From patchwork Thu Jul 9 14:36:34 2020
X-Patchwork-Submitter: Mimi Zohar
X-Patchwork-Id: 11654505
From: Mimi Zohar
To: linux-integrity@vger.kernel.org
Cc: Mimi Zohar, Petr Vorel, Bruno Meneguele
Subject: [PATCH 1/3] ima-evm-utils: improve reading TPM 1.2 PCRs
Date: Thu, 9 Jul 2020 10:36:34 -0400
Message-Id: <1594305396-21280-2-git-send-email-zohar@linux.ibm.com>
X-Mailer: git-send-email 2.7.5
In-Reply-To: <1594305396-21280-1-git-send-email-zohar@linux.ibm.com>
References: <1594305396-21280-1-git-send-email-zohar@linux.ibm.com>

Instead of reading the TPM 1.2 PCRs one at a time, opening and closing the securityfs file each time, read all of the PCRs at once.

Signed-off-by: Mimi Zohar
---
 src/evmctl.c | 39 ++++++++++++++++++---------------------
 1 file changed, 18 insertions(+), 21 deletions(-)

diff --git a/src/evmctl.c b/src/evmctl.c
index 21809b3229e9..0e489e2c7ba6 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -152,6 +152,14 @@ static void print_usage(struct command *cmd); static const char *xattr_ima = "security.ima"; static const char *xattr_evm = "security.evm"; +struct tpm_bank_info { + int digest_size; + int supported; + const char *algo_name; + uint8_t digest[MAX_DIGEST_SIZE]; + uint8_t pcr[NUM_PCRS][MAX_DIGEST_SIZE]; +}; + static int bin2file(const char *file, const char *ext, const unsigned char *data, int len) { FILE *fp;
@@ -1366,13 +1374,13 @@ static int cmd_ima_clear(struct command *cmd) static char *pcrs = "/sys/class/tpm/tpm0/device/pcrs"; /* Kernels >= 4.0 */ static char *misc_pcrs = "/sys/class/misc/tpm0/device/pcrs"; -static int tpm_pcr_read(int idx, uint8_t *pcr, int len) +/* Read all of the TPM 1.2 PCRs */ +static int tpm_pcr_read(struct tpm_bank_info *tpm_banks, int len) { FILE *fp; char *p, pcr_str[7], buf[70]; /* length of the TPM string */ int result = -1; - - sprintf(pcr_str, "PCR-%2.2d", idx); + int i = 0; fp = fopen(pcrs, "r"); if (!fp) @@ -1385,11 +1393,10 @@ static int tpm_pcr_read(int idx, uint8_t *pcr, int len) p = fgets(buf, sizeof(buf), fp); if (!p) break; - if (!strncmp(p, pcr_str, 6)) { - hex2bin(pcr, p + 7, len); - result = 0; - break; - } + sprintf(pcr_str, "PCR-%2.2d", i); + if (!strncmp(p, pcr_str, 6)) + hex2bin(tpm_banks[0].pcr[i++], p + 7, len); + result = 0; } fclose(fp); return result; @@ -1571,14 +1578,6 @@ void ima_ng_show(struct template_entry *entry) } } -struct tpm_bank_info { - int digest_size; - int supported; - const char *algo_name; - uint8_t digest[MAX_DIGEST_SIZE]; - uint8_t pcr[NUM_PCRS][MAX_DIGEST_SIZE]; -}; - static void set_bank_info(struct tpm_bank_info *bank, const char *algo_name) { const EVP_MD *md; 
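Review bot: in the @@ -1385,11 +1393,10 @@ hunk, `result = 0;` now runs for every line read, so a pcrs file that contains no PCR-NN lines at all (or stops after a few) still returns success, and read_tpm_pcrs then marks the bank supported with the remaining pcr[] entries left zeroed; only the later PCR comparison fails, with a misleading message. Suggest setting result only once every entry has been filled, e.g. `if (i == NUM_PCRS) result = 0;` after the loop. The increment in `hex2bin(tpm_banks[0].pcr[i++], p + 7, len);` is also not bounded by NUM_PCRS: because the match string is built from i, a file whose lines run PCR-00 upward in order stops matching by itself once the TPM's last PCR is passed, but an input that keeps going with consecutive PCR numbers would write past the array, so an explicit `i < NUM_PCRS` guard in the loop is cheap insurance (more so once patch 3/3 lets the file be supplied on the command line).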
@@ -1771,11 +1770,9 @@ static int read_tpm_pcrs(int num_banks, struct tpm_bank_info *tpm_banks) { int i; - for (i = 0; i < NUM_PCRS; i++) { - if (tpm_pcr_read(i, tpm_banks[0].pcr[i], SHA_DIGEST_LENGTH)) { - log_debug("Failed to read TPM 1.2 PCRs.\n"); - return -1; - } + if (tpm_pcr_read(tpm_banks, SHA_DIGEST_LENGTH)) { + log_debug("Failed to read TPM 1.2 PCRs.\n"); + return -1; } tpm_banks[0].supported = 1;

From patchwork Thu Jul 9 14:36:35 2020
X-Patchwork-Submitter: Mimi Zohar
X-Patchwork-Id: 11654509
From: Mimi Zohar
To: linux-integrity@vger.kernel.org
Cc: Mimi Zohar, Petr Vorel, Bruno Meneguele
Subject: [PATCH 2/3] ima_evm_utils: support extending TPM 2.0 banks w/original SHA1 padded digest
Date: Thu, 9 Jul 2020 10:36:35 -0400
Message-Id: <1594305396-21280-3-git-send-email-zohar@linux.ibm.com>
X-Mailer: git-send-email 2.7.5
In-Reply-To: <1594305396-21280-1-git-send-email-zohar@linux.ibm.com>
References: <1594305396-21280-1-git-send-email-zohar@linux.ibm.com>

Initially the sha1 digest, including violations, was padded with zeroes before being extended into the other TPM banks. Support walking the IMA measurement list, calculating the per TPM bank SHA1 padded digest(s).

Signed-off-by: Mimi Zohar
---
 src/evmctl.c | 73 +++++++++++++++++++++++++++++++++++++++++++++++-------------
 1 file changed, 58 insertions(+), 15 deletions(-)

diff --git a/src/evmctl.c b/src/evmctl.c
index 0e489e2c7ba6..814aa6b75571 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -1613,6 +1613,10 @@ static struct tpm_bank_info *init_tpm_banks(int *num_banks) return banks; } +/* + * Compare the calculated TPM PCR banks against the PCR values read. + * On failure to match any TPM bank, fail comparison. + */ static int compare_tpm_banks(int num_banks, struct tpm_bank_info *bank, struct tpm_bank_info *tpm_bank) {
@@ -1632,14 +1636,15 @@ static int compare_tpm_banks(int num_banks, struct tpm_bank_info *bank, log_info("%s: TPM PCR-%d: ", tpm_bank[i].algo_name, j); log_dump(tpm_bank[i].pcr[j], tpm_bank[i].digest_size); - ret = memcmp(bank[i].pcr[j], tpm_bank[i].pcr[j], - bank[i].digest_size); - if (!ret) + if (memcmp(bank[i].pcr[j], tpm_bank[i].pcr[j], + bank[i].digest_size) == 0) { log_info("%s PCR-%d: succeed\n", bank[i].algo_name, j); - else + } else { + ret = 1; log_info("%s: PCRAgg %d does not match TPM PCR-%d\n", bank[i].algo_name, j, j); + } } } return ret; @@ -1695,10 +1700,7 @@ static int extend_tpm_bank(EVP_MD_CTX *pctx, const EVP_MD *md, goto out; } - if (validate && !memcmp(entry->header.digest, zero, SHA_DIGEST_LENGTH)) - err = EVP_DigestUpdate(pctx, fox, bank->digest_size); - else - err = EVP_DigestUpdate(pctx, bank->digest, bank->digest_size); + err = EVP_DigestUpdate(pctx, bank->digest, bank->digest_size); if (!err) { printf("EVP_DigestUpdate() failed\n"); goto out; @@ -1716,7 +1718,8 @@ out: /* Calculate and extend the template hash for multiple hash algorithms */ static void extend_tpm_banks(struct template_entry *entry, int num_banks, - struct tpm_bank_info *bank) + struct tpm_bank_info *bank, + struct tpm_bank_info *padded_bank) { EVP_MD_CTX *pctx; const EVP_MD *md; 
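Review bot: in the @@ -1632,14 +1636,15 @@ hunk, `ret` is no longer assigned on the matching path, so the return value now depends on `ret` being initialised to 0 before the loops, which this hunk does not show; please confirm the declaration reads `int ret = 0;` (previously every iteration overwrote it with the memcmp result, so an uninitialised value would have been masked). Since the old code effectively returned only the last comparison's result, the new "any mismatch fails" behaviour is a semantic change that deserves a sentence in the commit message.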
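Review bot: in the @@ -1695,10 +1700,7 @@ hunk, the removed lines were the only visible use of `fox` in extend_tpm_bank, while the later ima_measurement hunk keeps `memset(fox, 0xff, MAX_DIGEST_SIZE);`; if nothing else references `fox` after this series, drop the buffer and its memset rather than leave a dead 0xff pattern around. With the violation substitution moved to the caller, extend_tpm_bank now trusts that bank->digest has already been converted, and the only place that documents this invariant is the comment in extend_tpm_banks; a one-line note above extend_tpm_bank would help the next reader.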
@@ -1741,24 +1744,53 @@ static void extend_tpm_banks(struct template_entry *entry, int num_banks, } /* - * Measurement violations are 0x00 digests. No need to - * calculate the per TPM bank template digests. + * Measurement violations are 0x00 digests, which are extended + * into the TPM as 0xff. Verifying the IMA measurement list + * will fail, unless the 0x00 digests are converted to 0xff's. + * + * Initially the sha1 digest, including violations, was padded + * with zeroes before being extended into the TPM. With the + * per TPM bank digest, violations are the full per bank digest + * size. */ - if (memcmp(entry->header.digest, zero, SHA_DIGEST_LENGTH) == 0) - memset(bank[i].digest, 0x00, bank[i].digest_size); - else { + if (memcmp(entry->header.digest, zero, SHA_DIGEST_LENGTH) == 0) { + if (!validate) { + memset(bank[i].digest, 0x00, bank[i].digest_size); + memset(padded_bank[i].digest, 0x00, padded_bank[i].digest_size); + } else { + memset(bank[i].digest, 0xff, + bank[i].digest_size); + + memset(padded_bank[i].digest, 0x00, + padded_bank[i].digest_size); + memset(padded_bank[i].digest, 0xff, + SHA_DIGEST_LENGTH); + } + } else { err = calculate_template_digest(pctx, md, entry, &bank[i]); if (!err) { bank[i].supported = 0; continue; } + + /* + * calloc set the memory to zero, so just copy the + * sha1 digest. + */ + memcpy(padded_bank[i].digest, entry->header.digest, + SHA_DIGEST_LENGTH); } /* extend TPM BANK with template digest */ err = extend_tpm_bank(pctx, md, entry, &bank[i]); if (!err) bank[i].supported = 0; + + /* extend TPM BANK with zero padded sha1 template digest */ + err = extend_tpm_bank(pctx, md, entry, &padded_bank[i]); + if (!err) + padded_bank[i].supported = 0; } #if OPENSSL_VERSION_NUMBER >= 0x10100000 EVP_MD_CTX_free(pctx); 
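Review bot: in the @@ -1741,24 +1744,53 @@ hunk, the `continue` taken when calculate_template_digest fails clears `bank[i].supported` but skips the padded bank for that entry without clearing `padded_bank[i].supported`; later entries still extend padded_bank[i], so its final value is computed from an incomplete list yet is still offered to compare_tpm_banks as a candidate. Set `padded_bank[i].supported = 0;` before the `continue` as well. The comment "calloc set the memory to zero, so just copy the sha1 digest" relies on the bytes beyond SHA_DIGEST_LENGTH never having been written; that holds today because the validate branch zeros the whole buffer before writing 0xff into the first SHA_DIGEST_LENGTH bytes, but an explicit memset before the memcpy would make the padding independent of the allocator and of branch ordering. Style: `memset(padded_bank[i].digest, 0x00, padded_bank[i].digest_size);` in the !validate branch runs past 80 columns while the sibling calls are wrapped.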
@@ -1825,6 +1857,7 @@ static int read_tpm_banks(int num_banks, struct tpm_bank_info *bank) static int ima_measurement(const char *file) { + struct tpm_bank_info *pseudo_padded_banks; struct tpm_bank_info *pseudo_banks; struct tpm_bank_info *tpm_banks; int is_ima_template, cur_template_fmt; @@ -1839,6 +1872,7 @@ static int ima_measurement(const char *file) memset(zero, 0, MAX_DIGEST_SIZE); memset(fox, 0xff, MAX_DIGEST_SIZE); + pseudo_padded_banks = init_tpm_banks(&num_banks); pseudo_banks = init_tpm_banks(&num_banks); tpm_banks = init_tpm_banks(&num_banks); @@ -1939,7 +1973,8 @@ static int ima_measurement(const char *file) entry.template_buf_len - len); } - extend_tpm_banks(&entry, num_banks, pseudo_banks); + extend_tpm_banks(&entry, num_banks, pseudo_banks, + pseudo_padded_banks); if (verify) ima_verify_template_hash(&entry); 
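Review bot: in the @@ -1839,6 +1872,7 @@ hunk, `pseudo_padded_banks` is allocated with init_tpm_banks next to the other two bank arrays, but nothing in this patch shows it being NULL-checked or released; make sure the `out:` cleanup path frees it (and handles an allocation failure) the same way as pseudo_banks and tpm_banks. The three init_tpm_banks calls also each write `num_banks`, which is harmless only as long as every call reports the same count.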
@@ -1954,7 +1989,15 @@ static int ima_measurement(const char *file) err = 0; log_info("Failed to read any TPM PCRs\n"); } else { + log_info("Comparing with per TPM digest\n"); err = compare_tpm_banks(num_banks, pseudo_banks, tpm_banks); + + /* On failure, check older SHA1 zero padded hashes */ + if (err) { + log_info("Comparing with SHA1 padded digest\n"); + err = compare_tpm_banks(num_banks, pseudo_padded_banks, + tpm_banks); + } } out:

From patchwork Thu Jul 9 14:36:36 2020
X-Patchwork-Submitter: Mimi Zohar
X-Patchwork-Id: 11654511
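Review bot: in the @@ -1954,7 +1989,15 @@ hunk of PATCH 2/3 (the fallback in ima_measurement), the first compare_tpm_banks call logs "PCRAgg %d does not match TPM PCR-%d" for every PCR of every bank before the SHA1 padded comparison is tried, so a system whose TPM was extended with the older zero padded digests prints a screen of mismatch messages followed by a success. Consider demoting the per-PCR mismatch output to log_debug on the first pass (or passing a quiet flag) and logging which of the two digest schemes finally matched, so that a verifier reading the output remotely gets an unambiguous result.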
From: Mimi Zohar
To: linux-integrity@vger.kernel.org
Cc: Mimi Zohar, Petr Vorel, Bruno Meneguele
Subject: [PATCH 3/3] ima-evm-utils: support providing the TPM 1.2 PCRs as a file
Date: Thu, 9 Jul 2020 10:36:36 -0400
Message-Id: <1594305396-21280-4-git-send-email-zohar@linux.ibm.com>
X-Mailer: git-send-email 2.7.5
In-Reply-To: <1594305396-21280-1-git-send-email-zohar@linux.ibm.com>
References: <1594305396-21280-1-git-send-email-zohar@linux.ibm.com>

"evmctl ima_measurement" walks the IMA measurement list calculating the PCRs and verifies the calculated values against the system's PCRs. Instead of reading the system's PCRs, provide the PCRs as a file.

For TPM 1.2 the PCRs are exported via a securityfs file. Verifying the IMA measurement list against the exported TPM 1.2 PCRs file may be used remotely for regression testing. If used in a production environment, the provided TPM PCRs must be compared with those included in the TPM 1.2 quote as well.

This patch defines an evmctl ima_measurement "--pcrs " option.

Signed-off-by: Mimi Zohar
---
 src/evmctl.c | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/src/evmctl.c b/src/evmctl.c
index 814aa6b75571..21ae1c7ca5a7 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -160,6 +160,8 @@ struct tpm_bank_info { uint8_t pcr[NUM_PCRS][MAX_DIGEST_SIZE]; }; +static char *pcrfile; + static int bin2file(const char *file, const char *ext, const unsigned char *data, int len) { FILE *fp; @@ -1377,12 +1379,18 @@ static char *misc_pcrs = "/sys/class/misc/tpm0/device/pcrs"; /* Read all of the TPM 1.2 PCRs */ static int tpm_pcr_read(struct tpm_bank_info *tpm_banks, int len) { - FILE *fp; + FILE *fp = NULL; char *p, pcr_str[7], buf[70]; /* length of the TPM string */ int result = -1; int i = 0; - fp = fopen(pcrs, "r"); + /* Use the provided TPM 1.2 pcrs file */ + if (pcrfile) + fp = fopen(pcrfile, "r"); + + if (!fp) + fp = fopen(pcrs, "r"); + if (!fp) fp = fopen(misc_pcrs, "r"); @@ -2347,7 +2355,7 @@ struct command cmds[] = { {"ima_verify", cmd_verify_ima, 0, "file", "Verify IMA signature (for debugging).\n"}, {"ima_setxattr", cmd_setxattr_ima, 0, "[--sigfile file]", "Set IMA signature from sigfile\n"}, {"ima_hash", cmd_hash_ima, 0, "file", "Make file content hash.\n"}, - {"ima_measurement", cmd_ima_measurement, 0, "[--validate] [--verify] file", "Verify measurement list (experimental).\n"}, + {"ima_measurement", cmd_ima_measurement, 0, "[--validate] [--verify] [--pcrs file] file", "Verify measurement list (experimental).\n"}, {"ima_boot_aggregate", cmd_ima_bootaggr, 0, "[file]", "Calculate per TPM bank boot_aggregate digests\n"}, {"ima_fix", cmd_ima_fix, 0, "[-t fdsxm] path", "Recursively fix IMA/EVM xattrs in fix mode.\n"}, {"ima_clear", cmd_ima_clear, 0, "[-t fdsxm] path", "Recursively remove IMA/EVM xattrs.\n"}, @@ -2388,6 +2396,7 @@ static struct option opts[] = { {"xattr-user", 0, 0, 140}, {"validate", 0, 0, 141}, {"verify", 0, 0, 142}, + {"pcrs", 1, 0, 143}, {} }; @@ -2572,6 +2581,9 @@ int main(int argc, char *argv[]) case 142: /* --verify */ verify = 1; break; + case 143: + pcrfile = optarg; + break; case '?': exit(1); break;
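Review bot: in the @@ -1377,12 +1379,18 @@ hunk, a `--pcrs` path that cannot be opened is silently ignored and the code falls through to the local /sys/class/tpm/tpm0/device/pcrs and misc_pcrs files. For the remote regression use case described in the commit message, that means a mistyped or missing file makes the tool verify the measurement list against whatever the local machine's TPM reports (or fail with the generic "Failed to read TPM 1.2 PCRs" debug message) without ever saying that the requested file was not used. When `pcrfile` is set and `fopen(pcrfile, "r")` fails, log the error with the path and return -1 instead of continuing to the system files.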
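Review bot: in the @@ -2572,6 +2581,9 @@ hunk, the new `case 143:` lacks the trailing comment that its neighbour `case 142: /* --verify */` carries; add `/* --pcrs */` so the option table and the switch stay readable side by side.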