[LTP] [RFC PATCH v2 4/4] ima/tpm: Various fixes
Petr Vorel
pvorel@suse.cz
Wed Mar 14 16:57:31 CET 2018
test1
* Fix reading boot_aggregate for ima-ng
test2
* Fix pcrs paths
* Drop ima_measure binary, use upstream tool evmctl from ima-evm-utils instead
https://git.code.sf.net/p/linux-ima/ima-evm-utils
test3
* Dropped, as evmctl has no 'ima_measure --validate` equivalent
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
testcases/kernel/security/integrity/.gitignore | 1 -
.../security/integrity/ima/src/ima_measure.c | 219 ---------------------
.../kernel/security/integrity/ima/tests/ima_tpm.sh | 58 +++---
3 files changed, 26 insertions(+), 252 deletions(-)
delete mode 100644 testcases/kernel/security/integrity/ima/src/ima_measure.c
diff --git a/testcases/kernel/security/integrity/.gitignore b/testcases/kernel/security/integrity/.gitignore
index 1759bc98b..184aa78ce 100644
--- a/testcases/kernel/security/integrity/.gitignore
+++ b/testcases/kernel/security/integrity/.gitignore
@@ -1,3 +1,2 @@
/ima/src/ima_boot_aggregate
-/ima/src/ima_measure
/ima/src/ima_mmap
diff --git a/testcases/kernel/security/integrity/ima/src/ima_measure.c b/testcases/kernel/security/integrity/ima/src/ima_measure.c
deleted file mode 100644
index 3aa56490f..000000000
--- a/testcases/kernel/security/integrity/ima/src/ima_measure.c
+++ /dev/null
@@ -1,219 +0,0 @@
-/*
- * Copyright (c) International Business Machines Corp., 2008
- *
- * Authors:
- * Reiner Sailer <sailer@watson.ibm.com>
- * Mimi Zohar <zohar@us.ibm.com>
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License as
- * published by the Free Software Foundation, version 2 of the
- * License.
- *
- * File: ima_measure.c
- *
- * Calculate the SHA1 aggregate-pcr value based on the IMA runtime
- * binary measurements.
- */
-#include <stdio.h>
-#include <stdlib.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <fcntl.h>
-#include <string.h>
-#include <unistd.h>
-
-#include "config.h"
-#include "test.h"
-
-char *TCID = "ima_measure";
-
-#if HAVE_LIBCRYPTO
-#include <openssl/sha.h>
-
-#define TCG_EVENT_NAME_LEN_MAX 255
-
-int TST_TOTAL = 1;
-
-static int verbose;
-
-#define print_info(format, arg...) \
- if (verbose) \
- printf(format, ##arg)
-
-static u_int8_t zero[SHA_DIGEST_LENGTH];
-static u_int8_t fox[SHA_DIGEST_LENGTH];
-
-struct event {
- struct {
- u_int32_t pcr;
- u_int8_t digest[SHA_DIGEST_LENGTH];
- u_int32_t name_len;
- } header;
- char name[TCG_EVENT_NAME_LEN_MAX + 1];
- struct {
- u_int8_t digest[SHA_DIGEST_LENGTH];
- char filename[TCG_EVENT_NAME_LEN_MAX + 1];
- } ima_data;
- int filename_len;
-};
-
-static void display_sha1_digest(u_int8_t * digest)
-{
- int i;
-
- for (i = 0; i < 20; i++)
- print_info(" %02X", (*(digest + i) & 0xff));
-}
-
-/*
- * Calculate the sha1 hash of data
- */
-static void calc_digest(u_int8_t * digest, int len, void *data)
-{
- SHA_CTX c;
-
- /* Calc template hash for an ima entry */
- memset(digest, 0, sizeof *digest);
- SHA1_Init(&c);
- SHA1_Update(&c, data, len);
- SHA1_Final(digest, &c);
-}
-
-static int verify_template_hash(struct event *template)
-{
- int rc;
-
- rc = memcmp(fox, template->header.digest, sizeof fox);
- if (rc != 0) {
- u_int8_t digest[SHA_DIGEST_LENGTH];
-
- memset(digest, 0, sizeof digest);
- calc_digest(digest, sizeof template->ima_data,
- &template->ima_data);
- rc = memcmp(digest, template->header.digest, sizeof digest);
- return rc != 0 ? 1 : 0;
- }
- return 0;
-}
-
-/*
- * ima_measurements.c - calculate the SHA1 aggregate-pcr value based
- * on the IMA runtime binary measurements.
