[PATCH] ima-evm-utils: add support for tpm2-tools to read the TPM 2.0 PCRs

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



This adds support for reading TPM 2.0 PCRs using the tpm2-tools TSS.

Signed-off-by: Patrick Uiterwijk <patrick@xxxxxxxxxxxxxx>
---
 configure.ac |  6 ++++++
 src/evmctl.c | 34 ++++++++++++++++++++++++++++++----
 2 files changed, 36 insertions(+), 4 deletions(-)

diff --git a/configure.ac b/configure.ac
index 7747481..adcc6ce 100644
--- a/configure.ac
+++ b/configure.ac
@@ -35,6 +35,11 @@ if test "x$TSSPCRREAD" = "xyes"; then
 	AC_DEFINE(HAVE_TSSPCRREAD, 1, [Define to 1 if you have tsspcrread
binary installed])
 fi

+AC_CHECK_PROG(TPM2PCRLIST, [tpm2_pcrlist], yes, no)
+if test "x$TPM2PCRLIST" = "xyes"; then
+	AC_DEFINE(HAVE_TPM2PCRLIST, 1, [Define to 1 if you have the
tpm2_pcrlist binary installed])
+fi
+
 AC_CHECK_HEADERS(sys/xattr.h, , [AC_MSG_ERROR([sys/xattr.h header not
found. You need the c-library development package.])])
 AC_CHECK_HEADERS(keyutils.h, , [AC_MSG_ERROR([keyutils.h header not
found. You need the libkeyutils development package.])])

@@ -78,4 +83,5 @@ echo	"Configuration:"
 echo	"          debug: $pkg_cv_enable_debug"
 echo	"   openssl-conf: $enable_openssl_conf"
 echo	"     tsspcrread: $TSSPCRREAD"
+echo	"   tpm2_pcrlist: $TPM2PCRLIST"
 echo
diff --git a/src/evmctl.c b/src/evmctl.c
index be59ead..393a20d 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -1421,15 +1421,20 @@ static int tpm_pcr_read(int idx, uint8_t *pcr, int len)
 	return result;
 }

-#ifdef HAVE_TSSPCRREAD
+#if defined(HAVE_TSSPCRREAD) || defined(HAVE_TPM2PCRLIST)
 static int tpm2_pcr_read(int idx, uint8_t *hwpcr, int len, char **errmsg)
 {
 	FILE *fp;
+	char *pcrval;
 	char pcr[100];	/* may contain an error */
 	char cmd[50];
 	int ret;

+	#if defined(HAVE_TSSPCRREAD)
 	sprintf(cmd, "tsspcrread -halg sha1 -ha %d -ns 2> /dev/null", idx);
+	#elif defined(HAVE_TPM2PCRLIST)
+	sprintf(cmd, "tpm2_pcrlist -L sha1:%d", idx);
+	#endif
 	fp = popen(cmd, "r");
 	if (!fp) {
 		ret = asprintf(errmsg, "popen failed: %s", strerror(errno));
@@ -1439,18 +1444,39 @@ static int tpm2_pcr_read(int idx, uint8_t
*hwpcr, int len, char **errmsg)
 	}

 	if (fgets(pcr, sizeof(pcr), fp) == NULL) {
-		ret = asprintf(errmsg, "tsspcrread failed: %s",
+		ret = asprintf(errmsg, "PCR Reading failed: %s",
 			       strerror(errno));
 		if (ret == -1)	/* the contents of errmsg is undefined */
 			*errmsg = NULL;
 		ret = pclose(fp);
 		return -1;
 	}
+	pcrval = &pcr;
+
+	#ifdef HAVE_TPM2PCRLIST
+	/* Get the second line of output as PCR value */
+	if (fgets(pcr, sizeof(pcr), fp) == NULL) {
+		ret = asprintf(errmsg, "PCW Reading failed: %s",
+			       strerror(errno));
+		if (ret == -1)	/* the contents of errmsg is undefined */
+			*errmsg = NULL;
+		ret = pclose(fp);
+		return -1;
+	}
+	pcrval = strchr(&pcr, ':');
+	if (pcrval == NULL) {
+		*errmsg = NULL;
+		ret = pclose(fp);
+		return -1;
+	}
+	/* Skip the colon */
+	pcrval++;
+	#endif

 	/* get the popen "cmd" return code */
 	ret = pclose(fp);
 	if (!ret)
-		hex2bin(hwpcr, pcr, SHA_DIGEST_LENGTH);
+		hex2bin(hwpcr, pcrval, SHA_DIGEST_LENGTH);
 	else
 		*errmsg = strndup(pcr, strlen(pcr) - 1); /* remove newline */

@@ -1715,7 +1741,7 @@ static int ima_measurement(const char *file)
 		log_dump(pcr[i], SHA_DIGEST_LENGTH);

 		if (tpm_pcr_read(i, hwpcr, sizeof(hwpcr))) {
-#ifdef HAVE_TSSPCRREAD
+#if defined(HAVE_TSSPCRREAD) || defined(HAVE_TPM2PCRLIST)
 			char *errmsg = NULL;

 			err = tpm2_pcr_read(i, hwpcr, sizeof(hwpcr), &errmsg);
-- 
2.21.0



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux Kernel]     [Linux Kernel Hardening]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux SCSI]

  Powered by Linux