT_DATA_SIZE) {
+ log_err("Event data event too long.\n");
+ err = 1;
+ break;
+ }
+ fread(event.data, event.header.len, 1, fp);
+ }
+ fclose(fp);
+
+ if (imaevm_params.verbose <= LOG_INFO)
+ return err;
+
+ for (i = 0; i < NUM_PCRS; i++) {
+ log_info("PCR-%2.2x ", i);
+ log_dump(bank->pcr[i], SHA_DIGEST_LENGTH);
+
+ }
+ return err;
+}
+
static void calc_bootaggr(struct tpm_bank_info *bank)
{
EVP_MD_CTX *pctx;
@@ -2056,13 +2117,34 @@ static int cmd_ima_bootaggr(struct command *cmd)
char *bootaggr;
int num_banks = 0;
int offset = 0;
+ int err = 0;
int i;
- tpm_banks = init_tpm_banks(&num_banks);
+ char *file = g_argv[optind++];
- if (read_tpm_banks(num_banks, tpm_banks) != 0) {
- log_info("Failed to read any TPM PCRs\n");
- return -1;
+ /*
+ * Instead of just reading the TPM 1.2 PCRs, walk the exported
+ * TPM 1.2 SHA1 event log, calculating the PCRs.
+ */
+ if (file) {
+ tpm_banks = init_tpm_banks(&num_banks);
+
+ /* TPM 1.2 only supports SHA1.*/
+ for (i = 1; i < num_banks; i++)
+ tpm_banks[i].supported = 0;
+
+ err = read_binary_bios_measurements(file, tpm_banks);
+ if (err) {
+ log_info("Failed reading the TPM 1.2 event log %s.\n",
+ file);
+ return -1;
+ }
+ } else {
+ tpm_banks = init_tpm_banks(&num_banks);
+ if (read_tpm_banks(num_banks, tpm_banks) != 0) {
+ log_info("Failed to read any TPM PCRs\n");
+ return -1;
+ }
}
/*
@@ -2211,7 +2293,7 @@ struct command cmds[] = {
{"ima_setxattr", cmd_setxattr_ima, 0, "[--sigfile file]", "Set IMA signature from sigfile\n"},
{"ima_hash", cmd_hash_ima, 0, "file", "Make file content hash.\n"},
{"ima_measurement", cmd_ima_measurement, 0, "[--validate] [--verify] file", "Verify measurement list (experimental).\n"},
- {"ima_boot_aggregate", cmd_ima_bootaggr, 0, "", "Calculate per TPM bank boot_aggregate digests\n"},
+ {"ima_boot_aggregate", cmd_ima_bootaggr, 0, "[file]", "Calculate per TPM bank boot_aggregate digests\n"},
{"ima_fix", cmd_ima_fix, 0, "[-t fdsxm] path", "Recursively fix IMA/EVM xattrs in fix mode.\n"},
{"ima_clear", cmd_ima_clear, 0, "[-t fdsxm] path", "Recursively remove IMA/EVM xattrs.\n"},
{"sign_hash", cmd_sign_hash, 0, "[--key key] [--pass [password]", "Sign hashes from shaXsum output.\n"},
--
2.7.5
next prev parent reply other threads:[~2020-07-07 2:27 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-07-07 2:27 [PATCH 0/3] ima-evm-utils: original "ima" template support Mimi Zohar
2020-07-07 2:27 ` [PATCH 1/3] ima-evm-utils: support the original "ima" template Mimi Zohar
2020-07-07 2:27 ` Mimi Zohar [this message]
2020-07-07 2:27 ` [PATCH 3/3] ima-evm-utils: mixed "ima" and other template formats not supported Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1594088837-27526-3-git-send-email-zohar@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=bmeneg@redhat.com \
--cc=linux-integrity@vger.kernel.org \
--cc=pvorel@suse.cz \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.