- *
- * format: ima_measurement [--validate] [--verify] [--verbose]
- *
- * --validate: forces validation of the aggregrate pcr value
- * for an invalidated PCR. Replace all entries in the
- * runtime binary measurement list with 0x00 hash values,
- * which indicate the PCR was invalidated, either for
- * "a time of measure, time of use"(ToMToU) error, or a
- * file open for read was already open for write, with
- * 0xFF's hash value, when calculating the aggregate
- * pcr value.
- *
- * --verify: for all IMA template entries in the runtime binary
- * measurement list, calculate the template hash value
- * and compare it with the actual template hash value.
- * Return the number of incorrect hash measurements.
- *
- * --verbose: For all entries in the runtime binary measurement
- * list, display the template information.
- *
- * template info: list #, PCR-register #, template hash, template name
- * IMA info: IMA hash, filename hint
- *
- * Ouput: displays the aggregate-pcr value
- * Return code: if verification enabled, returns number of verification
- * errors.
- */
-int main(int argc, char *argv[])
-{
- FILE *fp;
- struct event template;
- u_int8_t pcr[SHA_DIGEST_LENGTH];
- int i, count = 0;
-
- int validate = 0;
- int verify = 0;
-
- if (argc < 2) {
- printf("format: %s binary_runtime_measurements"
- " [--validate] [--verbose] [--verify]\n", argv[0]);
- return 1;
- }
-
- for (i = 2; i < argc; i++) {
- if (strncmp(argv[i], "--validate", 8) == 0)
- validate = 1;
- if (strncmp(argv[i], "--verbose", 7) == 0)
- verbose = 1;
- if (strncmp(argv[i], "--verify", 6) == 0)
- verify = 1;
- }
-
- fp = fopen(argv[1], "r");
- if (!fp) {
- printf("fn: %s\n", argv[1]);
- perror("Unable to open file\n");
- return 1;
- }
- memset(pcr, 0, SHA_DIGEST_LENGTH); /* initial PCR content 0..0 */
- memset(zero, 0, SHA_DIGEST_LENGTH);
- memset(fox, 0xff, SHA_DIGEST_LENGTH);
-
- print_info("### PCR HASH "
- "TEMPLATE-NAME\n");
- while (fread(&template.header, sizeof template.header, 1, fp)) {
- SHA_CTX c;
-
- /* Extend simulated PCR with new template digest */
- SHA1_Init(&c);
- SHA1_Update(&c, pcr, SHA_DIGEST_LENGTH);
- if (validate) {
- if (memcmp(template.header.digest, zero, 20) == 0)
- memset(template.header.digest, 0xFF, 20);
- }
- SHA1_Update(&c, template.header.digest, 20);
- SHA1_Final(pcr, &c);
-
- print_info("%3d %03u ", count++, template.header.pcr);
- display_sha1_digest(template.header.digest);
- if (template.header.name_len > TCG_EVENT_NAME_LEN_MAX) {
- printf("%d ERROR: event name too long!\n",
- template.header.name_len);
- exit(1);
- }
- memset(template.name, 0, sizeof template.name);
- fread(template.name, template.header.name_len, 1, fp);
- print_info(" %s ", template.name);
-
- memset(&template.ima_data, 0, sizeof template.ima_data);
- fread(&template.ima_data.digest,
- sizeof template.ima_data.digest, 1, fp);
- display_sha1_digest(template.ima_data.digest);
-
- fread(&template.filename_len,
- sizeof template.filename_len, 1, fp);
- fread(template.ima_data.filename, template.filename_len, 1, fp);
- print_info(" %s\n", template.ima_data.filename);
-
- if (verify)
- if (verify_template_hash(&template) != 0) {
- tst_resm(TFAIL, "Hash failed");
- }
- }
- fclose(fp);
-
- verbose = 1;
- print_info("PCRAggr (re-calculated):");
- display_sha1_digest(pcr);
- tst_exit();
-}
-
-#else
-int main(void)
-{
- tst_brkm(TCONF, NULL, "test requires libcrypto and openssl development packages");
-}
-#endif
