Re: [PATCH v2 2/8] ima_evm_utils: support extending TPM 2.0 banks w/original SHA1 padded digest

Bruno Meneguele <bmeneg@xxxxxxxxxx> · Wed, 15 Jul 2020 15:43:27 -0300

Hi Mimi,

On Fri, Jul 10, 2020 at 12:00:53PM -0400, Mimi Zohar wrote:
> Initially the sha1 digest, including violations, was padded with zeroes
> before being extended into the other TPM banks.  Support walking the
> IMA measurement list, calculating the per TPM bank SHA1 padded
> digest(s).
> 
> Signed-off-by: Mimi Zohar <zohar@xxxxxxxxxxxxx>
> ---
>  src/evmctl.c | 73 +++++++++++++++++++++++++++++++++++++++++++++++-------------
>  1 file changed, 58 insertions(+), 15 deletions(-)
> 
> diff --git a/src/evmctl.c b/src/evmctl.c
> index 0e489e2c7ba6..814aa6b75571 100644
> --- a/src/evmctl.c
> +++ b/src/evmctl.c
> @@ -1613,6 +1613,10 @@ static struct tpm_bank_info *init_tpm_banks(int *num_banks)
>  	return banks;
>  }
>  
> +/*
> + * Compare the calculated TPM PCR banks against the PCR values read.
> + * On failure to match any TPM bank, fail comparison.
> + */
>  static int compare_tpm_banks(int num_banks, struct tpm_bank_info *bank,
>  			     struct tpm_bank_info *tpm_bank)
>  {
> @@ -1632,14 +1636,15 @@ static int compare_tpm_banks(int num_banks, struct tpm_bank_info *bank,
>  			log_info("%s: TPM PCR-%d: ", tpm_bank[i].algo_name, j);
>  			log_dump(tpm_bank[i].pcr[j], tpm_bank[i].digest_size);
>  
> -			ret = memcmp(bank[i].pcr[j], tpm_bank[i].pcr[j],
> -				     bank[i].digest_size);
> -			if (!ret)
> +			if (memcmp(bank[i].pcr[j], tpm_bank[i].pcr[j],
> +				     bank[i].digest_size) == 0) {
>  				log_info("%s PCR-%d: succeed\n",
>  					 bank[i].algo_name, j);
> -			else
> +			} else {
> +				ret = 1;
>  				log_info("%s: PCRAgg %d does not match TPM PCR-%d\n",
>  					 bank[i].algo_name, j, j);
> +			}
>  		}
>  	}
>  	return ret;
> @@ -1695,10 +1700,7 @@ static int extend_tpm_bank(EVP_MD_CTX *pctx, const EVP_MD *md,
>  		goto out;
>  	}
>  
> -	if (validate && !memcmp(entry->header.digest, zero, SHA_DIGEST_LENGTH))
> -		err = EVP_DigestUpdate(pctx, fox, bank->digest_size);

'fox' is not being used in the code anymore. It could be totally removed
afaics.

diff --git a/src/evmctl.c b/src/evmctl.c
index 90a3eeb..ae513b0 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -1425,7 +1425,6 @@ struct template_entry {
 };

 static uint8_t zero[MAX_DIGEST_SIZE];
-static uint8_t fox[MAX_DIGEST_SIZE];

 static int validate = 0;
 static int verify = 0;
@@ -1886,7 +1885,6 @@ static int ima_measurement(const char *file)

        errno = 0;
        memset(zero, 0, MAX_DIGEST_SIZE);
-       memset(fox, 0xff, MAX_DIGEST_SIZE);

        pseudo_padded_banks = init_tpm_banks(&num_banks);
        pseudo_banks = init_tpm_banks(&num_banks);


-- 
bmeneg 
PGP Key: http://bmeneg.com/pubkey.txt
Attachment:
signature.asc

Description: PGP signature




