| Message ID | 20200731141432.668318-3-zohar@linux.ibm.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | evmctl option improvements | expand |
On 7/31/20 7:14 AM, Mimi Zohar wrote: > IMA records file "Time of Measure, Time of Use (ToMToU)" and "open > writers" integrity violations by adding a record to the measurement > list containing one value (0x00's), but extending the TPM with a > different value (0xFF's). > > To avoid known file integrity violations, the builtin "tcb" measurement > policy should be replaced with a custom policy as early as possible. > This patch renames the existing "--validate" option to > "--ignore-violations". > > Suggested-by: Stephen Smalley <stephen.smalley.work@gmail.com> > Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> > --- > README | 4 ++-- > src/evmctl.c | 13 +++++++------ > 2 files changed, 9 insertions(+), 8 deletions(-) Reviewed-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com> > > diff --git a/README b/README > index d8b8f404534b..b37325f31802 100644 > --- a/README > +++ b/README > @@ -31,7 +31,7 @@ COMMANDS > ima_sign [--sigfile] [--key key] [--pass password] file > ima_verify file > ima_hash file > - ima_measurement [--validate] [--verify-sig [--key "key1, key2, ..."]] [--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...] file > + ima_measurement [--ignore-violations] [--verify-sig [--key "key1, key2, ..."]] [--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...] file > ima_fix [-t fdsxm] path > sign_hash [--key key] [--pass password] > hmac [--imahash | --imasig ] file > @@ -60,7 +60,7 @@ OPTIONS > --m64 force EVM hmac/signature for 64 bit target system > --engine e preload OpenSSL engine e (such as: gost) > --pcrs file containing TPM pcrs, one per hash-algorithm/bank > - --validate ignore ToMToU measurement violations > + --ignore-violations ignore ToMToU measurement violations > --verify-sig verify the file signature based on the file hash, both > stored in the template data. > -v increase verbosity level > diff --git a/src/evmctl.c b/src/evmctl.c > index b4d2333fb880..7ad11507487f 100644 > --- a/src/evmctl.c > +++ b/src/evmctl.c > @@ -1392,7 +1392,7 @@ struct template_entry { > > static uint8_t zero[MAX_DIGEST_SIZE]; > > -static int validate = 0; > +static int ignore_violations = 0; > > static int ima_verify_template_hash(struct template_entry *entry) > { > @@ -1739,7 +1739,7 @@ static void extend_tpm_banks(struct template_entry *entry, int num_banks, > * size. > */ > if (memcmp(entry->header.digest, zero, SHA_DIGEST_LENGTH) == 0) { > - if (!validate) { > + if (!ignore_violations) { > memset(bank[i].digest, 0x00, bank[i].digest_size); > memset(padded_bank[i].digest, 0x00, padded_bank[i].digest_size); > } else { > @@ -2467,6 +2467,7 @@ static void usage(void) > " --caps use custom Capabilities for EVM(unspecified: from FS, empty: do not use)\n" > " --verify-sig verify measurement list signatures\n" > " --engine e preload OpenSSL engine e (such as: gost)\n" > + " --ignore-violations ignore ToMToU measurement violations" > " -v increase verbosity level\n" > " -h, --help display this help and exit\n" > "\n"); > @@ -2483,7 +2484,7 @@ struct command cmds[] = { > {"ima_verify", cmd_verify_ima, 0, "file", "Verify IMA signature (for debugging).\n"}, > {"ima_setxattr", cmd_setxattr_ima, 0, "[--sigfile file]", "Set IMA signature from sigfile\n"}, > {"ima_hash", cmd_hash_ima, 0, "file", "Make file content hash.\n"}, > - {"ima_measurement", cmd_ima_measurement, 0, "[--validate] [--verify-sig [--key key1, key2, ...]] [--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...] file", "Verify measurement list (experimental).\n"}, > + {"ima_measurement", cmd_ima_measurement, 0, "[--ignore-violations] [--verify-sig [--key key1, key2, ...]] [--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...] file", "Verify measurement list (experimental).\n"}, > {"ima_boot_aggregate", cmd_ima_bootaggr, 0, "[file]", "Calculate per TPM bank boot_aggregate digests\n"}, > {"ima_fix", cmd_ima_fix, 0, "[-t fdsxm] path", "Recursively fix IMA/EVM xattrs in fix mode.\n"}, > {"ima_clear", cmd_ima_clear, 0, "[-t fdsxm] path", "Recursively remove IMA/EVM xattrs.\n"}, > @@ -2522,7 +2523,7 @@ static struct option opts[] = { > {"verify-sig", 0, 0, 138}, > {"engine", 1, 0, 139}, > {"xattr-user", 0, 0, 140}, > - {"validate", 0, 0, 141}, > + {"ignore-violations", 0, 0, 141}, > {"pcrs", 1, 0, 142}, > {} > > @@ -2702,8 +2703,8 @@ int main(int argc, char *argv[]) > xattr_ima = "user.ima"; > xattr_evm = "user.evm"; > break; > - case 141: /* --validate */ > - validate = 1; > + case 141: /* --ignore-violations */ > + ignore_violations = 1; > break; > case 142: > if (npcrfile >= MAX_PCRFILE) { >
