diff mbox series

[ima-evm-utils:,2/3] Rename "--validate" to "--ignore-violations"

Message ID 20200731141432.668318-3-zohar@linux.ibm.com
State New
Headers show
Series evmctl option improvements | expand

Commit Message

Mimi Zohar July 31, 2020, 2:14 p.m. UTC
IMA records file "Time of Measure, Time of Use (ToMToU)" and "open
writers" integrity violations by adding a record to the measurement
list containing one value (0x00's), but extending the TPM with a
different value (0xFF's).

To avoid known file integrity violations, the builtin "tcb" measurement
policy should be replaced with a custom policy as early as possible.
This patch renames the existing "--validate" option to
"--ignore-violations".

Suggested-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
 README       |  4 ++--
 src/evmctl.c | 13 +++++++------
 2 files changed, 9 insertions(+), 8 deletions(-)

Comments

Lakshmi Ramasubramanian Aug. 1, 2020, 12:46 a.m. UTC | #1
On 7/31/20 7:14 AM, Mimi Zohar wrote:
> IMA records file "Time of Measure, Time of Use (ToMToU)" and "open
> writers" integrity violations by adding a record to the measurement
> list containing one value (0x00's), but extending the TPM with a
> different value (0xFF's).
> 
> To avoid known file integrity violations, the builtin "tcb" measurement
> policy should be replaced with a custom policy as early as possible.
> This patch renames the existing "--validate" option to
> "--ignore-violations".
> 
> Suggested-by: Stephen Smalley <stephen.smalley.work@gmail.com>
> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
> ---
>   README       |  4 ++--
>   src/evmctl.c | 13 +++++++------
>   2 files changed, 9 insertions(+), 8 deletions(-)

Reviewed-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>

> 
> diff --git a/README b/README
> index d8b8f404534b..b37325f31802 100644
> --- a/README
> +++ b/README
> @@ -31,7 +31,7 @@ COMMANDS
>    ima_sign [--sigfile] [--key key] [--pass password] file
>    ima_verify file
>    ima_hash file
> - ima_measurement [--validate] [--verify-sig [--key "key1, key2, ..."]]  [--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...] file
> + ima_measurement [--ignore-violations] [--verify-sig [--key "key1, key2, ..."]]  [--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...] file
>    ima_fix [-t fdsxm] path
>    sign_hash [--key key] [--pass password]
>    hmac [--imahash | --imasig ] file
> @@ -60,7 +60,7 @@ OPTIONS
>         --m64          force EVM hmac/signature for 64 bit target system
>         --engine e     preload OpenSSL engine e (such as: gost)
>         --pcrs         file containing TPM pcrs, one per hash-algorithm/bank
> -      --validate     ignore ToMToU measurement violations
> +      --ignore-violations ignore ToMToU measurement violations
>         --verify-sig   verify the file signature based on the file hash, both
>                        stored in the template data.
>     -v                 increase verbosity level
> diff --git a/src/evmctl.c b/src/evmctl.c
> index b4d2333fb880..7ad11507487f 100644
> --- a/src/evmctl.c
> +++ b/src/evmctl.c
> @@ -1392,7 +1392,7 @@ struct template_entry {
>   
>   static uint8_t zero[MAX_DIGEST_SIZE];
>   
> -static int validate = 0;
> +static int ignore_violations = 0;
>   
>   static int ima_verify_template_hash(struct template_entry *entry)
>   {
> @@ -1739,7 +1739,7 @@ static void extend_tpm_banks(struct template_entry *entry, int num_banks,
>   		 * size.
>   		 */
>   		if (memcmp(entry->header.digest, zero, SHA_DIGEST_LENGTH) == 0) {
> -			if (!validate) {
> +			if (!ignore_violations) {
>   				memset(bank[i].digest, 0x00, bank[i].digest_size);
>   				memset(padded_bank[i].digest, 0x00, padded_bank[i].digest_size);
>   			} else {
> @@ -2467,6 +2467,7 @@ static void usage(void)
>   		"      --caps         use custom Capabilities for EVM(unspecified: from FS, empty: do not use)\n"
>   		"      --verify-sig   verify measurement list signatures\n"
>   		"      --engine e     preload OpenSSL engine e (such as: gost)\n"
> +		"      --ignore-violations ignore ToMToU measurement violations"
>   		"  -v                 increase verbosity level\n"
>   		"  -h, --help         display this help and exit\n"
>   		"\n");
> @@ -2483,7 +2484,7 @@ struct command cmds[] = {
>   	{"ima_verify", cmd_verify_ima, 0, "file", "Verify IMA signature (for debugging).\n"},
>   	{"ima_setxattr", cmd_setxattr_ima, 0, "[--sigfile file]", "Set IMA signature from sigfile\n"},
>   	{"ima_hash", cmd_hash_ima, 0, "file", "Make file content hash.\n"},
> -	{"ima_measurement", cmd_ima_measurement, 0, "[--validate] [--verify-sig [--key key1, key2, ...]] [--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...] file", "Verify measurement list (experimental).\n"},
> +	{"ima_measurement", cmd_ima_measurement, 0, "[--ignore-violations] [--verify-sig [--key key1, key2, ...]] [--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...] file", "Verify measurement list (experimental).\n"},
>   	{"ima_boot_aggregate", cmd_ima_bootaggr, 0, "[file]", "Calculate per TPM bank boot_aggregate digests\n"},
>   	{"ima_fix", cmd_ima_fix, 0, "[-t fdsxm] path", "Recursively fix IMA/EVM xattrs in fix mode.\n"},
>   	{"ima_clear", cmd_ima_clear, 0, "[-t fdsxm] path", "Recursively remove IMA/EVM xattrs.\n"},
> @@ -2522,7 +2523,7 @@ static struct option opts[] = {
>   	{"verify-sig", 0, 0, 138},
>   	{"engine", 1, 0, 139},
>   	{"xattr-user", 0, 0, 140},
> -	{"validate", 0, 0, 141},
> +	{"ignore-violations", 0, 0, 141},
>   	{"pcrs", 1, 0, 142},
>   	{}
>   
> @@ -2702,8 +2703,8 @@ int main(int argc, char *argv[])
>   			xattr_ima = "user.ima";
>   			xattr_evm = "user.evm";
>   			break;
> -		case 141: /* --validate */
> -			validate = 1;
> +		case 141: /* --ignore-violations */
> +			ignore_violations = 1;
>   			break;
>   		case 142:
>   			if (npcrfile >= MAX_PCRFILE) {
>
diff mbox series

