From patchwork Tue Aug 3 20:40:06 2021
X-Patchwork-Submitter: Ken Goldman
X-Patchwork-Id: 12417343
From: Ken Goldman
To: zohar@linux.ibm.com, maroon@lists.linux.ibm.com, linux-integrity@vger.kernel.org
Cc: kgold@linux.ibm.com, Ken Goldman
Subject: [PATCH v5 ima-evm-utils 1/3] Expand the INSTALL instructions.
Date: Tue, 3 Aug 2021 16:40:06 -0400
Message-Id: <20210803204008.29612-2-kgoldman@us.ibm.com>
In-Reply-To: <20210803204008.29612-1-kgoldman@us.ibm.com>
References: <20210803204008.29612-1-kgoldman@us.ibm.com>

Add some of the less obvious package, TPM, and TSS prerequisites. autoreconf -i is required before ./configure

Signed-off-by: Ken Goldman --- INSTALL | 27 +++++++++++++++++++++++++-- 1 file changed, 25 insertions(+), 2 deletions(-) diff --git a/INSTALL b/INSTALL index 007e939..052652d 100644 --- a/INSTALL +++ b/INSTALL
@@ -9,10 +9,33 @@ are permitted in any medium without royalty provided the copyright notice and this notice are preserved. This file is offered as-is, without warranty of any kind. +Prerequisites +============= + +This project has the following prerequisites: + +(Ubuntu package names) + libkeyutils-dev + libtasn1-dev + libgmp-dev + libnspr4-dev + libnss3-dev + +These software TPMs are supported: + https://sourceforge.net/projects/ibmswtpm2/ + https://github.com/stefanberger/swtpm + + swtpm depends upon + https://github.com/stefanberger/libtpms + +Supported TSSes include these. Both are included in some distros. + IBM TSS https://sourceforge.net/projects/ibmtpm20tss/ + Intel TSS + Basic Installation ================== - Briefly, the shell commands `./configure; make; make install' should + Briefly, the shell commands `autoreconf -i; ./configure; make; make install' should configure, build, and install this package. The following more-detailed instructions are generic; see the `README' file for instructions specific to this package. Some packages provide this 
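Review bot: the new Prerequisites section leaves out the autotools even though the same hunk makes `autoreconf -i` a required step in Basic Installation; list autoconf, automake and libtool alongside the Ubuntu -dev packages, otherwise a reader who installs only what is listed fails at the very first command. The two TSS entries are also uneven: IBM TSS carries a project URL while "Intel TSS" stands alone with no URL or package name, so add those for symmetry and say which TSS the build uses when both are present.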
@@ -51,7 +74,7 @@ of `autoconf'. The simplest way to compile this package is: 1. `cd' to the directory containing the package's source code and type - `./configure' to configure the package for your system. + `autoreconf -i' and then `./configure' to configure the package for your system. Running `configure' might take a while. While running, it prints some messages telling which features it is checking for.

From patchwork Tue Aug 3 20:40:07 2021
X-Patchwork-Submitter: Ken Goldman
X-Patchwork-Id: 12417345
From: Ken Goldman
To: zohar@linux.ibm.com, maroon@lists.linux.ibm.com, linux-integrity@vger.kernel.org
Cc: kgold@linux.ibm.com, Ken Goldman
Subject: [PATCH v5 ima-evm-utils 2/3] Change PCR iterator from int to uint32_t
Date: Tue, 3 Aug 2021 16:40:07 -0400
Message-Id: <20210803204008.29612-3-kgoldman@us.ibm.com>
In-Reply-To: <20210803204008.29612-1-kgoldman@us.ibm.com>
References: <20210803204008.29612-1-kgoldman@us.ibm.com>

PCR numbers are naturally unsigned values. Further, they are 32 bits, even on 64-bit machines. This change eliminates the need for negative value and overflow tests. The parameter name is changed from j and idx to pcr_handle, which is more descriptive and is similar to the parameter name used in the TPM 2.0 specification.

Signed-off-by: Ken Goldman --- src/evmctl.c | 12 ++++++++---- src/pcr.h | 2 +- src/pcr_tss.c | 5 +++-- src/pcr_tsspcrread.c | 6 +++--- 4 files changed, 15 insertions(+), 10 deletions(-) diff --git a/src/evmctl.c b/src/evmctl.c index a8065bb..c999589 100644 --- a/src/evmctl.c +++ b/src/evmctl.c
@@ -1914,7 +1914,8 @@ static int read_tpm_banks(int num_banks, struct tpm_bank_info *bank) { int tpm_enabled = 0; char *errmsg = NULL; - int i, j; + int i; + uint32_t pcr_handle; int err; /* If --pcrs was specified, read only from the specified file(s) */ @@ -1934,9 +1935,12 @@ static int read_tpm_banks(int num_banks, struct tpm_bank_info *bank) /* Read PCRs from multiple TPM 2.0 banks */ for (i = 0; i < num_banks; i++) { err = 0; - for (j = 0; j < NUM_PCRS && !err; j++) { - err = tpm2_pcr_read(bank[i].algo_name, j, - bank[i].pcr[j], bank[i].digest_size, + for (pcr_handle = 0; + pcr_handle < NUM_PCRS && !err; + pcr_handle++) { + err = tpm2_pcr_read(bank[i].algo_name, pcr_handle, + bank[i].pcr[pcr_handle], + bank[i].digest_size, &errmsg); if (err) { log_debug("Failed to read %s PCRs: (%s)\n", diff --git a/src/pcr.h b/src/pcr.h index 79547bd..205bae8 100644 --- a/src/pcr.h +++ b/src/pcr.h @@ -1,3 +1,3 @@ int tpm2_pcr_supported(void); -int tpm2_pcr_read(const char *algo_name, int idx, uint8_t *hwpcr, +int tpm2_pcr_read(const char *algo_name, uint32_t pcr_handle, uint8_t *hwpcr, int len, char **errmsg); diff --git a/src/pcr_tss.c b/src/pcr_tss.c index feb1ff7..10930e2 100644 --- a/src/pcr_tss.c +++ b/src/pcr_tss.c @@ -106,7 +106,7 @@ static TPM2_ALG_ID algo_to_tss2(const char *algo_name) return TPM2_ALG_ERROR; } -int tpm2_pcr_read(const char *algo_name, int idx, uint8_t *hwpcr, +int tpm2_pcr_read(const char *algo_name, uint32_t pcr_handle, uint8_t *hwpcr, int len, char **errmsg) { TSS2_ABI_VERSION abi_version = { @@ -140,7 +140,8 @@ int tpm2_pcr_read(const char *algo_name, int idx, uint8_t *hwpcr, } }; - pcr_select_in.pcrSelections[0].pcrSelect[idx / 8] = (1 << (idx % 8)); + pcr_select_in.pcrSelections[0].pcrSelect[pcr_handle / 8] = + (1 << (pcr_handle % 8)); ret = Esys_Initialize(&ctx, NULL, &abi_version); if (ret != TPM2_RC_SUCCESS) { diff --git a/src/pcr_tsspcrread.c b/src/pcr_tsspcrread.c index 183dfc2..95048f8 100644 --- a/src/pcr_tsspcrread.c 
+++ b/src/pcr_tsspcrread.c @@ -68,7 +68,7 @@ int tpm2_pcr_supported(void) return 1; } -int tpm2_pcr_read(const char *algo_name, int idx, uint8_t *hwpcr, +int tpm2_pcr_read(const char *algo_name, uint32_t pcr_handle, uint8_t *hwpcr, int len, char **errmsg) { FILE *fp; 
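Review bot: switching `int idx` to `uint32_t pcr_handle` here, in pcr.h and in pcr_tss.c removes the negative case but adds no upper bound inside tpm2_pcr_read() itself; the only guard is the caller's `pcr_handle < NUM_PCRS && !err` loop in evmctl.c, while the pcr_tss.c hunk indexes `pcrSelect[pcr_handle / 8]` with the raw argument. Since the function is exported through pcr.h, add an early `if (pcr_handle >= NUM_PCRS)` rejection (with an errmsg) to both implementations so a future caller cannot write outside pcrSelect[].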
@@ -76,8 +76,8 @@ int tpm2_pcr_read(const char *algo_name, int idx, uint8_t *hwpcr, char cmd[PATH_MAX + 50]; int ret; - sprintf(cmd, "%s -halg %s -ha %d -ns 2> /dev/null", - path, algo_name, idx); + sprintf(cmd, "%s -halg %s -ha %u -ns 2> /dev/null", + path, algo_name, pcr_handle); fp = popen(cmd, "r"); if (!fp) { ret = asprintf(errmsg, "popen failed: %s", strerror(errno));

From patchwork Tue Aug 3 20:40:08 2021
X-Patchwork-Submitter: Ken Goldman
X-Patchwork-Id: 12417347
From: Ken Goldman
To: zohar@linux.ibm.com, maroon@lists.linux.ibm.com, linux-integrity@vger.kernel.org
Cc: kgold@linux.ibm.com, Ken Goldman
Subject: [PATCH v5 ima-evm-utils 3/3] Create alternative tpm2_pcr_read() that uses IBM TSS
Date: Tue, 3 Aug 2021 16:40:08 -0400
Message-Id: <20210803204008.29612-4-kgoldman@us.ibm.com>
In-Reply-To: <20210803204008.29612-1-kgoldman@us.ibm.com>
References: <20210803204008.29612-1-kgoldman@us.ibm.com>

Use the IBM TSS to implement the functions as an alternative to the command line tools. The algorithm_string_to_algid() function supports only the digest algorithms in use. The table has place holders for other algorithms as they are needed and the C strings are defined. The table can also be used for an algorithm ID to string function if it's ever needed. When using the IBM TSS, link in its library.

Signed-off-by: Ken Goldman Please review the configure.ac change. --- configure.ac | 8 ++ src/Makefile.am | 15 +++- src/pcr_ibmtss.c | 192 +++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 213 insertions(+), 2 deletions(-) create mode 100644 src/pcr_ibmtss.c diff --git a/configure.ac b/configure.ac index e1ed100..4f6fe7c 100644 --- a/configure.ac
+++ b/configure.ac @@ -30,10 +30,17 @@ AC_SUBST(KERNEL_HEADERS) AC_CHECK_HEADER(unistd.h) AC_CHECK_HEADERS(openssl/conf.h) +# Intel TSS AC_CHECK_LIB([tss2-esys], [Esys_Free]) AC_CHECK_LIB([tss2-rc], [Tss2_RC_Decode]) AM_CONDITIONAL([USE_PCRTSS], [test "x$ac_cv_lib_tss2_esys_Esys_Free" = "xyes"]) +# IBM TSS include files +AC_CHECK_HEADER(ibmtss/tss.h, [have_ibmtss=true], + [have_ibmtss=false], + [[#define TPM_POSIX]]) +AM_CONDITIONAL([USE_IBMTSS], $have_ibmtss) + AC_CHECK_HEADERS(sys/xattr.h, , [AC_MSG_ERROR([sys/xattr.h header not found. You need the c-library development package.])]) AC_CHECK_HEADERS(keyutils.h, , [AC_MSG_ERROR([keyutils.h header not found. You need the libkeyutils development package.])]) @@ -79,5 +86,6 @@ echo " debug: $pkg_cv_enable_debug" echo " openssl-conf: $enable_openssl_conf" echo " tss2-esys: $ac_cv_lib_tss2_esys_Esys_Free" echo " tss2-rc-decode: $ac_cv_lib_tss2_rc_Tss2_RC_Decode" +echo " ibmtss: $have_ibmtss" echo " doc: $have_doc" echo diff --git a/src/Makefile.am b/src/Makefile.am index d6c779f..f89d971 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -22,10 +22,21 @@ evmctl_CPPFLAGS = $(AM_CPPFLAGS) $(LIBCRYPTO_CFLAGS) evmctl_LDFLAGS = $(LDFLAGS_READLINE) evmctl_LDADD = $(LIBCRYPTO_LIBS) -lkeyutils libimaevm.la +# USE_PCRTSS uses the Intel TSS if USE_PCRTSS -evmctl_SOURCES += pcr_tss.c + evmctl_SOURCES += pcr_tss.c + +# USE_IBMTSS uses the IBM TSS +else +if USE_IBMTSS + evmctl_SOURCES += pcr_ibmtss.c + evmctl_LDADD += -libmtss + +# uses the IBM TSS command line utilities else -evmctl_SOURCES += pcr_tsspcrread.c + evmctl_SOURCES += pcr_tsspcrread.c + +endif endif AM_CPPFLAGS = -I$(top_srcdir) -include config.h diff --git a/src/pcr_ibmtss.c b/src/pcr_ibmtss.c new file mode 100644 index 0000000..551f9c4 --- /dev/null +++ b/src/pcr_ibmtss.c 
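Review bot: the configure.ac hunk detects only the ibmtss/tss.h header, yet the Makefile.am hunk adds `evmctl_LDADD += -libmtss`, so a host with the headers installed but not the shared library passes configure and fails at link time; mirror the Intel branch with `AC_CHECK_LIB([ibmtss], [TSS_Create])` and derive USE_IBMTSS from that result. `AM_CONDITIONAL([USE_IBMTSS], $have_ibmtss)` also works only because the shell runs `true` or `false` as the condition; `[test "x$have_ibmtss" = "xtrue"]` is the form the USE_PCRTSS line just above already uses. Finally, the if/else nesting silently gives the Intel TSS precedence when both TSSes are installed, with no way to pick the IBM one; a configure option for that choice would make the behaviour explicit.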
@@ -0,0 +1,192 @@ +/* + * ima-evm-utils - IMA/EVM support utilities + * + * Copyright (C) 2021 IBM + * + * Authors: + * Ken Goldman + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * version 2 as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + * + * As a special exception, the copyright holders give permission to link the + * code of portions of this program with the OpenSSL library under certain + * conditions as described in each individual source file and distribute + * linked combinations including the program with the OpenSSL library. You + * must comply with the GNU General Public License in all respects + * for all of the code used other than as permitted herein. If you modify + * file(s) with this exception, you may extend this exception to your + * version of the file(s), but you are not obligated to do so. If you do not + * wish to do so, delete this exception statement from your version. If you + * delete this exception statement from all source files in the program, + * then also delete it in the license file. 
+ * + * File: pcr_tsspcrread.c + * PCR reading implementation based on IBM TSS2 + */ + +#include +#include +#include +#include +#include + +#include + +#define USE_FPRINTF +#include "utils.h" +#include "imaevm.h" + +#define TPM_POSIX /* use Posix, not Windows constructs in TSS */ +#undef MAX_DIGEST_SIZE /* imaevm uses a different value than the TSS */ +#include + +#define CMD "tsspcrread" + +static char path[PATH_MAX]; + +int tpm2_pcr_supported(void) +{ + if (imaevm_params.verbose > LOG_INFO) + log_info("Using %s to read PCRs.\n", CMD); + + if (get_cmd_path(CMD, path, sizeof(path))) { + log_debug("Couldn't find '%s' in $PATH\n", CMD); + return 0; + } + + log_debug("Found '%s' in $PATH\n", CMD); + return 1; +} + +/* Table mapping C strings to TCG algorithm identifiers */ +typedef struct tdAlgorithm_Map { + const char *algorithm_string; + TPMI_ALG_HASH algid; +} Algorithm_Map; + +Algorithm_Map algorithm_map[] = { + { "sha1", TPM_ALG_SHA1}, + { "sha256", TPM_ALG_SHA256}, +#if 0 /* uncomment as these digest algorithms are supported */ + { "", TPM_ALG_SHA384}, + { "", TPM_ALG_SHA512}, + { "", TPM_ALG_SM3_256}, + { "", TPM_ALG_SHA3_256}, + { "", TPM_ALG_SHA3_384}, + { "", TPM_ALG_SHA3_512}, +#endif +}; + +/* + * algorithm_string_to_algid() converts a digest algorithm from a C string to a + * TCG algorithm identifier as defined in the TCG Algorithm Regisrty.. + * + * Returns TPM_ALG_ERROR if the string has an unsupported value. 
+ */ +static TPMI_ALG_HASH algorithm_string_to_algid(const char *algorithm_string) +{ + size_t i; + + for (i=0 ; i < sizeof(algorithm_map)/sizeof(Algorithm_Map) ; i++) { + if (strcmp(algorithm_string, algorithm_map[i].algorithm_string) + == 0) { + return algorithm_map[i].algid; /* if match */ + } + } + return TPM_ALG_ERROR; +} + +/* tpm2_pcr_read() reads the PCR + * + * algo_name: PCR digest algorithm (the PCR bank) as a C string + * pcr_handle: PCR number to read + * hwpcr: buffer for the PCR output in binary + * len: allocated size of hwpcr and should match the digest algorithm + */ +int tpm2_pcr_read(const char *algo_name, uint32_t pcr_handle, uint8_t *hwpcr, + int len, char **errmsg) +{ + int ret = 0; /* function return code */ + TPM_RC rc = 0; /* TCG return code */ + TPM_RC rc1 = 0; /* secondary return code */ + PCR_Read_In pcr_read_in; /* command input */ + PCR_Read_Out pcr_read_out; /* response output */ + TSS_CONTEXT *tss_context = NULL; + TPMI_ALG_HASH alg_id; /* PCR algorithm */ + + alg_id = algorithm_string_to_algid(algo_name); + if (alg_id == TPM_ALG_ERROR) { + ret = asprintf(errmsg, "tpm2_pcr_read: unknown algorithm %s", + algo_name); + if (ret == -1) /* the contents of errmsg is undefined */ + *errmsg = NULL; + rc = 1; + goto end; + } + rc = TSS_Create(&tss_context); + if (rc != 0) + goto end; + /* call TSS to execute the command */ + pcr_read_in.pcrSelectionIn.count = 1; + pcr_read_in.pcrSelectionIn.pcrSelections[0].hash = alg_id; + pcr_read_in.pcrSelectionIn.pcrSelections[0].sizeofSelect = 3; + pcr_read_in.pcrSelectionIn.pcrSelections[0].pcrSelect[0] = 0; + pcr_read_in.pcrSelectionIn.pcrSelections[0].pcrSelect[1] = 0; + pcr_read_in.pcrSelectionIn.pcrSelections[0].pcrSelect[2] = 0; + pcr_read_in.pcrSelectionIn.pcrSelections[0].pcrSelect[pcr_handle / 8] = + 1 << (pcr_handle % 8); + rc = TSS_Execute(tss_context, + (RESPONSE_PARAMETERS *)&pcr_read_out, + (COMMAND_PARAMETERS *)&pcr_read_in, + NULL, + TPM_CC_PCR_Read, + TPM_RH_NULL, NULL, 0); + if (rc != 
0) + goto end; + /* nothing read, bank missing */ + if (pcr_read_out.pcrValues.count == 0) { + ret = asprintf(errmsg, "tpm2_pcr_read: returned count 0 for %s", + algo_name); + if (ret == -1) /* the contents of errmsg is undefined */ + *errmsg = NULL; + rc = 1; + goto end; + } + /* len parameter did not match the digest algorithm */ + else if (pcr_read_out.pcrValues.digests[0].t.size != len) { + ret = asprintf(errmsg, + "tpm2_pcr_read: " + "expected length %d actual %u for %s", + len, pcr_read_out.pcrValues.digests[0].t.size, + algo_name); + if (ret == -1) /* the contents of errmsg is undefined */ + *errmsg = NULL; + rc = 1; + goto end; + } + else { + memcpy(hwpcr, + pcr_read_out.pcrValues.digests[0].t.buffer, + pcr_read_out.pcrValues.digests[0].t.size); + } + end: + rc1 = TSS_Delete(tss_context); + if (rc == 0) + rc = rc1; + /* map TCG return code to function return code */ + if (rc == 0) + return 0; + else + return -1; +} +
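Review bot: tpm2_pcr_supported() still looks up the `tsspcrread` binary in $PATH and logs "Using tsspcrread to read PCRs", and the banner still says `File: pcr_tsspcrread.c`, although this build links the IBM TSS library and never runs the utility; a library build without the command line tools installed would wrongly report no TPM support, so drop the CMD/path lookup, return 1 (or check the library) and fix the file name. In tpm2_pcr_read(), `sizeofSelect = 3` is set and then `pcrSelect[pcr_handle / 8]` is written with an unchecked handle, so a value of 24 or more writes past the three bytes that were zeroed; reject `pcr_handle >= 24` (or NUM_PCRS) up front with an errmsg. When TSS_Create() or TSS_Execute() fails the function jumps to `end` and returns -1 without touching *errmsg, so the caller's `log_debug("Failed to read %s PCRs: (%s)\n", ...)` in evmctl.c is handed a NULL string; fill errmsg from the TSS return code (IBM TSS provides TSS_ResponseCode_toString()) before `goto end`. Minor: `algorithm_map[]` can be `static const`, and the comment reads "Regisrty.." for "Registry.".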