diff --git a/README b/README index d8b8f404534b..b37325f31802 100644 --- a/README +++ b/README @@ -31,7 +31,7 @@ COMMANDS ima_sign [--sigfile] [--key key] [--pass password] file ima_verify file ima_hash file - ima_measurement [--validate] [--verify-sig [--key "key1, key2, ..."]] [--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...] file + ima_measurement [--ignore-violations] [--verify-sig [--key "key1, key2, ..."]] [--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...] file ima_fix [-t fdsxm] path sign_hash [--key key] [--pass password] hmac [--imahash | --imasig ] file @@ -60,7 +60,7 @@ OPTIONS --m64 force EVM hmac/signature for 64 bit target system --engine e preload OpenSSL engine e (such as: gost) --pcrs file containing TPM pcrs, one per hash-algorithm/bank - --validate ignore ToMToU measurement violations + --ignore-violations ignore ToMToU measurement violations --verify-sig verify the file signature based on the file hash, both stored in the template data. -v increase verbosity level diff --git a/src/evmctl.c b/src/evmctl.c index b4d2333fb880..7ad11507487f 100644 --- a/src/evmctl.c +++ b/src/evmctl.c @@ -1392,7 +1392,7 @@ struct template_entry { static uint8_t zero[MAX_DIGEST_SIZE]; -static int validate = 0; +static int ignore_violations = 0; static int ima_verify_template_hash(struct template_entry *entry) { @@ -1739,7 +1739,7 @@ static void extend_tpm_banks(struct template_entry *entry, int num_banks, * size. */ if (memcmp(entry->header.digest, zero, SHA_DIGEST_LENGTH) == 0) { - if (!validate) { + if (!ignore_violations) { memset(bank[i].digest, 0x00, bank[i].digest_size); memset(padded_bank[i].digest, 0x00, padded_bank[i].digest_size); } else { @@ -2467,6 +2467,7 @@ static void usage(void) " --caps use custom Capabilities for EVM(unspecified: from FS, empty: do not use)\n" " --verify-sig verify measurement list signatures\n" " --engine e preload OpenSSL engine e (such as: gost)\n" + " --ignore-violations ignore ToMToU measurement violations" " -v increase verbosity level\n" " -h, --help display this help and exit\n" "\n"); @@ -2483,7 +2484,7 @@ struct command cmds[] = { {"ima_verify", cmd_verify_ima, 0, "file", "Verify IMA signature (for debugging).\n"}, {"ima_setxattr", cmd_setxattr_ima, 0, "[--sigfile file]", "Set IMA signature from sigfile\n"}, {"ima_hash", cmd_hash_ima, 0, "file", "Make file content hash.\n"}, - {"ima_measurement", cmd_ima_measurement, 0, "[--validate] [--verify-sig [--key key1, key2, ...]] [--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...] file", "Verify measurement list (experimental).\n"}, + {"ima_measurement", cmd_ima_measurement, 0, "[--ignore-violations] [--verify-sig [--key key1, key2, ...]] [--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...] file", "Verify measurement list (experimental).\n"}, {"ima_boot_aggregate", cmd_ima_bootaggr, 0, "[file]", "Calculate per TPM bank boot_aggregate digests\n"}, {"ima_fix", cmd_ima_fix, 0, "[-t fdsxm] path", "Recursively fix IMA/EVM xattrs in fix mode.\n"}, {"ima_clear", cmd_ima_clear, 0, "[-t fdsxm] path", "Recursively remove IMA/EVM xattrs.\n"}, @@ -2522,7 +2523,7 @@ static struct option opts[] = { {"verify-sig", 0, 0, 138}, {"engine", 1, 0, 139}, {"xattr-user", 0, 0, 140}, - {"validate", 0, 0, 141}, + {"ignore-violations", 0, 0, 141}, {"pcrs", 1, 0, 142}, {} @@ -2702,8 +2703,8 @@ int main(int argc, char *argv[]) xattr_ima = "user.ima"; xattr_evm = "user.evm"; break; - case 141: /* --validate */ - validate = 1; + case 141: /* --ignore-violations */ + ignore_violations = 1; break; case 142: if (npcrfile >= MAX_PCRFILE) {
IMA records file "Time of Measure, Time of Use (ToMToU)" and "open writers" integrity violations by adding a record to the measurement list containing one value (0x00's), but extending the TPM with a different value (0xFF's). To avoid known file integrity violations, the builtin "tcb" measurement policy should be replaced with a custom policy as early as possible. This patch renames the existing "--validate" option to "--ignore-violations". Suggested-by: Stephen Smalley <stephen.smalley.work@gmail.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> --- README | 4 ++-- src/evmctl.c | 13 +++++++------ 2 files changed, 9 insertions(+), 8 deletions(-)