Patch

diff --git a/README b/README
index d8b8f404534b..b37325f31802 100644
--- a/README
+++ b/README
@@ -31,7 +31,7 @@  COMMANDS
  ima_sign [--sigfile] [--key key] [--pass password] file
  ima_verify file
  ima_hash file
- ima_measurement [--validate] [--verify-sig [--key "key1, key2, ..."]]  [--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...] file
+ ima_measurement [--ignore-violations] [--verify-sig [--key "key1, key2, ..."]]  [--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...] file
  ima_fix [-t fdsxm] path
  sign_hash [--key key] [--pass password]
  hmac [--imahash | --imasig ] file
@@ -60,7 +60,7 @@  OPTIONS
       --m64          force EVM hmac/signature for 64 bit target system
       --engine e     preload OpenSSL engine e (such as: gost)
       --pcrs         file containing TPM pcrs, one per hash-algorithm/bank
-      --validate     ignore ToMToU measurement violations
+      --ignore-violations ignore ToMToU measurement violations
       --verify-sig   verify the file signature based on the file hash, both
                      stored in the template data.
   -v                 increase verbosity level
diff --git a/src/evmctl.c b/src/evmctl.c
index b4d2333fb880..7ad11507487f 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -1392,7 +1392,7 @@  struct template_entry {
 
 static uint8_t zero[MAX_DIGEST_SIZE];
 
-static int validate = 0;
+static int ignore_violations = 0;
 
 static int ima_verify_template_hash(struct template_entry *entry)
 {
@@ -1739,7 +1739,7 @@  static void extend_tpm_banks(struct template_entry *entry, int num_banks,
 		 * size.
 		 */
 		if (memcmp(entry->header.digest, zero, SHA_DIGEST_LENGTH) == 0) {
-			if (!validate) {
+			if (!ignore_violations) {
 				memset(bank[i].digest, 0x00, bank[i].digest_size);
 				memset(padded_bank[i].digest, 0x00, padded_bank[i].digest_size);
 			} else {
@@ -2467,6 +2467,7 @@  static void usage(void)
 		"      --caps         use custom Capabilities for EVM(unspecified: from FS, empty: do not use)\n"
 		"      --verify-sig   verify measurement list signatures\n"
 		"      --engine e     preload OpenSSL engine e (such as: gost)\n"
+		"      --ignore-violations ignore ToMToU measurement violations"
 		"  -v                 increase verbosity level\n"
 		"  -h, --help         display this help and exit\n"
 		"\n");
@@ -2483,7 +2484,7 @@  struct command cmds[] = {
 	{"ima_verify", cmd_verify_ima, 0, "file", "Verify IMA signature (for debugging).\n"},
 	{"ima_setxattr", cmd_setxattr_ima, 0, "[--sigfile file]", "Set IMA signature from sigfile\n"},
 	{"ima_hash", cmd_hash_ima, 0, "file", "Make file content hash.\n"},
-	{"ima_measurement", cmd_ima_measurement, 0, "[--validate] [--verify-sig [--key key1, key2, ...]] [--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...] file", "Verify measurement list (experimental).\n"},
+	{"ima_measurement", cmd_ima_measurement, 0, "[--ignore-violations] [--verify-sig [--key key1, key2, ...]] [--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...] file", "Verify measurement list (experimental).\n"},
 	{"ima_boot_aggregate", cmd_ima_bootaggr, 0, "[file]", "Calculate per TPM bank boot_aggregate digests\n"},
 	{"ima_fix", cmd_ima_fix, 0, "[-t fdsxm] path", "Recursively fix IMA/EVM xattrs in fix mode.\n"},
 	{"ima_clear", cmd_ima_clear, 0, "[-t fdsxm] path", "Recursively remove IMA/EVM xattrs.\n"},
@@ -2522,7 +2523,7 @@  static struct option opts[] = {
 	{"verify-sig", 0, 0, 138},
 	{"engine", 1, 0, 139},
 	{"xattr-user", 0, 0, 140},
-	{"validate", 0, 0, 141},
+	{"ignore-violations", 0, 0, 141},
 	{"pcrs", 1, 0, 142},
 	{}
 
@@ -2702,8 +2703,8 @@  int main(int argc, char *argv[])
 			xattr_ima = "user.ima";
 			xattr_evm = "user.evm";
 			break;
-		case 141: /* --validate */
-			validate = 1;
+		case 141: /* --ignore-violations */
+			ignore_violations = 1;
 			break;
 		case 142:
 			if (npcrfile >= MAX_PCRFILE) {