From patchwork Sun Jul 19 16:02:02 2020
X-Patchwork-Submitter: Mimi Zohar
X-Patchwork-Id: 11672503
From: Mimi Zohar
To: linux-integrity@vger.kernel.org
Cc: Mimi Zohar, Petr Vorel, Bruno Meneguele
Subject: [PATCH 1/3] ima-evm-utils: similarly add sanity check for file parameter of TPM 1.2 PCRs
Date: Sun, 19 Jul 2020 12:02:02 -0400
Message-Id: <1595174524-4976-1-git-send-email-zohar@linux.ibm.com>

The parameter is expected to be a copy of /sys/class/tpm/tpm0/device/pcrs (i.e. a regular file, not a directory, block or character device, socket, ...).

Signed-off-by: Mimi Zohar
Reviewed-by: Petr Vorel
---
 src/evmctl.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/src/evmctl.c b/src/evmctl.c
index 0f1c5a023516..06a2ffb879d9 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -1379,14 +1379,26 @@ static char *misc_pcrs = "/sys/class/misc/tpm0/device/pcrs"; /* Read all of the TPM 1.2 PCRs */ static int tpm_pcr_read(struct tpm_bank_info *tpm_banks, int len) { + struct stat s; FILE *fp = NULL; char *p, pcr_str[8], buf[70]; /* length of the TPM string */ int result = -1; int i = 0; /* Use the provided TPM 1.2 pcrs file */ - if (pcrfile) + if (pcrfile) { + if (stat(pcrfile, &s) == -1) { + errno = 0; + return 1; + } + + if (!S_ISREG(s.st_mode)) { + log_info("TPM 1.2 PCR file: not a regular file or link to regular file\n"); + return 1; + } + fp = fopen(pcrfile, "r"); + } if (!fp) fp = fopen(pcrs, "r");
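Review bot: in tpm_pcr_read, the stat() failure branch of this hunk returns 1 with no diagnostic at all (`errno = 0; return 1;`), so a mistyped or unreadable --pcrs path fails silently while the S_ISREG branch right below it logs a message; log the path and strerror(errno) before clearing errno. The check also inspects the path with stat() and only then calls fopen(pcrfile, "r"), so the object tested and the object read can differ; calling fopen() first and fstat(fileno(fp)) on the open stream checks what is actually read. Returning 1 from these branches while the function initialises `result = -1` mixes two failure conventions in one function; pick one.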
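The sanity check the commit message describes, as an added example and not ima-evm-utils code: a C routine that opens a user-supplied pcrs path, requires a regular file by fstat() on the open stream rather than stat() on the path, and parses `PCR-NN: XX XX ...` lines into a 24 x 20-byte array. It assumes the layout the kernel's TPM 1.2 sysfs `pcrs` attribute emits (two uppercase hex digits per byte, space separated, one PCR per line); the function names are mine and the two sample records are constructed.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <sys/stat.h>
enum { TPM12_NUM_PCRS = 24, SHA1_LEN = 20 };
static unsigned char pcrs[TPM12_NUM_PCRS][SHA1_LEN];   /* filled by the parser */

/* Open a user-supplied path and require a regular file. fstat() on the open
 * descriptor tests the object that is read; stat() on the path tests a name. */
static FILE *open_regular_file(const char *path)
{
    struct stat st;
    FILE *fp = fopen(path, "r");
    if (fp && (fstat(fileno(fp), &st) == -1 || !S_ISREG(st.st_mode))) {
        fclose(fp);
        return NULL;
    }
    return fp;
}

/* Parse "PCR-NN: XX XX ... XX" lines (the TPM 1.2 sysfs layout) into pcrs[].
 * Returns the number of records parsed, or -1 at the first malformed line. */
static int parse_tpm12_pcrs(FILE *fp)
{
    char buf[70];   /* "PCR-NN: " + 20 * "XX " + "\n" + NUL = 70 bytes */
    int count = 0;
    while (fgets(buf, sizeof(buf), fp)) {
        int idx, used = 0;
        if (sscanf(buf, "PCR-%d:%n", &idx, &used) != 1 || idx < 0 || idx >= TPM12_NUM_PCRS)
            return -1;
        const char *p = buf + used;
        for (int j = 0; j < SHA1_LEN; j++, p += used) {
            unsigned int byte;
            if (sscanf(p, " %2x%n", &byte, &used) != 1)
                return -1;
            pcrs[idx][j] = (unsigned char)byte;
        }
        count++;
    }
    return count;
}

/* Constructed two-record sample (not a real TPM dump), parsed from memory. */
static int demo_parse_sample(void)
{
    static char sample[] =
        "PCR-00: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 \n"
        "PCR-17: DE AD BE EF 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \n";
    FILE *fp = fmemopen(sample, sizeof(sample) - 1, "r");
    int n = fp ? parse_tpm12_pcrs(fp) : -1;
    if (fp) fclose(fp);
    return n;
}
```

With a real dump, `open_regular_file("/tmp/local_pcrs_new")` feeds `parse_tpm12_pcrs`; a directory or device path is rejected before a single byte is parsed.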
From: Mimi Zohar
To: linux-integrity@vger.kernel.org
Cc: Mimi Zohar, Petr Vorel, Bruno Meneguele
Subject: [PATCH 2/3] ima-evm-utils: output specific "unknown keyid" file msg based on log level
Date: Sun, 19 Jul 2020 12:02:03 -0400
Message-Id: <1595174524-4976-2-git-send-email-zohar@linux.ibm.com>
In-Reply-To: <1595174524-4976-1-git-send-email-zohar@linux.ibm.com>
References: <1595174524-4976-1-git-send-email-zohar@linux.ibm.com>

When the IMA measurement list contains file signatures, the file signatures are verified either by calculating the local file data hash or based on the file hash contained in the measurement list. In either case a list of trusted public keys needs to be provided.

In addition to the list of known/unknown public keys needed to verify the measurement list being output, the specific files signed by an unknown public key are output as well. Output the individual "unknown keyid" file messages based on log level.

Example 1: "ima_measurement" list of known/unknown public keys

Verify the provided IMA measurement list against the provided TPM 1.2 PCRs.
--validate: ignore measurement violations.
--verify: calculate and verify the template digest against the template data.
--verify-sig: verify the file signature against the file hash stored in the template data.

$ evmctl ima_measurement /tmp/local_binary_runtime_measurements --pcrs /tmp/local_pcrs_new --validate --verify --verify-sig
key 1: 14c2d147 /etc/keys/x509_evm.der
key 2: 6e6c1046 (unknown keyid)
key 3: c4e2426e (unknown keyid)
Matched per TPM bank calculated digest(s).

Example 2: verbose mode (-v) includes specific unknown files.

/usr/bin/evmctl: verification failed: unknown keyid 6e6c1046

Signed-off-by: Mimi Zohar
Reviewed-by: Petr Vorel
---
 src/libimaevm.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/libimaevm.c b/src/libimaevm.c
index 16e07e82b9e3..fa6c27858d0f 100644
--- a/src/libimaevm.c
+++ b/src/libimaevm.c
@@ -512,8 +512,9 @@ static int verify_hash_v2(const char *file, const unsigned char *hash, int size, if (!pkey) { uint32_t keyid = hdr->keyid; - log_info("%s: verification failed: unknown keyid %x\n", - file, __be32_to_cpup(&keyid)); + if (imaevm_params.verbose > LOG_INFO) + log_info("%s: verification failed: unknown keyid %x\n", + file, __be32_to_cpup(&keyid)); return -1; }
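Review bot: the new `imaevm_params.verbose > LOG_INFO` guard around the "unknown keyid" message lives in verify_hash_v2 in src/libimaevm.c, i.e. in the shared library, so it silences the diagnostic for every caller that reaches this function, not only the ima_measurement path the commit message motivates; those callers now receive a bare -1 with no record of which keyid was missing. Either keep the quieter behaviour in the measurement-list caller or state the library-wide change in the commit message. Wrapping log_info in a hand-written level comparison also reads as an ad hoc debug level; if the library offers a debug-level log macro, it would express the intent directly.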
From: Mimi Zohar
To: linux-integrity@vger.kernel.org
Cc: Mimi Zohar, Petr Vorel, Bruno Meneguele
Subject: [PATCH 3/3] ima_evm_utils: indicate "--verify" template data digest failures
Date: Sun, 19 Jul 2020 12:02:04 -0400
Message-Id: <1595174524-4976-3-git-send-email-zohar@linux.ibm.com>
In-Reply-To: <1595174524-4976-1-git-send-email-zohar@linux.ibm.com>
References: <1595174524-4976-1-git-send-email-zohar@linux.ibm.com>

Helps to indicate when the template data digest verification fails. Indicate the problematic record in the measurement list based on log level and fail verification.

fixes: ff26f9704ec4 ("ima-evm-utils: calculate and verify the template data digest")

Signed-off-by: Mimi Zohar
Reviewed-by: Petr Vorel
---
 src/evmctl.c | 23 ++++++++++++++++++++---
 1 file changed, 20 insertions(+), 3 deletions(-)

diff --git a/src/evmctl.c b/src/evmctl.c
index 06a2ffb879d9..faddc3c361a0 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -1444,14 +1444,21 @@ static int verify = 0; static int ima_verify_template_hash(struct template_entry *entry) { uint8_t digest[SHA_DIGEST_LENGTH]; + static int line = 0; + + line++; if (!memcmp(zero, entry->header.digest, sizeof(digest))) return 0; SHA1(entry->template, entry->template_len, digest); - if (memcmp(digest, entry->header.digest, sizeof(digest))) + if (memcmp(digest, entry->header.digest, sizeof(digest))) { + if (imaevm_params.verbose > LOG_INFO) + log_info("Failed to verify template data digest(line %d).\n", + line); return 1; + } return 0; } @@ -1892,6 +1899,7 @@ static int ima_measurement(const char *file) struct template_entry entry = { .template = 0 }; FILE *fp; + int verified_template_digest = 0; int err_padded = -1; int err = -1; @@ -2020,8 +2028,12 @@ static int ima_measurement(const char *file) extend_tpm_banks(&entry, num_banks, pseudo_banks, pseudo_padded_banks); - if (verify) - ima_verify_template_hash(&entry); + /* Recalculate and verify template data digest */ + if (verify) { + err = ima_verify_template_hash(&entry); + if (err) + verified_template_digest = 1; + } if (is_ima_template) ima_show(&entry); @@ -2058,6 +2070,11 @@ static int ima_measurement(const char *file) log_info("Failed to match per TPM bank or SHA1 padded TPM digest(s).\n"); } + if (verified_template_digest) { + log_info("Failed to verify template data digest.\n"); + err = 1; + } + out: fclose(fp); return err;
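Review bot: the `static int line = 0; line++;` counter added to ima_verify_template_hash (first hunk, @@ -1444) lives for the whole process, so if ima_measurement is run on a second list within the same process the reported "line %d" values continue from where the first list stopped; pass the record index in from the ima_measurement loop, or reset the counter when the list is opened. Minor: the message "template data digest(line %d)" wants a space before the parenthesis.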
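Review bot: `verified_template_digest` (declared in the @@ -1892 hunk) is set to 1 only when ima_verify_template_hash() returned non-zero, i.e. when verification failed (`if (err) verified_template_digest = 1;`), so the name states the opposite of what the flag records; a name such as `template_digest_failed` would read correctly at the final `if (verified_template_digest)` check as well.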
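Review bot: in the @@ -2020 hunk, `err = ima_verify_template_hash(&entry);` assigns to the function-wide `err` (initialised to -1 and returned at `out:`) on every record, so a record that verifies cleanly resets `err` to 0 and any status it held before the loop iteration is lost; please check that nothing after the loop relies on the earlier value, and prefer a local for the return code, since `verified_template_digest` already carries the failure forward to the final check.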