From patchwork Mon Oct 5 22:27:19 2020
X-Patchwork-Submitter: Ken Goldman
X-Patchwork-Id: 11817815
To: Linux Integrity
From: Ken Goldman
Subject: [PATCH 2/6] ima-evm-utils: Change PCR iterator from int to uint32_t
Message-ID: <8877d400-7888-bc64-6ceb-b2f611419e1d@linux.ibm.com>
Date: Mon, 5 Oct 2020 18:27:19 -0400
X-Mailing-List: linux-integrity@vger.kernel.org

PCR numbers are naturally unsigned values. Further, they are 32 bits, even on 64-bit machines. This change eliminates the need for negative value and overflow tests.

The parameter name is changed from j and idx to pcrHandle, which is more descriptive and is the parameter name used in the TPM 2.0 specification.

Signed-off-by: Ken Goldman
--- src/evmctl.c | 9 +++++---- src/pcr.h | 2 +- src/pcr_tss.c | 4 ++-- src/pcr_tsspcrread.c | 4 ++-- 4 files changed, 10 insertions(+), 9 deletions(-) diff --git a/src/evmctl.c b/src/evmctl.c index 1815f55..b056a1e 100644 --- a/src/evmctl.c +++ b/src/evmctl.c @@ -1895,7 +1895,8 @@ static int read_tpm_banks(int num_banks, struct tpm_bank_info *bank) { int tpm_enabled = 0; char *errmsg = NULL; - int i, j; + int i; + uint32_t pcrHandle; int err; /* If --pcrs was specified, read only from the specified file(s) */
@@ -1915,9 +1916,9 @@ static int read_tpm_banks(int num_banks, struct tpm_bank_info *bank) /* Read PCRs from multiple TPM 2.0 banks */ for (i = 0; i < num_banks; i++) { err = 0; - for (j = 0; j < NUM_PCRS && !err; j++) { - err = tpm2_pcr_read(bank[i].algo_name, j, - bank[i].pcr[j], bank[i].digest_size, + for (pcrHandle = 0; pcrHandle < NUM_PCRS && !err; pcrHandle++) { + err = tpm2_pcr_read(bank[i].algo_name, pcrHandle, + bank[i].pcr[pcrHandle], bank[i].digest_size, &errmsg); if (err) { log_debug("Failed to read %s PCRs: (%s)\n", diff --git a/src/pcr.h b/src/pcr.h index 79547bd..dd8311a 100644 --- a/src/pcr.h +++ b/src/pcr.h @@ -1,3 +1,3 @@ int tpm2_pcr_supported(void); -int tpm2_pcr_read(const char *algo_name, int idx, uint8_t *hwpcr, +int tpm2_pcr_read(const char *algo_name, uint32_t pcrHandle, uint8_t *hwpcr, int len, char **errmsg); diff --git a/src/pcr_tss.c b/src/pcr_tss.c index feb1ff7..5e00524 100644 --- a/src/pcr_tss.c +++ b/src/pcr_tss.c @@ -106,7 +106,7 @@ static TPM2_ALG_ID algo_to_tss2(const char *algo_name) return TPM2_ALG_ERROR; } -int tpm2_pcr_read(const char *algo_name, int idx, uint8_t *hwpcr, +int tpm2_pcr_read(const char *algo_name, uint32_t pcrHandle, uint8_t *hwpcr, int len, char **errmsg) { TSS2_ABI_VERSION abi_version = { @@ -140,7 +140,7 @@ int tpm2_pcr_read(const char *algo_name, int idx, uint8_t *hwpcr, } }; - pcr_select_in.pcrSelections[0].pcrSelect[idx / 8] = (1 << (idx % 8)); + pcr_select_in.pcrSelections[0].pcrSelect[pcrHandle / 8] = (1 << (pcrHandle % 8)); ret = Esys_Initialize(&ctx, NULL, &abi_version); if (ret != TPM2_RC_SUCCESS) { diff --git a/src/pcr_tsspcrread.c b/src/pcr_tsspcrread.c index 462f270..118c7d2 100644 --- a/src/pcr_tsspcrread.c +++ b/src/pcr_tsspcrread.c @@ -68,7 +68,7 @@ int tpm2_pcr_supported(void) return 1; } -int tpm2_pcr_read(const char *algo_name, int idx, uint8_t *hwpcr, +int tpm2_pcr_read(const char *algo_name, uint32_t pcrHandle, uint8_t *hwpcr, int len, char **errmsg) { FILE *fp; 
@@ -77,7 +77,7 @@ int tpm2_pcr_read(const char *algo_name, int idx, uint8_t *hwpcr, int ret; sprintf(cmd, "%s -halg %s -ha %d -ns 2> /dev/null", - path, algo_name, idx); + path, algo_name, pcrHandle); fp = popen(cmd, "r"); if (!fp) { ret = asprintf(errmsg, "popen failed: %s", strerror(errno));
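Review bot: in the src/pcr_tss.c hunk, "pcr_select_in.pcrSelections[0].pcrSelect[pcrHandle / 8] = (1 << (pcrHandle % 8));" still has no upper bound on pcrHandle. Switching to uint32_t removes the negative case, as the commit message says, but tpm2_pcr_read() is exported through src/pcr.h, and only the caller loop in read_tpm_banks() ("pcrHandle < NUM_PCRS") keeps the pcrSelect index in range. Suggest returning an error from tpm2_pcr_read() itself when pcrHandle >= NUM_PCRS, so the bound does not depend on every caller getting it right.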
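Review bot: in the src/pcr_tsspcrread.c hunk, the format string "%s -halg %s -ha %d -ns 2> /dev/null" still uses %d while the argument pcrHandle is now uint32_t, which -Wformat will flag as a type mismatch. Suggest changing it to %u to match the new parameter type.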
From patchwork Mon Oct 5 22:28:22 2020
X-Patchwork-Submitter: Ken Goldman
X-Patchwork-Id: 11817817
To: Linux Integrity
From: Ken Goldman
Subject: [PATCH 3/6] ima-evm-utils: When using the IBM TSS, link in its library
Message-ID: <136e154e-16bc-9d6e-90a3-075cc67be333@linux.ibm.com>
Date: Mon, 5 Oct 2020 18:28:22 -0400
X-Mailing-List: linux-integrity@vger.kernel.org

This is a prerequisite for the code change that uses the TSS rather than the command line tools.

Signed-off-by: Ken Goldman
--- src/Makefile.am | 1 + 1 file changed, 1 insertion(+) diff --git a/src/Makefile.am b/src/Makefile.am index d6c779f..bf18caf 100644 --- a/src/Makefile.am +++ b/src/Makefile.am
@@ -26,6 +26,7 @@ if USE_PCRTSS evmctl_SOURCES += pcr_tss.c else evmctl_SOURCES += pcr_tsspcrread.c +evmctl_LDADD += -libmtss endif AM_CPPFLAGS = -I$(top_srcdir) -include config.h
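Review bot: "evmctl_LDADD += -libmtss" is added to the else branch, so every build that does not select USE_PCRTSS now needs the IBM TSS library at link time, and nothing in configure checks that it is present; on a system without it the build fails with an undefined-reference error instead of a clear configure-time message. Suggest probing for the library in configure.ac (AC_CHECK_LIB or pkg-config) and substituting the result rather than hard-coding the -l flag in Makefile.am. Note also that 4/6 is the patch that actually references TSS symbols, so a tree at 3/6 links a library it does not use; harmless, but worth a sentence in the commit message for anyone bisecting.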
From patchwork Mon Oct 5 22:32:24 2020
X-Patchwork-Submitter: Ken Goldman
X-Patchwork-Id: 11817821
To: Linux Integrity
From: Ken Goldman
Subject: [PATCH 4/6] ima-evm-utils: Change tpm2_pcr_read() to use C code
Message-ID: <0f40ad14-8391-57f4-9a57-5be5e0f4302f@linux.ibm.com>
Date: Mon, 5 Oct 2020 18:32:24 -0400
X-Mailing-List: linux-integrity@vger.kernel.org

Replace the call out to the command line tools with C functions.

The algorithm_string_to_algid() function supports only the digest algorithms in use. The table has placeholders for other algorithms as they are needed and the C strings are defined. The table can also be used for an algorithm ID to string function if it's ever needed.

Signed-off-by: Ken Goldman
--- src/pcr_tsspcrread.c | 156 +++++++++++++++++++++++++++++++++---------- 1 file changed, 122 insertions(+), 34 deletions(-) diff --git a/src/pcr_tsspcrread.c b/src/pcr_tsspcrread.c index 118c7d2..5694e68 100644 --- a/src/pcr_tsspcrread.c +++ b/src/pcr_tsspcrread.c @@ -50,6 +50,10 @@ #include "utils.h" #include "imaevm.h" +#define TPM_POSIX /* use Posix, not Windows constructs in TSS */ +#undef MAX_DIGEST_SIZE /* imaevm uses a different value than the TSS */ +#include + #define CMD "tsspcrread" static char path[PATH_MAX];
@@ -68,44 +72,128 @@ int tpm2_pcr_supported(void) return 1; } -int tpm2_pcr_read(const char *algo_name, uint32_t pcrHandle, uint8_t *hwpcr, - int len, char **errmsg) -{ - FILE *fp; - char pcr[100]; /* may contain an error */ - char cmd[PATH_MAX + 50]; - int ret; - - sprintf(cmd, "%s -halg %s -ha %d -ns 2> /dev/null", - path, algo_name, pcrHandle); - fp = popen(cmd, "r"); - if (!fp) { - ret = asprintf(errmsg, "popen failed: %s", strerror(errno)); - if (ret == -1) /* the contents of errmsg is undefined */ - *errmsg = NULL; - return -1; - } +/* Table mapping C strings to TCG algorithm identifiers */ + +typedef struct tdAlgorithm_Map { + const char *algorithm_string; + TPMI_ALG_HASH algid; +} Algorithm_Map; - if (fgets(pcr, sizeof(pcr), fp) == NULL) { - ret = asprintf(errmsg, "tsspcrread failed: %s", - strerror(errno)); - if (ret == -1) /* the contents of errmsg is undefined */ - *errmsg = NULL; - ret = pclose(fp); - return -1; +Algorithm_Map algorithm_map[] = { + { "sha1", TPM_ALG_SHA1}, + { "sha256", TPM_ALG_SHA256}, +#if 0 /* uncomment as these digest algorithms are supported */ + { "", TPM_ALG_SHA384}, + { "", TPM_ALG_SHA512}, + { "", TPM_ALG_SM3_256}, + { "", TPM_ALG_SHA3_256}, + { "", TPM_ALG_SHA3_384}, + { "", TPM_ALG_SHA3_512}, +#endif +}; + +/* algorithm_string_to_algid() converts a digest algorithm from a C string to a TCG algorithm + identifier as defined in the TCG Algorithm Registry.. + + Returns TPM_ALG_ERROR if the string has an unsupported value. 
+*/ + +static TPMI_ALG_HASH algorithm_string_to_algid(const char *algorithm_string) +{ + size_t i; + for (i=0 ; i < sizeof(algorithm_map)/sizeof(Algorithm_Map) ; i++) { + if (strcmp(algorithm_string, algorithm_map[i].algorithm_string) == 0) { + return algorithm_map[i].algid; /* if match */ } + } + return TPM_ALG_ERROR; +} - /* get the popen "cmd" return code */ - ret = pclose(fp); +/* tpm2_pcr_read() reads the PCR - /* Treat an unallocated bank as an error */ - if (!ret && (strlen(pcr) < SHA_DIGEST_LENGTH)) - ret = -1; + algo_name is the PCR digest algorithm (the PCR bank) as a C string + pcrHandle is the PCR number to read + hwpcr is a buffer for the PCR output in binary + len is the allocated size of hwpcr and should match the digest algorithm +*/ - if (!ret) - hex2bin(hwpcr, pcr, len); - else - *errmsg = strndup(pcr, strlen(pcr) - 1); /* remove newline */ +int tpm2_pcr_read(const char *algo_name, uint32_t pcrHandle, uint8_t *hwpcr, + int len, char **errmsg) +{ + int ret = 0; /* function return code */ + TPM_RC rc = 0; /* TCG return code */ + PCR_Read_In pcrReadIn; /* command input */ + PCR_Read_Out pcrReadOut; /* response output */ + TSS_CONTEXT *tssContext = NULL; + TPMI_ALG_HASH alg_id; /* PCR algorithm */ - return ret; + if (rc == 0) { /* map algorithm string to TCG value */ + alg_id = algorithm_string_to_algid(algo_name); + if (alg_id == TPM_ALG_ERROR) { + ret = asprintf(errmsg, "tpm2_pcr_read: unknown algorithm %s", algo_name); + if (ret == -1) { /* the contents of errmsg is undefined */ + *errmsg = NULL; + } + rc = 1; + } + } + if (rc == 0) { + rc = TSS_Create(&tssContext); + } + /* call TSS to execute the command */ + if (rc == 0) { + pcrReadIn.pcrSelectionIn.count = 1; + pcrReadIn.pcrSelectionIn.pcrSelections[0].hash = alg_id; + pcrReadIn.pcrSelectionIn.pcrSelections[0].sizeofSelect = 3; + pcrReadIn.pcrSelectionIn.pcrSelections[0].pcrSelect[0] = 0; + pcrReadIn.pcrSelectionIn.pcrSelections[0].pcrSelect[1] = 0; + 
pcrReadIn.pcrSelectionIn.pcrSelections[0].pcrSelect[2] = 0; + pcrReadIn.pcrSelectionIn.pcrSelections[0].pcrSelect[pcrHandle / 8] = + 1 << (pcrHandle % 8); + rc = TSS_Execute(tssContext, + (RESPONSE_PARAMETERS *)&pcrReadOut, + (COMMAND_PARAMETERS *)&pcrReadIn, + NULL, + TPM_CC_PCR_Read, + TPM_RH_NULL, NULL, 0); + } + if (rc == 0) { + /* nothing read, bank missing */ + if (pcrReadOut.pcrValues.count == 0) { + ret = asprintf(errmsg, "tpm2_pcr_read: returned count 0 for %s", algo_name); + if (ret == -1) { /* the contents of errmsg is undefined */ + *errmsg = NULL; + } + rc = 1; + } + /* len parameter did not match the digest algorithm */ + else if (pcrReadOut.pcrValues.digests[0].t.size != len) { + ret = asprintf(errmsg, + "tpm2_pcr_read: expected length %d actual %u for %s", + len, pcrReadOut.pcrValues.digests[0].t.size, algo_name); + if (ret == -1) { /* the contents of errmsg is undefined */ + *errmsg = NULL; + } + rc = 1; + } + else { + memcpy(hwpcr, + pcrReadOut.pcrValues.digests[0].t.buffer, + pcrReadOut.pcrValues.digests[0].t.size); + } + } + { + TPM_RC rc1 = TSS_Delete(tssContext); + if (rc == 0) { + rc = rc1; + } + } + /* map TCG return code to function return code */ + if (rc == 0) { + return 0; + } + else { + return -1; + } } +
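Review bot: in the first hunk, "#undef MAX_DIGEST_SIZE" comes after "#include "imaevm.h"", so any later use of MAX_DIGEST_SIZE in this file silently picks up the TSS header's value instead of imaevm's, with no compiler diagnostic. Suggest a comment stating that this file must not depend on imaevm's MAX_DIGEST_SIZE, or including the TSS header in a way that does not require the undef (for example through a small wrapper that only exposes the TSS calls this file needs).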
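Review bot: in the tpm2_pcr_read() rewrite, the TSS_Create() and TSS_Execute() failure paths leave *errmsg untouched while every other failure path sets it; the caller read_tpm_banks() initialises errmsg to NULL and logs it with "Failed to read %s PCRs: (%s)\n", and passing NULL to %s is undefined behaviour, so a TSS failure can print garbage or crash. Suggest formatting the TPM_RC into *errmsg with asprintf() on those two paths (or at minimum setting *errmsg = NULL there and making the caller tolerate NULL). Two smaller points in the same hunk: only pcrSelect[0..2] are zeroed with sizeofSelect = 3, so "pcrSelect[pcrHandle / 8]" for pcrHandle >= 24 writes past the initialised bytes (and, depending on the TSS's PCR_SELECT_MAX, possibly past the array) with no range check, the same concern raised for pcr_tss.c; and algorithm_map is a writable, non-static global whose only user is the static lookup function, so "static const" fits better, and the comment above it ends with "Registry.." (double period).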
From patchwork Mon Oct 5 22:33:39 2020
X-Patchwork-Submitter: Ken Goldman
X-Patchwork-Id: 11817823
To: Linux Integrity
From: Ken Goldman
Subject: [PATCH 5/6] ima-evm-utils: Correct spelling errors
Message-ID:
Date: Mon, 5 Oct 2020 18:33:39 -0400
X-Mailing-List: linux-integrity@vger.kernel.org

In comments and error messages. No impact to code.

Signed-off-by: Ken Goldman
--- tests/boot_aggregate.test | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/boot_aggregate.test b/tests/boot_aggregate.test index 0c58469..688f91e 100755 --- a/tests/boot_aggregate.test +++ b/tests/boot_aggregate.test
@@ -58,7 +58,7 @@ swtpm_start() { swtpm="$(which tpm_server)" swtpm1="$(which swtpm)" if [ -z "${swtpm}" ] && [ -z "${swtpm1}" ]; then - echo "${CYAN}SKIP: Softare TPM (tpm_server and swtpm) not found${NORM}" + echo "${CYAN}SKIP: Software TPM (tpm_server and swtpm) not found${NORM}" return "$SKIP" fi 
@@ -122,7 +122,7 @@ display_pcrs() { done } -# The first entry in the IMA measuremnet list is the "boot_aggregate". +# The first entry in the IMA measurement list is the "boot_aggregate". # For each kexec, an additional "boot_aggregate" will appear in the # measurement list, assuming the previous measurement list is carried # across the kexec.
From patchwork Mon Oct 5 22:34:49 2020
X-Patchwork-Submitter: Ken Goldman
X-Patchwork-Id: 11817825
To: Linux Integrity
From: Ken Goldman
Subject: [PATCH 6/6] ima-evm-utils: Expand the INSTALL instructions.
Message-ID: <1709109b-15e1-a30a-b39b-ccf824902ce1@linux.ibm.com>
Date: Mon, 5 Oct 2020 18:34:49 -0400
X-Mailing-List: linux-integrity@vger.kernel.org

Add some of the less obvious package, TPM, and TSS prerequisites.

autoreconf -i is required before ./configure

Signed-off-by: Ken Goldman
--- INSTALL | 25 +++++++++++++++++++++++-- 1 file changed, 23 insertions(+), 2 deletions(-) diff --git a/INSTALL b/INSTALL index 007e939..58a1f46 100644 --- a/INSTALL +++ b/INSTALL
@@ -9,10 +9,31 @@ are permitted in any medium without royalty provided the copyright notice and this notice are preserved. This file is offered as-is, without warranty of any kind. +Prerequisites +============= + +This project has the following prerequisites: + +(Ubuntu package names) + libkeyutils-dev + libtasn1-dev + libgmp-dev + libnspr4-dev + libnss3-dev + +These software TPMs are supported: + https://github.com/stefanberger/swtpm + https://sourceforge.net/projects/ibmswtpm2/ + https://github.com/stefanberger/libtpms + +Supported TSSes include these. Both are included in some distros. + IBM TSS https://sourceforge.net/projects/ibmtpm20tss/ + Intel TSS + Basic Installation ================== - Briefly, the shell commands `./configure; make; make install' should + Briefly, the shell commands `autoreconf -i; ./configure; make; make install' should configure, build, and install this package. The following more-detailed instructions are generic; see the `README' file for instructions specific to this package. Some packages provide this @@ -51,7 +72,7 @@ of `autoconf'. The simplest way to compile this package is: 1. `cd' to the directory containing the package's source code and type - `./configure' to configure the package for your system. + `autoreconf -i' and then `./configure' to configure the package for your system. Running `configure' might take a while. While running, it prints some messages telling which features it is checking for.
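Review bot: in the Prerequisites hunk, libtpms is listed as a third software TPM, but it is the library that swtpm is built on rather than a separately runnable TPM; suggest listing it under swtpm as its dependency. The TSS list gives a URL for the IBM TSS but none for the Intel TSS, and since 3/6 now links -libmtss, the IBM TSS development package (headers and library) belongs in the package prerequisites as well; the package names given are Ubuntu-only, so a note that other distributions use different names would help. In the Basic Installation hunk, the "autoreconf -i" additions make both changed lines longer than the surrounding wrapped text; suggest re-wrapping them to the file's existing width.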