Hi Mimi,
> > +ima_check()
...
> > + [ "$DIGEST_INDEX" ] && digest="$(echo "$line" | awk '{print $(NF-'$DIGEST_INDEX')}' | cut -d ':' -f 1)"
> > + hash="$(echo "$line" | awk '{print $(NF-1)}' | cut -d ':' -f 2)"
> With the "ima-sig" template, with a measurement that does not contain
> the signature, this works fine. There's a problem with lines
> containing the signature.
> Sample ima-sig template measurements with/without the signature:
> line="10 ee788468d1b416a394feb9f4e5650302d9cd5574 ima-sig sha256:866c2542efd5c7528591eb3bb2861a1994a655da47732ccf28f7f4b1ce42d564 /usr/lib64/libpam.so.0.84.1"
> line="10 d3afb4df5fe42485b99677f4b68a04692977b4bc ima-sig sha256:7b85508c9181670fe169935310b8c95d7c2573f0318a70cecd12868569aab891 /etc/profile.d/less.sh 0302046e6c104601008bd533707b34a9e896d3d530a88e9af517fb7e8cf79e9e55064a577fcbcdb81236ede6fec0638d357e4c2ed9b261320f8789378d1e58af8e1c6f40ebdf080759be2c633b27bc8aed85af0620fa27700c68fdf31d33b2f9e36432a1e7d7eb8dbf20b9474d332deb9697767ee13e13c116544a843b54fce842d24ea485bb41f6f7b1e9fa3faed0c591f5243cee008b9499e48064141662d3c4d002b07448ae54dc8d8674437143d73c4e34f5b416300ba890dc391eae9e5b1e89190790d0ea77d1dc57e07dae9ca003294a36fda09c31f8afa347701bfcf5aed0fda9cf7a37f734ba80fc10f2d60409f0beba532f3e5cc15ae995128e466b20fdadef789e285519"
Sorry, I haven't setup machine with IMA signature support yet. So booting with
ima_template_fmt=d-ng|n-ng|sig (or kernel with CONFIG_IMA_DEFAULT_TEMPLATE="ima-sig")
without any keys generated with evmctl obviously doesn't bring any signatures.
It could be a solution to detect presence of signature for 'ima-sig' with simple counting
parameters (5: no signature, 6: signature when ima_template_fmt is not used). And good
thing is that line without signature is different: signature part isn't left, but there is
and space (' ') for it.
The detection of both indexes (the hash itself and the digest) needs to be bit smarter
anyway as imagine someone crazy using ima_template_fmt=d-ng|n-ng|sig|d-ng|n-ng|sig
parameter.
Kind regards,
Petr
