From: Mimi Zohar <zohar@linux.ibm.com>
To: linux-integrity@vger.kernel.org
Cc: Mimi Zohar <zohar@linux.ibm.com>, Petr Vorel <pvorel@suse.cz>,
Bruno Meneguele <bmeneg@redhat.com>,
Vitaly Chikunov <vt@altlinux.org>
Subject: [PATCH 3/6] ima-evm-utils: don't hardcode validating the IMA measurement list
Date: Mon, 6 Jul 2020 22:26:28 -0400
Message-ID: <1594088791-27370-4-git-send-email-zohar@linux.ibm.com>
In-Reply-To: <1594088791-27370-1-git-send-email-zohar@linux.ibm.com>
File time of measure, time of use (ToMToU) violations are annotated in
the measurement list by including a template data digest of zeroes, but
extending the TPM with 0xFF's. This causes validating the measurement
against the TPM PCRs to fail. To validate the measurement list against
the PCRs requires replacing the zero template data digest with 0xFF's.
The default behavior, unless specifically requested, should be to fail
the measurement list verification. Support validating the measurement
list based on a "--validate" option.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
src/evmctl.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/evmctl.c b/src/evmctl.c
index 71712d91703a..3c4483ef2b0e 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -1412,7 +1412,7 @@ struct template_entry {
static uint8_t zero[MAX_DIGEST_SIZE];
static uint8_t fox[MAX_DIGEST_SIZE];
-int validate = 1;
+static int validate = 0;
static int ima_verify_template_hash(struct template_entry *entry)
{
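Review bot: this hunk changes two things at once: `int validate = 1;` becomes `static` (internal linkage) and its default flips to 0, so a measurement list containing violations now fails ima_measurement unless the user opts in. The linkage change is only safe if no other translation unit references `validate`; confirm with a full build. The default flip is user-visible behaviour and deserves a mention in the command's help text or a release note, not only in the commit message.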
@@ -2156,7 +2156,7 @@ struct command cmds[] = {
{"ima_verify", cmd_verify_ima, 0, "file", "Verify IMA signature (for debugging).\n"},
{"ima_setxattr", cmd_setxattr_ima, 0, "[--sigfile file]", "Set IMA signature from sigfile\n"},
{"ima_hash", cmd_hash_ima, 0, "file", "Make file content hash.\n"},
- {"ima_measurement", cmd_ima_measurement, 0, "file", "Verify measurement list (experimental).\n"},
+ {"ima_measurement", cmd_ima_measurement, 0, "[--validate] file", "Verify measurement list (experimental).\n"},
{"ima_boot_aggregate", cmd_ima_bootaggr, 0, "", "Calculate per TPM bank boot_aggregate digests\n"},
{"ima_fix", cmd_ima_fix, 0, "[-t fdsxm] path", "Recursively fix IMA/EVM xattrs in fix mode.\n"},
{"ima_clear", cmd_ima_clear, 0, "[-t fdsxm] path", "Recursively remove IMA/EVM xattrs.\n"},
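Review bot: the usage string now advertises `[--validate]`, but the description `"Verify measurement list (experimental).\n"` still says nothing about what the option does or that lists with violations are rejected by default. Suggest extending it, e.g. `"Verify measurement list (experimental); --validate replaces the zero digest of violation entries with 0xFF.\n"`, since the option name alone does not tell the user which direction it changes the check.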
@@ -2195,6 +2195,7 @@ static struct option opts[] = {
{"list", 0, 0, 138},
{"engine", 1, 0, 139},
{"xattr-user", 0, 0, 140},
+ {"validate", 0, 0, 141},
{}
};
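Review bot: `{"validate", 0, 0, 141}` goes into the shared opts[] table, so getopt_long will accept `--validate` for every evmctl command and silently ignore it outside ima_measurement. That matches how the neighbouring entries (`list`, `engine`, `xattr-user`) are handled, but the help text should state that the option only affects ima_measurement. The numeric code 141 also has to stay unique among these hand-assigned values; a short comment naming the command it belongs to would help whoever appends 142 next.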
@@ -2373,6 +2374,9 @@ int main(int argc, char *argv[])
xattr_ima = "user.ima";
xattr_evm = "user.evm";
break;
+ case 141: /* --validate */
+ validate = 1;
+ break;
case '?':
exit(1);
break;
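Review bot: `case 141` sets `validate = 1`, but the semantics are the reverse of what the name suggests: per the commit message the flag relaxes verification by substituting 0xFF for the zero template digest so a list with violations can still match the PCR, while leaving it off is the stricter mode. A name such as `--ignore-violations` would describe that more accurately; if `--validate` is kept, the `/* --validate */` comment on the case should spell out that it enables violation substitution.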
--
2.7.5
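The replay the commit message describes, shown as an added illustration that is not part of this patch or of ima-evm-utils: a small Python model of both sides, the kernel that annotates a ToMToU violation with a zero template digest while extending the TPM with 0xFF, and a verifier that replays the list with and without the `--validate` behaviour. Every name here (`kernel_measure`, `replay_pcr`, `verify_measurement_list`, `SAMPLE_EVENTS`) and the sample template digests are constructed for this example; only the zero/0xFF convention comes from the patch.

```python
"""Replay of an IMA measurement list against a TPM PCR, with the
time-of-measure/time-of-use (ToMToU) violation handling described in
the patch. Added illustration, not ima-evm-utils code: the kernel model,
the event list and all names below are constructed for this example."""
import hashlib

DIGEST_SIZE = hashlib.sha1().digest_size   # 20 bytes: the SHA-1 PCR bank
ZERO = bytes(DIGEST_SIZE)                  # what the list records on a violation
FOX = b"\xff" * DIGEST_SIZE                # what the TPM is actually extended with


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM PCR extend: PCR_new = H(PCR_old || digest)."""
    return hashlib.sha1(pcr + digest).digest()


def kernel_measure(events):
    """Model of the measuring side (constructed). `events` is a list of
    (template_data_digest, is_violation) pairs. Returns the measurement
    list as the kernel would expose it and the resulting PCR value."""
    pcr = ZERO
    measurement_list = []
    for digest, is_violation in events:
        if is_violation:
            measurement_list.append(ZERO)   # list entry carries a zero digest
            pcr = extend(pcr, FOX)          # but the TPM sees 0xFF..FF
        else:
            measurement_list.append(digest)
            pcr = extend(pcr, digest)
    return measurement_list, pcr


class MeasurementViolation(Exception):
    """Raised when a zero template digest is met and --validate is off."""


def replay_pcr(measurement_list, validate=False):
    """Recompute the PCR from the list. With validate=False (the patch's
    new default) any violation entry aborts; with validate=True the zero
    digest is replaced by 0xFF so the replay can match the TPM."""
    pcr = ZERO
    for index, digest in enumerate(measurement_list):
        if digest == ZERO:
            if not validate:
                raise MeasurementViolation(f"entry {index}: ToMToU violation")
            digest = FOX
        pcr = extend(pcr, digest)
    return pcr


def verify_measurement_list(measurement_list, tpm_pcr, validate=False):
    """Return True when the replayed PCR equals the value read from the TPM."""
    try:
        return replay_pcr(measurement_list, validate) == tpm_pcr
    except MeasurementViolation:
        return False


# Constructed sample: three ordinary measurements and one violation in the
# middle. The digests are SHA-1 of made-up template data, not real entries.
SAMPLE_EVENTS = [
    (hashlib.sha1(b"ima-ng:sha1:boot_aggregate").digest(), False),
    (hashlib.sha1(b"ima-ng:sha1:/init").digest(), False),
    (hashlib.sha1(b"ima-ng:sha1:/etc/shadow").digest(), True),   # ToMToU
    (hashlib.sha1(b"ima-ng:sha1:/usr/bin/bash").digest(), False),
]
SAMPLE_LIST, SAMPLE_TPM_PCR = kernel_measure(SAMPLE_EVENTS)


if __name__ == "__main__":
    print("default (violations fail):",
          verify_measurement_list(SAMPLE_LIST, SAMPLE_TPM_PCR))
    print("--validate:",
          verify_measurement_list(SAMPLE_LIST, SAMPLE_TPM_PCR, validate=True))
```

The default-fail choice matters for the operator: a verifier that silently swapped in 0xFF would make a list containing a violation (a file measured while open for writing, whose real content the digest may not reflect) look fully consistent with the TPM. Failing by default surfaces the violation and leaves it to the operator to re-run with the substitution once they have decided the entry is acceptable.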
Thread overview: 10+ messages
2020-07-07 2:26 [PATCH 0/6] ima-evm-utils: miscellanous code clean up and bug fixes Mimi Zohar
2020-07-07 2:26 ` [PATCH 1/6] ima-evm-utils: fix PCRAggr error message Mimi Zohar
2020-07-07 2:26 ` [PATCH 2/6] ima-evm-utils: fix measurement violation checking Mimi Zohar
2020-07-07 2:26 ` Mimi Zohar [this message]
2020-07-07 2:26 ` [PATCH 4/6] ima-evm-utils: calculate and verify the template data digest Mimi Zohar
2020-07-07 2:26 ` [PATCH 5/6] ima-evm-utils: use uint32_t for template length Mimi Zohar
2020-07-07 2:26 ` [PATCH 6/6] ima-evm-utils: define a basic hash_info.h file Mimi Zohar
2020-07-15 17:58 ` Bruno Meneguele
2020-07-15 19:28 ` Mimi Zohar
2020-07-15 20:18 ` Bruno Meneguele