Walking the measurement list and calculating the PCR to compare against the TPM is only the first step. The next step is verifying the file signatures contained in the measurement list. This patch differentiates between the two.

Signed-off-by: Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx>
---
 src/evmctl.c | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/src/evmctl.c b/src/evmctl.c
index e0ed93d..f791a5b 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -1333,13 +1333,14 @@ void ima_show(struct template_entry *entry)
 	log_debug_dump(entry->header.digest, sizeof(entry->header.digest));
 }
 
-void ima_ng_show(struct template_entry *entry)
+int ima_ng_show(struct template_entry *entry)
 {
 	uint8_t *fieldp = entry->template;
 	uint32_t field_len;
 	int total_len = entry->template_len, digest_len, len, sig_len;
 	uint8_t *digest, *sig = NULL;
 	char *algo, *path;
+	int err = 0;
 
 	/* get binary digest */
 	field_len = *(uint32_t *)fieldp;
@@ -1392,12 +1393,13 @@ void ima_ng_show(struct template_entry *entry)
 	if (sig) {
 		log_info(" ");
 		log_dump(sig, sig_len);
-		ima_verify_signature(path, sig, sig_len);
+		err = ima_verify_signature(path, sig, sig_len);
 	} else
 		log_info("\n");
 
 	if (total_len)
 		log_err("Remain unprocessed data: %d\n", total_len);
+	return err;
 }
 
 static int ima_measurement(const char *file)
@@ -1407,6 +1409,7 @@ static int ima_measurement(const char *file)
 	struct template_entry entry = { .template = 0 };
 	FILE *fp;
 	int err = -1;
+	int verify_sig_failed = 0;
 
 	memset(fox, 0xff, SHA_DIGEST_LENGTH);
 
@@ -1452,10 +1455,12 @@ static int ima_measurement(const char *file)
 		if (validate)
 			ima_verify_template_hash(&entry);
 
-		if (!strcmp(entry.name, "ima"))
+		if (!strcmp(entry.name, "ima")) {
 			ima_show(&entry);
-		else
-			ima_ng_show(&entry);
+		} else {
+			if (ima_ng_show(&entry) != 0)
+				verify_sig_failed = 1;
+		}
 	}
 
 	tpm_pcr_read(10, pcr10, sizeof(pcr10));
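Review bot: The new `int` return of ima_ng_show() at the changed signature line has no stated contract, so a reader cannot tell whether it reports only the signature check or also parse problems such as the "Remain unprocessed data" case. A header comment above the signature would settle it, e.g. `/* Returns 0 when the entry has no signature or its signature verified; otherwise the non-zero result of ima_verify_signature(). Parse anomalies are only logged. */`. If a prototype for ima_ng_show() exists in a header or earlier in this file (not visible here), it must change from void to int as well or the build breaks. The function body continues past this hunk into the next one.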
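Review bot: An entry that carries no signature leaves `err` at its initial 0 on the `} else` path, so at the caller an unsigned entry is indistinguishable from a verified one; the same holds for "ima"-template entries routed to the void ima_show() in the fourth hunk, which performs no verification. Whether unsigned entries are acceptable is a policy choice, but it means the final "invalid signatures" message in the last hunk cannot be read as "every file was verified", and that should be documented or reported separately (for instance by counting entries without a signature). The `if (total_len)` case is likewise logged but not reflected in `err`; if trailing template data should count as a failure, `if (!err) err = -1;` after the log_err would propagate it, but I am inferring the intended contract here.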
@@ -1469,6 +1474,8 @@ static int ima_measurement(const char *file)
 	if (memcmp(pcr, pcr10, sizeof(pcr))) {
 		log_err("PCRAgg does not match PCR-10\n");
 		goto out;
+	} else if (verify_sig_failed == 1) {
+		log_err("PCRAgg matches PCR-10, but list contains unknown keys or invalid signatures\n");
 	}
 	err = 0;
 
-- 
2.7.4
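Review bot: `err = 0;` still runs after the new `else if` branch, so ima_measurement() reports success whenever the PCR aggregate matches even if every signature failed; a caller checking the exit status cannot separate the two cases, which is the differentiation the commit description promises. If this is intentional it should be stated in a comment next to the branch; otherwise keep the failure status, e.g. `} else if (verify_sig_failed) {` / `log_err("PCRAgg matches PCR-10, but list contains unknown keys or invalid signatures\n");` / `goto out;`, or assign a distinct non-zero code so that PCR mismatch and signature failure stay separable. `verify_sig_failed` only ever holds 0 or 1 (third and fourth hunks), so `if (verify_sig_failed)` is the usual style over `== 1`. The `out:` label and return of ima_measurement() lie outside the hunk.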