Hello community, here is the log from the commit of package ima-evm-utils for openSUSE:Factory checked in at 2020-08-16 20:33:10 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/ima-evm-utils (Old) and /work/SRC/openSUSE:Factory/.ima-evm-utils.new.3399 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "ima-evm-utils" Sun Aug 16 20:33:10 2020 rev:17 rq:826695 version:1.3.1 Changes: -------- --- /work/SRC/openSUSE:Factory/ima-evm-utils/ima-evm-utils.changes 2020-07-26 16:18:48.968778668 +0200 +++ /work/SRC/openSUSE:Factory/.ima-evm-utils.new.3399/ima-evm-utils.changes 2020-08-16 20:33:13.406295485 +0200 @@ -1,0 +2,13 @@ +Fri Aug 14 14:50:08 UTC 2020 - Petr Vorel <pvo...@suse.cz> + +- Update to version 1.3.1 + * "--pcrs" support for per crypto algorithm + * Drop/rename "ima_measurement" options + * Moved this summary from "Changelog" to "NEWS", removing + requirement for GNU empty files + * Distro build fixes + + * Remove 0001-pcr_tss-Fix-compilation-for-old-compilers.patch (from this + release) + +------------------------------------------------------------------- Old: ---- 0001-pcr_tss-Fix-compilation-for-old-compilers.patch ima-evm-utils-1.3.tar.gz New: ---- ima-evm-utils-1.3.1.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ ima-evm-utils.spec ++++++ --- /var/tmp/diff_new_pack.NPOkPe/_old 2020-08-16 20:33:13.870295741 +0200 +++ /var/tmp/diff_new_pack.NPOkPe/_new 2020-08-16 20:33:13.874295744 +0200 
@@ -19,14 +19,13 @@ %define sover 2 %define libname libimaevm%{sover} Name: ima-evm-utils -Version: 1.3 +Version: 1.3.1 Release: 0 Summary: IMA/EVM control utility License: LGPL-2.1-or-later Group: System/Base URL: http://sourceforge.net/projects/linux-ima/ Source0: http://downloads.sourceforge.net/project/linux-ima/ima-evm-utils/%{name}-%{version}.tar.gz -Patch1: 0001-pcr_tss-Fix-compilation-for-old-compilers.patch BuildRequires: asciidoc BuildRequires: autoconf BuildRequires: automake ++++++ ima-evm-utils-1.3.tar.gz -> ima-evm-utils-1.3.1.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ima-evm-utils-1.3/ChangeLog new/ima-evm-utils-1.3.1/ChangeLog --- old/ima-evm-utils-1.3/ChangeLog 2020-07-22 00:39:17.000000000 +0200 +++ new/ima-evm-utils-1.3.1/ChangeLog 1970-01-01 01:00:00.000000000 +0100 
@@ -1,184 +0,0 @@ -2020-07-21 Mimi Zohar <zo...@linux.ibm.com> - - version 1.3 new features: - * NEW ima-evm-utils regression test infrastructure with two initial - tests: - - ima_hash.test: calculate/verify different crypto hash algorithms - - sign_verify.test: EVM and IMA sign/verify signature tests - * TPM 2.0 support - - Calculate the new per TPM 2.0 bank template data digest - - Support original padding the SHA1 template data digest - - Compare ALL the re-calculated TPM 2.0 bank PCRs against the - TPM 2.0 bank PCR values - - Calculate the per TPM bank "boot_aggregate" values, including - PCRs 8 & 9 in calculation - - Support reading the per TPM 2.0 Bank PCRs using Intel's TSS - - boot_aggregate.test: compare the calculated "boot_aggregate" - values with the "boot_aggregate" value included in the IMA - measurement. - * TPM 1.2 support - - Additionally support reading the TPM 1.2 PCRs from a supplied file - ("--pcrs" option) - * Based on original IMA LTP and standalone version support - - Calculate the TPM 1.2 "boot_aggregate" based on the exported - TPM 1.2 BIOS event log. - - In addition to verifying the IMA measurement list against the - the TPM PCRs, verify the IMA template data digest against the - template data. (Based on LTP "--verify" option.) - - Ignore file measurement violations while verifying the IMA - measurment list. (Based on LTP "--validate" option.) - - Verify the file data signature included in the measurement list - based on the file hash also included in the measurement list - (--verify-sig) - - Support original "ima" template (mixed templates not supported) - * Support "sm3" crypto name - - Bug fixes and code cleanup: - * Don't exit with -1 on failure, exit with 125 - * On signature verification failure, include pathname. - * Provide minimal hash_info.h file in case one doesn't exist, needed - by the ima-evm-utils regression tests. 
- * On systems with TPM 1.2, skip "boot_aggregate.test" using sample logs - * Fix hash_algo type comparison mismatch - * Simplify/clean up code - * Address compiler complaints and failures - * Fix memory allocations and leaks - * Sanity check provided input files are regular files - * Revert making "tsspcrread" a compile build time decision. - * Limit additional messages based on log level (-v) - -2019-07-30 Mimi Zohar <zo...@linux.ibm.com> - - version 1.2.1 Bug fixes: - * When verifying multiple file signatures, return correct status - * Don't automatically use keys from x509 certs if user supplied "--rsa" - * Fix verifying DIGSIG_VERSION_1 signatures - * autoconf, openssl fixes - - -2019-07-24 Mimi Zohar <zo...@linux.ibm.com> - - version 1.2 new features: - * Generate EVM signatures based on the specified hash algorithm - * include "security.apparmor" in EVM signature - * Add support for writing & verifying "user.xxxx" xattrs for testing - * Support Strebog/Gost hash functions - * Add OpenSSL engine support - * Use of EVP_PKEY OpenSSL API to generate/verify v2 signatures - * Support verifying multiple signatures at once - * Support new template "buf" field and warn about other unknown fields - * Improve OpenSSL error reporting - * Support reading TPM 2.0 PCRs using tsspcrread - - Bug fixes and code cleanup: - * Update manpage stylesheet detection - * Fix xattr.h include file - * On error when reading TPM PCRs, don't log gargabe - * Properly return keyid string to calc_keyid_v1/v2 callers, caused by - limiting keyid output to verbose mode - * Fix hash buffer overflow caused by EVM support for larger hashes, - defined MAX_DIGEST_SIZE and MAX_SIGNATURE_SIZE, and added "asserts". 
- * Linked with libcrypto instead of OpenSSL - * Updated Autotools, replacing INCLUDES with AM_CPPFLAGS - * Include new "hash-info.gen" in tar - * Log the hash algorithm, not just the hash value - * Fixed memory leaks in: EV_MD_CTX, init_public_keys - * Fixed other warnings/bugs discovered by clang, coverity - * Remove indirect calls in verify_hash() to improve code readability - * Don't fallback to using sha1 - * Namespace some too generic object names - * Make functions/arrays static if possible - - -2018-01-28 Mimi Zohar <zo...@us.ibm.com> - - version 1.1 - * Support the new openssl 1.1 api - * Support for validating multiple pcrs - * Verify the measurement list signature based on the list digest - * Verify the "ima-sig" measurement list using multiple keys - * Fixed parsing the measurement template data field length - * Portable & immutable EVM signatures (new format) - * Multiple fixes that have been lingering in the next branch. Some - are for experimental features that are not yet supported in the - kernel. 
- -2014-07-30 Dmitry Kasatkin <dmitry.kasat...@huawei.com> - - version 1.0 - * Recursive hashing - * Immutable EVM signatures (experimental) - * Command 'ima_clear' to remove xattrs - * Support for passing password to the library - * Support for asking password safely from the user - -2014-09-23 Dmitry Kasatkin <d.kasat...@samsung.com> - - version 0.9 - * Updated README - * man page generated and added to the package - * Use additional SMACK xattrs for EVM signature generation - * Signing functions moved to libimaevm for external use (RPM) - * Fixed setting of correct hash header - -2014-05-05 Dmitry Kasatkin <d.kasat...@samsung.com> - - version 0.8 - * Symbilic names for keyrings - * Hash list signing - * License text fix for using OpenSSL - * Help output fix - -2014-02-17 Dmitry Kasatkin <d.kasat...@samsung.com> - - version 0.7 - * Fix symbolic links related bugs - * Provide recursive fixing - * Provide recursive signing - * Move IMA verification to the library (first for LTP use) - * Support for target architecture data size - * Remove obsolete module signing code - * Code cleanup - -2013-08-28 Dmitry Kasatkin <d.kasat...@samsung.com> - - version 0.6 - * support for asymmetric crypto keys and new signature format (v2) - * fixes to set correct hash algo for digital signature v1 - * uuid support for EVM - * signature verification support - * test scripts removed - * README updates - -2012-05-18 Dmitry Kasatkin <dmitry.kasat...@intel.com> - - version 0.3 - * llistxattr returns 0 if there are no xattrs and it is valid - * Added entry type to directory hash calculation - * inline block variable renamed - * Remove forced tag creation - * Use libexec for programs and scripts - * Some files updated - * Do not search for algorithm as it is known - * Refactored to remove redundant hash initialization code - * Added hash calculation for special files - -2012-04-05 Dmitry Kasatkin <dmitry.kasat...@intel.com> - - version 0.2 - * added RPM & TAR building makefile rules - * 
renamed evm-utils to ima-evm-utils - * added command options description - * updated error handling - * refactored redundant code - -2012-04-02 Dmitry Kasatkin <dmitry.kasat...@intel.com> - - version 0.1.0 - * Fully functional version for lastest 3.x kernels - -2011-08-24 Dmitry Kasatkin <dmitry.kasat...@intel.com> - - version 0.1 - * Initial public version. - diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ima-evm-utils-1.3/NEWS new/ima-evm-utils-1.3.1/NEWS --- old/ima-evm-utils-1.3/NEWS 2020-07-22 00:39:17.000000000 +0200 +++ new/ima-evm-utils-1.3.1/NEWS 2020-08-11 13:19:04.000000000 +0200 
@@ -0,0 +1,193 @@ +2020-08-11 Mimi Zohar <zo...@linux.ibm.com> + + version 1.3.1: + * "--pcrs" support for per crypto algorithm + * Drop/rename "ima_measurement" options + * Moved this summary from "Changelog" to "NEWS", removing + requirement for GNU empty files + * Distro build fixes + +2020-07-21 Mimi Zohar <zo...@linux.ibm.com> + + version 1.3 new features: + * NEW ima-evm-utils regression test infrastructure with two initial + tests: + - ima_hash.test: calculate/verify different crypto hash algorithms + - sign_verify.test: EVM and IMA sign/verify signature tests + * TPM 2.0 support + - Calculate the new per TPM 2.0 bank template data digest + - Support original padding the SHA1 template data digest + - Compare ALL the re-calculated TPM 2.0 bank PCRs against the + TPM 2.0 bank PCR values + - Calculate the per TPM bank "boot_aggregate" values, including + PCRs 8 & 9 in calculation + - Support reading the per TPM 2.0 Bank PCRs using Intel's TSS + - boot_aggregate.test: compare the calculated "boot_aggregate" + values with the "boot_aggregate" value included in the IMA + measurement. + * TPM 1.2 support + - Additionally support reading the TPM 1.2 PCRs from a supplied file + ("--pcrs" option) + * Based on original IMA LTP and standalone version support + - Calculate the TPM 1.2 "boot_aggregate" based on the exported + TPM 1.2 BIOS event log. + - In addition to verifying the IMA measurement list against the + the TPM PCRs, verify the IMA template data digest against the + template data. (Based on LTP "--verify" option.) + - Ignore file measurement violations while verifying the IMA + measurment list. (Based on LTP "--validate" option.) 
+ - Verify the file data signature included in the measurement list + based on the file hash also included in the measurement list + (--verify-sig) + - Support original "ima" template (mixed templates not supported) + * Support "sm3" crypto name + + Bug fixes and code cleanup: + * Don't exit with -1 on failure, exit with 125 + * On signature verification failure, include pathname. + * Provide minimal hash_info.h file in case one doesn't exist, needed + by the ima-evm-utils regression tests. + * On systems with TPM 1.2, skip "boot_aggregate.test" using sample logs + * Fix hash_algo type comparison mismatch + * Simplify/clean up code + * Address compiler complaints and failures + * Fix memory allocations and leaks + * Sanity check provided input files are regular files + * Revert making "tsspcrread" a compile build time decision. + * Limit additional messages based on log level (-v) + +2019-07-30 Mimi Zohar <zo...@linux.ibm.com> + + version 1.2.1 Bug fixes: + * When verifying multiple file signatures, return correct status + * Don't automatically use keys from x509 certs if user supplied "--rsa" + * Fix verifying DIGSIG_VERSION_1 signatures + * autoconf, openssl fixes + + +2019-07-24 Mimi Zohar <zo...@linux.ibm.com> + + version 1.2 new features: + * Generate EVM signatures based on the specified hash algorithm + * include "security.apparmor" in EVM signature + * Add support for writing & verifying "user.xxxx" xattrs for testing + * Support Strebog/Gost hash functions + * Add OpenSSL engine support + * Use of EVP_PKEY OpenSSL API to generate/verify v2 signatures + * Support verifying multiple signatures at once + * Support new template "buf" field and warn about other unknown fields + * Improve OpenSSL error reporting + * Support reading TPM 2.0 PCRs using tsspcrread + + Bug fixes and code cleanup: + * Update manpage stylesheet detection + * Fix xattr.h include file + * On error when reading TPM PCRs, don't log gargabe + * Properly return keyid string to 
calc_keyid_v1/v2 callers, caused by + limiting keyid output to verbose mode + * Fix hash buffer overflow caused by EVM support for larger hashes, + defined MAX_DIGEST_SIZE and MAX_SIGNATURE_SIZE, and added "asserts". + * Linked with libcrypto instead of OpenSSL + * Updated Autotools, replacing INCLUDES with AM_CPPFLAGS + * Include new "hash-info.gen" in tar + * Log the hash algorithm, not just the hash value + * Fixed memory leaks in: EV_MD_CTX, init_public_keys + * Fixed other warnings/bugs discovered by clang, coverity + * Remove indirect calls in verify_hash() to improve code readability + * Don't fallback to using sha1 + * Namespace some too generic object names + * Make functions/arrays static if possible + + +2018-01-28 Mimi Zohar <zo...@us.ibm.com> + + version 1.1 + * Support the new openssl 1.1 api + * Support for validating multiple pcrs + * Verify the measurement list signature based on the list digest + * Verify the "ima-sig" measurement list using multiple keys + * Fixed parsing the measurement template data field length + * Portable & immutable EVM signatures (new format) + * Multiple fixes that have been lingering in the next branch. Some + are for experimental features that are not yet supported in the + kernel. 
+ +2014-07-30 Dmitry Kasatkin <dmitry.kasat...@huawei.com> + + version 1.0 + * Recursive hashing + * Immutable EVM signatures (experimental) + * Command 'ima_clear' to remove xattrs + * Support for passing password to the library + * Support for asking password safely from the user + +2014-09-23 Dmitry Kasatkin <d.kasat...@samsung.com> + + version 0.9 + * Updated README + * man page generated and added to the package + * Use additional SMACK xattrs for EVM signature generation + * Signing functions moved to libimaevm for external use (RPM) + * Fixed setting of correct hash header + +2014-05-05 Dmitry Kasatkin <d.kasat...@samsung.com> + + version 0.8 + * Symbilic names for keyrings + * Hash list signing + * License text fix for using OpenSSL + * Help output fix + +2014-02-17 Dmitry Kasatkin <d.kasat...@samsung.com> + + version 0.7 + * Fix symbolic links related bugs + * Provide recursive fixing + * Provide recursive signing + * Move IMA verification to the library (first for LTP use) + * Support for target architecture data size + * Remove obsolete module signing code + * Code cleanup + +2013-08-28 Dmitry Kasatkin <d.kasat...@samsung.com> + + version 0.6 + * support for asymmetric crypto keys and new signature format (v2) + * fixes to set correct hash algo for digital signature v1 + * uuid support for EVM + * signature verification support + * test scripts removed + * README updates + +2012-05-18 Dmitry Kasatkin <dmitry.kasat...@intel.com> + + version 0.3 + * llistxattr returns 0 if there are no xattrs and it is valid + * Added entry type to directory hash calculation + * inline block variable renamed + * Remove forced tag creation + * Use libexec for programs and scripts + * Some files updated + * Do not search for algorithm as it is known + * Refactored to remove redundant hash initialization code + * Added hash calculation for special files + +2012-04-05 Dmitry Kasatkin <dmitry.kasat...@intel.com> + + version 0.2 + * added RPM & TAR building makefile rules + * 
renamed evm-utils to ima-evm-utils + * added command options description + * updated error handling + * refactored redundant code + +2012-04-02 Dmitry Kasatkin <dmitry.kasat...@intel.com> + + version 0.1.0 + * Fully functional version for lastest 3.x kernels + +2011-08-24 Dmitry Kasatkin <dmitry.kasat...@intel.com> + + version 0.1 + * Initial public version. + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ima-evm-utils-1.3/README new/ima-evm-utils-1.3.1/README --- old/ima-evm-utils-1.3/README 2020-07-22 00:39:17.000000000 +0200 +++ new/ima-evm-utils-1.3.1/README 2020-08-11 13:19:04.000000000 +0200 @@ -31,7 +31,7 @@ ima_sign [--sigfile] [--key key] [--pass password] file ima_verify file ima_hash file - ima_measurement [--validate] [--verify] [--verify-sig [--key "key1, key2, ..."]] [--pcrs file] file + ima_measurement [--ignore-violations] [--verify-sig [--key "key1, key2, ..."]] [--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...] file ima_fix [-t fdsxm] path sign_hash [--key key] [--pass password] hmac [--imahash | --imasig ] file @@ -59,9 +59,8 @@ --m32 force EVM hmac/signature for 32 bit target system --m64 force EVM hmac/signature for 64 bit target system --engine e preload OpenSSL engine e (such as: gost) - --pcrs file containing TPM 1.2 pcrs - --validate ignore ToMToU measurement violations - --verify verify the template data digest + --pcrs file containing TPM pcrs, one per hash-algorithm/bank + --ignore-violations ignore ToMToU measurement violations --verify-sig verify the file signature based on the file hash, both stored in the template data. -v increase verbosity level diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ima-evm-utils-1.3/configure.ac new/ima-evm-utils-1.3.1/configure.ac --- old/ima-evm-utils-1.3/configure.ac 2020-07-22 00:39:17.000000000 +0200 +++ new/ima-evm-utils-1.3.1/configure.ac 2020-08-11 13:19:04.000000000 +0200 
@@ -1,8 +1,8 @@ # autoconf script AC_PREREQ([2.65]) -AC_INIT(ima-evm-utils, 1.3, zo...@linux.ibm.com) -AM_INIT_AUTOMAKE +AC_INIT(ima-evm-utils, 1.3.1, zo...@linux.ibm.com) +AM_INIT_AUTOMAKE([foreign]) AC_CONFIG_HEADERS([config.h]) AC_CONFIG_MACRO_DIR([m4]) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ima-evm-utils-1.3/packaging/ima-evm-utils.spec new/ima-evm-utils-1.3.1/packaging/ima-evm-utils.spec --- old/ima-evm-utils-1.3/packaging/ima-evm-utils.spec 2020-07-22 00:39:17.000000000 +0200 +++ new/ima-evm-utils-1.3.1/packaging/ima-evm-utils.spec 2020-08-11 13:19:04.000000000 +0200 @@ -1,5 +1,5 @@ Name: ima-evm-utils -Version: 1.3 +Version: 1.3.1 Release: 1%{?dist} Summary: ima-evm-utils - IMA/EVM control utility Group: System/Libraries diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ima-evm-utils-1.3/src/evmctl.c new/ima-evm-utils-1.3.1/src/evmctl.c --- old/ima-evm-utils-1.3/src/evmctl.c 2020-07-22 00:39:17.000000000 +0200 +++ new/ima-evm-utils-1.3.1/src/evmctl.c 2020-08-11 13:19:04.000000000 +0200 @@ -160,7 +160,10 @@ uint8_t pcr[NUM_PCRS][MAX_DIGEST_SIZE]; }; -static char *pcrfile; +/* One --pcrs file per hash-algorithm/bank */ +#define MAX_PCRFILE 2 +static char *pcrfile[MAX_PCRFILE]; +static unsigned npcrfile; static int bin2file(const char *file, const char *ext, const unsigned char *data, int len) { 
@@ -1373,55 +1376,6 @@ return do_cmd(cmd, ima_clear); } -static char *pcrs = "/sys/class/tpm/tpm0/device/pcrs"; /* Kernels >= 4.0 */ -static char *misc_pcrs = "/sys/class/misc/tpm0/device/pcrs"; - -/* Read all of the TPM 1.2 PCRs */ -static int tpm_pcr_read(struct tpm_bank_info *tpm_banks, int len) -{ - struct stat s; - FILE *fp = NULL; - char *p, pcr_str[8], buf[70]; /* length of the TPM string */ - int result = -1; - int i = 0; - - /* Use the provided TPM 1.2 pcrs file */ - if (pcrfile) { - if (stat(pcrfile, &s) == -1) { - errno = 0; - return 1; - } - - if (!S_ISREG(s.st_mode)) { - log_info("TPM 1.2 PCR file: not a regular file or link to regular file\n"); - return 1; - } - - fp = fopen(pcrfile, "r"); - } - - if (!fp) - fp = fopen(pcrs, "r"); - - if (!fp) - fp = fopen(misc_pcrs, "r"); - - if (!fp) - return -1; - - for (;;) { - p = fgets(buf, sizeof(buf), fp); - if (!p || i > 99) - break; - sprintf(pcr_str, "PCR-%2.2d", i); - if (!strncmp(p, pcr_str, 6)) - hex2bin(tpm_banks[0].pcr[i++], p + 7, len); - result = 0; - } - fclose(fp); - return result; -} - #define TCG_EVENT_NAME_LEN_MAX 255 struct template_entry { @@ -1438,8 +1392,7 @@ static uint8_t zero[MAX_DIGEST_SIZE]; -static int validate = 0; -static int verify = 0; +static int ignore_violations = 0; static int ima_verify_template_hash(struct template_entry *entry) { @@ -1786,7 +1739,7 @@ * size. */ if (memcmp(entry->header.digest, zero, SHA_DIGEST_LENGTH) == 0) { - if (!validate) { + if (!ignore_violations) { memset(bank[i].digest, 0x00, bank[i].digest_size); memset(padded_bank[i].digest, 0x00, padded_bank[i].digest_size); } else { 
@@ -1829,20 +1782,108 @@ #endif } -/* Read TPM 1.2 PCRs */ -static int read_tpm_pcrs(int num_banks, struct tpm_bank_info *tpm_banks) +static int read_one_bank(struct tpm_bank_info *tpm_bank, FILE *fp) { - int i; + char *p, pcr_str[8], buf[MAX_DIGEST_SIZE * 2 + 8]; + int i = 0; + int result = -1; + for (;;) { + p = fgets(buf, sizeof(buf), fp); + if (!p || i >= NUM_PCRS) + break; + sprintf(pcr_str, "PCR-%2.2d", i); + if (!strncmp(p, pcr_str, 6)) + hex2bin(tpm_bank->pcr[i++], p + 7, tpm_bank->digest_size); + result = 0; + } + return result; +} - if (tpm_pcr_read(tpm_banks, SHA_DIGEST_LENGTH)) { - log_debug("Failed to read TPM 1.2 PCRs.\n"); +static char *pcrs = "/sys/class/tpm/tpm0/device/pcrs"; /* Kernels >= 4.0 */ +static char *misc_pcrs = "/sys/class/misc/tpm0/device/pcrs"; + +/* Read one of the TPM 1.2 sysfs files if present */ +static int read_sysfs_pcrs(int num_banks, struct tpm_bank_info *tpm_banks) +{ + FILE *fp; + int i, result; + + fp = fopen(pcrs, "r"); + if (!fp) + fp = fopen(misc_pcrs, "r"); + if (!fp) return -1; - } + result = read_one_bank(&tpm_banks[0], fp); + fclose(fp); + if (result < 0) + return result; tpm_banks[0].supported = 1; for (i = 1; i < num_banks; i++) tpm_banks[i].supported = 0; return 0; + +} + +/* Read PCRs from per-bank file(s) specified via --pcrs */ +static int read_file_pcrs(int num_banks, struct tpm_bank_info *tpm_banks) +{ + struct stat s; + FILE *fp; + char *p; + const char *alg, *path; + int i, j, bank, result; + + for (i = 0; i < num_banks; i++) + tpm_banks[i].supported = 0; + + for (i = 0; i < npcrfile; i++) { + p = strchr(pcrfile[i], ','); + if (p) { + *p = 0; + alg = pcrfile[i]; + path = ++p; + } else { + alg = "sha1"; + path = pcrfile[i]; + } + + bank = -1; + for (j = 0; j < num_banks; j++) { + if (!strcmp(tpm_banks[j].algo_name, alg)) { + bank = j; + break; + } + } + if (bank < 0) { + log_err("Unknown algorithm '%s'\n", alg); + return -1; + } + + if (stat(path, &s) == -1) { + log_err("Could not stat '%s'\n", path); + 
return -1; + } + + if (!S_ISREG(s.st_mode)) { + log_err("PCR file: not a regular file or link to regular file\n"); + return -1; + } + + fp = fopen(path, "r"); + if (!fp) { + log_err("Could not open '%s'\n", path); + return -1; + } + + result = read_one_bank(&tpm_banks[bank], fp); + fclose(fp); + if (result < 0) + return result; + tpm_banks[bank].supported = 1; + } + + return 0; } /* @@ -1857,8 +1898,12 @@ int i, j; int err; - /* First try reading PCRs from exported TPM 1.2 sysfs file */ - if (read_tpm_pcrs(num_banks, bank) == 0) + /* If --pcrs was specified, read only from the specified file(s) */ + if (npcrfile) + return read_file_pcrs(num_banks, bank); + + /* Else try reading PCRs from the sysfs file if present */ + if (read_sysfs_pcrs(num_banks, bank) == 0) return 0; /* Any userspace applications available for reading TPM 2.0 PCRs? */ @@ -1899,7 +1944,7 @@ struct template_entry entry = { .template = 0 }; FILE *fp; - int verified_template_digest = 0; + int invalid_template_digest = 0; int err_padded = -1; int err = -1; @@ -2029,11 +2074,9 @@ pseudo_padded_banks); /* Recalculate and verify template data digest */ - if (verify) { - err = ima_verify_template_hash(&entry); - if (err) - verified_template_digest = 1; - } + err = ima_verify_template_hash(&entry); + if (err) + invalid_template_digest = 1; if (is_ima_template) ima_show(&entry); @@ -2070,7 +2113,7 @@ log_info("Failed to match per TPM bank or SHA1 padded TPM digest(s).\n"); } - if (verified_template_digest) { + if (invalid_template_digest) { log_info("Failed to verify template data digest.\n"); err = 1; } @@ -2424,6 +2467,7 @@ " --caps use custom Capabilities for EVM(unspecified: from FS, empty: do not use)\n" " --verify-sig verify measurement list signatures\n" " --engine e preload OpenSSL engine e (such as: gost)\n" + " --ignore-violations ignore ToMToU measurement violations" " -v increase verbosity level\n" " -h, --help display this help and exit\n" "\n"); 
@@ -2440,7 +2484,7 @@ {"ima_verify", cmd_verify_ima, 0, "file", "Verify IMA signature (for debugging).\n"}, {"ima_setxattr", cmd_setxattr_ima, 0, "[--sigfile file]", "Set IMA signature from sigfile\n"}, {"ima_hash", cmd_hash_ima, 0, "file", "Make file content hash.\n"}, - {"ima_measurement", cmd_ima_measurement, 0, "[--validate] [--verify] [--verify-sig [--key key1, key2, ...]] [--pcrs file] file", "Verify measurement list (experimental).\n"}, + {"ima_measurement", cmd_ima_measurement, 0, "[--ignore-violations] [--verify-sig [--key key1, key2, ...]] [--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...] file", "Verify measurement list (experimental).\n"}, {"ima_boot_aggregate", cmd_ima_bootaggr, 0, "[file]", "Calculate per TPM bank boot_aggregate digests\n"}, {"ima_fix", cmd_ima_fix, 0, "[-t fdsxm] path", "Recursively fix IMA/EVM xattrs in fix mode.\n"}, {"ima_clear", cmd_ima_clear, 0, "[-t fdsxm] path", "Recursively remove IMA/EVM xattrs.\n"}, @@ -2479,9 +2523,8 @@ {"verify-sig", 0, 0, 138}, {"engine", 1, 0, 139}, {"xattr-user", 0, 0, 140}, - {"validate", 0, 0, 141}, - {"verify", 0, 0, 142}, - {"pcrs", 1, 0, 143}, + {"ignore-violations", 0, 0, 141}, + {"pcrs", 1, 0, 142}, {} }; @@ -2660,14 +2703,15 @@ xattr_ima = "user.ima"; xattr_evm = "user.evm"; break; - case 141: /* --validate */ - validate = 1; + case 141: /* --ignore-violations */ + ignore_violations = 1; break; - case 142: /* --verify */ - verify = 1; - break; - case 143: - pcrfile = optarg; + case 142: + if (npcrfile >= MAX_PCRFILE) { + log_err("too many --pcrfile options\n"); + exit(1); + } + pcrfile[npcrfile++] = optarg; break; case '?': exit(1); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ima-evm-utils-1.3/src/imaevm.h new/ima-evm-utils-1.3.1/src/imaevm.h --- old/ima-evm-utils-1.3/src/imaevm.h 2020-07-22 00:39:17.000000000 +0200 +++ new/ima-evm-utils-1.3.1/src/imaevm.h 2020-08-11 13:19:04.000000000 +0200 
@@ -46,7 +46,7 @@ #include <syslog.h> #include <stdbool.h> #include <errno.h> - +#include <sys/types.h> #include <openssl/rsa.h> #ifdef USE_FPRINTF @@ -203,7 +203,7 @@ size_t size; }; -#define NUM_PCRS 20 +#define NUM_PCRS 24 #define DEFAULT_PCR 10 extern struct libimaevm_params imaevm_params; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ima-evm-utils-1.3/src/pcr_tss.c new/ima-evm-utils-1.3.1/src/pcr_tss.c --- old/ima-evm-utils-1.3/src/pcr_tss.c 2020-07-22 00:39:17.000000000 +0200 +++ new/ima-evm-utils-1.3.1/src/pcr_tss.c 2020-08-11 13:19:04.000000000 +0200 @@ -68,14 +68,17 @@ static int pcr_selections_match(TPML_PCR_SELECTION *a, TPML_PCR_SELECTION *b) { + int i, j; + if (a->count != b->count) return 0; - for (int i = 0; i < a->count; i++) { + + for (i = 0; i < a->count; i++) { if (a->pcrSelections[i].hash != b->pcrSelections[i].hash) return 0; if (a->pcrSelections[i].sizeofSelect != b->pcrSelections[i].sizeofSelect) return 0; - for (int j = 0; j < a->pcrSelections[i].sizeofSelect; j++) { + for (j = 0; j < a->pcrSelections[i].sizeofSelect; j++) { if (a->pcrSelections[i].pcrSelect[j] != b->pcrSelections[i].pcrSelect[j]) return 0; }
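Review bot: the ima-evm-utils.changes entry "Drop/rename ima_measurement options" should spell out the user-visible change, because scripts that still pass the old switches will now fail at option parsing: `--validate` is renamed to `--ignore-violations`, `--verify` is removed (template data digest verification is now always performed), and `--pcrs` now takes `[hash-algorithm,]file` and may be given more than once. Suggest something like "* ima_measurement: rename --validate to --ignore-violations, drop --verify (always on), --pcrs takes [hash-algorithm,]file and may repeat".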
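Review bot: the spec hunk drops Patch1, but the upstream tarball also deletes ChangeLog in favour of NEWS (see the ChangeLog and NEWS diffs), so check that the spec's %files/%doc list (outside this hunk) does not still name ChangeLog; if it does the build fails on the missing file, and NEWS should be shipped in its place.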
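Review bot: the README hunk documents `--pcrs [hash-algorithm,]file` but not what happens when the algorithm prefix is omitted; the evmctl.c change falls back to "sha1" in that case, and at most MAX_PCRFILE (2) `--pcrs` options are accepted. Both facts belong in the README and the usage text so that a user supplying a sha256 bank file without the prefix is not silently treated as sha1.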
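Review bot: in the evmctl.c hunk at line 160, `npcrfile` is declared `unsigned` while the loop in `read_file_pcrs` that walks it uses `int i`, so `i < npcrfile` is a signed/unsigned comparison that `-Wsign-compare` will flag; give both the same type. A short comment on why `MAX_PCRFILE` is 2 (one sha1 bank and one sha256 bank) would also help the next reader.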
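Review bot: the removal of `tpm_pcr_read` (hunk at line 1373) is worth a sentence in the changes entry: the old loop stopped only at `i > 99` while writing into `tpm_banks[0].pcr[i]`, an array of NUM_PCRS entries, so a user-supplied `--pcrs` file with more than NUM_PCRS "PCR-NN" lines could write past the array. The replacement `read_one_bank` bounds the loop with `i >= NUM_PCRS`, which closes that.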
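Review bot: in `read_file_pcrs` (hunk at line 1829), `*p = 0` overwrites the comma inside `pcrfile[i]`, which points at the original `optarg` string, so the function is not idempotent: a second call would see only the algorithm name and an empty path. Copy the algorithm name into a local buffer instead of mutating the argument. Two smaller points in the same hunk: when two `--pcrs` options name the same bank the second silently overwrites the first, which should be rejected with an error; and `read_one_bank` keeps the old behaviour of setting `result = 0` on any line read, so a file containing no "PCR-NN" lines reports success with an all-zero bank. Returning success only when at least one PCR was parsed would make a wrong `--pcrs` file fail loudly instead of producing a bogus comparison. There is also a stray blank line before the closing brace of `read_sysfs_pcrs`.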
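Review bot: the new usage line `" --ignore-violations ignore ToMToU measurement violations"` (hunk at line 2424) is missing its trailing `\n`, so the printed help runs it together with the following `" -v increase verbosity level\n"` on one line. Add `\n` before the closing quote.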
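Review bot: the error message in `case 142` (hunk at line 2660) says "too many --pcrfile options", but the option is named `--pcrs`; change the message to match, and consider mentioning the limit (`MAX_PCRFILE`) so the user knows how many are allowed.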
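Review bot: `NUM_PCRS` going from 20 to 24 lives in the public header imaevm.h, and the evmctl.c hunk at line 160 shows it sizing `pcr[NUM_PCRS][MAX_DIGEST_SIZE]`; confirm that no exported libimaevm function takes a struct or array sized by it, otherwise the change alters the library ABI under the unchanged `sover 2`. Either way the new value should appear in the changes entry, since it is also what bounds the new `read_one_bank` loop.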
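Review bot: the pcr_tss.c hunk hoists `i` and `j` out of the `for` headers, which is what the now-dropped 0001-pcr_tss-Fix-compilation-for-old-compilers.patch did, so the removal in the spec is consistent. If `count` and `sizeofSelect` are unsigned in the TSS headers (UINT32 and UINT8 in the ones I know), the `int` loop variables still produce `-Wsign-compare` warnings; declaring them `unsigned` would keep the pre-C99 compatibility and silence that.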