[v2,5/8] ima-evm-utils: guarantee the measurement list contains all the records

Commit Message

Mimi Zohar July 10, 2020, 4 p.m. UTC

Reading the TPM PCRs before walking the measurement list guarantees
the measurement list contains all the records.

Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
 src/evmctl.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

Patch

diff --git a/src/evmctl.c b/src/evmctl.c
index fac6a270794f..5787887882b4 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -1876,6 +1876,7 @@  static int ima_measurement(const char *file)
 	struct tpm_bank_info *tpm_banks;
 	int is_ima_template, cur_template_fmt;
 	int num_banks = 0;
+	int tpmbanks = 1;
 	int first_record = 1;
 
 	struct template_entry entry = { .template = 0 };
@@ -1901,6 +1902,14 @@  static int ima_measurement(const char *file)
 	else				/* assume read pubkey from x509 cert */
 		init_public_keys("/etc/keys/x509_evm.der");
 
+	/*
+	 * Reading the PCRs before walking the IMA measurement list
+	 * guarantees that all of the measurements are included in
+	 * the PCRs.
+	 */
+	if (read_tpm_banks(num_banks, tpm_banks) != 0)
+		tpmbanks = 0;
+
 	while (fread(&entry.header, sizeof(entry.header), 1, fp)) {
 		if (entry.header.name_len > TCG_EVENT_NAME_LEN_MAX) {
 			log_err("%d ERROR: event name too long!\n",
@@ -1999,10 +2008,9 @@  static int ima_measurement(const char *file)
 			ima_ng_show(&entry);
 	}
 
-	if (read_tpm_banks(num_banks, tpm_banks) != 0) {
-		err = 0;
+	if (tpmbanks == 0)
 		log_info("Failed to read any TPM PCRs\n");
-	} else {
+	else {
 		err = compare_tpm_banks(num_banks, pseudo_banks, tpm_banks);
 		if (!err)
 			log_info("Matched per TPM bank calculated digest(s).\n");