From: Mimi Zohar <zohar@linux.ibm.com>
To: linux-integrity@vger.kernel.org
Cc: Mimi Zohar <zohar@linux.ibm.com>
Subject: [PATCH] Fix reading the TPM 2.0 PCRs
Date: Tue, 31 Jan 2023 12:33:44 -0500
Message-ID: <20230131173344.8147-1-zohar@linux.ibm.com>

Prior to the support for reading the TPM 2.0 PCRs via the sysfs
interface, based on environment variables the userspace application read
either the physical or software TPM's PCRs.

With the support for reading the exported TPM 2.0 PCRs via the sysfs
interface, the physical TPM's PCRs are always read.  Define a new evmctl
option named '--hwtpm' to limit reading the TPM 2.0 PCRs via the sysfs
interface.

Fixes: a141bd594263 ("add support for reading per bank TPM 2.0 PCRs via sysfs")
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
 src/evmctl.c              | 9 +++++++--
 tests/boot_aggregate.test | 7 +++++--
 2 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/src/evmctl.c b/src/evmctl.c
index 91b531c9e01e..95281df08051 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -139,6 +139,7 @@ static dev_t fs_dev;
 static bool evm_immutable;
 static bool evm_portable;
 static bool veritysig;
+static bool hwtpm;
 
 #define HMAC_FLAG_NO_UUID	0x0001
 #define HMAC_FLAG_CAPS_SET	0x0002
@@ -2152,7 +2153,7 @@ static int read_tpm_banks(int num_banks, struct tpm_bank_info *bank)
 	if (read_sysfs_pcrs(num_banks, bank) == 0)
 		return 0;
 
-	if (read_sysfs_tpm2_pcrs(num_banks, bank) == 0)
+	if (hwtpm && read_sysfs_tpm2_pcrs(num_banks, bank) == 0)
 		return 0;
 
 	/* Any userspace applications available for reading TPM 2.0 PCRs? */
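Review bot: in read_tpm_banks() the new `hwtpm &&` guard makes the TPM 2.0 sysfs read opt-in, so without --hwtpm the function now always falls through to the userspace-application path, while the read_sysfs_pcrs() call just above stays unconditional. The commit message's "limit reading ... via the sysfs interface" can be read in either direction, so a short comment above the condition stating the default (TPM 2.0 sysfs PCRs are skipped unless --hwtpm is given) would prevent misreading. It is also worth confirming that every caller of read_tpm_banks() is meant to get the new default, since a boot_aggregate computed from a different PCR source than expected will simply fail to match.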
@@ -2878,7 +2879,7 @@ struct command cmds[] = {
 	{"ima_setxattr", cmd_setxattr_ima, 0, "[--sigfile file]", "Set IMA signature from sigfile\n"},
 	{"ima_hash", cmd_hash_ima, 0, "file", "Make file content hash.\n"},
 	{"ima_measurement", cmd_ima_measurement, 0, "[--ignore-violations] [--verify-sig [--key key1, key2, ...]] [--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...] [--verify-bank hash-algorithm] file", "Verify measurement list (experimental).\n"},
-	{"ima_boot_aggregate", cmd_ima_bootaggr, 0, "[--pcrs hash-algorithm,file] [TPM 1.2 BIOS event log]", "Calculate per TPM bank boot_aggregate digests\n"},
+	{"ima_boot_aggregate", cmd_ima_bootaggr, 0, "[--pcrs hash-algorithm,file] [TPM 1.2 BIOS event log] [--hwtpm]", "Calculate per TPM bank boot_aggregate digests\n"},
 	{"ima_fix", cmd_ima_fix, 0, "[-t fdsxm] path", "Recursively fix IMA/EVM xattrs in fix mode.\n"},
 	{"ima_clear", cmd_ima_clear, 0, "[-t fdsxm] path", "Recursively remove IMA/EVM xattrs.\n"},
 	{"sign_hash", cmd_sign_hash, 0, "[--veritysig] [--key key] [--pass password]", "Sign hashes from either shaXsum or \"fsverity digest\" output.\n"},
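Review bot: the ima_boot_aggregate usage string is the only documentation for --hwtpm in this patch; the diffstat touches just src/evmctl.c and tests/boot_aggregate.test, and no hunk adds a description of the option to the general help text. Please add one sentence saying that TPM 2.0 PCRs are read from sysfs only when the flag is given, and consider listing `[--hwtpm]` before the positional `[TPM 1.2 BIOS event log]` argument, as the `--pcrs` option is. If ima_measurement also reaches read_tpm_banks(), its usage string needs the flag as well.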
@@ -2924,6 +2925,7 @@ static struct option opts[] = {
 	{"keyid", 1, 0, 144},
 	{"keyid-from-cert", 1, 0, 145},
 	{"veritysig", 0, 0, 146},
+	{"hwtpm", 0, 0, 147},
 	{}
 
 };
@@ -3166,6 +3168,9 @@ int main(int argc, char *argv[])
 		case 146:
 			veritysig = 1;
 			break;
+		case 147:
+			hwtpm = 1;
+			break;
 		case '?':
 			exit(1);
 			break;
diff --git a/tests/boot_aggregate.test b/tests/boot_aggregate.test
index ca5faf9cd97d..b0b2db41f4c1 100755
--- a/tests/boot_aggregate.test
+++ b/tests/boot_aggregate.test
@@ -126,8 +126,10 @@ display_pcrs() {
 # Verify that the last "boot_aggregate" record in the IMA measurement
 # list matches.
 check() {
+	local options=$1
+
 	echo "INFO: Calculating the boot_aggregate (PCRs 0 - 9) for multiple banks"
-	bootaggr=$(evmctl ima_boot_aggregate)
+	bootaggr=$(evmctl ima_boot_aggregate ${options})
 	if [ $? -ne 0 ]; then
 		echo "${CYAN}SKIP: evmctl ima_boot_aggregate: $bootaggr${NORM}"
 		exit "$SKIP"
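Review bot: in check(), `local options=$1` keeps only the first word passed in, while the caller expands $BOOTAGGR_OPTIONS unquoted, so a second option added to that variable later would be dropped silently. `local options="$*"` (or passing "$@" straight through to evmctl) avoids that. The unquoted `${options}` on the evmctl line is then deliberate word splitting and deserves a brief comment so it is not "fixed" by quoting later.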
@@ -151,6 +153,7 @@ check() {
 }
 
 if [ "$(id -u)" = 0 ] && [ -c "/dev/tpm0" ]; then
+	BOOTAGGR_OPTIONS="--hwtpm"
 	ASCII_RUNTIME_MEASUREMENTS="/sys/kernel/security/ima/ascii_runtime_measurements"
 	if [ ! -d "/sys/kernel/security/ima" ]; then
 		echo "${CYAN}SKIP: CONFIG_IMA not enabled${NORM}"
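Review bot: BOOTAGGR_OPTIONS is assigned only inside the root-with-/dev/tpm0 branch, so on the non-root or no-/dev/tpm0 path its value is whatever the calling environment happened to export. Initialize it to an empty string near the top of the script so that path can never pick up a stray --hwtpm, or any other option, from the environment.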
@@ -194,4 +197,4 @@ if [ "$(id -u)" != 0 ] || [ ! -c "/dev/tpm0" ]; then
 	fi
 fi
 
-expect_pass check
+expect_pass check $BOOTAGGR_OPTIONS
-- 
2.31.1

