
[v2,2/8] ima_evm_utils: support extending TPM 2.0 banks w/original SHA1 padded digest

Message ID 1594396859-9232-3-git-send-email-zohar@linux.ibm.com (mailing list archive)
State New, archived

Commit Message

Mimi Zohar July 10, 2020, 4 p.m. UTC
Older kernels padded the SHA1 template digest, including violations, with
zeroes before extending it into the non-SHA1 TPM banks.  Add support for
walking the IMA measurement list and calculating, for each TPM bank, the
zero-padded SHA1 digest, so that measurement lists from such kernels can
still be verified against the PCRs.

Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
 src/evmctl.c | 73 +++++++++++++++++++++++++++++++++++++++++++++++-------------
 1 file changed, 58 insertions(+), 15 deletions(-)

Comments

Bruno Meneguele July 15, 2020, 6:43 p.m. UTC | #1
Hi Mimi,

On Fri, Jul 10, 2020 at 12:00:53PM -0400, Mimi Zohar wrote:
> Initially the sha1 digest, including violations, was padded with zeroes
> before being extended into the other TPM banks.  Support walking the
> IMA measurement list, calculating the per TPM bank SHA1 padded
> digest(s).
> 
> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
> ---
>  src/evmctl.c | 73 +++++++++++++++++++++++++++++++++++++++++++++++-------------
>  1 file changed, 58 insertions(+), 15 deletions(-)
> 
> diff --git a/src/evmctl.c b/src/evmctl.c
> index 0e489e2c7ba6..814aa6b75571 100644
> --- a/src/evmctl.c
> +++ b/src/evmctl.c
> @@ -1613,6 +1613,10 @@ static struct tpm_bank_info *init_tpm_banks(int *num_banks)
>  	return banks;
>  }
>  
> +/*
> + * Compare the calculated TPM PCR banks against the PCR values read.
> + * On failure to match any TPM bank, fail comparison.
> + */
>  static int compare_tpm_banks(int num_banks, struct tpm_bank_info *bank,
>  			     struct tpm_bank_info *tpm_bank)
>  {
> @@ -1632,14 +1636,15 @@ static int compare_tpm_banks(int num_banks, struct tpm_bank_info *bank,
>  			log_info("%s: TPM PCR-%d: ", tpm_bank[i].algo_name, j);
>  			log_dump(tpm_bank[i].pcr[j], tpm_bank[i].digest_size);
>  
> -			ret = memcmp(bank[i].pcr[j], tpm_bank[i].pcr[j],
> -				     bank[i].digest_size);
> -			if (!ret)
> +			if (memcmp(bank[i].pcr[j], tpm_bank[i].pcr[j],
> +				     bank[i].digest_size) == 0) {
>  				log_info("%s PCR-%d: succeed\n",
>  					 bank[i].algo_name, j);
> -			else
> +			} else {
> +				ret = 1;
>  				log_info("%s: PCRAgg %d does not match TPM PCR-%d\n",
>  					 bank[i].algo_name, j, j);
> +			}
>  		}
>  	}
>  	return ret;
> @@ -1695,10 +1700,7 @@ static int extend_tpm_bank(EVP_MD_CTX *pctx, const EVP_MD *md,
>  		goto out;
>  	}
>  
> -	if (validate && !memcmp(entry->header.digest, zero, SHA_DIGEST_LENGTH))
> -		err = EVP_DigestUpdate(pctx, fox, bank->digest_size);

'fox' is not being used in the code anymore. It could be totally removed
afaics.

diff --git a/src/evmctl.c b/src/evmctl.c
index 90a3eeb..ae513b0 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -1425,7 +1425,6 @@ struct template_entry {
 };

 static uint8_t zero[MAX_DIGEST_SIZE];
-static uint8_t fox[MAX_DIGEST_SIZE];

 static int validate = 0;
 static int verify = 0;
@@ -1886,7 +1885,6 @@ static int ima_measurement(const char *file)

        errno = 0;
        memset(zero, 0, MAX_DIGEST_SIZE);
-       memset(fox, 0xff, MAX_DIGEST_SIZE);

        pseudo_padded_banks = init_tpm_banks(&num_banks);
        pseudo_banks = init_tpm_banks(&num_banks);
Mimi Zohar July 15, 2020, 7:47 p.m. UTC | #2
Hi Bruno,

On Wed, 2020-07-15 at 15:43 -0300, Bruno Meneguele wrote:
<snip>

If this patch was in next-testing, I could simply update it.  Please
send a new patch to remove fox.

thanks,

Mimi

> 'fox' is not being used in the code anymore. It could be totally removed
> afaics.
> 
> diff --git a/src/evmctl.c b/src/evmctl.c
> index 90a3eeb..ae513b0 100644
> --- a/src/evmctl.c
> +++ b/src/evmctl.c
> @@ -1425,7 +1425,6 @@ struct template_entry {
>  };
> 
>  static uint8_t zero[MAX_DIGEST_SIZE];
> -static uint8_t fox[MAX_DIGEST_SIZE];
> 
>  static int validate = 0;
>  static int verify = 0;
> @@ -1886,7 +1885,6 @@ static int ima_measurement(const char *file)
> 
>         errno = 0;
>         memset(zero, 0, MAX_DIGEST_SIZE);
> -       memset(fox, 0xff, MAX_DIGEST_SIZE);
> 
>         pseudo_padded_banks = init_tpm_banks(&num_banks);
>         pseudo_banks = init_tpm_banks(&num_banks);
> 
>
Mimi Zohar July 15, 2020, 8:11 p.m. UTC | #3
On Wed, 2020-07-15 at 15:47 -0400, Mimi Zohar wrote:
> Hi Bruno,
> 
> On Wed, 2020-07-15 at 15:43 -0300, Bruno Meneguele wrote:
> <snip>
> 
> If this patch was in next-testing, I could simply update it.  Please
> send a new patch to remove fox.

Oh, it is in next-testing.  I'll fix it up.

thanks!

Mimi
Bruno Meneguele July 15, 2020, 8:17 p.m. UTC | #4
On Wed, Jul 15, 2020 at 04:11:03PM -0400, Mimi Zohar wrote:
> On Wed, 2020-07-15 at 15:47 -0400, Mimi Zohar wrote:
> > Hi Bruno,
> > 
> > On Wed, 2020-07-15 at 15:43 -0300, Bruno Meneguele wrote:
> > <snip>
> > 
> > If this patch was in next-testing, I could simply update it.  Please
> > send a new patch to remove fox.
> 
> Oh, it is in next-testing.  I'll fix it up.
> 

Yes :)

Thanks.

> thanks!
> 
> Mimi
>

Patch

diff --git a/src/evmctl.c b/src/evmctl.c
index 0e489e2c7ba6..814aa6b75571 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -1613,6 +1613,10 @@  static struct tpm_bank_info *init_tpm_banks(int *num_banks)
 	return banks;
 }
 
+/*
+ * Compare the calculated TPM PCR banks against the PCR values read.
+ * On failure to match any TPM bank, fail comparison.
+ */
 static int compare_tpm_banks(int num_banks, struct tpm_bank_info *bank,
 			     struct tpm_bank_info *tpm_bank)
 {
@@ -1632,14 +1636,15 @@  static int compare_tpm_banks(int num_banks, struct tpm_bank_info *bank,
 			log_info("%s: TPM PCR-%d: ", tpm_bank[i].algo_name, j);
 			log_dump(tpm_bank[i].pcr[j], tpm_bank[i].digest_size);
 
-			ret = memcmp(bank[i].pcr[j], tpm_bank[i].pcr[j],
-				     bank[i].digest_size);
-			if (!ret)
+			if (memcmp(bank[i].pcr[j], tpm_bank[i].pcr[j],
+				     bank[i].digest_size) == 0) {
 				log_info("%s PCR-%d: succeed\n",
 					 bank[i].algo_name, j);
-			else
+			} else {
+				ret = 1;
 				log_info("%s: PCRAgg %d does not match TPM PCR-%d\n",
 					 bank[i].algo_name, j, j);
+			}
 		}
 	}
 	return ret;
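Review bot: `ret` is now assigned only on a mismatch, so the function's result depends entirely on its initial value, which is set before this hunk begins; it must read `int ret = 0;` at the declaration, otherwise a run with no mismatches returns whatever the variable started as. The previous code masked this because `ret` was overwritten by every memcmp, and a late matching PCR could reset an earlier failure to 0 — the new code correctly keeps iterating after a failure so every mismatching PCR is reported while the failure sticks. compare_tpm_banks's body starts and its declarations live outside this hunk, so the initialiser is not visible here.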
@@ -1695,10 +1700,7 @@  static int extend_tpm_bank(EVP_MD_CTX *pctx, const EVP_MD *md,
 		goto out;
 	}
 
-	if (validate && !memcmp(entry->header.digest, zero, SHA_DIGEST_LENGTH))
-		err = EVP_DigestUpdate(pctx, fox, bank->digest_size);
-	else
-		err = EVP_DigestUpdate(pctx, bank->digest, bank->digest_size);
+	err = EVP_DigestUpdate(pctx, bank->digest, bank->digest_size);
 	if (!err) {
 		printf("EVP_DigestUpdate() failed\n");
 		goto out;
@@ -1716,7 +1718,8 @@  out:
 
 /* Calculate and extend the template hash for multiple hash algorithms */
 static void extend_tpm_banks(struct template_entry *entry, int num_banks,
-			     struct tpm_bank_info *bank)
+			     struct tpm_bank_info *bank,
+			     struct tpm_bank_info *padded_bank)
 {
 	EVP_MD_CTX *pctx;
 	const EVP_MD *md;
@@ -1741,24 +1744,53 @@  static void extend_tpm_banks(struct template_entry *entry, int num_banks,
 		}
 
 		/*
-		 * Measurement violations are 0x00 digests.  No need to
-		 * calculate the per TPM bank template digests.
+		 * Measurement violations are 0x00 digests, which are extended
+		 * into the TPM as 0xff.  Verifying the IMA measurement list
+		 * will fail, unless the 0x00 digests are converted to 0xff's.
+		 *
+		 * Initially the sha1 digest, including violations, was padded
+		 * with zeroes before being extended into the TPM.  With the
+		 * per TPM bank digest, violations are the full per bank digest
+		 * size.
 		 */
-		if (memcmp(entry->header.digest, zero, SHA_DIGEST_LENGTH) == 0)
-			memset(bank[i].digest, 0x00, bank[i].digest_size);
-		else {
+		if (memcmp(entry->header.digest, zero, SHA_DIGEST_LENGTH) == 0) {
+			if (!validate) {
+				memset(bank[i].digest, 0x00, bank[i].digest_size);
+				memset(padded_bank[i].digest, 0x00, padded_bank[i].digest_size);
+			} else {
+				memset(bank[i].digest, 0xff,
+				       bank[i].digest_size);
+
+				memset(padded_bank[i].digest, 0x00,
+				       padded_bank[i].digest_size);
+				memset(padded_bank[i].digest, 0xff,
+				       SHA_DIGEST_LENGTH);
+			}
+		} else {
 			err = calculate_template_digest(pctx, md, entry,
 							&bank[i]);
 			if (!err) {
 				bank[i].supported = 0;
 				continue;
 			}
+
+			/*
+			 * calloc set the memory to zero, so just copy the
+			 * sha1 digest.
+			 */
+			memcpy(padded_bank[i].digest, entry->header.digest,
+			       SHA_DIGEST_LENGTH);
 		}
 
 		/* extend TPM BANK with template digest */
 		err = extend_tpm_bank(pctx, md, entry, &bank[i]);
 		if (!err)
 			bank[i].supported = 0;
+
+		/* extend TPM BANK with zero padded sha1 template digest */
+		err = extend_tpm_bank(pctx, md, entry, &padded_bank[i]);
+		if (!err)
+			padded_bank[i].supported = 0;
 	}
 #if OPENSSL_VERSION_NUMBER >= 0x10100000
 	EVP_MD_CTX_free(pctx);
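Review bot: The zero padding of `padded_bank[i].digest` on the non-violation path relies on the calloc in init_tpm_banks (outside this hunk) and on nothing ever writing past the first SHA_DIGEST_LENGTH bytes, which the comment above the memcpy acknowledges; since the same buffer is reused for every measurement entry, making the padding explicit is cheaper than maintaining that invariant: `memset(padded_bank[i].digest, 0, padded_bank[i].digest_size);` immediately before the memcpy. Separately, when calculate_template_digest fails the loop sets only `bank[i].supported = 0` and `continue`s, so `padded_bank[i]` is skipped for that entry but stays marked supported and its PCR value silently goes stale; it presumably should be marked alongside, `padded_bank[i].supported = 0;`, though whether the loop head (outside the hunk) already filters on the flag is not visible here. The enclosing loop and function begin and end outside this hunk.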
@@ -1825,6 +1857,7 @@  static int read_tpm_banks(int num_banks, struct tpm_bank_info *bank)
 
 static int ima_measurement(const char *file)
 {
+	struct tpm_bank_info *pseudo_padded_banks;
 	struct tpm_bank_info *pseudo_banks;
 	struct tpm_bank_info *tpm_banks;
 	int is_ima_template, cur_template_fmt;
@@ -1839,6 +1872,7 @@  static int ima_measurement(const char *file)
 	memset(zero, 0, MAX_DIGEST_SIZE);
 	memset(fox, 0xff, MAX_DIGEST_SIZE);
 
+	pseudo_padded_banks = init_tpm_banks(&num_banks);
 	pseudo_banks = init_tpm_banks(&num_banks);
 	tpm_banks = init_tpm_banks(&num_banks);
 
@@ -1939,7 +1973,8 @@  static int ima_measurement(const char *file)
 			       entry.template_buf_len - len);
 		}
 
-		extend_tpm_banks(&entry, num_banks, pseudo_banks);
+		extend_tpm_banks(&entry, num_banks, pseudo_banks,
+				 pseudo_padded_banks);
 
 		if (verify)
 			ima_verify_template_hash(&entry);
@@ -1954,7 +1989,15 @@  static int ima_measurement(const char *file)
 		err = 0;
 		log_info("Failed to read any TPM PCRs\n");
 	} else {
+		log_info("Comparing with per TPM digest\n");
 		err = compare_tpm_banks(num_banks, pseudo_banks, tpm_banks);
+
+		/* On failure, check older SHA1 zero padded hashes */
+		if (err) {
+			log_info("Comparing with SHA1 padded digest\n");
+			err = compare_tpm_banks(num_banks, pseudo_padded_banks,
+						tpm_banks);
+		}
 	}
 
 out:
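Review bot: A successful fallback comparison should be called out both in the log and in the comment, because a match against the SHA1-padded digests binds every bank only as strongly as SHA1 — the non-SHA1 PCRs then hold zero-padded SHA1 values rather than a per-bank template digest, as the commit message describes. Suggest replacing the one-line comment with `/* Older kernels extended the zero-padded SHA1 template digest into every bank; a match here proves only SHA1-strength agreement with the measurement list, whatever the bank's algorithm. */` and, when the second compare_tpm_banks returns 0, emitting `log_info("Matched only the SHA1 padded digests\n");` so a reader of the output can tell which binding was in effect. By the time the fallback runs the first compare has already logged a "does not match" line for each bank, so without such a line a successful legacy verification reads as a failure followed by a success. ima_measurement continues past this hunk.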