[2/6] ima-evm-utils: fix measurement violation checking

Message ID	1594088791-27370-3-git-send-email-zohar@linux.ibm.com (mailing list archive)
State	New, archived
Headers	show Return-Path: <SRS0=Ev+g=AS=vger.kernel.org=linux-integrity-owner@kernel.org> From: Mimi Zohar <zohar@linux.ibm.com> To: linux-integrity@vger.kernel.org Cc: Mimi Zohar <zohar@linux.ibm.com>, Petr Vorel <pvorel@suse.cz>, Bruno Meneguele <bmeneg@redhat.com>, Vitaly Chikunov <vt@altlinux.org> Subject: [PATCH 2/6] ima-evm-utils: fix measurement violation checking Date: Mon, 6 Jul 2020 22:26:27 -0400 Message-Id: <1594088791-27370-3-git-send-email-zohar@linux.ibm.com> In-Reply-To: <1594088791-27370-1-git-send-email-zohar@linux.ibm.com> References: <1594088791-27370-1-git-send-email-zohar@linux.ibm.com> Sender: linux-integrity-owner@vger.kernel.org Precedence: bulk
Series	ima-evm-utils: miscellanous code clean up and bug fixes \| expand [0/6] ima-evm-utils: miscellanous code clean up and bug fixes [1/6] ima-evm-utils: fix PCRAggr error message [2/6] ima-evm-utils: fix measurement violation checking [3/6] ima-evm-utils: don't hardcode validating the IMA measurement list [4/6] ima-evm-utils: calculate and verify the template data digest [5/6] ima-evm-utils: use uint32_t for template length [6/6] ima-evm-utils: define a basic hash_info.h file

Message ID

1594088791-27370-3-git-send-email-zohar@linux.ibm.com (mailing list archive)

State

New, archived

Headers

From: Mimi Zohar <zohar@linux.ibm.com>
To: linux-integrity@vger.kernel.org
Cc: Mimi Zohar <zohar@linux.ibm.com>, Petr Vorel <pvorel@suse.cz>,
        Bruno Meneguele <bmeneg@redhat.com>,
        Vitaly Chikunov <vt@altlinux.org>
Subject: [PATCH 2/6] ima-evm-utils: fix measurement violation checking
Date: Mon,  6 Jul 2020 22:26:27 -0400
Message-Id: <1594088791-27370-3-git-send-email-zohar@linux.ibm.com>
In-Reply-To: <1594088791-27370-1-git-send-email-zohar@linux.ibm.com>
References: <1594088791-27370-1-git-send-email-zohar@linux.ibm.com>
Sender: linux-integrity-owner@vger.kernel.org
Precedence: bulk

Series

ima-evm-utils: miscellanous code clean up and bug fixes | expand

Commit Message

Mimi Zohar July 7, 2020, 2:26 a.m. UTC

The template data digest for file measurement time of measure, time of
use (ToMToU) violations is zero.  Don't calculate the template data
digest for the different banks.

Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
 src/evmctl.c | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/src/evmctl.c b/src/evmctl.c
index 1a5f3545d844..71712d91703a 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -1736,10 +1736,19 @@  static void extend_tpm_banks(struct template_entry *entry, int num_banks,
 			continue;
 		}
 
-		err = calculate_template_digest(pctx, md, entry, &bank[i]);
-		if (!err) {
-			bank[i].supported = 0;
-			continue;
+		/*
+		 * Measurement violations are 0x00 digests.  No need to
+		 * calculate the per TPM bank template digests.
+		 */
+		if (memcmp(entry->header.digest, zero, SHA_DIGEST_LENGTH) == 0)
+			memset(bank[i].digest, 0x00, bank[i].digest_size);
+		else {
+			err = calculate_template_digest(pctx, md, entry,
+							&bank[i]);
+			if (!err) {
+				bank[i].supported = 0;
+				continue;
+			}
 		}
 
 		/* extend TPM BANK with template digest */

[2/6] ima-evm-utils: fix measurement violation checking

Commit Message

Patch