Validating a TPM quote of PCR-10, the default IMA PCR, requires not only sending the quote to the verifier, but the IMA measurement list as well. The attestation server can verify the IMA measurement list simply by walking the measurement list and re-calculating the PCRs based on the template data digest. In addition, the attestation server could verify the template data digest based on the template data. The LTP and standalone "ima_measure" test optionally verify the template data digest. Similarly add "--verify" support to conditionally verify the template data digest against the template data.
Signed-off-by: Mimi Zohar <zohar@xxxxxxxxxxxxx>
---
 src/evmctl.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/evmctl.c b/src/evmctl.c
index 3c4483ef2b0e..eda7dd845930 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -1413,6 +1413,7 @@ static uint8_t zero[MAX_DIGEST_SIZE];
 static uint8_t fox[MAX_DIGEST_SIZE];
 static int validate = 0;
+static int verify = 0;
 static int ima_verify_template_hash(struct template_entry *entry)
 {
@@ -1875,7 +1876,7 @@ static int ima_measurement(const char *file)
 extend_tpm_banks(&entry, num_banks, pseudo_banks);
- if (validate)
+ if (verify)
 ima_verify_template_hash(&entry);
 if (!strcmp(entry.name, "ima"))
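Review bot: The new `if (verify)` line in ima_measurement calls ima_verify_template_hash(&entry) and discards its int return value, so a template data digest that does not match the template data cannot make ima_measurement report failure; whatever the helper does on mismatch (its body is outside this hunk) the measurement list is still accepted. If the helper returns non-zero on mismatch, propagate it, e.g. `if (verify && ima_verify_template_hash(&entry))` followed by a jump to the function's existing failure path. Before this change --validate alone triggered the template-hash check, so callers that relied on --validate now silently lose it unless they also pass --verify; that behaviour change deserves a sentence in the commit message and usage text. ima_measurement's body starts and continues outside the hunk.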
@@ -2156,7 +2157,7 @@ struct command cmds[] = {
 {"ima_verify", cmd_verify_ima, 0, "file", "Verify IMA signature (for debugging).\n"},
 {"ima_setxattr", cmd_setxattr_ima, 0, "[--sigfile file]", "Set IMA signature from sigfile\n"},
 {"ima_hash", cmd_hash_ima, 0, "file", "Make file content hash.\n"},
- {"ima_measurement", cmd_ima_measurement, 0, "[--validate] file", "Verify measurement list (experimental).\n"},
+ {"ima_measurement", cmd_ima_measurement, 0, "[--validate] [--verify] file", "Verify measurement list (experimental).\n"},
 {"ima_boot_aggregate", cmd_ima_bootaggr, 0, "", "Calculate per TPM bank boot_aggregate digests\n"},
 {"ima_fix", cmd_ima_fix, 0, "[-t fdsxm] path", "Recursively fix IMA/EVM xattrs in fix mode.\n"},
 {"ima_clear", cmd_ima_clear, 0, "[-t fdsxm] path", "Recursively remove IMA/EVM xattrs.\n"},
@@ -2196,6 +2197,7 @@ static struct option opts[] = {
 {"engine", 1, 0, 139},
 {"xattr-user", 0, 0, 140},
 {"validate", 0, 0, 141},
+ {"verify", 0, 0, 142},
 {}
 };
@@ -2377,6 +2379,9 @@ int main(int argc, char *argv[])
 case 141: /* --validate */
 validate = 1;
 break;
+ case 142: /* --verify */
+ verify = 1;
+ break;
 case '?':
 exit(1);
 break;
-- 
2.7.5
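Review bot: The new cmds[] entry lists `"[--validate] [--verify] file"` but keeps the description `"Verify measurement list (experimental).\n"`, so the help output never says what --verify adds or how it differs from --validate. Suggest extending the description, e.g. `"Verify measurement list (experimental); --verify also checks each template data digest against the template data.\n"`. If the file has a separate usage() text for per-command options (not visible in this hunk), the new flag should be documented there as well.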