From patchwork Tue Jun 26 16:28:27 2018
X-Patchwork-Submitter: George Wilson
X-Patchwork-Id: 10489527
From: George Wilson
To: linux-integrity@vger.kernel.org
Cc: Mimi Zohar, George Wilson
Subject: [PATCH] ima-evm-utils: add --pcrinit and --pcr options to ima_measurement command
Date: Tue, 26 Jun 2018 10:28:27 -0600
Message-Id: <20180626162827.4987-1-gcwilson@linux.ibm.com>
List-ID: linux-integrity@vger.kernel.org

Add a --pcrinit option to the evmctl ima_measurement command so it can
initialize the calculated value of the IMA PCR to something other than
the default of 0, allowing it to accommodate cases where the PCR has
been extended prior to boot. Also add a --pcr option to select the IMA
PCR that is initialized. The IMA PCR index defaults to DEFAULT_PCR.

Signed-off-by: George Wilson
Reviewed-by: Claudio Carvalho
---
 README       |  4 +++-
 src/evmctl.c | 44 ++++++++++++++++++++++++++++++++++++++++----
 2 files changed, 43 insertions(+), 5 deletions(-)

diff --git a/README b/README
index 4805564..6bb30d0 100644
--- a/README
+++ b/README
@@ -31,7 +31,7 @@ COMMANDS ima_sign [--sigfile] [--key key] [--pass password] file ima_verify file ima_hash file - ima_measurement [--key "key1, key2, ..."] [--list] file + ima_measurement [--key "key1, key2, ..."] [--list] [--pcrinit hash] [--pcr index] file ima_fix [-t fdsxm] path sign_hash [--key key] [--pass password] hmac [--imahash | --imasig ] file @@ -57,6 +57,8 @@ OPTIONS --smack use extra SMACK xattrs for EVM --m32 force EVM hmac/signature for 32 bit target system --m64 force EVM hmac/signature for 64 bit target system + --pcrinit IMA PCR initialization hash (hex without 0x prefix; defaults to 0) + --pcr IMA PCR index (decimal; defaults to DEFAULT_PCR - usually 10) -v increase verbosity level -h, --help display this help and exit diff --git a/src/evmctl.c b/src/evmctl.c index 2ffee78..cee515f 100644 --- a/src/evmctl.c +++ b/src/evmctl.c @@ -4,6 +4,7 @@ * Copyright (C) 2011 Nokia Corporation * Copyright (C) 2011,2012,2013 Intel Corporation * Copyright (C) 2013,2014 Samsung Electronics + * Copyright (C) 2014,2018 IBM Corp. * * Authors: * Dmitry Kasatkin @@ -112,6 +113,8 @@ static char *generation_str; static char *caps_str; static char *ima_str; static char *selinux_str; +static char *pcrinit_str; +static char *pcridx_str; static char *search_type; static int measurement_list; static int recursive; @@ -1443,7 +1446,7 @@ void ima_ng_show(struct template_entry *entry) log_err("Remain unprocessed data: %d\n", total_len); } -static int ima_measurement(const char *file) +static int ima_measurement(const char *file, uint8_t *pcrinit, int pcridx) { uint8_t pcr[NUM_PCRS][SHA_DIGEST_LENGTH] = {{0}}; uint8_t hwpcr[SHA_DIGEST_LENGTH]; @@ -1457,6 +1460,10 @@ static int ima_measurement(const char *file) memset(zero, 0, SHA_DIGEST_LENGTH); memset(fox, 0xff, SHA_DIGEST_LENGTH); + /* Initialize calculated IMA PCR to designated value */ + if (pcrinit) + memcpy(pcr[pcridx], pcrinit, SHA_DIGEST_LENGTH); + log_debug("Initial PCR value: "); log_debug_dump(pcr, sizeof(pcr)); 
@@ -1535,6 +1542,8 @@ out: static int cmd_ima_measurement(struct command *cmd) { char *file = g_argv[optind++]; + uint8_t _pcrinit[SHA_DIGEST_LENGTH], *pcrinit = NULL; + int pcridx = DEFAULT_PCR; if (!file) { log_err("Parameters missing\n"); @@ -1542,7 +1551,23 @@ static int cmd_ima_measurement(struct command *cmd) return -1; } - return ima_measurement(file); + if (pcrinit_str) { + pcrinit = _pcrinit; + if(hex2bin(pcrinit, pcrinit_str, SHA_DIGEST_LENGTH)) { + log_err("Bad pcrinit hash argument\n"); + return -1; + } + } + + if (pcridx_str) + pcridx = atoi(pcridx_str); + + if (pcridx < 0 || pcridx >= NUM_PCRS) { + log_err("PCR index is out of range\n"); + return -1; + } + + return(ima_measurement(file, pcrinit, pcridx)); } static void print_usage(struct command *cmd) @@ -1641,9 +1666,12 @@ static void usage(void) " --selinux use custom Selinux label for EVM\n" " --caps use custom Capabilities for EVM(unspecified: from FS, empty: do not use)\n" " --list measurement list verification\n" + " --pcrinit IMA PCR initialization hash (hex without 0x prefix; defaults to 0)\n" + " --pcr IMA PCR index (decimal; defaults to %d)\n" " -v increase verbosity level\n" " -h, --help display this help and exit\n" - "\n"); + "\n", + DEFAULT_PCR); } struct command cmds[] = { 
@@ -1657,7 +1685,7 @@ struct command cmds[] = { {"ima_verify", cmd_verify_ima, 0, "file", "Verify IMA signature (for debugging).\n"}, {"ima_setxattr", cmd_setxattr_ima, 0, "[--sigfile file]", "Set IMA signature from sigfile\n"}, {"ima_hash", cmd_hash_ima, 0, "file", "Make file content hash.\n"}, - {"ima_measurement", cmd_ima_measurement, 0, "file", "Verify measurement list (experimental).\n"}, + {"ima_measurement", cmd_ima_measurement, 0, "[--pcrinit hash] [--pcr index] file", "Verify measurement list (experimental).\n"}, {"ima_fix", cmd_ima_fix, 0, "[-t fdsxm] path", "Recursively fix IMA/EVM xattrs in fix mode.\n"}, {"ima_clear", cmd_ima_clear, 0, "[-t fdsxm] path", "Recursively remove IMA/EVM xattrs.\n"}, {"sign_hash", cmd_sign_hash, 0, "[--key key] [--pass [password]", "Sign hashes from shaXsum output.\n"}, @@ -1693,6 +1721,8 @@ static struct option opts[] = { {"selinux", 1, 0, 136}, {"caps", 2, 0, 137}, {"list", 0, 0, 138}, + {"pcrinit", 1, 0, 139}, + {"pcr", 1, 0, 140}, {} }; @@ -1844,6 +1874,12 @@ int main(int argc, char *argv[]) case 138: measurement_list = 1; break; + case 139: + pcrinit_str = optarg; + break; + case 140: + pcridx_str = optarg; + break; case '?': exit(1); break;
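Review bot: in the README OPTIONS hunk (@@ -57,6 +57,8 @@), the --pcr line documents the default as "DEFAULT_PCR - usually 10", which leaks an internal macro name into user-facing documentation, while the matching usage() text in src/evmctl.c prints the actual compiled-in value via %d; suggest wording it as "defaults to the compiled-in IMA PCR index, 10 in the default build" so the README and the --help output describe the same thing.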
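Review bot: in the ima_measurement hunk (@@ -1457,6 +1460,10 @@), the init value is copied into pcr[pcridx] and then only visible through the existing log_debug_dump(pcr, sizeof(pcr)), which dumps all NUM_PCRS rows; adding a line such as
    log_debug("PCR %d initialized from --pcrinit\n", pcridx);
inside the if (pcrinit) block would make it explicit in the debug output which PCR received the non-zero starting value, and it would also document that pcridx is intentionally unused when no --pcrinit is given.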
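Review bot: in the cmd_ima_measurement hunk (@@ -1542,7 +1551,23 @@), pcridx = atoi(pcridx_str); returns 0 for a non-numeric string and silently ignores trailing garbage, so an argument such as --pcr abc or --pcr 10x passes the pcridx < 0 || pcridx >= NUM_PCRS check and initializes PCR 0 (or 10) instead of being reported as bad input; parse with strtol and reject a non-empty remainder, e.g.
    char *end;
    long v = strtol(pcridx_str, &end, 10);
    if (*pcridx_str == '\0' || *end != '\0') { log_err("Bad pcr index argument\n"); return -1; }
In the same hunk, hex2bin(pcrinit, pcrinit_str, SHA_DIGEST_LENGTH) is called without first checking that pcrinit_str is exactly 2 * SHA_DIGEST_LENGTH characters, so unless hex2bin itself rejects over-length input, extra trailing digits are dropped rather than reported; a strlen() check ahead of the call would route that case through the existing "Bad pcrinit hash argument" error. Style: if(hex2bin( needs a space after if, and return(ima_measurement(file, pcrinit, pcridx)); should be return ima_measurement(file, pcrinit, pcridx); to match the surrounding code.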
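Review bot: in the usage() hunk (@@ -1641,9 +1666,12 @@), the new --pcrinit help line does not say how long the hash must be, even though the value is consumed as exactly SHA_DIGEST_LENGTH bytes; suggest "--pcrinit IMA PCR initialization hash (40 hex chars, no 0x prefix; defaults to 0)" so users know the SHA1 PCR size is expected. Passing DEFAULT_PCR as the format argument for the --pcr line is fine, but the README hunk should carry the same length note so the two descriptions stay in step.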