| Message ID | 1595174524-4976-2-git-send-email-zohar@linux.ibm.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | [1/3] ima-evm-utils: similarly add sanity check for file parameter of TPM 1.2 PCRs | expand |
Hi Mimi, > When the IMA measurement list contains file signatures, the file > signatures are verified either by calculating the local file data hash > or based on the file hash contained in the measurement list. In either > case a list of trusted public keys needs to be provided. > In addition to the list of known/unknown public keys needed to verify > the measurement list being output, the specific files signed by an > unknown public key are output as well. > Output the individual "unknown keyid" file messages based on log level. > Example 1: "ima_measurement" list of known/unknown public keys Reviewed-by: Petr Vorel <pvorel@suse.cz> Kind regards, Petr
Hi Mimi, > - log_info("%s: verification failed: unknown keyid %x\n", > - file, __be32_to_cpup(&keyid)); > + if (imaevm_params.verbose > LOG_INFO) > + log_info("%s: verification failed: unknown keyid %x\n", BTW, I was thinking to add more macros which would handle if (imaevm_params.verbose > LOG_INFO), something like: +#define log_dump_verbose(p, len) if (imaevm_params.verbose > LOG_INFO) do_dump(p, len, true) +#define log_verbose(fmt, args...) if (imaevm_params.verbose > LOG_INFO) log_info(fmt, ##args) But in the end I didn't post it, because: 1) imaevm_params.verbose is sometimes used for other purpose: src/evmctl.c: if (sigdump || imaevm_params.verbose >= LOG_INFO) imaevm_hexdump(sig, len); ... if (imaevm_params.verbose > LOG_INFO) { log_info("%d ", entry->header.pcr); log_dump_n(entry->header.digest, sizeof(entry->header.digest)); log_info(" %s %s", entry->name, algo); log_dump_n(digest, digest_len); log_info(" %s", path); if (fbuf) { log_info(" "); log_dump_n(fbuf, fbuf_len); } } ... if (imaevm_params.verbose <= LOG_INFO) return; 2) code sometimes compares: imaevm_params.verbose >= LOG_INFO (i.e. >= vs >; is that intentional?) Kind regards, Petr
diff --git a/src/libimaevm.c b/src/libimaevm.c index 16e07e82b9e3..fa6c27858d0f 100644 --- a/src/libimaevm.c +++ b/src/libimaevm.c @@ -512,8 +512,9 @@ static int verify_hash_v2(const char *file, const unsigned char *hash, int size, if (!pkey) { uint32_t keyid = hdr->keyid; - log_info("%s: verification failed: unknown keyid %x\n", - file, __be32_to_cpup(&keyid)); + if (imaevm_params.verbose > LOG_INFO) + log_info("%s: verification failed: unknown keyid %x\n", + file, __be32_to_cpup(&keyid)); return -1; }
When the IMA measurement list contains file signatures, the file signatures are verified either by calculating the local file data hash or based on the file hash contained in the measurement list. In either case a list of trusted public keys needs to be provided. In addition to the list of known/unknown public keys needed to verify the measurement list being output, the specific files signed by an unknown public key are output as well. Output the individual "unknown keyid" file messages based on log level. Example 1: "ima_measurement" list of known/unknown public keys Verify the provided IMA measurement list against the provided TPM 1.2 PCRs. --validate: ignore measurement violations. --verify: calculate and verify the template digest against the template data. --verify-sig: verify the file signature against the file hash stored in the template data. $ evmctl ima_measurement /tmp/local_binary_runtime_measurements --pcrs /tmp/local_pcrs_new --validate --verify --verify-sig key 1: 14c2d147 /etc/keys/x509_evm.der key 2: 6e6c1046 (unknown keyid) key 3: c4e2426e (unknown keyid) Matched per TPM bank calculated digest(s). Example 2: verbose mode (-v) includes specific unknown files. /usr/bin/evmctl: verification failed: unknown keyid 6e6c1046 Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> --- src/libimaevm.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-)