From patchwork Fri Jul 10 16:00:52 2020
X-Patchwork-Submitter: Mimi Zohar
X-Patchwork-Id: 11656937
From: Mimi Zohar
To: linux-integrity@vger.kernel.org
Cc: Mimi Zohar , Petr Vorel , Bruno Meneguele
Subject: [PATCH v2 1/8] ima-evm-utils: improve reading TPM 1.2 PCRs
Date: Fri, 10 Jul 2020 12:00:52 -0400
Message-Id: <1594396859-9232-2-git-send-email-zohar@linux.ibm.com>
In-Reply-To: <1594396859-9232-1-git-send-email-zohar@linux.ibm.com>
References: <1594396859-9232-1-git-send-email-zohar@linux.ibm.com>

Instead of reading the TPM 1.2 PCRs one at a time, opening and closing the securityfs file each time, read all of the PCRs at once.

Signed-off-by: Mimi Zohar
--- src/evmctl.c | 39 ++++++++++++++++++--------------------- 1 file changed, 18 insertions(+), 21 deletions(-) diff --git a/src/evmctl.c b/src/evmctl.c index 21809b3229e9..0e489e2c7ba6 100644 --- a/src/evmctl.c +++ b/src/evmctl.c @@ -152,6 +152,14 @@ static void print_usage(struct command *cmd); static const char *xattr_ima = "security.ima"; static const char *xattr_evm = "security.evm"; +struct tpm_bank_info { + int digest_size; + int supported; + const char *algo_name; + uint8_t digest[MAX_DIGEST_SIZE]; + uint8_t pcr[NUM_PCRS][MAX_DIGEST_SIZE]; +}; + static int bin2file(const char *file, const char *ext, const unsigned char *data, int len) { FILE *fp;
@@ -1366,13 +1374,13 @@ static int cmd_ima_clear(struct command *cmd) static char *pcrs = "/sys/class/tpm/tpm0/device/pcrs"; /* Kernels >= 4.0 */ static char *misc_pcrs = "/sys/class/misc/tpm0/device/pcrs"; -static int tpm_pcr_read(int idx, uint8_t *pcr, int len) +/* Read all of the TPM 1.2 PCRs */ +static int tpm_pcr_read(struct tpm_bank_info *tpm_banks, int len) { FILE *fp; char *p, pcr_str[7], buf[70]; /* length of the TPM string */ int result = -1; - - sprintf(pcr_str, "PCR-%2.2d", idx); + int i = 0; fp = fopen(pcrs, "r"); if (!fp) @@ -1385,11 +1393,10 @@ static int tpm_pcr_read(int idx, uint8_t *pcr, int len) p = fgets(buf, sizeof(buf), fp); if (!p) break; - if (!strncmp(p, pcr_str, 6)) { - hex2bin(pcr, p + 7, len); - result = 0; - break; - } + sprintf(pcr_str, "PCR-%2.2d", i); + if (!strncmp(p, pcr_str, 6)) + hex2bin(tpm_banks[0].pcr[i++], p + 7, len); + result = 0; } fclose(fp); return result; @@ -1571,14 +1578,6 @@ void ima_ng_show(struct template_entry *entry) } } -struct tpm_bank_info { - int digest_size; - int supported; - const char *algo_name; - uint8_t digest[MAX_DIGEST_SIZE]; - uint8_t pcr[NUM_PCRS][MAX_DIGEST_SIZE]; -}; - static void set_bank_info(struct tpm_bank_info *bank, const char *algo_name) { const EVP_MD *md; 
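Review bot: in the tpm_pcr_read() hunk, `result = 0` is now set unconditionally for every line fgets() returns, so the function reports success even when no `PCR-NN` line matched and tpm_banks[0].pcr[] stays all zero; the caller in read_tpm_pcrs() then sets `tpm_banks[0].supported = 1` on an empty bank. Suggest only counting matches and failing unless all of them were seen, e.g. `result = (i == NUM_PCRS) ? 0 : -1;` after the loop. `i` is also never bounded: a file with more than NUM_PCRS matching lines writes past `pcr[NUM_PCRS]` via `hex2bin(tpm_banks[0].pcr[i++], ...)`, and for i >= 100 the `sprintf(pcr_str, "PCR-%2.2d", i)` overruns `pcr_str[7]`; stop the loop once `i == NUM_PCRS`. The bound matters more once patch 3/8 lets this file be supplied from the command line.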
@@ -1771,11 +1770,9 @@ static int read_tpm_pcrs(int num_banks, struct tpm_bank_info *tpm_banks) { int i; - for (i = 0; i < NUM_PCRS; i++) { - if (tpm_pcr_read(i, tpm_banks[0].pcr[i], SHA_DIGEST_LENGTH)) { - log_debug("Failed to read TPM 1.2 PCRs.\n"); - return -1; - } + if (tpm_pcr_read(tpm_banks, SHA_DIGEST_LENGTH)) { + log_debug("Failed to read TPM 1.2 PCRs.\n"); + return -1; } tpm_banks[0].supported = 1;

From patchwork Fri Jul 10 16:00:53 2020
X-Patchwork-Submitter: Mimi Zohar
X-Patchwork-Id: 11656939
From: Mimi Zohar
To: linux-integrity@vger.kernel.org
Cc: Mimi Zohar , Petr Vorel , Bruno Meneguele
Subject: [PATCH v2 2/8] ima_evm_utils: support extending TPM 2.0 banks w/original SHA1 padded digest
Date: Fri, 10 Jul 2020 12:00:53 -0400
Message-Id: <1594396859-9232-3-git-send-email-zohar@linux.ibm.com>
In-Reply-To: <1594396859-9232-1-git-send-email-zohar@linux.ibm.com>
References: <1594396859-9232-1-git-send-email-zohar@linux.ibm.com>

Initially the sha1 digest, including violations, was padded with zeroes before being extended into the other TPM banks. Support walking the IMA measurement list, calculating the per TPM bank SHA1 padded digest(s).

Signed-off-by: Mimi Zohar
--- src/evmctl.c | 73 +++++++++++++++++++++++++++++++++++++++++++++++------------- 1 file changed, 58 insertions(+), 15 deletions(-) diff --git a/src/evmctl.c b/src/evmctl.c index 0e489e2c7ba6..814aa6b75571 100644 --- a/src/evmctl.c +++ b/src/evmctl.c @@ -1613,6 +1613,10 @@ static struct tpm_bank_info *init_tpm_banks(int *num_banks) return banks; } +/* + * Compare the calculated TPM PCR banks against the PCR values read. + * On failure to match any TPM bank, fail comparison. + */ static int compare_tpm_banks(int num_banks, struct tpm_bank_info *bank, struct tpm_bank_info *tpm_bank) {
@@ -1632,14 +1636,15 @@ static int compare_tpm_banks(int num_banks, struct tpm_bank_info *bank, log_info("%s: TPM PCR-%d: ", tpm_bank[i].algo_name, j); log_dump(tpm_bank[i].pcr[j], tpm_bank[i].digest_size); - ret = memcmp(bank[i].pcr[j], tpm_bank[i].pcr[j], - bank[i].digest_size); - if (!ret) + if (memcmp(bank[i].pcr[j], tpm_bank[i].pcr[j], + bank[i].digest_size) == 0) { log_info("%s PCR-%d: succeed\n", bank[i].algo_name, j); - else + } else { + ret = 1; log_info("%s: PCRAgg %d does not match TPM PCR-%d\n", bank[i].algo_name, j, j); + } } } return ret; @@ -1695,10 +1700,7 @@ static int extend_tpm_bank(EVP_MD_CTX *pctx, const EVP_MD *md, goto out; } - if (validate && !memcmp(entry->header.digest, zero, SHA_DIGEST_LENGTH)) - err = EVP_DigestUpdate(pctx, fox, bank->digest_size); - else - err = EVP_DigestUpdate(pctx, bank->digest, bank->digest_size); + err = EVP_DigestUpdate(pctx, bank->digest, bank->digest_size); if (!err) { printf("EVP_DigestUpdate() failed\n"); goto out; @@ -1716,7 +1718,8 @@ out: /* Calculate and extend the template hash for multiple hash algorithms */ static void extend_tpm_banks(struct template_entry *entry, int num_banks, - struct tpm_bank_info *bank) + struct tpm_bank_info *bank, + struct tpm_bank_info *padded_bank) { EVP_MD_CTX *pctx; const EVP_MD *md; 
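Review bot: the extend_tpm_bank() hunk removes the only reference to `fox` in this function; if nothing else uses it after this series, the `memset(fox, 0xff, MAX_DIGEST_SIZE)` still visible as context in the ima_measurement() hunk below and the definition itself should go too, otherwise the compiler will flag an unused variable. The compare_tpm_banks() change in the same region is a real fix: previously `ret` took the value of each memcmp() in turn, so a later matching PCR reset an earlier mismatch back to 0; making `ret = 1` sticky is correct, just confirm that `ret` is initialised to 0 before the loops, since its declaration is outside this hunk.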
@@ -1741,24 +1744,53 @@ static void extend_tpm_banks(struct template_entry *entry, int num_banks, } /* - * Measurement violations are 0x00 digests. No need to - * calculate the per TPM bank template digests. + * Measurement violations are 0x00 digests, which are extended + * into the TPM as 0xff. Verifying the IMA measurement list + * will fail, unless the 0x00 digests are converted to 0xff's. + * + * Initially the sha1 digest, including violations, was padded + * with zeroes before being extended into the TPM. With the + * per TPM bank digest, violations are the full per bank digest + * size. */ - if (memcmp(entry->header.digest, zero, SHA_DIGEST_LENGTH) == 0) - memset(bank[i].digest, 0x00, bank[i].digest_size); - else { + if (memcmp(entry->header.digest, zero, SHA_DIGEST_LENGTH) == 0) { + if (!validate) { + memset(bank[i].digest, 0x00, bank[i].digest_size); + memset(padded_bank[i].digest, 0x00, padded_bank[i].digest_size); + } else { + memset(bank[i].digest, 0xff, + bank[i].digest_size); + + memset(padded_bank[i].digest, 0x00, + padded_bank[i].digest_size); + memset(padded_bank[i].digest, 0xff, + SHA_DIGEST_LENGTH); + } + } else { err = calculate_template_digest(pctx, md, entry, &bank[i]); if (!err) { bank[i].supported = 0; continue; } + + /* + * calloc set the memory to zero, so just copy the + * sha1 digest. + */ + memcpy(padded_bank[i].digest, entry->header.digest, + SHA_DIGEST_LENGTH); } /* extend TPM BANK with template digest */ err = extend_tpm_bank(pctx, md, entry, &bank[i]); if (!err) bank[i].supported = 0; + + /* extend TPM BANK with zero padded sha1 template digest */ + err = extend_tpm_bank(pctx, md, entry, &padded_bank[i]); + if (!err) + padded_bank[i].supported = 0; } #if OPENSSL_VERSION_NUMBER >= 0x10100000 EVP_MD_CTX_free(pctx); 
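Review bot: in the extend_tpm_banks() hunk, the `continue` after a failed calculate_template_digest() clears `bank[i].supported` but skips the padded bank entirely, leaving `padded_bank[i].supported` set while its aggregate is missing this entry, so the later SHA1-padded fallback comparison runs on a bank that is silently wrong; clear `padded_bank[i].supported = 0` there as well. The comment "calloc set the memory to zero, so just copy the sha1 digest" only holds for the first entry: `padded_bank[i].digest` is reused across entries, and on a violation the `validate` path writes 0xff into the first SHA_DIGEST_LENGTH bytes, so the bytes beyond the SHA1 digest are zero only because the violation path memset()s the whole buffer first. An explicit `memset(padded_bank[i].digest, 0, padded_bank[i].digest_size);` before the memcpy() makes the invariant local and the comment accurate.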
@@ -1825,6 +1857,7 @@ static int read_tpm_banks(int num_banks, struct tpm_bank_info *bank) static int ima_measurement(const char *file) { + struct tpm_bank_info *pseudo_padded_banks; struct tpm_bank_info *pseudo_banks; struct tpm_bank_info *tpm_banks; int is_ima_template, cur_template_fmt; @@ -1839,6 +1872,7 @@ static int ima_measurement(const char *file) memset(zero, 0, MAX_DIGEST_SIZE); memset(fox, 0xff, MAX_DIGEST_SIZE); + pseudo_padded_banks = init_tpm_banks(&num_banks); pseudo_banks = init_tpm_banks(&num_banks); tpm_banks = init_tpm_banks(&num_banks); @@ -1939,7 +1973,8 @@ static int ima_measurement(const char *file) entry.template_buf_len - len); } - extend_tpm_banks(&entry, num_banks, pseudo_banks); + extend_tpm_banks(&entry, num_banks, pseudo_banks, + pseudo_padded_banks); if (verify) ima_verify_template_hash(&entry); 
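Review bot: in the ima_measurement() hunks, a third init_tpm_banks(&num_banks) call is added and, like the two existing ones, its return value is not checked in the visible code; an allocation failure is then dereferenced inside extend_tpm_banks(). Check all three for NULL, and release pseudo_padded_banks wherever pseudo_banks is released.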
@@ -1954,7 +1989,15 @@ static int ima_measurement(const char *file) err = 0; log_info("Failed to read any TPM PCRs\n"); } else { + log_info("Comparing with per TPM digest\n"); err = compare_tpm_banks(num_banks, pseudo_banks, tpm_banks); + + /* On failure, check older SHA1 zero padded hashes */ + if (err) { + log_info("Comparing with SHA1 padded digest\n"); + err = compare_tpm_banks(num_banks, pseudo_padded_banks, + tpm_banks); + } } out:

From patchwork Fri Jul 10 16:00:54 2020
X-Patchwork-Submitter: Mimi Zohar
X-Patchwork-Id: 11656941
From: Mimi Zohar
To: linux-integrity@vger.kernel.org
Cc: Mimi Zohar , Petr Vorel , Bruno Meneguele
Subject: [PATCH v2 3/8] ima-evm-utils: support providing the TPM 1.2 PCRs as a file
Date: Fri, 10 Jul 2020 12:00:54 -0400
Message-Id: <1594396859-9232-4-git-send-email-zohar@linux.ibm.com>
In-Reply-To: <1594396859-9232-1-git-send-email-zohar@linux.ibm.com>
References: <1594396859-9232-1-git-send-email-zohar@linux.ibm.com>

"evmctl ima_measurement" walks the IMA measurement list calculating the PCRs and verifies the calculated values against the system's PCRs. Instead of reading the system's PCRs, provide the PCRs as a file.

For TPM 1.2 the PCRs are exported via a securityfs file. Verifying the IMA measurement list against the exported TPM 1.2 PCRs file may be used remotely for regression testing. If used in a production environment, the provided TPM PCRs must be compared with those included in the TPM 1.2 quote as well.

This patch defines an evmctl ima_measurement "--pcrs " option.

Signed-off-by: Mimi Zohar
--- src/evmctl.c | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/src/evmctl.c b/src/evmctl.c index 814aa6b75571..21ae1c7ca5a7 100644 --- a/src/evmctl.c +++ b/src/evmctl.c
@@ -160,6 +160,8 @@ struct tpm_bank_info { uint8_t pcr[NUM_PCRS][MAX_DIGEST_SIZE]; }; +static char *pcrfile; + static int bin2file(const char *file, const char *ext, const unsigned char *data, int len) { FILE *fp; @@ -1377,12 +1379,18 @@ static char *misc_pcrs = "/sys/class/misc/tpm0/device/pcrs"; /* Read all of the TPM 1.2 PCRs */ static int tpm_pcr_read(struct tpm_bank_info *tpm_banks, int len) { - FILE *fp; + FILE *fp = NULL; char *p, pcr_str[7], buf[70]; /* length of the TPM string */ int result = -1; int i = 0; - fp = fopen(pcrs, "r"); + /* Use the provided TPM 1.2 pcrs file */ + if (pcrfile) + fp = fopen(pcrfile, "r"); + + if (!fp) + fp = fopen(pcrs, "r"); + if (!fp) fp = fopen(misc_pcrs, "r"); @@ -2347,7 +2355,7 @@ struct command cmds[] = { {"ima_verify", cmd_verify_ima, 0, "file", "Verify IMA signature (for debugging).\n"}, {"ima_setxattr", cmd_setxattr_ima, 0, "[--sigfile file]", "Set IMA signature from sigfile\n"}, {"ima_hash", cmd_hash_ima, 0, "file", "Make file content hash.\n"}, - {"ima_measurement", cmd_ima_measurement, 0, "[--validate] [--verify] file", "Verify measurement list (experimental).\n"}, + {"ima_measurement", cmd_ima_measurement, 0, "[--validate] [--verify] [--pcrs file] file", "Verify measurement list (experimental).\n"}, {"ima_boot_aggregate", cmd_ima_bootaggr, 0, "[file]", "Calculate per TPM bank boot_aggregate digests\n"}, {"ima_fix", cmd_ima_fix, 0, "[-t fdsxm] path", "Recursively fix IMA/EVM xattrs in fix mode.\n"}, {"ima_clear", cmd_ima_clear, 0, "[-t fdsxm] path", "Recursively remove IMA/EVM xattrs.\n"}, @@ -2388,6 +2396,7 @@ static struct option opts[] = { {"xattr-user", 0, 0, 140}, {"validate", 0, 0, 141}, {"verify", 0, 0, 142}, + {"pcrs", 1, 0, 143}, {} }; 
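Review bot: in the tpm_pcr_read() hunk, when `--pcrs file` is given but `fopen(pcrfile, "r")` fails, the code silently falls through to the system's sysfs PCRs, so a mistyped path makes a remote regression run verify the list against whatever TPM happens to be on the test host, and the only symptom is a mismatch that looks like a bad measurement list. Fail explicitly when the user named a file: `if (pcrfile && !(fp = fopen(pcrfile, "r"))) { log_err("Unable to open %s\n", pcrfile); return -1; }` and only then try `pcrs` and `misc_pcrs`. The usage string `[--pcrs file]` would also benefit from saying that the file is in the TPM 1.2 sysfs `PCR-NN: ...` layout and only affects the TPM 1.2 path, which the commit message states but the help text does not.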
@@ -2572,6 +2581,9 @@ int main(int argc, char *argv[]) case 142: /* --verify */ verify = 1; break; + case 143: + pcrfile = optarg; + break; case '?': exit(1); break;

From patchwork Fri Jul 10 16:00:55 2020
X-Patchwork-Submitter: Mimi Zohar
X-Patchwork-Id: 11656943
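Review bot: in the main() hunk of patch 3/8, the new `case 143:` is missing the option comment that its neighbours carry (`case 142: /* --verify */`); add `/* --pcrs */` so the numeric option codes stay readable.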
From: Mimi Zohar
To: linux-integrity@vger.kernel.org
Cc: Mimi Zohar , Petr Vorel , Bruno Meneguele
Subject: [PATCH v2 4/8] ima-evm-utils: emit "ima_measurement" messages based on log level
Date: Fri, 10 Jul 2020 12:00:55 -0400
Message-Id: <1594396859-9232-5-git-send-email-zohar@linux.ibm.com>
In-Reply-To: <1594396859-9232-1-git-send-email-zohar@linux.ibm.com>
References: <1594396859-9232-1-git-send-email-zohar@linux.ibm.com>

"ima_measurement" emits quite a few messages. Only a few messages belong at the default log level.

Signed-off-by: Mimi Zohar
--- src/evmctl.c | 25 ++++++++++++++++++------- 1 file changed, 18 insertions(+), 7 deletions(-) diff --git a/src/evmctl.c b/src/evmctl.c index 21ae1c7ca5a7..fac6a270794f 100644 --- a/src/evmctl.c +++ b/src/evmctl.c
@@ -1638,21 +1638,27 @@ static int compare_tpm_banks(int num_banks, struct tpm_bank_info *bank, if (memcmp(bank[i].pcr[j], zero, bank[i].digest_size) == 0) continue; + + if (memcmp(bank[i].pcr[j], tpm_bank[i].pcr[j], + bank[i].digest_size) != 0) + ret = 1; + + if ((!ret && imaevm_params.verbose <= LOG_INFO) || + (ret && imaevm_params.verbose <= LOG_DEBUG)) + continue; + log_info("%s: PCRAgg %d: ", bank[i].algo_name, j); log_dump(bank[i].pcr[j], bank[i].digest_size); log_info("%s: TPM PCR-%d: ", tpm_bank[i].algo_name, j); log_dump(tpm_bank[i].pcr[j], tpm_bank[i].digest_size); - if (memcmp(bank[i].pcr[j], tpm_bank[i].pcr[j], - bank[i].digest_size) == 0) { + if (!ret) log_info("%s PCR-%d: succeed\n", bank[i].algo_name, j); - } else { - ret = 1; + else log_info("%s: PCRAgg %d does not match TPM PCR-%d\n", bank[i].algo_name, j, j); - } } } return ret; 
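Review bot: in the compare_tpm_banks() hunk, `ret` is the accumulated result across all banks and PCRs, but the new logging uses it as if it were per-PCR. Once one PCR mismatches, `ret` stays 1 for every later iteration, so every subsequent PCR, including ones that match, is reported as "PCRAgg %d does not match TPM PCR-%d" and the `succeed` line becomes unreachable; the verbosity gate `(!ret && imaevm_params.verbose <= LOG_INFO)` is evaluated against the same stale value. Keep `ret` as the sticky return value and add a per-iteration flag, e.g. `int match = memcmp(bank[i].pcr[j], tpm_bank[i].pcr[j], bank[i].digest_size) == 0; if (!match) ret = 1;` and then test `match` in the gate and the messages. Also worth a look: as written, a mismatch is dumped only when verbose exceeds LOG_DEBUG while a match is dumped already when it exceeds LOG_INFO; if mismatches are meant to be the more visible case, the two thresholds look swapped.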
@@ -1997,15 +2003,20 @@ static int ima_measurement(const char *file) err = 0; log_info("Failed to read any TPM PCRs\n"); } else { - log_info("Comparing with per TPM digest\n"); err = compare_tpm_banks(num_banks, pseudo_banks, tpm_banks); + if (!err) + log_info("Matched per TPM bank calculated digest(s).\n"); /* On failure, check older SHA1 zero padded hashes */ if (err) { - log_info("Comparing with SHA1 padded digest\n"); err = compare_tpm_banks(num_banks, pseudo_padded_banks, tpm_banks); + if (!err) + log_info("Matched SHA1 padded TPM digest(s).\n"); } + + if (err) + log_info("Failed to match per TPM bank or SHA1 padded TPM digest(s).\n"); } out:

From patchwork Fri Jul 10 16:00:56 2020
X-Patchwork-Submitter: Mimi Zohar
X-Patchwork-Id: 11656945
From: Mimi Zohar
To: linux-integrity@vger.kernel.org
Cc: Mimi Zohar , Petr Vorel , Bruno Meneguele
Subject: [PATCH v2 5/8] ima-evm-utils: guarantee the measurement list contains all the records
Date: Fri, 10 Jul 2020 12:00:56 -0400
Message-Id: <1594396859-9232-6-git-send-email-zohar@linux.ibm.com>
In-Reply-To: <1594396859-9232-1-git-send-email-zohar@linux.ibm.com>
References: <1594396859-9232-1-git-send-email-zohar@linux.ibm.com>

Reading the TPM PCRs before walking the measurement list guarantees the measurement list contains all the records.

Signed-off-by: Mimi Zohar
--- src/evmctl.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/src/evmctl.c b/src/evmctl.c index fac6a270794f..5787887882b4 100644 --- a/src/evmctl.c +++ b/src/evmctl.c @@ -1876,6 +1876,7 @@ static int ima_measurement(const char *file) struct tpm_bank_info *tpm_banks; int is_ima_template, cur_template_fmt; int num_banks = 0; + int tpmbanks = 1; int first_record = 1; struct template_entry entry = { .template = 0 };
@@ -1901,6 +1902,14 @@ static int ima_measurement(const char *file) else /* assume read pubkey from x509 cert */ init_public_keys("/etc/keys/x509_evm.der"); + /* + * Reading the PCRs before walking the IMA measurement list + * guarantees that all of the measurements are included in + * the PCRs. + */ + if (read_tpm_banks(num_banks, tpm_banks) != 0) + tpmbanks = 0; + while (fread(&entry.header, sizeof(entry.header), 1, fp)) { if (entry.header.name_len > TCG_EVENT_NAME_LEN_MAX) { log_err("%d ERROR: event name too long!\n", 
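Review bot: the block comment added above the `while (fread(...))` loop states the guarantee backwards. Reading the PCRs first cannot guarantee that "all of the measurements are included in the PCRs"; what it guarantees is the converse, that every measurement already reflected in the PCR snapshot has been written to the list by the time the list is walked (the commit message says this correctly, and patch 6/8 handles the list holding more records than the snapshot). Suggest `* guarantees that every measurement reflected in the PCRs is present in the list.` A second, smaller point: when `read_tpm_banks()` fails the walk continues with `tpmbanks = 0`, which is fine, but the user learns that no PCR comparison will happen only after the whole list has been parsed; a `log_info()` right at the failing call would report it earlier.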
@@ -1999,10 +2008,9 @@ static int ima_measurement(const char *file) ima_ng_show(&entry); } - if (read_tpm_banks(num_banks, tpm_banks) != 0) { - err = 0; + if (tpmbanks == 0) log_info("Failed to read any TPM PCRs\n"); - } else { + else { err = compare_tpm_banks(num_banks, pseudo_banks, tpm_banks); if (!err) log_info("Matched per TPM bank calculated digest(s).\n"); From patchwork Fri Jul 10 16:00:57 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mimi Zohar X-Patchwork-Id: 11656947 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id F06C21709 for ; Fri, 10 Jul 2020 16:01:17 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id E13FD207BB for ; Fri, 10 Jul 2020 16:01:17 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727998AbgGJQBR (ORCPT ); Fri, 10 Jul 2020 12:01:17 -0400 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:36294 "EHLO mx0b-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727989AbgGJQBR (ORCPT ); Fri, 10 Jul 2020 12:01:17 -0400 Received: from pps.filterd (m0098417.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id 06AFXKtQ100425; Fri, 10 Jul 2020 12:01:14 -0400 Received: from pps.reinject (localhost [127.0.0.1]) by mx0a-001b2d01.pphosted.com with ESMTP id 326bpshbbv-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 10 Jul 2020 12:01:14 -0400 Received: from m0098417.ppops.net (m0098417.ppops.net [127.0.0.1]) by pps.reinject (8.16.0.36/8.16.0.36) with SMTP id 06AFZAob113542; Fri, 10 Jul 2020 12:01:14 -0400 Received: from ppma06ams.nl.ibm.com (66.31.33a9.ip4.static.sl-reverse.com [169.51.49.102]) by mx0a-001b2d01.pphosted.com with ESMTP id 326bpshbar-1 
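Review bot: the `-` lines in this hunk drop the `err = 0;` that the old code set when no TPM PCRs could be read, so after this change the `if (tpmbanks == 0)` path leaves `err` at whatever it held before (its declaration initializes it to -1, as the context of patch 6/8's first hunk shows) and `ima_measurement()` reports failure where it previously logged `Failed to read any TPM PCRs` and returned success. Treating an unreadable TPM as an error is a defensible choice for a verification tool, but it is a behaviour change and the commit message does not mention it; either state it there or restore `err = 0;` under the `if (tpmbanks == 0)` branch. Style: with the `else` branch braced, the single-statement `if` branch should be braced too.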
From: Mimi Zohar To: linux-integrity@vger.kernel.org Cc: Mimi Zohar , Petr Vorel , Bruno Meneguele Subject: [PATCH v2 6/8] ima-evm-utils: the IMA measurement list may have too many measurements Date: Fri, 10 Jul 2020 12:00:57 -0400 Message-Id: <1594396859-9232-7-git-send-email-zohar@linux.ibm.com> X-Mailer: git-send-email 2.7.5 In-Reply-To: <1594396859-9232-1-git-send-email-zohar@linux.ibm.com> References: <1594396859-9232-1-git-send-email-zohar@linux.ibm.com> X-TM-AS-GCONF: 00 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.235,18.0.687 definitions=2020-07-10_10:2020-07-10,2020-07-10 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 clxscore=1015 spamscore=0 mlxlogscore=999 impostorscore=0 priorityscore=1501 lowpriorityscore=0 bulkscore=0 malwarescore=0 mlxscore=0 phishscore=0 adultscore=0 suspectscore=1 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2006250000 definitions=main-2007100104 Sender: linux-integrity-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org Reading the TPM PCRs before walking the measurement list guarantees the measurement list contains all the records, possibly too many records. Compare the re-calculated hash after each extend with both the per bank TPM PCR digests and the SHA1 padded TPM PCR digests. Signed-off-by: Mimi Zohar --- src/evmctl.c | 33 ++++++++++++++++++++++----------- 1 file changed, 22 insertions(+), 11 deletions(-) diff --git a/src/evmctl.c b/src/evmctl.c index 5787887882b4..88fd8e4c31f0 100644 --- a/src/evmctl.c +++ b/src/evmctl.c @@ -1881,6 +1881,7 @@ static int ima_measurement(const char *file) struct template_entry entry = { .template = 0 }; FILE *fp; + int err_padded = -1; int err = -1; errno = 0; 
@@ -2006,24 +2007,34 @@ static int ima_measurement(const char *file) ima_show(&entry); else ima_ng_show(&entry); + + if (!tpmbanks) + continue; + + /* The measurement list might contain too many entries, + * compare the re-calculated TPM PCR values after each + * extend. + */ + err = compare_tpm_banks(num_banks, pseudo_banks, tpm_banks); + if (!err) + break; + + /* Compare against original SHA1 zero padded TPM PCR values */ + err_padded = compare_tpm_banks(num_banks, pseudo_padded_banks, + tpm_banks); + if (!err_padded) + break; } if (tpmbanks == 0) log_info("Failed to read any TPM PCRs\n"); else { - err = compare_tpm_banks(num_banks, pseudo_banks, tpm_banks); if (!err) log_info("Matched per TPM bank calculated digest(s).\n"); - - /* On failure, check older SHA1 zero padded hashes */ - if (err) { - err = compare_tpm_banks(num_banks, pseudo_padded_banks, - tpm_banks); - if (!err) - log_info("Matched SHA1 padded TPM digest(s).\n"); - } - - if (err) + else if (!err_padded) { + log_info("Matched SHA1 padded TPM digest(s).\n"); + err = 0; + } else log_info("Failed to match per TPM bank or SHA1 padded TPM digest(s).\n"); } From patchwork Fri Jul 10 16:00:58 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mimi Zohar X-Patchwork-Id: 11656959 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id DCB1813BD for ; Fri, 10 Jul 2020 16:08:00 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id CD563207BB for ; Fri, 10 Jul 2020 16:08:00 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726925AbgGJQIA (ORCPT ); Fri, 10 Jul 2020 12:08:00 -0400 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:5168 "EHLO mx0b-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id 
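Review bot: the `break` after a successful `compare_tpm_banks()` ends the walk at the first matching record, so every record after that point is neither parsed nor displayed, and nothing tells the user how many entries were left unverified. Since the commit message's own premise is that the list may be longer than the PCR snapshot, a `log_info()` giving the number of remaining records (or at least saying that the walk stopped early) would make a "Matched" result easier to interpret, and the commit message should state that entries after the matching one are not validated. Two smaller points: the loop now runs a full per-bank comparison (twice, with the padded variant) for every record rather than once at the end, which is acceptable for typical list sizes but worth a sentence in the log; and the new block comment opens with `/* The measurement list ...` on the first line while the comment added in patch 5/8 uses the kernel's `/*` then newline style, so the two should agree.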
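The verification strategy that patches 5/8 and 6/8 put into `ima_measurement()`, as an added Python simulation that is not code from ima-evm-utils or from the kernel: snapshot the TPM banks before the walk, re-extend the list one record at a time, and compare after every extend so that a list which has grown past the snapshot still verifies. Assumptions, all mine: a two-bank TPM (sha1, sha256) with a single simulated PCR; the legacy "SHA1 padded" layout being the SHA1 template digest zero-padded on the right to the bank's digest size; constructed template records in place of real binary template data; and a match requiring every bank to agree, which is this simulation's choice and says nothing about how `compare_tpm_banks()` treats partial matches.

```python
"""Simulated IMA measurement-list verification (added example; not
ima-evm-utils code). Snapshot the TPM banks first, then re-extend the
list record by record and compare after each extend, so a list that has
grown past the snapshot still verifies. All records are constructed."""
import hashlib

# Banks of the simulated TPM (assumption: a TPM 2.0 with SHA1 and SHA256).
BANKS = ("sha1", "sha256")

# Constructed template-data records; real entries would be the raw
# ima-ng/ima-sig template data read from the binary measurement list.
SAMPLE_RECORDS = [
    b"boot_aggregate",
    b"/init",
    b"/usr/lib/systemd/systemd",
    b"/usr/bin/bash",
]


def empty_banks() -> dict:
    """All-zero PCR value for every bank (the state before any extend)."""
    return {alg: bytes(hashlib.new(alg).digest_size) for alg in BANKS}


def pcr_extend(alg: str, pcr: bytes, digest: bytes) -> bytes:
    """TPM extend operation: PCR_new = H(PCR_old || digest)."""
    return hashlib.new(alg, pcr + digest).digest()


def per_bank_digests(template_data: bytes) -> dict:
    """Template-data digest computed natively for each bank."""
    return {alg: hashlib.new(alg, template_data).digest() for alg in BANKS}


def sha1_padded_digests(template_data: bytes) -> dict:
    """Legacy layout (assumption about the 'SHA1 padded' scheme): the SHA1
    template digest, zero-padded on the right to the bank's digest size."""
    sha1 = hashlib.sha1(template_data).digest()
    return {alg: sha1.ljust(hashlib.new(alg).digest_size, b"\x00")
            for alg in BANKS}


def simulate_tpm(records, digest_fn) -> dict:
    """Bank values a TPM would hold after extending `records` via `digest_fn`.
    Stands in for read_tpm_banks(): the snapshot taken before the walk."""
    banks = empty_banks()
    for rec in records:
        d = digest_fn(rec)
        for alg in BANKS:
            banks[alg] = pcr_extend(alg, banks[alg], d[alg])
    return banks


def verify_measurement_list(records, tpm_banks):
    """Re-extend the list and compare after each record, as the loop in
    patch 6/8 does. Returns (scheme, records_consumed), where scheme is
    "per-bank", "sha1-padded", or None when no prefix of the list
    reproduces the snapshot (list incomplete, altered, or wrong TPM)."""
    pseudo = empty_banks()
    pseudo_padded = empty_banks()
    for n, rec in enumerate(records, start=1):
        new = per_bank_digests(rec)
        old = sha1_padded_digests(rec)
        for alg in BANKS:
            pseudo[alg] = pcr_extend(alg, pseudo[alg], new[alg])
            pseudo_padded[alg] = pcr_extend(alg, pseudo_padded[alg], old[alg])
        if pseudo == tpm_banks:
            return "per-bank", n
        if pseudo_padded == tpm_banks:
            return "sha1-padded", n
    return None, len(records)


if __name__ == "__main__":
    # Snapshot reflects three records; the list has since grown to four.
    snapshot = simulate_tpm(SAMPLE_RECORDS[:3], per_bank_digests)
    print(verify_measurement_list(SAMPLE_RECORDS, snapshot))
    # An older kernel extended the SHA1 digest zero-padded into every bank.
    legacy = simulate_tpm(SAMPLE_RECORDS[:3], sha1_padded_digests)
    print(verify_measurement_list(SAMPLE_RECORDS, legacy))
    # A list shorter than the snapshot can never reproduce it.
    print(verify_measurement_list(SAMPLE_RECORDS[:2], snapshot))
```

The `records_consumed` value is the piece of information the reviewer note above asks the tool to report: it tells the operator how many trailing records were never checked against the TPM, which matters when deciding whether the unverified tail is ordinary post-snapshot activity or something to look at.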
ESMTP; Fri, 10 Jul 2020 16:01:10 +0000 (GMT) From: Mimi Zohar To: linux-integrity@vger.kernel.org Cc: Mimi Zohar , Petr Vorel , Bruno Meneguele Subject: [PATCH v2 7/8] ima-evm-utils: optionally verify the template data file signature Date: Fri, 10 Jul 2020 12:00:58 -0400 Message-Id: <1594396859-9232-8-git-send-email-zohar@linux.ibm.com> X-Mailer: git-send-email 2.7.5 In-Reply-To: <1594396859-9232-1-git-send-email-zohar@linux.ibm.com> References: <1594396859-9232-1-git-send-email-zohar@linux.ibm.com> X-TM-AS-GCONF: 00 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.235,18.0.687 definitions=2020-07-10_13:2020-07-10,2020-07-10 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 mlxlogscore=999 lowpriorityscore=0 phishscore=0 mlxscore=0 spamscore=0 adultscore=0 impostorscore=0 bulkscore=0 priorityscore=1501 suspectscore=1 malwarescore=0 clxscore=1015 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2006250000 definitions=main-2007100109 Sender: linux-integrity-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org Rename "--list" to "verify-sig" to optionally verify the file signature contained in the template data based on the supplied set of keys. Signed-off-by: Mimi Zohar --- README | 3 ++- src/evmctl.c | 12 ++++++------ 2 files changed, 8 insertions(+), 7 deletions(-) diff --git a/README b/README index 3603ae8a6084..374b748c59bf 100644 --- a/README +++ b/README @@ -31,7 +31,7 @@ COMMANDS ima_sign [--sigfile] [--key key] [--pass password] file ima_verify file ima_hash file - ima_measurement [--key "key1, key2, ..."] [--list] file + ima_measurement [--verify-sig [--key "key1, key2, ..."]] file ima_fix [-t fdsxm] path sign_hash [--key key] [--pass password] hmac [--imahash | --imasig ] file 
@@ -59,6 +59,7 @@ OPTIONS --m32 force EVM hmac/signature for 32 bit target system --m64 force EVM hmac/signature for 64 bit target system --engine e preload OpenSSL engine e (such as: gost) + --verify-sig verify the template data file signature -v increase verbosity level -h, --help display this help and exit diff --git a/src/evmctl.c b/src/evmctl.c index 88fd8e4c31f0..90a3eebc4431 100644 --- a/src/evmctl.c +++ b/src/evmctl.c @@ -125,7 +125,7 @@ static char *caps_str; static char *ima_str; static char *selinux_str; static char *search_type; -static int measurement_list; +static int verify_list_sig; static int recursive; static int msize; static dev_t fs_dev; @@ -1566,7 +1566,7 @@ void ima_ng_show(struct template_entry *entry) log_info(" "); log_dump(sig, sig_len); } - if (measurement_list) + if (verify_list_sig) err = ima_verify_signature(path, sig, sig_len, digest, digest_len); else @@ -2367,7 +2367,7 @@ static void usage(void) " --ima use custom IMA signature for EVM\n" " --selinux use custom Selinux label for EVM\n" " --caps use custom Capabilities for EVM(unspecified: from FS, empty: do not use)\n" - " --list measurement list verification\n" + " --verify-sig verify measurement list signatures\n" " --engine e preload OpenSSL engine e (such as: gost)\n" " -v increase verbosity level\n" " -h, --help display this help and exit\n" 
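Review bot: the `usage()` hunk and the README hunk describe the same option differently: `" --verify-sig verify measurement list signatures\n"` in evmctl.c versus `--verify-sig verify the template data file signature` in the README. Both texts come from this patch, so pick one wording (the README's is the more accurate, since what is verified is the file signature carried in the template data, not a signature over the list) and use it in both places. Also, the README places `--verify-sig` among the generic options after `--engine e` even though it only applies to `ima_measurement`; a short qualifier such as "(ima_measurement)" would stop readers from trying it with other commands.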
@@ -2385,7 +2385,7 @@ struct command cmds[] = { {"ima_verify", cmd_verify_ima, 0, "file", "Verify IMA signature (for debugging).\n"}, {"ima_setxattr", cmd_setxattr_ima, 0, "[--sigfile file]", "Set IMA signature from sigfile\n"}, {"ima_hash", cmd_hash_ima, 0, "file", "Make file content hash.\n"}, - {"ima_measurement", cmd_ima_measurement, 0, "[--validate] [--verify] [--pcrs file] file", "Verify measurement list (experimental).\n"}, + {"ima_measurement", cmd_ima_measurement, 0, "[--validate] [--verify] [--verify-sig [--key key1, key2, ...]] [--pcrs file] file", "Verify measurement list (experimental).\n"}, {"ima_boot_aggregate", cmd_ima_bootaggr, 0, "[file]", "Calculate per TPM bank boot_aggregate digests\n"}, {"ima_fix", cmd_ima_fix, 0, "[-t fdsxm] path", "Recursively fix IMA/EVM xattrs in fix mode.\n"}, {"ima_clear", cmd_ima_clear, 0, "[-t fdsxm] path", "Recursively remove IMA/EVM xattrs.\n"}, @@ -2421,7 +2421,7 @@ static struct option opts[] = { {"ima", 1, 0, 135}, {"selinux", 1, 0, 136}, {"caps", 2, 0, 137}, - {"list", 0, 0, 138}, + {"verify-sig", 0, 0, 138}, {"engine", 1, 0, 139}, {"xattr-user", 0, 0, 140}, {"validate", 0, 0, 141}, 
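Review bot: the new `cmds[]` help string shows `[--verify-sig [--key key1, key2, ...]]` without the double quotes that the README hunk in this same patch uses (`[--key "key1, key2, ..."]`); since the README shows the key list as one quoted argument, the unquoted form in the command table will lead users to pass each key as a separate argv element. Make the two agree. For the `opts[]` hunk: `{"list", 0, 0, 138}` is replaced outright, so any script that calls `ima_measurement --list` now fails option parsing; that is acceptable for a command marked experimental, but the commit message should say that `--list` is no longer accepted, or the old name could be kept as an undocumented alias for one release.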
@@ -2586,7 +2586,7 @@ int main(int argc, char *argv[]) hmac_flags |= HMAC_FLAG_CAPS_SET; break; case 138: - measurement_list = 1; + verify_list_sig = 1; break; case 139: /* --engine e */ eng = ENGINE_by_id(optarg); From patchwork Fri Jul 10 16:00:59 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mimi Zohar X-Patchwork-Id: 11656951 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id A68D06C1 for ; Fri, 10 Jul 2020 16:01:20 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 983C42078D for ; Fri, 10 Jul 2020 16:01:20 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728028AbgGJQBU (ORCPT ); Fri, 10 Jul 2020 12:01:20 -0400 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:57654 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727901AbgGJQBU (ORCPT ); Fri, 10 Jul 2020 12:01:20 -0400 Received: from pps.filterd (m0098399.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id 06AFVxiU031715; Fri, 10 Jul 2020 12:01:17 -0400 Received: from pps.reinject (localhost [127.0.0.1]) by mx0a-001b2d01.pphosted.com with ESMTP id 326bpesgwp-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 10 Jul 2020 12:01:17 -0400 Received: from m0098399.ppops.net (m0098399.ppops.net [127.0.0.1]) by pps.reinject (8.16.0.36/8.16.0.36) with SMTP id 06AFX9PG038791; Fri, 10 Jul 2020 12:01:16 -0400 Received: from ppma04fra.de.ibm.com (6a.4a.5195.ip4.static.sl-reverse.com [149.81.74.106]) by mx0a-001b2d01.pphosted.com with ESMTP id 326bpesgur-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 10 Jul 2020 12:01:16 -0400 Received: from pps.filterd (ppma04fra.de.ibm.com 
From: Mimi Zohar To: linux-integrity@vger.kernel.org Cc: Mimi Zohar , Petr Vorel , Bruno Meneguele Subject: [PATCH v2 8/8] ima-evm-utils: update README to reflect "--pcrs", "--verify" and "--validate" Date: Fri, 10 Jul 2020 12:00:59 -0400 Message-Id: <1594396859-9232-9-git-send-email-zohar@linux.ibm.com> X-Mailer: git-send-email 2.7.5 In-Reply-To: <1594396859-9232-1-git-send-email-zohar@linux.ibm.com> References: <1594396859-9232-1-git-send-email-zohar@linux.ibm.com> X-TM-AS-GCONF: 00 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.235,18.0.687 definitions=2020-07-10_10:2020-07-10,2020-07-10 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 impostorscore=0 lowpriorityscore=0 malwarescore=0 suspectscore=1 mlxscore=0 spamscore=0 adultscore=0 bulkscore=0 clxscore=1015 phishscore=0 mlxlogscore=999 priorityscore=1501 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2006250000 definitions=main-2007100104 Sender: linux-integrity-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org "--pcrs" compares the re-calculated PCRs against a file containing TPM 1.2 pcrs. "--validate" ignores ToMToU measurement violations. "--verify" verifies the template data digest based on the template data. Signed-off-by: Mimi Zohar --- README | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/README b/README index 374b748c59bf..64b9da508d8d 100644 --- a/README +++ b/README @@ -31,7 +31,7 @@ COMMANDS ima_sign [--sigfile] [--key key] [--pass password] file ima_verify file ima_hash file - ima_measurement [--verify-sig [--key "key1, key2, ..."]] file + ima_measurement [--validate] [--verify] [--verify-sig [--key "key1, key2, ..."]] [--pcrs file] file ima_fix [-t fdsxm] path sign_hash [--key key] [--pass password] hmac [--imahash | --imasig ] file 
@@ -59,6 +59,9 @@ OPTIONS --m32 force EVM hmac/signature for 32 bit target system --m64 force EVM hmac/signature for 64 bit target system --engine e preload OpenSSL engine e (such as: gost) + --pcrs file containing TPM 1.2 pcrs + --validate ignore ToMToU measurement violations + --verify verify the template data digest --verify-sig verify the template data file signature -v increase verbosity level -h, --help display this help and exit
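Review bot: `--pcrs` takes a file argument (the COMMANDS hunk of this patch shows `[--pcrs file]`), but the new OPTIONS line `--pcrs file containing TPM 1.2 pcrs` does not show the argument placeholder the way the adjacent `--engine e preload OpenSSL engine e` does, so the text reads as if `--pcrs` were a flag. Suggest `--pcrs file   compare against the TPM 1.2 PCRs in file`, and capitalize PCRs consistently with the rest of the README. The `--verify` line could also say what the digest is compared against (the commit message's "based on the template data" is clearer than the README text).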