From patchwork Fri Oct 9 15:49:19 2020
X-Patchwork-Submitter: Ken Goldman
X-Patchwork-Id: 11826391
To: Linux Integrity
From: Ken Goldman
Subject: [PATCH 1/5] ima-evm-utils: Change env variable TPM_SERVER_TYPE for tpm_server
Date: Fri, 9 Oct 2020 11:49:19 -0400
X-Mailing-List: linux-integrity@vger.kernel.org

The default value raw is appropriate for 'swtpm'. tpm_server uses the Microsoft packet encapsulation, so the env variable must have the value mssim.

Signed-off-by: Ken Goldman --- tests/boot_aggregate.test | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tests/boot_aggregate.test b/tests/boot_aggregate.test index 1c7b1f2..b109a32 100755 --- a/tests/boot_aggregate.test +++ b/tests/boot_aggregate.test @@ -35,6 +35,7 @@ else export TPM_COMMAND_PORT=2321 export TPM_PLATFORM_PORT=2322 export TPM_SERVER_NAME="localhost" + # swtpm uses the raw, unencapsulated packet format export TPM_SERVER_TYPE="raw" fi 
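Review bot: the new comment is accurate but stops short for anyone reading this block on its own; the "raw" default set here is later overridden to "mssim" inside swtpm_start() when tpm_server is the simulator found, so say so in the comment (e.g. `# default for swtpm; swtpm_start() switches tpm_server to "mssim"`), otherwise someone chasing a framing mismatch will stop at this line and conclude the type is always raw.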
@@ -73,6 +74,8 @@ swtpm_start() { SWTPM_PPID=$! fi elif [ -n "${swtpm}" ]; then + # tpm_server uses the Microsoft simulator encapsulated packet format + export TPM_SERVER_TYPE="mssim" pgrep swtpm if [ $? -eq 0 ]; then echo "INFO: Software TPM (tpm_server) already running" From patchwork Fri Oct 9 15:50:08 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ken Goldman X-Patchwork-Id: 11826393 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 2266014D5 for ; Fri, 9 Oct 2020 15:50:13 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id EE6A722284 for ; Fri, 9 Oct 2020 15:50:12 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=ibm.com header.i=@ibm.com header.b="hjaSexEB" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2389286AbgJIPuM (ORCPT ); Fri, 9 Oct 2020 11:50:12 -0400 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:32904 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S2389235AbgJIPuM (ORCPT ); Fri, 9 Oct 2020 11:50:12 -0400 Received: from pps.filterd (m0098413.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id 099FgCna067070 for ; Fri, 9 Oct 2020 11:50:11 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=to : from : subject : message-id : date : mime-version : content-type : content-transfer-encoding; s=pp1; bh=L3TDXvrJf3m/VsVBVClyqsMoMPUFvFRo9mIjq4WiHVE=; b=hjaSexEBWsMsdI9cCMX7rwdCfAcc4pG/vNAHMwFKkCpLPHzXy+tBf6Rvkh7Ms74xJbOh wzf/QKw5IXMl+UgzYILs7UaVaEZmudilUB1HHQj/8qyDJPXZeJ3P+85U7ZuGu8RW35Jy 9HeIq/vkSrufx+15bGNEfljypz39MyBifoslxG+UkGl79iclhhiQxGlev5qFHpkfdAgn eRwt89MI0+k2vPbhKKKlzMzVYjgVAV33zQ021fCuODuBjl4Wk+JKW9fKY3Jg9irRUfb8 
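Review bot: `export TPM_SERVER_TYPE="mssim"` is unconditional and lives only inside swtpm_start(), so the type is right only after this function has run: a caller who exported TPM_SERVER_TYPE themselves has it overwritten, and anything that reads PCRs before swtpm_start() still sees the file-level "raw" from the `else` block at line 35. Deciding the type next to the other three TPM_* defaults, where `which tpm_server` / `which swtpm` can be consulted, keeps the four variables in one place. Separately, the guard right after the new lines is `pgrep swtpm`, yet this branch is the tpm_server one (its INFO message says so), so a stray swtpm process makes the test skip starting tpm_server while TPM_SERVER_TYPE now says mssim; `pgrep tpm_server` is presumably what was meant.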
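The two wire formats the commit message contrasts, as an added example that is not part of this series or of ima-evm-utils: it builds a TPM2_PCR_Read command, writes it either bare (TPM_SERVER_TYPE=raw, swtpm) or inside the Microsoft simulator encapsulation (TPM_SERVER_TYPE=mssim, tpm_server), and parses the reply with the same two checks the series' C code makes (count 0 for a missing bank, digest length against the caller's buffer), plus the PCR bound check it lacks. The TPM 2.0 constants and the simulator framing (message type 8 = TPM_SEND_COMMAND, a locality byte, a length prefix, and a trailing uint32 acknowledgement on the reply) are assumptions taken from the TCG structures and the reference simulator's socket protocol, not from the patch; `read_pcr()` and the sample response are my own, and the response bytes are constructed by hand, not captured from a TPM.

```python
import os
import socket
import struct

# TPM 2.0 constants (TCG TPM 2.0 Library, Part 2). Assumed here; the patch only
# names TPM_ALG_SHA1/TPM_ALG_SHA256/TPM_CC_PCR_Read symbolically.
TPM_ST_NO_SESSIONS = 0x8001
TPM_CC_PCR_Read = 0x0000017E
TPM_ALG_SHA1 = 0x0004
TPM_ALG_SHA256 = 0x000B
TPM_RC_SUCCESS = 0

# Microsoft reference-simulator framing, i.e. TPM_SERVER_TYPE=mssim (assumption from
# the simulator protocol, not stated in the patch): uint32 message type, uint8
# locality, uint32 length, then the command; the reply is uint32 length, the TPM
# response, and a uint32 acknowledgement that must be 0.
MS_TPM_SEND_COMMAND = 8


def pcr_selection(alg_id, pcr_handle, sizeof_select=3):
    """Encode one TPMS_PCR_SELECTION selecting a single PCR, with the bound check
    the series' C code (pcrSelect[pcrHandle / 8]) does not make."""
    if pcr_handle >= 8 * sizeof_select:
        raise ValueError(f"PCR {pcr_handle} exceeds a {sizeof_select}-byte select")
    select = bytearray(sizeof_select)
    select[pcr_handle // 8] = 1 << (pcr_handle % 8)
    return struct.pack(">HB", alg_id, sizeof_select) + bytes(select)


def build_pcr_read(alg_id, pcr_handle):
    """TPM2_PCR_Read: 10-byte header + TPML_PCR_SELECTION with one entry."""
    body = struct.pack(">I", 1) + pcr_selection(alg_id, pcr_handle)
    return struct.pack(">HII", TPM_ST_NO_SESSIONS, 10 + len(body), TPM_CC_PCR_Read) + body


def frame(command, server_type, locality=0):
    """Bytes actually written to the socket for each TPM_SERVER_TYPE value."""
    if server_type == "raw":      # swtpm: the bare TPM command
        return command
    if server_type == "mssim":    # tpm_server: simulator encapsulation
        return struct.pack(">IBI", MS_TPM_SEND_COMMAND, locality, len(command)) + command
    raise ValueError(f"unknown TPM_SERVER_TYPE {server_type!r}")


def unframe(data, server_type):
    """Strip the transport framing from a reply and return the TPM response."""
    if server_type == "raw":
        return data
    (length,) = struct.unpack(">I", data[:4])
    response = data[4:4 + length]
    (ack,) = struct.unpack(">I", data[4 + length:8 + length])
    if ack != 0:
        raise ValueError(f"simulator acknowledgement {ack}, expected 0")
    return response


def parse_pcr_read(response, expected_len):
    """Return the first digest of a TPM2_PCR_Read response; count 0 means the
    bank is not allocated, and the digest size must match the caller's buffer."""
    _tag, _size, rc = struct.unpack(">HII", response[:10])
    if rc != TPM_RC_SUCCESS:
        raise ValueError(f"TPM returned rc 0x{rc:08x}")
    off = 10
    _update_counter, nsel = struct.unpack(">II", response[off:off + 8])
    off += 8
    for _ in range(nsel):                     # skip the echoed pcrSelectionOut
        _alg, sz = struct.unpack(">HB", response[off:off + 3])
        off += 3 + sz
    (count,) = struct.unpack(">I", response[off:off + 4])
    off += 4
    if count == 0:
        raise ValueError("returned count 0: bank not allocated")
    (dlen,) = struct.unpack(">H", response[off:off + 2])
    off += 2
    if dlen != expected_len:
        raise ValueError(f"expected length {expected_len} actual {dlen}")
    return response[off:off + dlen]


def read_pcr(alg_id, pcr_handle, expected_len):
    """Read one PCR from a simulator using the environment variables that
    boot_aggregate.test exports (TPM_SERVER_TYPE, TPM_SERVER_NAME, TPM_COMMAND_PORT)."""
    server_type = os.environ.get("TPM_SERVER_TYPE", "raw")
    host = os.environ.get("TPM_SERVER_NAME", "localhost")
    port = int(os.environ.get("TPM_COMMAND_PORT", "2321"))
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(frame(build_pcr_read(alg_id, pcr_handle), server_type))
        data = sock.recv(4096)
    return parse_pcr_read(unframe(data, server_type), expected_len)


def sample_response(digests, alg_id=TPM_ALG_SHA256, pcr_handle=10, update_counter=7):
    """Hand-built TPM2_PCR_Read response (constructed test data, not a capture)."""
    body = struct.pack(">II", update_counter, 1) + pcr_selection(alg_id, pcr_handle)
    body += struct.pack(">I", len(digests))
    for d in digests:
        body += struct.pack(">H", len(d)) + d
    return struct.pack(">HII", TPM_ST_NO_SESSIONS, 10 + len(body), TPM_RC_SUCCESS) + body
```

With a simulator running, `TPM_SERVER_TYPE=mssim python3 -c 'import example; print(example.read_pcr(example.TPM_ALG_SHA256, 10, 32).hex())'` reads PCR 10 of the SHA-256 bank from tpm_server; the same call with the other value against swtpm works too, and mixing them up is the failure this patch prevents, since the 9-byte encapsulation header and the bare TPM header are not interchangeable.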
To: Linux Integrity
From: Ken Goldman
Subject: [PATCH 2/5] ima-evm-utils: Change PCR iterator from int to uint32_t
Message-ID: <3c7eca9d-c14c-2883-5e4c-d8728e161d70@linux.ibm.com>
Date: Fri, 9 Oct 2020 11:50:08 -0400
X-Mailing-List: linux-integrity@vger.kernel.org

PCR numbers are naturally unsigned values. Further, they are 32 bits, even on 64-bit machines. This change eliminates the need for negative value and overflow tests.

The parameter name is changed from j and idx to pcrHandle, which is more descriptive and is the parameter name used in the TPM 2.0 specification.

Signed-off-by: Ken Goldman --- src/evmctl.c | 9 +++++---- src/pcr.h | 2 +- src/pcr_tss.c | 4 ++-- src/pcr_tsspcrread.c | 4 ++-- 4 files changed, 10 insertions(+), 9 deletions(-) diff --git a/src/evmctl.c b/src/evmctl.c index 1815f55..b056a1e 100644 --- a/src/evmctl.c +++ b/src/evmctl.c @@ -1895,7 +1895,8 @@ static int read_tpm_banks(int num_banks, struct tpm_bank_info *bank) { int tpm_enabled = 0; char *errmsg = NULL; - int i, j; + int i; + uint32_t pcrHandle; int err; /* If --pcrs was specified, read only from the specified file(s) */ 
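Review bot: `pcrHandle` is camelCase in a function whose other locals are snake_case (`num_banks`, `tpm_enabled`, `errmsg`); `pcr_handle`, or just `pcr`, would match the surrounding code and the TPM 2.0 name can be mentioned in a comment. `uint32_t` also needs `<stdint.h>`; fine if evmctl.c already gets it via imaevm.h, worth a glance otherwise.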
@@ -1915,9 +1916,9 @@ static int read_tpm_banks(int num_banks, struct tpm_bank_info *bank) /* Read PCRs from multiple TPM 2.0 banks */ for (i = 0; i < num_banks; i++) { err = 0; - for (j = 0; j < NUM_PCRS && !err; j++) { - err = tpm2_pcr_read(bank[i].algo_name, j, - bank[i].pcr[j], bank[i].digest_size, + for (pcrHandle = 0; pcrHandle < NUM_PCRS && !err; pcrHandle++) { + err = tpm2_pcr_read(bank[i].algo_name, pcrHandle, + bank[i].pcr[pcrHandle], bank[i].digest_size, &errmsg); if (err) { log_debug("Failed to read %s PCRs: (%s)\n", diff --git a/src/pcr.h b/src/pcr.h index 79547bd..dd8311a 100644 --- a/src/pcr.h +++ b/src/pcr.h @@ -1,3 +1,3 @@ int tpm2_pcr_supported(void); -int tpm2_pcr_read(const char *algo_name, int idx, uint8_t *hwpcr, +int tpm2_pcr_read(const char *algo_name, uint32_t pcrHandle, uint8_t *hwpcr, int len, char **errmsg); diff --git a/src/pcr_tss.c b/src/pcr_tss.c index feb1ff7..5e00524 100644 --- a/src/pcr_tss.c +++ b/src/pcr_tss.c @@ -106,7 +106,7 @@ static TPM2_ALG_ID algo_to_tss2(const char *algo_name) return TPM2_ALG_ERROR; } -int tpm2_pcr_read(const char *algo_name, int idx, uint8_t *hwpcr, +int tpm2_pcr_read(const char *algo_name, uint32_t pcrHandle, uint8_t *hwpcr, int len, char **errmsg) { TSS2_ABI_VERSION abi_version = { @@ -140,7 +140,7 @@ int tpm2_pcr_read(const char *algo_name, int idx, uint8_t *hwpcr, } }; - pcr_select_in.pcrSelections[0].pcrSelect[idx / 8] = (1 << (idx % 8)); + pcr_select_in.pcrSelections[0].pcrSelect[pcrHandle / 8] = (1 << (pcrHandle % 8)); ret = Esys_Initialize(&ctx, NULL, &abi_version); if (ret != TPM2_RC_SUCCESS) { diff --git a/src/pcr_tsspcrread.c b/src/pcr_tsspcrread.c index 462f270..118c7d2 100644 --- a/src/pcr_tsspcrread.c +++ b/src/pcr_tsspcrread.c @@ -68,7 +68,7 @@ int tpm2_pcr_supported(void) return 1; } -int tpm2_pcr_read(const char *algo_name, int idx, uint8_t *hwpcr, +int tpm2_pcr_read(const char *algo_name, uint32_t pcrHandle, uint8_t *hwpcr, int len, char **errmsg) { FILE *fp; 
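Review bot: in the second pcr_tss.c hunk, `pcrSelect[pcrHandle / 8] = (1 << (pcrHandle % 8))` still has no upper bound on pcrHandle; the unsigned type removes the negative case, not the overflow case the commit message claims, and a pcrHandle of 8 * sizeof(pcrSelect) or more writes past the array. Since tpm2_pcr_read() is exported through pcr.h and not only reached from the NUM_PCRS-bounded loop in read_tpm_banks(), add at its top something like `if (pcrHandle / 8 >= sizeof(pcr_select_in.pcrSelections[0].pcrSelect)) return -1;` with an errmsg.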
@@ -77,7 +77,7 @@ int tpm2_pcr_read(const char *algo_name, int idx, uint8_t *hwpcr, int ret; sprintf(cmd, "%s -halg %s -ha %d -ns 2> /dev/null", - path, algo_name, idx); + path, algo_name, pcrHandle); fp = popen(cmd, "r"); if (!fp) { ret = asprintf(errmsg, "popen failed: %s", strerror(errno)); From patchwork Fri Oct 9 15:51:12 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ken Goldman X-Patchwork-Id: 11826395 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id D64B4139F for ; Fri, 9 Oct 2020 15:51:17 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id B2BEA222BA for ; Fri, 9 Oct 2020 15:51:17 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=ibm.com header.i=@ibm.com header.b="CEYZGQjI" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2389257AbgJIPvR (ORCPT ); Fri, 9 Oct 2020 11:51:17 -0400 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:28162 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S2388745AbgJIPvR (ORCPT ); Fri, 9 Oct 2020 11:51:17 -0400 Received: from pps.filterd (m0098416.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id 099FWkwW118934 for ; Fri, 9 Oct 2020 11:51:15 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=to : from : subject : message-id : date : mime-version : content-type : content-transfer-encoding; s=pp1; bh=XnxDJmIdYDmKkY+O8tTYgDQhm6ewypNbOuSdnJP5CoI=; b=CEYZGQjIUJlC5m+Rlr4y42ZHKpoUkI2+IuDkvFZ0RRSCZkuFEPYg8nVAJKKvDtTq4zhd Yeh/wpwqvNqnNyFgoYMAcPEvzSem74fkg+xDvA49Ld+WVqB1kxMsKGu0Ms4mvq/e9t8a J5VXGxZBHISRT6tvGgRh1CARCi8zu08w52jw/RAaXywJF9k9LlqmTN0QrUxVPWYdlklj 
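Review bot: `pcrHandle` is now uint32_t but is still formatted with `%d`; use `%u` (or `PRIu32`) so the conversion matches the type, otherwise this is the signed/unsigned mismatch -Wformat will flag and the change set out to remove.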
To: Linux Integrity
From: Ken Goldman
Subject: [PATCH 3/5] ima-evm-utils: Change tpm2_pcr_read() to use C code
Message-ID: <76ae7cf8-d955-2001-f8dd-67fd7737c5c6@linux.ibm.com>
Date: Fri, 9 Oct 2020 11:51:12 -0400
X-Mailing-List: linux-integrity@vger.kernel.org

Replace the call out to the command line tools with C functions.

The algorithm_string_to_algid() function supports only the digest algorithms in use. The table has placeholders for other algorithms as they are needed and the C strings are defined. The table can also be used for an algorithm ID to string function if it's ever needed.

When using the IBM TSS, link in its library.

Signed-off-by: Ken Goldman --- src/Makefile.am | 1 + src/pcr_tsspcrread.c | 156 +++++++++++++++++++++++++++++++++---------- 2 files changed, 123 insertions(+), 34 deletions(-) diff --git a/src/Makefile.am b/src/Makefile.am index d6c779f..bf18caf 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -26,6 +26,7 @@ if USE_PCRTSS evmctl_SOURCES += pcr_tss.c else evmctl_SOURCES += pcr_tsspcrread.c +evmctl_LDADD += -libmtss endif AM_CPPFLAGS = -I$(top_srcdir) -include config.h diff --git a/src/pcr_tsspcrread.c b/src/pcr_tsspcrread.c index 118c7d2..eae68b7 100644 --- a/src/pcr_tsspcrread.c +++ b/src/pcr_tsspcrread.c 
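Review bot: `evmctl_LDADD += -libmtss` turns the IBM TSS into a hard link-time dependency of every non-USE_PCRTSS build without a configure check, so a tree that used to build and fall back to the tsspcrread binary at run time now fails to link when libibmtss is not installed. Add an AC_CHECK_LIB / PKG_CHECK_MODULES for ibmtss in configure.ac and take this branch only when it succeeds. And since nothing in pcr_tsspcrread.c execs `tsspcrread` after this patch, the `#define CMD "tsspcrread"` / `path` machinery left above tpm2_pcr_supported() now probes for a binary the code never runs; the file name is a misnomer for the same reason.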
@@ -50,6 +50,10 @@ #include "utils.h" #include "imaevm.h" +#define TPM_POSIX /* use Posix, not Windows constructs in TSS */ +#undef MAX_DIGEST_SIZE /* imaevm uses a different value than the TSS */ +#include + #define CMD "tsspcrread" static char path[PATH_MAX]; 
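Review bot: `#undef MAX_DIGEST_SIZE` just before the TSS include means every later use of MAX_DIGEST_SIZE in this translation unit silently takes the TSS's value instead of imaevm's; the new tpm2_pcr_read() does not use it, but it is a trap for the next edit. Either include the TSS header before "imaevm.h" so imaevm's definition wins, or move the TSS access into a small file that does not include imaevm.h at all, and in any case add a comment saying which value is in force below this point.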
@@ -68,44 +72,128 @@ int tpm2_pcr_supported(void) return 1; } -int tpm2_pcr_read(const char *algo_name, uint32_t pcrHandle, uint8_t *hwpcr, - int len, char **errmsg) -{ - FILE *fp; - char pcr[100]; /* may contain an error */ - char cmd[PATH_MAX + 50]; - int ret; - - sprintf(cmd, "%s -halg %s -ha %d -ns 2> /dev/null", - path, algo_name, pcrHandle); - fp = popen(cmd, "r"); - if (!fp) { - ret = asprintf(errmsg, "popen failed: %s", strerror(errno)); - if (ret == -1) /* the contents of errmsg is undefined */ - *errmsg = NULL; - return -1; - } +/* Table mapping C strings to TCG algorithm identifiers */ + +typedef struct tdAlgorithm_Map { + const char *algorithm_string; + TPMI_ALG_HASH algid; +} Algorithm_Map; - if (fgets(pcr, sizeof(pcr), fp) == NULL) { - ret = asprintf(errmsg, "tsspcrread failed: %s", - strerror(errno)); - if (ret == -1) /* the contents of errmsg is undefined */ - *errmsg = NULL; - ret = pclose(fp); - return -1; +Algorithm_Map algorithm_map[] = { + { "sha1", TPM_ALG_SHA1}, + { "sha256", TPM_ALG_SHA256}, +#if 0 /* uncomment as these digest algorithms are supported */ + { "", TPM_ALG_SHA384}, + { "", TPM_ALG_SHA512}, + { "", TPM_ALG_SM3_256}, + { "", TPM_ALG_SHA3_256}, + { "", TPM_ALG_SHA3_384}, + { "", TPM_ALG_SHA3_512}, +#endif +}; + +/* algorithm_string_to_algid() converts a digest algorithm from a C string to a TCG algorithm + identifier as defined in the TCG Algorithm Regisrty.. + + Returns TPM_ALG_ERROR if the string has an unsupported value. 
+*/ + +static TPMI_ALG_HASH algorithm_string_to_algid(const char *algorithm_string) +{ + size_t i; + for (i=0 ; i < sizeof(algorithm_map)/sizeof(Algorithm_Map) ; i++) { + if (strcmp(algorithm_string, algorithm_map[i].algorithm_string) == 0) { + return algorithm_map[i].algid; /* if match */ } + } + return TPM_ALG_ERROR; +} - /* get the popen "cmd" return code */ - ret = pclose(fp); +/* tpm2_pcr_read() reads the PCR - /* Treat an unallocated bank as an error */ - if (!ret && (strlen(pcr) < SHA_DIGEST_LENGTH)) - ret = -1; + algo_name is the PCR digest algorithm (the PCR bank) as a C string + pcrHandle is the PCR number to read + hwpcr is a buffer for the PCR output in binary + len is the allocated size of hwpcr and should match the digest algorithm +*/ - if (!ret) - hex2bin(hwpcr, pcr, len); - else - *errmsg = strndup(pcr, strlen(pcr) - 1); /* remove newline */ +int tpm2_pcr_read(const char *algo_name, uint32_t pcrHandle, uint8_t *hwpcr, + int len, char **errmsg) +{ + int ret = 0; /* function return code */ + TPM_RC rc = 0; /* TCG return code */ + PCR_Read_In pcrReadIn; /* command input */ + PCR_Read_Out pcrReadOut; /* response output */ + TSS_CONTEXT *tssContext = NULL; + TPMI_ALG_HASH alg_id; /* PCR algorithm */ - return ret; + if (rc == 0) { /* map algorithm string to TCG value */ + alg_id = algorithm_string_to_algid(algo_name); + if (alg_id == TPM_ALG_ERROR) { + ret = asprintf(errmsg, "tpm2_pcr_read: unknown algorithm %s", algo_name); + if (ret == -1) { /* the contents of errmsg is undefined */ + *errmsg = NULL; + } + rc = 1; + } + } + if (rc == 0) { + rc = TSS_Create(&tssContext); + } + /* call TSS to execute the command */ + if (rc == 0) { + pcrReadIn.pcrSelectionIn.count = 1; + pcrReadIn.pcrSelectionIn.pcrSelections[0].hash = alg_id; + pcrReadIn.pcrSelectionIn.pcrSelections[0].sizeofSelect = 3; + pcrReadIn.pcrSelectionIn.pcrSelections[0].pcrSelect[0] = 0; + pcrReadIn.pcrSelectionIn.pcrSelections[0].pcrSelect[1] = 0; + 
pcrReadIn.pcrSelectionIn.pcrSelections[0].pcrSelect[2] = 0; + pcrReadIn.pcrSelectionIn.pcrSelections[0].pcrSelect[pcrHandle / 8] = + 1 << (pcrHandle % 8); + rc = TSS_Execute(tssContext, + (RESPONSE_PARAMETERS *)&pcrReadOut, + (COMMAND_PARAMETERS *)&pcrReadIn, + NULL, + TPM_CC_PCR_Read, + TPM_RH_NULL, NULL, 0); + } + if (rc == 0) { + /* nothing read, bank missing */ + if (pcrReadOut.pcrValues.count == 0) { + ret = asprintf(errmsg, "tpm2_pcr_read: returned count 0 for %s", algo_name); + if (ret == -1) { /* the contents of errmsg is undefined */ + *errmsg = NULL; + } + rc = 1; + } + /* len parameter did not match the digest algorithm */ + else if (pcrReadOut.pcrValues.digests[0].t.size != len) { + ret = asprintf(errmsg, + "tpm2_pcr_read: expected length %d actual %u for %s", + len, pcrReadOut.pcrValues.digests[0].t.size, algo_name); + if (ret == -1) { /* the contents of errmsg is undefined */ + *errmsg = NULL; + } + rc = 1; + } + else { + memcpy(hwpcr, + pcrReadOut.pcrValues.digests[0].t.buffer, + pcrReadOut.pcrValues.digests[0].t.size); + } + } + { + TPM_RC rc1 = TSS_Delete(tssContext); + if (rc == 0) { + rc = rc1; + } + } + /* map TCG return code to function return code */ + if (rc == 0) { + return 0; + } + else { + return -1; + } } + From patchwork Fri Oct 9 15:51:58 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ken Goldman X-Patchwork-Id: 11826397 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 6A76814D5 for ; Fri, 9 Oct 2020 15:52:05 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 487E22225D for ; Fri, 9 Oct 2020 15:52:03 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=ibm.com header.i=@ibm.com header.b="SCMnM4p3" Received: (majordomo@vger.kernel.org) by 
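Review bot: when TSS_Create() or TSS_Execute() fails, `*errmsg` is never set, so read_tpm_banks() goes on to log `Failed to read %s PCRs: (%s)` with a NULL errmsg, whereas the popen-based code this replaces always filled it; convert the TPM_RC to text (the IBM TSS has a response-code-to-string helper) and asprintf() it in the `rc != 0` path before returning. Three smaller points in the same hunk: `Algorithm_Map algorithm_map[]` should be `static const`; `pcrSelect[pcrHandle / 8]` is written with `sizeofSelect` fixed at 3 but without checking `pcrHandle < 24`, so a larger value indexes past the three bytes zeroed just above; and TSS_Delete() is called unconditionally, including when TSS_Create() failed and `tssContext` is still NULL, which should be guarded or confirmed safe.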
To: Linux Integrity
From: Ken Goldman
Subject: [PATCH 4/5] ima-evm-utils: Correct spelling errors
Message-ID: <73653f1c-a611-7b36-9804-7a7fdc2de00a@linux.ibm.com>
Date: Fri, 9 Oct 2020 11:51:58 -0400
X-Mailing-List: linux-integrity@vger.kernel.org

In comments and error messages. No impact to code.

Signed-off-by: Ken Goldman --- tests/boot_aggregate.test | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/boot_aggregate.test b/tests/boot_aggregate.test index b109a32..9967de2 100755 --- a/tests/boot_aggregate.test +++ b/tests/boot_aggregate.test 
@@ -58,7 +58,7 @@ swtpm_start() { swtpm="$(which tpm_server)" swtpm1="$(which swtpm)" if [ -z "${swtpm}" ] && [ -z "${swtpm1}" ]; then - echo "${CYAN}SKIP: Softare TPM (tpm_server and swtpm) not found${NORM}" + echo "${CYAN}SKIP: Software TPM (tpm_server and swtpm) not found${NORM}" return "$SKIP" fi 
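Review bot: the corrected message sits two lines below `swtpm="$(which tpm_server)"` and `swtpm1="$(which swtpm)"`; since the series already touches this function, renaming those to `tpm_server=` and `swtpm=` would remove the inverted names that make the `pgrep swtpm` guard in the tpm_server branch so easy to misread.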
@@ -122,7 +122,7 @@ display_pcrs() { done } -# The first entry in the IMA measuremnet list is the "boot_aggregate". +# The first entry in the IMA measurement list is the "boot_aggregate". # For each kexec, an additional "boot_aggregate" will appear in the # measurement list, assuming the previous measurement list is carried # across the kexec. From patchwork Fri Oct 9 15:52:55 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ken Goldman X-Patchwork-Id: 11826399 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 578B314D5 for ; Fri, 9 Oct 2020 15:52:59 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 3CE9722261 for ; Fri, 9 Oct 2020 15:52:59 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=ibm.com header.i=@ibm.com header.b="TiWN0vVj" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2389135AbgJIPw7 (ORCPT ); Fri, 9 Oct 2020 11:52:59 -0400 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:50122 "EHLO mx0b-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2388745AbgJIPw6 (ORCPT ); Fri, 9 Oct 2020 11:52:58 -0400 Received: from pps.filterd (m0098417.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id 099FglGn171372 for ; Fri, 9 Oct 2020 11:52:57 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=to : from : subject : message-id : date : mime-version : content-type : content-transfer-encoding; s=pp1; bh=/mjPZYxrXDv+TKKuBOCyCArxDeKMNQontADYbn80Mk8=; b=TiWN0vVjNUCZI/CNd/pyGOI8+fLDHqhrbKOgsSRI4ddkNev6t8NQHIgGVY8//X+IUY5u XIGMqRx4YAqbRtn8/76R0JWDARwBcWwkcLDGCPaOIcbwOb0B+XrbJRqIB7UqUtGJc7hJ LsRC8nWix6J1IwWI3kSaXy9IJaA5RkDD4401HX3JwEzN4CYYS2di04w9OxrxICgvuBfC 
To: Linux Integrity
From: Ken Goldman
Subject: [PATCH 5/5] ima-evm-utils: Expand the INSTALL instructions.
Date: Fri, 9 Oct 2020 11:52:55 -0400
X-Mailing-List: linux-integrity@vger.kernel.org

Add some of the less obvious package, TPM, and TSS prerequisites.

autoreconf -i is required before ./configure

Signed-off-by: Ken Goldman --- INSTALL | 25 +++++++++++++++++++++++-- 1 file changed, 23 insertions(+), 2 deletions(-) diff --git a/INSTALL b/INSTALL index 007e939..58a1f46 100644 --- a/INSTALL +++ b/INSTALL 
@@ -9,10 +9,31 @@ are permitted in any medium without royalty provided the copyright notice and this notice are preserved. This file is offered as-is, without warranty of any kind. +Prerequisites +============= + +This project has the following prerequisites: + +(Ubuntu package names) + libkeyutils-dev + libtasn1-dev + libgmp-dev + libnspr4-dev + libnss3-dev + +These software TPMs are supported: + https://github.com/stefanberger/swtpm + https://sourceforge.net/projects/ibmswtpm2/ + https://github.com/stefanberger/libtpms + +Supported TSSes include these. Both are included in some distros. + IBM TSS https://sourceforge.net/projects/ibmtpm20tss/ + Intel TSS + Basic Installation ================== - Briefly, the shell commands `./configure; make; make install' should + Briefly, the shell commands `autoreconf -i; ./configure; make; make install' should configure, build, and install this package. The following more-detailed instructions are generic; see the `README' file for instructions specific to this package. Some packages provide this @@ -51,7 +72,7 @@ of `autoconf'. The simplest way to compile this package is: 1. `cd' to the directory containing the package's source code and type - `./configure' to configure the package for your system. + `autoreconf -i' and then `./configure' to configure the package for your system. Running `configure' might take a while. While running, it prints some messages telling which features it is checking for.
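Review bot: in the Prerequisites hunk, "Intel TSS" has no URL while the IBM TSS does; https://github.com/tpm2-software/tpm2-tss is the project. The package list also omits the TSS development packages that this series makes build requirements: with patch 3's `-libmtss` the IBM TSS headers and library are needed for the default build, and a USE_PCRTSS build needs the tpm2-tss ESAPI headers. libssl-dev (openssl-devel) is missing too, although evmctl depends on OpenSSL. Finally, the list is labelled "(Ubuntu package names)" only; either add the Fedora/RHEL names or say the Ubuntu ones are examples.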
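Review bot: in the Basic Installation hunk, folding `autoreconf -i` into the `./configure; make; make install` one-liner is right for a git checkout but wrong for a release tarball, where configure is already generated and autotools may not be installed; say "from a git checkout, run `autoreconf -i` first" instead. Note also that this file is the generic FSF INSTALL text (its licence header is the first context line of the hunk), so project-specific steps belong in README, and the rewritten item 1 now exceeds the file's line width and should be wrapped.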