Helps to indicate when the template data digest verification fails. Indicate the problematic record in the measurement list based on log level and fail verification.
fixes: ff26f9704ec4 ("ima-evm-utils: calculate and verify the template data digest")
Signed-off-by: Mimi Zohar <zohar@xxxxxxxxxxxxx>
---
 src/evmctl.c | 23 ++++++++++++++++++++---
 1 file changed, 20 insertions(+), 3 deletions(-)
diff --git a/src/evmctl.c b/src/evmctl.c
index 06a2ffb879d9..faddc3c361a0 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -1444,14 +1444,21 @@ static int verify = 0;
 static int ima_verify_template_hash(struct template_entry *entry)
 {
 	uint8_t digest[SHA_DIGEST_LENGTH];
+	static int line = 0;
+
+	line++;
 
 	if (!memcmp(zero, entry->header.digest, sizeof(digest)))
 		return 0;
 
 	SHA1(entry->template, entry->template_len, digest);
-	if (memcmp(digest, entry->header.digest, sizeof(digest)))
+	if (memcmp(digest, entry->header.digest, sizeof(digest))) {
+		if (imaevm_params.verbose > LOG_INFO)
+			log_info("Failed to verify template data digest(line %d).\n",
+				 line);
 		return 1;
+	}
 
 	return 0;
 }
@@ -1892,6 +1899,7 @@ static int ima_measurement(const char *file)
 	struct template_entry entry = { .template = 0 };
 	FILE *fp;
+	int verified_template_digest = 0;
 	int err_padded = -1;
 	int err = -1;
@@ -2020,8 +2028,12 @@ static int ima_measurement(const char *file)
 		extend_tpm_banks(&entry, num_banks, pseudo_banks,
 				 pseudo_padded_banks);
 
-		if (verify)
-			ima_verify_template_hash(&entry);
+		/* Recalculate and verify template data digest */
+		if (verify) {
+			err = ima_verify_template_hash(&entry);
+			if (err)
+				verified_template_digest = 1;
+		}
 
 		if (is_ima_template)
 			ima_show(&entry);
@@ -2058,6 +2070,11 @@ static int ima_measurement(const char *file)
 		log_info("Failed to match per TPM bank or SHA1 padded TPM digest(s).\n");
 	}
 
+	if (verified_template_digest) {
+		log_info("Failed to verify template data digest.\n");
+		err = 1;
+	}
+
 out:
 	fclose(fp);
 	return err;
-- 
2.7.5
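Review bot: The `static int line` counter added at the top of ima_verify_template_hash() is never reset, so the number printed in "Failed to verify template data digest(line %d)" is only meaningful if this function is called exactly once per record of a single measurement list during the process lifetime; a second ima_measurement() call in the same process would keep counting from where the first one stopped, and any record the caller skips (the hunk does not show whether all records reach this call) would shift every later number. The counter also counts calls rather than list entries, which is what the message claims to report. A record index owned by ima_measurement() and passed in, e.g. `static int ima_verify_template_hash(struct template_entry *entry, int line)`, or at least a reset of the counter at the start of each measurement file, would make the reported position reliable. The whole function is inside this hunk.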
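Review bot: The new flag `int verified_template_digest = 0;` is set to 1 when verification fails (see the ima_verify_template_hash() call site and the final `if (verified_template_digest)` block later in this patch), so its name states the opposite of what it records and the later condition reads as "if verified, report failure". A name that matches the meaning, e.g. `int template_digest_failed = 0;`, with the two later uses renamed to match, would remove the inversion. ima_measurement() begins before this hunk and ends after it.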
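Review bot: Assigning the verification result to `err` in `err = ima_verify_template_hash(&entry);` overwrites whatever value `err` held for every record, including resetting it to 0 on success; before this change the call's return value was discarded and `err` was untouched here. Whether anything earlier in the loop relies on `err` is not visible in this hunk, but the flag already carries the outcome, so the assignment is not needed: `if (ima_verify_template_hash(&entry))` followed by `verified_template_digest = 1;` records the failure without touching `err` until the summary at the end. The enclosing loop and ima_measurement() extend beyond the hunk on both sides.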