[PATCH ima-evm-utils v2] add support for reading per bank TPM 2.0 PCRs via sysfs

Tergel Myanganbayar <tergel@xxxxxxxxxxxxx> · Wed, 7 Sep 2022 20:25:00 -0400

Until Linux kernel version 5.11, a TSS was required to read TPM 2.0 PCR
values. A feature which exposed the per bank TPM 2.0 PCRs directly via
sysfs was upstreamed in newer Kernel versions.

Use this recent feature in IMA-EVM-UTILS to remove TSS dependency.

Signed-off-by: Tergel Myanganbayar <tergel@xxxxxxxxxxxxx>
---
 src/evmctl.c | 56 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 56 insertions(+)

diff --git a/src/evmctl.c b/src/evmctl.c
index 46a34cc..07209b6 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -1922,7 +1922,60 @@ static int read_sysfs_pcrs(int num_banks, struct tpm_bank_info *tpm_banks)
 	for (i = 1; i < num_banks; i++)
 		tpm_banks[i].supported = 0;
 	return 0;
+}
+
+static int read_tpm2_one_bank(struct tpm_bank_info *tpm_bank)
+{
+	FILE *fp;
+	char digest[MAX_DIGEST_SIZE + 1];
+	char file_name[NAME_MAX];
+	char *p;
+	int i;
+
+	for (i = 0; i < NUM_PCRS; i++) {
+		sprintf(file_name, "/sys/class/tpm/tpm0/pcr-%s/%d",
+			tpm_bank->algo_name, i);
+		fp = fopen(file_name, "r");
+		if (!fp)
+			return -1;
 
+		p = fgets(digest, tpm_bank->digest_size * 2 + 1, fp);
+		if (!p) {
+			fclose(fp);
+			return -1;
+		}
+
+		hex2bin(tpm_bank->pcr[i], digest, tpm_bank->digest_size);
+		fclose(fp);
+	}
+	return 0;
+}
+
+static int read_sysfs_tpm2_pcrs(int num_banks, struct tpm_bank_info *tpm_banks)
+{
+	int tpm_enabled = 0;
+	int rt, j;
+
+	if (imaevm_params.verbose > LOG_INFO)
+		log_info("Trying to read PCRs via sysfs.\n");
+
+	for (j = 0; j < num_banks; j++) {
+		rt = read_tpm2_one_bank(&tpm_banks[j]);
+		if (rt < 0) {
+			tpm_banks[j].supported = 0;
+			continue;
+		}
+		tpm_enabled = 1;
+	}
+
+	/* On failure to read any TPM bank PCRs, re-initialize the TPM banks*/
+	if (tpm_enabled == 0) {
+		for (j = 0; j < num_banks; j++)
+			tpm_banks[j].supported = 1;
+		return 1;
+	}
+
+	return 0;
 }
 
 /* Read PCRs from per-bank file(s) specified via --pcrs */
@@ -2008,6 +2061,9 @@ static int read_tpm_banks(int num_banks, struct tpm_bank_info *bank)
 	if (read_sysfs_pcrs(num_banks, bank) == 0)
 		return 0;
 
+	if (read_sysfs_tpm2_pcrs(num_banks, bank) == 0)
+		return 0;
+
 	/* Any userspace applications available for reading TPM 2.0 PCRs? */
 	if (!tpm2_pcr_supported()) {
 		log_debug("Failed to read TPM 2.0 PCRs\n");
-- 
2.32.1 (Apple Git-133)







