@@ -98,6 +98,12 @@ display_pcrs() {
}
# The first entry in the IMA measuremnet list is the "boot_aggregate".
+# For each kexec, an additional "boot_aggregate" will appear in the
+# measurement list, assuming the previous measurement list is carried
+# across the kexec.
+#
+# Verify that the last "boot_aggregate" record in the IMA measurement
+# list matches.
check() {
echo "INFO: Calculating the boot_aggregate (PCRs 0 - 7) for multiple banks"
bootaggr=$(evmctl ima_boot_aggregate)
@@ -113,7 +119,7 @@ check() {
if [ "$VERBOSE" != "0" ]; then
echo "$hash"
fi
- if grep -q "${hash}" "${ASCII_RUNTIME_MEASUREMENTS}"; then
+ if grep -e "boot_aggregate$" -e "boot_aggregate.$" "${ASCII_RUNTIME_MEASUREMENTS}" | tail -n 1 | grep -q "${hash}"; then
echo "SUCCESS: boot_aggregate ${hash} found"
return $OK
fi
For each kexec, an additional "boot_aggregate" will appear in the measurement list, assuming the previous measurement list is carried across kexec. Verify that the last "boot_aggregate" record in the IMA measurement list matches. The "boot_aggregate" is either the last field (e.g. "ima-ng") or the second to last field (e.g. "ima-sig") in the measurement list record. Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> --- tests/boot_aggregate.test | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-)