ima_evm_utils: emit the per TPM PCR bank "boot_aggregate" values

Commit Message

Mimi Zohar June 15, 2020, 5:58 p.m. UTC

Instead of emitting the per TPM PCR bank "boot_aggregate" values one
at a time, store them in a buffer and emit them all at once.

Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
 src/evmctl.c | 55 +++++++++++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 53 insertions(+), 2 deletions(-)

Comments

Petr Vorel June 18, 2020, 6:53 p.m. UTC | #1

Hi Mimi,

> Instead of emitting the per TPM PCR bank "boot_aggregate" values one
> at a time, store them in a buffer and emit them all at once.

Thanks for notifying me.

I see you already pushed this commit into next-testing
and I found few problems, thus posted patches to ML: segfault bug on system with
TPM 1.2 only [1], running tsspcrread on system without TPM [2] and logging
problem [3].

I'll move the discussion there.

Kind regards,
Petr

[1] https://patchwork.kernel.org/patch/11612893/
[2] https://patchwork.kernel.org/patch/11612911/
[3] https://patchwork.kernel.org/patch/11612913/

Patch

diff --git a/src/evmctl.c b/src/evmctl.c
index 675980823636..1d065ceed886 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -1937,11 +1937,36 @@  static void calc_bootaggr(struct tpm_bank_info *bank)
 	}
 
 out:
-	printf("%s:", bank->algo_name);
-	imaevm_hexdump(bank->digest, bank->digest_size);
 #if OPENSSL_VERSION_NUMBER >= 0x10100000
 	EVP_MD_CTX_free(pctx);
 #endif
+
+}
+
+/*
+ * The "boot_aggregate" format is the TPM PCR bank algorithm, a colon
+ * separator, followed by a per bank TPM PCR bank specific digest.
+ * Store the TPM PCR bank specific "boot_aggregate" value as a newline
+ * terminated string in the provided buffer.
+ */
+static int append_bootaggr(char *bootaggr, struct tpm_bank_info *tpm_banks)
+{
+	uint8_t *buf;
+	int j;
+
+	strcpy(bootaggr, tpm_banks->algo_name);
+	j = strlen(tpm_banks->algo_name);
+	bootaggr[j++] = ':';
+
+	for (buf = tpm_banks->digest;
+	     buf < (tpm_banks->digest + tpm_banks->digest_size);
+	     buf++) {
+		bootaggr[j++] = hex_asc_hi(*buf);
+		bootaggr[j++] = hex_asc_lo(*buf);
+	}
+
+	bootaggr[j++] = '\n';
+	return j;
 }
 
 /*
@@ -1953,7 +1978,10 @@  out:
 static int cmd_ima_bootaggr(struct command *cmd)
 {
 	struct tpm_bank_info *tpm_banks;
+	int bootaggr_len = 0;
+	char *bootaggr;
 	int num_banks = 0;
+	int offset = 0;
 	int i;
 
 	tpm_banks = init_tpm_banks(&num_banks);
@@ -1963,11 +1991,34 @@  static int cmd_ima_bootaggr(struct command *cmd)
 		return -1;
 	}
 
+	/*
+	 * Allocate enough memory for the per TPM 2.0 PCR bank algorithm,
+	 * the colon separator, the boot_aggregate digest and newline.
+	 *
+	 * Format: <hash algorithm name>:<boot_aggregate digest>\n ...
+	 */
+	for (i = 0; i < num_banks; i++) {
+		if (!tpm_banks[i].supported)
+			continue;
+		bootaggr_len += strlen(tpm_banks[i].algo_name) + 1;
+		bootaggr_len += (tpm_banks[i].digest_size * 2) + 1;
+	}
+	bootaggr = malloc(bootaggr_len);
+
+	/*
+	 * Calculate and convert the per TPM 2.0 PCR bank algorithm
+	 * "boot_aggregate" digest from binary to asciihex.  Store the
+	 * "boot_aggregate" values as a list of newline terminated
+	 * strings.
+	 */
 	for (i = 0; i < num_banks; i++) {
 		if (!tpm_banks[i].supported)
 			continue;
 		calc_bootaggr(&tpm_banks[i]);
+		offset += append_bootaggr(bootaggr + offset, tpm_banks + i);
 	}
+	printf("%s", bootaggr);
+	free(bootaggr);
 	return 0;
 }