On Fri, 2019-05-24 at 12:00 -0700, prakhar srivastava wrote: > On Fri, May 24, 2019 at 11:09 AM Mimi Zohar <zohar@xxxxxxxxxxxxx> wrote: > > > > > >> As mentioned, the first patch description should include a shell > > > >> command for verifying the digest in the kexec boot command line > > > >> measurement list record against /proc/cmdline. This patch description > > > >> should include a shell command showing how to verify the digest based > > > >> on the new field. Should the new field in the ascii measurement list > > > >> be displayed as a string, not hex? > > > > > > > > We should define a new type. If the type is DATA_FMT_STRING, spaces are > > > > replaced with '_'. > > > > > > Or better. Leave it as hex, otherwise there would be a parsing problem > > > if there are spaces in the data for a field. > > > > After making a few changes, the measurement list contains the > > following kexec-cmdline data: > > > > 10 edc32d1e3a5ba7272280a395b6fb56a5ef7c78c3 ima-buf > > sha256:4f43b7db850e > > 88c49dfeffd4b1eb4f021d78033dfb05b07e45eec8d0b45275 > > kexec-cmdline > > 726f6f > > 743d2f6465762f7364613420726f2072642e6c756b732e757569643d6c756b73 > > 2d6637 > > 3633643737632d653236622d343431642d613734652d62363633636334643832 > > 656120 > > 696d615f706f6c6963793d7463627c61707072616973655f746362 > > > > There's probably a better shell command, but the following works to > > verify the digest locally against the /proc/cmdline: > > > > $ echo -n -e `cat /proc/cmdline | sed 's/^.*root=/root=/'` | sha256sum > > 4f43b7db850e88c49dfeffd4b1eb4f021d78033dfb05b07e45eec8d0b4527f65 - > > > > If we leave the "buf" field as ascii-hex, what would the shell command > > look like when verifying the digest based on the "buf" field? > > > > Mimi > > > To quickly test the sha256 i used the my /proc/cmdline > ro quiet splash vt.handoff=1 ima_policy=tcb ima_appraise=fix > ima_template_fmt=n-ng|d-ng|sig|buf ima_hash=sha256 > > export $VAL= > 726f2071756965742073706c6173682076742e68616e646f66663d3120 > 696d615f706f6c6963793d74636220696d615f61707072616973653d666 > 97820696d615f74656d706c6174655f666d743d6e2d6e677c642d6e677c > 7369677c62756620696d615f686173683d736861323536 > > echo -n -e $VAL | xxd -r -p | sha256sum > 0d0b891bb730120d9593799cba1a7b3febf68f2bb81fb1304b0c963f95f6bc58 - > > I will run it through the code as well, but the shell command should work. Yes, that works. sudo cat /sys/kernel/security/integrity/ima/ascii_runtime_measurements | grep kexec-cmdline | cut -d' ' -f 6 | xxd -r -p | sha256sum Mimi
