Reading the TPM PCRs before walking the measurement list guarantees the measurement list contains all the records.

Signed-off-by: Mimi Zohar <zohar@xxxxxxxxxxxxx>
---
 src/evmctl.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/src/evmctl.c b/src/evmctl.c
index fac6a270794f..5787887882b4 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -1876,6 +1876,7 @@ static int ima_measurement(const char *file)
 	struct tpm_bank_info *tpm_banks;
 	int is_ima_template, cur_template_fmt;
 	int num_banks = 0;
+	int tpmbanks = 1;
 	int first_record = 1;
 	struct template_entry entry = { .template = 0 };
 
@@ -1901,6 +1902,14 @@ static int ima_measurement(const char *file)
 	else	/* assume read pubkey from x509 cert */
 		init_public_keys("/etc/keys/x509_evm.der");
 
+	/*
+	 * Reading the PCRs before walking the IMA measurement list
+	 * guarantees that all of the measurements are included in
+	 * the PCRs.
+	 */
+	if (read_tpm_banks(num_banks, tpm_banks) != 0)
+		tpmbanks = 0;
+
 	while (fread(&entry.header, sizeof(entry.header), 1, fp)) {
 		if (entry.header.name_len > TCG_EVENT_NAME_LEN_MAX) {
 			log_err("%d ERROR: event name too long!\n",
@@ -1999,10 +2008,9 @@ static int ima_measurement(const char *file)
 			ima_ng_show(&entry);
 	}
 
-	if (read_tpm_banks(num_banks, tpm_banks) != 0) {
-		err = 0;
+	if (tpmbanks == 0)
 		log_info("Failed to read any TPM PCRs\n");
-	} else {
+	else {
 		err = compare_tpm_banks(num_banks, pseudo_banks, tpm_banks);
 		if (!err)
 			log_info("Matched per TPM bank calculated digest(s).\n");
-- 
2.7.5
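Review bot: In the third hunk the PCR-read failure branch no longer assigns `err = 0;`, so when the TPM banks cannot be read ima_measurement now returns whatever `err` held before that point — the removed code deliberately reported success there, and neither the commit message nor the new code says whether that change of return value is intended. If masking the failure is still the intent, keep `err = 0;` under the `log_info("Failed to read any TPM PCRs\n");` line; if the failure should now propagate, say so in the commit message since callers comparing the exit status will see different behaviour. The `int tpmbanks = 1;` added in the first hunk reads as a bank count rather than a flag; `int tpmbanks_read = 1;` would make `if (tpmbanks == 0)` self-explaining. Since the `else` branch keeps its braces, the `if` branch should keep them as well. ima_measurement begins before and ends after these hunks, so the earlier value of `err` is not visible here.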