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_tpm.sh b/testcases/kernel/security/integrity/ima/tests/ima_tpm.sh
index e78926165..ced1383a1 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_tpm.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_tpm.sh
@@ -21,13 +21,13 @@
TST_TESTFUNC="test"
TST_SETUP="init"
-TST_CNT=3
+TST_CNT=2
. ima_setup.sh
init()
{
- tst_check_cmds ima_boot_aggregate ima_measure
+ tst_check_cmds awk cut evmctl ima_boot_aggregate
}
test1()
@@ -37,24 +37,23 @@ test1()
local zero="0000000000000000000000000000000000000000"
local tpm_bios="$SECURITYFS/tpm0/binary_bios_measurements"
local ima_measurements="$ASCII_MEASUREMENTS"
- local boot_aggregate boot_hash ima_hash line
+ local boot_aggregate boot_hash line
# IMA boot aggregate
read line < $ima_measurements
- ima_hash=$(expr substr "${line}" 49 40)
+ boot_hash=$(echo $line | awk '{print $(NF-1)}' | cut -d':' -f2)
if [ ! -f "$tpm_bios" ]; then
tst_res TINFO "TPM not builtin kernel, or TPM not enabled"
- if [ "${ima_hash}" = "${zero}" ]; then
+ if [ "${boot_hash}" = "${zero}" ]; then
tst_res TPASS "bios boot aggregate is 0"
else
tst_res TFAIL "bios boot aggregate is not 0"
fi
else
- boot_aggregate=$(ima_boot_aggregate $tpm_bios)
- boot_hash=$(expr substr $boot_aggregate 16 40)
- if [ "${ima_hash}" = "${boot_hash}" ]; then
+ boot_aggregate=$(ima_boot_aggregate $tpm_bios | grep "boot_aggregate:" | cut -d':' -f2)
+ if [ "${boot_hash}" = "${boot_aggregate}" ]; then
tst_res TPASS "bios aggregate matches IMA boot aggregate"
else
tst_res TFAIL "bios aggregate does not match IMA boot aggregate"
@@ -69,29 +68,37 @@ validate_pcr()
{
tst_res TINFO "verify PCR (Process Control Register)"
- local ima_measurements="$BINARY_MEASUREMENTS"
- local aggregate_pcr="$(ima_measure $ima_measurements --validate)"
local dev_pcrs="$1"
- local ret=0
+ local pcr hash aggregate_pcr
+
+ aggregate_pcr="$(evmctl -v ima_measurement $BINARY_MEASUREMENTS 2>&1 | \
+ grep 'HW PCR-10:' | awk '{print $3}')"
+ [ -e "$aggregate_pcr" ] || tst_res TFAIL "failed to get PCR-10"
while read line; do
- pcr=$(expr substr "${line}" 1 6)
+ pcr="$(echo $line | cut -d':' -f1)"
if [ "${pcr}" = "PCR-10" ]; then
- aggr=$(expr substr "${aggregate_pcr}" 26 59)
- pcr=$(expr substr "${line}" 9 59)
- [ "${pcr}" = "${aggr}" ] || ret=$?
+ hash="$(echo $line | cut -d':' -f2 | awk '{ gsub (" ", "", $0); print tolower($0) }')"
+ [ "${hash}" = "${aggregate_pcr}" ]
+ return $?
fi
done < $dev_pcrs
- return $ret
+ return 1
}
test2()
{
tst_res TINFO "verify PCR values"
+ tst_res TINFO "evmctl version: $(evmctl --version)"
- # Would be nice to know where the PCRs are located. Is this safe?
- local pcrs_path="$(find $SYSFS/devices/ | grep pcrs)"
- if [ $? -eq 0 ]; then
+ local pcrs_path="/sys/class/tpm/tpm0/device/pcrs"
+ if [ -f "$pcrs_path" ]; then
+ tst_res TINFO "new PCRS path, evmctl >= 1.1 required"
+ else
+ pcrs_path="/sys/class/misc/tpm0/device/pcrs"
+ fi
+
+ if [ -f "$pcrs_path" ]; then
validate_pcr $pcrs_path
if [ $? -eq 0 ]; then
tst_res TPASS "aggregate PCR value matches real PCR value"
@@ -103,17 +110,4 @@ test2()
fi
}
-test3()
-{
- tst_res TINFO "verify template hash value"
-
- local ima_measurements="$BINARY_MEASUREMENTS"
- ima_measure $ima_measurements --verify --validate
- if [ $? -eq 0 ]; then
- tst_res TPASS "verified IMA template hash values"
- else
- tst_res TFAIL "error verifing IMA template hash values"
- fi
-}
-
tst_run
--
2.16.2
More information about the ltp
mailing list