pax_global_header00006660000000000000000000000064144013574470014523gustar00rootroot0000000000000052 comment=1803accc3ff8a4e347f9a93e68b14ed9cbbb56f7
ima-evm-utils-1.5/000077500000000000000000000000001440135744700140615ustar00rootroot00000000000000
ima-evm-utils-1.5/.github/000077500000000000000000000000001440135744700154215ustar00rootroot00000000000000
ima-evm-utils-1.5/.github/workflows/000077500000000000000000000000001440135744700174565ustar00rootroot00000000000000
ima-evm-utils-1.5/.github/workflows/ci.yml000066400000000000000000000146351440135744700206050ustar00rootroot00000000000000
# Copyright (c) 2021 Petr Vorel
#
# GitHub Actions workflow.  Job "build" fetches the linux-integrity tree,
# builds a User Mode Linux (ARCH=um) kernel and caches it together with the
# kernel's auto-generated module signing key.  Job "job" then builds
# ima-evm-utils in a matrix of distro containers and, for the single
# TST_ENV=um matrix entry, restores the cached kernel for the test suite.

name: "distros"
# "on" is a YAML 1.1 boolean literal: GitHub's loader treats it as the
# trigger key, but generic YAML 1.1 parsers read the key as `true`.
on: [push, pull_request]

jobs:
  build:
    runs-on: ubuntu-latest
    outputs:
      # Resolved kernel commit, consumed by job "job" for its cache keys.
      LINUX_SHA: ${{ steps.last-commit.outputs.LINUX_SHA }}
    name: build
    timeout-minutes: 100
    strategy:
      fail-fast: false
    steps:
      # NOTE(review): every action below is pinned to a major tag (@v3)
      # rather than a full commit SHA; SHA pinning is the usual supply-chain
      # hardening for third-party actions.
      - uses: actions/checkout@v3

      # Resolve the kernel commit to build: a kernel ref named like the
      # ima-evm-utils ref being built (GITHUB_REF_NAME) is tried first, then
      # LINUX_BRANCH.  Repository variables LINUX_URL / LINUX_BRANCH override
      # the built-in defaults.
      # NOTE(review): ${{ vars.* }} is substituted into the script text by
      # the expression engine before the shell runs.  Repository variables
      # are maintainer-controlled, so this is not a direct injection path,
      # but the conventional hardening is to pass them through `env:` and
      # read $LINUX_URL / $LINUX_BRANCH from the environment instead.
      - name: Determine last kernel commit
        id: last-commit
        shell: bash
        run: |
          mkdir linux-integrity
          pushd linux-integrity
          git init
          LINUX_URL=${{ vars.LINUX_URL }}
          if [ -z "$LINUX_URL" ]; then
            LINUX_URL=https://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git
          fi
          LINUX_BRANCH=${{ vars.LINUX_BRANCH }}
          if [ -z "$LINUX_BRANCH" ]; then
            LINUX_BRANCH=next-integrity
          fi
          git remote add origin $LINUX_URL
          LINUX_SHA=$(git ls-remote origin $GITHUB_REF_NAME | awk '{print $1}')
          [ -z "$LINUX_SHA" ] && LINUX_SHA=$(git ls-remote origin $LINUX_BRANCH | awk '{print $1}')
          echo "LINUX_SHA=$LINUX_SHA" >> $GITHUB_OUTPUT
          popd

      # Both cache keys combine the kernel commit with a hash of the config
      # fragments under kernel-configs/, so a change to either forces a
      # rebuild.
      - name: Cache UML kernel
        id: cache-linux
        uses: actions/cache@v3
        with:
          path: linux
          key: linux-${{ steps.last-commit.outputs.LINUX_SHA }}-${{ hashFiles('**/kernel-configs/*') }}

      # signing_key.pem is the module signing key the kernel build generates
      # (copied out of certs/ below).  It lives in the Actions cache, not in
      # a secret store, so it has to be treated as a disposable CI-only key.
      - name: Cache signing key
        id: cache-key
        uses: actions/cache@v3
        with:
          path: signing_key.pem
          key: signing_key.pem-${{ steps.last-commit.outputs.LINUX_SHA }}-${{ hashFiles('**/kernel-configs/*') }}

      # Rebuild when either cache missed, so the kernel and the key always
      # come from the same build.  The tree is fetched at exactly the commit
      # resolved above, keeping it consistent with the cache keys.
      - name: Compile UML kernel
        if: steps.cache-linux.outputs.cache-hit != 'true' || steps.cache-key.outputs.cache-hit != 'true'
        shell: bash
        run: |
          if [ "$DEVTOOLSET" = "yes" ]; then
            source /opt/rh/devtoolset-10/enable
          fi
          if [ "$ARCH" = "i386" ]; then
            CROSS_COMPILE_OPT="CROSS_COMPILE=i686-linux-gnu-"
          fi
          pushd linux-integrity
          git pull --depth 1 origin ${{ steps.last-commit.outputs.LINUX_SHA }}
          make ARCH=um defconfig
          ./scripts/kconfig/merge_config.sh -m .config $(ls ../kernel-configs/*)
          # Update manually, to specify ARCH=um
          make ARCH=um olddefconfig
          # Make everything built-in
          make ARCH=um localyesconfig
          make ARCH=um $CROSS_COMPILE_OPT -j$(nproc)
          chmod +x linux
          cp linux ..
          cp certs/signing_key.pem ..
          popd

  job:
    needs: build
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        include:
          # 32bit build
          - container: "debian:stable"
            env:
              CC: gcc
              ARCH: i386
              TSS: tpm2-tss
              VARIANT: i386
              COMPILE_SSL: openssl-3.0.5

          # cross compilation builds
          - container: "debian:stable"
            env:
              ARCH: ppc64el
              CC: powerpc64le-linux-gnu-gcc
              TSS: ibmtss
              VARIANT: cross-compile
          - container: "debian:stable"
            env:
              ARCH: arm64
              CC: aarch64-linux-gnu-gcc
              TSS: tpm2-tss
              VARIANT: cross-compile
          - container: "debian:stable"
            env:
              ARCH: s390x
              CC: s390x-linux-gnu-gcc
              TSS: ibmtss
              VARIANT: cross-compile

          # musl (native)
          - container: "alpine:latest"
            env:
              CC: gcc
              TSS: tpm2-tss

          # glibc (gcc/clang)
          - container: "opensuse/tumbleweed"
            env:
              CC: clang
              TSS: ibmtss
          - container: "opensuse/leap"
            env:
              CC: gcc
              TSS: tpm2-tss
          - container: "ubuntu:jammy"
            env:
              CC: gcc
              TSS: ibmtss
              COMPILE_SSL: openssl-3.0.5
          - container: "ubuntu:xenial"
            env:
              CC: clang
              TSS: tpm2-tss
          - container: "fedora:latest"
            env:
              CC: clang
              TSS: ibmtss
          # The only entry that sets TST_ENV, which gates the kernel / key
          # retrieval steps below; TST_KERNEL points at the restored UML
          # binary.
          - container: "fedora:latest"
            env:
              CC: clang
              TSS: ibmtss
              TST_ENV: um
              TST_KERNEL: ../linux
          - container: "centos:7"
            env:
              CC: gcc
              TSS: tpm2-tss
          - container: "debian:testing"
            env:
              CC: clang
              TSS: tpm2-tss
          - container: "debian:stable"
            env:
              CC: clang
              TSS: ibmtss
          - container: "alt:sisyphus"
            env:
              CC: gcc
              TSS: libtpm2-tss-devel

    container:
      image: ${{ matrix.container }}
      env: ${{ matrix.env }}
      # Privileged, with the host's loop-control device and /dev/shm mapped
      # in -- presumably what the UML test environment needs.  Note that
      # every matrix entry runs with these options, not only the TST_ENV one.
      options: --privileged --device /dev/loop-control -v /dev/shm:/dev/shm

    steps:
      - name: Show OS
        run: cat /etc/os-release

      # NOTE(review): checkout@v1 here versus checkout@v3 in job "build";
      # align both jobs on the same (ideally SHA-pinned) version.
      - name: Git checkout
        uses: actions/checkout@v1

      # Derive the ci/ script name from the image name: drop everything from
      # the first ':' (the tag) and everything from the first '/'.
      - name: Install additional packages
        run: |
          INSTALL=${{ matrix.container }}
          INSTALL="${INSTALL%%:*}"
          INSTALL="${INSTALL%%/*}"
          if [ "$VARIANT" ]; then ARCH="$ARCH" ./ci/$INSTALL.$VARIANT.sh; fi
          ARCH="$ARCH" CC="$CC" TSS="$TSS" ./ci/$INSTALL.sh

      # Only for entries that request a specific OpenSSL (COMPILE_SSL).
      - name: Build openSSL
        run: |
          if [ "$COMPILE_SSL" ]; then
            COMPILE_SSL="$COMPILE_SSL" VARIANT="$VARIANT" ./tests/install-openssl3.sh; \
          fi

      # Native builds only (no VARIANT): install a software TPM unless one is
      # already on PATH, and only when the TSS start-up tool is present.
      - name: Build swtpm
        run: |
          if [ ! "$VARIANT" ]; then
            which tpm_server || which swtpm || \
              if which tssstartup; then ./tests/install-swtpm.sh; fi
          fi

      # Restore the artifacts job "build" cached, using the same keys.
      # NOTE(review): continue-on-error: false is already the default, and a
      # cache miss on its own does not make actions/cache fail, so a missing
      # kernel would presumably only surface at the Compile step -- confirm.
      - name: Retrieve UML kernel
        if: ${{ matrix.env.TST_ENV }}
        uses: actions/cache@v3
        continue-on-error: false
        with:
          path: linux
          key: linux-${{ needs.build.outputs.LINUX_SHA }}-${{ hashFiles('**/kernel-configs/*') }}

      - name: Retrieve signing key
        if: ${{ matrix.env.TST_ENV }}
        continue-on-error: false
        uses: actions/cache@v3
        with:
          path: signing_key.pem
          key: signing_key.pem-${{ needs.build.outputs.LINUX_SHA }}-${{ hashFiles('**/kernel-configs/*') }}

      - name: Compiler version
        run: $CC --version

      # Each matrix knob is forwarded explicitly to build.sh.
      - name: Compile
        run: CC="$CC" VARIANT="$VARIANT" COMPILE_SSL="$COMPILE_SSL" TST_ENV="$TST_ENV" TST_KERNEL="$TST_KERNEL" ./build.sh
ima-evm-utils-1.5/.gitignore000066400000000000000000000011231440135744700160460ustar00rootroot00000000000000
*.swp
*~

# Generated by autotools
.libs
m4
.deps
aclocal.m4
autom4te.cache
config.guess
config.log
config.status
config.sub
configure
depcomp
install-sh
Makefile.in
Makefile
!tests/data/Makefile
missing
compile
libtool
ltmain.sh
test-driver

# Compiled executables
*.o
*.a
*.lo
*.la
src/evmctl
tests/openclose
config.h
config.h.in
stamp-h1
*.spec

# But don't ignore the symlinks with the same names in this directory
!tests/valgrind/*

# cscope/tags
tags
TAGS
cscope.*
ncscope.*

# Generated documentation
*.1
*.8
*.5
manpage.links
manpage.refs

# quilt's files
patches
series

# test output
ima-evm-utils-1.5/.travis.yml000066400000000000000000000075741440135744700162050ustar00rootroot00000000000000
# Copyright (c) 2017-2021 Petr Vorel
#
# Travis CI configuration.  Each matrix entry builds a throwaway container
# image from DISTRO, runs the matching ci/<distro>.sh installer inside it
# and then ./build.sh.  The distro matrix largely mirrors the one in
# .github/workflows/ci.yml.

dist: focal
language: C

services:
  - docker

matrix:
  include:
    # 32 bit build
    - os: linux
      env: DISTRO=debian:stable VARIANT=i386 ARCH=i386 TSS=tpm2-tss COMPILE_SSL=openssl-3.0.5
      compiler: gcc

    # cross compilation builds
    - os: linux
      env: DISTRO=debian:stable VARIANT=cross-compile ARCH=ppc64el TSS=ibmtss
      compiler: powerpc64le-linux-gnu-gcc
    - os: linux
      env: DISTRO=debian:stable VARIANT=cross-compile ARCH=arm64 TSS=tpm2-tss
      compiler: aarch64-linux-gnu-gcc
    - os: linux
      env: DISTRO=debian:stable VARIANT=cross-compile ARCH=s390x TSS=ibmtss
      compiler: s390x-linux-gnu-gcc

    # musl
    # CONTAINER=podman entries run with crun and host networking instead of
    # the default docker engine (see before_install).
    - os: linux
      env: DISTRO=alpine:latest TSS=tpm2-tss CONTAINER=podman CONTAINER_ARGS="--runtime=/usr/bin/crun --network=host"
      compiler: gcc

    # glibc (gcc/clang)
    - os: linux
      env: DISTRO=opensuse/tumbleweed TSS=ibmtss CONTAINER=podman CONTAINER_ARGS="--runtime=/usr/bin/crun --network=host"
      compiler: clang
    - os: linux
      env: DISTRO=opensuse/leap TSS=tpm2-tss
      compiler: gcc
    - os: linux
      env: DISTRO=ubuntu:jammy TSS=ibmtss COMPILE_SSL=openssl-3.0.5
      compiler: gcc
    - os: linux
      env: DISTRO=ubuntu:xenial TSS=tpm2-tss
      compiler: clang
    - os: linux
      env: DISTRO=fedora:latest TSS=ibmtss CONTAINER=podman CONTAINER_ARGS="--runtime=/usr/bin/crun --network=host"
      compiler: clang
    - os: linux
      env: DISTRO=centos:7 TSS=tpm2-tss CONTAINER=podman CONTAINER_ARGS="--runtime=/usr/bin/crun --network=host"
      compiler: gcc
    # REPO is a registry prefix that the script section strips again when
    # deriving the ci/ installer name from DISTRO.
    - os: linux
      env: REPO="quay.io/centos/" DISTRO="${REPO}centos:stream8" TSS=tpm2-tss CONTAINER=podman CONTAINER_ARGS="--runtime=/usr/bin/crun --network=host"
      compiler: clang
    - os: linux
      env: DISTRO=debian:testing TSS=tpm2-tss
      compiler: clang
    - os: linux
      env: DISTRO=debian:stable TSS=ibmtss
      compiler: gcc
    - os: linux
      env: REPO="docker.io/library/" DISTRO=${REPO}alt:sisyphus TSS=libtpm2-tss-devel CONTAINER=podman CONTAINER_ARGS="--runtime=/usr/bin/crun --network=host"
      compiler: gcc

before_install:
  # Tumbleweed requires podman because docker is incompatible with glibc 2.33
  # (faccessat2) and crun (for clone3).
  - CONTAINER="${CONTAINER:-docker}"
  # Installs podman from the openSUSE kubic repository on the Travis host.
  # NOTE(review): the repository key is fetched over HTTPS but installed
  # with apt-key, which is deprecated on current Ubuntu; a keyring file
  # referenced via signed-by in the sources entry is the modern equivalent.
  - >
    if [ "$CONTAINER" = "podman" ]; then
      # podman
      . /etc/os-release
      sudo sh -c "echo 'deb http://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_${VERSION_ID}/ /' > /etc/apt/sources.list.d/devel:kubic:libcontainers:stable.list"
      wget -nv https://download.opensuse.org/repositories/devel:kubic:libcontainers:stable/xUbuntu_${VERSION_ID}/Release.key -O- | sudo apt-key add -
      sudo apt update
      sudo apt -y install fuse-overlayfs podman slirp4netns crun
    fi
  - $CONTAINER info
  # Build a minimal image from DISTRO with the source tree copied into DIR.
  - DIR="/usr/src/ima-evm-utils"
  - printf "FROM $DISTRO\nRUN mkdir -p $DIR\nWORKDIR $DIR\nCOPY . $DIR\n" > Dockerfile
  - cat Dockerfile
  - $CONTAINER build $CONTAINER_ARGS -t ima-evm-utils .

script:
  # ci/<INSTALL>.sh is chosen from DISTRO with the registry prefix (REPO),
  # the tag after ':' and anything from the first '/' removed.
  - INSTALL="${DISTRO#${REPO}}"
  - INSTALL="${INSTALL%%:*}"
  - INSTALL="${INSTALL%%/*}"
  # Whole pipeline runs inside one /bin/sh -c string; the \" escapes keep
  # the matrix values intact inside it.  Same steps as the GitHub workflow:
  # variant installer, distro installer, optional OpenSSL, optional swtpm
  # (native builds only), then build.sh.
  - $CONTAINER run $CONTAINER_ARGS -t ima-evm-utils /bin/sh -c "if [ \"$VARIANT\" ]; then ARCH=\"$ARCH\" ./ci/$INSTALL.$VARIANT.sh; fi && ARCH=\"$ARCH\" CC=\"$CC\" TSS=\"$TSS\" ./ci/$INSTALL.sh && if [ \"$COMPILE_SSL\" ]; then COMPILE_SSL=\"$COMPILE_SSL\" VARIANT=\"$VARIANT\" ./tests/install-openssl3.sh; fi && if [ ! \"$VARIANT\" ]; then which tpm_server || which swtpm || if which tssstartup; then ./tests/install-swtpm.sh; fi; fi && CC=\"$CC\" VARIANT=\"$VARIANT\" COMPILE_SSL=\"$COMPILE_SSL\" ./build.sh"
ima-evm-utils-1.5/AUTHORS000066400000000000000000000001771440135744700151360ustar00rootroot00000000000000Dmitry Kasatkin CONTRIBUTORS: Vivek Goyal Mimi Zohar
ima-evm-utils-1.5/COPYING000066400000000000000000000432541440135744700151240ustar00rootroot00000000000000 GNU GENERAL PUBLIC LICENSE Version 2, June 1991 Copyright (C) 1989, 1991 Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.
Preamble The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Lesser General Public License instead.) You can apply it to your programs, too. When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things. To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it. For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights. We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software. Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. 
If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations. Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all. The precise terms and conditions for copying, distribution and modification follow. GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you". Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does. 1. 
You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program. You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee. 2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions: a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change. b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License. c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.) These requirements apply to the modified work as a whole. 
If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it. Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program. In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License. 3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following: a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, c) Accompany it with the information you received as to the offer to distribute corresponding source code. 
(This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.) The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable. If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code. 4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance. 5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. 
Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it. 6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License. 7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program. If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. 
Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. 8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License. 9. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation. 10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. 
Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. NO WARRANTY 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. END OF TERMS AND CONDITIONS How to Apply These Terms to Your New Programs If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms. To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found. 
Copyright (C) This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. Also add information on how to contact you by electronic and paper mail. If the program is interactive, make it output a short notice like this when it starts in an interactive mode: Gnomovision version 69, Copyright (C) year name of author Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details. The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, the commands you use may be called something other than `show w' and `show c'; they could even be mouse-clicks or menu items--whatever suits your program. You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the program, if necessary. Here is a sample; alter the names: Yoyodyne, Inc., hereby disclaims all copyright interest in the program `Gnomovision' (which makes passes at compilers) written by James Hacker. , 1 April 1989 Ty Coon, President of Vice This General Public License does not permit incorporating your program into proprietary programs. 
If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Lesser General Public License instead of this License. ima-evm-utils-1.5/INSTALL000066400000000000000000000376531440135744700151300ustar00rootroot00000000000000Installation Instructions ************************* Copyright (C) 1994-1996, 1999-2002, 2004-2013 Free Software Foundation, Inc. Copying and distribution of this file, with or without modification, are permitted in any medium without royalty provided the copyright notice and this notice are preserved. This file is offered as-is, without warranty of any kind. Prerequisites ============= This project has the following prerequisites: (Ubuntu package names) libkeyutils-dev libtasn1-dev libgmp-dev libnspr4-dev libnss3-dev These software TPMs are supported: https://sourceforge.net/projects/ibmswtpm2/ https://github.com/stefanberger/swtpm swtpm depends upon https://github.com/stefanberger/libtpms Supported TSSes include these. Both are included in some distros. IBM TSS https://sourceforge.net/projects/ibmtpm20tss/ Intel TSS Basic Installation ================== Briefly, the shell commands `autoreconf -i; ./configure; make; make install' should configure, build, and install this package. The following more-detailed instructions are generic; see the `README' file for instructions specific to this package. Some packages provide this `INSTALL' file but do not implement all of the features documented below. The lack of an optional feature in a given package is not necessarily a bug. More recommendations for GNU packages can be found in *note Makefile Conventions: (standards)Makefile Conventions. The `configure' shell script attempts to guess correct values for various system-dependent variables used during compilation. It uses those values to create a `Makefile' in each directory of the package. 
It may also create one or more `.h' files containing system-dependent definitions. Finally, it creates a shell script `config.status' that you can run in the future to recreate the current configuration, and a file `config.log' containing compiler output (useful mainly for debugging `configure'). It can also use an optional file (typically called `config.cache' and enabled with `--cache-file=config.cache' or simply `-C') that saves the results of its tests to speed up reconfiguring. Caching is disabled by default to prevent problems with accidental use of stale cache files. If you need to do unusual things to compile the package, please try to figure out how `configure' could check whether to do them, and mail diffs or instructions to the address given in the `README' so they can be considered for the next release. If you are using the cache, and at some point `config.cache' contains results you don't want to keep, you may remove or edit it. The file `configure.ac' (or `configure.in') is used to create `configure' by a program called `autoconf'. You need `configure.ac' if you want to change it or regenerate `configure' using a newer version of `autoconf'. The simplest way to compile this package is: 1. `cd' to the directory containing the package's source code and type `autoreconf -i' and then `./configure' to configure the package for your system. Running `configure' might take a while. While running, it prints some messages telling which features it is checking for. 2. Type `make' to compile the package. 3. Optionally, type `make check' to run any self-tests that come with the package, generally using the just-built uninstalled binaries. 4. Type `make install' to install the programs and any data files and documentation. When installing into a prefix owned by root, it is recommended that the package be configured and built as a regular user, and only the `make install' phase executed with root privileges. 5. 
Optionally, type `make installcheck' to repeat any self-tests, but this time using the binaries in their final installed location. This target does not install anything. Running this target as a regular user, particularly if the prior `make install' required root privileges, verifies that the installation completed correctly. 6. You can remove the program binaries and object files from the source code directory by typing `make clean'. To also remove the files that `configure' created (so you can compile the package for a different kind of computer), type `make distclean'. There is also a `make maintainer-clean' target, but that is intended mainly for the package's developers. If you use it, you may have to get all sorts of other programs in order to regenerate files that came with the distribution. 7. Often, you can also type `make uninstall' to remove the installed files again. In practice, not all packages have tested that uninstallation works correctly, even though it is required by the GNU Coding Standards. 8. Some packages, particularly those that use Automake, provide `make distcheck', which can be used by developers to test that all other targets like `make install' and `make uninstall' work correctly. This target is generally not run by end users. Compilers and Options ===================== Some systems require unusual options for compilation or linking that the `configure' script does not know about. Run `./configure --help' for details on some of the pertinent environment variables. You can give `configure' initial values for configuration parameters by setting variables in the command line or in the environment. Here is an example: ./configure CC=c99 CFLAGS=-g LIBS=-lposix *Note Defining Variables::, for more details. Compiling For Multiple Architectures ==================================== You can compile the package for more than one kind of computer at the same time, by placing the object files for each architecture in their own directory. 
To do this, you can use GNU `make'. `cd' to the directory where you want the object files and executables to go and run the `configure' script. `configure' automatically checks for the source code in the directory that `configure' is in and in `..'. This is known as a "VPATH" build. With a non-GNU `make', it is safer to compile the package for one architecture at a time in the source code directory. After you have installed the package for one architecture, use `make distclean' before reconfiguring for another architecture. On MacOS X 10.5 and later systems, you can create libraries and executables that work on multiple system types--known as "fat" or "universal" binaries--by specifying multiple `-arch' options to the compiler but only a single `-arch' option to the preprocessor. Like this: ./configure CC="gcc -arch i386 -arch x86_64 -arch ppc -arch ppc64" \ CXX="g++ -arch i386 -arch x86_64 -arch ppc -arch ppc64" \ CPP="gcc -E" CXXCPP="g++ -E" This is not guaranteed to produce working output in all cases, you may have to build one architecture at a time and combine the results using the `lipo' tool if you have problems. Installation Names ================== By default, `make install' installs the package's commands under `/usr/local/bin', include files under `/usr/local/include', etc. You can specify an installation prefix other than `/usr/local' by giving `configure' the option `--prefix=PREFIX', where PREFIX must be an absolute file name. You can specify separate installation prefixes for architecture-specific files and architecture-independent files. If you pass the option `--exec-prefix=PREFIX' to `configure', the package uses PREFIX as the prefix for installing programs and libraries. Documentation and other data files still use the regular prefix. In addition, if you use an unusual directory layout you can give options like `--bindir=DIR' to specify different values for particular kinds of files. 
Run `configure --help' for a list of the directories you can set and what kinds of files go in them. In general, the default for these options is expressed in terms of `${prefix}', so that specifying just `--prefix' will affect all of the other directory specifications that were not explicitly provided. The most portable way to affect installation locations is to pass the correct locations to `configure'; however, many packages provide one or both of the following shortcuts of passing variable assignments to the `make install' command line to change installation locations without having to reconfigure or recompile. The first method involves providing an override variable for each affected directory. For example, `make install prefix=/alternate/directory' will choose an alternate location for all directory configuration variables that were expressed in terms of `${prefix}'. Any directories that were specified during `configure', but not in terms of `${prefix}', must each be overridden at install time for the entire installation to be relocated. The approach of makefile variable overrides for each directory variable is required by the GNU Coding Standards, and ideally causes no recompilation. However, some platforms have known limitations with the semantics of shared libraries that end up requiring recompilation when using this method, particularly noticeable in packages that use GNU Libtool. The second method involves providing the `DESTDIR' variable. For example, `make install DESTDIR=/alternate/directory' will prepend `/alternate/directory' before all installation names. The approach of `DESTDIR' overrides is not required by the GNU Coding Standards, and does not work on platforms that have drive letters. On the other hand, it does better at avoiding recompilation issues, and works well even when some directory options were not specified in terms of `${prefix}' at `configure' time. 
Optional Features ================= If the package supports it, you can cause programs to be installed with an extra prefix or suffix on their names by giving `configure' the option `--program-prefix=PREFIX' or `--program-suffix=SUFFIX'. Some packages pay attention to `--enable-FEATURE' options to `configure', where FEATURE indicates an optional part of the package. They may also pay attention to `--with-PACKAGE' options, where PACKAGE is something like `gnu-as' or `x' (for the X Window System). The `README' should mention any `--enable-' and `--with-' options that the package recognizes. For packages that use the X Window System, `configure' can usually find the X include and library files automatically, but if it doesn't, you can use the `configure' options `--x-includes=DIR' and `--x-libraries=DIR' to specify their locations. Some packages offer the ability to configure how verbose the execution of `make' will be. For these packages, running `./configure --enable-silent-rules' sets the default to minimal output, which can be overridden with `make V=1'; while running `./configure --disable-silent-rules' sets the default to verbose, which can be overridden with `make V=0'. Particular systems ================== On HP-UX, the default C compiler is not ANSI C compatible. If GNU CC is not installed, it is recommended to use the following options in order to use an ANSI C compiler: ./configure CC="cc -Ae -D_XOPEN_SOURCE=500" and if that doesn't work, install pre-built binaries of GCC for HP-UX. HP-UX `make' updates targets which have the same time stamps as their prerequisites, which makes it generally unusable when shipped generated files such as `configure' are involved. Use GNU `make' instead. On OSF/1 a.k.a. Tru64, some versions of the default C compiler cannot parse its `' header file. The option `-nodtk' can be used as a workaround. 
If GNU CC is not installed, it is therefore recommended to try ./configure CC="cc" and if that doesn't work, try ./configure CC="cc -nodtk" On Solaris, don't put `/usr/ucb' early in your `PATH'. This directory contains several dysfunctional programs; working variants of these programs are available in `/usr/bin'. So, if you need `/usr/ucb' in your `PATH', put it _after_ `/usr/bin'. On Haiku, software installed for all users goes in `/boot/common', not `/usr/local'. It is recommended to use the following options: ./configure --prefix=/boot/common Specifying the System Type ========================== There may be some features `configure' cannot figure out automatically, but needs to determine by the type of machine the package will run on. Usually, assuming the package is built to be run on the _same_ architectures, `configure' can figure that out, but if it prints a message saying it cannot guess the machine type, give it the `--build=TYPE' option. TYPE can either be a short name for the system type, such as `sun4', or a canonical name which has the form: CPU-COMPANY-SYSTEM where SYSTEM can have one of these forms: OS KERNEL-OS See the file `config.sub' for the possible values of each field. If `config.sub' isn't included in this package, then this package doesn't need to know the machine type. If you are _building_ compiler tools for cross-compiling, you should use the option `--target=TYPE' to select the type of system they will produce code for. If you want to _use_ a cross compiler, that generates code for a platform different from the build platform, you should specify the "host" platform (i.e., that on which the generated programs will eventually be run) with `--host=TYPE'. Sharing Defaults ================ If you want to set default values for `configure' scripts to share, you can create a site shell script called `config.site' that gives default values for variables like `CC', `cache_file', and `prefix'. 
`configure' looks for `PREFIX/share/config.site' if it exists, then `PREFIX/etc/config.site' if it exists. Or, you can set the `CONFIG_SITE' environment variable to the location of the site script. A warning: not all `configure' scripts look for a site script. Defining Variables ================== Variables not defined in a site shell script can be set in the environment passed to `configure'. However, some packages may run configure again during the build, and the customized values of these variables may be lost. In order to avoid this problem, you should set them in the `configure' command line, using `VAR=value'. For example: ./configure CC=/usr/local2/bin/gcc causes the specified `gcc' to be used as the C compiler (unless it is overridden in the site shell script). Unfortunately, this technique does not work for `CONFIG_SHELL' due to an Autoconf limitation. Until the limitation is lifted, you can use this workaround: CONFIG_SHELL=/bin/bash ./configure CONFIG_SHELL=/bin/bash `configure' Invocation ====================== `configure' recognizes the following options to control how it operates. `--help' `-h' Print a summary of all of the options to `configure', and exit. `--help=short' `--help=recursive' Print a summary of the options unique to this package's `configure', and exit. The `short' variant lists options used only in the top level, while the `recursive' variant lists options also present in any nested packages. `--version' `-V' Print the version of Autoconf used to generate the `configure' script, and exit. `--cache-file=FILE' Enable the cache: use and save the results of the tests in FILE, traditionally `config.cache'. FILE defaults to `/dev/null' to disable caching. `--config-cache' `-C' Alias for `--cache-file=config.cache'. `--quiet' `--silent' `-q' Do not print messages saying which checks are being made. To suppress all normal output, redirect it to `/dev/null' (any error messages will still be shown). 
`--srcdir=DIR' Look for the package's source code in directory DIR. Usually `configure' can determine that directory automatically. `--prefix=DIR' Use DIR as the installation prefix. *note Installation Names:: for more details, including other options available for fine-tuning the installation locations. `--no-create' `-n' Run the configure checks, but stop before creating any output files. `configure' also accepts some other, not widely useful, options. Run `configure --help' for more details. ima-evm-utils-1.5/Makefile.am000066400000000000000000000016211440135744700161150ustar00rootroot00000000000000SUBDIRS = src tests if HAVE_PANDOC SUBDIRS += doc endif if MANPAGE_DOCBOOK_XSL dist_man_MANS = evmctl.1 endif doc_DATA = examples/ima-genkey-self.sh examples/ima-genkey.sh examples/ima-gen-local-ca.sh EXTRA_DIST = autogen.sh $(doc_DATA) CLEANFILES = *.html *.xsl ACLOCAL_AMFLAGS = -I m4 SRCS = $(HOME)/rpmbuild/SOURCES SPEC = $(PACKAGE_NAME).spec pkgname = $(PACKAGE_NAME)-$(PACKAGE_VERSION) tarname = $(pkgname).tar.gz $(tarname): git archive --format=tar --prefix=$(pkgname)/ v$(PACKAGE_VERSION) $(FILES) | gzip >$@ tar: $(tarname) rpm: $(tarname) cp $(tarname) $(SRCS)/ rpmbuild -ba --nodeps $(SPEC) if MANPAGE_DOCBOOK_XSL evmctl.1.html: README @asciidoc -o $@ $< evmctl.1: asciidoc -d manpage -b docbook -o evmctl.1.xsl README xsltproc --nonet -o $@ $(MANPAGE_DOCBOOK_XSL) evmctl.1.xsl rm -f evmctl.1.xsl rmman: rm -f evmctl.1 doc: evmctl.1.html rmman evmctl.1 endif .PHONY: $(tarname) ima-evm-utils-1.5/NEWS000066400000000000000000000214721440135744700145660ustar00rootroot000000000000002023-2-24 Mimi Zohar version 1.5: * CI changes: * New: UML kernel testing environment * Support for running specific test(s) * Update distros * Update software release versions * New features: * Signing fs-verity signatures * Reading TPM 2.0 PCRs via sysfs interface * New tests: * Missing IMA mmapped file measurements * Overlapping IMA policy rules * EVM portable signatures * fs-verity file 
measurements in the IMA measurement list * Build and library changes: * OpenSSL 3.0 version related changes * New configuration options: --disable-engine, --enable-sigv1 * Deprecate IMA signature v1 format * Misc bug fixes and code cleanup: * memory leaks, bounds checking, use after free * Fix and update test output * Add missing sanity checks * Documentation: * Store the sourceforge ima-evm-utils wiki for historical purposes. 2021-10-22 Mimi Zohar version 1.4: * Elliptic curve support and tests * PKCS11 support and tests * Ability to manually specify the keyid included in the IMA xattr * Improve IMA measurement list per TPM bank verification * Linking with IBM TSS * Set default hash algorithm in package configuration * (Minimal) support and test EVM portable signatures * CI testing: * Refresh and include new distros * Podman support * GitHub Actions * Limit "sudo" usage * Misc bug fixes and code cleanup * Fix static analysis bug reports, memory leaks * Remove experimental code that was never upstreamed in the kernel * Use unsigned variable, remove unused variables, etc 2020-10-28 Mimi Zohar version 1.3.2: * Bugfixes: importing keys * NEW: Docker based travis distro testing * Travis bugfixes, code cleanup, software version update, and script removal * Initial travis testing 2020-08-11 Mimi Zohar version 1.3.1: * "--pcrs" support for per crypto algorithm * Drop/rename "ima_measurement" options * Moved this summary from "Changelog" to "NEWS", removing requirement for GNU empty files * Distro build fixes 2020-07-21 Mimi Zohar version 1.3 new features: * NEW ima-evm-utils regression test infrastructure with two initial tests: - ima_hash.test: calculate/verify different crypto hash algorithms - sign_verify.test: EVM and IMA sign/verify signature tests * TPM 2.0 support - Calculate the new per TPM 2.0 bank template data digest - Support original padding the SHA1 template data digest - Compare ALL the re-calculated TPM 2.0 bank PCRs against the TPM 2.0 bank PCR values - 
Calculate the per TPM bank "boot_aggregate" values, including PCRs 8 & 9 in calculation - Support reading the per TPM 2.0 Bank PCRs using Intel's TSS - boot_aggregate.test: compare the calculated "boot_aggregate" values with the "boot_aggregate" value included in the IMA measurement. * TPM 1.2 support - Additionally support reading the TPM 1.2 PCRs from a supplied file ("--pcrs" option) * Based on original IMA LTP and standalone version support - Calculate the TPM 1.2 "boot_aggregate" based on the exported TPM 1.2 BIOS event log. - In addition to verifying the IMA measurement list against the TPM PCRs, verify the IMA template data digest against the template data. (Based on LTP "--verify" option.) - Ignore file measurement violations while verifying the IMA measurement list. (Based on LTP "--validate" option.) - Verify the file data signature included in the measurement list based on the file hash also included in the measurement list (--verify-sig) - Support original "ima" template (mixed templates not supported) * Support "sm3" crypto name Bug fixes and code cleanup: * Don't exit with -1 on failure, exit with 125 * On signature verification failure, include pathname. * Provide minimal hash_info.h file in case one doesn't exist, needed by the ima-evm-utils regression tests. * On systems with TPM 1.2, skip "boot_aggregate.test" using sample logs * Fix hash_algo type comparison mismatch * Simplify/clean up code * Address compiler complaints and failures * Fix memory allocations and leaks * Sanity check provided input files are regular files * Revert making "tsspcrread" a compile build time decision.
* Limit additional messages based on log level (-v) 2019-07-30 Mimi Zohar version 1.2.1 Bug fixes: * When verifying multiple file signatures, return correct status * Don't automatically use keys from x509 certs if user supplied "--rsa" * Fix verifying DIGSIG_VERSION_1 signatures * autoconf, openssl fixes 2019-07-24 Mimi Zohar version 1.2 new features: * Generate EVM signatures based on the specified hash algorithm * include "security.apparmor" in EVM signature * Add support for writing & verifying "user.xxxx" xattrs for testing * Support Streebog/Gost hash functions * Add OpenSSL engine support * Use of EVP_PKEY OpenSSL API to generate/verify v2 signatures * Support verifying multiple signatures at once * Support new template "buf" field and warn about other unknown fields * Improve OpenSSL error reporting * Support reading TPM 2.0 PCRs using tsspcrread Bug fixes and code cleanup: * Update manpage stylesheet detection * Fix xattr.h include file * On error when reading TPM PCRs, don't log garbage * Properly return keyid string to calc_keyid_v1/v2 callers, caused by limiting keyid output to verbose mode * Fix hash buffer overflow caused by EVM support for larger hashes, defined MAX_DIGEST_SIZE and MAX_SIGNATURE_SIZE, and added "asserts".
* Linked with libcrypto instead of OpenSSL * Updated Autotools, replacing INCLUDES with AM_CPPFLAGS * Include new "hash-info.gen" in tar * Log the hash algorithm, not just the hash value * Fixed memory leaks in: EV_MD_CTX, init_public_keys * Fixed other warnings/bugs discovered by clang, coverity * Remove indirect calls in verify_hash() to improve code readability * Don't fall back to using sha1 * Namespace some too generic object names * Make functions/arrays static if possible 2018-01-28 Mimi Zohar version 1.1 * Support the new openssl 1.1 api * Support for validating multiple pcrs * Verify the measurement list signature based on the list digest * Verify the "ima-sig" measurement list using multiple keys * Fixed parsing the measurement template data field length * Portable & immutable EVM signatures (new format) * Multiple fixes that have been lingering in the next branch. Some are for experimental features that are not yet supported in the kernel. 2014-07-30 Dmitry Kasatkin version 1.0 * Recursive hashing * Immutable EVM signatures (experimental) * Command 'ima_clear' to remove xattrs * Support for passing password to the library * Support for asking password safely from the user 2014-09-23 Dmitry Kasatkin version 0.9 * Updated README * man page generated and added to the package * Use additional SMACK xattrs for EVM signature generation * Signing functions moved to libimaevm for external use (RPM) * Fixed setting of correct hash header 2014-05-05 Dmitry Kasatkin version 0.8 * Symbolic names for keyrings * Hash list signing * License text fix for using OpenSSL * Help output fix 2014-02-17 Dmitry Kasatkin version 0.7 * Fix symbolic links related bugs * Provide recursive fixing * Provide recursive signing * Move IMA verification to the library (first for LTP use) * Support for target architecture data size * Remove obsolete module signing code * Code cleanup 2013-08-28 Dmitry Kasatkin version 0.6 * support for asymmetric crypto keys and new signature format (v2) *
fixes to set correct hash algo for digital signature v1 * uuid support for EVM * signature verification support * test scripts removed * README updates 2012-05-18 Dmitry Kasatkin version 0.3 * llistxattr returns 0 if there are no xattrs and it is valid * Added entry type to directory hash calculation * inline block variable renamed * Remove forced tag creation * Use libexec for programs and scripts * Some files updated * Do not search for algorithm as it is known * Refactored to remove redundant hash initialization code * Added hash calculation for special files 2012-04-05 Dmitry Kasatkin version 0.2 * added RPM & TAR building makefile rules * renamed evm-utils to ima-evm-utils * added command options description * updated error handling * refactored redundant code 2012-04-02 Dmitry Kasatkin version 0.1.0 * Fully functional version for latest 3.x kernels 2011-08-24 Dmitry Kasatkin version 0.1 * Initial public version. ima-evm-utils-1.5/README000066400000000000000000000360221440135744700147440ustar00rootroot00000000000000EVMCTL(1) ========= NAME ---- evmctl - IMA/EVM signing utility SYNOPSIS -------- evmctl [options] [OPTIONS] DESCRIPTION ----------- The evmctl utility can be used for producing and verifying digital signatures, which are used by Linux kernel integrity subsystem (IMA/EVM). It can be also used to import keys into the kernel keyring. COMMANDS -------- --version help import [--rsa (deprecated)] pubkey keyring sign [-r] [--imahash | --imasig ] [--key key] [--pass[=] file verify file ima_sign [--sigfile] [--key key] [--pass[=]] file ima_verify file ima_setxattr [--sigfile file] ima_hash file ima_measurement [--ignore-violations] [--verify-sig [--key "key1, key2, ..."]] [--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...] 
[--verify-bank hash-algorithm] file ima_boot_aggregate [--pcrs hash-algorithm,file] [TPM 1.2 BIOS event log] [--hwtpm] ima_fix [-t fdsxm] path ima_clear [-t fdsxm] path sign_hash [--veritysig] [--key key] [--pass=] hmac [--imahash | --imasig ] file OPTIONS ------- -a, --hashalgo sha1, sha224, sha256, sha384, sha512, streebog256, streebog512 (default: sha256) -s, --imasig make IMA signature --veritysig sign an fs-verity file digest hash -d, --imahash make IMA hash -f, --sigfile store IMA signature in .sig file instead of xattr --xattr-user store xattrs in user namespace (for testing purposes) --rsa use RSA key type and signing scheme v1 (deprecated) -k, --key path to signing key (default: /etc/keys/{privkey,pubkey}_evm.pem) or a pkcs11 URI --keyid n overwrite signature keyid with a 32-bit value in hex (for signing) --keyid-from-cert file read keyid value from SKID of a x509 cert file -o, --portable generate portable EVM signatures -p, --pass password for encrypted signing key -r, --recursive recurse into directories (sign) -t, --type file types to fix 'fxm' (f: file) x - skip fixing if both ima and evm xattrs exist (use with caution) m - stay on the same filesystem (like 'find -xdev') -n print result to stdout instead of setting xattr -u, --uuid use custom FS UUID for EVM (unspecified: from FS, empty: do not use) --smack use extra SMACK xattrs for EVM --m32 force EVM hmac/signature for 32 bit target system --m64 force EVM hmac/signature for 64 bit target system --engine e preload OpenSSL engine e (such as: gost) is deprecated --ino use custom inode for EVM --uid use custom UID for EVM --gid use custom GID for EVM --mode use custom Mode for EVM --generation use custom Generation for EVM(unspecified: from FS, empty: use 0) --ima use custom IMA signature for EVM --selinux use custom Selinux label for EVM --caps use custom Capabilities for EVM(unspecified: from FS, empty: do not use) --pcrs file containing TPM pcrs, one per hash-algorithm/bank --ignore-violations ignore 
ToMToU measurement violations --verify-sig verify the file signature based on the file hash, both stored in the template data. -v increase verbosity level -h, --help display this help and exit Environment variables: EVMCTL_KEY_PASSWORD : Private key password to use; do not use --pass option INTRODUCTION ------------ The Linux kernel integrity subsystem is comprised of a number of different components including the Integrity Measurement Architecture (IMA), Extended Verification Module (EVM), IMA-appraisal extension, digital signature verification extension and audit measurement log support. The evmctl utility is used for producing and verifying digital signatures, which are used by the Linux kernel integrity subsystem. It is also used for importing keys into the kernel keyring. The Linux integrity subsystem allows the use of IMA and EVM signatures. An EVM signature protects file metadata, such as file attributes and extended attributes. An IMA signature protects file content. For more detailed information about the integrity subsystem, see the resources in the RESOURCES section. EVM HMAC and signature metadata ------------------------------- EVM protects file metadata by including the following attributes in the HMAC and signature calculation: inode number, inode generation, UID, GID, file mode, security.selinux, security.SMACK64, security.ima, security.capability. The EVM HMAC and signature may also include additional file and file system attributes. Currently supported additional attributes are the filesystem UUID and extra SMACK extended attributes. Kernel configuration option CONFIG_EVM_ATTR_FSUUID controls whether to include the filesystem UUID in the HMAC and is enabled by default. Therefore evmctl also includes the fsuuid by default. Providing the '--uuid' option without a parameter disables use of the fs uuid. Providing the '--uuid=UUID' option with a parameter allows a custom UUID to be used.
Providing the '--portable' option will disable usage of the fs uuid and also the inode number and generation. Kernel configuration option CONFIG_EVM_EXTRA_SMACK_XATTRS controls whether to include additional SMACK extended attributes in the HMAC. They are the following: security.SMACK64EXEC, security.SMACK64TRANSMUTE and security.SMACK64MMAP. The evmctl '--smack' option enables that. Key and signature formats ------------------------- The Linux integrity subsystem supports two types of signatures and, respectively, two key formats. The first key format (v1) is a pure RSA key encoded in PEM format and uses its own signature format. It is now a non-default format and requires the evmctl '--rsa' option for signing and importing the key. The second key format uses X509 DER encoded public key certificates and uses asymmetric key support in the kernel (since kernel 3.9). CONFIG_INTEGRITY_ASYMMETRIC_KEYS must be enabled (default). For v2 signatures the x509 certificate (containing the public key) can be appended to the private key (both are in PEM format) to automatically extract the keyid from its Subject Key Identifier (SKID). Integrity keyrings ------------------ The integrity subsystem uses dedicated IMA/EVM keyrings to search for signature verification keys - '_ima' and '_evm' respectively. Since 3.13 IMA allows the IMA keyring to be declared as trusted. It then only allows loading keys signed by a key from the system keyring (.system), which means self-signed keys are not allowed. This is the default behavior unless CONFIG_IMA_TRUSTED_KEYRING is undefined. The IMA trusted keyring has a different name, '.ima'. The trusted keyring requires X509 public key certificates. Old-style RSA public keys are not compatible with the trusted keyring.
Generate EVM encrypted keys --------------------------- The EVM encrypted key is used for the EVM HMAC calculation: # create and save the kernel master key (user type) # LMK is used to encrypt encrypted keys keyctl add user kmk "`dd if=/dev/urandom bs=1 count=32 2>/dev/null`" @u keyctl pipe `keyctl search @u user kmk` > /etc/keys/kmk # create the EVM encrypted key keyctl add encrypted evm-key "new user:kmk 64" @u keyctl pipe `keyctl search @u encrypted evm-key` >/etc/keys/evm-key Generate EVM trusted keys (TPM based) ------------------------------------- Trusted EVM keys are keys which are generated with the help of a TPM. They are not related to integrity trusted keys. # create and save the kernel master key (user type) keyctl add trusted kmk "new 32" @u keyctl pipe `keyctl search @u trusted kmk` >kmk # create the EVM trusted key keyctl add encrypted evm-key "new trusted:kmk 32" @u keyctl pipe `keyctl search @u encrypted evm-key` >evm-key Generate signing and verification keys -------------------------------------- The examples below use 1024-bit RSA keys and SHA-1 for illustration; for keys used in production, larger RSA keys (2048 bits or more) and a SHA-2 digest such as sha256 are recommended. Generate a private key in plain text format: openssl genrsa -out privkey_evm.pem 1024 Generate an encrypted private key: openssl genrsa -des3 -out privkey_evm.pem 1024 Make an encrypted private key from an unencrypted one: openssl rsa -in /etc/keys/privkey_evm.pem -out privkey_evm_enc.pem -des3 Generate a self-signed X509 public key certificate and private key for using kernel asymmetric keys support: openssl req -new -nodes -utf8 -sha1 -days 36500 -batch \ -x509 -config x509_evm.genkey \ -outform DER -out x509_evm.der -keyout privkey_evm.pem Configuration file x509_evm.genkey: # Beginning of the file [ req ] default_bits = 1024 distinguished_name = req_distinguished_name prompt = no string_mask = utf8only x509_extensions = myexts [ req_distinguished_name ] O = Magrathea CN = Glacier signing key emailAddress = slartibartfast@magrathea.h2g2 [ myexts ] basicConstraints=critical,CA:FALSE keyUsage=digitalSignature subjectKeyIdentifier=hash authorityKeyIdentifier=keyid # EOF
Generate public key for using RSA key format: openssl rsa -pubout -in privkey_evm.pem -out pubkey_evm.pem Copy keys to /etc/keys: cp pubkey_evm.pem /etc/keys scp pubkey_evm.pem target:/etc/keys or cp x509_evm.pem /etc/keys scp x509_evm.pem target:/etc/keys Generate trusted keys --------------------- Generation of trusted keys is a bit more complicated process and involves following steps: * Creation of local IMA certification authority (CA). It consist of private and public key certificate which are used to sign and verify other keys. * Build Linux kernel with embedded local IMA CA X509 certificate. It is used to verify other keys added to the '.ima' trusted keyring * Generate IMA private signing key and verification public key certificate, which is signed using local IMA CA private key. Configuration file ima-local-ca.genkey: # Beginning of the file [ req ] default_bits = 2048 distinguished_name = req_distinguished_name prompt = no string_mask = utf8only x509_extensions = v3_ca [ req_distinguished_name ] O = IMA-CA CN = IMA/EVM certificate signing key emailAddress = ca@ima-ca [ v3_ca ] basicConstraints=CA:TRUE subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always,issuer # keyUsage = cRLSign, keyCertSign # EOF Generate private key and X509 public key certificate: openssl req -new -x509 -utf8 -sha1 -days 3650 -batch -config $GENKEY \ -outform DER -out ima-local-ca.x509 -keyout ima-local-ca.priv Produce X509 in DER format for using while building the kernel: openssl x509 -inform DER -in ima-local-ca.x509 -out ima-local-ca.pem Configuration file ima.genkey: # Beginning of the file [ req ] default_bits = 1024 distinguished_name = req_distinguished_name prompt = no string_mask = utf8only x509_extensions = v3_usr [ req_distinguished_name ] O = `hostname` CN = `whoami` signing key emailAddress = `whoami`@`hostname` [ v3_usr ] basicConstraints=critical,CA:FALSE #basicConstraints=CA:FALSE keyUsage=digitalSignature #keyUsage = nonRepudiation, digitalSignature, 
keyEncipherment subjectKeyIdentifier=hash authorityKeyIdentifier=keyid #authorityKeyIdentifier=keyid,issuer # EOF Generate a private key and an X509 public key certificate signing request: openssl req -new -nodes -utf8 -sha1 -days 365 -batch -config $GENKEY \ -out csr_ima.pem -keyout privkey_ima.pem Sign the X509 public key certificate signing request with the local IMA CA private key: openssl x509 -req -in csr_ima.pem -days 365 -extfile $GENKEY -extensions v3_usr \ -CA ima-local-ca.pem -CAkey ima-local-ca.priv -CAcreateserial \ -outform DER -out x509_ima.der Sign file data and metadata --------------------------- Default key locations: Private RSA key: /etc/keys/privkey_evm.pem Public RSA key: /etc/keys/pubkey_evm.pem X509 certificate: /etc/keys/x509_evm.der Options to remember: '-k', '-r', '--rsa', '--uuid', '--smack'. Sign a file with an EVM signature and calculate the hash value for IMA: evmctl sign --imahash test.txt Sign a file with both IMA and EVM signatures: evmctl sign --imasig test.txt Sign a file with an IMA signature: evmctl ima_sign test.txt Sign the whole filesystem recursively: evmctl -r sign --imahash / Fix the whole filesystem recursively: evmctl -r ima_fix / Sign the filesystem selectively using the 'find' command: find / \( -fstype rootfs -o -fstype ext4 \) -exec evmctl sign --imahash '{}' \; Fix the filesystem selectively using the 'find' command: find / \( -fstype rootfs -o -fstype ext4 \) -exec sh -c "< '{}'" \; Initialize IMA/EVM at early boot -------------------------------- IMA/EVM initialization should normally be done from the initial RAM file system before mounting the root filesystem.
Here is an Ubuntu initramfs example script (/etc/initramfs-tools/scripts/local-top/ima.sh) # mount securityfs if not mounted SECFS=/sys/kernel/security grep -q $SECFS /proc/mounts || mount -n -t securityfs securityfs $SECFS # search for IMA trusted keyring, then for untrusted ima_id="`awk '/\.ima/ { printf "%d", "0x"$1; }' /proc/keys`" if [ -z "$ima_id" ]; then ima_id=`keyctl search @u keyring _ima 2>/dev/null` if [ -z "$ima_id" ]; then ima_id=`keyctl newring _ima @u` fi fi # import IMA X509 certificate evmctl import /etc/keys/x509_ima.der $ima_id # search for EVM keyring evm_id=`keyctl search @u keyring _evm 2>/dev/null` if [ -z "$evm_id" ]; then evm_id=`keyctl newring _evm @u` fi # import EVM X509 certificate evmctl import /etc/keys/x509_evm.der $evm_id # a) import EVM encrypted key cat /etc/keys/kmk | keyctl padd user kmk @u keyctl add encrypted evm-key "load `cat /etc/keys/evm-key`" @u # OR # b) import EVM trusted key keyctl add trusted kmk "load `cat /etc/keys/kmk`" @u keyctl add encrypted evm-key "load `cat /etc/keys/evm-key`" @u # enable EVM echo "1" > /sys/kernel/security/evm Optionally, it is also possible to forbid adding and removing public keys and certificates in the keyrings, and revoking keys, using the 'keyctl setperm' command: # protect EVM keyring keyctl setperm $evm_id 0x0b0b0000 # protect IMA keyring keyctl setperm $ima_id 0x0b0b0000 # protecting IMA key from revoking (against DoS) ima_key=`evmctl import /etc/keys/x509_ima.der $ima_id` keyctl setperm $ima_key 0x0b0b0000 When using plain RSA public keys in PEM format, use 'evmctl import --rsa' for importing keys: evmctl import --rsa /etc/keys/pubkey_evm.pem $evm_id Recent versions of keyctl allow importing X509 public key certificates: cat /etc/keys/x509_ima.der | keyctl padd asymmetric '' $ima_id FILES ----- Examples of scripts to generate X509 public key certificates: /usr/share/doc/ima-evm-utils/ima-genkey-self.sh /usr/share/doc/ima-evm-utils/ima-genkey.sh
/usr/share/doc/ima-evm-utils/ima-gen-local-ca.sh AUTHOR ------ Written by Dmitry Kasatkin, and others. RESOURCES --------- http://sourceforge.net/p/linux-ima/wiki/Home http://sourceforge.net/p/linux-ima/ima-evm-utils COPYING ------- Copyright \(C) 2012 - 2014 Linux Integrity Project. Free use of this software is granted under the terms of the GNU Public License (GPL). ima-evm-utils-1.5/acinclude.m4000066400000000000000000000006221440135744700162520ustar00rootroot00000000000000 AC_DEFUN([PKG_ARG_ENABLE], [ AC_MSG_CHECKING(whether to enable $1) AC_ARG_ENABLE([$1], AS_HELP_STRING([--enable-$1], [enable $1 (default is $2)]), [pkg_cv_enable_$1=$enableval], [AC_CACHE_VAL([pkg_cv_enable_$1], [pkg_cv_enable_$1=$2])]) if test $pkg_cv_enable_$1 = yes; then AC_DEFINE([$3],, [$4]) fi AC_MSG_RESULT([$pkg_cv_enable_$1]) AM_CONDITIONAL($3, test $pkg_cv_enable_$1 = yes) ]) ima-evm-utils-1.5/autogen.sh000077500000000000000000000000411440135744700160550ustar00rootroot00000000000000#! /bin/sh set -e autoreconf -i ima-evm-utils-1.5/build-static.sh000077500000000000000000000001611440135744700170020ustar00rootroot00000000000000#!/bin/sh gcc -static -o evmctl.static -include config.h src/evmctl.c src/libimaevm.c -lcrypto -lkeyutils -ldl ima-evm-utils-1.5/build.sh000077500000000000000000000046001440135744700155170ustar00rootroot00000000000000#!/bin/sh # Copyright (c) 2020 Petr Vorel if [ -n "$CI" ]; then # If we under CI only thing we can analyze is logs so better to enable # verbosity to a maximum. set -x # This is to make stdout and stderr synchronous in the logs. 
exec 2>&1 mount -t securityfs -o rw securityfs /sys/kernel/security fi set -e CC="${CC:-gcc}" CFLAGS="${CFLAGS:--Wformat -Werror=format-security -Werror=implicit-function-declaration -Werror=return-type -fno-common}" PREFIX="${PREFIX:-$HOME/ima-evm-utils-install}" export LD_LIBRARY_PATH="$PREFIX/lib64:$PREFIX/lib:/usr/local/lib64:/usr/local/lib" export PATH="$PREFIX/bin:/usr/local/bin:$PATH" title() { echo "===== $1 =====" } log_exit() { local ret="${3:-$?}" local log="$1" local msg="$2" local prefix echo "=== $log ===" [ $ret -eq 0 ] || prefix="FAIL: " cat $log echo echo "$prefix$msg, see output of $log above" exit $ret } cd `dirname $0` if [ "$COMPILE_SSL" ]; then echo "COMPILE_SSL: $COMPILE_SSL" export CFLAGS="-I/opt/openssl3/include $CFLAGS" export LD_LIBRARY_PATH="/opt/openssl3/lib64:/opt/openssl3/lib:$HOME/src/ima-evm-utils/src/.libs:$LD_LIBRARY_PATH" export LDFLAGS="-L/opt/openssl3/lib64 -L/opt/openssl3/lib $LDFLAGS" export PATH="/opt/openssl3/bin:$HOME/src/ima-evm-utils/src/.libs:$PATH" fi case "$VARIANT" in i386) echo "32-bit compilation" export CFLAGS="-m32 $CFLAGS" LDFLAGS="-m32 $LDFLAGS" export PKG_CONFIG_LIBDIR=/usr/lib/i386-linux-gnu/pkgconfig ;; cross-compile) host="${CC%-gcc}" export CROSS_COMPILE="${host}-" host="--host=$host" echo "cross compilation: $host" echo "CROSS_COMPILE: '$CROSS_COMPILE'" ;; *) if [ "$VARIANT" ]; then echo "Wrong VARIANT: '$VARIANT'" >&2 exit 1 fi echo "native build" ;; esac title "compiler version" $CC --version echo "CFLAGS: '$CFLAGS'" echo "LDFLAGS: '$LDFLAGS'" echo "PREFIX: '$PREFIX'" title "configure" ./autogen.sh ./configure --prefix=$PREFIX $host || log_exit config.log "configure failed" title "make" make -j$(nproc) make install title "test" if [ "$VARIANT" = "cross-compile" ]; then echo "skip make check on cross compilation" exit 0 fi ret=0 VERBOSE=1 make check || ret=$? title "logs" if [ $ret -eq 0 ]; then cd tests; make check_logs; cd .. 
exit 0 fi cat tests/test-suite.log if [ $ret -eq 77 ]; then msg="WARN: some tests skipped" ret=0 else msg="FAIL: tests exited: $ret" fi log_exit tests/test-suite.log "$msg" $ret ima-evm-utils-1.5/ci/000077500000000000000000000000001440135744700144545ustar00rootroot00000000000000ima-evm-utils-1.5/ci/alpine.sh000077500000000000000000000014411440135744700162630ustar00rootroot00000000000000#!/bin/sh # Copyright (c) 2020 Petr Vorel set -ex if [ -z "$CC" ]; then echo "missing \$CC!" >&2 exit 1 fi case "$TSS" in ibmtss) echo "No IBM TSS package, will be installed from git" >&2; TSS=;; tpm2-tss) TSS="tpm2-tss-dev";; '') echo "Missing TSS!" >&2; exit 1;; *) echo "Unsupported TSS: '$TSS'!" >&2; exit 1;; esac # ibmswtpm2 requires gcc [ "$CC" = "gcc" ] || CC="gcc $CC" apk update apk add \ $CC $TSS \ asciidoc \ attr \ attr-dev \ autoconf \ automake \ bash \ diffutils \ docbook-xml \ docbook-xsl \ e2fsprogs-extra \ keyutils-dev \ libtool \ libxslt \ linux-headers \ make \ musl-dev \ openssl \ openssl-dev \ pkgconfig \ procps \ sudo \ util-linux \ wget \ which \ xxd \ gawk if [ ! "$TSS" ]; then apk add git ../tests/install-tss.sh fi ima-evm-utils-1.5/ci/alt.sh000077500000000000000000000007751440135744700156040ustar00rootroot00000000000000#!/bin/sh -ex # SPDX-License-Identifier: GPL-2.0-only # # Install build env for ALT Linux apt-get update -y # rpm-build brings basic build environment with gcc, make, autotools, etc. 
apt-get install -y \ $CC \ $TSS \ asciidoc \ attr \ e2fsprogs \ fsverity-utils-devel \ gnutls-utils \ libattr-devel \ libkeyutils-devel \ libp11 \ libssl-devel \ openssl \ openssl-gost-engine \ rpm-build \ softhsm \ util-linux \ wget \ xsltproc \ xxd \ && control openssl-gost enabled ima-evm-utils-1.5/ci/centos.sh000077700000000000000000000000001440135744700200722fedora.shustar00rootroot00000000000000ima-evm-utils-1.5/ci/debian.cross-compile.sh000077500000000000000000000006721440135744700210200ustar00rootroot00000000000000#!/bin/sh # Copyright (c) 2020 Petr Vorel set -ex if [ -z "$ARCH" ]; then echo "missing \$ARCH!" >&2 exit 1 fi case "$ARCH" in arm64) gcc_arch="aarch64";; ppc64el) gcc_arch="powerpc64le";; s390x) gcc_arch="$ARCH";; *) echo "unsupported arch: '$ARCH'!" >&2; exit 1;; esac dpkg --add-architecture $ARCH apt update apt install -y --no-install-recommends \ dpkg-dev \ gcc-${gcc_arch}-linux-gnu \ libc6-dev-${ARCH}-cross ima-evm-utils-1.5/ci/debian.i386.sh000077500000000000000000000003161440135744700167250ustar00rootroot00000000000000#!/bin/sh # Copyright (c) 2020 Petr Vorel set -ex dpkg --add-architecture i386 apt update apt install -y --no-install-recommends \ linux-libc-dev:i386 \ gcc-multilib \ pkg-config:i386 ima-evm-utils-1.5/ci/debian.sh000077500000000000000000000020571440135744700162410ustar00rootroot00000000000000#!/bin/sh # Copyright (c) 2020 Petr Vorel set -ex # workaround for Ubuntu impish asking to interactively configure tzdata export DEBIAN_FRONTEND="noninteractive" if [ -z "$CC" ]; then echo "missing \$CC!" >&2 exit 1 fi # debian.*.sh must be run first if [ "$ARCH" ]; then ARCH=":$ARCH" unset CC else apt update fi # ibmswtpm2 requires gcc [ "$CC" = "gcc" ] || CC="gcc $CC" case "$TSS" in ibmtss) TSS="libtss-dev";; tpm2-tss) TSS="libtss2-dev";; '') echo "Missing TSS!" >&2; exit 1;; *) [ "$TSS" ] && echo "Unsupported TSS: '$TSS'!" 
>&2; exit 1;; esac apt="apt install -y --no-install-recommends" $apt \ $CC $TSS \ asciidoc \ attr \ autoconf \ automake \ diffutils \ debianutils \ docbook-xml \ docbook-xsl \ e2fsprogs \ gzip \ libattr1-dev$ARCH \ libkeyutils-dev$ARCH \ libssl-dev$ARCH \ libtool \ make \ openssl \ pkg-config \ procps \ sudo \ util-linux \ wget \ xsltproc \ gawk $apt xxd || $apt vim-common $apt libengine-gost-openssl1.1$ARCH || true $apt softhsm gnutls-bin libengine-pkcs11-openssl1.1$ARCH || true ima-evm-utils-1.5/ci/fedora.sh000077500000000000000000000021451440135744700162550ustar00rootroot00000000000000#!/bin/sh # Copyright (c) 2020 Petr Vorel set -e if [ -z "$CC" ]; then echo "missing \$CC!" >&2 exit 1 fi case "$TSS" in ibmtss) TSS="tss2-devel";; tpm2-tss) TSS="tpm2-tss-devel";; '') echo "Missing TSS!" >&2; exit 1;; *) echo "Unsupported TSS: '$TSS'!" >&2; exit 1;; esac # ibmswtpm2 requires gcc [ "$CC" = "gcc" ] || CC="gcc $CC" yum -y install \ $CC $TSS \ asciidoc \ attr \ autoconf \ automake \ diffutils \ docbook-xsl \ e2fsprogs \ git-core \ gnutls-utils \ gzip \ keyutils-libs-devel \ kmod \ libattr-devel \ libtool \ libxslt \ make \ openssl \ openssl-devel \ openssl-pkcs11 \ pkg-config \ procps \ sudo \ util-linux \ vim-common \ wget \ which \ zstd \ systemd \ keyutils \ e2fsprogs \ acl \ libcap yum -y install docbook5-style-xsl || true yum -y install swtpm || true # SoftHSM is available via EPEL on CentOS if [ -f /etc/centos-release ]; then yum -y install epel-release fi yum -y install softhsm || true # haveged is available via EPEL on CentOS stream8. yum -y install haveged || true ./tests/install-fsverity.sh ./tests/install-mount-idmapped.sh ima-evm-utils-1.5/ci/opensuse.sh000077700000000000000000000000001440135744700213352tumbleweed.shustar00rootroot00000000000000ima-evm-utils-1.5/ci/tumbleweed.sh000077500000000000000000000017511440135744700171540ustar00rootroot00000000000000#!/bin/sh # Copyright (c) 2020 Petr Vorel set -ex if [ -z "$CC" ]; then echo "missing \$CC!" 
>&2 exit 1 fi case "$TSS" in ibmtss) TSS="ibmtss-devel";; tpm2-tss) TSS="tpm2-0-tss-devel";; '') echo "Missing TSS!" >&2; exit 1;; *) echo "Unsupported TSS: '$TSS'!" >&2; exit 1;; esac # clang has some gcc dependency [ "$CC" = "gcc" ] || CC="gcc $CC" zypper --non-interactive install --force-resolution --no-recommends \ $CC $TSS \ asciidoc \ attr \ autoconf \ automake \ diffutils \ docbook_5 \ docbook5-xsl-stylesheets \ e2fsprogs \ gzip \ ibmswtpm2 \ keyutils-devel \ libattr-devel \ libopenssl-devel \ libtool \ make \ openssl \ pkg-config \ procps \ sudo \ util-linux \ vim \ wget \ which \ xsltproc \ gawk zypper --non-interactive install --force-resolution --no-recommends \ gnutls openssl-engine-libp11 softhsm || true if [ -f /usr/lib/ibmtss/tpm_server -a ! -e /usr/local/bin/tpm_server ]; then ln -s /usr/lib/ibmtss/tpm_server /usr/local/bin fi ima-evm-utils-1.5/ci/ubuntu.sh000077700000000000000000000000001440135744700201032debian.shustar00rootroot00000000000000ima-evm-utils-1.5/configure.ac000066400000000000000000000067131440135744700163560ustar00rootroot00000000000000# autoconf script AC_PREREQ([2.65]) AC_INIT(ima-evm-utils, 1.5, zohar@linux.ibm.com) AM_INIT_AUTOMAKE([foreign]) AC_CONFIG_HEADERS([config.h]) AC_CONFIG_MACRO_DIR([m4]) AC_CANONICAL_HOST AC_USE_SYSTEM_EXTENSIONS # Checks for programs. 
AC_PROG_CC AM_PROG_CC_C_O #AC_PROG_CXX #AC_PROG_CPP AC_PROG_INSTALL #AC_PROG_LN_S AC_CHECK_PROG(have_pandoc, [pandoc], [yes], [no]) AM_CONDITIONAL([HAVE_PANDOC], [test "x$have_pandoc" = "xyes"]) LT_INIT # FIXME: Replace `main' with a function in `-lpthread': #AC_CHECK_LIB([pthread], [main]) PKG_CHECK_MODULES(LIBCRYPTO, [libcrypto >= 0.9.8 ]) AC_SUBST(KERNEL_HEADERS) AC_CHECK_HEADER(unistd.h) AC_CHECK_HEADERS(openssl/conf.h) # Intel TSS AC_CHECK_LIB([tss2-esys], [Esys_Free]) AC_CHECK_LIB([tss2-rc], [Tss2_RC_Decode]) AM_CONDITIONAL([USE_PCRTSS], [test "x$ac_cv_lib_tss2_esys_Esys_Free" = "xyes"]) # IBM TSS include files AC_CHECK_HEADER(ibmtss/tss.h, [], [], [[#define TPM_POSIX]]) AM_CONDITIONAL([USE_IBMTSS], [test "x$ac_cv_header_ibmtss_tss_h" = "xyes"]) AC_CHECK_HEADERS(sys/xattr.h, , [AC_MSG_ERROR([sys/xattr.h header not found. You need the c-library development package.])]) AC_CHECK_HEADERS(keyutils.h, , [AC_MSG_ERROR([keyutils.h header not found. You need the libkeyutils development package.])]) AC_ARG_WITH(kernel_headers, [AS_HELP_STRING([--with-kernel-headers=PATH], [specifies the Linux kernel-headers package location or kernel root directory you want to use])], [KERNEL_HEADERS="$withval"], [KERNEL_HEADERS=/lib/modules/$(uname -r)/source]) AC_ARG_ENABLE([openssl_conf], [AS_HELP_STRING([--disable-openssl-conf], [disable loading of openssl config by evmctl])], [if test "$enable_openssl_conf" = "no"; then AC_DEFINE(DISABLE_OPENSSL_CONF, 1, [Define to disable loading of openssl config by evmctl.]) fi], [enable_openssl_conf=yes]) AC_ARG_ENABLE(sigv1, AS_HELP_STRING([--enable-sigv1], [Build ima-evm-utils with signature v1 support])) AM_CONDITIONAL([CONFIG_SIGV1], [test "x$enable_sigv1" = "xyes"]) AS_IF([test "$enable_sigv1" != "yes"], [enable_sigv1="no"]) AC_ARG_ENABLE(engine, [AS_HELP_STRING([--disable-engine], [build ima-evm-utils without OpenSSL engine support])],,[enable_engine=yes]) AC_CHECK_LIB([crypto], [ENGINE_init],, [enable_engine=no]) 
AM_CONDITIONAL([CONFIG_IMA_EVM_ENGINE], [test "x$enable_engine" = "xyes"]) #debug support - yes for a while PKG_ARG_ENABLE(debug, "yes", DEBUG, [Enable Debug support]) if test $pkg_cv_enable_debug = yes; then CFLAGS="$CFLAGS -g -O1 -Wall -Wstrict-prototypes -pipe" else CFLAGS="$CFLAGS -Wall -Wstrict-prototypes -pipe -fomit-frame-pointer" fi EVMCTL_MANPAGE_DOCBOOK_XSL AX_DEFAULT_HASH_ALGO([$KERNEL_HEADERS]) # for gcov #CFLAGS="$CFLAGS -Wall -fprofile-arcs -ftest-coverage" #CXXFLAGS="$CXXFLAGS -Wall -fprofile-arcs -ftest-coverage" #LDFLAGS="$LDFLAGS -fprofile-arcs" #DISTCLEANFILES="*.gcno *.gcda" AC_CONFIG_FILES([Makefile src/Makefile tests/Makefile doc/Makefile doc/sf/Makefile packaging/ima-evm-utils.spec ]) AC_OUTPUT # Give some feedback echo echo echo "Configuration:" echo " debug: $pkg_cv_enable_debug" echo " default-hash: $HASH_ALGO" echo " openssl-conf: $enable_openssl_conf" echo " tss2-esys: $ac_cv_lib_tss2_esys_Esys_Free" echo " tss2-rc-decode: $ac_cv_lib_tss2_rc_Tss2_RC_Decode" echo " ibmtss: $ac_cv_header_ibmtss_tss_h" echo " sigv1: $enable_sigv1" echo " engine: $enable_engine" echo " doc: $have_doc" echo " pandoc: $have_pandoc" echo ima-evm-utils-1.5/doc/000077500000000000000000000000001440135744700146265ustar00rootroot00000000000000ima-evm-utils-1.5/doc/Makefile.am000066400000000000000000000000151440135744700166560ustar00rootroot00000000000000SUBDIRS = sf ima-evm-utils-1.5/doc/sf/000077500000000000000000000000001440135744700152365ustar00rootroot00000000000000ima-evm-utils-1.5/doc/sf/Makefile.am000066400000000000000000000001631440135744700172720ustar00rootroot00000000000000noinst_DATA = sf-wiki.html sf-wiki.html:sf-wiki.md pandoc $+ -f markdown -t html > $@ CLEANFILES = sf-wiki.html ima-evm-utils-1.5/doc/sf/sf-diagram.html000066400000000000000000000051121440135744700201350ustar00rootroot00000000000000

See documentation at Linux IMA/EVM Wiki
Linux Integrity Subsystem

The goals of the kernel integrity subsystem are to detect if files have been accidentally or maliciously altered, both remotely and locally, appraise a file's measurement against a "good" value stored as an extended attribute, and enforce local file integrity. These goals are complementary to Mandatory Access Control (MAC) protections provided by LSM modules, such as SELinux and Smack, which, depending on policy, can attempt to protect file integrity. The following modules provide several integrity functions:

  • Collect - measure a file before it is accessed.
  • Store - add the measurement to a kernel resident list and, if a hardware Trusted Platform Module (TPM) is present, extend the IMA PCR
  • Attest - if present, use the TPM to sign (quote) the IMA PCR value, so that a remote party can validate the measurement list.
  • Appraise - enforce local validation of a measurement against a 'good' value stored in an extended attribute of the file.
  • Protect - protect a file's security extended attributes

The first three functions were introduced with Integrity Measurement Architecture (IMA) in 2.6.30. The EVM/IMA-appraisal patches add support for the last two features.

For additional information about the Linux integrity subsystem, refer to the Wiki.

Trusted Computing: architecture and opensource components

IMA measurement, one component of the kernel's integrity subsystem, is part of an overall Integrity Architecture based on the Trusted Computing Group's open standards, including Trusted Platform Module (TPM), Trusted Boot, Trusted Software Stack (TSS), Trusted Network Connect (TNC), and Platform Trust Services (PTS). The diagram shows how these standards relate, and provides links to the respective specifications and open source implementations. IMA and EVM can still run on platforms without a hardware TPM, although without the hardware guarantee of compromise detection.

ima-evm-utils-1.5/doc/sf/sf-tcg.html000066400000000000000000000054031440135744700173110ustar00rootroot00000000000000

Applications
spec info
PTS OpenPTS
tpm-tools

Libraries
spec info
TSS TrouSerS

Linux Kernel
spec info
IMA, EVM
tpm-1.2 TPM driver

Boot
spec info
BIOS GRUB-IMA, TBOOT

Hardware
spec info
TPM (swTPM)

ima-evm-utils-1.5/doc/sf/sf-wiki.md000066400000000000000000001362031440135744700171360ustar00rootroot00000000000000The goals of the kernel integrity subsystem are to detect if files have been accidentally or maliciously altered, both remotely and locally, appraise a file's measurement against a "good" value stored as an extended attribute, and enforce local file integrity. These goals are complementary to Mandatory Access Control (MAC) protections provided by LSM modules, such as SELinux and Smack, which, depending on policy, can attempt to protect file integrity. [TOC] ## Overview ### Features The following modules provide several integrity functions: - **Collect** – measure a file before it is accessed. - **Store** – add the measurement to a kernel resident list and, if a hardware Trusted Platform Module (TPM) is present, extend the IMA PCR. - **Attest** – if present, use the TPM to sign (quote) the IMA PCR value, to allow a remote validation of the measurement list. - **Appraise** – enforce local validation of a measurement against a “good” value stored in an extended attribute of the file. - **Protect** – protect a file's security extended attributes (including appraisal hash) against off-line attack. - **Audit** – audit the file hashes. The first three functions were introduced with Integrity Measurement Architecture ([IMA](#integrity-measurement-architecture-ima)) in 2.6.30. The "appraise" and "protect" features were originally posted as a single [EVM](#linux-extended-verification-module-evm)/[IMA-appraisal](#ima-appraisal) patch set in the 2.6.36 timeframe, but were subsequently split. EVM, the "protect" feature, was upstreamed in Linux 3.2, using a simpler and more secure method for loading the 'evm-key', based on the new Kernel Key Retention [Trusted and Encrypted keys](#creating-trusted-and-evm-encrypted-keys). EVM support for protecting file metadata based on digital signatures was upstreamed in Linux 3.3. 
IMA-appraisal, the fourth aspect, appraising a file's integrity, was upstreamed in Linux 3.7. The goals, design, and benefits of these features are further described in the whitepaper ["An Overview of the Linux Integrity Subsystem"](http://downloads.sf.net/project/linux-ima/linux-ima/Integrity_overview.pdf "http://downloads.sf.net/project/linux-ima/linux-ima/Integrity_overview.pdf"). ### Components IMA-measurement, one component of the kernel's integrity subsystem, is part of an overall Integrity Architecture based on the Trusted Computing Group's open standards, including Trusted Platform Module (TPM), Trusted Boot, Trusted Software Stack (TSS), Trusted Network Connect (TNC), and Platform Trust Services (PTS). The linux-ima project page contains a [diagram](http://linux-ima.sourceforge.net/) showing how these standards relate, and provides links to the respective specifications and open source implementations. IMA-measurement and EVM can still run on platforms without a hardware TPM, although without the hardware guarantee of compromise detection. IMA-appraisal, a second component of the kernel's integrity subsystem, extends the "secure boot" concept of verifying a file's integrity, before transferring control or allowing the file to be accessed by the OS. IMA-audit, another component of the kernel's integrity subsystem, includes file hashes in the system audit logs, which can be used to augment existing system security analytics/forensics. The IMA-measurement, IMA-appraisal, and IMA-audit aspects of the kernel's integrity subsystem complement each other, but can be configured and used independently of each other. ## Integrity Measurement Architecture (IMA-measurement) IMA-measurement is an open source trusted computing component. IMA maintains a runtime measurement list and, if anchored in a hardware Trusted Platform Module(TPM), an aggregate integrity value over this list. 
The benefit of anchoring the aggregate integrity value in the TPM is that the measurement list cannot be compromised by any software attack without being detectable. Hence, on a trusted boot system, IMA-measurement can be used to attest to the system's runtime integrity. ### Enabling IMA-measurement IMA was first included in the 2.6.30 kernel. For distros that enable IMA by default in their kernels, collecting IMA measurements simply requires rebooting the kernel with a builtin policy selected via "ima_policy=" on the boot command line (for example "ima_policy=tcb"). (Fedora/RHEL may also require the boot command line parameter 'ima=on'.) To determine if your distro enables IMA by default, mount securityfs (mount -t securityfs security /sys/kernel/security), if it isn't already mounted, and then check whether the 'ima' directory (on newer kernels 'integrity/ima') exists below the securityfs mount point, i.e. /sys/kernel/security/ima. If it exists, IMA is indeed enabled. On systems without IMA enabled, [recompile the kernel](#compiling-the-kernel-with-evmima-appraisal-enabled) with the config option 'CONFIG_IMA' enabled. ### Controlling IMA-measurement IMA is controlled with several kernel command line parameters: ima_audit= informational audit logging Format: { "0" | "1" } 0 -- normal integrity auditing messages. (Default) 1 -- enable additional informational integrity auditing messages. (eg. Although file measurements are only added to the measurement list once and cached, if the inode is flushed, subsequent access to the inode will result in re-measuring the file and attempting to add the measurement again to the measurement list. Enabling ima_audit will log such attempts.) ima_policy= builtin policy Format: {"tcb" | "appraise_tcb" | "secure-boot"} **NEW** Linux-4.13 default: no policy ima_template= template used Format: { "ima" | "ima-ng" | "ima-sig" } Linux 3.13 default: "ima-ng" ima_hash= hash used (prefer sha256 or stronger; sha1 and md5 are retained only for compatibility with old measurement consumers) Format: { "sha1" | "md5" | "sha256" | "sha512" | "wp512" | ... 
} 'ima' template default: "sha1" Linux 3.13 default: "sha256" ima_tcb (deprecated) If specified, enables the TCB policy, which meets the needs of the Trusted Computing Base. This means IMA will measure all programs exec'd, files mmap'd for exec, and all files opened for read by uid=0. ### IMA Measurement List IMA-measurements maintains a runtime measurement list, which can be displayed as shown below. - mount securityfs as /sys/kernel/security $ su -c 'mkdir /sys/kernel/security' $ su -c 'mount -t securityfs securityfs /sys/kernel/security' Modify /etc/fstab to mount securityfs on boot. - display the runtime measurement list (Only root is allowed access to securityfs files.) Example 1: 'ima-ng' template $ su -c 'head -5 /sys/kernel/security/ima/ascii_runtime_measurements' PCR template-hash filedata-hash filename-hint 10 91f34b5c671d73504b274a919661cf80dab1e127 ima-ng sha1:1801e1be3e65ef1eaa5c16617bec8f1274eaf6b3 boot_aggregate 10 8b1683287f61f96e5448f40bdef6df32be86486a ima-ng sha256:efdd249edec97caf9328a4a01baa99b7d660d1afc2e118b69137081c9b689954 /init 10 ed893b1a0bc54ea5cd57014ca0a0f087ce71e4af ima-ng sha256:1fd312aa6e6417a4d8dcdb2693693c81892b3db1a6a449dec8e64e4736a6a524 /usr/lib64/ld-2.16.so 10 9051e8eb6a07a2b10298f4dc2342671854ca432b ima-ng sha256:3d3553312ab91bb95ae7a1620fedcc69793296bdae4e987abc5f8b121efd84b8 /etc/ld.so.cache PCR: default CONFIG_IMA_MEASURE_PCR_IDX is 10 template-hash: sha1 hash(filedata-hash length, filedata-hash, pathname length, pathname) filedata-hash: sha256 hash(filedata) Example 2: 'ima-sig' template (same format as ima-ng, but with an appended signature when present) PCR template-hash filedata-hash filename-hint file-signature 10 f63c10947347c71ff205ebfde5971009af27b0ba ima-sig sha256:6c118980083bccd259f069c2b3c3f3a2f5302d17a685409786564f4cf05b3939 /usr/lib64/libgspell-1.so.1.0.0 0302046e6c10460100aa43a4b1136f45735669632ad ... 
10 595eb9bf805874b459ce073af158378f274ea961 ima-sig sha256:8632769297867a80a9614caa98034d992441e723f0b383ca529faa306c640638 /usr/lib64/gedit/plugins/libmodelines.so 0302046e6c104601002394b70ab93 ... Example 3: *original* 'ima' template PCR template-hash filedata-hash filename-hint 10 7971593a7ad22a7cce5b234e4bc5d71b04696af4 ima b5a166c10d153b7cc3e5b4f1eab1f71672b7c524 boot_aggregate 10 2c7020ad8cab6b7419e4973171cb704bdbf52f77 ima e09e048c48301268ff38645f4c006137e42951d0 /init 10 ef7a0aff83dd46603ebd13d1d789445365adb3b3 ima 0f8b3432535d5eab912ad3ba744507e35e3617c1 /init 10 247dba6fc82b346803660382d1973c019243e59f ima 747acb096b906392a62734916e0bb39cef540931 ld-2.9.so 10 341de30a46fa55976b26e55e0e19ad22b5712dcb ima 326045fc3d74d8c8b23ac8ec0a4d03fdacd9618a ld.so.cache PCR: default CONFIG_IMA_MEASURE_PCR_IDX is 10 template-hash: sha1 hash(filedata-hash, filename-hint) filedata-hash: sha1 hash(filedata) The first element in the runtime measurement list, shown above, is the boot_aggregate. The boot_aggregate is a SHA1 hash over tpm registers 0-7, assuming a TPM chip exists, and zeroes, if the TPM chip does not exist. 
- display the bios measurement list entries, used in calculating the boot aggregate $ su -c 'head /sys/kernel/security/tpm0/ascii_bios_measurements' 0 f797cb88c4b07745a129f35ea01b47c6c309cda9 08 [S-CRTM Version] 0 dca68da0707a9a52b24db82def84f26fa463b44d 01 [POST CODE] 0 dd9efa31c88f467c3d21d3b28de4c53b8d55f3bc 01 [POST CODE] 0 dd261ca7511a7daf9e16cb572318e8e5fbd22963 01 [POST CODE] 0 df22cabc0e09aabf938bcb8ff76853dbcaae670d 01 [POST CODE] 0 a0d023a7f94efcdbc8bb95ab415d839bdfd73e9e 01 [POST CODE] 0 38dd128dc93ff91df1291a1c9008dcf251a0ef39 01 [POST CODE] 0 dd261ca7511a7daf9e16cb572318e8e5fbd22963 01 [POST CODE] 0 df22cabc0e09aabf938bcb8ff76853dbcaae670d 01 [POST CODE] 0 a0d023a7f94efcdbc8bb95ab415d839bdfd73e9e 01 [POST CODE] ### Verifying IMA Measurements The IMA tests programs are part of the [Linux Test Project.](https://github.com/linux-test-project/ltp/wiki) - Download, compile, and install the standalone version of the IMA LTP test programs in /usr/local/bin. $ wget -O ltp-ima-standalone-v2.tar.gz http://downloads.sf.net/project/linux-ima/linux-ima/ltp-ima-standalone-v2.tar.gz $ tar -xvzf ltp-ima-standalone-v2.tar.gz ima-tests/Makefile ima-tests/README ima-tests/ima_boot_aggregate.c ima-tests/ima_measure.c ima-tests/ima_mmap.c ima-tests/ima_sigv2.c ima-tests/ltp-tst-replacement.c ima-tests/pkeys.c ima-tests/rsa_oid.c ima-tests/config.h ima-tests/debug.h ima-tests/hash_info.h ima-tests/ima_sigv2.h ima-tests/list.h ima-tests/pkeys.h ima-tests/rsa.h ima-tests/test.h $ cd ima-tests $ make $ su -c 'make install' - ima_boot_aggregate Using the TPM's binary bios measurement list, re-calculate the boot aggregate. 
$ su -c '/usr/local/bin/ima_boot_aggregate /sys/kernel/security/tpm0/binary_bios_measurements' 000 f797cb88c4b07745a129f35ea01b47c6c309cda9 000 dca68da0707a9a52b24db82def84f26fa463b44d < snip > 005 6895eb784cdaf843eaad522e639f75d24d4c1ff5 PCR-00: 07274edf7147abda49200100fd668ce2c3a374d7 PCR-01: 48dff4fbf3a34d56a08dfc1504a3a9d707678ff7 PCR-02: 53de584dcef03f6a7dac1a240a835893896f218d PCR-03: 3a3f780f11a4b49969fcaa80cd6e3957c33b2275 PCR-04: acb44e9dd4594d3f121df2848f572e4d891f0574 PCR-05: df72e880e68a2b52e6b6738bb4244b932e0f1c76 PCR-06: 585e579e48997fee8efd20830c6a841eb353c628 PCR-07: 3a3f780f11a4b49969fcaa80cd6e3957c33b2275 boot_aggregate:b5a166c10d153b7cc3e5b4f1eab1f71672b7c524 and compare the value with the ascii_runtime_measurement list value. $ su -c 'cat /sys/kernel/security/ima/ascii_runtime_measurements | grep boot_aggregate' 10 7971593a7ad22a7cce5b234e4bc5d71b04696af4 ima b5a166c10d153b7cc3e5b4f1eab1f71672b7c524 boot_aggregate
- ima_measure \[--validate\] \[--verify\] \[--verbose\] using the IMA binary measurement list, calculate the PCR aggregate value $ su -c '/usr/local/bin/ima_measure /sys/kernel/security/ima/binary_runtime_measurements --validate' PCRAggr (re-calculated): B4 D1 93 D8 FB 31 B4 DD 36 5D DA AD C1 51 AC 84 FA 88 78 1B and compare it against the PCR value $ cat /sys/devices/pnp0/00:0a/pcrs | grep PCR-10 PCR-10: B4 D1 93 D8 FB 31 B4 DD 36 5D DA AD C1 51 AC 84 FA 88 78 1B ### IMA re-measuring files Part of the TCG requirement is that all Trusted Computing Base (TCB) files be measured, and re-measured if the file has changed, before reading/executing the file. IMA detects file changes based on i_version. To re-measure a file after it has changed, the filesystem must support i_version and, if needed, be mounted with i_version (eg. ext3, ext4). Not all filesystems require the explicit mount option. With commit a2a2c3c8580a ("ima: Use i_version only when filesystem supports it") i_version is considered an optimization. If i_version is not enabled, either because the local filesystem does not support it or the filesystem was not mounted with i_version, the file will now always be re-measured, whether or not the file changed, but only new measurements will be added to the measurement list. - Attempt to mount a filesystem with i_version support. $ su -c 'mount -o remount,rw,iversion /home' mount: you must specify the filesystem type Attempt to remount '/home' with i_version support, shown above, failed. Please install a version of the [util-linux-ng-2.15-rc1](http://www.kernel.org/pub/linux/utils/util-linux-ng/v2.15/ "http://www.kernel.org/pub/linux/utils/util-linux-ng/v2.15/") package or later. - To automatically mount a filesystem with i_version support, update /etc/fstab. UUID=blah /home ext3 defaults,iversion - Mount the root filesystem with i_version. - For systems with /etc/rc.sysinit, update the mount options adding 'iversion': # Remount the root filesystem read-write. 
update_boot_stage RCmountfs if remount_needed ; then action $"Remounting root filesystem in read-write mode: " mount -n -o remount,rw,iversion / fi - For systems using dracut, root 'mount' options can be specified on the boot command line using 'rootflags'. Add 'rootflags=i_version'. Unlike 'mount', which expects 'iversion', notice that on the boot command line 'i_version' contains an underscore. ### Linux-audit support As of [Linux-audit](http://people.redhat.com/sgrubb/audit/ "http://people.redhat.com/sgrubb/audit/") 2.0, support for integrity auditing messages is available. ### Defining an LSM specific policy The ima_tcb default measurement policy in linux-2.6.30 measures all system sensitive files - executables, mmapped libraries, and files opened for read by root. These measurements, the measurement list and the aggregate integrity value, can be used to attest to a system's runtime integrity. Based on these measurements, a remote party can detect whether critical system files have been modified or if malicious software has been executed. Default policy dont_measure fsmagic=PROC_SUPER_MAGIC dont_measure fsmagic=SYSFS_MAGIC dont_measure fsmagic=DEBUGFS_MAGIC dont_measure fsmagic=TMPFS_MAGIC dont_measure fsmagic=SECURITYFS_MAGIC dont_measure fsmagic=SELINUX_MAGIC measure func=BPRM_CHECK measure func=FILE_MMAP mask=MAY_EXEC < add LSM specific rules here > measure func=PATH_CHECK mask=MAY_READ uid=0 But not all files opened by root for read, are necessarily part of the Trusted Computing Base (TCB), and therefore do not need to be measured. Linux Security Modules (LSM) maintain file metadata, which can be leveraged to limit the number of files measured. Examples: adding LSM specific rules SELinux: dont_measure obj_type=var_log_t dont_measure obj_type=auditd_log_t Smack: measure subj_user=_ func=INODE_PERM mask=MAY_READ To replace the default policy 'cat' the custom IMA measurement policy and redirect the output to "< securityfs >/ima/policy". 
Both dracut and systemd have been modified to load the custom IMA policy. If the IMA policy contains LSM labels, then the LSM policy must be loaded prior to the IMA policy. (eg. if systemd loads the SELinux policy, then systemd must also load the IMA policy.) systemd commit c8161158 adds support for loading a custom IMA measurement policy. Simply place the custom IMA policy in /etc/ima/ima-policy. systemd will automatically load the custom policy. dracut commit 0c71fb6 adds initramfs support for loading the custom IMA measurement policy. Build and install dracut (git://git.kernel.org/pub/scm/boot/dracut/dracut.git), to load the custom IMA measurement policy (default: /etc/sysconfig/ima-policy). For more information on defining an LSM specific measurement/appraisal/audit policy, refer to the kernel Documentation/ABI/testing/ima_policy. ## IMA-appraisal IMA currently maintains an integrity measurement list used for remote attestation. The IMA-appraisal extension adds local integrity validation and enforcement of the measurement against a "good" value stored as an extended attribute 'security.ima'. The initial methods for validating 'security.ima' are hash based, which provides file data integrity only (a hash detects modification but says nothing about who produced the content), and digital signature based, which in addition to file data integrity provides authenticity. ### Enabling IMA-appraisal IMA-appraisal was upstreamed in Linux 3.7. For distros that enable IMA-appraisal by default in their kernels, appraising file measurements requires rebooting the kernel first with the boot command line parameters 'ima_appraise_tcb' and 'ima_appraise=fix' to [label the filesystem](#labeling-the-filesystem-with-securityima-extended-attributes). Once labeled, reboot with just the 'ima_appraise_tcb' boot command line parameter. Refer to [compiling the kernel](#compiling-the-kernel-with-evmima-appraisal-enabled) for directions on configuring and building a new kernel with IMA-appraisal support enabled. 
### Understanding the IMA-appraisal policy The IMA-appraisal policy extends the measurement policy ABI with two new keywords: appraise/dont_appraise. The default appraise policy appraises all files owned by root. Like the default measurement policy, the default appraisal policy does not appraise pseudo filesystem files (eg. debugfs, tmpfs, securityfs, or selinuxfs.) Additional rules can be added to the default IMA measurement/appraisal policy, which take advantage of the SELinux labels, for a more fine grained policy. Refer to Documentation/ABI/testing/ima_policy. ### Labeling the filesystem with 'security.ima' extended attributes A new boot parameter 'ima_appraise=' has been defined in order to label existing file systems with the 'security.ima' extended attribute. - ima_appraise= appraise integrity measurements\ Format: { "off" | "enforce" | "fix" | "log" } \ off - is a runtime parameter that turns off integrity appraisal verification. enforce - verifies and enforces runtime file integrity. \[default\] fix - for non-digitally signed files, updates the 'security.ima' xattr to reflect the existing file hash. log - verifies runtime file integrity and logs appraisal failures, but does not enforce them. Note that 'fix' mode trusts whatever is currently on disk: it records the existing content hash as the "good" value, so run it only on a filesystem you know to be clean, and remove 'ima_appraise=fix' from the boot command line afterwards so that later modifications are no longer silently accepted. After building a kernel with IMA-appraisal enabled and verified that the filesystems are mounted with [i_version](#ima-re-measuring-files) support, to label the filesystem, reboot with the boot command line options 'ima_appraise_tcb' and 'ima_appraise=fix'. Opening a file owned by root, will cause the 'security.ima' extended attributes to be written. For example, to label the entire filesystem, execute: `find / \( -fstype rootfs -o -fstype ext4 \) -type f -uid 0 -exec head -n 1 '{}' >/dev/null \;` ### Labeling 'immutable' files with digital signatures 'Immutable' files, such as ELF executables, can be digitally signed, storing the digital signature in the 'security.ima' xattr. Creating the digital signature requires generating an RSA private/public key pair. The private key is used to sign the file, while the public key is used to verify the signature. 
For example, to digitally sign all kernel modules, replace `<privkey.pem>`, below, with the pathname to your RSA private key, and execute: `find /lib/modules -name "*.ko" -type f -uid 0 -exec evmctl sign --imasig --key <privkey.pem> '{}' \;` (if '--key' is omitted, evmctl uses its default key path; check the manual page for your version). Keep the private key off the system being labeled wherever possible: anyone who can read it can produce signatures the kernel will accept. evmctl manual page is here [evmctl.1.html](http://linux-ima.sourceforge.net/evmctl.1.html) ### Running with IMA-appraisal Once the filesystem has been properly labeled, before rebooting, re-install the new labeled kernel. Modify the [initramfs](#building-an-initramfs-to-load-keys) to load the RSA public key on the IMA keyring, using evmctl. Reboot with the 'ima_appraise_tcb' and, possibly, the 'rootflags=i_version' options. ## Extending trusted and secure boot to the OS ( Place holder ) ### Including file signatures in the measurement list The 'ima-sig' template, in addition to the file data hash and the full pathname, includes the file signature, as stored in the 'security.ima' extended attribute. 10 d27747646f317e3ca1205287d0615073fe676bc6 ima-sig sha1:08f8f20c14e89da468bb238 d2012c9458ae67f6a /usr/bin/mkdir 030202afab451100802b22e3ed9f6a70fb5babf030d1181 8152b493bd6bfd916005fad7fdcfd7f88d43f6cffaf6fd1ea3b75032dd702b661d4717729e4a3fa4 ee95a47f239955491fc8064eca8cb96302d305d59750ae4ffde0a5f615f910475eee72ae0306e4ae 0269d7d04af2a485898eec3286795d621e83b7dedc99f5019b7ee49b189f3ded0a2 # getfattr -m ^security --dump -e hex /usr/bin/mkdir # file: usr/bin/mkdir security.evm=0x0238b0cdd9e97d5bed3bcde5a4793ef8da6fe7c7cc security.ima=0x030202afab451100802b22e3ed9f6a70fb5babf030d11818152b493bd6bfd916005fad 7fdcfd7f88d43f6cffaf6fd1ea3b75032dd702b661d4717729e4a3fa4ee95a47f239955491fc8064eca8cb 96302d305d59750ae4ffde0a5f615f910475eee72ae0306e4ae0269d7d04af2a485898eec3286795d621e8 3b7dedc99f5019b7ee49b189f3ded0a2 ### Signing IMA-appraisal keys ( Place holder ) ## IMA-audit IMA-audit includes file hashes in the audit log, which can be used to augment existing system security analytics/forensics. IMA-audit extends the IMA policy ABI with the policy action keyword - "audit". 
Example policy to audit executable file hashes audit func=BPRM_CHECK ## Linux Extended Verification Module (EVM) EVM detects offline tampering of the security extended attributes (e.g. security.selinux, security.SMACK64, security.ima), which is the basis for LSM permission decisions and, with the IMA-appraisal extension, integrity appraisal decisions. EVM provides a framework, and two methods for detecting offline tampering of the security extended attributes. The initial method maintains an HMAC-sha1 across a set of security extended attributes, storing the HMAC as the extended attribute 'security.evm'. The other method is based on a digital signature of the security extended attributes hash. To verify the integrity of an extended attribute, EVM exports evm_verifyxattr(), which re-calculates either the HMAC or the hash, and compares it with the version stored in 'security.evm'. ### Enabling EVM EVM was upstreamed in Linux 3.2. EVM-digital-signatures is currently in the Linux 3.3 release candidate. Refer to [compiling the kernel](#compiling-the-kernel-with-evmima-appraisal-enabled), for directions on configuring and building a new kernel with EVM support. ### Running EVM EVM is configured automatically to protect standard “security” extended attributes: - security.ima (IMA's stored “good” hash for the file) - security.selinux (the selinux label/context on the file) - security.SMACK64 (Smack's label on the file) - security.capability (Capability's label on executables) EVM protects the configured extended attributes with an HMAC across their data, keyed with an EVM key provided at boot time. EVM looks for this key named 'evm-key' on root's key ring. Refer to [trusted and EVM encrypted keys](#creating-trusted-and-evm-encrypted-keys), for directions on creating EVM keys. 
Once loaded, EVM can be activated by writing a '1' to the evm securityfs file: `**echo "1" >/sys/kernel/security/evm**` Before EVM is activated, any requested integrity appraisals are unknown, so the EVM startup should be done early in the boot process, preferably entirely within the kernel and initramfs (which are measured by trusted grub) and before any reference to the real root filesystem. To build an initramfs with EVM enabled, build and install dracut (git://git.kernel.org/pub/scm/boot/dracut/dracut.git), which contains the trusted and EVM dracut modules. ### Labeling the filesystem with 'security.evm' A new boot parameter 'evm=fix' has been defined in order to label existing file systems with the 'security.evm' extended attribute. After building a kernel with EVM, IMA-appraisal, and trusted and encrypted keys enabled, installed the trusted and EVM dracut modules, created the EVM key, and verified that the filesystems are mounted, including root, with [i_version](#ima-re-measuring-files) support, to label the filesystem, reboot with the command line options 'ima_tcb', 'ima_appraise_tcb', 'ima_appraise=fix', 'evm=fix' and, possibly, 'rootflags=i_version'. Once EVM is started, as existing file metadata changes or as new files are created, EVM assumes that the LSM has approved such changes, and automatically updates the HMACs accordingly, assuming the existing value is valid. In fix mode, opening a file owned by root, will fix the 'security.ima' extended attribute, causing the 'security.evm' extended attribute to be written as well, regardless if the existing security 'ima' or 'evm' extended attributes are valid. To label the entire filesystem, execute: `find / -fstype ext4 -type f -uid 0 -exec head -n 1 '{}' >/dev/null \;` The following sign_file script can be used to label all 'ELF' files with EVM and IMA digital signatures, and all other files with just an EVM digital signature. 
sign_file.sh: #!/bin/sh #label "immutable" files with EVM/IMA digital signatures #label everything else with just EVM digital signatures #quote "$1" so that pathnames containing whitespace are handled as one argument file "$1" | grep 'ELF' > /dev/null if [ $? -eq 0 ]; then evmctl sign --imasig "$1" /home/zohar/privkey_evm.pem else evmctl sign --imahash "$1" /home/zohar/privkey_evm.pem fi Replace /home/zohar/privkey_evm.pem with the path to your own private key. Note that the private key should not remain readable on the filesystem that is being labeled: whoever can read it can create signatures that the kernel will accept, so sign from a build host or removable media and keep only the public key on the target. Instead of opening the file using head, digitally sign the files: `find / \( -fstype rootfs -o -fstype ext3 -o -fstype ext4 \) -type f -exec sign_file.sh {} \;` Once the filesystem has been properly labeled, before rebooting, re-install the new labeled kernel. Modify the initramfs to load the RSA public keys on the EVM and IMA keyring. Reboot with just the 'ima_tcb', 'ima_appraise_tcb' and, possibly, 'rootflags=i_version' options. ## Compiling the kernel with EVM/IMA-appraisal enabled For those unfamiliar with building a linux kernel, here is a short list of existing websites. - [http://kernelnewbies.org/KernelBuild](http://kernelnewbies.org/KernelBuild "http://kernelnewbies.org/KernelBuild") - [http://fedoraproject.org/wiki/BuildingUpstreamKernel](http://fedoraproject.org/wiki/BuildingUpstreamKernel "http://fedoraproject.org/wiki/BuildingUpstreamKernel") - [https://wiki.ubuntu.com/KernelTeam/GitKernelBuild](https://wiki.ubuntu.com/KernelTeam/GitKernelBuild "https://wiki.ubuntu.com/KernelTeam/GitKernelBuild") ### Configuring the kernel Depending on the distro, some of these options might already be enabled, but not necessarily as builtin. For distros with recent kernels, download the distro's kernel source and recompile the kernel with the additional .config options, below. (Refer to the distro's documentation for building and installing the kernel from source.) 
For IMA, enable the following .config options: CONFIG_INTEGRITY=y CONFIG_IMA=y CONFIG_IMA_MEASURE_PCR_IDX=10 CONFIG_IMA_AUDIT=y CONFIG_IMA_LSM_RULES=y For IMA-appraisal, enable the following .config options: CONFIG_INTEGRITY_SIGNATURE=y CONFIG_INTEGRITY=y CONFIG_IMA_APPRAISE=y EVM has a dependency on encrypted keys, which should be encrypted/decrypted using a trusted key. For those systems without a TPM, the EVM key could be encrypted/decrypted with a user-defined key instead. For EVM, enable the following .config options: CONFIG_TCG_TPM=y CONFIG_KEYS=y CONFIG_TRUSTED_KEYS=y CONFIG_ENCRYPTED_KEYS=y CONFIG_INTEGRITY_SIGNATURE=y CONFIG_INTEGRITY=y CONFIG_EVM=y For the new 'ima-ng'/'ima-sig' template support(linux 3.13), clone the stable tree. $ cd ~/src/kernel $ git clone git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git $ cd linux-stable $ git remote update $ git checkout --track -b linux-3.13.y origin/linux-3.13.y and enable these additional .config options: CONFIG_IMA_NG_TEMPLATE=y CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng" CONFIG_IMA_DEFAULT_HASH_SHA256=y ### Installing the new kernel If enabling EVM, before installing the new kernel, follow the directions for creating the EVM encrypted key (#creating_trusted_and_evm_encrypted keys) and EVM/IMA public keys (#creating_and_loading_the_evm_and_ima_publicprivate_keypairs). Install the kernel as normal. $ su -c "make modules_install install" ## Creating trusted and EVM encrypted keys Trusted and encrypted keys are two new key types (upstreamed in 2.6.38) added to the existing kernel key ring service. Both of these new types are variable length symmetic keys and, in both cases, are created in the kernel. User space sees, stores, and loads only encrypted blobs. Trusted Keys require the availability of a Trusted Platform Module (TPM) chip for greater security, while encrypted keys can be used on any system. 
All user level blobs, are displayed and loaded in hex ascii for convenience, and are integrity verified. Depending on the distro, trusted and encrypted keys might not be enabled. Refer to [compiling the kernel](#compiling-the-kernel-with-evmima-appraisal-enabled), for directions on configuring and building a new kernel with trusted and encrypted key support. The trusted and EVM dracut modules, by default, look for the trusted and EVM encrypted keys in /etc/keys. To create and save the kernel master and EVM keys, $ su -c 'mkdir -p /etc/keys' # To create and save the kernel master key (trusted type): $ su -c 'modprobe trusted encrypted' $ su -c 'keyctl add trusted kmk-trusted "new 32" @u' $ su -c 'keyctl pipe `keyctl search @u trusted kmk-trusted` >/etc/keys/kmk-trusted.blob' # Create the EVM encrypted key $ su -c 'keyctl add encrypted evm-key "new trusted:kmk-trusted 32" @u' $ su -c 'keyctl pipe `keyctl search @u encrypted evm-key` >/etc/keys/evm-trusted.blob' For those systems which don't have a TPM, but want to experiment with EVM, create a user key of 32 random bytes, and an EVM user encrypted key. Unlike trusted/encrypted keys, user type key data is visible to userspace: the kmk-user.blob written below is the raw master key rather than a sealed blob, and anyone who can read it can decrypt evm-key and forge 'security.evm' HMACs. Keep it root-only (mode 0600) and treat this setup as suitable for experimentation, not for production. The random bytes are piped into 'keyctl padd' rather than passed through a command substitution, because the shell drops NUL bytes from "`...`" output and would silently shorten the key. $ su -c 'mkdir -p -m 700 /etc/keys' # To create and save the kernel master key (user type): $ su -c 'modprobe trusted encrypted' $ su -c 'dd if=/dev/urandom bs=1 count=32 2>/dev/null | keyctl padd user kmk-user @u' $ su -c 'keyctl pipe `keyctl search @u user kmk-user` > /etc/keys/kmk-user.blob' $ su -c 'chmod 600 /etc/keys/kmk-user.blob' # Create the EVM encrypted key $ su -c 'keyctl add encrypted evm-key "new user:kmk-user 32" @u' $ su -c 'keyctl pipe `keyctl search @u encrypted evm-key` >/etc/keys/evm-user.blob' Update /etc/sysconfig/masterkey to reflect using a 'user-defined' master key type. MULTIKERNELMODE="NO" MASTERKEYTYPE="user" MASTERKEY="/etc/keys/kmk-${MASTERKEYTYPE}.blob" Similarly update /etc/sysconfig/evm or on the boot command line specify the EVM key filename (eg. 'evmkey=/etc/keys/evm-user.blob'.)
## Creating and loading the EVM and IMA public/private keypairs ### Digital Signatures: generating an RSA public/private key pair Use at least a 2048-bit RSA key (1024-bit RSA is below current minimum recommendations), and protect an encrypted private key with AES rather than 3DES. # generate unencrypted private key openssl genrsa -out privkey_evm.pem 2048 # or generate encrypted (password protected) private key openssl genrsa -aes256 -out privkey_evm.pem 2048 # or convert unencrypted key to encrypted one openssl rsa -in /etc/keys/privkey_evm.pem -out privkey_evm_enc.pem -aes256 or openssl pkcs8 -topk8 -in /etc/keys/privkey_evm.pem -out privkey_evm_enc.pem openssl rsa -pubout -in privkey_evm.pem -out pubkey_evm.pem ### ima-evm-utils: installing the package from source ima-evm-utils is used to sign files, using the private key, and to load the public keys on the ima/evm keyrings. ima-evm-utils can be cloned from git repo with the following command: git clone git://linux-ima.git.sourceforge.net/gitroot/linux-ima/ima-evm-utils.git cd ima-evm-utils ./autogen.sh ./configure make sudo make install evmctl manual page is here [evmctl.1.html](http://linux-ima.sourceforge.net/evmctl.1.html) ### IMA/EVM keyrings: loading the public keys ima_id=`keyctl newring _ima @u` evmctl import /etc/keys/pubkey_ima.pem $ima_id evm_id=`keyctl newring _evm @u` evmctl import /etc/keys/pubkey_evm.pem $evm_id ## Building an initramfs to load keys Modify the initramfs to load the EVM encrypted key and the EVM/IMA public keys on their respective keyrings. ### dracut Dracut commits 0c71fb6 and e1ed2a2 add support for loading the masterkey and the EVM encrypted key, not the EVM/IMA public keys (todo). 0c71fb6 dracut: added new module integrityy e1ed2a2 dracut: added new module masterkey Clone dracut (git://git.kernel.org/pub/scm/boot/dracut/dracut.git). By default, the masterkey and integrity modules are not enabled in the dracut git tree. Edit module-setup in both directories, changing the check() return value to 0. 'make' and 'install' dracut. 
Create an initramfs: # dracut -H -f /boot/initramfs-<kernel-version> -M And add a grub2 menu entry: # grub2-mkconfig -o /boot/grub2/grub.cfg ### initramfs-tools To enable IMA/EVM in initramfs-tools it is necessary to add just 2 files to /etc/initramfs-tools directory. /etc/initramfs-tools/hooks/ima.sh: #!/bin/sh echo "Adding IMA binaries" . /usr/share/initramfs-tools/hook-functions copy_exec /etc/keys/evm-key copy_exec /etc/keys/pubkey_evm.pem copy_exec /etc/ima_policy copy_exec /bin/keyctl copy_exec /usr/bin/evmctl /bin/evmctl /etc/initramfs-tools/scripts/local-top/ima.sh: #!/bin/sh -e PREREQ="" # Output pre-requisites prereqs() { echo "$PREREQ" } case "$1" in prereqs) prereqs exit 0 ;; esac grep -q "ima=off" /proc/cmdline && exit 1 mount -n -t securityfs securityfs /sys/kernel/security IMA_POLICY=/sys/kernel/security/ima/policy LSM_POLICY=/etc/ima_policy grep -v "^#" $LSM_POLICY >$IMA_POLICY # import EVM HMAC key # WARNING: "testing123" is a placeholder master key for testing only; see the note below keyctl show |grep -q kmk || keyctl add user kmk "testing123" @u keyctl add encrypted evm-key "load `cat /etc/keys/evm-key`" @u #keyctl revoke kmk # import Module public key mod_id=`keyctl newring _module @u` evmctl import /etc/keys/pubkey_evm.pem $mod_id # import IMA public key ima_id=`keyctl newring _ima @u` evmctl import /etc/keys/pubkey_evm.pem $ima_id # import EVM public key evm_id=`keyctl newring _evm @u` evmctl import /etc/keys/pubkey_evm.pem $evm_id # enable EVM echo "1" > /sys/kernel/security/evm # enable module checking #echo "1" > /sys/kernel/security/module_check Note: the `keyctl add user kmk "testing123" @u` line above is a placeholder. A fixed master key embedded in the initramfs can be read by anyone who unpacks the image, and whoever knows the master key can decrypt evm-key and recompute valid 'security.evm' HMACs for arbitrary files, which defeats EVM's offline tamper detection. In a real deployment load the master key blob created under [trusted and EVM encrypted keys](#creating-trusted-and-evm-encrypted-keys) (a TPM-sealed trusted key where one is available) instead, and revoke or unlink kmk once evm-key has been instantiated (the commented-out 'keyctl revoke kmk' line is there for that purpose). generate new initramfs: update-initramfs -k 3.4.0-rc5-kds+ -u Edit GRUB bootloader /boot/grub/custom.cfg: menuentry 'IMA' { set gfxpayload=$linux_gfx_mode insmod gzio insmod part_msdos insmod ext2 set root='(hd0,msdos1)' # add following string to kernel command line to enable "fix" mode: "ima_appraise=fix evm=fix" linux /boot/vmlinuz-3.4.0-rc5-kds+ root=/dev/sda1 ro nosplash ima_audit=1 ima_tcb=1 ima_appraise_tcb=1 initrd /boot/initrd.img-3.4.0-rc5-kds+ } ## IMA policy examples ### Builtin policies 
**Enabled on the boot command line:** *ima_tcb* - measures all files read as root and all files executed *ima_appraise_tcb* - appraises all files owned by root ### audit log all executables # audit log all executables audit func=BPRM_CHECK mask=MAY_EXEC ### Measure nothing, appraise everything # # Integrity measure policy # # Do not measure anything, but appraise everything # # PROC_SUPER_MAGIC dont_appraise fsmagic=0x9fa0 # SYSFS_MAGIC dont_appraise fsmagic=0x62656572 # DEBUGFS_MAGIC dont_appraise fsmagic=0x64626720 # TMPFS_MAGIC dont_appraise fsmagic=0x01021994 # RAMFS_MAGIC dont_appraise fsmagic=0x858458f6 # DEVPTS_SUPER_MAGIC dont_appraise fsmagic=0x1cd1 # BIFMT dont_appraise fsmagic=0x42494e4d # SECURITYFS_MAGIC dont_appraise fsmagic=0x73636673 # SELINUXFS_MAGIC dont_appraise fsmagic=0xf97cff8c appraise ## ima-evm-utils ima-evm-utils package provides the *evmctl* utility that can be used for producing and verifying digital signatures, which are used by Linux kernel integrity subsystem. It can be also used to import keys into the kernel keyring. evmctl manual page is located here: [http://linux-ima.sourceforge.net/evmctl.1.html](http://linux-ima.sourceforge.net/evmctl.1.html)
## Using IMA/EVM on Android Enabling IMA/EVM is not very difficult task but involves few tricky steps related to file system creation and labeling. Android source code is kept in GIT repositories and usually downloaded using 'repo' tool. IMA/EVM support was implemented using Android 5.0.2 source tree and tested on Huawei P8. Set of patches is located [here](https://sourceforge.net/projects/linux-ima/files/Android%20patches/). ### Kernel configuration Kernel source code is usually located in the 'kernel' folder in the root of the Android source tree. Huawei P8 runs on HiSilicon Kirin 930/935 64 bit ARM CPU. Default kernel configuration file is 'kernel/arch/arm64/configs/hisi_3635_defconfig' Following lines were added: # Integrity CONFIG_INTEGRITY=y CONFIG_IMA=y CONFIG_IMA_MEASURE_PCR_IDX=10 CONFIG_IMA_AUDIT=y CONFIG_IMA_LSM_RULES=y CONFIG_INTEGRITY_SIGNATURE=y CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y CONFIG_IMA_APPRAISE=y CONFIG_EVM=y # Keys CONFIG_KEYS=y CONFIG_KEYS_DEBUG_PROC_KEYS=y CONFIG_TRUSTED_KEYS=y CONFIG_ENCRYPTED_KEYS=y ### Kernel command line parameters Kernel command line parameters are usually specified in board configuration files, such as BoardConfig.mk, for example, 'device/hisi/hi3635/BoardConfig.mk Add following lines to the file: BOARD_KERNEL_CMDLINE += ima_audit=1 BOARD_KERNEL_CMDLINE += ima_tcb ima_appraise_tcb # enable fix mode while testing BOARD_KERNEL_CMDLINE += ima_appraise=fix evm=fix ### IMA boot initialization To boot Android, devices usually have boot partition which is flashed with boot.img. boot.img consist of the kernel and compressed ramdisk which includes Android root filesystem. boot.img is usually protected using digital signature which is verified by the Android bootloader as a part of Secure Boot process. Root filesystem contains Android 'init' system and minimal set of tools, which is required to initialize and mount rest of filesystems, including '/system' and '/data'. 
Android uses own 'init' system (system/core/init) which reads configuration from '/init.rc' and multiple sourced '/init.*.rc' scripts located in the root folder. We used to use shell scripts to load IMA/EVM keys and policy. On desktop systems there is no limitation on ramdisk size, but on Android devices it is limited by the size of the boot partition. Android ramdisk/root filesystem does not include shell, but including adding shell, keyctl, evmctl makes ramdisk so big so that boot.img does not fit to the boot partition. For that reason it was necessary to implement IMA/EVM initialization functionality as native program 'ima-init'. This patch ([0004-ima_init-tool-to-load-IMA-EVM-keys-and-policy.patch](http://sourceforge.net/projects/linux-ima/files/Android%20patches/0004-ima_init-tool-to-load-IMA-EVM-keys-and-policy.patch/view)) adds 'system/extras/ima-init' project to the Android source tree. It builds '/ima-init' initialization program and generates private and public keys to sign filesystem image usign EVM signatures and verify them during runtime. ima-init project also includes 'ima_key_gen.sh' script to generate keys and certificates and also basic 'ima_policy', which needs to be changed based on the particular need. ima-init and public keys are included in the ramdisk root filesystem. In order to initialize IMA/EVM it is necessary add like following configuration to relevant init.rc file: service ima /sbin/ima_init class main user root group root disabled seclabel u:r:init:s0 oneshot Above example add 'ima' service which is used to initialize IMA. IMA service needs to be started using 'start ima' before mounting any real filesystem. For example it was added to the 'on fs' target before mounting 'system' partition. 
on fs mount securityfs none /sys/kernel/security start ima wait /dev/block/mmcblk0p38 mount ext4 /dev/block/mmcblk0p38 /system ro wait /dev/block/mmcblk0p40 mount ext4 /dev/block/mmcblk0p40 /data nosuid nodev noatime data=ordered,i_version ### Mounting filesystems (with iversion) In order IMA would update 'security.ima' when file changes, it is necessary to mount filesystems with i_version support. Android usually mounts all filesystems in init.rc scripts using 'mount' command. Notice in the example above that '/data' partition is mounted using 'i_version' options. Desktop mount tool from mount package recognizes iversion option and pass necessary flag to mount system call. Unrecognized options are passed as a string in the last argument of the mount system call to the kernel filesystem module. Kernel filesystem modules recognize 'i_version' option instead of 'iversion'. Thus on the desktop systems it is possible to use both iversion and i_version options. Android tools do not recognize 'iversion' option. It is necessary to use 'i_version' option. init.rc 'mount' command options are located after the mount point. All except last are 'init' builtin options and *only* the last option is passed as a string to the mount system call. Thus it is necessary to put 'i_version' option as a last option or to add it to the comma separated option list as above. ### Filesystem labeling Filesystem labeling with digital signatures has to be done during image creation process. It can be done using two approaches. The easiest approach is to label ready image. It requires following steps: 1. convert sparse image to normal image using simg2img tool 1. 'loop mount' the image 1. label filesystem using evmctl tool 1. unmount image 1. convert image back to sparse image using img2simg tool But mount operation would require root privileges to mount filesystem. Android 'make_ext4fs' tool is used to create filesystem image. 
It provides support for labeling filesystem using 'security labels' (SELinux). We extended make_ext4fs to compute and set IMA/EVM signatures while creating a filesystem. It uses extended version of 'evmctl' to compute signatures by passing all relevant file metadata using evmctl command line parameters. Here is a patch that adds IMA/EVM support to the make_ext4fs ([0003-IMA-EVM-labelling-support.patch](http://sourceforge.net/projects/linux-ima/files/Android%20patches/0003-IMA-EVM-labelling-support.patch/view)). ### Additional tools It is convenient for testing and debugging to have additional tools such as keyctl and getfattr tools on the device. #### evmctl For Android, 'evmct' is a host only tool to compute IMA/EVM signatures and convert RSA keys to the kernel binary format. 'evmctl' was extended to pass file metadata using command line parameters: --ino use custom inode for EVM --uid use custom UID for EVM --gid use custom GID for EVM --mode use custom Mode for EVM --generation use custom Generation for EVM(unspecified: from FS, empty: use 0) --ima use custom IMA signature for EVM --selinux use custom Selinux label for EVM --caps use custom Capabilities for EVM(unspecified: from FS, empty: do not use) #### keyctl This patch ([0002-keyctl-tool.patch](http://sourceforge.net/projects/linux-ima/files/Android%20patches/0002-keyctl-tool.patch/view)) adds project system/extras/keyctl. #### getfattr This patch ([0001-getfattr-tool.patch](http://sourceforge.net/projects/linux-ima/files/Android%20patches/0001-getfattr-tool.patch/view)) adds project system/extras/getfattr.
## Frequently asked questions - Why is the first entry in the IMA measurement list (/sys/kernel/security ima/ascii_runtime_measurements) are 0's? The first entry is the TPM boot aggregate containing PCR values 0 - 7. Enable the TPM in BIOS and take ownership. - How do I take ownership of the TPM? To take ownership of the TPM, download the tpm-tools, start tcsd (eg. 'service tcsd start'), and execute "tpm_takeownership -u -z". This will set the SRK key to the well-known secret(20 zeroes) and prompt for the TPM owner password. - Why are there 0x00 entries in the measurement list? The measurement list is invalidated, when a regular file is opened for read and, at the same time, opened for write. In the majority of cases, these files should not have been measured in the first place (eg. log files). In other cases, the application needs to be fixed. - Why aren't files re-measured and added to the IMA measurement list after being updated? To detect files changing, the filesystem needs to be mounted with i_version support. For the root filesystem, either update /etc/rc.sysinit or add 'rootflags=i_version' boot command line option. For all other filesystems, modify /etc/fstab. - Why doesn't the measurement list verify? On some systems, after a suspend/resume, the TPM measurement list does not verify. On those systems, add the boot command line option "tpm.suspend_pcr=< unused PCR >". - Why are there two /init entries in the measurement list? The first '/init' is from the initramfs. The second /init is from the root filesystem (eg. /sbin/init). The IMA ng/nglong template patches will provide additional metadata to help correlate measurement entries and files. - Why am I unable to boot the new EVM/IMA-appraisal enabled kernel? After building a new kernel with EVM/IMA-appraisal enabled, the filesystem must be labeled with 'security.evm' and 'security.ima' extended attributes. 
After creating an [EVM key](#creating-trusted-and-evm-encrypted-keys), boot the new kernel with the 'ima_tcb', 'evm=fix', 'ima_appraise_tcb', 'ima_appraise=fix', and, possibly, 'rootflags=i_version' boot command line options. Refer to [labeling the filesystem](#labeling-the-filesystem-with-securityevm) with 'security.evm'. - How do I enable the measurement policy for local/remote attestation, without enabling IMA-appraisal? Boot with the 'ima_tcb' command line option. - How do I enable the appraise policy, without the measurement policy? Boot with the 'ima_appraise_tcb' command line option. ## Links - IMA/EVM utils man page: [http://linux-ima.sourceforge.net/evmctl.1.html](http://linux-ima.sourceforge.net/evmctl.1.html) - Linux IMA project page: [https://sourceforge.net/projects/linux-ima/](https://sourceforge.net/projects/linux-ima/ "https://sourceforge.net/projects/linux-ima/") - Old web site: [http://linux-ima.sourceforge.net/](http://linux-ima.sourceforge.net/ "http://linux-ima.sourceforge.net/") - GIT repositories: [https://sourceforge.net/p/linux-ima/ima-evm-utils](https://sourceforge.net/p/linux-ima/ima-evm-utils/) [Old](/apps/mediawiki/linux-ima/index.php?title=Main_Page_OLD "Old") Converted from http://sourceforge.net/apps/mediawiki/linux-ima/index.php?title=Main_Page_OLD [[project_screenshots]] [[project_admins]] [[download_button]] ima-evm-utils-1.5/examples/000077500000000000000000000000001440135744700156775ustar00rootroot00000000000000ima-evm-utils-1.5/examples/ima-gen-local-ca.sh000077500000000000000000000012111440135744700212170ustar00rootroot00000000000000#!/bin/sh GENKEY=ima-local-ca.genkey cat << __EOF__ >$GENKEY [ req ] default_bits = 2048 distinguished_name = req_distinguished_name prompt = no string_mask = utf8only x509_extensions = v3_ca [ req_distinguished_name ] O = IMA-CA CN = IMA/EVM certificate signing key emailAddress = ca@ima-ca [ v3_ca ] basicConstraints=CA:TRUE subjectKeyIdentifier=hash 
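authorityKeyIdentifier=keyid:always,issuer
# keyUsage = cRLSign, keyCertSign
__EOF__

# Self-signed local CA certificate (DER for the kernel, PEM for openssl).
# Sign with SHA-256: SHA-1 certificate signatures are deprecated and are
# rejected at the default security level of current OpenSSL releases.
openssl req -new -x509 -utf8 -sha256 -days 3650 -batch -config $GENKEY \
	-outform DER -out ima-local-ca.x509 -keyout ima-local-ca.priv
openssl x509 -inform DER -in ima-local-ca.x509 -out ima-local-ca.pem
ima-evm-utils-1.5/examples/ima-genkey-self.sh000077500000000000000000000011651440135744700212160ustar00rootroot00000000000000
#!/bin/sh
# Generate a self-signed IMA/EVM signing certificate (x509_evm.der) plus the
# matching unencrypted private key (privkey_evm.pem) and public key
# (pubkey_evm.pem).
GENKEY=x509_evm.genkey

cat << __EOF__ >$GENKEY
[ req ]
# 2048 bits: 1024-bit RSA is below current minimum key-size recommendations.
default_bits = 2048
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = myexts

[ req_distinguished_name ]
O = `hostname`
CN = `whoami` signing key
emailAddress = `whoami`@`hostname`

[ myexts ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
__EOF__

# -sha256 rather than -sha1 for the certificate signature (see above).
openssl req -x509 -new -nodes -utf8 -sha256 -days 3650 -batch -config $GENKEY \
	-outform DER -out x509_evm.der -keyout privkey_evm.pem
openssl rsa -pubout -in privkey_evm.pem -out pubkey_evm.pem
ima-evm-utils-1.5/examples/ima-genkey.sh000077500000000000000000000015211440135744700202630ustar00rootroot00000000000000
#!/bin/sh
# Generate an IMA signing key (privkey_ima.pem) and have it certified by the
# local CA produced by ima-gen-local-ca.sh (x509_ima.der, DER for the kernel).
GENKEY=ima.genkey

cat << __EOF__ >$GENKEY
[ req ]
# 2048 bits: 1024-bit RSA is below current minimum key-size recommendations.
default_bits = 2048
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = v3_usr

[ req_distinguished_name ]
O = `hostname`
CN = `whoami` signing key
emailAddress = `whoami`@`hostname`

[ v3_usr ]
basicConstraints=critical,CA:FALSE
#basicConstraints=CA:FALSE
keyUsage=digitalSignature
#keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
#authorityKeyIdentifier=keyid,issuer
__EOF__

# Request and CA signature both use SHA-256; the explicit -sha256 on the
# x509 step avoids depending on the installed OpenSSL's default digest.
openssl req -new -nodes -utf8 -sha256 -days 365 -batch -config $GENKEY \
	-out csr_ima.pem -keyout privkey_ima.pem
openssl x509 -req -sha256 -in csr_ima.pem -days 365 -extfile $GENKEY -extensions v3_usr \
	-CA ima-local-ca.pem -CAkey ima-local-ca.priv -CAcreateserial \
	-outform DER -out x509_ima.der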
ima-evm-utils-1.5/kernel-configs/000077500000000000000000000000001440135744700167675ustar00rootroot00000000000000ima-evm-utils-1.5/kernel-configs/base000066400000000000000000000124121440135744700176240ustar00rootroot00000000000000CONFIG_LOCALVERSION="-dont-use" CONFIG_WATCH_QUEUE=y CONFIG_AUDIT=y CONFIG_AUDITSYSCALL=y CONFIG_HZ_PERIODIC=y CONFIG_LOG_BUF_SHIFT=17 CONFIG_USER_NS=y CONFIG_PID_NS=y CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE=y CONFIG_KALLSYMS_ALL=y CONFIG_SYSTEM_DATA_VERIFICATION=y CONFIG_TRACEPOINTS=y CONFIG_CON_CHAN="xterm" CONFIG_SSL_CHAN="pty" CONFIG_MODULE_SIG_FORMAT=y CONFIG_MODULE_SIG=y CONFIG_MODULE_SIG_FORCE=y CONFIG_MODULE_SIG_ALL=y CONFIG_MODULE_SIG_SHA1=y CONFIG_MODULE_SIG_HASH="sha1" CONFIG_MODULES_TREE_LOOKUP=y CONFIG_BLK_DEBUG_FS=y CONFIG_ASN1=y CONFIG_UNINLINE_SPIN_UNLOCK=y CONFIG_SLUB=y CONFIG_COMPACTION=y CONFIG_COMPACT_UNEVICTABLE_DEFAULT=1 CONFIG_MIGRATION=y CONFIG_BLK_DEV_LOOP=y CONFIG_LEGACY_PTY_COUNT=256 CONFIG_NULL_TTY=y CONFIG_SERIAL_DEV_BUS=y CONFIG_SERIAL_DEV_CTRL_TTYPORT=y CONFIG_VALIDATE_FS_PARSER=y CONFIG_EXT4_FS_POSIX_ACL=y CONFIG_EXT4_FS_SECURITY=y CONFIG_EXT4_DEBUG=y CONFIG_REISERFS_FS_XATTR=y CONFIG_REISERFS_FS_POSIX_ACL=y CONFIG_REISERFS_FS_SECURITY=y CONFIG_FS_POSIX_ACL=y CONFIG_FS_VERITY=y CONFIG_FS_VERITY_BUILTIN_SIGNATURES=y CONFIG_TMPFS_POSIX_ACL=y CONFIG_TMPFS_XATTR=y CONFIG_CONFIGFS_FS=y CONFIG_KEYS=y CONFIG_ENCRYPTED_KEYS=y CONFIG_SECURITY=y CONFIG_SECURITYFS=y CONFIG_SECURITY_NETWORK=y CONFIG_SECURITY_PATH=y CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,bpf" CONFIG_CRYPTO_AEAD2=y CONFIG_CRYPTO_SKCIPHER=y CONFIG_CRYPTO_SKCIPHER2=y CONFIG_CRYPTO_RNG=y CONFIG_CRYPTO_RNG2=y CONFIG_CRYPTO_RNG_DEFAULT=y CONFIG_CRYPTO_AKCIPHER2=y CONFIG_CRYPTO_AKCIPHER=y CONFIG_CRYPTO_KPP2=y CONFIG_CRYPTO_ACOMP2=y CONFIG_CRYPTO_MANAGER=y CONFIG_CRYPTO_MANAGER2=y CONFIG_CRYPTO_NULL2=y CONFIG_CRYPTO_RSA=y CONFIG_CRYPTO_ECC=y CONFIG_CRYPTO_ECDSA=y CONFIG_CRYPTO_AES=y CONFIG_CRYPTO_CBC=y CONFIG_CRYPTO_HMAC=y CONFIG_CRYPTO_MD5=y 
CONFIG_CRYPTO_SHA1=y CONFIG_CRYPTO_SHA256=y CONFIG_CRYPTO_SHA512=y CONFIG_CRYPTO_WP512=y CONFIG_CRYPTO_LZO=y CONFIG_CRYPTO_ZSTD=y CONFIG_CRYPTO_DRBG_MENU=y CONFIG_CRYPTO_DRBG_HMAC=y CONFIG_CRYPTO_DRBG=y CONFIG_CRYPTO_JITTERENTROPY=y CONFIG_CRYPTO_HASH_INFO=y CONFIG_ASYMMETRIC_KEY_TYPE=y CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y CONFIG_X509_CERTIFICATE_PARSER=y CONFIG_PKCS8_PRIVATE_KEY_PARSER=y CONFIG_PKCS7_MESSAGE_PARSER=y CONFIG_PKCS7_TEST_KEY=y CONFIG_SIGNED_PE_FILE_VERIFICATION=y CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" CONFIG_MODULE_SIG_KEY_TYPE_RSA=y CONFIG_SYSTEM_TRUSTED_KEYRING=y CONFIG_SYSTEM_TRUSTED_KEYS="" CONFIG_SYSTEM_EXTRA_CERTIFICATE=y CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE=4096 CONFIG_SECONDARY_TRUSTED_KEYRING=y CONFIG_SYSTEM_BLACKLIST_KEYRING=y CONFIG_SYSTEM_BLACKLIST_HASH_LIST="" CONFIG_SYSTEM_REVOCATION_LIST=y CONFIG_SYSTEM_REVOCATION_KEYS="" CONFIG_SYSTEM_BLACKLIST_AUTH_UPDATE=y CONFIG_BINARY_PRINTF=y CONFIG_CRYPTO_LIB_AES=y CONFIG_CRYPTO_LIB_SHA256=y CONFIG_CRC_CCITT=y CONFIG_XXHASH=y CONFIG_AUDIT_GENERIC=y CONFIG_LZO_COMPRESS=y CONFIG_LZO_DECOMPRESS=y CONFIG_ZSTD_COMMON=y CONFIG_ZSTD_COMPRESS=y CONFIG_ZSTD_DECOMPRESS=y CONFIG_ASSOCIATIVE_ARRAY=y CONFIG_SGL_ALLOC=y CONFIG_GLOB=y CONFIG_CLZ_TAB=y CONFIG_MPILIB=y CONFIG_SIGNATURE=y CONFIG_OID_REGISTRY=y CONFIG_STACKDEPOT=y CONFIG_STACKDEPOT_ALWAYS_INIT=y CONFIG_PRINTK_TIME=y CONFIG_PRINTK_CALLER=y CONFIG_DYNAMIC_DEBUG=y CONFIG_DYNAMIC_DEBUG_CORE=y CONFIG_DEBUG_INFO_DWARF5=y CONFIG_GDB_SCRIPTS=y CONFIG_FRAME_WARN=2048 CONFIG_READABLE_ASM=y CONFIG_DEBUG_SECTION_MISMATCH=y CONFIG_DEBUG_FS=y CONFIG_DEBUG_FS_ALLOW_ALL=y CONFIG_UBSAN=y CONFIG_CC_HAS_UBSAN_BOUNDS=y CONFIG_UBSAN_BOUNDS=y CONFIG_UBSAN_ONLY_BOUNDS=y CONFIG_UBSAN_SHIFT=y CONFIG_UBSAN_DIV_ZERO=y CONFIG_UBSAN_BOOL=y CONFIG_UBSAN_ENUM=y CONFIG_UBSAN_ALIGNMENT=y CONFIG_PAGE_EXTENSION=y CONFIG_DEBUG_PAGEALLOC=y CONFIG_DEBUG_PAGEALLOC_ENABLE_DEFAULT=y CONFIG_SLUB_DEBUG=y CONFIG_SLUB_DEBUG_ON=y CONFIG_PAGE_OWNER=y CONFIG_PAGE_POISONING=y 
CONFIG_DEBUG_OBJECTS=y CONFIG_DEBUG_OBJECTS_FREE=y CONFIG_DEBUG_OBJECTS_TIMERS=y CONFIG_DEBUG_OBJECTS_WORK=y CONFIG_DEBUG_OBJECTS_RCU_HEAD=y CONFIG_DEBUG_OBJECTS_PERCPU_COUNTER=y CONFIG_DEBUG_OBJECTS_ENABLE_DEFAULT=1 CONFIG_DEBUG_KMEMLEAK=y CONFIG_DEBUG_KMEMLEAK_MEM_POOL_SIZE=16000 CONFIG_DEBUG_KMEMLEAK_AUTO_SCAN=y CONFIG_DEBUG_STACK_USAGE=y CONFIG_SCHED_STACK_END_CHECK=y CONFIG_DEBUG_SHIRQ=y CONFIG_PANIC_ON_OOPS=y CONFIG_PANIC_ON_OOPS_VALUE=1 CONFIG_LOCKUP_DETECTOR=y CONFIG_SOFTLOCKUP_DETECTOR=y CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC=y CONFIG_DETECT_HUNG_TASK=y CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=120 CONFIG_BOOTPARAM_HUNG_TASK_PANIC=y CONFIG_WQ_WATCHDOG=y CONFIG_DEBUG_TIMEKEEPING=y CONFIG_PROVE_LOCKING=y CONFIG_PROVE_RAW_LOCK_NESTING=y CONFIG_LOCK_STAT=y CONFIG_DEBUG_RT_MUTEXES=y CONFIG_DEBUG_SPINLOCK=y CONFIG_DEBUG_MUTEXES=y CONFIG_DEBUG_WW_MUTEX_SLOWPATH=y CONFIG_DEBUG_RWSEMS=y CONFIG_DEBUG_LOCK_ALLOC=y CONFIG_LOCKDEP=y CONFIG_LOCKDEP_BITS=15 CONFIG_LOCKDEP_CHAINS_BITS=16 CONFIG_LOCKDEP_STACK_TRACE_BITS=19 CONFIG_LOCKDEP_STACK_TRACE_HASH_BITS=14 CONFIG_LOCKDEP_CIRCULAR_QUEUE_BITS=12 CONFIG_WW_MUTEX_SELFTEST=y CONFIG_CSD_LOCK_WAIT_DEBUG=y CONFIG_TRACE_IRQFLAGS=y CONFIG_DEBUG_IRQFLAGS=y CONFIG_DEBUG_LIST=y CONFIG_DEBUG_PLIST=y CONFIG_DEBUG_NOTIFIERS=y CONFIG_BUG_ON_DATA_CORRUPTION=y CONFIG_PROVE_RCU=y CONFIG_RCU_TRACE=y CONFIG_NOP_TRACER=y CONFIG_TRACE_CLOCK=y CONFIG_RING_BUFFER=y CONFIG_EVENT_TRACING=y CONFIG_CONTEXT_SWITCH_TRACER=y CONFIG_PREEMPTIRQ_TRACEPOINTS=y CONFIG_TRACING=y CONFIG_DRM=n CONFIG_USB=n CONFIG_SOUND=n CONFIG_9P_FS=y CONFIG_9P_FS_POSIX_ACL=y CONFIG_9P_FS_SECURITY=y CONFIG_ETHERNET=n CONFIG_WLAN=n ima-evm-utils-1.5/kernel-configs/integrity000066400000000000000000000015101440135744700207250ustar00rootroot00000000000000CONFIG_INTEGRITY=y CONFIG_INTEGRITY_SIGNATURE=y CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y CONFIG_INTEGRITY_TRUSTED_KEYRING=y CONFIG_INTEGRITY_AUDIT=y CONFIG_IMA=y CONFIG_IMA_MEASURE_PCR_IDX=10 CONFIG_IMA_NG_TEMPLATE=y 
CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng" CONFIG_IMA_DEFAULT_HASH_SHA256=y CONFIG_IMA_DEFAULT_HASH="sha256" CONFIG_IMA_WRITE_POLICY=y CONFIG_IMA_READ_POLICY=y CONFIG_IMA_APPRAISE=y CONFIG_IMA_ARCH_POLICY=y CONFIG_IMA_APPRAISE_BUILD_POLICY=y CONFIG_IMA_APPRAISE_BOOTPARAM=y CONFIG_IMA_APPRAISE_MODSIG=y CONFIG_IMA_TRUSTED_KEYRING=y CONFIG_IMA_BLACKLIST_KEYRING=y CONFIG_IMA_LOAD_X509=y CONFIG_IMA_X509_PATH="/etc/keys/x509_ima.der" CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y CONFIG_EVM=y CONFIG_EVM_ATTR_FSUUID=y CONFIG_EVM_ADD_XATTRS=y CONFIG_EVM_LOAD_X509=y CONFIG_EVM_X509_PATH="/etc/keys/x509_evm.der" ima-evm-utils-1.5/m4/000077500000000000000000000000001440135744700144015ustar00rootroot00000000000000ima-evm-utils-1.5/m4/default-hash-algo.m4000066400000000000000000000023131440135744700201270ustar00rootroot00000000000000dnl Copyright (c) 2021 Bruno Meneguele dnl Check hash algorithm availability in the kernel dnl dnl $1 - $KERNEL_HEADERS AC_DEFUN([AX_DEFAULT_HASH_ALGO], [ HASH_INFO_HEADER="$1/include/uapi/linux/hash_info.h" AC_ARG_WITH([default_hash], AS_HELP_STRING([--with-default-hash=ALGORITHM], [specifies the default hash algorithm to be used]), [HASH_ALGO=$withval], [HASH_ALGO=sha256]) AC_PROG_SED() HASH_ALGO="$(echo $HASH_ALGO | $SED 's/\(.*\)/\L\1\E/')" AC_CHECK_HEADER([$HASH_INFO_HEADER], [HAVE_HASH_INFO_HEADER=yes], [AC_MSG_WARN([$HASH_INFO_HEADER not found.])]) if test "x$HAVE_HASH_INFO_HEADER" = "x"; then AC_MSG_RESULT([using $HASH_ALGO algorithm as default hash algorith]) AC_DEFINE_UNQUOTED(DEFAULT_HASH_ALGO, "$HASH_ALGO", [Define default hash algorithm]) else AC_PROG_GREP() $SED -n 's/HASH_ALGO_\(.*\),/\L\1\E/p' $HASH_INFO_HEADER | $GREP -w $HASH_ALGO > /dev/null have_hash=$? 
if test $have_hash -ne 0; then AC_MSG_ERROR([$HASH_ALGO algorithm specified, but not provided by the kernel], 1) else AC_MSG_NOTICE([using $HASH_ALGO as default hash algorithm]) AC_DEFINE_UNQUOTED(DEFAULT_HASH_ALGO, "$HASH_ALGO", [Define default hash algorithm]) fi fi ]) ima-evm-utils-1.5/m4/manpage-docbook-xsl.m4000066400000000000000000000031101440135744700204700ustar00rootroot00000000000000dnl Copyright (c) 2018-2020 Petr Vorel dnl Find docbook manpage stylesheet AC_DEFUN([EVMCTL_MANPAGE_DOCBOOK_XSL], [ DOCBOOK_XSL_URI="http://docbook.sourceforge.net/release/xsl/current" DOCBOOK_XSL_PATH="manpages/docbook.xsl" AC_PATH_PROGS(XMLCATALOG, xmlcatalog) AC_ARG_WITH([xml-catalog], AS_HELP_STRING([--with-xml-catalog=CATALOG], [path to xml catalog to use]),, [with_xml_catalog=/etc/xml/catalog]) XML_CATALOG_FILE="$with_xml_catalog" AC_SUBST([XML_CATALOG_FILE]) if test "x${XMLCATALOG}" = "x"; then AC_MSG_WARN([xmlcatalog not found, cannot search for $DOCBOOK_XSL_PATH]) else AC_MSG_CHECKING([for XML catalog ($XML_CATALOG_FILE)]) if test -f "$XML_CATALOG_FILE"; then have_xmlcatalog_file=yes AC_MSG_RESULT([found]) else AC_MSG_RESULT([not found, cannot search for $DOCBOOK_XSL_PATH]) fi fi if test "x${XMLCATALOG}" != "x" -a "x$have_xmlcatalog_file" = "xyes"; then MANPAGE_DOCBOOK_XSL=$(${XMLCATALOG} ${XML_CATALOG_FILE} ${DOCBOOK_XSL_URI}/${DOCBOOK_XSL_PATH} | sed 's|^file:/\+|/|') fi if test "x${MANPAGE_DOCBOOK_XSL}" = "x"; then MANPAGE_DOCBOOK_XSL="/usr/share/xml/docbook/stylesheet/docbook-xsl/manpages/docbook.xsl" AC_MSG_WARN([trying a default path for $DOCBOOK_XSL_PATH]) fi if test -f "$MANPAGE_DOCBOOK_XSL"; then have_doc=yes AC_MSG_NOTICE([using $MANPAGE_DOCBOOK_XSL for generating doc]) else AC_MSG_WARN([$DOCBOOK_XSL_PATH not found, generating doc will be skipped]) MANPAGE_DOCBOOK_XSL= have_doc=no fi AM_CONDITIONAL(MANPAGE_DOCBOOK_XSL, test "x$have_doc" = xyes) AC_SUBST(MANPAGE_DOCBOOK_XSL) ]) 
ima-evm-utils-1.5/packaging/000077500000000000000000000000001440135744700160055ustar00rootroot00000000000000ima-evm-utils-1.5/packaging/ima-evm-utils.spec000066400000000000000000000015221440135744700213520ustar00rootroot00000000000000Name: ima-evm-utils Version: 1.5 Release: 1%{?dist} Summary: ima-evm-utils - IMA/EVM control utility Group: System/Libraries License: GPLv2 #URL: Source0: %{name}-%{version}.tar.gz BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root BuildRequires: autoconf BuildRequires: automake BuildRequires: openssl-devel BuildRequires: keyutils-libs-devel %description This package provide IMA/EVM control utility %prep %setup -q %build ./autogen.sh %configure --prefix=/usr make %install rm -rf %{buildroot} make DESTDIR=%{buildroot} install %clean rm -rf %{buildroot} %post /sbin/ldconfig exit 0 %preun -p /sbin/ldconfig %postun /sbin/ldconfig %files %defattr(-,root,root,-) %{_bindir}/* %{_libdir}/libimaevm.* %{_includedir}/* %changelog * Thu Apr 05 2012 Dmitry Kasatkin - Initial RPM spec file ima-evm-utils-1.5/packaging/ima-evm-utils.spec.in000066400000000000000000000015421440135744700217610ustar00rootroot00000000000000Name: @PACKAGE_NAME@ Version: @PACKAGE_VERSION@ Release: 1%{?dist} Summary: @PACKAGE_NAME@ - IMA/EVM control utility Group: System/Libraries License: GPLv2 #URL: Source0: %{name}-%{version}.tar.gz BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root BuildRequires: autoconf BuildRequires: automake BuildRequires: openssl-devel BuildRequires: keyutils-libs-devel %description This package provide IMA/EVM control utility %prep %setup -q %build ./autogen.sh %configure --prefix=/usr make %install rm -rf %{buildroot} make DESTDIR=%{buildroot} install %clean rm -rf %{buildroot} %post /sbin/ldconfig exit 0 %preun -p /sbin/ldconfig %postun /sbin/ldconfig %files %defattr(-,root,root,-) %{_bindir}/* %{_libdir}/libimaevm.* %{_includedir}/* %changelog * Thu Apr 05 2012 Dmitry Kasatkin - Initial RPM spec file 
ima-evm-utils-1.5/src/000077500000000000000000000000001440135744700146505ustar00rootroot00000000000000ima-evm-utils-1.5/src/.gitignore000066400000000000000000000000341440135744700166350ustar00rootroot00000000000000hash_info.h tmp_hash_info.h ima-evm-utils-1.5/src/Makefile.am000066400000000000000000000025761440135744700167160ustar00rootroot00000000000000lib_LTLIBRARIES = libimaevm.la libimaevm_la_SOURCES = libimaevm.c libimaevm_la_CPPFLAGS = $(AM_CPPFLAGS) $(LIBCRYPTO_CFLAGS) # current[:revision[:age]] # result: [current-age].age.revision libimaevm_la_LDFLAGS = -version-info 4:0:0 libimaevm_la_LIBADD = $(LIBCRYPTO_LIBS) if CONFIG_SIGV1 libimaevm_la_CFLAGS = -DCONFIG_SIGV1 endif if CONFIG_IMA_EVM_ENGINE libimaevm_la_CFLAGS = -DCONFIG_IMA_EVM_ENGINE endif include_HEADERS = imaevm.h nodist_libimaevm_la_SOURCES = hash_info.h BUILT_SOURCES = hash_info.h EXTRA_DIST = hash_info.gen hash_info.h: Makefile $(srcdir)/hash_info.gen $(KERNEL_HEADERS) >$@ bin_PROGRAMS = evmctl evmctl_SOURCES = evmctl.c utils.c evmctl_CPPFLAGS = $(AM_CPPFLAGS) $(LIBCRYPTO_CFLAGS) evmctl_LDFLAGS = $(LDFLAGS_READLINE) evmctl_LDADD = $(LIBCRYPTO_LIBS) -lkeyutils libimaevm.la # Enable IMA signature version 1 if CONFIG_SIGV1 evmctl_CFLAGS = -DCONFIG_SIGV1 endif # Enable "--engine" support if CONFIG_IMA_EVM_ENGINE evmctl_CFLAGS = -DCONFIG_IMA_EVM_ENGINE endif # USE_PCRTSS uses the Intel TSS if USE_PCRTSS evmctl_SOURCES += pcr_tss.c # USE_IBMTSS uses the IBM TSS else if USE_IBMTSS evmctl_SOURCES += pcr_ibmtss.c evmctl_LDADD += -libmtss # uses the IBM TSS command line utilities else evmctl_SOURCES += pcr_tsspcrread.c endif endif AM_CPPFLAGS = -I$(top_srcdir) -include config.h CLEANFILES = hash_info.h tmp_hash_info.h DISTCLEANFILES = @DISTCLEANFILES@ ima-evm-utils-1.5/src/evmctl.c000066400000000000000000002233231440135744700163130ustar00rootroot00000000000000/* * ima-evm-utils - IMA/EVM support utilities * * Copyright (C) 2011 Nokia Corporation * Copyright (C) 2011,2012,2013 Intel Corporation * Copyright 
(C) 2013,2014 Samsung Electronics * * Authors: * Dmitry Kasatkin * * * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License * version 2 as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program. If not, see . * * As a special exception, the copyright holders give permission to link the * code of portions of this program with the OpenSSL library under certain * conditions as described in each individual source file and distribute * linked combinations including the program with the OpenSSL library. You * must comply with the GNU General Public License in all respects * for all of the code used other than as permitted herein. If you modify * file(s) with this exception, you may extend this exception to your * version of the file(s), but you are not obligated to do so. If you do not * wish to do so, delete this exception statement from your version. If you * delete this exception statement from all source files in the program, * then also delete it in the license file. 
* * File: evmctl.c * IMA/EVM control program */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #if CONFIG_IMA_EVM_ENGINE #include #endif #include #include "hash_info.h" #include "pcr.h" #include "utils.h" #ifndef XATTR_APPAARMOR_SUFFIX #define XATTR_APPARMOR_SUFFIX "apparmor" #define XATTR_NAME_APPARMOR XATTR_SECURITY_PREFIX XATTR_APPARMOR_SUFFIX #endif #define USE_FPRINTF #include "imaevm.h" static char *evm_default_xattrs[] = { XATTR_NAME_SELINUX, XATTR_NAME_SMACK, XATTR_NAME_APPARMOR, XATTR_NAME_IMA, XATTR_NAME_CAPS, NULL }; static char *evm_extra_smack_xattrs[] = { XATTR_NAME_SELINUX, XATTR_NAME_SMACK, XATTR_NAME_SMACKEXEC, XATTR_NAME_SMACKTRANSMUTE, XATTR_NAME_SMACKMMAP, XATTR_NAME_APPARMOR, XATTR_NAME_IMA, XATTR_NAME_CAPS, NULL }; static char **evm_config_xattrnames = evm_default_xattrs; struct command { char *name; int (*func)(struct command *cmd); int cmd; char *arg; char *msg; /* extra info message */ }; static int g_argc; static char **g_argv; static int xattr = 1; static bool check_xattr; static int sigdump; static int digest; static int digsig; static int sigfile; static char *uuid_str; static char *ino_str; static char *uid_str; static char *gid_str; static char *mode_str; static char *generation_str; static char *caps_str; static char *ima_str; static char *selinux_str; static char *search_type; static char *verify_bank; static int verify_list_sig; static int recursive; static int msize; static dev_t fs_dev; static bool evm_immutable; static bool evm_portable; static bool veritysig; static bool hwtpm; #define HMAC_FLAG_NO_UUID 0x0001 #define HMAC_FLAG_CAPS_SET 0x0002 static unsigned long hmac_flags; typedef int (*find_cb_t)(const char *path); static int find(const char *path, int dts, find_cb_t func); #define REG_MASK (1 << DT_REG) struct command cmds[]; static void 
print_usage(struct command *cmd); static const char *xattr_ima = "security.ima"; static const char *xattr_evm = "security.evm"; struct tpm_bank_info { int digest_size; int supported; const char *algo_name; uint8_t digest[MAX_DIGEST_SIZE]; uint8_t pcr[NUM_PCRS][MAX_DIGEST_SIZE]; }; /* One --pcrs file per hash-algorithm/bank */ #define MAX_PCRFILE 2 static char *pcrfile[MAX_PCRFILE]; static unsigned npcrfile; #define log_errno_reset(level, fmt, args...) \ {do_log(level, fmt " (errno: %s)\n", ##args, strerror(errno)); errno = 0; } static int bin2file(const char *file, const char *ext, const unsigned char *data, int len) { FILE *fp; char name[strlen(file) + (ext ? strlen(ext) : 0) + 2]; int err; if (ext) sprintf(name, "%s.%s", file, ext); else sprintf(name, "%s", file); log_info("Writing to %s\n", name); fp = fopen(name, "w"); if (!fp) { log_err("Failed to open: %s\n", name); return -1; } err = fwrite(data, len, 1, fp); fclose(fp); return err; } static unsigned char *file2bin(const char *file, const char *ext, int *size) { FILE *fp; size_t len; unsigned char *data; char name[strlen(file) + (ext ? 
strlen(ext) : 0) + 2]; struct stat stats; if (ext) sprintf(name, "%s.%s", file, ext); else sprintf(name, "%s", file); log_info("Reading to %s\n", name); fp = fopen(name, "r"); if (!fp) { log_err("Failed to open: %s\n", name); return NULL; } if (fstat(fileno(fp), &stats) == -1) { log_err("Failed to fstat: %s (%s)\n", name, strerror(errno)); fclose(fp); return NULL; } len = stats.st_size; data = malloc(len); if (!data) { log_err("Failed to malloc %zu bytes: %s\n", len, name); fclose(fp); return NULL; } if (fread(data, len, 1, fp) != 1) { log_err("Failed to fread %zu bytes: %s\n", len, name); fclose(fp); free(data); return NULL; } fclose(fp); *size = (int)len; return data; } static int find_xattr(const char *list, int list_size, const char *xattr) { int len; for (; list_size > 0; len++, list_size -= len, list += len) { len = strlen(list); if (!strcmp(list, xattr)) return 1; } return 0; } #define hex_asc_lo(x) hex_asc[((x) & 0x0f)] #define hex_asc_hi(x) hex_asc[((x) & 0xf0) >> 4] const char hex_asc[] = "0123456789abcdef"; /* this is faster than fprintf - makes sense? 
*/ static void bin2hex(uint8_t *buf, size_t buflen, FILE *stream) { char asciihex[2]; for (; buflen--; buf++) { asciihex[0] = hex_asc_hi(*buf); asciihex[1] = hex_asc_lo(*buf); fwrite(asciihex, 2, 1, stream); } } static int pack_uuid(const char *uuid_str, char *uuid) { int i; char *to = uuid; for (i = 0; i < 16; ++i) { if (!uuid_str[0] || !uuid_str[1]) { log_err("wrong UUID format\n"); return -1; } *to++ = (hex_to_bin(*uuid_str) << 4) | (hex_to_bin(*(uuid_str + 1))); uuid_str += 2; switch (i) { case 3: case 5: case 7: case 9: if (*uuid_str != '-') { log_err("wrong UUID format\n"); return -1; } uuid_str++; continue; } } log_info("uuid: "); log_dump(uuid, 16); return 0; } static int get_uuid(struct stat *st, char *uuid) { uint32_t dev; unsigned minor, major; char path[PATH_MAX], _uuid[37]; FILE *fp; size_t len; if (uuid_str) return pack_uuid(uuid_str, uuid); dev = st->st_dev; major = (dev & 0xfff00) >> 8; minor = (dev & 0xff) | ((dev >> 12) & 0xfff00); log_debug("dev: %u:%u\n", major, minor); sprintf(path, "blkid -s UUID -o value /dev/block/%u:%u", major, minor); fp = popen(path, "r"); if (!fp) goto err; len = fread(_uuid, 1, sizeof(_uuid), fp); pclose(fp); if (len != sizeof(_uuid)) goto err; return pack_uuid(_uuid, uuid); err: log_err("Failed to read UUID. Root access might require.\n"); return -1; } /* * calc_evm_hash - calculate the file metadata hash * * Returns 0 for EVP_ function failures. Return -1 for other failures. * Return hash algorithm size on success. 
*/ static int calc_evm_hash(const char *file, unsigned char *hash) { const EVP_MD *md; struct stat st; int err = -1; uint32_t generation = 0; EVP_MD_CTX *pctx; unsigned int mdlen; char **xattrname; char xattr_value[1024]; char list[1024]; ssize_t list_size; char uuid[16]; struct h_misc_64 hmac_misc; int hmac_size; #if OPENSSL_VERSION_NUMBER < 0x10100000 EVP_MD_CTX ctx; pctx = &ctx; #endif if (lstat(file, &st)) { log_errno_reset(LOG_ERR, "Failed to stat: %s", file); return -1; } if (generation_str) generation = strtoul(generation_str, NULL, 10); if (ino_str) st.st_ino = strtoul(ino_str, NULL, 10); if (uid_str) st.st_uid = strtoul(uid_str, NULL, 10); if (gid_str) st.st_gid = strtoul(gid_str, NULL, 10); if (mode_str) st.st_mode = strtoul(mode_str, NULL, 10); if (!evm_immutable) { if (S_ISREG(st.st_mode) && !generation_str) { int fd = open(file, 0); if (fd < 0) { log_err("Failed to open: %s\n", file); return -1; } if (ioctl(fd, FS_IOC_GETVERSION, &generation)) { log_err("ioctl() failed\n"); close(fd); return -1; } close(fd); } log_info("generation: %u\n", generation); } list_size = llistxattr(file, list, sizeof(list)); if (list_size < 0) { log_errno_reset(LOG_ERR, "llistxattr() failed"); return -1; } #if OPENSSL_VERSION_NUMBER >= 0x10100000 pctx = EVP_MD_CTX_new(); if (!pctx) { log_err("EVP_MD_CTX_new() failed\n"); return 0; } #endif md = EVP_get_digestbyname(imaevm_params.hash_algo); if (!md) { log_err("EVP_get_digestbyname(%s) failed\n", imaevm_params.hash_algo); err = 0; goto out; } err = EVP_DigestInit(pctx, md); if (!err) { log_err("EVP_DigestInit() failed\n"); goto out; } for (xattrname = evm_config_xattrnames; *xattrname != NULL; xattrname++) { int use_xattr_ima = 0; if (!strcmp(*xattrname, XATTR_NAME_SELINUX) && selinux_str) { err = strlen(selinux_str) + 1; if (err > sizeof(xattr_value)) { log_err("selinux[%u] value is too long to fit into xattr[%zu]\n", err, sizeof(xattr_value)); err = -1; goto out; } strcpy(xattr_value, selinux_str); } else if 
(!strcmp(*xattrname, XATTR_NAME_IMA) && ima_str) { err = strlen(ima_str) / 2; if (err > sizeof(xattr_value)) { log_err("ima[%u] value is too long to fit into xattr[%zu]\n", err, sizeof(xattr_value)); err = -1; goto out; } hex2bin(xattr_value, ima_str, err); } else if (!strcmp(*xattrname, XATTR_NAME_IMA) && evm_portable){ err = lgetxattr(file, xattr_ima, xattr_value, sizeof(xattr_value)); if (err < 0) { log_err("EVM portable sig: %s required\n", xattr_ima); goto out; } use_xattr_ima = 1; } else if (!strcmp(*xattrname, XATTR_NAME_CAPS) && (hmac_flags & HMAC_FLAG_CAPS_SET)) { if (!caps_str) continue; err = strlen(caps_str); if (err >= sizeof(xattr_value)) { log_err("caps[%u] value is too long to fit into xattr[%zu]\n", err + 1, sizeof(xattr_value)); err = -1; goto out; } strcpy(xattr_value, caps_str); } else { err = lgetxattr(file, *xattrname, xattr_value, sizeof(xattr_value)); if (err < 0) { log_info("no xattr: %s\n", *xattrname); continue; } if (!find_xattr(list, list_size, *xattrname)) { log_info("skipping xattr: %s\n", *xattrname); continue; } } /*log_debug("name: %s, value: %s, size: %d\n", *xattrname, xattr_value, err);*/ log_info("name: %s, size: %d\n", use_xattr_ima ? 
xattr_ima : *xattrname, err); log_debug_dump(xattr_value, err); err = EVP_DigestUpdate(pctx, xattr_value, err); if (!err) { log_err("EVP_DigestUpdate() failed\n"); goto out; } } memset(&hmac_misc, 0, sizeof(hmac_misc)); if (evm_immutable) { struct h_misc_digsig *hmac = (struct h_misc_digsig *)&hmac_misc; hmac_size = sizeof(*hmac); hmac->uid = st.st_uid; hmac->gid = st.st_gid; hmac->mode = st.st_mode; } else if (msize == 0) { struct h_misc *hmac = (struct h_misc *)&hmac_misc; hmac_size = sizeof(*hmac); if (!evm_portable) { hmac->ino = st.st_ino; hmac->generation = generation; } hmac->uid = st.st_uid; hmac->gid = st.st_gid; hmac->mode = st.st_mode; } else if (msize == 64) { struct h_misc_64 *hmac = (struct h_misc_64 *)&hmac_misc; hmac_size = sizeof(*hmac); if (!evm_portable) { hmac->ino = st.st_ino; hmac->generation = generation; } hmac->uid = st.st_uid; hmac->gid = st.st_gid; hmac->mode = st.st_mode; } else { struct h_misc_32 *hmac = (struct h_misc_32 *)&hmac_misc; hmac_size = sizeof(*hmac); if (!evm_portable) { hmac->ino = st.st_ino; hmac->generation = generation; } hmac->uid = st.st_uid; hmac->gid = st.st_gid; hmac->mode = st.st_mode; } log_debug("hmac_misc (%d): ", hmac_size); log_debug_dump(&hmac_misc, hmac_size); err = EVP_DigestUpdate(pctx, &hmac_misc, hmac_size); if (!err) { log_err("EVP_DigestUpdate() failed\n"); goto out; } if (!evm_immutable && !evm_portable && !(hmac_flags & HMAC_FLAG_NO_UUID)) { err = get_uuid(&st, uuid); if (err) goto out; err = EVP_DigestUpdate(pctx, (const unsigned char *)uuid, sizeof(uuid)); if (!err) { log_err("EVP_DigestUpdate() failed\n"); goto out; } } err = EVP_DigestFinal(pctx, hash, &mdlen); if (!err) log_err("EVP_DigestFinal() failed\n"); out: #if OPENSSL_VERSION_NUMBER >= 0x10100000 EVP_MD_CTX_free(pctx); #endif if (err == 1) return mdlen; return err; } static int sign_evm(const char *file, const char *key) { unsigned char hash[MAX_DIGEST_SIZE]; unsigned char sig[MAX_SIGNATURE_SIZE]; int len, err; len = calc_evm_hash(file, 
hash); if (len <= 1) return len; assert(len <= sizeof(hash)); len = sign_hash(imaevm_params.hash_algo, hash, len, key, NULL, sig + 1); if (len <= 1) return len; assert(len < sizeof(sig)); /* add header */ len++; if (evm_portable) sig[0] = EVM_XATTR_PORTABLE_DIGSIG; else sig[0] = EVM_IMA_XATTR_DIGSIG; if (evm_immutable) sig[1] = 3; /* immutable signature version */ if (sigdump || imaevm_params.verbose >= LOG_INFO) imaevm_hexdump(sig, len); if (xattr) { err = lsetxattr(file, xattr_evm, sig, len, 0); if (err < 0) { log_errno_reset(LOG_ERR, "Setting EVM xattr failed: %s", file); return err; } } return 0; } static int hash_ima(const char *file) { unsigned char hash[MAX_DIGEST_SIZE + 2]; /* +2 byte xattr header */ int len, err, offset; int algo = imaevm_get_hash_algo(imaevm_params.hash_algo); if (algo < 0) { log_err("Unknown hash algo: %s\n", imaevm_params.hash_algo); return -1; } if (algo > PKEY_HASH_SHA1) { hash[0] = IMA_XATTR_DIGEST_NG; hash[1] = algo; offset = 2; } else { hash[0] = IMA_XATTR_DIGEST; offset = 1; } len = ima_calc_hash(file, hash + offset); if (len <= 1) return len; assert(len + offset <= sizeof(hash)); len += offset; if (imaevm_params.verbose >= LOG_INFO) log_info("hash(%s): ", imaevm_params.hash_algo); if (sigdump || imaevm_params.verbose >= LOG_INFO) imaevm_hexdump(hash, len); if (xattr) { err = lsetxattr(file, xattr_ima, hash, len, 0); if (err < 0) { log_errno_reset(LOG_ERR, "Setting IMA hash xattr failed: %s", file); return err; } } return 0; } static int sign_ima(const char *file, const char *key) { unsigned char hash[MAX_DIGEST_SIZE]; unsigned char sig[MAX_SIGNATURE_SIZE]; int len, err; len = ima_calc_hash(file, hash); if (len <= 1) return len; assert(len <= sizeof(hash)); len = sign_hash(imaevm_params.hash_algo, hash, len, key, NULL, sig + 1); if (len <= 1) return len; assert(len < sizeof(sig)); /* add header */ len++; sig[0] = EVM_IMA_XATTR_DIGSIG; if (sigdump || imaevm_params.verbose >= LOG_INFO) imaevm_hexdump(sig, len); if (sigfile) 
bin2file(file, "sig", sig, len); if (xattr) { err = lsetxattr(file, xattr_ima, sig, len, 0); if (err < 0) { log_errno_reset(LOG_ERR, "Setting IMA sig xattr failed: %s", file); return err; } } return 0; } static int get_file_type(const char *path, const char *search_type) { int err, dts = 0, i; struct stat st; for (i = 0; search_type[i]; i++) { switch (search_type[i]) { case 'f': dts |= REG_MASK; break; case 'x': check_xattr = true; break; case 'm': /* stay within the same filesystem*/ err = lstat(path, &st); if (err < 0) { log_err("Failed to stat: %s\n", path); return err; } fs_dev = st.st_dev; /* filesystem to start from */ break; } } return dts; } static int do_cmd(struct command *cmd, find_cb_t func) { char *path = g_argv[optind++]; int err, dts = REG_MASK; /* only regular files by default */ if (!path) { log_err("Parameters missing\n"); print_usage(cmd); return -1; } if (recursive) { if (search_type) { dts = get_file_type(path, search_type); if (dts < 0) return dts; } err = find(path, dts, func); } else { err = func(path); } return err; } static int cmd_hash_ima(struct command *cmd) { return do_cmd(cmd, hash_ima); } static int sign_ima_file(const char *file) { const char *key; key = imaevm_params.keyfile ? : "/etc/keys/privkey_evm.pem"; return sign_ima(file, key); } static int cmd_sign_ima(struct command *cmd) { return do_cmd(cmd, sign_ima_file); } /* * Sign file hash(es) provided in the format as produced by either * sha*sum or "fsverity digest". * * sha*sum format: * fsverity digest format: : * * To disambiguate the resulting file signatures, a new signature format * version 3 (sigv3) was defined as the hash of the xattr type (enum * evm_ima_xattr_type), the hash algorithm (enum hash_algo), and the hash. * * Either directly sign the sha*sum hash or indirectly sign the fsverity * hash (sigv3). * * The output is the same format as the input with the resulting file * signature appended. 
*/ static int cmd_sign_hash(struct command *cmd) { unsigned char sigv3_hash[MAX_DIGEST_SIZE]; unsigned char sig[MAX_SIGNATURE_SIZE]; unsigned char hash[MAX_DIGEST_SIZE]; int siglen, algolen = 0, hashlen = 0; char *line = NULL, *token, *hashp; size_t line_len = 0; const char *key; char algo[7]; /* Current maximum fsverity hash algo name length */ ssize_t len; int ret; key = imaevm_params.keyfile ? : "/etc/keys/privkey_evm.pem"; while ((len = getline(&line, &line_len, stdin)) > 0) { /* remove end of line */ if (line[len - 1] == '\n') line[--len] = '\0'; /* * Before either directly or indirectly signing the hash, * convert the hex-ascii hash representation to binary. */ if (veritysig) { /* * Split the hash algorithm from the hash * example format: sha256:51dda1..d7c6 */ hashp = strpbrk(line, ":"); if (hashp) /* pointer to the delimiter */ algolen = hashp - line; if (!hashp || algolen <= 0 || algolen >= sizeof(algo)) { log_err("Missing/invalid fsverity hash algorithm\n"); continue; } strncpy(algo, line, algolen); algo[algolen] = '\0'; /* Nul terminate algorithm */ hashp++; token = strpbrk(line, " "); if (!token) { log_err("Missing fsverity hash\n"); continue; } hashlen = token - hashp; if (hashlen <= 0) { log_err("Missing fsverity hash\n"); continue; } assert(hashlen / 2 <= sizeof(hash)); hex2bin(hash, hashp, hashlen / 2); ret = calc_hash_sigv3(IMA_VERITY_DIGSIG, algo, hash, sigv3_hash); if (ret < 0 || ret == 1) { log_info("Failure to calculate fs-verity hash\n"); continue; } siglen = sign_hash(algo, sigv3_hash, hashlen / 2, key, NULL, sig + 1); sig[0] = IMA_VERITY_DIGSIG; sig[1] = DIGSIG_VERSION_3; /* sigv3 */ } else { /* Parse the shaXsum output */ token = strpbrk(line, " \t"); hashlen = token ? 
token - line : strlen(line); assert(hashlen / 2 <= sizeof(hash)); hex2bin(hash, line, hashlen / 2); siglen = sign_hash(imaevm_params.hash_algo, hash, hashlen / 2, key, NULL, sig + 1); sig[0] = EVM_IMA_XATTR_DIGSIG; } if (siglen <= 1) return siglen; assert(siglen < sizeof(sig)); fwrite(line, len, 1, stdout); fprintf(stdout, " "); bin2hex(sig, siglen + 1, stdout); fprintf(stdout, "\n"); } if (!hashlen) { log_err("Parameters missing\n"); print_usage(cmd); return -1; } return 0; } static int sign_evm_path(const char *file) { const char *key; int err; key = imaevm_params.keyfile ? : "/etc/keys/privkey_evm.pem"; if (digsig) { err = sign_ima(file, key); if (err) return err; } if (digest) { err = hash_ima(file); if (err) return err; } return sign_evm(file, key); } static int cmd_sign_evm(struct command *cmd) { return do_cmd(cmd, sign_evm_path); } static int verify_evm(const char *file) { unsigned char hash[MAX_DIGEST_SIZE]; unsigned char sig[MAX_SIGNATURE_SIZE]; int sig_hash_algo; int mdlen; int len; len = lgetxattr(file, xattr_evm, sig, sizeof(sig)); if (len < 0) { log_err("getxattr failed: %s\n", file); return len; } if ((sig[0] != EVM_IMA_XATTR_DIGSIG) && (sig[0] != EVM_XATTR_PORTABLE_DIGSIG)) { log_err("%s has no signature\n", xattr_evm); return -1; } if (sig[0] == EVM_XATTR_PORTABLE_DIGSIG) { if (sig[1] != DIGSIG_VERSION_2) { log_err("Portable sig: invalid type\n"); return -1; } evm_portable = true; } sig_hash_algo = imaevm_hash_algo_from_sig(sig + 1); if (sig_hash_algo < 0) { log_err("unknown hash algo: %s\n", file); return -1; } imaevm_params.hash_algo = imaevm_hash_algo_by_id(sig_hash_algo); mdlen = calc_evm_hash(file, hash); if (mdlen <= 1) return mdlen; assert(mdlen <= sizeof(hash)); return verify_hash(file, hash, mdlen, sig, len); } static int cmd_verify_evm(struct command *cmd) { char *file = g_argv[optind++]; int err; if (!file) { log_err("Parameters missing\n"); print_usage(cmd); return -1; } if (imaevm_params.x509) { if (imaevm_params.keyfile) /* Support 
multiple public keys */ init_public_keys(imaevm_params.keyfile); else /* assume read pubkey from x509 cert */ init_public_keys("/etc/keys/x509_evm.der"); } err = verify_evm(file); if (!err && imaevm_params.verbose >= LOG_INFO) log_info("%s: verification is OK\n", file); return err; } static int verify_ima(const char *file) { unsigned char sig[MAX_SIGNATURE_SIZE]; int len; if (sigfile) { void *tmp = file2bin(file, "sig", &len); if (!tmp) { log_err("Failed reading: %s\n", file); return -1; } if (len > sizeof(sig)) { log_err("Signature file is too big: %s\n", file); free(tmp); return -1; } memcpy(sig, tmp, len); free(tmp); } else { len = lgetxattr(file, xattr_ima, sig, sizeof(sig)); if (len < 0) { log_err("getxattr failed: %s\n", file); return len; } } return ima_verify_signature(file, sig, len, NULL, 0); } static int cmd_verify_ima(struct command *cmd) { char *file = g_argv[optind++]; int err, fails = 0; if (imaevm_params.x509) { if (imaevm_params.keyfile) /* Support multiple public keys */ init_public_keys(imaevm_params.keyfile); else /* assume read pubkey from x509 cert */ init_public_keys("/etc/keys/x509_evm.der"); } if (!file) { log_err("Parameters missing\n"); print_usage(cmd); return -1; } do { err = verify_ima(file); if (err) fails++; if (!err && imaevm_params.verbose >= LOG_INFO) log_info("%s: verification is OK\n", file); } while ((file = g_argv[optind++])); return fails > 0; } #if CONFIG_SIGV1 static int cmd_convert(struct command *cmd) { char *inkey; unsigned char _pub[1024], *pub = _pub; int len, err = 0; char name[20]; uint8_t keyid[8]; RSA *key; imaevm_params.x509 = 0; inkey = g_argv[optind++]; if (!inkey) { inkey = imaevm_params.x509 ? 
"/etc/keys/x509_evm.der" : "/etc/keys/pubkey_evm.pem"; } key = read_pub_key(inkey, imaevm_params.x509); if (!key) return 1; len = key2bin(key, pub); calc_keyid_v1(keyid, name, pub, len); bin2file(inkey, "bin", pub, len); bin2file(inkey, "keyid", (const unsigned char *)name, strlen(name)); RSA_free(key); return err; } #endif static int cmd_import(struct command *cmd) { char *inkey, *ring = NULL; unsigned char _pub[1024], *pub = _pub; int id, len, err = 0; char name[20]; uint8_t keyid[8]; inkey = g_argv[optind++]; if (!inkey) { inkey = imaevm_params.x509 ? "/etc/keys/x509_evm.der" : "/etc/keys/pubkey_evm.pem"; } else ring = g_argv[optind++]; id = KEY_SPEC_USER_KEYRING; /* default keyring */ if (ring) { if (ring[0] != '@') { int base = 10; if (ring[0] == '0' && ring[1] == 'x') base = 16; id = strtoul(ring, NULL, base); } else { if (strcmp(ring, "@t") == 0) id = -1; else if (strcmp(ring, "@p") == 0) id = -2; else if (strcmp(ring, "@s") == 0) id = -3; else if (strcmp(ring, "@u") == 0) id = -4; else if (strcmp(ring, "@us") == 0) id = -5; else if (strcmp(ring, "@g") == 0) id = -6; } } if (imaevm_params.x509) { EVP_PKEY *pkey = read_pub_pkey(inkey, imaevm_params.x509); if (!pkey) return 1; pub = file2bin(inkey, NULL, &len); if (!pub) { EVP_PKEY_free(pkey); return 1; } calc_keyid_v2((uint32_t *)keyid, name, pkey); EVP_PKEY_free(pkey); } else { #if CONFIG_SIGV1 RSA *key = read_pub_key(inkey, imaevm_params.x509); if (!key) return 1; len = key2bin(key, pub); calc_keyid_v1(keyid, name, pub, len); RSA_free(key); #else log_info("Importing public RSA key is not supported\n"); return 1; #endif } log_info("Importing public key %s from file %s into keyring %d\n", name, inkey, id); id = add_key(imaevm_params.x509 ? "asymmetric" : "user", imaevm_params.x509 ? 
NULL : name, pub, len, id); if (id < 0) { log_err("add_key failed\n"); err = id; } else { log_info("keyid: %d\n", id); printf("%d\n", id); } if (pub != _pub) free(pub); return err; } static int setxattr_ima(const char *file, char *sig_file) { unsigned char *sig; int len, err; if (sig_file) sig = file2bin(sig_file, NULL, &len); else sig = file2bin(file, "sig", &len); if (!sig) return 0; err = lsetxattr(file, xattr_ima, sig, len, 0); if (err < 0) log_errno_reset(LOG_ERR, "Setting IMA sig xattr failed: %s", file); free(sig); return err; } static int cmd_setxattr_ima(struct command *cmd) { char *file, *sig = NULL; if (sigfile) sig = g_argv[optind++]; file = g_argv[optind++]; if (!file) { log_err("Parameters missing\n"); print_usage(cmd); return -1; } return setxattr_ima(file, sig); } #define MAX_KEY_SIZE 128 static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *sig) { size_t siglen = MAX_DIGEST_SIZE; EVP_MD_CTX *pctx; EVP_PKEY *pkey = NULL; struct stat st; int err = -1; uint32_t generation = 0; char **xattrname; unsigned char xattr_value[1024]; unsigned char *key; int keylen; unsigned char evmkey[MAX_KEY_SIZE]; char list[1024]; ssize_t list_size; struct h_misc_64 hmac_misc; int hmac_size; #if OPENSSL_VERSION_NUMBER < 0x10100000 EVP_MD_CTX ctx; pctx = &ctx; #endif key = file2bin(keyfile, NULL, &keylen); if (!key) { log_err("Failed to read a key: %s\n", keyfile); return -1; } if (keylen > sizeof(evmkey)) { log_err("key is too long: %d\n", keylen); goto out; } /* EVM key is 128 bytes */ memcpy(evmkey, key, keylen); if (keylen < sizeof(evmkey)) memset(evmkey + keylen, 0, sizeof(evmkey) - keylen); if (lstat(file, &st)) { log_err("Failed to stat: %s\n", file); goto out; } if (S_ISREG(st.st_mode)) { int fd = open(file, 0); if (fd < 0) { log_err("Failed to open %s\n", file); goto out; } if (ioctl(fd, FS_IOC_GETVERSION, &generation)) { log_err("ioctl() failed\n"); close(fd); goto out; } close(fd); } log_info("generation: %u\n", generation); list_size = 
llistxattr(file, list, sizeof(list)); if (list_size <= 0) { log_err("llistxattr() failed: %s\n", file); goto out; } #if OPENSSL_VERSION_NUMBER >= 0x10100000 pctx = EVP_MD_CTX_new(); if (!pctx) { log_err("EVP_MD_CTX_new failed\n"); goto out; } #endif pkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, evmkey, sizeof(evmkey)); if (!pkey) { log_err("EVP_PKEY_new_mac_key() failed\n"); goto out; } err = EVP_DigestSignInit(pctx, NULL, EVP_sha1(), NULL, pkey); if (err != 1) { log_err("EVP_DigestSignInit() failed\n"); goto out; } for (xattrname = evm_config_xattrnames; *xattrname != NULL; xattrname++) { err = lgetxattr(file, *xattrname, xattr_value, sizeof(xattr_value)); if (err < 0) { log_info("no xattr: %s\n", *xattrname); continue; } if (!find_xattr(list, list_size, *xattrname)) { log_info("skipping xattr: %s\n", *xattrname); continue; } log_info("name: %s, size: %d\n", *xattrname, err); log_debug_dump(xattr_value, err); err = EVP_DigestSignUpdate(pctx, xattr_value, err); if (err != 1) { log_err("EVP_DigestSignUpdate() failed\n"); goto out_ctx_cleanup; } } memset(&hmac_misc, 0, sizeof(hmac_misc)); if (msize == 0) { struct h_misc *hmac = (struct h_misc *)&hmac_misc; hmac_size = sizeof(*hmac); hmac->ino = st.st_ino; hmac->generation = generation; hmac->uid = st.st_uid; hmac->gid = st.st_gid; hmac->mode = st.st_mode; } else if (msize == 64) { struct h_misc_64 *hmac = (struct h_misc_64 *)&hmac_misc; hmac_size = sizeof(*hmac); hmac->ino = st.st_ino; hmac->generation = generation; hmac->uid = st.st_uid; hmac->gid = st.st_gid; hmac->mode = st.st_mode; } else { struct h_misc_32 *hmac = (struct h_misc_32 *)&hmac_misc; hmac_size = sizeof(*hmac); hmac->ino = st.st_ino; hmac->generation = generation; hmac->uid = st.st_uid; hmac->gid = st.st_gid; hmac->mode = st.st_mode; } log_debug("hmac_misc (%d): ", hmac_size); log_debug_dump(&hmac_misc, hmac_size); err = EVP_DigestSignUpdate(pctx, &hmac_misc, hmac_size); if (err != 1) { log_err("EVP_DigestSignUpdate() failed\n"); goto 
out_ctx_cleanup; } err = EVP_DigestSignFinal(pctx, sig, &siglen); if (err != 1) log_err("EVP_DigestSignFinal() failed\n"); out_ctx_cleanup: EVP_PKEY_free(pkey); #if OPENSSL_VERSION_NUMBER >= 0x10100000 EVP_MD_CTX_free(pctx); #endif out: free(key); if (err == 1) return siglen; return err; } static int hmac_evm(const char *file, const char *key) { unsigned char hash[MAX_DIGEST_SIZE]; unsigned char sig[MAX_SIGNATURE_SIZE]; int len, err; len = calc_evm_hmac(file, key, hash); if (len <= 1) return len; assert(len <= sizeof(hash)); log_info("hmac: "); log_dump(hash, len); assert(len < sizeof(sig)); memcpy(sig + 1, hash, len); if (xattr) { sig[0] = EVM_XATTR_HMAC; err = lsetxattr(file, xattr_evm, sig, len + 1, 0); if (err < 0) { log_errno_reset(LOG_ERR, "Setting EVM hmac xattr failed: %s", file); return err; } } return 0; } static int cmd_hmac_evm(struct command *cmd) { const char *key, *file = g_argv[optind++]; int err; if (!file) { log_err("Parameters missing\n"); print_usage(cmd); return -1; } key = imaevm_params.keyfile ? 
: "/etc/keys/privkey_evm.pem"; if (digsig) { err = sign_ima(file, key); if (err) return err; } if (digest) { err = hash_ima(file); if (err) return err; } return hmac_evm(file, "/etc/keys/evm-key-plain"); } static int ima_fix(const char *path) { int fd, size, len, ima = 0, evm = 0; char buf[1024], *list = buf; log_info("%s\n", path); if (check_xattr) { /* re-measuring takes a time * in some cases we can skip labeling if xattrs exists */ size = llistxattr(path, list, sizeof(buf)); if (size < 0) { log_errno("Failed to read xattrs (llistxattr): %s\n", path); return -1; } for (; size > 0; len++, size -= len, list += len) { len = strlen(list); if (!strcmp(list, xattr_ima)) ima = 1; else if (!strcmp(list, xattr_evm)) evm = 1; } if (ima && evm) return 0; } fd = open(path, O_RDONLY); if (fd < 0) { log_errno("Failed to open file: %s", path); return -1; } close(fd); return 0; } static int find(const char *path, int dts, find_cb_t func) { struct dirent *de; DIR *dir; if (fs_dev) { struct stat st; int err = lstat(path, &st); if (err < 0) { log_err("Failed to stat: %s\n", path); return err; } if (st.st_dev != fs_dev) return 0; } dir = opendir(path); if (!dir) { log_err("Failed to open directory %s\n", path); return -1; } if (fchdir(dirfd(dir))) { log_err("Failed to chdir %s\n", path); return -1; } while ((de = readdir(dir))) { if (!strcmp(de->d_name, "..") || !strcmp(de->d_name, ".")) continue; log_debug("path: %s, type: %u\n", de->d_name, de->d_type); if (de->d_type == DT_DIR) find(de->d_name, dts, func); else if (dts & (1 << de->d_type)) func(de->d_name); } if (chdir("..")) { log_err("Failed to chdir: %s\n", path); return -1; } closedir(dir); return 0; } static int cmd_ima_fix(struct command *cmd) { return do_cmd(cmd, ima_fix); } static int ima_clear(const char *path) { log_info("%s\n", path); lremovexattr(path, xattr_ima); lremovexattr(path, xattr_evm); return 0; } static int cmd_ima_clear(struct command *cmd) { return do_cmd(cmd, ima_clear); } #define TCG_EVENT_NAME_LEN_MAX 
255 struct template_entry { struct { uint32_t pcr; uint8_t digest[SHA_DIGEST_LENGTH]; uint32_t name_len; } header __packed; char name[TCG_EVENT_NAME_LEN_MAX + 1]; uint32_t template_buf_len; uint32_t template_len; uint8_t *template; }; static uint8_t zero[MAX_DIGEST_SIZE]; static int ignore_violations = 0; static int ima_verify_template_hash(struct template_entry *entry) { uint8_t digest[SHA_DIGEST_LENGTH]; static int line = 0; line++; if (!memcmp(zero, entry->header.digest, sizeof(digest))) return 0; SHA1(entry->template, entry->template_len, digest); if (memcmp(digest, entry->header.digest, sizeof(digest))) { if (imaevm_params.verbose > LOG_INFO) log_info("Failed to verify template data digest(line %d).\n", line); return 1; } return 0; } void ima_show(struct template_entry *entry) { if (imaevm_params.verbose <= LOG_INFO) return; log_info("%d ", entry->header.pcr); log_dump_n(entry->header.digest, sizeof(entry->header.digest)); log_info(" %s ", entry->name); log_dump_n(entry->template, SHA_DIGEST_LENGTH); log_info(" %s\n", entry->template + SHA_DIGEST_LENGTH); } /* * Keep track of unknown or malformed template names. * * Return 1 for found, return 0 for not found. 
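*/
static int lookup_template_name_entry(char *template_name)
{
	struct template_name_entry {
		struct template_name_entry *next;
		char name[];
	} *entry;
	/* process-lifetime list of template names already reported */
	static struct template_name_entry *template_names = NULL;

	for (entry = template_names; entry != NULL; entry = entry->next) {
		if (strcmp(entry->name, template_name) == 0)
			return 1;
	}

	/*
	 * Not seen before: remember it so the caller only reports it once.
	 * An allocation failure is tolerated; the name is simply reported
	 * again next time.
	 */
	entry = malloc(sizeof(struct template_name_entry) +
		       strlen(template_name) + 1);
	if (entry) {
		strcpy(entry->name, template_name);
		entry->next = template_names;
		template_names = entry;
	}
	return 0;
}

/*
 * Read the next uint32_t length prefix from the template data.
 *
 * Uses memcpy rather than a cast so unaligned template data does not
 * fault on strict-alignment targets.  On success *fieldp and *remaining
 * are advanced past the prefix and 0 is returned; if fewer than
 * sizeof(uint32_t) bytes are left, nothing is consumed and -1 is returned.
 */
static int ima_ng_next_len(uint8_t **fieldp, size_t *remaining,
			   uint32_t *field_len)
{
	if (*remaining < sizeof(*field_len))
		return -1;
	memcpy(field_len, *fieldp, sizeof(*field_len));
	*fieldp += sizeof(*field_len);
	*remaining -= sizeof(*field_len);
	return 0;
}

/*
 * Display an "ima-ng"/"ima-sig"/"ima-sigv2"/"ima-buf" measurement record
 * and, for the signature templates, verify the file signature.
 *
 * The template data comes from the measurement list (untrusted input), so
 * every length prefix and field is bounds-checked against the bytes still
 * remaining before it is dereferenced.  Malformed records are reported via
 * log_err() and skipped; nothing is returned.
 */
void ima_ng_show(struct template_entry *entry)
{
	uint8_t *fieldp = entry->template;
	size_t remaining = entry->template_len;
	uint32_t field_len;
	uint8_t *digest, *sig = NULL, *fbuf = NULL;
	int digest_len, fbuf_len = 0, sig_len = 0;
	size_t algo_len;
	char *algo, *path;
	int found;
	int err;

	/* get binary digest: "<algo>:" NUL-terminated, followed by the digest */
	if (ima_ng_next_len(&fieldp, &remaining, &field_len) ||
	    field_len > remaining) {
		log_err("Template \"%s\" invalid template data\n", entry->name);
		return;
	}
	/* field_len - 1 below would wrap for an empty field */
	if (field_len == 0) {
		log_err("Template \"%s\" invalid digest length\n", entry->name);
		return;
	}
	algo = (char *)fieldp;
	/* strnlen is bounded by the field, so algo never overruns the buffer */
	algo_len = strnlen(algo, field_len - 1) + 1;
	digest_len = (int)(field_len - algo_len);
	if (digest_len < SHA_DIGEST_LENGTH || digest_len > MAX_DIGEST_SIZE) {
		log_err("Template \"%s\" invalid digest length\n", entry->name);
		return;
	}
	digest = fieldp + algo_len;

	/* move to next field */
	fieldp += field_len;
	remaining -= field_len;

	/* get path: must fit the remaining data and be NUL terminated */
	if (ima_ng_next_len(&fieldp, &remaining, &field_len)) {
		log_err("Template \"%s\" invalid template data\n", entry->name);
		return;
	}
	if (field_len == 0 || field_len > PATH_MAX || field_len > remaining ||
	    memchr(fieldp, '\0', field_len) == NULL) {
		log_err("Template \"%s\" invalid file pathname\n", entry->name);
		return;
	}
	path = (char *)fieldp;

	/* move to next field */
	fieldp += field_len;
	remaining -= field_len;

	if (!strcmp(entry->name, "ima-sig") ||
	    !strcmp(entry->name, "ima-sigv2")) {
		/* get signature, if it exists */
		if (ima_ng_next_len(&fieldp, &remaining, &field_len)) {
			log_err("Template \"%s\" invalid template data\n",
				entry->name);
			return;
		}
		if (field_len > MAX_SIGNATURE_SIZE) {
			log_err("Template \"%s\" invalid file signature size\n",
				entry->name);
			return;
		}
		if (field_len) {
			if (field_len > remaining) {
				log_err("Template \"%s\" invalid template data\n",
					entry->name);
				return;
			}
			sig = fieldp;
			sig_len = field_len;

			/* move to next field */
			fieldp += field_len;
			remaining -= field_len;
		}
	} else if (!strcmp(entry->name, "ima-buf")) {
		if (ima_ng_next_len(&fieldp, &remaining, &field_len)) {
			log_err("Template \"%s\" invalid template data\n",
				entry->name);
			return;
		}
		if (field_len) {
			if (field_len > remaining) {
				log_err("Template \"%s\" invalid template data\n",
					entry->name);
				return;
			}
			fbuf = fieldp;
			fbuf_len = field_len;

			/* move to next field */
			fieldp += field_len;
			remaining -= field_len;
		}
	}

	/* ascii_runtime_measurements */
	if (imaevm_params.verbose > LOG_INFO) {
		log_info("%d ", entry->header.pcr);
		log_dump_n(entry->header.digest, sizeof(entry->header.digest));
		log_info(" %s %s", entry->name, algo);
		log_dump_n(digest, digest_len);
		log_info(" %s", path);
		if (fbuf) {
			log_info(" ");
			log_dump_n(fbuf, fbuf_len);
		}
	}

	if (sig) {
		if (imaevm_params.verbose > LOG_INFO) {
			log_info(" ");
			log_dump(sig, sig_len);
		}
		/*
		 * Either verify the signature against the hash contained in
		 * the measurement list or calculate the hash.
		 */
		if (verify_list_sig)
			err = ima_verify_signature(path, sig, sig_len,
						   digest, digest_len);
		else
			err = ima_verify_signature(path, sig, sig_len, NULL, 0);

		if (!err && imaevm_params.verbose > LOG_INFO)
			log_info("%s: verification is OK\n", path);
	} else {
		if (imaevm_params.verbose > LOG_INFO)
			log_info("\n");
	}

	/* trailing bytes mean an unknown or malformed template; report once */
	if (remaining) {
		found = lookup_template_name_entry(entry->name);
		if (!found)
			log_err("Template \"%s\" contains unprocessed data: "
				"%d bytes\n", entry->name, (int)remaining);
	}
}

/*
 * Fill in a bank descriptor for algo_name.  The bank is only marked
 * supported when OpenSSL knows the digest, in which case digest_size is
 * taken from the EVP_MD.
 */
static void set_bank_info(struct tpm_bank_info *bank, const char *algo_name)
{
	const EVP_MD *md;

	bank->algo_name = algo_name;
	md = EVP_get_digestbyname(bank->algo_name);
	if (!md)
		return;

	bank->supported = 1;
	bank->digest_size = EVP_MD_size(md);
}

/*
 * Allocate and initialise one tpm_bank_info per known PCR bank algorithm
 * (sha1 and sha256).  *num_banks receives the count.  Returns NULL on
 * allocation failure; the caller owns the returned array.
 */
static struct tpm_bank_info *init_tpm_banks(int *num_banks)
{
	struct tpm_bank_info *banks = NULL;
	const char *default_algos[] = {"sha1", "sha256"};
	int num_algos = sizeof(default_algos) / sizeof(default_algos[0]);
	int i, j;

	banks = calloc(num_algos, sizeof(struct tpm_bank_info));
	if (!banks) {
		log_err("Out of memory\n");
		return NULL;
	}

	/* re-calculate the PCRs digests for only known algorithms */
	*num_banks = num_algos;
	for (i = 0; i < num_algos; i++) {
		/* use the kernel's canonical name string for the algorithm */
		for (j = 0; j < HASH_ALGO__LAST; j++) {
			if (!strcmp(default_algos[i], hash_algo_name[j]))
				set_bank_info(&banks[i], hash_algo_name[j]);
		}
		assert(banks[i].algo_name);
	}

	return banks;
}

/*
 * Compare the calculated TPM PCR banks against the PCR values read.
 * The banks_mask parameter allows to select which banks to consider.
 * A banks_mask of 0x3 would consider banks 1 and 2, 0x2 would only
 * consider the 2nd bank, ~0 would consider all banks.
 *
 * On failure to match any TPM bank, fail comparison.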
*/ static int compare_tpm_banks(int num_banks, struct tpm_bank_info *bank, struct tpm_bank_info *tpm_bank, unsigned int banks_mask, unsigned long entry_num) { int i, j; int ret = 0; for (i = 0; i < num_banks; i++) { if (!bank[i].supported || !tpm_bank[i].supported) continue; /* do we need to look at the n-th bank ? */ if ((banks_mask & (1 << i)) == 0) continue; for (j = 0; j < NUM_PCRS; j++) { if (memcmp(bank[i].pcr[j], zero, bank[i].digest_size) == 0) continue; if (memcmp(bank[i].pcr[j], tpm_bank[i].pcr[j], bank[i].digest_size) != 0) ret = 1; if ((!ret && imaevm_params.verbose <= LOG_INFO) || (ret && imaevm_params.verbose <= LOG_DEBUG)) continue; log_info("%s: PCRAgg %d: ", bank[i].algo_name, j); log_dump(bank[i].pcr[j], bank[i].digest_size); log_info("%s: TPM PCR-%d: ", tpm_bank[i].algo_name, j); log_dump(tpm_bank[i].pcr[j], tpm_bank[i].digest_size); if (!ret) log_info("%s PCR-%d: succeed at entry %lu\n", bank[i].algo_name, j, entry_num); else log_info("%s: PCRAgg %d does not match TPM PCR-%d\n", bank[i].algo_name, j, j); } } return ret; } /* Calculate the template hash for a particular hash algorithm */ static int calculate_template_digest(EVP_MD_CTX *pctx, const EVP_MD *md, struct template_entry *entry, struct tpm_bank_info *bank) { unsigned int mdlen; int err; err = EVP_DigestInit(pctx, md); if (!err) { printf("EVP_DigestInit() failed\n"); goto out; } err = EVP_DigestUpdate(pctx, entry->template, entry->template_len); if (!err) { printf("EVP_DigestUpdate() failed\n"); goto out; } err = EVP_DigestFinal(pctx, bank->digest, &mdlen); if (!err) printf("EVP_DigestUpdate() failed\n"); out: if (!err) err = 1; return err; } /* Extend a specific TPM bank with the template hash */ static int extend_tpm_bank(EVP_MD_CTX *pctx, const EVP_MD *md, struct template_entry *entry, struct tpm_bank_info *bank) { unsigned int mdlen; int err; err = EVP_DigestInit(pctx, md); if (!err) { printf("EVP_DigestInit() failed\n"); goto out; } err = EVP_DigestUpdate(pctx, 
bank->pcr[entry->header.pcr], bank->digest_size); if (!err) { printf("EVP_DigestUpdate() failed\n"); goto out; } err = EVP_DigestUpdate(pctx, bank->digest, bank->digest_size); if (!err) { printf("EVP_DigestUpdate() failed\n"); goto out; } err = EVP_DigestFinal(pctx, bank->pcr[entry->header.pcr], &mdlen); if (!err) printf("EVP_DigestFinal() failed\n"); out: if (!err) err = 1; return err; } /* Calculate and extend the template hash for multiple hash algorithms */ static void extend_tpm_banks(struct template_entry *entry, int num_banks, struct tpm_bank_info *bank, struct tpm_bank_info *padded_bank) { EVP_MD_CTX *pctx; const EVP_MD *md; #if OPENSSL_VERSION_NUMBER < 0x10100000 EVP_MD_CTX ctx; pctx = &ctx; #else pctx = EVP_MD_CTX_new(); #endif int err; int i; for (i = 0; i < num_banks; i++) { if (!bank[i].supported) continue; md = EVP_get_digestbyname(bank[i].algo_name); if (!md) { printf("EVP_get_digestbyname(%s) failed\n", bank[i].algo_name); bank[i].supported = 0; continue; } /* * Measurement violations are 0x00 digests, which are extended * into the TPM as 0xff. Verifying the IMA measurement list * will fail, unless the 0x00 digests are converted to 0xff's. * * Initially the sha1 digest, including violations, was padded * with zeroes before being extended into the TPM. With the * per TPM bank digest, violations are the full per bank digest * size. */ if (memcmp(entry->header.digest, zero, SHA_DIGEST_LENGTH) == 0) { if (!ignore_violations) { memset(bank[i].digest, 0x00, bank[i].digest_size); memset(padded_bank[i].digest, 0x00, padded_bank[i].digest_size); } else { memset(bank[i].digest, 0xff, bank[i].digest_size); memset(padded_bank[i].digest, 0x00, padded_bank[i].digest_size); memset(padded_bank[i].digest, 0xff, SHA_DIGEST_LENGTH); } } else { err = calculate_template_digest(pctx, md, entry, &bank[i]); if (!err) { bank[i].supported = 0; continue; } /* * calloc set the memory to zero, so just copy the * sha1 digest. 
*/ memcpy(padded_bank[i].digest, entry->header.digest, SHA_DIGEST_LENGTH); } /* extend TPM BANK with template digest */ err = extend_tpm_bank(pctx, md, entry, &bank[i]); if (!err) bank[i].supported = 0; /* extend TPM BANK with zero padded sha1 template digest */ err = extend_tpm_bank(pctx, md, entry, &padded_bank[i]); if (!err) padded_bank[i].supported = 0; } #if OPENSSL_VERSION_NUMBER >= 0x10100000 EVP_MD_CTX_free(pctx); #endif } static int read_one_bank(struct tpm_bank_info *tpm_bank, FILE *fp) { char *p, pcr_str[8], buf[MAX_DIGEST_SIZE * 2 + 8]; int i = 0; int result = -1; for (;;) { p = fgets(buf, sizeof(buf), fp); if (!p || i >= NUM_PCRS) break; sprintf(pcr_str, "PCR-%2.2d", i); if (!strncmp(p, pcr_str, 6)) hex2bin(tpm_bank->pcr[i++], p + 7, tpm_bank->digest_size); result = 0; } return result; } static char *pcrs = "/sys/class/tpm/tpm0/device/pcrs"; /* Kernels >= 4.0 */ static char *misc_pcrs = "/sys/class/misc/tpm0/device/pcrs"; /* Read one of the TPM 1.2 sysfs files if present */ static int read_sysfs_pcrs(int num_banks, struct tpm_bank_info *tpm_banks) { FILE *fp; int i, result; fp = fopen(pcrs, "r"); if (!fp) fp = fopen(misc_pcrs, "r"); if (!fp) { log_errno_reset(LOG_DEBUG, "Failed to read TPM 1.2 PCRs"); return -1; } result = read_one_bank(&tpm_banks[0], fp); fclose(fp); if (result < 0) return result; tpm_banks[0].supported = 1; for (i = 1; i < num_banks; i++) tpm_banks[i].supported = 0; return 0; } static int read_tpm2_one_bank(struct tpm_bank_info *tpm_bank) { FILE *fp; char digest[MAX_DIGEST_SIZE + 1]; char file_name[NAME_MAX]; char *p; int i; for (i = 0; i < NUM_PCRS; i++) { sprintf(file_name, "/sys/class/tpm/tpm0/pcr-%s/%d", tpm_bank->algo_name, i); fp = fopen(file_name, "r"); if (!fp) { log_errno_reset(LOG_DEBUG, "Failed to read TPM 2.0 PCRs via sysfs"); return -1; } p = fgets(digest, tpm_bank->digest_size * 2 + 1, fp); if (!p) { fclose(fp); return -1; } hex2bin(tpm_bank->pcr[i], digest, tpm_bank->digest_size); fclose(fp); } return 0; } static int 
read_sysfs_tpm2_pcrs(int num_banks, struct tpm_bank_info *tpm_banks) { int tpm_enabled = 0; int rt, j; if (imaevm_params.verbose > LOG_INFO) log_info("Trying to read TPM 2.0 PCRs via sysfs\n"); for (j = 0; j < num_banks; j++) { rt = read_tpm2_one_bank(&tpm_banks[j]); if (rt < 0) { tpm_banks[j].supported = 0; continue; } tpm_enabled = 1; } /* On failure to read any TPM bank PCRs, re-initialize the TPM banks*/ if (tpm_enabled == 0) { for (j = 0; j < num_banks; j++) tpm_banks[j].supported = 1; return 1; } return 0; } /* Read PCRs from per-bank file(s) specified via --pcrs */ static int read_file_pcrs(int num_banks, struct tpm_bank_info *tpm_banks) { struct stat s; FILE *fp; char *p; const char *alg, *path; int i, j, bank, result; for (i = 0; i < num_banks; i++) tpm_banks[i].supported = 0; for (i = 0; i < npcrfile; i++) { p = strchr(pcrfile[i], ','); if (p) { *p = 0; alg = pcrfile[i]; path = ++p; } else { alg = "sha1"; path = pcrfile[i]; } bank = -1; for (j = 0; j < num_banks; j++) { if (!strcmp(tpm_banks[j].algo_name, alg)) { bank = j; break; } } if (bank < 0) { log_err("Unknown algorithm '%s'\n", alg); return -1; } if (stat(path, &s) == -1) { log_err("Could not stat '%s'\n", path); return -1; } if (!S_ISREG(s.st_mode)) { log_err("PCR file: not a regular file or link to regular file\n"); return -1; } fp = fopen(path, "r"); if (!fp) { log_err("Could not open '%s'\n", path); return -1; } result = read_one_bank(&tpm_banks[bank], fp); fclose(fp); if (result < 0) return result; tpm_banks[bank].supported = 1; } return 0; } /* * Attempt to read TPM PCRs from either TPM 1.2 or multiple TPM 2.0 banks. * * On success reading from any TPM bank, return 0. 
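*/
static int read_tpm_banks(int num_banks, struct tpm_bank_info *bank)
{
	int tpm_enabled = 0;
	char *errmsg = NULL;
	int i;
	uint32_t pcr_handle;
	int err;

	/* If --pcrs was specified, read only from the specified file(s) */
	if (npcrfile)
		return read_file_pcrs(num_banks, bank);

	/* Else try reading PCRs from the sysfs file if present */
	if (read_sysfs_pcrs(num_banks, bank) == 0)
		return 0;

	if (hwtpm && read_sysfs_tpm2_pcrs(num_banks, bank) == 0)
		return 0;

	/* Any userspace applications available for reading TPM 2.0 PCRs? */
	if (!tpm2_pcr_supported()) {
		log_debug("Failed to read TPM 2.0 PCRs\n");
		return 1;
	}

	/* Read PCRs from multiple TPM 2.0 banks */
	for (i = 0; i < num_banks; i++) {
		err = 0;
		/* stop at the first PCR that fails; the bank is then unusable */
		for (pcr_handle = 0;
		     pcr_handle < NUM_PCRS && !err;
		     pcr_handle++) {
			err = tpm2_pcr_read(bank[i].algo_name, pcr_handle,
					    bank[i].pcr[pcr_handle],
					    bank[i].digest_size,
					    &errmsg);
			if (err) {
				log_debug("Failed to read %s PCRs: (%s)\n",
					  bank[i].algo_name, errmsg);
				free(errmsg);
				errmsg = NULL;
				bank[i].supported = 0;
			}
		}
		if (bank[i].supported)
			tpm_enabled = 1;
	}
	return tpm_enabled ? 0 : 1;
}

/*
 * Walk the binary IMA measurement list in `file`, re-computing the
 * per-bank PCR aggregates (both the native per-bank digest and the
 * original SHA1-zero-padded form) and comparing them against the PCRs
 * read from the TPM.  Each record's template data digest is also
 * re-verified.
 *
 * Returns 0 when some bank matched and all template digests verified,
 * 1 when a template digest failed, and -1 on read, parse or memory
 * errors.  Records with an out-of-range PCR or an over-long event name
 * terminate the process with exit(1).
 */
static int ima_measurement(const char *file)
{
	struct tpm_bank_info *pseudo_padded_banks;
	struct tpm_bank_info *pseudo_banks = NULL;
	struct tpm_bank_info *tpm_banks = NULL;
	int is_ima_template, cur_template_fmt;
	int num_banks = 0;
	int tpmbanks = 1;
	int first_record = 1;
	unsigned int pseudo_padded_banks_mask, pseudo_banks_mask;
	unsigned long entry_num = 0;
	int c;

	struct template_entry entry = { .template = NULL };
	FILE *fp;
	int invalid_template_digest = 0;
	int err_padded = -1;
	int err = -1;

	memset(zero, 0, MAX_DIGEST_SIZE);

	pseudo_padded_banks = init_tpm_banks(&num_banks);
	if (!pseudo_padded_banks)
		return -1;

	pseudo_banks = init_tpm_banks(&num_banks);
	if (!pseudo_banks)
		goto out_free;

	tpm_banks = init_tpm_banks(&num_banks);
	if (!tpm_banks)
		goto out_free;

	fp = fopen(file, "rb");
	if (!fp) {
		log_err("Failed to open measurement file: %s\n", file);
		/* no stream to close yet: skip the fclose() at out */
		goto out_free;
	}

	if (imaevm_params.keyfile)	/* Support multiple public keys */
		init_public_keys(imaevm_params.keyfile);
	else				/* assume read pubkey from x509 cert */
		init_public_keys("/etc/keys/x509_evm.der");
	if (errno)
		log_errno_reset(LOG_DEBUG, "Failure in initializing public keys");

	/*
	 * Reading the PCRs before walking the IMA measurement list
	 * guarantees that all of the measurements are included in
	 * the PCRs.
	 */
	if (read_tpm_banks(num_banks, tpm_banks) != 0)
		tpmbanks = 0;

	/* A mask where each bit represents the banks to check against */
	pseudo_banks_mask = (1 << num_banks) - 1;
	pseudo_padded_banks_mask = pseudo_banks_mask;

	/*
	 * Instead of verifying all the banks, only verify a single bank.
	 * NOTE(review): the loop stops at the first non-matching bank, which
	 * only clears every other bank while there are two banks.
	 */
	for (c = 0; c < num_banks; c++) {
		if (verify_bank
		    && strcmp(pseudo_padded_banks[c].algo_name, verify_bank)) {
			pseudo_banks_mask ^= (1 << c);
			pseudo_padded_banks_mask ^= (1 << c);
			break;
		}
	}

	while (fread(&entry.header, sizeof(entry.header), 1, fp) == 1) {
		entry_num++;
		if (entry.header.pcr >= NUM_PCRS) {
			log_err("Invalid PCR %d.\n", entry.header.pcr);
			fclose(fp);
			exit(1);
		}
		if (entry.header.name_len > TCG_EVENT_NAME_LEN_MAX) {
			log_err("%d ERROR: event name too long!\n",
				entry.header.name_len);
			fclose(fp);
			exit(1);
		}
		/* entry.name is one byte larger than the max, so it is always NUL terminated */
		memset(entry.name, 0x00, sizeof(entry.name));
		if (fread(entry.name, entry.header.name_len, 1, fp) != 1) {
			log_err("Unable to read template name\n");
			goto out;
		}

		/*
		 * The "ima" template format can not be mixed with other
		 * template formats records.
		 */
		if (!first_record) {
			cur_template_fmt = strcmp(entry.name, "ima") == 0 ? 1 : 0;
			if ((is_ima_template && !cur_template_fmt) ||
			    (!is_ima_template && cur_template_fmt)) {
				log_err("Mixed measurement list containing \"ima\" and other template formats not supported.\n");
				goto out;
			}
		} else {
			first_record = 0;
			is_ima_template = strcmp(entry.name, "ima") == 0 ? 1 : 0;
		}

		/* The "ima" template data is not length prefixed.  Skip it. */
		if (!is_ima_template) {
			if (fread(&entry.template_len,
				  sizeof(entry.template_len), 1, fp) != 1) {
				log_err("Unable to read template length\n");
				goto out;
			}
			/* bound the allocation below by the list's maximum record size */
			if (entry.template_len == 0 ||
			    entry.template_len > MAX_TEMPLATE_SIZE) {
				log_err("Invalid template data len\n");
				goto out;
			}
		} else {
			entry.template_len = SHA_DIGEST_LENGTH +
					     TCG_EVENT_NAME_LEN_MAX + 1;
		}

		/* grow the reusable template buffer only when needed */
		if (entry.template_buf_len < entry.template_len) {
			free(entry.template);
			entry.template_buf_len = entry.template_len;
			entry.template = malloc(entry.template_len);
			if (!entry.template) {
				log_err("Out of memory\n");
				goto out;
			}
		}

		if (!is_ima_template) {
			if (fread(entry.template, entry.template_len,
				  1, fp) != 1) {
				log_errno("Unable to read template\n");
				goto out;
			}
		} else {
			uint32_t field_len;
			uint32_t len;

			/*
			 * The "ima" template data format is digest,
			 * filename length, filename.
			 */
			if (fread(entry.template, SHA_DIGEST_LENGTH,
				  1, fp) != 1) {
				log_errno("Unable to read file data hash\n");
				goto out;
			}

			/*
			 * Read the filename length, but it isn't included
			 * in the template data hash calculation.
			 */
			len = fread(&field_len, sizeof(field_len), 1, fp);
			if (len <= 0) {
				log_errno("Failed reading file name length\n");
				goto out;
			}
			/* the buffer only has room for TCG_EVENT_NAME_LEN_MAX bytes */
			if (field_len > TCG_EVENT_NAME_LEN_MAX) {
				log_err("file pathname is too long\n");
				goto out;
			}

			len = fread(entry.template + SHA_DIGEST_LENGTH,
				    field_len, 1, fp);
			if (len != 1) {
				log_errno("Failed reading file name\n");
				goto out;
			}

			/*
			 * The template data is fixed sized, zero out
			 * the remaining memory.
			 */
			len = SHA_DIGEST_LENGTH + field_len;
			memset(entry.template + len, 0x00,
			       entry.template_buf_len - len);
		}

		extend_tpm_banks(&entry, num_banks, pseudo_banks,
				 pseudo_padded_banks);

		/* Recalculate and verify template data digest */
		err = ima_verify_template_hash(&entry);
		if (err)
			invalid_template_digest = 1;

		if (is_ima_template)
			ima_show(&entry);
		else
			ima_ng_show(&entry);

		if (!tpmbanks)
			continue;

		for (c = 0; c < num_banks; c++) {
			if ((pseudo_banks_mask & (1 << c)) == 0)
				continue;

			/* The measurement list might contain too many entries,
			 * compare the re-calculated TPM PCR values after each
			 * extend.
			 */
			err = compare_tpm_banks(num_banks, pseudo_banks,
						tpm_banks, 1 << c, entry_num);
			if (!err)
				pseudo_banks_mask ^= (1 << c);
		}
		if (pseudo_banks_mask == 0)
			break;

		for (c = 0; c < num_banks; c++) {
			if ((pseudo_padded_banks_mask & (1 << c)) == 0)
				continue;

			/* Compare against original SHA1 zero padded TPM PCR values */
			err_padded = compare_tpm_banks(num_banks,
						       pseudo_padded_banks,
						       tpm_banks, 1 << c,
						       entry_num);
			if (!err_padded)
				pseudo_padded_banks_mask ^= (1 << c);
		}
		if (pseudo_padded_banks_mask == 0)
			break;
	}

	if (tpmbanks == 0)
		log_info("Failed to read any TPM PCRs\n");
	else {
		if (!err)
			log_info("Matched per TPM bank calculated digest(s).\n");
		else if (!err_padded) {
			log_info("Matched SHA1 padded TPM digest(s).\n");
			err = 0;
		} else
			log_info("Failed to match per TPM bank or SHA1 padded TPM digest(s).\n");
	}

	/* a digest mismatch overrides a PCR match: the list is not trustworthy */
	if (invalid_template_digest) {
		log_info("Failed to verify template data digest.\n");
		err = 1;
	}
out:
	fclose(fp);
out_free:
	free(tpm_banks);
	free(pseudo_banks);
	free(pseudo_padded_banks);
	free(entry.template);
	return err;
}

/* "ima_measurement" command: verify the measurement list given as argument */
static int cmd_ima_measurement(struct command *cmd)
{
	char *file = g_argv[optind++];

	if (!file) {
		log_err("Parameters missing\n");
		print_usage(cmd);
		return -1;
	}

	return ima_measurement(file);
}

/*
 * read_binary_bios_measurements - read the TPM 1.2 event log
 *
 * Returns 0 on success, 1 on failure.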
*/ #define MAX_EVENT_DATA_SIZE 200000 static int read_binary_bios_measurements(char *file, struct tpm_bank_info *bank) { struct { struct { uint32_t pcr; int type; unsigned char digest[SHA_DIGEST_LENGTH]; uint32_t len; } header; unsigned char data[MAX_EVENT_DATA_SIZE]; } event; EVP_MD_CTX *mdctx; const EVP_MD *md; unsigned int mdlen; int evp_err = 1; /* success */ struct stat s; FILE *fp; int err = 0; int len; int i; #if OPENSSL_VERSION_NUMBER < 0x10100000 EVP_MD_CTX ctx; mdctx = &ctx; #endif if (stat(file, &s) == -1) return 1; if (!S_ISREG(s.st_mode)) { log_info("Bios event log: not a regular file or link to regular file\n"); return 1; } fp = fopen(file, "r"); if (!fp) return 1; if (imaevm_params.verbose > LOG_INFO) log_info("Reading the TPM 1.2 event log (%s)\n", file); md = EVP_get_digestbyname(bank->algo_name); if (!md) { log_err("Unknown message digest %s\n", bank->algo_name); fclose(fp); return 1; } #if OPENSSL_VERSION_NUMBER >= 0x10100000 mdctx = EVP_MD_CTX_new(); if (!mdctx) { log_err("EVP_MD_CTX_new failed\n"); fclose(fp); return 1; } #endif /* Extend the pseudo TPM PCRs with the event digest */ while (fread(&event, sizeof(event.header), 1, fp) == 1) { if (imaevm_params.verbose > LOG_INFO) { log_info("%02u ", event.header.pcr); log_dump(event.header.digest, SHA_DIGEST_LENGTH); } if (event.header.pcr >= NUM_PCRS) { log_err("Invalid PCR %d.\n", event.header.pcr); break; } evp_err = EVP_DigestInit(mdctx, md); if (evp_err == 0) { log_err("EVP_DigestInit() failed\n"); break; } evp_err = EVP_DigestUpdate(mdctx, bank->pcr[event.header.pcr], 20); if (evp_err == 0) { log_err("EVP_DigestUpdate() failed\n"); break; } evp_err = EVP_DigestUpdate(mdctx, event.header.digest, 20); if (evp_err == 0) { log_err("EVP_DigestUpdate() failed\n"); break; } evp_err = EVP_DigestFinal(mdctx, bank->pcr[event.header.pcr], &mdlen); if (evp_err == 0) { log_err("EVP_DigestFinal() failed\n"); break; } if (event.header.len > MAX_EVENT_DATA_SIZE) { log_err("Event data event too long.\n"); 
err = 1; break; } len = fread(event.data, event.header.len, 1, fp); if (len != 1) { log_errno("Failed reading event data (short read)\n"); err = 1; break; } } if (evp_err == 0) /* EVP_ functions return 1 on success, 0 on failure */ err = 1; fclose(fp); #if OPENSSL_VERSION_NUMBER >= 0x10100000 EVP_MD_CTX_free(mdctx); #endif if (imaevm_params.verbose <= LOG_INFO) return err; for (i = 0; i < NUM_PCRS; i++) { log_info("PCR-%2.2x ", i); log_dump(bank->pcr[i], SHA_DIGEST_LENGTH); } return err; } static void calc_bootaggr(struct tpm_bank_info *bank) { EVP_MD_CTX *pctx; unsigned int mdlen; const EVP_MD *md; #if OPENSSL_VERSION_NUMBER < 0x10100000 EVP_MD_CTX ctx; pctx = &ctx; #else pctx = EVP_MD_CTX_new(); #endif int err = 0; int i; md = EVP_get_digestbyname(bank->algo_name); err = EVP_DigestInit(pctx, md); if (!err) { printf("EVP_DigestInit() failed\n"); goto out; } for (i = 0; i < 8; i++) { err = EVP_DigestUpdate(pctx, bank->pcr[i], bank->digest_size); if (!err) { log_err("EVP_DigestUpdate() failed\n"); goto out; } } if (strcmp(bank->algo_name, "sha1") != 0) { for (i = 8; i < 10; i++) { err = EVP_DigestUpdate(pctx, bank->pcr[i], bank->digest_size); if (!err) { log_err("EVP_DigestUpdate() failed\n"); goto out; } } } err = EVP_DigestFinal(pctx, bank->digest, &mdlen); if (!err) { log_err("EVP_DigestFinal() failed\n"); goto out; } out: #if OPENSSL_VERSION_NUMBER >= 0x10100000 EVP_MD_CTX_free(pctx); #endif return; } /* * The "boot_aggregate" format is the TPM PCR bank algorithm, a colon * separator, followed by a per bank TPM PCR bank specific digest. * Store the TPM PCR bank specific "boot_aggregate" value as a newline * terminated string in the provided buffer. 
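 */
/*
 * Append "<algo>:<asciihex digest>\n" for the single bank @tpm_banks to
 * @bootaggr and return the number of characters written.
 *
 * No NUL terminator is written and no bounds are checked: the caller
 * (cmd_ima_bootaggr) sizes the buffer as strlen(algo) + 1 + 2*digest_size
 * + 1 per bank and terminates the complete list itself.
 */
static int append_bootaggr(char *bootaggr, struct tpm_bank_info *tpm_banks)
{
	const uint8_t *buf;
	const uint8_t *end = tpm_banks->digest + tpm_banks->digest_size;
	int j;

	/* "<algo>:" */
	strcpy(bootaggr, tpm_banks->algo_name);
	j = strlen(tpm_banks->algo_name);
	bootaggr[j++] = ':';

	/* digest as asciihex, two characters per byte */
	for (buf = tpm_banks->digest; buf < end; buf++) {
		bootaggr[j++] = hex_asc_hi(*buf);
		bootaggr[j++] = hex_asc_lo(*buf);
	}
	bootaggr[j++] = '\n';

	return j;
}

/*
 * The IMA measurement list boot_aggregate is the link between the preboot
 * event log and the IMA measurement list.  Read and calculate all the
 * possible per TPM bank boot_aggregate digests based on the existing PCRs
 * 0 - 9 to validate against the IMA boot_aggregate record.  If the digest
 * algorithm is SHA1, only PCRs 0 - 7 are considered to avoid ambiguity.
 *
 * With a file argument the TPM 1.2 SHA1 event log in that file is replayed
 * instead of reading the PCRs from the TPM.  Prints one
 * "<algo>:<digest>\n" line per supported bank to stdout.
 *
 * Returns 0 on success, -1 on error (already logged).
 */
static int cmd_ima_bootaggr(struct command *cmd)
{
	struct tpm_bank_info *tpm_banks;
	int bootaggr_len = 0;
	char *bootaggr;
	int num_banks = 0;
	int offset = 0;
	int err = 0;
	int i;
	char *file = g_argv[optind++];

	tpm_banks = init_tpm_banks(&num_banks);
	if (!tpm_banks)
		return -1;

	if (file) {
		/*
		 * Instead of just reading the TPM 1.2 PCRs, walk the exported
		 * TPM 1.2 SHA1 event log, calculating the PCRs.
		 * TPM 1.2 only supports SHA1, so every other bank is disabled.
		 */
		for (i = 1; i < num_banks; i++)
			tpm_banks[i].supported = 0;

		err = read_binary_bios_measurements(file, tpm_banks);
		if (err) {
			log_err("Failed reading the TPM 1.2 event log (%s)\n", file);
			free(tpm_banks);
			return -1;
		}
	} else if (read_tpm_banks(num_banks, tpm_banks) != 0) {
		log_info("Failed to read any TPM PCRs\n");
		free(tpm_banks);
		return -1;
	}

	/*
	 * Allocate enough memory for the per TPM 2.0 PCR bank algorithm,
	 * the colon separator, the boot_aggregate digest and newline.
	 *
	 * Format: <algo>:<digest>\n ...
	 */
	for (i = 0; i < num_banks; i++) {
		if (!tpm_banks[i].supported)
			continue;
		bootaggr_len += strlen(tpm_banks[i].algo_name) + 1;
		bootaggr_len += (tpm_banks[i].digest_size * 2) + 1;
	}

	/* Make room for the trailing null */
	bootaggr = malloc(bootaggr_len + 1);
	if (!bootaggr) {
		log_err("malloc failed\n");
		free(tpm_banks);
		return -1;
	}

	/*
	 * Calculate and convert the per TPM 2.0 PCR bank algorithm
	 * "boot_aggregate" digest from binary to asciihex.  Store the
	 * "boot_aggregate" values as a list of newline terminated
	 * strings.
	 */
	for (i = 0; i < num_banks; i++) {
		if (!tpm_banks[i].supported)
			continue;
		calc_bootaggr(&tpm_banks[i]);
		offset += append_bootaggr(bootaggr + offset, tpm_banks + i);
	}
	/* append_bootaggr() writes exactly the bytes sized above */
	bootaggr[bootaggr_len] = '\0';

	printf("%s", bootaggr);
	free(bootaggr);
	free(tpm_banks);
	return 0;
}

/* Print the one-line "usage: <name> <arg>" synopsis of @cmd. */
static void print_usage(struct command *cmd)
{
	const char *arg = cmd->arg ? cmd->arg : "";

	printf("usage: %s %s\n", cmd->name, arg);
}

/* Print the synopsis of @cmd followed by its description (msg), if any. */
static void print_full_usage(struct command *cmd)
{
	if (cmd->name) {
		const char *arg = cmd->arg ? cmd->arg : "";

		printf("usage: %s %s\n", cmd->name, arg);
	}
	if (cmd->msg)
		printf("%s", cmd->msg);
}

/*
 * Look @command up in the NULL-name terminated @cmds table and print its
 * full usage.  The match is case-sensitive here (call_command() matches
 * case-insensitively).  Returns 0 when found, -1 otherwise.
 */
static int print_command_usage(struct command *cmds, char *command)
{
	struct command *cmd;

	for (cmd = cmds; cmd->name; cmd++) {
		if (strcmp(cmd->name, command) != 0)
			continue;
		print_full_usage(cmd);
		return 0;
	}
	printf("invalid command: %s\n", command);
	return -1;
}

/* Print the synopsis of every command in the table (arg preferred over msg). */
static void print_all_usage(struct command *cmds)
{
	struct command *cmd;

	printf("commands:\n");
	for (cmd = cmds; cmd->name; cmd++) {
		if (cmd->arg)
			printf(" %s %s\n", cmd->name, cmd->arg);
		else if (cmd->msg)
			printf(" %s", cmd->msg);
	}
}

/*
 * Dispatch @command (matched case-insensitively) to its handler and return
 * the handler's result; -1 when no command matches.
 */
static int call_command(struct command *cmds, char *command)
{
	struct command *cmd;

	for (cmd = cmds; cmd->name; cmd++) {
		if (strcasecmp(cmd->name, command) == 0)
			return cmd->func(cmd);
	}
	printf("Invalid command: %s\n", command);
	return -1;
}

/* "help": without an argument print the help synopsis, else that command's usage. */
static int cmd_help(struct command *cmd)
{
	char *topic = g_argv[optind];

	if (!topic) {
		print_usage(cmd);
		return 0;
	}
	return print_command_usage(cmds, topic);
}

/* Print the global option summary and the command list. */
static void usage(void)
{
	printf("Usage: evmctl [-v] [OPTIONS]\n");
	print_all_usage(cmds);
	printf(
	"\n"
	" -a,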
--hashalgo sha1, sha224, sha256, sha384, sha512, streebog256, streebog512 (default: %s)\n" " -s, --imasig make IMA signature\n" " --veritysig sign an fs-verity file digest hash\n" " -d, --imahash make IMA hash\n" " -f, --sigfile store IMA signature in .sig file instead of xattr\n" " --xattr-user store xattrs in user namespace (for testing purposes)\n" #if CONFIG_SIGV1 " --rsa use RSA key type and signing scheme v1 (deprecated)\n" #endif " -k, --key path to signing key (default: /etc/keys/{privkey,pubkey}_evm.pem)\n" " or a pkcs11 URI\n" " --keyid n overwrite signature keyid with a 32-bit value in hex (for signing)\n" " --keyid-from-cert file\n" " read keyid value from SKID of a x509 cert file\n" " -o, --portable generate portable EVM signatures\n" " -p, --pass password for encrypted signing key\n" " -r, --recursive recurse into directories (sign)\n" " -t, --type file types to fix 'fxm' (f: file)\n" " x - skip fixing if both ima and evm xattrs exist (use with caution)\n" " m - stay on the same filesystem (like 'find -xdev')\n" " -n print result to stdout instead of setting xattr\n" " -u, --uuid use custom FS UUID for EVM (unspecified: from FS, empty: do not use)\n" " --smack use extra SMACK xattrs for EVM\n" " --m32 force EVM hmac/signature for 32 bit target system\n" " --m64 force EVM hmac/signature for 64 bit target system\n" " --ino use custom inode for EVM\n" " --uid use custom UID for EVM\n" " --gid use custom GID for EVM\n" " --mode use custom Mode for EVM\n" " --generation use custom Generation for EVM(unspecified: from FS, empty: use 0)\n" " --ima use custom IMA signature for EVM\n" " --selinux use custom Selinux label for EVM\n" " --caps use custom Capabilities for EVM(unspecified: from FS, empty: do not use)\n" " --verify-sig verify measurement list signatures\n" #if CONFIG_IMA_EVM_ENGINE " --engine e preload OpenSSL engine e (such as: gost) is deprecated\n" #endif " --ignore-violations ignore ToMToU measurement violations\n" " -v increase verbosity 
level\n" " -h, --help display this help and exit\n" "\n" "Environment variables:\n\n" "EVMCTL_KEY_PASSWORD : Private key password to use; do not use --pass option\n" "\n", DEFAULT_HASH_ALGO); } struct command cmds[] = { {"--version", NULL, 0, ""}, {"help", cmd_help, 0, ""}, #if CONFIG_SIGV1 {"import", cmd_import, 0, "[--rsa (deprecated)] pubkey keyring", "Import public key into the keyring.\n"}, {"convert", cmd_convert, 0, "key", "convert public key into the keyring. (deprecated)\n"}, #else {"import", cmd_import, 0, "pubkey keyring", "Import public key into the keyring.\n"}, #endif {"sign", cmd_sign_evm, 0, "[-r] [--imahash | --imasig ] [--key key] [--pass[=]] file", "Sign file metadata.\n"}, {"verify", cmd_verify_evm, 0, "file", "Verify EVM signature (for debugging).\n"}, {"ima_sign", cmd_sign_ima, 0, "[--sigfile] [--key key] [--pass[=]] file", "Make file content signature.\n"}, {"ima_verify", cmd_verify_ima, 0, "file", "Verify IMA signature (for debugging).\n"}, {"ima_setxattr", cmd_setxattr_ima, 0, "[--sigfile file]", "Set IMA signature from sigfile\n"}, {"ima_hash", cmd_hash_ima, 0, "file", "Make file content hash.\n"}, {"ima_measurement", cmd_ima_measurement, 0, "[--ignore-violations] [--verify-sig [--key key1, key2, ...]] [--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...] 
[--verify-bank hash-algorithm] file", "Verify measurement list (experimental).\n"}, {"ima_boot_aggregate", cmd_ima_bootaggr, 0, "[--pcrs hash-algorithm,file] [TPM 1.2 BIOS event log] [--hwtpm]", "Calculate per TPM bank boot_aggregate digests\n"}, {"ima_fix", cmd_ima_fix, 0, "[-t fdsxm] path", "Recursively fix IMA/EVM xattrs in fix mode.\n"}, {"ima_clear", cmd_ima_clear, 0, "[-t fdsxm] path", "Recursively remove IMA/EVM xattrs.\n"}, {"sign_hash", cmd_sign_hash, 0, "[--veritysig] [--key key] [--pass[=]]", "Sign hashes from either shaXsum or \"fsverity digest\" output.\n"}, #ifdef DEBUG {"hmac", cmd_hmac_evm, 0, "[--imahash | --imasig ] file", "Sign file metadata with HMAC using symmetric key (for testing purpose).\n"}, #endif {0, 0, 0, NULL} }; static struct option opts[] = { {"help", 0, 0, 'h'}, {"imasig", 0, 0, 's'}, {"imahash", 0, 0, 'd'}, {"hashalgo", 1, 0, 'a'}, {"pass", 2, 0, 'p'}, {"sigfile", 0, 0, 'f'}, {"uuid", 2, 0, 'u'}, {"rsa", 0, 0, '1'}, {"key", 1, 0, 'k'}, {"type", 1, 0, 't'}, {"recursive", 0, 0, 'r'}, {"m32", 0, 0, '3'}, {"m64", 0, 0, '6'}, {"portable", 0, 0, 'o'}, {"smack", 0, 0, 128}, {"version", 0, 0, 129}, {"inode", 1, 0, 130}, {"uid", 1, 0, 131}, {"gid", 1, 0, 132}, {"mode", 1, 0, 133}, {"generation", 1, 0, 134}, {"ima", 1, 0, 135}, {"selinux", 1, 0, 136}, {"caps", 2, 0, 137}, {"verify-sig", 0, 0, 138}, #if CONFIG_IMA_EVM_ENGINE {"engine", 1, 0, 139}, #endif {"xattr-user", 0, 0, 140}, {"ignore-violations", 0, 0, 141}, {"pcrs", 1, 0, 142}, {"verify-bank", 2, 0, 143}, {"keyid", 1, 0, 144}, {"keyid-from-cert", 1, 0, 145}, {"veritysig", 0, 0, 146}, {"hwtpm", 0, 0, 147}, {} }; static char *get_password(void) { struct termios flags, tmp_flags; char *password, *pwd; int passlen = 64; password = malloc(passlen); if (!password) { perror("malloc"); return NULL; } tcgetattr(fileno(stdin), &flags); tmp_flags = flags; tmp_flags.c_lflag &= ~ECHO; tmp_flags.c_lflag |= ECHONL; if (tcsetattr(fileno(stdin), TCSANOW, &tmp_flags) != 0) { perror("tcsetattr"); 
free(password); return NULL; } printf("PEM password: "); pwd = fgets(password, passlen, stdin); /* restore terminal */ if (tcsetattr(fileno(stdin), TCSANOW, &flags) != 0) { perror("tcsetattr"); free(password); return NULL; } if (pwd == NULL) { free(password); return NULL; } return password; } #if CONFIG_IMA_EVM_ENGINE static ENGINE *setup_engine(const char *engine_id) { ENGINE *eng = ENGINE_by_id(engine_id); if (!eng) { log_err("engine %s isn't available\n", optarg); ERR_print_errors_fp(stderr); } else if (!ENGINE_init(eng)) { log_err("engine %s init failed\n", optarg); ERR_print_errors_fp(stderr); ENGINE_free(eng); eng = NULL; } if (eng) ENGINE_set_default(eng, ENGINE_METHOD_ALL); return eng; } #endif int main(int argc, char *argv[]) { int err = 0, c, lind; unsigned long keyid; char *eptr; errno = 0; /* initialize global errno */ #if !(OPENSSL_VERSION_NUMBER < 0x10100000) OPENSSL_init_crypto( #ifndef DISABLE_OPENSSL_CONF OPENSSL_INIT_LOAD_CONFIG | #endif OPENSSL_INIT_ENGINE_ALL_BUILTIN, NULL); #endif g_argv = argv; g_argc = argc; while (1) { c = getopt_long(argc, argv, "hvnsda:op::fu::k:t:ri", opts, &lind); if (c == -1) break; switch (c) { case 'h': usage(); exit(0); break; case 'v': imaevm_params.verbose++; break; case 'd': digest = 1; break; case 's': digsig = 1; break; case 'n': /* do not set Extended Attributes... 
just print signature */ xattr = 0; sigdump = 1; break; case 'a': imaevm_params.hash_algo = optarg; break; case 'p': if (optarg) imaevm_params.keypass = optarg; else imaevm_params.keypass = get_password(); break; case 'f': sigfile = 1; break; case 'u': uuid_str = optarg; if (!uuid_str) hmac_flags |= HMAC_FLAG_NO_UUID; break; case '1': imaevm_params.x509 = 0; break; case 'k': imaevm_params.keyfile = optarg; break; case 'i': if (evm_portable) log_err("Portable and immutable options are exclusive, ignoring immutable option."); else evm_immutable = true; break; case 'o': if (evm_immutable) log_err("Portable and immutable options are exclusive, ignoring portable option."); else evm_portable = true; break; case 't': search_type = optarg; break; case 'r': recursive = 1; break; case '3': msize = 32; break; case '6': msize = 64; break; case 128: evm_config_xattrnames = evm_extra_smack_xattrs; break; case 129: printf("evmctl %s\n", VERSION); exit(0); break; case 130: ino_str = optarg; break; case 131: uid_str = optarg; break; case 132: gid_str = optarg; break; case 133: mode_str = optarg; break; case 134: generation_str = optarg; break; case 135: ima_str = optarg; break; case 136: selinux_str = optarg; break; case 137: caps_str = optarg; hmac_flags |= HMAC_FLAG_CAPS_SET; break; case 138: verify_list_sig = 1; break; #if CONFIG_IMA_EVM_ENGINE case 139: /* --engine e */ imaevm_params.eng = setup_engine(optarg); if (!imaevm_params.eng) { log_info("setup_engine failed\n"); goto error; } break; #endif case 140: /* --xattr-user */ xattr_ima = "user.ima"; xattr_evm = "user.evm"; break; case 141: /* --ignore-violations */ ignore_violations = 1; break; case 142: if (npcrfile >= MAX_PCRFILE) { log_err("too many --pcrfile options\n"); exit(1); } pcrfile[npcrfile++] = optarg; break; case 143: verify_bank = optarg; break; case 144: errno = 0; keyid = strtoul(optarg, &eptr, 16); /* * ULONG_MAX is error from strtoul(3), * UINT_MAX is `imaevm_params.keyid' maximum value, * 0 is reserved for 
keyid being unset. */ if (errno || eptr - optarg != strlen(optarg) || keyid == ULONG_MAX || keyid > UINT_MAX || keyid == 0) { log_err("Invalid keyid value.\n"); exit(1); } imaevm_params.keyid = keyid; break; case 145: keyid = imaevm_read_keyid(optarg); if (keyid == 0) { log_err("Error reading keyid.\n"); exit(1); } imaevm_params.keyid = keyid; break; case 146: veritysig = 1; break; case 147: hwtpm = 1; break; case '?': exit(1); break; default: log_err("getopt() returned: %d (%c)\n", c, c); } } if (!imaevm_params.keypass) imaevm_params.keypass = getenv("EVMCTL_KEY_PASSWORD"); if (imaevm_params.keyfile != NULL && imaevm_params.eng == NULL && !strncmp(imaevm_params.keyfile, "pkcs11:", 7)) { #if CONFIG_IMA_EVM_ENGINE imaevm_params.eng = setup_engine("pkcs11"); #endif if (!imaevm_params.eng) goto error; } if (argv[optind] == NULL) usage(); else err = call_command(cmds, argv[optind++]); if (err) { unsigned long error; if (errno) log_err("errno: %s (%d)\n", strerror(errno), errno); for (;;) { error = ERR_get_error(); if (!error) break; log_err("%s\n", ERR_error_string(error, NULL)); } if (err < 0) err = 125; } error: #if CONFIG_IMA_EVM_ENGINE if (imaevm_params.eng) { ENGINE_finish(imaevm_params.eng); ENGINE_free(imaevm_params.eng); #if OPENSSL_API_COMPAT < 0x10100000L ENGINE_cleanup(); #endif } #endif ERR_free_strings(); EVP_cleanup(); BIO_free(NULL); return err; } ima-evm-utils-1.5/src/hash_info.gen000077500000000000000000000047341440135744700173140ustar00rootroot00000000000000#!/bin/sh # # Generate hash_info.h from kernel headers # # Copyright (C) 2018 # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2, or (at your option) # any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the # GNU General Public License for more details. KERNEL_HEADERS=$1 HASH_INFO_H=uapi/linux/hash_info.h HASH_INFO=$KERNEL_HEADERS/include/$HASH_INFO_H TMPHASHINFO="./tmp_hash_info.h" gen_hashinfo() { cat << __EOF__ >$TMPHASHINFO /* SPDX-License-Identifier: GPL-2.0+ WITH Linux-syscall-note */ /* * Hash Info: Hash algorithms information * * Copyright (c) 2013 Dmitry Kasatkin * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the Free * Software Foundation; either version 2 of the License, or (at your option) * any later version. * */ enum hash_algo { HASH_ALGO_MD4, HASH_ALGO_MD5, HASH_ALGO_SHA1, HASH_ALGO_RIPE_MD_160, HASH_ALGO_SHA256, HASH_ALGO_SHA384, HASH_ALGO_SHA512, HASH_ALGO_SHA224, HASH_ALGO_RIPE_MD_128, HASH_ALGO_RIPE_MD_256, HASH_ALGO_RIPE_MD_320, HASH_ALGO_WP_256, HASH_ALGO_WP_384, HASH_ALGO_WP_512, HASH_ALGO_TGR_128, HASH_ALGO_TGR_160, HASH_ALGO_TGR_192, HASH_ALGO_SM3_256, HASH_ALGO__LAST }; __EOF__ } # Allow to specify kernel-headers past include/ if [ ! -e $HASH_INFO ]; then HASH_INFO2=$KERNEL_HEADERS/$HASH_INFO_H if [ -e $HASH_INFO2 ]; then HASH_INFO=$HASH_INFO2 else gen_hashinfo HASH_INFO="$TMPHASHINFO" fi fi if [ ! -e $HASH_INFO ]; then echo "/* $HASH_INFO is not found */" HASH_INFO=/dev/null else echo "/* $HASH_INFO is found */" fi echo "enum hash_algo {" grep HASH_ALGO_.*, $HASH_INFO printf "\tHASH_ALGO__LAST\n" echo "};" echo "const char *const hash_algo_name[HASH_ALGO__LAST] = {" sed -n 's/HASH_ALGO_\(.*\),/\1 \L\1\E/p' $HASH_INFO | \ while read a b; do # Normalize text hash name: sm3 algorithm name is different from # the macro definition, which is also the only special case of an # underscore between digits. Remove all other underscores. 
b=$(echo "$b" | sed "s/sm3_256/sm3/g;s/_//g") printf '\t%-26s = "%s",\n' "[HASH_ALGO_$a]" "$b" done echo "};" ima-evm-utils-1.5/src/imaevm.h000066400000000000000000000164321440135744700163050ustar00rootroot00000000000000/* * ima-evm-utils - IMA/EVM support utilities * * Copyright (C) 2011 Nokia Corporation * Copyright (C) 2011,2012,2013 Intel Corporation * Copyright (C) 2013,2014 Samsung Electronics * * Authors: * Dmitry Kasatkin * * * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License * version 2 as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program. If not, see . * * As a special exception, the copyright holders give permission to link the * code of portions of this program with the OpenSSL library under certain * conditions as described in each individual source file and distribute * linked combinations including the program with the OpenSSL library. You * must comply with the GNU General Public License in all respects * for all of the code used other than as permitted herein. If you modify * file(s) with this exception, you may extend this exception to your * version of the file(s), but you are not obligated to do so. If you do not * wish to do so, delete this exception statement from your version. If you * delete this exception statement from all source files in the program, * then also delete it in the license file. 
* * File: imaevm.h * IMA/EVM header file */ #ifndef _LIBIMAEVM_H #define _LIBIMAEVM_H #include #include #include #include #include #include #include #ifdef CONFIG_IMA_EVM_ENGINE #include #endif #if defined(OPENSSL_NO_ENGINE) || defined(OPENSSL_NO_DYNAMIC_ENGINE) #undef CONFIG_IMA_EVM_ENGINE #endif #ifdef USE_FPRINTF #define do_log(level, fmt, args...) \ ({ if (level <= imaevm_params.verbose) fprintf(stderr, fmt, ##args); }) #define do_log_dump(level, p, len, cr) \ ({ if (level <= imaevm_params.verbose) imaevm_do_hexdump(stderr, p, len, cr); }) #else #define do_log(level, fmt, args...) syslog(level, fmt, ##args) #define do_log_dump(level, p, len, cr) #endif #ifdef DEBUG #define log_debug(fmt, args...) do_log(LOG_DEBUG, "%s:%d " fmt, __func__ , __LINE__ , ##args) #define log_debug_dump(p, len) do_log_dump(LOG_DEBUG, p, len, true) #define log_debug_dump_n(p, len) do_log_dump(LOG_DEBUG, p, len, false) #else #define log_debug(fmt, args...) #define log_debug_dump(p, len) #endif #define log_dump(p, len) do_log_dump(LOG_INFO, p, len, true) #define log_dump_n(p, len) do_log_dump(LOG_INFO, p, len, false) #define log_info(fmt, args...) do_log(LOG_INFO, fmt, ##args) #define log_err(fmt, args...) do_log(LOG_ERR, fmt, ##args) #define log_errno(fmt, args...) do_log(LOG_ERR, fmt ": errno: %s (%d)\n", ##args, strerror(errno), errno) #ifndef DEFAULT_HASH_ALGO #define DEFAULT_HASH_ALGO "sha256" #endif #define DATA_SIZE 4096 #define SHA1_HASH_LEN 20 #define MAX_DIGEST_SIZE 64 #define MAX_SIGNATURE_SIZE 1024 /* * The maximum template data size is dependent on the template format. For * example the 'ima-modsig' template includes two signatures - one for the * entire file, the other without the appended signature - and other fields * (e.g. file digest, file name, file digest without the appended signature). * * Other template formats are much smaller. 
*/ #define MAX_TEMPLATE_SIZE (MAX_SIGNATURE_SIZE * 4) #define __packed __attribute__((packed)) enum evm_ima_xattr_type { IMA_XATTR_DIGEST = 0x01, EVM_XATTR_HMAC, EVM_IMA_XATTR_DIGSIG, IMA_XATTR_DIGEST_NG, EVM_XATTR_PORTABLE_DIGSIG, IMA_VERITY_DIGSIG, }; struct h_misc { unsigned long ino; uint32_t generation; uid_t uid; gid_t gid; unsigned short mode; }; struct h_misc_32 { uint32_t ino; uint32_t generation; uid_t uid; gid_t gid; unsigned short mode; }; struct h_misc_64 { uint64_t ino; uint32_t generation; uid_t uid; gid_t gid; unsigned short mode; }; struct h_misc_digsig { uid_t uid; gid_t gid; unsigned short mode; }; enum pubkey_algo { PUBKEY_ALGO_RSA, PUBKEY_ALGO_MAX, }; enum digest_algo { DIGEST_ALGO_SHA1, DIGEST_ALGO_SHA256, DIGEST_ALGO_MAX }; enum digsig_version { DIGSIG_VERSION_1 = 1, DIGSIG_VERSION_2, DIGSIG_VERSION_3 /* hash of ima_file_id struct (portion used) */ }; struct pubkey_hdr { uint8_t version; /* key format version */ uint32_t timestamp; /* key made, always 0 for now */ uint8_t algo; uint8_t nmpi; char mpi[0]; } __packed; struct signature_hdr { uint8_t version; /* signature format version */ uint32_t timestamp; /* signature made */ uint8_t algo; uint8_t hash; uint8_t keyid[8]; uint8_t nmpi; char mpi[0]; } __packed; /* reflect enum hash_algo from include/uapi/linux/hash_info.h */ enum pkey_hash_algo { PKEY_HASH_MD4, PKEY_HASH_MD5, PKEY_HASH_SHA1, PKEY_HASH_RIPE_MD_160, PKEY_HASH_SHA256, PKEY_HASH_SHA384, PKEY_HASH_SHA512, PKEY_HASH_SHA224, PKEY_HASH_RIPE_MD_128, PKEY_HASH_RIPE_MD_256, PKEY_HASH_RIPE_MD_320, PKEY_HASH_WP_256, PKEY_HASH_WP_384, PKEY_HASH_WP_512, PKEY_HASH_TGR_128, PKEY_HASH_TGR_160, PKEY_HASH_TGR_192, PKEY_HASH_SM3_256, PKEY_HASH_STREEBOG_256, PKEY_HASH_STREEBOG_512, PKEY_HASH__LAST }; /* * signature format v2 - for using with asymmetric keys */ struct signature_v2_hdr { uint8_t version; /* signature format version */ uint8_t hash_algo; /* Digest algorithm [enum pkey_hash_algo] */ uint32_t keyid; /* IMA key identifier - not X509/PGP 
specific*/ uint16_t sig_size; /* signature size */ uint8_t sig[0]; /* signature payload */ } __packed; struct libimaevm_params { int verbose; int x509; const char *hash_algo; const char *keyfile; const char *keypass; uint32_t keyid; /* keyid overriding value, unless 0. (Host order.) */ ENGINE *eng; }; struct RSA_ASN1_template { const uint8_t *data; size_t size; }; #define NUM_PCRS 24 #define DEFAULT_PCR 10 extern struct libimaevm_params imaevm_params; void imaevm_do_hexdump(FILE *fp, const void *ptr, int len, bool cr); void imaevm_hexdump(const void *ptr, int len); int ima_calc_hash(const char *file, uint8_t *hash); int imaevm_get_hash_algo(const char *algo); RSA *read_pub_key(const char *keyfile, int x509); EVP_PKEY *read_pub_pkey(const char *keyfile, int x509); void calc_keyid_v1(uint8_t *keyid, char *str, const unsigned char *pkey, int len); void calc_keyid_v2(uint32_t *keyid, char *str, EVP_PKEY *pkey); int key2bin(RSA *key, unsigned char *pub); uint32_t imaevm_read_keyid(const char *certfile); int sign_hash(const char *algo, const unsigned char *hash, int size, const char *keyfile, const char *keypass, unsigned char *sig); int verify_hash(const char *file, const unsigned char *hash, int size, unsigned char *sig, int siglen); int ima_verify_signature(const char *file, unsigned char *sig, int siglen, unsigned char *digest, int digestlen); void init_public_keys(const char *keyfiles); int imaevm_hash_algo_from_sig(unsigned char *sig); const char *imaevm_hash_algo_by_id(int algo); int calc_hash_sigv3(enum evm_ima_xattr_type type, const char *algo, const unsigned char *in_hash, unsigned char *out_hash); #endif ima-evm-utils-1.5/src/libimaevm.c000066400000000000000000000731731440135744700167740ustar00rootroot00000000000000/* * ima-evm-utils - IMA/EVM support utilities * * Copyright (C) 2011 Nokia Corporation * Copyright (C) 2011,2012,2013 Intel Corporation * Copyright (C) 2013,2014 Samsung Electronics * * Authors: * Dmitry Kasatkin * * * * This program is free 
software; you can redistribute it and/or * modify it under the terms of the GNU General Public License * version 2 as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program. If not, see . * * As a special exception, the copyright holders give permission to link the * code of portions of this program with the OpenSSL library under certain * conditions as described in each individual source file and distribute * linked combinations including the program with the OpenSSL library. You * must comply with the GNU General Public License in all respects * for all of the code used other than as permitted herein. If you modify * file(s) with this exception, you may extend this exception to your * version of the file(s), but you are not obligated to do so. If you do not * wish to do so, delete this exception statement from your version. If you * delete this exception statement from all source files in the program, * then also delete it in the license file. * * File: libimaevm.c * IMA/EVM library */ /* should we use logger instead for library? */ #define USE_FPRINTF #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include "imaevm.h" #include "hash_info.h" /* Names that are primary for OpenSSL. 
*/ static const char *const pkey_hash_algo[PKEY_HASH__LAST] = { [PKEY_HASH_MD4] = "md4", [PKEY_HASH_MD5] = "md5", [PKEY_HASH_SHA1] = "sha1", [PKEY_HASH_RIPE_MD_160] = "rmd160", [PKEY_HASH_SHA256] = "sha256", [PKEY_HASH_SHA384] = "sha384", [PKEY_HASH_SHA512] = "sha512", [PKEY_HASH_SHA224] = "sha224", [PKEY_HASH_SM3_256] = "sm3", [PKEY_HASH_STREEBOG_256] = "md_gost12_256", [PKEY_HASH_STREEBOG_512] = "md_gost12_512", }; /* Names that are primary for the kernel. */ static const char *const pkey_hash_algo_kern[PKEY_HASH__LAST] = { [PKEY_HASH_STREEBOG_256] = "streebog256", [PKEY_HASH_STREEBOG_512] = "streebog512", }; struct libimaevm_params imaevm_params = { .verbose = LOG_INFO, .x509 = 1, .hash_algo = DEFAULT_HASH_ALGO, }; static void __attribute__ ((constructor)) libinit(void); void imaevm_do_hexdump(FILE *fp, const void *ptr, int len, bool newline) { int i; uint8_t *data = (uint8_t *) ptr; for (i = 0; i < len; i++) fprintf(fp, "%02x", data[i]); if (newline) fprintf(fp, "\n"); } void imaevm_hexdump(const void *ptr, int len) { imaevm_do_hexdump(stdout, ptr, len, true); } const char *imaevm_hash_algo_by_id(int algo) { if (algo < PKEY_HASH__LAST) return pkey_hash_algo[algo]; if (algo < HASH_ALGO__LAST) return hash_algo_name[algo]; log_err("digest %d not found\n", algo); return NULL; } /* Output all remaining openssl error messages. 
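 */
static void output_openssl_errors(void)
{
	/* buf must be at least 256 bytes long according to ERR_error_string(3) */
	char buf[256];

	while (ERR_peek_error()) {
		ERR_error_string(ERR_get_error(), buf);
		log_err("openssl: %s\n", buf);
	}
}

/*
 * Feed the content of the regular file @file into the already initialised
 * digest context @ctx, DATA_SIZE bytes at a time.
 *
 * Returns 0 on success, -1 on a file or memory error (already logged) and
 * 1 when EVP_DigestUpdate() fails, so the caller can dump the OpenSSL
 * error queue.
 */
static int add_file_hash(const char *file, EVP_MD_CTX *ctx)
{
	uint8_t *data = NULL;
	int err = -1, bs = DATA_SIZE;
	off_t size, len;
	FILE *fp;
	struct stat stats;

	fp = fopen(file, "r");
	if (!fp) {
		log_err("Failed to open: %s\n", file);
		return -1;
	}

	data = malloc(bs);
	if (!data) {
		log_err("malloc failed\n");
		goto out;
	}

	if (fstat(fileno(fp), &stats) == -1) {
		log_err("Failed to fstat: %s (%s)\n", file, strerror(errno));
		goto out;
	}

	/*
	 * Read st_size bytes in bs-sized chunks.  A short read without a
	 * stream error means the file shrank underneath us; the digest then
	 * covers the bytes that were read.
	 */
	for (size = stats.st_size; size; size -= len) {
		len = MIN(size, bs);
		if (fread(data, len, 1, fp) != 1) {
			if (ferror(fp)) {
				log_err("fread() failed\n\n");
				goto out;
			}
			break;
		}
		if (!EVP_DigestUpdate(ctx, data, len)) {
			log_err("EVP_DigestUpdate() failed\n");
			err = 1;
			goto out;
		}
	}
	err = 0;
out:
	fclose(fp);
	free(data);
	return err;
}

/*
 * Hash the content of the regular file @file with imaevm_params.hash_algo
 * into @hash (which must hold at least the algorithm's digest size).
 *
 * The file is lstat()ed, so a symlink is reported as unsupported rather
 * than followed.
 *
 * Returns the digest length on success, 1 on an OpenSSL failure (the
 * error queue is dumped) and a negative value on a stat error or an
 * unsupported file type.
 */
int ima_calc_hash(const char *file, uint8_t *hash)
{
	const EVP_MD *md;
	struct stat st;
	EVP_MD_CTX *pctx;
	unsigned int mdlen;
	int err;

#if OPENSSL_VERSION_NUMBER < 0x10100000
	EVP_MD_CTX ctx;
	pctx = &ctx;
#else
	pctx = EVP_MD_CTX_new();
	if (!pctx) {
		log_err("EVP_MD_CTX_new() failed\n");
		err = 1;
		goto err;
	}
#endif

	/* Need to know the file length */
	err = lstat(file, &st);
	if (err < 0) {
		log_err("Failed to stat: %s\n", file);
		goto err;
	}

	md = EVP_get_digestbyname(imaevm_params.hash_algo);
	if (!md) {
		log_err("EVP_get_digestbyname(%s) failed\n",
			imaevm_params.hash_algo);
		err = 1;
		goto err;
	}

	err = EVP_DigestInit(pctx, md);
	if (!err) {
		log_err("EVP_DigestInit() failed\n");
		err = 1;
		goto err;
	}

	switch (st.st_mode & S_IFMT) {
	case S_IFREG:
		err = add_file_hash(file, pctx);
		break;
	default:
		log_err("Unsupported file type (0x%x)\n", st.st_mode & S_IFMT);
		err = -1;
		goto err;
	}

	if (err)
		goto err;

	err = EVP_DigestFinal(pctx, hash, &mdlen);
	if (!err) {
		log_err("EVP_DigestFinal() failed\n");
		err = 1;
		goto err;
	}
	err = mdlen;	/* success: return the digest length */
err:
	if (err == 1)
		output_openssl_errors();
#if OPENSSL_VERSION_NUMBER >= 0x10100000
	EVP_MD_CTX_free(pctx);
#endif
	return err;
}

/*
 * Load a public key from the regular file @keyfile: a DER X.509
 * certificate when @x509 is set, otherwise a PEM public key.
 *
 * Returns a new EVP_PKEY the caller must free, or NULL on error (logged,
 * with the OpenSSL error queue dumped).
 */
EVP_PKEY *read_pub_pkey(const char *keyfile, int x509)
{
	FILE *fp;
	EVP_PKEY *pkey = NULL;
	struct stat st;

	if (!keyfile)
		return NULL;

	fp = fopen(keyfile, "r");
	if (!fp) {
		if (imaevm_params.verbose > LOG_INFO)
			log_info("Failed to open keyfile: %s\n", keyfile);
		return NULL;
	}

	if (fstat(fileno(fp), &st) == -1) {
		log_err("Failed to fstat key file: %s\n", keyfile);
		goto out;
	}

	if ((st.st_mode & S_IFMT) != S_IFREG) {
		if (imaevm_params.verbose > LOG_INFO)
			log_err("Key file is not regular file: %s\n", keyfile);
		goto out;
	}

	if (!x509) {
		pkey = PEM_read_PUBKEY(fp, NULL, NULL, NULL);
		if (!pkey)
			log_err("Failed to PEM_read_PUBKEY key file: %s\n",
				keyfile);
		goto out;
	}

	{
		X509 *crt = d2i_X509_fp(fp, NULL);

		if (!crt) {
			log_err("Failed to d2i_X509_fp key file: %s\n", keyfile);
			goto out;
		}
		pkey = X509_extract_key(crt);
		X509_free(crt);
		if (!pkey)
			log_err("Failed to X509_extract_key key file: %s\n",
				keyfile);
	}
out:
	if (!pkey)
		output_openssl_errors();
	fclose(fp);
	return pkey;
}

#if CONFIG_SIGV1
/*
 * Load @keyfile as in read_pub_pkey() and return its RSA key (a new
 * reference the caller must RSA_free), or NULL when the file cannot be
 * read or the key is not RSA.
 */
RSA *read_pub_key(const char *keyfile, int x509)
{
	EVP_PKEY *pkey;
	RSA *key;

	pkey = read_pub_pkey(keyfile, x509);
	if (!pkey)
		return NULL;

	key = EVP_PKEY_get1_RSA(pkey);
	EVP_PKEY_free(pkey);
	if (!key) {
		log_err("read_pub_key: unsupported key type\n");
		output_openssl_errors();
		return NULL;
	}
	return key;
}

/*
 * Verify a (deprecated) signature format v1: SHA1(hash || signature_hdr)
 * must equal the RSA PKCS#1 v1.5 "decryption" of the MPI that follows the
 * header and its 2-byte length prefix in @sig.
 *
 * Returns 0 when the signature is good, -1 when it does not match and 1 on
 * any error (malformed signature, unreadable key, RSA failure).
 */
static int verify_hash_v1(const char *file, const unsigned char *hash, int size,
			  unsigned char *sig, int siglen, const char *keyfile)
{
	int err, len;
	SHA_CTX ctx;
	unsigned char out[1024];
	RSA *key;
	unsigned char sighash[20];
	struct signature_hdr *hdr = (struct signature_hdr *)sig;

	/*
	 * @sig comes from an xattr or signature file.  The header and the
	 * 2-byte MPI length prefix must fit in front of the RSA blob,
	 * otherwise the length handed to RSA_public_decrypt() below wraps
	 * and the hdr hashed into sighash is read past the buffer.
	 */
	if (siglen < (int)(sizeof(*hdr) + 2)) {
		log_err("%s: signature too short (%d bytes)\n", file, siglen);
		return 1;
	}

	log_info("hash-v1: ");
	log_dump(hash, size);

	key = read_pub_key(keyfile, 0);
	if (!key)
		return 1;

	/* RSA_public_decrypt() writes up to RSA_size(key) bytes into out */
	if (RSA_size(key) > (int)sizeof(out)) {
		log_err("%s: RSA key too large (%d bytes)\n", file, RSA_size(key));
		RSA_free(key);
		return 1;
	}

	SHA1_Init(&ctx);
	SHA1_Update(&ctx, hash, size);
	SHA1_Update(&ctx, hdr, sizeof(*hdr));
	SHA1_Final(sighash, &ctx);
	log_info("sighash: ");
	log_dump(sighash, sizeof(sighash));

	err = RSA_public_decrypt(siglen - sizeof(*hdr) - 2,
				 sig + sizeof(*hdr) + 2, out, key,
				 RSA_PKCS1_PADDING);
	RSA_free(key);
	if (err < 0) {
		log_err("%s: RSA_public_decrypt() failed: %d\n", file, err);
		output_openssl_errors();
		return 1;
	}

	len = err;
	if (len != sizeof(sighash) || memcmp(out, sighash, len) != 0) {
		log_err("%s: verification failed: %d\n", file, err);
		return -1;
	}

	return 0;
}
#endif /* CONFIG_SIGV1 */

/*
 * Singly linked list of the public keys loaded by init_public_keys(),
 * indexed by the v2 keyid.  An entry with key == NULL records a keyid that
 * was looked up and not found, so the "unknown keyid" message is logged
 * only once per keyid.
 */
struct public_key_entry {
	struct public_key_entry *next;
	uint32_t keyid;
	char name[9];	/* keyid as 8 hex digits plus NUL */
	EVP_PKEY *key;
};
static struct public_key_entry *public_keys = NULL;

/*
 * Return the key registered for @keyid, or NULL when unknown.  The first
 * miss for a keyid appends a key-less placeholder entry and logs it.
 */
static EVP_PKEY *find_keyid(uint32_t keyid)
{
	struct public_key_entry *entry, *tail = public_keys;
	int i = 1;

	for (entry = public_keys; entry != NULL; entry = entry->next) {
		if (entry->keyid == keyid)
			return entry->key;
		i++;
		tail = entry;
	}

	/* add unknown keys to list */
	entry = calloc(1, sizeof(struct public_key_entry));
	if (!entry) {
		perror("calloc");
		return NULL;
	}
	entry->keyid = keyid;
	if (tail)
		tail->next = entry;
	else
		public_keys = entry;
	log_err("key %d: %x (unknown keyid)\n", i, __be32_to_cpup(&keyid));
	return NULL;
}

/*
 * Load the X.509 certificates named in @keyfiles (separated by ',', space
 * or tab) and prepend each usable key to the public_keys list.  Files that
 * cannot be read are skipped with an error logged by read_pub_pkey().
 */
void init_public_keys(const char *keyfiles)
{
	struct public_key_entry *entry;
	char *tmp_keyfiles, *keyfiles_free;
	char *keyfile;
	int i = 1;

	tmp_keyfiles = strdup(keyfiles);
	if (!tmp_keyfiles) {
		perror("strdup");
		return;
	}
	keyfiles_free = tmp_keyfiles;

	while ((keyfile = strsep(&tmp_keyfiles, ", \t")) != NULL) {
		if (*keyfile == '\0' || *keyfile == ' ' || *keyfile == '\t')
			continue;

		entry = malloc(sizeof(struct public_key_entry));
		if (!entry) {
			perror("malloc");
			break;
		}

		entry->key = read_pub_pkey(keyfile, 1);
		if (!entry->key) {
			free(entry);
			continue;
		}

		calc_keyid_v2(&entry->keyid, entry->name, entry->key);
		/* keyid is stored in big-endian; print it as 8 hex digits */
		snprintf(entry->name, sizeof(entry->name), "%x",
			 __be32_to_cpup(&entry->keyid));
		log_info("key %d: %s %s\n", i++, entry->name, keyfile);
		entry->next = public_keys;
		public_keys = entry;
	}
	free(keyfiles_free);
}

/*
 * Verify a signature, prefixed with the signature_v2_hdr, either based
 * directly or indirectly on the file data hash.
 *
 * version 2: directly based on the file data hash (e.g.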
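sha*sum)
 * version 3: indirectly based on the hash of the struct ima_file_id, which
 *            contains the xattr type (enum evm_ima_xattr_type), the hash
 *            algorithm (enum hash_algo), and the file data hash
 *            (e.g. fsverity digest).
 *
 * @sig points at the signature_v2_hdr (the caller has already skipped the
 * leading xattr 'type' byte) and @siglen is the number of bytes from there.
 *
 * Return: 0 verification good, 1 verification bad, -1 error.
 *
 * (Note: signature_v2_hdr struct does not contain the 'type'.)
 */
static int verify_hash_common(const char *file, const unsigned char *hash,
			      int size, unsigned char *sig, int siglen)
{
	int ret = -1;
	EVP_PKEY *pkey;
	struct signature_v2_hdr *hdr = (struct signature_v2_hdr *)sig;
	EVP_PKEY_CTX *ctx = NULL;
	const EVP_MD *md;
	const char *st;

	/*
	 * hdr->keyid is read and siglen - sizeof(*hdr) is formed below (as a
	 * size_t, so a short buffer would wrap to a huge length).  The
	 * signature comes from an xattr, so bound it before touching it.
	 */
	if (!sig || siglen < 0 || (size_t)siglen < sizeof(*hdr)) {
		log_err("%s: verification failed: signature too short (%d)\n",
			file, siglen);
		return -1;
	}

	if (imaevm_params.verbose > LOG_INFO) {
		log_info("hash(%s): ", imaevm_params.hash_algo);
		log_dump(hash, size);
	}

	/* The key returned here is owned by the public_keys list; never free it. */
	pkey = find_keyid(hdr->keyid);
	if (!pkey) {
		uint32_t keyid = hdr->keyid;

		if (imaevm_params.verbose > LOG_INFO)
			log_info("%s: verification failed: unknown keyid %x\n",
				 file, __be32_to_cpup(&keyid));
		return -1;
	}

#if defined(EVP_PKEY_SM2) && OPENSSL_VERSION_NUMBER < 0x30000000
	/* If an EC key is used, check whether it is an SM2 key */
	if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
		EC_KEY *ec = EVP_PKEY_get0_EC_KEY(pkey);
		int curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));

		if (curve == NID_sm2)
			EVP_PKEY_set_alias_type(pkey, EVP_PKEY_SM2);
	}
#endif

	/* st names the last OpenSSL call attempted, for the error message */
	st = "EVP_PKEY_CTX_new";
	if (!(ctx = EVP_PKEY_CTX_new(pkey, NULL)))
		goto err;
	st = "EVP_PKEY_verify_init";
	if (!EVP_PKEY_verify_init(ctx))
		goto err;
	st = "EVP_get_digestbyname";
	if (!(md = EVP_get_digestbyname(imaevm_params.hash_algo)))
		goto err;
	st = "EVP_PKEY_CTX_set_signature_md";
	if (!EVP_PKEY_CTX_set_signature_md(ctx, md))
		goto err;
	st = "EVP_PKEY_verify";
	ret = EVP_PKEY_verify(ctx, sig + sizeof(*hdr),
			      siglen - sizeof(*hdr), hash, size);
	if (ret == 1)
		ret = 0;
	else if (ret == 0) {
		log_err("%s: verification failed: %d (%s)\n",
			file, ret, ERR_reason_error_string(ERR_get_error()));
		output_openssl_errors();
		ret = 1;
	}
err:
	if (ret < 0 || ret > 1) {
		log_err("%s: verification failed: %d (%s) in %s\n",
			file, ret, ERR_reason_error_string(ERR_peek_error()),
			st);
		output_openssl_errors();
		ret = -1;
	}
	EVP_PKEY_CTX_free(ctx);	/* NULL-safe */
	return ret;
}

/*
 * Verify a signature, prefixed with the signature_v2_hdr, directly based
 * on the file data hash.
 *
 * @sig points at the xattr 'type' byte; the header follows it.
 *
 * Return: 0 verification good, 1 verification bad, -1 error.
 */
static int verify_hash_v2(const char *file, const unsigned char *hash,
			  int size, unsigned char *sig, int siglen)
{
	/* note: signature_v2_hdr does not contain 'type', use sig + 1 */
	return verify_hash_common(file, hash, size, sig + 1, siglen - 1);
}

/*
 * Verify a signature, prefixed with the signature_v2_hdr, indirectly based
 * on the file data hash: the signed value is the hash of the ima_file_id
 * built from sig[0] (the xattr type) and @hash by calc_hash_sigv3().
 *
 * Return: 0 verification good, 1 verification bad, -1 error (including
 * any negative return of calc_hash_sigv3()).
 */
static int verify_hash_v3(const char *file, const unsigned char *hash,
			  int size, unsigned char *sig, int siglen)
{
	unsigned char sigv3_hash[MAX_DIGEST_SIZE];
	int ret;

	ret = calc_hash_sigv3(sig[0], NULL, hash, sigv3_hash);
	if (ret < 0)
		return ret;

	/* note: signature_v2_hdr does not contain 'type', use sig + 1 */
	return verify_hash_common(file, sigv3_hash, size, sig + 1, siglen - 1);
}

#define HASH_MAX_DIGESTSIZE 64	/* kernel HASH_MAX_DIGESTSIZE is 64 bytes */

struct ima_file_id {
	__u8 hash_type;		/* xattr type [enum evm_ima_xattr_type] */
	__u8 hash_algorithm;	/* Digest algorithm [enum hash_algo] */
	__u8 hash[HASH_MAX_DIGESTSIZE];
} __packed;

/*
 * Calculate the signature format version 3 hash based on the portion
 * of the ima_file_id structure used, not the entire structure.
 *
 * On success, return the hash length, otherwise for openssl errors
 * return 1, other errors return -EINVAL.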
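*/
int calc_hash_sigv3(enum evm_ima_xattr_type type, const char *algo,
		    const unsigned char *in_hash, unsigned char *out_hash)
{
	struct ima_file_id file_id = { .hash_type = IMA_VERITY_DIGSIG };
	uint8_t *data = (uint8_t *) &file_id;
	const EVP_MD *md;
	EVP_MD_CTX *pctx = NULL;
	unsigned int mdlen;
	int err;
#if OPENSSL_VERSION_NUMBER < 0x10100000
	EVP_MD_CTX ctx;
#endif
	int hash_algo;
	int hash_size;
	unsigned int unused;

	if (type != IMA_VERITY_DIGSIG) {
		log_err("Only fsverity supports signature format v3 (sigv3)\n");
		return -EINVAL;
	}

	if (!algo)
		algo = imaevm_params.hash_algo;

	if ((hash_algo = imaevm_get_hash_algo(algo)) < 0) {
		log_err("Hash algorithm %s not supported\n", algo);
		return -EINVAL;
	}
	file_id.hash_algorithm = hash_algo;

	md = EVP_get_digestbyname(algo);
	if (!md) {
		log_err("EVP_get_digestbyname(%s) failed\n", algo);
		err = 1;
		goto err;
	}

	/*
	 * file_id.hash holds HASH_MAX_DIGESTSIZE bytes and 'unused' below is
	 * unsigned, so a larger digest would overflow the copy and wrap the
	 * subtraction.
	 */
	hash_size = EVP_MD_size(md);
	if (hash_size <= 0 || hash_size > HASH_MAX_DIGESTSIZE) {
		log_err("Hash size %d of %s does not fit ima_file_id\n",
			hash_size, algo);
		return -EINVAL;
	}
	memcpy(file_id.hash, in_hash, hash_size);

	/*
	 * Create the digest context only after every early return above, so
	 * the -EINVAL paths cannot leak it.
	 */
#if OPENSSL_VERSION_NUMBER < 0x10100000
	pctx = &ctx;
#else
	pctx = EVP_MD_CTX_new();
	if (!pctx) {
		log_err("EVP_MD_CTX_new() failed\n");
		err = 1;
		goto err;
	}
#endif

	err = EVP_DigestInit(pctx, md);
	if (!err) {
		log_err("EVP_DigestInit() failed\n");
		err = 1;
		goto err;
	}

	/* Only the used part of the hash field is covered by the digest. */
	unused = HASH_MAX_DIGESTSIZE - hash_size;
	if (!EVP_DigestUpdate(pctx, data, sizeof(file_id) - unused)) {
		log_err("EVP_DigestUpdate() failed\n");
		err = 1;
		goto err;
	}

	err = EVP_DigestFinal(pctx, out_hash, &mdlen);
	if (!err) {
		log_err("EVP_DigestFinal() failed\n");
		err = 1;
		goto err;
	}
	err = mdlen;
err:
	if (err == 1)
		output_openssl_errors();
#if OPENSSL_VERSION_NUMBER >= 0x10100000
	EVP_MD_CTX_free(pctx);	/* NULL-safe */
#endif
	return err;
}

/*
 * Map a hash algorithm name to its numeric id.
 *
 * Builtin names (pkey_hash_algo, then pkey_hash_algo_kern) are tried
 * first, then the names provided by the kernel headers (hash_algo_name).
 *
 * Return: the algorithm index, or -1 if @algo is NULL or unknown.
 */
int imaevm_get_hash_algo(const char *algo)
{
	int i;

	if (!algo)
		return -1;

	/* first iterate over builtin algorithms */
	for (i = 0; i < PKEY_HASH__LAST; i++)
		if (pkey_hash_algo[i] &&
		    !strcmp(algo, pkey_hash_algo[i]))
			return i;

	for (i = 0; i < PKEY_HASH__LAST; i++)
		if (pkey_hash_algo_kern[i] &&
		    !strcmp(algo, pkey_hash_algo_kern[i]))
			return i;

	/* iterate over algorithms provided by kernel-headers */
	for (i = 0; i < HASH_ALGO__LAST; i++)
		if (hash_algo_name[i] &&
		    !strcmp(algo, hash_algo_name[i]))
			return i;

	return -1;
}

int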
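imaevm_hash_algo_from_sig(unsigned char *sig)
{
	uint8_t hashalgo;

	/*
	 * @sig points at the signature version byte; no length is passed, so
	 * the caller must guarantee the version-specific header is complete.
	 */
	if (sig[0] == DIGSIG_VERSION_1) {
		hashalgo = ((struct signature_hdr *)sig)->hash;

		if (hashalgo >= DIGEST_ALGO_MAX)
			return -1;

		/* v1 only ever used these two digests */
		switch (hashalgo) {
		case DIGEST_ALGO_SHA1:
			return PKEY_HASH_SHA1;
		case DIGEST_ALGO_SHA256:
			return PKEY_HASH_SHA256;
		default:
			return -1;
		}
	} else if (sig[0] == DIGSIG_VERSION_2 || sig[0] == DIGSIG_VERSION_3) {
		hashalgo = ((struct signature_v2_hdr *)sig)->hash_algo;
		if (hashalgo >= PKEY_HASH__LAST)
			return -1;

		return hashalgo;
	} else
		return -1;
}

/*
 * Dispatch on the signature version byte (sig[1]; sig[0] is the xattr type).
 *
 * Return: 0 verification good, 1 verification bad, -1 error or unknown
 * version.
 */
int verify_hash(const char *file, const unsigned char *hash, int size,
		unsigned char *sig, int siglen)
{
	/* sig[1] is read below; the version-specific verifier bounds the rest */
	if (!sig || siglen < 2)
		return -1;

	/* Get signature type from sig header */
	if (sig[1] == DIGSIG_VERSION_1) {
#if CONFIG_SIGV1
		const char *key = NULL;

		/* Read pubkey from RSA key */
		if (!imaevm_params.keyfile)
			key = "/etc/keys/pubkey_evm.pem";
		else
			key = imaevm_params.keyfile;
		return verify_hash_v1(file, hash, size, sig + 1, siglen - 1,
				      key);
#else
		log_info("Signature version 1 deprecated.");
		return -1;
#endif
	} else if (sig[1] == DIGSIG_VERSION_2) {
		return verify_hash_v2(file, hash, size, sig, siglen);
	} else if (sig[1] == DIGSIG_VERSION_3) {
		return verify_hash_v3(file, hash, size, sig, siglen);
	} else
		return -1;
}

/*
 * Verify the IMA signature @sig (the raw security.ima xattr value, @siglen
 * bytes) of @file.
 *
 * If @digest/@digestlen are given, the signature is checked against that
 * digest (e.g. one taken from a measurement list); otherwise the file is
 * hashed locally with ima_calc_hash().  Calculating an fs-verity digest
 * locally is not supported, so IMA_VERITY_DIGSIG requires @digest.
 *
 * As a side effect, imaevm_params.hash_algo is set to the algorithm named
 * in the signature header.
 *
 * Return: 0 verification good, 1 verification bad, -1 error, or the
 * (<= 1) return of ima_calc_hash() when hashing the file fails.
 */
int ima_verify_signature(const char *file, unsigned char *sig, int siglen,
			 unsigned char *digest, int digestlen)
{
	unsigned char hash[MAX_DIGEST_SIZE];
	int hashlen, sig_hash_algo;

	/*
	 * sig[0] (xattr type) and sig[1] (signature version) are read here;
	 * the xattr is untrusted, so do not read them from a shorter buffer.
	 */
	if (!sig || siglen < 2) {
		log_err("%s: xattr ima signature too short\n", file);
		return -1;
	}

	if (sig[0] != EVM_IMA_XATTR_DIGSIG && sig[0] != IMA_VERITY_DIGSIG) {
		log_err("%s: xattr ima has no signature\n", file);
		return -1;
	}

	if (!digest && sig[0] == IMA_VERITY_DIGSIG) {
		log_err("%s: calculating the fs-verity digest is not supported\n", file);
		return -1;
	}

	sig_hash_algo = imaevm_hash_algo_from_sig(sig + 1);
	if (sig_hash_algo < 0) {
		log_err("%s: Invalid signature\n", file);
		return -1;
	}
	/* Use hash algorithm as retrieved from signature */
	imaevm_params.hash_algo = imaevm_hash_algo_by_id(sig_hash_algo);

	/*
	 * Validate the signature based on the digest included in the
	 *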
measurement list, not by calculating the local file digest. */ if (digest && digestlen > 0) return verify_hash(file, digest, digestlen, sig, siglen); hashlen = ima_calc_hash(file, hash); if (hashlen <= 1) return hashlen; assert(hashlen <= sizeof(hash)); return verify_hash(file, hash, hashlen, sig, siglen); } #if CONFIG_SIGV1 /* * Create binary key representation suitable for kernel */ int key2bin(RSA *key, unsigned char *pub) { int len, b, offset = 0; struct pubkey_hdr *pkh = (struct pubkey_hdr *)pub; const BIGNUM *n, *e; #if OPENSSL_VERSION_NUMBER < 0x10100000 n = key->n; e = key->e; #else RSA_get0_key(key, &n, &e, NULL); #endif /* add key header */ pkh->version = 1; pkh->timestamp = 0; /* PEM has no timestamp?? */ pkh->algo = PUBKEY_ALGO_RSA; pkh->nmpi = 2; offset += sizeof(*pkh); len = BN_num_bytes(n); b = BN_num_bits(n); pub[offset++] = b >> 8; pub[offset++] = b & 0xff; BN_bn2bin(n, &pub[offset]); offset += len; len = BN_num_bytes(e); b = BN_num_bits(e); pub[offset++] = b >> 8; pub[offset++] = b & 0xff; BN_bn2bin(e, &pub[offset]); offset += len; return offset; } void calc_keyid_v1(uint8_t *keyid, char *str, const unsigned char *pkey, int len) { uint8_t sha1[SHA_DIGEST_LENGTH]; uint64_t id; SHA1(pkey, len, sha1); /* sha1[12 - 19] is exactly keyid from gpg file */ memcpy(keyid, sha1 + 12, 8); log_debug("keyid: "); log_debug_dump(keyid, 8); id = __be64_to_cpup((__be64 *) keyid); sprintf(str, "%llX", (unsigned long long)id); if (imaevm_params.verbose > LOG_INFO) log_info("keyid-v1: %s\n", str); } #endif /* CONFIG_SIGV1 */ /* * Calculate keyid of the public_key part of EVP_PKEY */ void calc_keyid_v2(uint32_t *keyid, char *str, EVP_PKEY *pkey) { X509_PUBKEY *pk = NULL; const unsigned char *public_key = NULL; int len; /* This is more generic than i2d_PublicKey() */ if (X509_PUBKEY_set(&pk, pkey) && X509_PUBKEY_get0_param(NULL, &public_key, &len, NULL, pk)) { uint8_t sha1[SHA_DIGEST_LENGTH]; SHA1(public_key, len, sha1); /* sha1[12 - 19] is exactly keyid from gpg file 
*/ memcpy(keyid, sha1 + 16, 4); } else *keyid = 0; log_debug("keyid: "); log_debug_dump(keyid, 4); sprintf(str, "%x", __be32_to_cpup(keyid)); if (imaevm_params.verbose > LOG_INFO) log_info("keyid: %s\n", str); X509_PUBKEY_free(pk); } /* * Extract SKID from x509 in openssl portable way. */ static const unsigned char *x509_get_skid(X509 *x, int *len) { #if OPENSSL_VERSION_NUMBER < 0x10100000 ASN1_STRING *skid; /* * This will cache extensions. * OpenSSL uses this method itself. */ if (X509_check_purpose(x, -1, -1) != 1) return NULL; skid = x->skid; #else const ASN1_OCTET_STRING *skid = X509_get0_subject_key_id(x); #endif if (len) *len = ASN1_STRING_length(skid); #if OPENSSL_VERSION_NUMBER < 0x10100000 return ASN1_STRING_data(x->skid); #else return ASN1_STRING_get0_data(skid); #endif } /* * read_keyid_from_cert() - Read keyid from SKID from x509 certificate file * @keyid_be: Output 32-bit keyid in network order (BE); * @certfile: Input filename. * @try_der: true: try to read in DER from if there is no PEM, * cert is considered mandatory and error will be issued * if there is no cert; * false: only try to read in PEM form, cert is considered * optional. * Return: 0 on success, -1 on error. */ static int read_keyid_from_cert(uint32_t *keyid_be, const char *certfile, int try_der) { X509 *x = NULL; FILE *fp; const unsigned char *skid; int skid_len; if (!(fp = fopen(certfile, "r"))) { log_err("Cannot open %s: %s\n", certfile, strerror(errno)); return -1; } if (!PEM_read_X509(fp, &x, NULL, NULL)) { if (ERR_GET_REASON(ERR_peek_last_error()) == PEM_R_NO_START_LINE) { ERR_clear_error(); if (try_der) { rewind(fp); d2i_X509_fp(fp, &x); } else { /* * Cert is optional and there is just no PEM * header, then issue debug message and stop * trying. 
*/ log_debug("%s: x509 certificate not found\n", certfile); fclose(fp); return -1; } } } fclose(fp); if (!x) { ERR_print_errors_fp(stderr); log_err("read keyid: %s: Error reading x509 certificate\n", certfile); return -1; } if (!(skid = x509_get_skid(x, &skid_len))) { log_err("read keyid: %s: SKID not found\n", certfile); goto err_free; } if (skid_len < sizeof(*keyid_be)) { log_err("read keyid: %s: SKID too short (len %d)\n", certfile, skid_len); goto err_free; } memcpy(keyid_be, skid + skid_len - sizeof(*keyid_be), sizeof(*keyid_be)); log_info("keyid %04x (from %s)\n", ntohl(*keyid_be), certfile); X509_free(x); return 0; err_free: X509_free(x); return -1; } /* * imaevm_read_keyid() - Read 32-bit keyid from the cert file * @certfile: File with certificate in PEM or DER form. * * Try to read keyid from Subject Key Identifier (SKID) of x509 certificate. * Autodetect if cert is in PEM (tried first) or DER encoding. * * Return: 0 on error or 32-bit keyid in host order otherwise. */ uint32_t imaevm_read_keyid(const char *certfile) { uint32_t keyid_be = 0; read_keyid_from_cert(&keyid_be, certfile, true); /* On error keyid_be will not be set, returning 0. 
*/ return ntohl(keyid_be); } static EVP_PKEY *read_priv_pkey(const char *keyfile, const char *keypass) { FILE *fp; EVP_PKEY *pkey = NULL; if (!strncmp(keyfile, "pkcs11:", 7)) { #ifdef CONFIG_IMA_EVM_ENGINE if (!imaevm_params.keyid) { log_err("When using a pkcs11 URI you must provide the keyid with an option\n"); return NULL; } if (keypass) { if (!ENGINE_ctrl_cmd_string(imaevm_params.eng, "PIN", keypass, 0)) { log_err("Failed to set the PIN for the private key\n"); goto err_engine; } } pkey = ENGINE_load_private_key(imaevm_params.eng, keyfile, NULL, NULL); if (!pkey) { log_err("Failed to load private key %s\n", keyfile); goto err_engine; } #else log_err("OpenSSL \"engine\" support is disabled\n"); goto err_engine; #endif } else { fp = fopen(keyfile, "r"); if (!fp) { log_err("Failed to open keyfile: %s\n", keyfile); return NULL; } pkey = PEM_read_PrivateKey(fp, NULL, NULL, (void *)keypass); if (!pkey) { log_err("Failed to PEM_read_PrivateKey key file: %s\n", keyfile); output_openssl_errors(); } fclose(fp); } return pkey; err_engine: output_openssl_errors(); return NULL; } #if CONFIG_SIGV1 static RSA *read_priv_key(const char *keyfile, const char *keypass) { EVP_PKEY *pkey; RSA *key; pkey = read_priv_pkey(keyfile, keypass); if (!pkey) return NULL; key = EVP_PKEY_get1_RSA(pkey); EVP_PKEY_free(pkey); if (!key) { log_err("read_priv_key: unsupported key type\n"); output_openssl_errors(); return NULL; } return key; } static int get_hash_algo_v1(const char *algo) { if (!strcmp(algo, "sha1")) return DIGEST_ALGO_SHA1; else if (!strcmp(algo, "sha256")) return DIGEST_ALGO_SHA256; return -1; } static int sign_hash_v1(const char *hashalgo, const unsigned char *hash, int size, const char *keyfile, unsigned char *sig) { int len = -1, hashalgo_idx; SHA_CTX ctx; unsigned char pub[1024]; RSA *key; char name[20]; unsigned char sighash[20]; struct signature_hdr *hdr; uint16_t *blen; if (!hash) { log_err("sign_hash_v1: hash is null\n"); return -1; } if (size < 0) { log_err("sign_hash_v1: 
size is negative: %d\n", size); return -1; } if (!hashalgo) { log_err("sign_hash_v1: hashalgo is null\n"); return -1; } if (!sig) { log_err("sign_hash_v1: sig is null\n"); return -1; } log_info("hash(%s): ", hashalgo); log_dump(hash, size); key = read_priv_key(keyfile, imaevm_params.keypass); if (!key) return -1; hdr = (struct signature_hdr *)sig; /* now create a new hash */ hdr->version = (uint8_t) DIGSIG_VERSION_1; hdr->timestamp = time(NULL); hdr->algo = PUBKEY_ALGO_RSA; hashalgo_idx = get_hash_algo_v1(hashalgo); if (hashalgo_idx < 0) { log_err("Signature version 1 does not support hash algo %s\n", hashalgo); goto out; } hdr->hash = (uint8_t) hashalgo_idx; len = key2bin(key, pub); calc_keyid_v1(hdr->keyid, name, pub, len); hdr->nmpi = 1; SHA1_Init(&ctx); SHA1_Update(&ctx, hash, size); SHA1_Update(&ctx, hdr, sizeof(*hdr)); SHA1_Final(sighash, &ctx); log_info("sighash: "); log_dump(sighash, sizeof(sighash)); len = RSA_private_encrypt(sizeof(sighash), sighash, sig + sizeof(*hdr) + 2, key, RSA_PKCS1_PADDING); if (len < 0) { log_err("RSA_private_encrypt() failed: %d\n", len); output_openssl_errors(); goto out; } /* we add bit length of the signature to make it gnupg compatible */ blen = (uint16_t *) (sig + sizeof(*hdr)); *blen = __cpu_to_be16(len << 3); len += sizeof(*hdr) + 2; log_info("evm/ima signature-v1: %d bytes\n", len); out: RSA_free(key); return len; } #endif /* CONFIG_SIGV1 */ /* * @sig is assumed to be of (MAX_SIGNATURE_SIZE - 1) size * Return: -1 signing error, >0 length of signature */ static int sign_hash_v2(const char *algo, const unsigned char *hash, int size, const char *keyfile, unsigned char *sig) { struct signature_v2_hdr *hdr; int len = -1; EVP_PKEY *pkey; char name[20]; EVP_PKEY_CTX *ctx = NULL; const EVP_MD *md; size_t sigsize; const char *st; uint32_t keyid; if (!hash) { log_err("sign_hash_v2: hash is null\n"); return -1; } if (size < 0) { log_err("sign_hash_v2: size is negative: %d\n", size); return -1; } if (!sig) { log_err("sign_hash_v2: 
sig is null\n"); return -1; } if (!algo) { log_err("sign_hash_v2: algo is null\n"); return -1; } log_info("hash(%s): ", algo); log_dump(hash, size); pkey = read_priv_pkey(keyfile, imaevm_params.keypass); if (!pkey) return -1; hdr = (struct signature_v2_hdr *)sig; hdr->version = (uint8_t) DIGSIG_VERSION_2; hdr->hash_algo = imaevm_get_hash_algo(algo); if (hdr->hash_algo == (uint8_t)-1) { log_err("sign_hash_v2: hash algo is unknown: %s\n", algo); return -1; } #if defined(EVP_PKEY_SM2) && OPENSSL_VERSION_NUMBER < 0x30000000 /* If EC key are used, check whether it is SM2 key */ if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) { EC_KEY *ec = EVP_PKEY_get0_EC_KEY(pkey); int curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec)); if (curve == NID_sm2) EVP_PKEY_set_alias_type(pkey, EVP_PKEY_SM2); } #endif if (imaevm_params.keyid) keyid = htonl(imaevm_params.keyid); else { int keyid_read_failed = read_keyid_from_cert(&keyid, keyfile, false); if (keyid_read_failed) calc_keyid_v2(&keyid, name, pkey); } hdr->keyid = keyid; st = "EVP_PKEY_CTX_new"; if (!(ctx = EVP_PKEY_CTX_new(pkey, NULL))) goto err; st = "EVP_PKEY_sign_init"; if (!EVP_PKEY_sign_init(ctx)) goto err; st = "EVP_get_digestbyname"; if (!(md = EVP_get_digestbyname(algo))) goto err; st = "EVP_PKEY_CTX_set_signature_md"; if (!EVP_PKEY_CTX_set_signature_md(ctx, md)) goto err; st = "EVP_PKEY_sign"; sigsize = MAX_SIGNATURE_SIZE - sizeof(struct signature_v2_hdr) - 1; if (!EVP_PKEY_sign(ctx, hdr->sig, &sigsize, hash, size)) goto err; len = (int)sigsize; /* we add bit length of the signature to make it gnupg compatible */ hdr->sig_size = __cpu_to_be16(len); len += sizeof(*hdr); log_info("evm/ima signature: %d bytes\n", len); err: if (len == -1) { log_err("sign_hash_v2: signing failed: (%s) in %s\n", ERR_reason_error_string(ERR_peek_error()), st); output_openssl_errors(); } EVP_PKEY_CTX_free(ctx); EVP_PKEY_free(pkey); return len; } int sign_hash(const char *hashalgo, const unsigned char *hash, int size, const char *keyfile, const char 
*keypass, unsigned char *sig) { if (keypass) imaevm_params.keypass = keypass; if (imaevm_params.x509) return sign_hash_v2(hashalgo, hash, size, keyfile, sig); #if CONFIG_SIGV1 else return sign_hash_v1(hashalgo, hash, size, keyfile, sig); #endif log_info("Signature version 1 deprecated."); return -1; } static void libinit() { #if OPENSSL_VERSION_NUMBER < 0x10100000 OpenSSL_add_all_algorithms(); OPENSSL_add_all_algorithms_conf(); #else OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS | OPENSSL_INIT_ADD_ALL_DIGESTS, NULL); ERR_load_crypto_strings(); #endif } ima-evm-utils-1.5/src/pcr.h000066400000000000000000000002101440135744700155760ustar00rootroot00000000000000int tpm2_pcr_supported(void); int tpm2_pcr_read(const char *algo_name, uint32_t pcr_handle, uint8_t *hwpcr, int len, char **errmsg); ima-evm-utils-1.5/src/pcr_ibmtss.c000066400000000000000000000104751440135744700171700ustar00rootroot00000000000000// SPDX-License-Identifier: GPL-2.0 /* * Support PCR reading implementation based on IBM TSS2 * * Copyright (C) 2021 IBM Ken Goldman */ #include #include #include #include #include #include #define USE_FPRINTF #include "utils.h" #include "imaevm.h" #define TPM_POSIX /* use Posix, not Windows constructs in TSS */ #undef MAX_DIGEST_SIZE /* imaevm uses a different value than the TSS */ #include int tpm2_pcr_supported(void) { if (imaevm_params.verbose > LOG_INFO) log_info("Using ibmtss to read PCRs\n"); return 1; } /* Table mapping C strings to TCG algorithm identifiers */ typedef struct tdAlgorithm_Map { const char *algorithm_string; TPMI_ALG_HASH algid; } Algorithm_Map; Algorithm_Map algorithm_map[] = { { "sha1", TPM_ALG_SHA1}, { "sha256", TPM_ALG_SHA256}, #if 0 /* uncomment as these digest algorithms are supported */ { "", TPM_ALG_SHA384}, { "", TPM_ALG_SHA512}, { "", TPM_ALG_SM3_256}, { "", TPM_ALG_SHA3_256}, { "", TPM_ALG_SHA3_384}, { "", TPM_ALG_SHA3_512}, #endif }; /* * algorithm_string_to_algid() converts a digest algorithm from a C string to a * TCG algorithm 
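identifier as defined in the TCG Algorithm Registry.
 *
 * Returns TPM_ALG_ERROR if the string has an unsupported value.
 */
static TPMI_ALG_HASH algorithm_string_to_algid(const char *algorithm_string)
{
	size_t i;

	for (i = 0; i < sizeof(algorithm_map) / sizeof(Algorithm_Map); i++) {
		if (strcmp(algorithm_string,
			   algorithm_map[i].algorithm_string) == 0)
			return algorithm_map[i].algid;	/* if match */
	}
	return TPM_ALG_ERROR;
}

/*
 * tpm2_pcr_read - read the PCR
 *
 * algo_name: PCR digest algorithm (the PCR bank) as a C string
 * pcr_handle: PCR number to read (0..23, the range a 3-byte selection
 *             bitmap can address)
 * hwpcr: buffer for the PCR output in binary
 * len: allocated size of hwpcr and should match the digest algorithm
 * errmsg: on the failures that produce a message, set to a malloc'ed
 *         string (NULL if asprintf failed); TSS failures leave it untouched
 *
 * Returns 0 on success, -1 on any failure.
 */
int tpm2_pcr_read(const char *algo_name, uint32_t pcr_handle, uint8_t *hwpcr,
		  int len, char **errmsg)
{
	int		ret = 0;	/* asprintf return code */
	TPM_RC		rc = 0;		/* TCG return code */
	TPM_RC		rc1 = 0;	/* secondary return code */
	PCR_Read_In	pcr_read_in;	/* command input */
	PCR_Read_Out	pcr_read_out;	/* response output */
	TSS_CONTEXT	*tss_context = NULL;
	TPMI_ALG_HASH	alg_id;		/* PCR algorithm */
	const uint32_t	select_bytes = 3;	/* size of the pcrSelect bitmap used */

	alg_id = algorithm_string_to_algid(algo_name);
	if (alg_id == TPM_ALG_ERROR) {
		ret = asprintf(errmsg, "tpm2_pcr_read: unknown algorithm %s",
			       algo_name);
		if (ret == -1)	/* the contents of errmsg is undefined */
			*errmsg = NULL;
		rc = 1;
		goto end;
	}

	/*
	 * pcrSelect[pcr_handle / 8] below indexes a bitmap of select_bytes
	 * bytes; a larger PCR number would write outside it.
	 */
	if (pcr_handle >= select_bytes * 8) {
		ret = asprintf(errmsg, "tpm2_pcr_read: PCR %u out of range",
			       pcr_handle);
		if (ret == -1)	/* the contents of errmsg is undefined */
			*errmsg = NULL;
		rc = 1;
		goto end;
	}

	rc = TSS_Create(&tss_context);
	if (rc != 0)
		goto end;

	/* call TSS to execute the command: select exactly one PCR of one bank */
	pcr_read_in.pcrSelectionIn.count = 1;
	pcr_read_in.pcrSelectionIn.pcrSelections[0].hash = alg_id;
	pcr_read_in.pcrSelectionIn.pcrSelections[0].sizeofSelect = select_bytes;
	pcr_read_in.pcrSelectionIn.pcrSelections[0].pcrSelect[0] = 0;
	pcr_read_in.pcrSelectionIn.pcrSelections[0].pcrSelect[1] = 0;
	pcr_read_in.pcrSelectionIn.pcrSelections[0].pcrSelect[2] = 0;
	pcr_read_in.pcrSelectionIn.pcrSelections[0].pcrSelect[pcr_handle / 8] =
		1 << (pcr_handle % 8);
	rc = TSS_Execute(tss_context,
			 (RESPONSE_PARAMETERS *)&pcr_read_out,
			 (COMMAND_PARAMETERS *)&pcr_read_in,
			 NULL,
			 TPM_CC_PCR_Read,
			 TPM_RH_NULL, NULL, 0);
	if (rc != 0)
		goto end;

	/* nothing read, bank missing */
	if (pcr_read_out.pcrValues.count == 0) {
		ret = asprintf(errmsg, "tpm2_pcr_read: returned count 0 for %s",
			       algo_name);
		if (ret == -1)	/* the contents of errmsg is undefined */
			*errmsg = NULL;
		rc = 1;
		goto end;
	}
	/* len parameter did not match the digest algorithm */
	else if (pcr_read_out.pcrValues.digests[0].t.size != len) {
		ret = asprintf(errmsg, "tpm2_pcr_read: "
			       "expected length %d actual %u for %s",
			       len, pcr_read_out.pcrValues.digests[0].t.size,
			       algo_name);
		if (ret == -1)	/* the contents of errmsg is undefined */
			*errmsg = NULL;
		rc = 1;
		goto end;
	} else {
		memcpy(hwpcr, pcr_read_out.pcrValues.digests[0].t.buffer,
		       pcr_read_out.pcrValues.digests[0].t.size);
	}
end:
	/* Call delete even on errors to free context resources */
	rc1 = TSS_Delete(tss_context);
	/* map TCG return code to function return code */
	if ((rc == 0) && (rc1 == 0))
		return 0;
	else
		return -1;
}

/* ==== ima-evm-utils-1.5/src/pcr_tss.c ==== */
/*
 * ima-evm-utils - IMA/EVM support utilities
 *
 * Copyright (C) 2011 Nokia Corporation
 * Copyright (C) 2011,2012,2013 Intel Corporation
 * Copyright (C) 2013,2014 Samsung Electronics
 *
 * Authors:
 * Dmitry Kasatkin
 *
 *
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
 * version 2 as published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program. If not, see .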
* * As a special exception, the copyright holders give permission to link the * code of portions of this program with the OpenSSL library under certain * conditions as described in each individual source file and distribute * linked combinations including the program with the OpenSSL library. You * must comply with the GNU General Public License in all respects * for all of the code used other than as permitted herein. If you modify * file(s) with this exception, you may extend this exception to your * version of the file(s), but you are not obligated to do so. If you do not * wish to do so, delete this exception statement from your version. If you * delete this exception statement from all source files in the program, * then also delete it in the license file. * * File: pcr_tss.c * PCR reading implementation based on Intel TSS2 */ #include #include #include #ifdef HAVE_LIBTSS2_ESYS # include # ifdef HAVE_LIBTSS2_RC # include # define LIB "tss2-rc-decode" # else # define LIB "tss2-esys" # endif #endif /* HAVE_LIBTSS2_ESYS */ #define USE_FPRINTF #include "imaevm.h" int tpm2_pcr_supported(void) { if (imaevm_params.verbose > LOG_INFO) log_info("Using %s to read PCRs.\n", LIB); return 1; } static int pcr_selections_match(TPML_PCR_SELECTION *a, TPML_PCR_SELECTION *b) { int i, j; if (a->count != b->count) return 0; for (i = 0; i < a->count; i++) { if (a->pcrSelections[i].hash != b->pcrSelections[i].hash) return 0; if (a->pcrSelections[i].sizeofSelect != b->pcrSelections[i].sizeofSelect) return 0; for (j = 0; j < a->pcrSelections[i].sizeofSelect; j++) { if (a->pcrSelections[i].pcrSelect[j] != b->pcrSelections[i].pcrSelect[j]) return 0; } } return 1; } static inline int tpm2_set_errmsg(char **errmsg, const char *message, TSS2_RC ret) { #ifdef HAVE_LIBTSS2_RC return asprintf(errmsg, "%s: %s", message, Tss2_RC_Decode(ret)); #else return asprintf(errmsg, "%s: #%d", message, ret); #endif } static TPM2_ALG_ID algo_to_tss2(const char *algo_name) { if (!strcmp(algo_name, "sha1")) 
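return TPM2_ALG_SHA1;
	else if (!strcmp(algo_name, "sha256"))
		return TPM2_ALG_SHA256;

	return TPM2_ALG_ERROR;
}

/*
 * tpm2_pcr_read - read one PCR of the @algo_name bank through ESAPI.
 *
 * @pcr_handle must be 0..23 (the range a 3-byte selection bitmap can
 * address); @len must equal the digest size of the bank.  On failure
 * *errmsg is set to a malloc'ed message (NULL if asprintf failed).
 *
 * Return: 0 on success, -1 on error.
 */
int tpm2_pcr_read(const char *algo_name, uint32_t pcr_handle, uint8_t *hwpcr,
		  int len, char **errmsg)
{
	TSS2_ABI_VERSION abi_version = {
		.tssCreator = 1,
		.tssFamily = 2,
		.tssLevel = 1,
		.tssVersion = 108,
	};
	ESYS_CONTEXT *ctx = NULL;
	TSS2_RC rc = 0;		/* TSS return code */
	int ret;		/* asprintf return code */
	TPML_PCR_SELECTION *pcr_select_out;
	TPML_DIGEST *pcr_digests;
	UINT32 pcr_update_counter;
	TPM2_ALG_ID algid = algo_to_tss2(algo_name);

	if (algid == TPM2_ALG_ERROR) {
		ret = asprintf(errmsg, "unsupported tss2 algorithm");
		if (ret == -1)	/* the contents of errmsg are undefined */
			*errmsg = NULL;
		return -1;
	}

	/*
	 * pcrSelect below is a 3-byte bitmap (sizeofSelect = 3), so it can
	 * only address PCRs 0..23; a larger index would write outside it.
	 */
	if (pcr_handle >= 3 * 8) {
		ret = asprintf(errmsg, "PCR %u out of range", pcr_handle);
		if (ret == -1)	/* the contents of errmsg are undefined */
			*errmsg = NULL;
		return -1;
	}

	TPML_PCR_SELECTION pcr_select_in = {
		.count = 1,
		.pcrSelections = {
			{
				.hash = algid,
				.sizeofSelect = 3,
				.pcrSelect = { 0x00, 0x00, 0x00 },
			}
		}
	};

	pcr_select_in.pcrSelections[0].pcrSelect[pcr_handle / 8] =
		(1 << (pcr_handle % 8));

	rc = Esys_Initialize(&ctx, NULL, &abi_version);
	if (rc != TPM2_RC_SUCCESS) {
		ret = tpm2_set_errmsg(errmsg, "esys initialize failed", rc);
		if (ret == -1)	/* the contents of errmsg are undefined */
			*errmsg = NULL;
		return -1;
	}

	rc = Esys_PCR_Read(ctx, ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE,
			   &pcr_select_in, &pcr_update_counter,
			   &pcr_select_out, &pcr_digests);
	Esys_Finalize(&ctx);

	if (rc != TPM2_RC_SUCCESS) {
		ret = tpm2_set_errmsg(errmsg, "esys PCR reading failed", rc);
		if (ret == -1)	/* the contents of errmsg is undefined */
			*errmsg = NULL;
		return -1;
	}

	/* The TPM reports which PCRs it actually returned; insist on ours. */
	if (!pcr_selections_match(&pcr_select_in, pcr_select_out)) {
		Esys_Free(pcr_select_out);
		Esys_Free(pcr_digests);
		ret = asprintf(errmsg, "TPM returned incorrect PCRs");
		if (ret == -1)	/* the contents of errmsg are undefined */
			*errmsg = NULL;
		return -1;
	}
	Esys_Free(pcr_select_out);

	if (pcr_digests->count != 1 || pcr_digests->digests[0].size != len) {
		Esys_Free(pcr_digests);
		ret = asprintf(errmsg, "TPM returned incorrect digests");
		if (ret == -1)	/* the contents of errmsg is undefined */
			*errmsg = NULL;
		return -1;
	}

	memcpy(hwpcr, pcr_digests->digests[0].buffer, len);
	Esys_Free(pcr_digests);
	return 0;
}

/* ==== ima-evm-utils-1.5/src/pcr_tsspcrread.c ==== */
/*
 * ima-evm-utils - IMA/EVM support utilities
 *
 * Copyright (C) 2011 Nokia Corporation
 * Copyright (C) 2011,2012,2013 Intel Corporation
 * Copyright (C) 2013,2014 Samsung Electronics
 *
 * Authors:
 * Dmitry Kasatkin
 *
 *
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
 * version 2 as published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program. If not, see .
 *
 * As a special exception, the copyright holders give permission to link the
 * code of portions of this program with the OpenSSL library under certain
 * conditions as described in each individual source file and distribute
 * linked combinations including the program with the OpenSSL library. You
 * must comply with the GNU General Public License in all respects
 * for all of the code used other than as permitted herein. If you modify
 * file(s) with this exception, you may extend this exception to your
 * version of the file(s), but you are not obligated to do so. If you do not
 * wish to do so, delete this exception statement from your version. If you
 * delete this exception statement from all source files in the program,
 * then also delete it in the license file.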
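*
 * File: pcr_tsspcrread.c
 *	 PCR reading implementation based on IBM TSS2
 */

/*
 * NOTE(review): the header names of the six system includes were lost in
 * extraction; the ones below cover the identifiers this file uses.
 */
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <openssl/sha.h>

#define USE_FPRINTF

#include "utils.h"
#include "imaevm.h"

#define CMD "tsspcrread"

static char path[PATH_MAX];

/*
 * Report whether the tsspcrread helper is available, caching its full
 * path in 'path' for tpm2_pcr_read().
 *
 * Return: 1 if found, 0 otherwise.
 */
int tpm2_pcr_supported(void)
{
	if (imaevm_params.verbose > LOG_INFO)
		log_info("Using %s to read PCRs.\n", CMD);

	if (get_cmd_path(CMD, path, sizeof(path))) {
		log_info("Couldn't find '%s' in %s\n", CMD, path);
		return 0;
	}

	log_debug("Found '%s' in %s\n", CMD, path);
	return 1;
}

/*
 * Characters a bank name may contain.  The command line built below is
 * handed to /bin/sh by popen(), so anything else is rejected rather than
 * interpolated into a shell command.
 */
static int bank_name_char_ok(char c)
{
	return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
	       (c >= '0' && c <= '9') || c == '_' || c == '-';
}

/*
 * tpm2_pcr_read - read one PCR by running "tsspcrread -halg ALGO -ha N -ns".
 *
 * algo_name: PCR digest algorithm (the PCR bank) as a C string
 * pcr_handle: PCR number to read
 * hwpcr: buffer for the PCR output in binary
 * len: allocated size of hwpcr; 2 * len hex digits are decoded into it
 * errmsg: on failure, set to a malloc'ed message (the helper's own output
 *         when it failed), or NULL if allocation failed
 *
 * Return: 0 on success, -1 on an error detected here, or the non-zero
 * pclose() status when the helper itself failed.
 */
int tpm2_pcr_read(const char *algo_name, uint32_t pcr_handle, uint8_t *hwpcr,
		  int len, char **errmsg)
{
	FILE *fp;
	char pcr[100];	/* may contain an error */
	char cmd[PATH_MAX + 50];
	const char *p;
	int ret, n;

	if (!algo_name || !*algo_name) {
		ret = asprintf(errmsg, "missing algorithm name");
		if (ret == -1)	/* the contents of errmsg is undefined */
			*errmsg = NULL;
		return -1;
	}
	for (p = algo_name; *p; p++) {
		if (!bank_name_char_ok(*p)) {
			ret = asprintf(errmsg, "invalid algorithm name: %s",
				       algo_name);
			if (ret == -1)	/* the contents of errmsg is undefined */
				*errmsg = NULL;
			return -1;
		}
	}

	/* path is at most PATH_MAX - 1 bytes; algo_name is caller-supplied */
	n = snprintf(cmd, sizeof(cmd), "%s -halg %s -ha %u -ns 2> /dev/null",
		     path, algo_name, pcr_handle);
	if (n < 0 || (size_t)n >= sizeof(cmd)) {
		ret = asprintf(errmsg, "command line too long for %s",
			       algo_name);
		if (ret == -1)	/* the contents of errmsg is undefined */
			*errmsg = NULL;
		return -1;
	}

	fp = popen(cmd, "r");
	if (!fp) {
		ret = asprintf(errmsg, "popen failed: %s", strerror(errno));
		if (ret == -1)	/* the contents of errmsg is undefined */
			*errmsg = NULL;
		return -1;
	}

	if (fgets(pcr, sizeof(pcr), fp) == NULL) {
		ret = asprintf(errmsg, "tsspcrread failed: %s",
			       strerror(errno));
		if (ret == -1)	/* the contents of errmsg is undefined */
			*errmsg = NULL;
		pclose(fp);
		return -1;
	}

	/* get the popen "cmd" return code */
	ret = pclose(fp);

	/* Treat an unallocated bank as an error */
	if (!ret && (strlen(pcr) < SHA_DIGEST_LENGTH))
		ret = -1;

	if (!ret) {
		/* fails on a short or non-hex line instead of leaving garbage */
		if (hex2bin(hwpcr, pcr, len)) {
			ret = asprintf(errmsg,
				       "tsspcrread returned a malformed digest for %s",
				       algo_name);
			if (ret == -1)	/* the contents of errmsg is undefined */
				*errmsg = NULL;
			return -1;
		}
		return 0;
	}

	/* pcr holds the helper's (error) output; drop only a trailing newline */
	n = strlen(pcr);
	if (n > 0 && pcr[n - 1] == '\n')
		n--;
	*errmsg = strndup(pcr, n);
	return ret;
}

/* ==== ima-evm-utils-1.5/src/utils.c ==== */
// SPDX-License-Identifier: GPL-2.0
/*
 * utils: set of common functions
 *
 * Copyright (C) 2020 Patrick Uiterwijk
 * Copyright (C) 2010 Cyril Hrubis
 */

/*
 * NOTE(review): the header names of the seven system includes were lost in
 * extraction; the ones below cover the identifiers this file uses.
 */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

#include "utils.h"

#ifndef MIN
# define MIN(a, b) ({ \
	typeof(a) _a = (a); \
	typeof(b) _b = (b); \
	_a < _b ? _a : _b; \
})
#endif /* MIN */

/* 1 if @path is a readable regular file, 0 otherwise. */
static int file_exist(const char *path)
{
	struct stat st;

	if (!access(path, R_OK) && !stat(path, &st) && S_ISREG(st.st_mode))
		return 1;
	return 0;
}

/*
 * Search $PATH for @prog_name and write its full path into @buf.
 *
 * Empty $PATH components ("::", leading or trailing ':') mean the current
 * directory, as a shell would treat them.
 *
 * Return: 0 on success (buf holds the path), -1 if $PATH is unset, @buf_len
 * is 0, or the program is not found (buf then holds the last candidate).
 */
int get_cmd_path(const char *prog_name, char *buf, size_t buf_len)
{
	const char *path = (const char *)getenv("PATH");
	const char *start = path;
	const char *end;
	size_t size, ret;

	/* buf[size - 1] below needs at least one byte to work with */
	if (path == NULL || buf_len == 0)
		return -1;

	do {
		end = strchr(start, ':');

		if (end != NULL)
			snprintf(buf, MIN(buf_len, (size_t) (end - start + 1)),
				 "%s", start);
		else
			snprintf(buf, buf_len, "%s", start);

		size = strlen(buf);

		/*
		 * "::" inside $PATH, $PATH ending with ':' or $PATH starting
		 * with ':' should be expanded into current working directory.
		 */
		if (size == 0) {
			snprintf(buf, buf_len, ".");
			size = strlen(buf);
		}

		/*
		 * If there is no '/' at the end of path from $PATH add it.
		 */
		if (buf[size - 1] != '/')
			ret = snprintf(buf + size, buf_len - size,
				       "/%s", prog_name);
		else
			ret = snprintf(buf + size, buf_len - size,
				       "%s", prog_name);

		/* only a candidate that was not truncated can be checked */
		if (buf_len - size > ret && file_exist(buf))
			return 0;

		if (end != NULL)
			start = end + 1;

	} while (end != NULL);

	return -1;
}

/* Value of one hex digit (either case), or -1 for any other character. */
int hex_to_bin(char ch)
{
	if ((ch >= '0') && (ch <= '9'))
		return ch - '0';
	ch = tolower(ch);
	if ((ch >= 'a') && (ch <= 'f'))
		return ch - 'a' + 10;
	return -1;
}

/*
 * Decode @count bytes of hex digits from @src into @dst.  A single space
 * before a byte is skipped.
 *
 * Return: 0 on success, -1 if @dst/@src is NULL or a non-hex character
 * (including the terminating NUL of a too-short @src) is met; @dst may
 * then be partially written.
 */
int hex2bin(void *dst, const char *src, size_t count)
{
	uint8_t *out = dst;
	int hi, lo;

	if (!dst || !src)
		return -1;

	while (count--) {
		if (*src == ' ')
			src++;
		/* check each digit before advancing, so a NUL ends the walk */
		hi = hex_to_bin(*src);
		if (hi < 0)
			return -1;
		src++;
		lo = hex_to_bin(*src);
		if (lo < 0)
			return -1;
		src++;
		*out++ = (uint8_t)((hi << 4) | lo);
	}
	return 0;
}

/* ==== ima-evm-utils-1.5/src/utils.h ==== */
/*
 * NOTE(review): two include directives lost their header names in
 * extraction; size_t is the only type the prototypes need.
 */
#include <stddef.h>

int get_cmd_path(const char *prog_name, char *buf, size_t buf_len);
int hex_to_bin(char ch);
int hex2bin(void *dst, const char *src, size_t count);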
ima-evm-utils-1.5/tests/000077500000000000000000000000001440135744700152235ustar00rootroot00000000000000ima-evm-utils-1.5/tests/.gitignore000066400000000000000000000002351440135744700172130ustar00rootroot00000000000000# Generated by test driver *.log *.trs # Generated by tests *.txt *.out *.sig *.sig2 # Generated certs and keys (by gen-keys.sh) *.cer *.pub *.key *.conf ima-evm-utils-1.5/tests/Makefile.am000066400000000000000000000012261440135744700172600ustar00rootroot00000000000000check_SCRIPTS = TESTS = $(check_SCRIPTS) check_SCRIPTS += ima_hash.test sign_verify.test boot_aggregate.test \ fsverity.test portable_signatures.test ima_policy_check.test \ mmap_check.test check_PROGRAMS := test_mmap .PHONY: check_logs check_logs: @for log in $(TEST_LOGS); do \ echo -e "\n***" $$log "***" ; \ case $$log in \ ima_hash.log | sign_verify.log ) \ tail -3 $$log ; \ grep "skipped" $$log && grep "skipped" $$log | wc -l ;; \ *) \ cat $$log ;; \ esac ; \ done clean-local: -rm -f *.txt *.out *.sig *.sig2 distclean: distclean-keys .PHONY: distclean-keys distclean-keys: ./gen-keys.sh clean ima-evm-utils-1.5/tests/boot_aggregate.test000077500000000000000000000133031440135744700211000ustar00rootroot00000000000000#!/bin/bash # # Calculate the boot_aggregate for each TPM bank, verifying that the # boot_aggregate in the IMA measurement list matches one of them. # # A software TPM may be used to verify the boot_aggregate. If a # software TPM is not already running on the system, this test # starts one and initializes the TPM PCR banks by walking the sample # binary_bios_measurements event log, included in this directory, and # extending the TPM PCRs. The associated ascii_runtime_measurements # for verifying the calculated boot_aggregate is included in this # directory as well. trap '_report_exit_and_cleanup cleanup' SIGINT SIGTERM EXIT # Base VERBOSE on the environment variable, if set. 
VERBOSE="${VERBOSE:-0}" cd "$(dirname "$0")" export PATH=../src:$PATH export LD_LIBRARY_PATH=$LD_LIBRARY_PATH . ./functions.sh _require evmctl TSSDIR="$(dirname -- "$(which tssstartup)")" PCRFILE="/sys/class/tpm/tpm0/device/pcrs" MISC_PCRFILE="/sys/class/misc/tpm0/device/pcrs" # Only stop this test's software TPM cleanup() { if [ -n "${SWTPM_PID}" ]; then kill -SIGTERM "${SWTPM_PID}" elif [ -n "${TPMSERVER_PID}" ]; then "${TSSDIR}/tsstpmcmd" -stop fi } # Try to start a software TPM if needed. swtpm_start() { local tpm_server swtpm tpm_server="$(which tpm_server)" swtpm="$(which swtpm)" if [ -z "${tpm_server}" ] && [ -z "${swtpm}" ]; then echo "${CYAN}SKIP: Software TPM (tpm_server and swtpm) not found${NORM}" return "$SKIP" fi if [ -n "${swtpm}" ]; then pgrep swtpm if [ $? -eq 0 ]; then echo "INFO: Software TPM (swtpm) already running" return 114 else echo "INFO: Starting software TPM: ${swtpm}" mkdir -p ./myvtpm ${swtpm} socket --tpmstate dir=./myvtpm --tpm2 --ctrl type=tcp,port=2322 --server type=tcp,port=2321 --flags not-need-init > /dev/null 2>&1 & SWTPM_PID=$! fi elif [ -n "${tpm_server}" ]; then # tpm_server uses the Microsoft simulator encapsulated packet format export TPM_SERVER_TYPE="mssim" pgrep tpm_server if [ $? -eq 0 ]; then echo "INFO: Software TPM (tpm_server) already running" return 114 else echo "INFO: Starting software TPM: ${tpm_server}" ${tpm_server} > /dev/null 2>&1 & TPMSERVER_PID=$! fi fi return 0 } # Initialize the software TPM using the sample binary_bios_measurements log. swtpm_init() { if [ ! -f "${TSSDIR}/tssstartup" ] || [ ! -f "${TSSDIR}/tsseventextend" ]; then echo "${CYAN}SKIP: tssstartup and tsseventextend needed for test${NORM}" return "$SKIP" fi echo "INFO: Sending software TPM startup" "${TSSDIR}/tssstartup" if [ $? -ne 0 ]; then echo "INFO: Retry sending software TPM startup" sleep 1 "${TSSDIR}/tssstartup" fi if [ $? 
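-ne 0 ]; then
		echo "INFO: Software TPM startup failed"
		return "$SKIP"
	fi

	echo "INFO: Walking ${BINARY_BIOS_MEASUREMENTS} initializing the software TPM"
#	$(${TSSDIR}/tsseventextend -tpm -if "${BINARY_BIOS_MEASUREMENTS}" -v) 2>&1 > /dev/null
	"${TSSDIR}/tsseventextend" -tpm -if "${BINARY_BIOS_MEASUREMENTS}" -v > /dev/null 2>&1
}

# In VERBOSE mode, display the calculated TPM PCRs for the different banks.
# Each PCR is read with tsspcrread; the first read that fails (for example
# an unallocated bank) prints the helper's output and ends that bank.
display_pcrs() {
	local PCRMAX=9
	local banks=("sha1" "sha256")
	local bank i rc pcr

	for bank in "${banks[@]}"; do
		echo "INFO: Displaying ${bank} TPM bank (PCRs 0 - 9)"
		for i in $(seq 0 $PCRMAX); do
			pcr=$("${TSSDIR}/tsspcrread" -halg "${bank}" -ha "${i}" -ns)
			# exit status of tsspcrread (the assignment itself never fails)
			rc=$?
			if [ $rc -ne 0 ]; then
				echo "INFO: tsspcrread failed: $pcr"
				break
			fi
			echo "$i: $pcr"
		done
	done
}

# The first entry in the IMA measurement list is the "boot_aggregate".
# For each kexec, an additional "boot_aggregate" will appear in the
# measurement list, assuming the previous measurement list is carried
# across the kexec.
#
# Verify that the last "boot_aggregate" record in the IMA measurement
# list matches.
#
# $1: extra options handed to "evmctl ima_boot_aggregate" (e.g. --hwtpm).
# Exits with $SKIP when evmctl cannot compute the aggregate; returns $OK
# when one of the computed hashes matches the last record, $FAIL otherwise.
check() {
	local options=$1

	echo "INFO: Calculating the boot_aggregate (PCRs 0 - 9) for multiple banks"
	bootaggr=$(evmctl ima_boot_aggregate ${options})
	if [ $? -ne 0 ]; then
		echo "${CYAN}SKIP: evmctl ima_boot_aggregate: $bootaggr${NORM}"
		exit "$SKIP"
	fi

	# one hash per bank, split on whitespace
	boot_aggr=( $bootaggr )
	echo "INFO: Searching for the boot_aggregate in ${ASCII_RUNTIME_MEASUREMENTS}"
	for hash in "${boot_aggr[@]}"; do
		if [ "$VERBOSE" != "0" ]; then
			echo "$hash"
		fi
		if grep -e " boot_aggregate$" -e " boot_aggregate.$" "${ASCII_RUNTIME_MEASUREMENTS}" | tail -n 1 | grep -q "${hash}"; then
			echo "${GREEN}SUCCESS: boot_aggregate ${hash} found${NORM}"
			return "$OK"
		fi
	done
	echo "${RED}FAILURE: boot_aggregate not found${NORM}"
	echo "$bootaggr"
	return "$FAIL"
}

if [ "$(id -u)" = 0 ] && [ -c "/dev/tpm0" ]; then
	BOOTAGGR_OPTIONS="--hwtpm"
	ASCII_RUNTIME_MEASUREMENTS="/sys/kernel/security/ima/ascii_runtime_measurements"
	if [ !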
-d "/sys/kernel/security/ima" ]; then echo "${CYAN}SKIP: CONFIG_IMA not enabled${NORM}" exit "$SKIP" fi else BINARY_BIOS_MEASUREMENTS="./sample-binary_bios_measurements-pcrs-8-9" ASCII_RUNTIME_MEASUREMENTS="./sample-ascii_runtime_measurements-pcrs-8-9" export TPM_INTERFACE_TYPE="socsim" export TPM_COMMAND_PORT=2321 export TPM_PLATFORM_PORT=2322 export TPM_SERVER_NAME="localhost" # swtpm uses the raw, unencapsulated packet format export TPM_SERVER_TYPE="raw" fi # Start and initialize a software TPM as needed if [ "$(id -u)" != 0 ] || [ ! -c "/dev/tpm0" ]; then if [ -f "$PCRFILE" ] || [ -f "$MISC_PCRFILE" ]; then echo "${CYAN}SKIP: system has discrete TPM 1.2, sample TPM 2.0 event log test not supported.${NORM}" exit "$SKIP" fi swtpm_start error=$? if [ $error -eq "$SKIP" ]; then echo "skip: swtpm not installed" exit "$SKIP" fi if [ $error -eq 0 ]; then swtpm_init if [ $? -eq "$SKIP" ]; then echo "testing boot_aggregate without entries" exit "$SKIP" fi fi if [ "$VERBOSE" != "0" ]; then display_pcrs fi fi expect_pass check $BOOTAGGR_OPTIONS ima-evm-utils-1.5/tests/fsverity.test000077500000000000000000000241701440135744700200060ustar00rootroot00000000000000#!/bin/bash # SPDX-License-Identifier: GPL-2.0 # # Test IMA support for including fs-verity enabled files measurements # in the IMA measurement list. # # Define policy rules showing the different types of IMA and fs-verity # records in the IMA measurement list. Include examples of files that # are suppose to be fs-verity enabled, but aren't. # # test 1: IMA policy rule using the new ima-ngv2 template # - Hash prefixed with "ima:" # # test 2: fs-verity IMA policy rule using the new ima-ngv2 template # - fs-verity hash prefixed with "verity:" # - Non fs-verity enabled file, zeros prefixed with "verity:" # # test 3: IMA policy rule using the new ima-sigv2 template # - Hash prefixed with "ima:" # - Appended signature, when available. 
# # test 4: fs-verity IMA policy rule using the new ima-sigv2 template # - fs-verity hash prefixed with "verity:" # - Non fs-verity enabled file, zeros prefixed with "verity:" # - Appended IMA signature of fs-verity file hash, when available. # To avoid affecting the system's IMA custom policy or requiring a # reboot between tests, define policy rules based on UUID. However, # since the policy rules are walked sequentially, the system's IMA # custom policy rules might take precedence. cd "$(dirname "$0")" || exit 1 PATH=../src:../fsverity-utils:$PATH source ./functions.sh # Base VERBOSE on the environment variable, if set. VERBOSE="${VERBOSE:-0}" IMA_POLICY_FILE="/sys/kernel/security/integrity/ima/policy" IMA_MEASUREMENT_LIST="/sys/kernel/security/integrity/ima/ascii_runtime_measurements" TST_MNT="/tmp/fsverity-test" TST_IMG="/tmp/test.img" LOOPBACK_MOUNTED=0 FSVERITY="$(which fsverity)" _require dd mkfs blkid e2fsck tune2fs evmctl setfattr ./gen-keys.sh >/dev/null 2>&1 trap '_report_exit_and_cleanup _cleanup_env cleanup' SIGINT SIGTERM EXIT cleanup() { if [ -e $TST_MNT ]; then if [ $LOOPBACK_MOUNTED -eq 1 ]; then umount $TST_MNT fi if [ -f "$TST_IMG" ]; then rm "$TST_IMG" fi fi } # Loopback mount a file mount_loopback_file() { local ret if [ ! -d $TST_MNT ]; then mkdir $TST_MNT fi # if modprobe loop; then # echo "${CYAN}INFO: modprobe loop failed${NORM}" # fi if ! losetup -f &> /dev/null; then echo "${RED}FAILURE: losetup${NORM}" exit "$FAIL" fi mount -v -o loop ${TST_IMG} $TST_MNT ret=$? if [ "${ret}" -eq 0 ]; then LOOPBACK_MOUNTED=1 fi return "$ret" } # Change the loopback mounted filesystem's UUID in between tests change_loopback_file_uuid() { echo " " [ "$VERBOSE" -ge 1 ] && echo "INFO: Changing loopback file uuid" umount $TST_MNT if ! e2fsck -y -f ${TST_IMG} &> /dev/null; then echo "${RED}FAILURE: e2fsck${NORM}" exit "$FAIL" fi if ! 
tune2fs -f ${TST_IMG} -U random &> /dev/null; then echo "${RED}FAILURE: change UUID${NORM}" exit "$FAIL" fi [ "$VERBOSE" -ge 1 ] && echo "INFO: Remounting loopback filesystem" if ! mount_loopback_file; then echo "${RED}FAILURE: re-mounting loopback filesystem${NORM}" exit "$FAIL" fi return 0 } # Create a file to be loopback mounted create_loopback_file() { local fs_type=$1 local options="" echo "INFO: Creating loopback filesystem" case $fs_type in ext4|f2fs) options="-O verity" ;; btrfs) ;; *) echo "${RED}FAILURE: unsupported fs-verity filesystem${NORM}" exit "${FAIL}" ;; esac [ "$VERBOSE" -ge 2 ] && echo "INFO: Creating a file to be loopback mounted with options: $options" if ! dd if=/dev/zero of="${TST_IMG}" bs=100M count=6 &> /dev/null; then echo "${RED}FAILURE: creating ${TST_IMG}${NORM}" exit "$FAIL" fi echo "INFO: Building an $fs_type filesystem" if ! mkfs -t "$fs_type" -q "${TST_IMG}" "$options"; then echo "${RED}FAILURE: Creating $fs_type filesystem${NORM}" exit "$FAIL" fi echo "INFO: Mounting loopback filesystem" if ! mount_loopback_file; then echo "${RED}FAILURE: mounting loopback filesystem${NORM}" exit "$FAIL" fi return 0 } get_current_uuid() { [ "$VERBOSE" -ge 2 ] && echo "INFO: Getting loopback file uuid" if ! UUID=$(blkid -s UUID -o value ${TST_IMG}); then echo "${RED}FAILURE: to get UUID${NORM}" return "$FAIL" fi return 0 } unqualified_bprm_rule() { local test=$1 local rule=$2 local rule_match="measure func=BPRM_CHECK" local rule_dontmatch="fsuuid" if [ -z "${rule##*$digest_type=verity*}" ]; then if grep "$rule_match" $IMA_POLICY_FILE | grep -v "$rule_dontmatch" &> /dev/null; then return "$SKIP" fi fi return 0 } load_policy_rule() { local test=$1 local rule=$2 if ! get_current_uuid; then echo "${RED}FAILURE:FAILED getting uuid${NORM}" exit "$FAIL" fi unqualified_bprm_rule "${test}" "${rule}" if [ $? 
-eq "${SKIP}" ]; then echo "${CYAN}SKIP: fsuuid unqualified \"BPRM_CHECK\" rule exists${NORM}" return "$SKIP" fi echo "$test: rule: $rule fsuuid=$UUID" if ! echo "$rule fsuuid=$UUID" > $IMA_POLICY_FILE; then echo "${CYAN}SKIP: Loading policy rule failed, skipping test${NORM}" return "$SKIP" fi return 0 } create_file() { local test=$1 local type=$2 TST_FILE=$(mktemp -p $TST_MNT -t "${type}".XXXXXX) [ "$VERBOSE" -ge 1 ] && echo "INFO: creating $TST_FILE" # heredoc to create a script cat <<-EOF > "$TST_FILE" #!/bin/bash echo "Hello" &> /dev/null EOF chmod a+x "$TST_FILE" } measure-verity() { local test=$1 local verity="${2:-disabled}" local digest_filename local error="$OK" local KEY=$PWD/test-rsa2048.key create_file "$test" verity-hash if [ "$verity" = "enabled" ]; then msg="Measuring fs-verity enabled file $TST_FILE" if ! "$FSVERITY" enable "$TST_FILE" &> /dev/null; then echo "${CYAN}SKIP: Failed enabling fs-verity on $TST_FILE${NORM}" return "$SKIP" fi else msg="Measuring non fs-verity enabled file $TST_FILE" fi # Sign the fsverity digest and write it as security.ima xattr. # "evmctl sign_hash" input: # "evmctl sign_hash" output: [ "$VERBOSE" -ge 2 ] && echo "INFO: Signing the fsverity digest" xattr=$("$FSVERITY" digest "$TST_FILE" | evmctl sign_hash --veritysig --key "$KEY" 2> /dev/null) sig=$(echo "$xattr" | cut -d' ' -f3) # On failure to write security.ima xattr, the signature will simply # not be appended to the measurement list record. if ! setfattr -n security.ima -v "0x$sig" "$TST_FILE"; then echo "${CYAN}INFO: Failed to write security.ima xattr${NORM}" fi "$TST_FILE" # "fsverity digest" calculates the fsverity hash, even for # non fs-verity enabled files. digest_filename=$("$FSVERITY" digest "$TST_FILE") [ "$VERBOSE" -ge 2 ] && echo "INFO: verity:$digest_filename" grep "verity:$digest_filename" $IMA_MEASUREMENT_LIST &> /dev/null ret=$? # Not finding the "fsverity digest" result in the IMA measurement # list is expected for non fs-verity enabled files. 
The measurement # list will contain zeros for the file hash. if [ $ret -eq 1 ]; then error="$FAIL" if [ "$verity" = "enabled" ]; then echo "${RED}FAILURE: ${msg} ${NORM}" else echo "${GREEN}SUCCESS: ${msg}, fsverity digest not found${NORM}" fi else if [ "$verity" = "enabled" ]; then echo "${GREEN}SUCCESS: ${msg} ${NORM}" else error="$FAIL" echo "${RED}FAILURE: ${msg} ${NORM}" fi fi return "$error" } measure-ima() { local test=$1 local digest_filename local error="$OK" local hashalg local digestsum create_file "$test" ima-hash "$TST_FILE" hashalg=$(grep "${TST_FILE}" $IMA_MEASUREMENT_LIST | cut -d':' -f2) if [ -z "${hashalg}" ]; then echo "${CYAN}SKIP: Measurement record with algorithm not found${NORM}" return "$SKIP" fi digestsum=$(which "${hashalg}"sum) if [ -z "${digestsum}" ]; then echo "${CYAN}SKIP: ${hashalg}sum is not installed${NORM}" return "$SKIP" fi # sha1sum,sha256sum return: <2 spaces> # Remove the extra space before the filename digest_filename=$(${digestsum} "$TST_FILE" | sed "s/\ \ /\ /") [ "$VERBOSE" -ge 2 ] && echo "$test: $digest_filename" if grep "$digest_filename" $IMA_MEASUREMENT_LIST &> /dev/null; then echo "${GREEN}SUCCESS: Measuring $TST_FILE ${NORM}" else error="$FAIL" echo "${RED}FAILURE: Measuring $TST_FILE ${NORM}" fi return "$error" } # Run in the new environment if TST_ENV is set. _run_env "$TST_KERNEL" "$PWD/$(basename "$0")" "TST_ENV=$TST_ENV TST_KERNEL=$TST_KERNEL PATH=$PATH LD_LIBRARY_PATH=$LD_LIBRARY_PATH VERBOSE=$VERBOSE" # Exit from the creator of the new environment. _exit_env "$TST_KERNEL" # Mount filesystems in the new environment. _init_env # Dependency on being able to read and write the IMA policy file. # Requires both CONFIG_IMA_WRITE_POLICY, CONFIG_IMA_READ_POLICY be # enabled. 
if [ -e "$IMA_POLICY_FILE" ]; then mode=$(stat -c "%a" $IMA_POLICY_FILE) if [ "$mode" != "600" ]; then echo "${CYAN}SKIP: IMA policy file must be read-write${NORM}" exit "$SKIP" fi else echo "${CYAN}SKIP: $IMA_POLICY_FILE does not exist${NORM}" exit "$SKIP" fi # Skip the test if fsverity is not found; using _require fails the test. if [ -z "$FSVERITY" ]; then echo "${CYAN}SKIP: fsverity is not installed${NORM}" exit "$SKIP" fi if [ "x$(id -u)" != "x0" ]; then echo "${CYAN}SKIP: Must be root to execute this test${NORM}" exit "$SKIP" fi create_loopback_file ext4 # Commit 989dc72511f7 ("ima: define a new template field named 'd-ngv2' and # templates") introduced ima-ngv2 and ima-sigv2 in linux-5.19. __skip() { return "$SKIP"; } # IMA policy rule using the ima-ngv2 template if load_policy_rule test1 "measure func=BPRM_CHECK template=ima-ngv2"; then expect_pass measure-ima test1 else expect_pass __skip fi # fsverity IMA policy rule using the ima-ngv2 template change_loopback_file_uuid if load_policy_rule test2 "measure func=BPRM_CHECK template=ima-ngv2 digest_type=verity"; then expect_fail measure-verity test2 expect_pass measure-verity test2 enabled else expect_pass __skip expect_pass __skip fi # IMA policy rule using the ima-sigv2 template change_loopback_file_uuid if load_policy_rule test3 "measure func=BPRM_CHECK template=ima-sigv2"; then expect_pass measure-ima test3 else expect_pass __skip fi # fsverity IMA policy rule using the ima-sigv2 template change_loopback_file_uuid if load_policy_rule test4 "measure func=BPRM_CHECK template=ima-sigv2 digest_type=verity"; then expect_fail measure-verity test4 expect_pass measure-verity test4 enabled else expect_pass __skip expect_pass __skip fi exit ima-evm-utils-1.5/tests/functions.sh000077500000000000000000000253071440135744700176010ustar00rootroot00000000000000#!/bin/bash # SPDX-License-Identifier: GPL-2.0 # # ima-evm-utils tests bash functions # # Copyright (C) 2020 Vitaly Chikunov # # This program is free software; you 
can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2, or (at your option) # any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # Tests accounting declare -i testspass=0 testsfail=0 testsskip=0 # Exit codes (compatible with automake) declare -r OK=0 declare -r FAIL=1 declare -r HARDFAIL=99 # hard failure no matter testing mode declare -r SKIP=77 # You can set env VERBOSE=1 to see more output from evmctl VERBOSE=${VERBOSE:-0} V=vvvv V=${V:0:$VERBOSE} V=${V:+-$V} # Exit if env FAILEARLY is defined. # Used in expect_{pass,fail}. exit_early() { if [ "$FAILEARLY" ]; then exit "$1" fi } # Require particular executables to be present _require() { ret= for i; do if ! type $i; then echo "$i is required for test" ret=1 fi done [ $ret ] && exit "$HARDFAIL" } # Non-TTY output is never colored if [ -t 1 ]; then RED=$'\e[1;31m' GREEN=$'\e[1;32m' YELLOW=$'\e[1;33m' BLUE=$'\e[1;34m' CYAN=$'\e[1;36m' NORM=$'\e[m' export RED GREEN YELLOW BLUE CYAN NORM fi # Test mode determined by TFAIL variable: # undefined: to success testing # defined: failure testing TFAIL= TMODE=+ # mode character to prepend running command in log declare -i TNESTED=0 # just for sanity checking # Run positive test (one that should pass) and account its result expect_pass() { local -i ret if [ -n "$TST_LIST" ] && [ "${TST_LIST/$1/}" = "$TST_LIST" ]; then [ "$VERBOSE" -gt 1 ] && echo "____ SKIP test: $*" testsskip+=1 return "$SKIP" fi if [ $TNESTED -gt 0 ]; then echo $RED"expect_pass should not be run nested"$NORM testsfail+=1 exit "$HARDFAIL" fi TFAIL= TMODE=+ TNESTED+=1 [ "$VERBOSE" -gt 1 ] && echo "____ START positive test: $*" "$@" ret=$? 
[ "$VERBOSE" -gt 1 ] && echo "^^^^ STOP ($ret) positive test: $*" TNESTED+=-1 case $ret in 0) testspass+=1 ;; 77) testsskip+=1 ;; 99) testsfail+=1; exit_early 1 ;; *) testsfail+=1; exit_early 2 ;; esac return $ret } expect_pass_if() { local indexes="$1" local ret idx shift expect_pass "$@" ret=$? if [ $ret -ne 0 ] && [ $ret -ne 77 ] && [ -n "$PATCHES" ]; then echo $YELLOW"Possibly missing patches:"$NORM for idx in $indexes; do echo $YELLOW" - ${PATCHES[$((idx))]}"$NORM done fi return $ret } # Eval negative test (one that should fail) and account its result expect_fail() { local ret if [ -n "$TST_LIST" ] && [ "${TST_LIST/$1/}" = "$TST_LIST" ]; then [ "$VERBOSE" -gt 1 ] && echo "____ SKIP test: $*" testsskip+=1 return "$SKIP" fi if [ $TNESTED -gt 0 ]; then echo $RED"expect_fail should not be run nested"$NORM testsfail+=1 exit "$HARDFAIL" fi TFAIL=yes TMODE=- TNESTED+=1 [ "$VERBOSE" -gt 1 ] && echo "____ START negative test: $*" "$@" ret=$? [ "$VERBOSE" -gt 1 ] && echo "^^^^ STOP ($ret) negative test: $*" TNESTED+=-1 case $ret in 0) testsfail+=1; exit_early 3 ;; 77) testsskip+=1 ;; 99) testsfail+=1; exit_early 4 ;; *) testspass+=1 ;; esac # Restore defaults (as in positive tests) # for tests to run without wrappers TFAIL= TMODE=+ return $ret } expect_fail_if() { local indexes="$1" local ret idx shift expect_fail "$@" ret=$? if { [ $ret -eq 0 ] || [ $ret -eq 99 ]; } && [ -n "$PATCHES" ]; then echo $YELLOW"Possibly missing patches:"$NORM for idx in $indexes; do echo $YELLOW" - ${PATCHES[$((idx))]}"$NORM done fi return $ret } # return true if current test is positive _test_expected_to_pass() { [ ! $TFAIL ] } # return true if current test is negative _test_expected_to_fail() { [ $TFAIL ] } # Show blank line and color following text to red # if it's real error (ie we are in expect_pass mode). 
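color_red_on_failure() {
	if _test_expected_to_pass; then
		echo "$RED"
		COLOR_RESTORE=true
	fi
}

# For hard errors
color_red() {
	echo "$RED"
	COLOR_RESTORE=true
}

color_restore() {
	[ $COLOR_RESTORE ] && echo "$NORM"
	COLOR_RESTORE=
}

ADD_DEL=
ADD_TEXT_FOR=

# _evmctl_run should be run as `_evmctl_run ... || return'
# Runs "evmctl $V $EVMCTL_ENGINE <args>", capturing its output in a temporary
# file, and maps the exit status onto the test result: shell/signal codes
# (126..254) give $HARDFAIL, any other non-zero status gives $FAIL and
# success gives $OK (a success in expect_fail mode is reported in red).
# ADD_DEL and ADD_TEXT_FOR are consumed and cleared on every path.
_evmctl_run() {
	local op=$1 out=$1-$$.out
	# ADD_TEXT_FOR is the variable callers set (as _test_xattr also reads);
	# expanding an unrelated "$FOR" here dropped the context from messages.
	local text_for=${ADD_TEXT_FOR:+for $ADD_TEXT_FOR}
	# Additional parameters:
	# ADD_DEL: additional files to rm on failure
	# ADD_TEXT_FOR: append to text as 'for $ADD_TEXT_FOR'

	cmd="evmctl $V $EVMCTL_ENGINE $*"
	echo $YELLOW$TMODE "$cmd"$NORM
	$cmd >"$out" 2>&1
	ret=$?

	# Shell special and signal exit codes (except 255)
	if [ $ret -ge 126 ] && [ $ret -lt 255 ]; then
		color_red
		echo "evmctl $op failed hard with ($ret) $text_for"
		sed 's/^/ /' "$out"
		color_restore
		rm "$out" $ADD_DEL
		ADD_DEL=
		ADD_TEXT_FOR=
		return "$HARDFAIL"
	elif [ $ret -gt 0 ]; then
		color_red_on_failure
		echo "evmctl $op failed" ${TFAIL:+properly} "with ($ret) $text_for"
		# Show evmctl output only in verbose mode or if real failure.
		# VERBOSE defaults to 0 and is never empty, so test it numerically.
		if _test_expected_to_pass || [ "$VERBOSE" -gt 0 ]; then
			sed 's/^/ /' "$out"
		fi
		color_restore
		rm "$out" $ADD_DEL
		ADD_DEL=
		ADD_TEXT_FOR=
		return "$FAIL"
	elif _test_expected_to_fail; then
		color_red
		echo "evmctl $op wrongly succeeded $text_for"
		sed 's/^/ /' "$out"
		color_restore
	else
		[ "$VERBOSE" -gt 0 ] && sed 's/^/ /' "$out"
	fi
	rm "$out"
	ADD_DEL=
	ADD_TEXT_FOR=
	return "$OK"
}

# Extract xattr $attr from $file into $out file skipping $pref'ix
_extract_xattr() {
	local file=$1 attr=$2 out=$3 pref=$4

	getfattr -n "$attr" -e hex "$file" \
		| grep "^$attr=" \
		| sed "s/^$attr=$pref//" \
		| xxd -r -p > "$out"
}

# Test if xattr $attr in $file matches $prefix
# Show error and fail otherwise.
_test_xattr() {
	local file=$1 attr=$2 prefix=$3
	local text_for=${ADD_TEXT_FOR:+ for $ADD_TEXT_FOR}

	if !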
getfattr -n "$attr" -e hex "$file" | egrep -qx "$attr=$prefix"; then color_red_on_failure echo "Did not find expected hash$text_for:" echo " $attr=$prefix" echo "" echo "Actual output below:" getfattr -n "$attr" -e hex "$file" | sed 's/^/ /' color_restore rm "$file" ADD_TEXT_FOR= return "$FAIL" fi ADD_TEXT_FOR= } # Try to enable gost-engine if needed. _enable_gost_engine() { # Do not enable if it's already working (enabled by user) if ! openssl md_gost12_256 /dev/null >/dev/null 2>&1 \ && openssl engine gost >/dev/null 2>&1; then export EVMCTL_ENGINE="--engine gost" export OPENSSL_ENGINE="-engine gost" fi } # Show test stats and exit into automake test system # with proper exit code (same as ours). Do cleanups. _report_exit_and_cleanup() { local exit_code=$? if [ -n "${WORKDIR}" ]; then rm -rf "${WORKDIR}" fi "$@" if [ $testsfail -gt 0 ]; then echo "=================================" echo " Run with FAILEARLY=1 $0 $*" echo " To stop after first failure" echo "=================================" fi [ $testspass -gt 0 ] && echo -n "$GREEN" || echo -n "$NORM" echo -n "PASS: $testspass" [ $testsskip -gt 0 ] && echo -n "$YELLOW" || echo -n "$NORM" echo -n " SKIP: $testsskip" [ $testsfail -gt 0 ] && echo -n "$RED" || echo -n "$NORM" echo " FAIL: $testsfail" echo "$NORM" # Signal failure to the testing environment creator with an unclean shutdown. if [ -n "$TST_ENV" ] && [ $$ -eq 1 ]; then if [ -z "$(command -v poweroff)" ]; then echo "Warning: cannot properly shutdown system" fi # If no test was executed and the script was successful, # do a clean shutdown. if [ $testsfail -eq 0 ] && [ $testspass -eq 0 ] && [ $testsskip -eq 0 ] && [ $exit_code -ne "$FAIL" ] && [ $exit_code -ne "$HARDFAIL" ]; then poweroff -f fi # If tests were executed and no test failed, do a clean shutdown. 
if { [ $testspass -gt 0 ] || [ $testsskip -gt 0 ]; } && [ $testsfail -eq 0 ]; then poweroff -f fi fi if [ $testsfail -gt 0 ]; then exit "$FAIL" elif [ $testspass -gt 0 ]; then exit "$OK" elif [ $testsskip -gt 0 ]; then exit "$SKIP" else exit "$exit_code" fi } # Setup SoftHSM for local testing by calling the softhsm_setup script. # Use the provided workdir as the directory where SoftHSM will store its state # into. # Upon successfully setting up SoftHSM, this function sets the global variables # OPENSSL_ENGINE and OPENSSL_KEYFORM so that the openssl command line tool can # use SoftHSM. Also the PKCS11_KEYURI global variable is set to the test key's # pkcs11 URI. _softhsm_setup() { local workdir="$1" local msg export SOFTHSM_SETUP_CONFIGDIR="${workdir}/softhsm" export SOFTHSM2_CONF="${workdir}/softhsm/softhsm2.conf" mkdir -p "${SOFTHSM_SETUP_CONFIGDIR}" msg=$(./softhsm_setup setup 2>&1) if [ $? -eq 0 ]; then echo "softhsm_setup setup succeeded: $msg" PKCS11_KEYURI=$(echo $msg | sed -n 's|^keyuri: \(.*\)|\1|p') export EVMCTL_ENGINE="--engine pkcs11" export OPENSSL_ENGINE="-engine pkcs11" export OPENSSL_KEYFORM="-keyform engine" else echo "softhsm_setup setup failed: ${msg}" fi } # Tear down the SoftHSM setup and clean up the environment _softhsm_teardown() { ./softhsm_setup teardown &>/dev/null rm -rf "${SOFTHSM_SETUP_CONFIGDIR}" unset SOFTHSM_SETUP_CONFIGDIR SOFTHSM2_CONF PKCS11_KEYURI \ EVMCTL_ENGINE OPENSSL_ENGINE OPENSSL_KEYFORM } # Syntax: _run_env _run_env() { if [ -z "$TST_ENV" ]; then return fi if [ $$ -eq 1 ]; then return fi if [ "$TST_ENV" = "um" ]; then expect_pass "$1" rootfstype=hostfs rw init="$2" quiet mem=2048M "$3" else echo $RED"Testing environment $TST_ENV not supported"$NORM exit "$FAIL" fi } # Syntax: _exit_env _exit_env() { if [ -z "$TST_ENV" ]; then return fi if [ $$ -eq 1 ]; then return fi exit "$OK" } # Syntax: _init_env _init_env() { if [ -z "$TST_ENV" ]; then return fi if [ $$ -ne 1 ]; then return fi mount -t tmpfs tmpfs /tmp mount -t proc 
proc /proc mount -t sysfs sysfs /sys mount -t securityfs securityfs /sys/kernel/security if [ -n "$(command -v haveged 2> /dev/null)" ]; then $(command -v haveged) -w 1024 &> /dev/null fi pushd "$PWD" > /dev/null || exit "$FAIL" } # Syntax: _cleanup_env _cleanup_env() { if [ -z "$TST_ENV" ]; then $1 return fi if [ $$ -ne 1 ]; then return fi $1 umount /sys/kernel/security umount /sys umount /proc umount /tmp } ima-evm-utils-1.5/tests/gen-keys.sh000077500000000000000000000107661440135744700173160ustar00rootroot00000000000000#!/bin/bash # SPDX-License-Identifier: GPL-2.0 # # Generate keys for the tests # # Copyright (C) 2020 Vitaly Chikunov # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2, or (at your option) # any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. cd "$(dirname "$0")" || exit 1 PATH=../src:$PATH type openssl log() { echo >&2 - "$*" eval "$@" } if [ "$1" = clean ]; then rm -f test-ca.conf elif [ "$1" = force ] || [ ! -e test-ca.conf ] \ || [ gen-keys.sh -nt test-ca.conf ]; then cat > test-ca.conf <<- EOF [ req ] distinguished_name = req_distinguished_name prompt = no string_mask = utf8only x509_extensions = v3_ca [ req_distinguished_name ] O = IMA-CA CN = IMA/EVM certificate signing key emailAddress = ca@ima-ca [ v3_ca ] basicConstraints=CA:TRUE subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always,issuer [ skid ] basicConstraints=CA:TRUE subjectKeyIdentifier=12345678 authorityKeyIdentifier=keyid:always,issuer EOF fi # RSA # Second key will be used for wrong key tests. 
for m in 1024 1024_skid 2048; do if [ "$1" = clean ] || [ "$1" = force ] \ || [ gen-keys.sh -nt test-rsa$m.key ]; then rm -f test-rsa$m.cer test-rsa$m.key test-rsa$m.pub fi if [ "$1" = clean ]; then continue fi if [ -z "${m%%*_*}" ]; then # Add named extension. bits=${m%_*} ext="-extensions ${m#*_}" else bits=$m ext= fi if [ ! -e test-rsa$m.key ]; then log openssl req -verbose -new -nodes -utf8 -sha256 -days 10000 -batch -x509 $ext \ -config test-ca.conf \ -newkey rsa:$bits \ -out test-rsa$m.cer -outform DER \ -keyout test-rsa$m.key # for v1 signatures log openssl pkey -in test-rsa$m.key -out test-rsa$m.pub -pubout if [ $m = 1024_skid ]; then # Create combined key+cert. log openssl x509 -inform DER -in test-rsa$m.cer >> test-rsa$m.key fi fi done for curve in prime192v1 prime256v1; do if [ "$1" = clean ] || [ "$1" = force ]; then rm -f test-$curve.cer test-$curve.key test-$curve.pub fi if [ "$1" = clean ]; then continue fi if [ ! -e test-$curve.key ]; then log openssl req -verbose -new -nodes -utf8 -sha256 -days 10000 -batch -x509 \ -config test-ca.conf \ -newkey ec \ -pkeyopt ec_paramgen_curve:$curve \ -out test-$curve.cer -outform DER \ -keyout test-$curve.key if [ -s test-$curve.key ]; then log openssl pkey -in test-$curve.key -out test-$curve.pub -pubout fi fi done # EC-RDSA for m in \ gost2012_256:A \ gost2012_256:B \ gost2012_256:C \ gost2012_512:A \ gost2012_512:B; do IFS=':' read -r algo param <<< "$m" if [ "$1" = clean ] || [ "$1" = force ]; then rm -f "test-$algo-$param.key" "test-$algo-$param.cer" "test-$algo-$param.pub" fi if [ "$1" = clean ]; then continue fi [ -e "test-$algo-$param.key" ] && continue log openssl req -nodes -x509 -utf8 -days 10000 -batch \ -config test-ca.conf \ -newkey "$algo" \ -pkeyopt "paramset:$param" \ -out "test-$algo-$param.cer" -outform DER \ -keyout "test-$algo-$param.key" if [ -s "test-$algo-$param.key" ]; then log openssl pkey -in "test-$algo-$param.key" -out "test-$algo-$param.pub" -pubout fi done # SM2, If openssl 3.0 is 
installed, gen SM2 keys using if [ -x /opt/openssl3/bin/openssl ]; then (PATH=/opt/openssl3/bin:$PATH LD_LIBRARY_PATH=/opt/openssl3/lib for curve in sm2; do if [ "$1" = clean ] || [ "$1" = force ]; then rm -f test-$curve.cer test-$curve.key test-$curve.pub fi if [ "$1" = clean ]; then continue fi if [ ! -e test-$curve.key ]; then log openssl req -verbose -new -nodes -utf8 -days 10000 -batch -x509 \ -sm3 -sigopt "distid:1234567812345678" \ -config test-ca.conf \ -copy_extensions copyall \ -newkey $curve \ -out test-$curve.cer -outform DER \ -keyout test-$curve.key if [ -s test-$curve.key ]; then log openssl pkey -in test-$curve.key -out test-$curve.pub -pubout fi fi done) fi # This script leaves test-ca.conf, *.cer, *.pub, *.key files for sing/verify tests. # They are never deleted except by `make distclean'. ima-evm-utils-1.5/tests/ima_hash.test000077500000000000000000000065121440135744700177040ustar00rootroot00000000000000#!/bin/bash # SPDX-License-Identifier: GPL-2.0 # # evmctl ima_hash tests # # Copyright (C) 2020 Vitaly Chikunov # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2, or (at your option) # any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. 
cd "$(dirname "$0")" || exit 1 PATH=../src:$PATH source ./functions.sh _require evmctl openssl getfattr trap _report_exit_and_cleanup EXIT set -f # disable globbing check() { local alg=$1 prefix=$2 chash=$3 hash local file=$alg-hash.txt rm -f "$file" touch "$file" # Generate hash with openssl, if it failed skip test, # unless it's negative test, then pass to evmctl cmd="openssl dgst $OPENSSL_ENGINE -$alg $file" echo - "$cmd" hash=$(set -o pipefail; $cmd 2>/dev/null | cut -d' ' -f2) if [ $? -ne 0 ] && _test_expected_to_pass; then echo "${CYAN}$alg test is skipped$NORM" rm "$file" return "$SKIP" fi if [ "$chash" ] && [ "$chash" != "$hash" ]; then color_red echo "Invalid hash for $alg from openssl" echo "Expected: $chash" echo "Returned: $hash" color_restore rm "$file" return "$HARDFAIL" fi ADD_TEXT_FOR=$alg ADD_DEL=$file \ _evmctl_run ima_hash --hashalgo "$alg" --xattr-user "$file" || return ADD_TEXT_FOR=$alg \ _test_xattr "$file" user.ima "$prefix$hash" || return rm "$file" return "$OK" } # check args: algo hdr-prefix canonic-hash expect_pass check md4 0x01 31d6cfe0d16ae931b73c59d7e0c089c0 expect_pass check md5 0x01 d41d8cd98f00b204e9800998ecf8427e expect_pass check sha1 0x01 da39a3ee5e6b4b0d3255bfef95601890afd80709 expect_fail check SHA1 0x01 # uppercase expect_fail check sha512-224 0x01 # valid for pkcs1 expect_fail check sha512-256 0x01 # valid for pkcs1 expect_fail check unknown 0x01 # nonexistent expect_pass check sha224 0x0407 d14a028c2a3a2bc9476102bb288234c415a2b01f828ea62ac5b3e42f expect_pass check sha256 0x0404 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 expect_pass check sha384 0x0405 38b060a751ac96384cd9327eb1b1e36a21fdb71114be07434c0cc7bf63f6e1da274edebfe76f65fbd51ad2f14898b95b expect_pass check sha512 0x0406 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e expect_pass check rmd160 0x0403 9c1185a5c5e9fc54612808977ee8f548b2258d31 expect_pass check sm3 
0x0411 1ab21d8355cfa17f8e61194831e81a8f22bec8c728fefb747ed035eb5082aa2b _enable_gost_engine expect_pass check md_gost12_256 0x0412 3f539a213e97c802cc229d474c6aa32a825a360b2a933a949fd925208d9ce1bb expect_pass check streebog256 0x0412 3f539a213e97c802cc229d474c6aa32a825a360b2a933a949fd925208d9ce1bb expect_pass check md_gost12_512 0x0413 8e945da209aa869f0455928529bcae4679e9873ab707b55315f56ceb98bef0a7362f715528356ee83cda5f2aac4c6ad2ba3a715c1bcd81cb8e9f90bf4c1c1a8a expect_pass check streebog512 0x0413 8e945da209aa869f0455928529bcae4679e9873ab707b55315f56ceb98bef0a7362f715528356ee83cda5f2aac4c6ad2ba3a715c1bcd81cb8e9f90bf4c1c1a8a ima-evm-utils-1.5/tests/ima_policy_check.awk000077500000000000000000000154141440135744700212210ustar00rootroot00000000000000#! /usr/bin/gawk -f # SPDX-License-Identifier: GPL-2.0 # # Copyright (C) 2023 Roberto Sassu # # Check a new rule against the loaded IMA policy. # # Documentation/ABI/testing/ima_policy (Linux kernel) # base: [[func=] [mask=] [fsmagic=] [fsuuid=] [fsname=] # [uid=] [euid=] [gid=] [egid=] # [fowner=] [fgroup=]] # lsm: [[subj_user=] [subj_role=] [subj_type=] # [obj_user=] [obj_role=] [obj_type=]] # option: [digest_type=] [template=] [permit_directio] # [appraise_type=] [appraise_flag=] # [appraise_algos=] [keyrings=] # # Rules don't overlap if their actions are unrelated (cannot be matched without # dont_) and there is no combination of appraise with another do action (e.g. # measure, audit, hash). The second condition is due to the fact that appraise # might still forbid other actions expected to be performed by a test that did # not setup appraisal. Checking appraise for new rules is not sufficient, # because that rule could be added anyway. By checking existing rules as well, # a warning will be displayed when tests inserting rules with other do actions # are reexecuted. # # Also, rules don't overlap if both include the same policy keyword(s) (in base # or lsm, except func), at least one, with a different value. 
Different func # values don't imply non-overlap, due to the fact that a test command might # cause the execution of multiple hooks (e.g. FILE_CHECK in addition to # MMAP_CHECK). Despite one test is willing to test a particular hook, this could # have side effects on other tests (e.g. one test sets: appraise func=MMAP_CHECK # and another: measure func=FILE_CHECK; the second test might see an unexpected # measurement due to the first test being executed; or the second test cannot # unexpectedly do mmap). # # Currently, the < > operators are not supported and overlapping is asserted # even if intervals are disjoint. If supported, non-overlapping conditions could # be found. With the ^ modifier, no disjoint intervals can be found. Overlapping # is always reported. # # Rule equivalence is determined by checking each key/value pair, regardless of # their order. However, the action must always be at the beginning of the rules. # Rules with aliases are considered equivalent to those with their source (e.g. # rules with PATH_CHECK and FILE_MMAP are considered as equivalent to rules with # FILE_CHECK and MMAP_CHECK). # # Return a bit mask with the following values: # - 1: invalid new rule; # - 2: overlap of the new rule with an existing rule in the IMA policy; # - 4: new rule exists in the IMA policy. BEGIN { # Policy definitions. actions_str="measure dont_measure appraise dont_appraise audit hash dont_hash" split(actions_str, actions_array); keywords_str="func mask fsmagic fsuuid fsname uid euid gid egid fowner fgroup subj_user subj_role subj_type obj_user obj_role obj_type"; split(keywords_str, keywords_array); options_str="digest_type template permit_directio appraise_type appraise_flag appraise_algos keyrings"; split(options_str, options_array); # Key types. key_type_unknown=0; key_type_action=1; key_type_keyword=2; key_type_option=3; # Result values. 
ret_invalid_rule=1; ret_rule_overlap=2; ret_same_rule_exists=4; for (action_idx in actions_array) key_types[actions_array[action_idx]]=key_type_action; for (keyword_idx in keywords_array) key_types[keywords_array[keyword_idx]]=key_type_keyword; for (option_idx in options_array) key_types[options_array[option_idx]]=key_type_option; new_rule=1; result=0; } { # Delete arrays from previous rule. if (!new_rule) { delete current_rule_array; delete current_rule_operator_array; } # Check empty rules. if (!length($0)) { if (new_rule) { result=or(result, ret_invalid_rule); exit; } next; } for (i=1; i<=NF; i++) { # Parse key/value pair. split($i, key_value_array, /[=,>,<]/, separator_array); key=key_value_array[1]; value=key_value_array[2]; if (key == "func") { # Normalize values of IMA hooks to what IMA will print. if (value == "FILE_MMAP") value="MMAP_CHECK"; else if (value == "PATH_CHECK") value="FILE_CHECK"; } # Basic validity check (not necessary in general for the IMA policy, but useful to find typos in the tests). if (key_types[key] == key_type_unknown || (i == 1 && key_types[key] != key_type_action)) { result=or(result, ret_invalid_rule); exit; } # Store key/value pair and operator into an array. if (new_rule) { new_rule_array[key]=value; new_rule_operator_array[key]=separator_array[1]; } else { current_rule_array[key]=value; current_rule_operator_array[key]=separator_array[1]; } # Store original action and action without dont_. if (i == 1) { if (new_rule) { new_rule_action=key; new_rule_action_sub=key; gsub(/dont_/, "", new_rule_action_sub); } else { current_rule_action=key; current_rule_action_sub=key; gsub(/dont_/, "", current_rule_action_sub); } } } # Go to the next line, to compare the new rule with rules in the IMA policy. if (new_rule) { new_rule=0; next; } # No overlap by action (unrelated rules and no combination appraise - ), new rule safe to add to the IMA policy. 
if (current_rule_action_sub != new_rule_action_sub && (current_rule_action != "appraise" || new_rule_action ~ /^dont_/) && (new_rule_action != "appraise" || current_rule_action ~ /^dont_/)) next; same_rule=1; overlap_rule=1; for (key in key_types) { if (!(key in new_rule_array)) { # Key in current rule but not in new rule. if (key in current_rule_array) same_rule=0; # Key not in new rule and not in current rule. continue; } if (!(key in current_rule_array)) { # Key in new rule but not in current rule. if (key in new_rule_array) same_rule=0; # Key not in current rule and not in new rule. continue; } # Same value and operator. if (new_rule_array[key] == current_rule_array[key] && new_rule_operator_array[key] == current_rule_operator_array[key]) continue; # Different value and/or operator. same_rule=0; # Not a policy keyword, not useful to determine overlap. if (key_types[key] != key_type_keyword) continue; # > < operators are not supported, cannot determine overlap. if (new_rule_operator_array[key] != "=" || current_rule_operator_array[key] != "=") continue; # ^ modifier does not make disjoint sets, cannot determine overlap. if (new_rule_array[key] ~ /^\^/ || current_rule_array[key] ~ /^\^/) continue; # One test command can invoke multiple hooks, cannot determine overlap from func. if (key == "func") continue; # No overlap by policy keyword, new rule safe to add to the IMA policy. overlap_rule=0; next; } if (same_rule) result=or(result, ret_same_rule_exists); else if (overlap_rule) result=or(result, ret_rule_overlap); } END { exit result; } ima-evm-utils-1.5/tests/ima_policy_check.test000077500000000000000000000231471440135744700214200ustar00rootroot00000000000000#!/bin/bash # SPDX-License-Identifier: GPL-2.0 # # Copyright (C) 2023 Roberto Sassu # # Test for ima_policy_check.awk trap '_report_exit_and_cleanup' SIGINT SIGTERM EXIT cd "$(dirname "$0")" || exit 1 . 
./functions.sh export PATH=$PWD:$PATH check_result() { local result echo -e "\nTest: $1" echo "New rule: $2" echo "IMA policy: $3" echo -n "Result (expect $4): " echo -e "$2\n$3" | ima_policy_check.awk result=$? if [ "$result" -ne "$4" ]; then echo "${RED}$result${NORM}" return "$FAIL" fi echo "${GREEN}$result${NORM}" return "$OK" } # ima_policy_check.awk returns a bit mask with the following values: # - 1: invalid new rule; # - 2: overlap of the new rule with an existing rule in the IMA policy; # - 4: new rule exists in the IMA policy. # Basic checks. desc="empty IMA policy" rule="measure func=FILE_CHECK" ima_policy="" expect_pass check_result "$desc" "$rule" "$ima_policy" 0 desc="Empty new rule" rule="" ima_policy="" expect_pass check_result "$desc" "$rule" "$ima_policy" 1 desc="Unknown policy keyword fun" rule="measure fun=FILE_CHECK" ima_policy="" expect_pass check_result "$desc" "$rule" "$ima_policy" 1 desc="Missing action" rule="func=FILE_CHECK" ima_policy="" expect_pass check_result "$desc" "$rule" "$ima_policy" 1 # Non-overlapping rules. 
desc="Non-overlapping by action measure/dont_appraise, same func" rule="measure func=FILE_CHECK" ima_policy="dont_appraise func=FILE_CHECK" expect_pass check_result "$desc" "$rule" "$ima_policy" 0 desc="Non-overlapping by action audit/dont_appraise, same func" rule="audit func=FILE_CHECK" ima_policy="dont_appraise func=FILE_CHECK" expect_pass check_result "$desc" "$rule" "$ima_policy" 0 desc="Non-overlapping by action appraise/dont_measure, same func" rule="appraise func=FILE_CHECK" ima_policy="dont_measure func=FILE_CHECK" expect_pass check_result "$desc" "$rule" "$ima_policy" 0 desc="Non-overlapping by action dont_measure/hash, same func" rule="dont_measure func=FILE_CHECK" ima_policy="hash func=FILE_CHECK" expect_pass check_result "$desc" "$rule" "$ima_policy" 0 desc="Non-overlapping by uid, func is equal" rule="measure func=FILE_CHECK uid=0" ima_policy="measure uid=1 func=FILE_CHECK" expect_pass check_result "$desc" "$rule" "$ima_policy" 0 desc="Non-overlapping by uid, func is equal, same policy options" rule="measure func=FILE_CHECK uid=0 permit_directio" ima_policy="measure uid=1 func=FILE_CHECK permit_directio" expect_pass check_result "$desc" "$rule" "$ima_policy" 0 desc="Non-overlapping by mask, func and uid are equal, same policy options" rule="measure func=FILE_CHECK uid=0 permit_directio mask=MAY_READ" ima_policy="measure uid=0 mask=MAY_EXEC func=FILE_CHECK permit_directio" expect_pass check_result "$desc" "$rule" "$ima_policy" 0 desc="Non-overlapping by mask, func and uid are equal, different policy options" rule="measure func=FILE_CHECK uid=0 permit_directio mask=MAY_READ" ima_policy="measure uid=0 mask=MAY_EXEC func=FILE_CHECK" expect_pass check_result "$desc" "$rule" "$ima_policy" 0 # Overlapping and different rules. 
desc="same actions, different keywords" rule="appraise func=FILE_CHECK" ima_policy="appraise uid=0" expect_pass check_result "$desc" "$rule" "$ima_policy" 2 desc="unrelated actions with appraise and a do action, same func" rule="appraise func=FILE_CHECK" ima_policy="measure func=FILE_CHECK" expect_pass check_result "$desc" "$rule" "$ima_policy" 2 desc="unrelated actions with appraise and a do action, different func" rule="appraise func=FILE_CHECK" ima_policy="measure func=MMAP_CHECK" expect_pass check_result "$desc" "$rule" "$ima_policy" 2 desc="related actions, same func" rule="measure func=FILE_CHECK" ima_policy="dont_measure func=FILE_CHECK" expect_pass check_result "$desc" "$rule" "$ima_policy" 2 desc="related actions, same func, different policy options" rule="measure func=FILE_CHECK" ima_policy="dont_measure func=FILE_CHECK permit_directio" expect_pass check_result "$desc" "$rule" "$ima_policy" 2 desc="related actions, same func, different policy options" rule="measure func=FILE_CHECK permit_directio" ima_policy="dont_measure func=FILE_CHECK" expect_pass check_result "$desc" "$rule" "$ima_policy" 2 desc="same actions, same func, same mask with different modifier (no disjoint sets with the ^ modifier)" rule="measure func=FILE_CHECK mask=MAY_EXEC" ima_policy="measure func=FILE_CHECK mask=^MAY_EXEC" expect_pass check_result "$desc" "$rule" "$ima_policy" 2 desc="same actions, same func, different mask with same modifier (no disjoint sets with the ^ modifier)" rule="measure func=FILE_CHECK mask=^MAY_READ" ima_policy="measure func=FILE_CHECK mask=^MAY_EXEC" expect_pass check_result "$desc" "$rule" "$ima_policy" 2 desc="same actions, same func, different policy options" rule="measure func=FILE_CHECK" ima_policy="measure func=FILE_CHECK permit_directio" expect_pass check_result "$desc" "$rule" "$ima_policy" 2 desc="same actions, same func, different policy options" rule="measure func=FILE_CHECK permit_directio" ima_policy="measure func=FILE_CHECK" expect_pass 
check_result "$desc" "$rule" "$ima_policy" 2 desc="same actions, MMAP_CHECK and MMAP_CHECK_REQPROT hooks" rule="measure func=MMAP_CHECK" ima_policy="measure func=MMAP_CHECK_REQPROT" expect_pass check_result "$desc" "$rule" "$ima_policy" 2 desc="related actions, same func, same mask with same modifier" rule="measure func=FILE_CHECK mask=^MAY_EXEC" ima_policy="dont_measure func=FILE_CHECK mask=^MAY_EXEC" expect_pass check_result "$desc" "$rule" "$ima_policy" 2 desc="same actions, same func, different uid with same operator (overlap because operators are not supported)" rule="measure func=FILE_CHECK uid>0" ima_policy="measure func=FILE_CHECK uid>1" expect_pass check_result "$desc" "$rule" "$ima_policy" 2 desc="same actions, same func, same uid with different operator (overlap because operators are not supported)" rule="measure func=FILE_CHECK uid>1" ima_policy="measure func=FILE_CHECK uid<1" expect_pass check_result "$desc" "$rule" "$ima_policy" 2 # Overlapping and same rules. desc="same actions, same func" rule="appraise func=FILE_CHECK" ima_policy="appraise func=FILE_CHECK" expect_pass check_result "$desc" "$rule" "$ima_policy" 4 desc="same actions, same func, same mask" rule="appraise mask=MAY_READ func=FILE_CHECK" ima_policy="appraise func=FILE_CHECK mask=MAY_READ" expect_pass check_result "$desc" "$rule" "$ima_policy" 4 desc="same actions, same func, same mask, same policy options" rule="appraise mask=MAY_READ func=FILE_CHECK permit_directio appraise_type=imasig" ima_policy="appraise func=FILE_CHECK mask=MAY_READ permit_directio appraise_type=imasig" expect_pass check_result "$desc" "$rule" "$ima_policy" 4 desc="same actions, same func" rule="measure func=MMAP_CHECK_REQPROT" ima_policy="measure func=MMAP_CHECK_REQPROT" expect_pass check_result "$desc" "$rule" "$ima_policy" 4 desc="same actions, same func with alias (PATH_CHECK = FILE_CHECK)" rule="measure func=FILE_CHECK" ima_policy="measure func=PATH_CHECK" expect_pass check_result "$desc" "$rule" "$ima_policy" 
4 desc="same actions, same func with alias (PATH_CHECK = FILE_CHECK), same mask with same modifiers" rule="measure mask=^MAY_READ func=FILE_CHECK" ima_policy="measure func=PATH_CHECK mask=^MAY_READ" expect_pass check_result "$desc" "$rule" "$ima_policy" 4 desc="same actions, same func with alias (PATH_CHECK = FILE_CHECK) and same mask with same modifiers, same uid with same operators" rule="measure mask=^MAY_READ uid>0 func=FILE_CHECK" ima_policy="measure func=PATH_CHECK mask=^MAY_READ uid>0" expect_pass check_result "$desc" "$rule" "$ima_policy" 4 desc="same actions, same func with alias (PATH_CHECK = FILE_CHECK) and same mask with same modifiers, same uid with same operators" rule="measure mask=^MAY_READ uid<1 func=FILE_CHECK" ima_policy="measure func=PATH_CHECK mask=^MAY_READ uid<1" expect_pass check_result "$desc" "$rule" "$ima_policy" 4 # Overlapping and two rules (one same, one different). desc="first: same actions, same func, second: unrelated actions with appraise and a do action" rule="appraise func=FILE_CHECK" ima_policy="appraise func=FILE_CHECK\nmeasure func=FILE_CHECK" expect_pass check_result "$desc" "$rule" "$ima_policy" 6 desc="first: unrelated actions with appraise and a do action, same func, second: same actions" rule="appraise func=FILE_CHECK" ima_policy="measure func=FILE_CHECK\nappraise func=FILE_CHECK" expect_pass check_result "$desc" "$rule" "$ima_policy" 6 desc="first: same actions, same func, same mask, second: different policy options" rule="appraise mask=MAY_READ func=FILE_CHECK" ima_policy="appraise func=FILE_CHECK mask=MAY_READ\nappraise func=FILE_CHECK mask=MAY_READ permit_directio" expect_pass check_result "$desc" "$rule" "$ima_policy" 6 desc="first: same actions, same func with alias (PATH_CHECK = FILE_CHECK), same mask, second: different policy options" rule="appraise mask=MAY_READ func=FILE_CHECK" ima_policy="appraise func=PATH_CHECK mask=MAY_READ\nappraise func=FILE_CHECK mask=MAY_READ permit_directio" expect_pass check_result 
"$desc" "$rule" "$ima_policy" 6 # Non-overlapping and three rules. desc="same actions, same func and mask, different uid" rule="appraise mask=MAY_READ func=FILE_CHECK uid=0" ima_policy="appraise mask=MAY_READ func=FILE_CHECK uid=1\nappraise mask=MAY_READ func=FILE_CHECK uid=2\nappraise mask=MAY_READ func=FILE_CHECK uid=3" expect_pass check_result "$desc" "$rule" "$ima_policy" 0 desc="same actions, same func and mask, different uid, except one that is the same" rule="appraise mask=MAY_READ func=FILE_CHECK uid=0" ima_policy="appraise mask=MAY_READ func=FILE_CHECK uid=1\nappraise mask=MAY_READ func=FILE_CHECK uid=0\nappraise mask=MAY_READ func=FILE_CHECK uid=3" expect_pass check_result "$desc" "$rule" "$ima_policy" 4 ima-evm-utils-1.5/tests/install-fsverity.sh000077500000000000000000000002021440135744700210730ustar00rootroot00000000000000#!/bin/sh git clone https://git.kernel.org/pub/scm/fs/fsverity/fsverity-utils.git cd fsverity-utils CC=gcc make -j$(nproc) cd .. ima-evm-utils-1.5/tests/install-mount-idmapped.sh000077500000000000000000000002021440135744700221430ustar00rootroot00000000000000#!/bin/sh git clone https://github.com/brauner/mount-idmapped.git cd mount-idmapped gcc -o mount-idmapped mount-idmapped.c cd .. ima-evm-utils-1.5/tests/install-openssl3.sh000077500000000000000000000012511440135744700207730ustar00rootroot00000000000000#!/bin/bash set -ex if [ -z "$COMPILE_SSL" ]; then echo "Missing \$COMPILE_SSL!" >&2 exit 1 fi version=${COMPILE_SSL} wget --no-check-certificate https://github.com/openssl/openssl/archive/refs/tags/${version}.tar.gz tar --no-same-owner -xzf ${version}.tar.gz cd openssl-${version} if [ "$VARIANT" = "i386" ]; then echo "32-bit compilation" FLAGS="-m32 linux-generic32" fi ./Configure $FLAGS no-engine no-dynamic-engine --prefix=/opt/openssl3 --openssldir=/opt/openssl3 # Uncomment for debugging # perl configdata.pm --dump | grep engine make -j$(nproc) # only install apps and library sudo make install_sw cd .. 
rm -rf ${version}.tar.gz rm -rf openssl-${version} ima-evm-utils-1.5/tests/install-swtpm.sh000077500000000000000000000010231440135744700203740ustar00rootroot00000000000000#!/bin/sh -ex # No need to run via sudo if we already have permissions. # Also, some distros do not have sudo configured for root: # `root is not in the sudoers file. This incident will be reported.' if [ -w /usr/local/bin ]; then SUDO= else SUDO=sudo fi version=1682 wget --no-check-certificate https://sourceforge.net/projects/ibmswtpm2/files/ibmtpm${version}.tar.gz/download mkdir ibmtpm$version cd ibmtpm$version tar --no-same-owner -xvzf ../download cd src make -j$(nproc) $SUDO cp tpm_server /usr/local/bin/ cd ../.. ima-evm-utils-1.5/tests/install-tss.sh000077500000000000000000000003061440135744700200360ustar00rootroot00000000000000#!/bin/sh set -ex git clone https://git.code.sf.net/p/ibmtpm20tss/tss cd tss autoreconf -i && ./configure --disable-tpm-1.2 --disable-hwtpm && make -j$(nproc) && sudo make install cd .. rm -rf tss ima-evm-utils-1.5/tests/mmap_check.test000077500000000000000000000264631440135744700202310ustar00rootroot00000000000000#!/bin/bash # SPDX-License-Identifier: GPL-2.0 # # Copyright (C) 2022-2023 Roberto Sassu # # Check the behavior of MMAP_CHECK and MMAP_CHECK_REQPROT trap '_report_exit_and_cleanup _cleanup_env cleanup' SIGINT SIGTERM SIGSEGV EXIT PATCHES=( 'ima: Align ima_file_mmap() parameters with mmap_file LSM hook' 'ima: Introduce MMAP_CHECK_REQPROT hook' ) RET_INVALID_RULE=$((0x0001)) RET_RULE_OVERLAP=$((0x0002)) RET_SAME_RULE_EXISTS=$((0x0004)) EVM_INIT_HMAC=$((0x0001)) EVM_INIT_X509=$((0x0002)) # Base VERBOSE on the environment variable, if set. VERBOSE="${VERBOSE:-0}" # Errors defined in test_mmap ERR_SETUP=1 ERR_TEST=2 cd "$(dirname "$0")" || exit 1 export PATH=$PWD/../src:$PWD:$PATH export LD_LIBRARY_PATH=$LD_LIBRARY_PATH . 
./functions.sh _require evmctl cleanup() { if [ "$g_loop_mounted" = "1" ]; then popd > /dev/null || exit "$FAIL" umount "$g_mountpoint" fi if [ -n "$g_dev" ]; then losetup -d "$g_dev" fi if [ -n "$g_image" ]; then rm -f "$g_image" fi if [ -n "$g_mountpoint" ]; then rm -Rf "$g_mountpoint" fi if [ -n "$g_key_path_der" ]; then rm -f "$g_key_path_der" fi } # Use the fsuuid= IMA policy keyword to select only files created/used by the # tests below. Also use fowner= to differentiate between files created/used by # individual tests. IMA_UUID="28b23254-9467-44c0-b6ba-34b12e85a26e" MEASURE_MMAP_CHECK_FOWNER=2000 MEASURE_MMAP_CHECK_REQPROT_FOWNER=2001 MEASURE_MMAP_CHECK_RULE="measure func=MMAP_CHECK fsmagic=0xef53 fsuuid=$IMA_UUID fowner=$MEASURE_MMAP_CHECK_FOWNER" MEASURE_MMAP_CHECK_REQPROT_RULE="measure func=MMAP_CHECK_REQPROT fsmagic=0xef53 fsuuid=$IMA_UUID fowner=$MEASURE_MMAP_CHECK_REQPROT_FOWNER" APPRAISE_MMAP_CHECK_FOWNER=2002 APPRAISE_MMAP_CHECK_REQPROT_FOWNER=2003 APPRAISE_MMAP_CHECK_RULE="appraise func=MMAP_CHECK fsmagic=0xef53 fsuuid=$IMA_UUID fowner=$APPRAISE_MMAP_CHECK_FOWNER" APPRAISE_MMAP_CHECK_REQPROT_RULE="appraise func=MMAP_CHECK_REQPROT fsmagic=0xef53 fsuuid=$IMA_UUID fowner=$APPRAISE_MMAP_CHECK_REQPROT_FOWNER" check_load_ima_rule() { local result new_policy color echo -e "$1\n$(cat /sys/kernel/security/ima/policy)" | ima_policy_check.awk result=$? if [ $((result & RET_INVALID_RULE)) -eq $RET_INVALID_RULE ]; then echo "${RED}Invalid rule${NORM}" return "$HARDFAIL" fi if [ $((result & RET_RULE_OVERLAP)) -eq $RET_RULE_OVERLAP ]; then color=${YELLOW} if [ -n "$TST_ENV" ]; then color=${RED} fi echo "${color}Possible interference with existing IMA policy rule${NORM}" if [ -n "$TST_ENV" ]; then return "$HARDFAIL" fi fi if [ $((result & RET_SAME_RULE_EXISTS)) -eq $RET_SAME_RULE_EXISTS ]; then return "$OK" fi new_policy=$(mktemp -p "$g_mountpoint") echo "$1" > "$new_policy" echo "$new_policy" > /sys/kernel/security/ima/policy result=$? 
rm -f "$new_policy" if [ "$result" -ne 0 ]; then echo "${RED}Failed to set IMA policy${NORM}" return "$HARDFAIL" fi return "$OK" } check_mmap() { local hook="$1" local arg="$2" local test_file fowner rule result test_file_entry echo -e "\nTest: ${FUNCNAME[0]} (hook=\"$hook\", test_mmap arg: \"$arg\")" if ! test_file=$(mktemp -p "$PWD"); then echo "${RED}Cannot create $test_file${NORM}" return "$HARDFAIL" fi if ! echo "test" > "$test_file"; then echo "${RED}Cannot write $test_file${NORM}" return "$FAIL" fi fowner="$MEASURE_MMAP_CHECK_FOWNER" rule="$MEASURE_MMAP_CHECK_RULE" if [ "$hook" = "MMAP_CHECK_REQPROT" ]; then fowner="$MEASURE_MMAP_CHECK_REQPROT_FOWNER" rule="$MEASURE_MMAP_CHECK_REQPROT_RULE" fi if ! chown "$fowner" "$test_file"; then echo "${RED}Cannot change owner of $test_file${NORM}" return "$HARDFAIL" fi check_load_ima_rule "$rule" result=$? if [ $result -ne "$OK" ]; then return $result fi test_mmap "$test_file" "$arg" result=$? if [ $result -ne 0 ] && [ $result -ne "$ERR_TEST" ]; then echo "${RED}Unexpected exit status $result from test_mmap${NORM}" return "$HARDFAIL" fi if [ "$TFAIL" != "yes" ]; then echo -n "Result (expect found): " else echo -n "Result (expect not found): " fi test_file_entry=$(awk '$5 == "'"$test_file"'"' < /sys/kernel/security/ima/ascii_runtime_measurements) if [ -z "$test_file_entry" ]; then if [ "$TFAIL" != "yes" ]; then echo "${RED}not found${NORM}" else echo "${GREEN}not found${NORM}" fi return "$FAIL" fi if [ "$TFAIL" != "yes" ]; then echo "${GREEN}found${NORM}" else echo "${RED}found${NORM}" fi if [ "$VERBOSE" -gt 0 ]; then echo "$test_file_entry" fi return "$OK" } check_deny() { local hook="$1" local arg="$2" local test_file fowner rule result echo -e "\nTest: ${FUNCNAME[0]} (hook=\"$hook\", test_mmap arg: \"$arg\")" if ! test_file=$(mktemp -p "$PWD"); then echo "${RED}Cannot create $test_file${NORM}" return "$HARDFAIL" fi if ! echo "test" > "$test_file"; then echo "${RED}Cannot write $test_file${NORM}" return "$FAIL" fi if ! 
evmctl ima_sign -a sha256 --key "$g_key_path" "$test_file" &> /dev/null; then echo "${RED}Cannot sign $test_file${NORM}" return "$HARDFAIL" fi fowner="$APPRAISE_MMAP_CHECK_FOWNER" rule="$APPRAISE_MMAP_CHECK_RULE" if [ "$hook" = "MMAP_CHECK_REQPROT" ]; then fowner="$APPRAISE_MMAP_CHECK_REQPROT_FOWNER" rule="$APPRAISE_MMAP_CHECK_REQPROT_RULE" fi if ! chown "$fowner" "$test_file"; then echo "${RED}Cannot change owner of $test_file${NORM}" return "$HARDFAIL" fi check_load_ima_rule "$rule" result=$? if [ $result -ne "$OK" ]; then return $result fi test_mmap "$test_file" exec result=$? if [ $result -ne 0 ] && [ $result -ne "$ERR_TEST" ]; then echo "${RED}Unexpected exit status $result from test_mmap${NORM}" return "$HARDFAIL" fi test_mmap "$test_file" "$arg" result=$? if [ $result -ne 0 ] && [ $result -ne "$ERR_TEST" ]; then echo "${RED}Unexpected exit status $result from test_mmap${NORM}" return "$HARDFAIL" fi if [ "$TFAIL" != "yes" ]; then echo -n "Result (expect denied): " else echo -n "Result (expect allowed): " fi if [ $result -eq 0 ]; then if [ "$TFAIL" != "yes" ]; then echo "${RED}allowed${NORM}" else echo "${GREEN}allowed${NORM}" fi return "$FAIL" fi if [ "$TFAIL" != "yes" ]; then echo "${GREEN}denied${NORM}" else echo "${RED}denied${NORM}" fi return "$OK" } # Run in the new environment if TST_ENV is set. _run_env "$TST_KERNEL" "$PWD/$(basename "$0")" "TST_ENV=$TST_ENV TST_KERNEL=$TST_KERNEL PATH=$PATH LD_LIBRARY_PATH=$LD_LIBRARY_PATH VERBOSE=$VERBOSE TST_KEY_PATH=$TST_KEY_PATH" # Exit from the creator of the new environment. _exit_env "$TST_KERNEL" # Mount filesystems in the new environment. _init_env if [ "$(whoami)" != "root" ]; then echo "${CYAN}This script must be executed as root${NORM}" exit "$SKIP" fi if [ ! -f /sys/kernel/security/ima/policy ]; then echo "${CYAN}IMA policy file not found${NORM}" exit "$SKIP" fi if ! 
cat /sys/kernel/security/ima/policy &> /dev/null; then echo "${CYAN}IMA policy file is not readable${NORM}" exit "$SKIP" fi if [ -n "$TST_KEY_PATH" ]; then if [ "${TST_KEY_PATH:0:1}" != "/" ]; then echo "${RED}Absolute path required for the signing key${NORM}" exit "$FAIL" fi if [ ! -f "$TST_KEY_PATH" ]; then echo "${RED}Kernel signing key not found in $TST_KEY_PATH${NORM}" exit "$FAIL" fi g_key_path="$TST_KEY_PATH" elif [ -f "$PWD/../signing_key.pem" ]; then g_key_path="$PWD/../signing_key.pem" elif [ -f "/lib/modules/$(uname -r)/source/certs/signing_key.pem" ]; then g_key_path="/lib/modules/$(uname -r)/source/certs/signing_key.pem" elif [ -f "/lib/modules/$(uname -r)/build/certs/signing_key.pem" ]; then g_key_path="/lib/modules/$(uname -r)/build/certs/signing_key.pem" else echo "${CYAN}Kernel signing key not found${NORM}" exit "$SKIP" fi evm_value=$(cat /sys/kernel/security/evm) if [ $((evm_value & EVM_INIT_X509)) -eq "$EVM_INIT_X509" ]; then if [ $((evm_value & EVM_INIT_HMAC)) -ne "$EVM_INIT_HMAC" ]; then echo "${CYAN}Incompatible EVM mode $evm_value${NORM}" exit "$SKIP" fi fi g_key_path_der=$(mktemp) openssl x509 -in "$g_key_path" -out "$g_key_path_der" -outform der if ! keyctl padd asymmetric pubkey %keyring:.ima < "$g_key_path_der" &> /dev/null; then echo "${RED}Public key cannot be added to the IMA keyring${NORM}" exit "$FAIL" fi g_mountpoint=$(mktemp -d) g_image=$(mktemp) if [ -z "$g_mountpoint" ]; then echo "${RED}Mountpoint directory not created${NORM}" exit "$FAIL" fi if ! dd if=/dev/zero of="$g_image" bs=1M count=20 &> /dev/null; then echo "${RED}Cannot create test image${NORM}" exit "$FAIL" fi g_dev=$(losetup -f "$g_image" --show) if [ -z "$g_dev" ]; then echo "${RED}Cannot create loop device${NORM}" exit "$FAIL" fi if ! mkfs.ext4 -U "$IMA_UUID" -b 4096 "$g_dev" &> /dev/null; then echo "${RED}Cannot format $g_dev${NORM}" exit "$FAIL" fi if ! 
mount -o iversion "$g_dev" "$g_mountpoint"; then echo "${RED}Cannot mount loop device${NORM}" exit "$FAIL" fi g_loop_mounted=1 pushd "$g_mountpoint" > /dev/null || exit "$FAIL" # Ensure that IMA does not add a new measurement entry if an application calls # mmap() with PROT_READ, and a policy rule contains the MMAP_CHECK hook. # In this case, both the protections requested by the application and the final # protections applied by the kernel contain only PROT_READ, so there is no # match with the IMA rule, which expects PROT_EXEC to be set. expect_fail check_mmap "MMAP_CHECK" "" # Ensure that IMA adds a new measurement entry if an application calls mmap() # with PROT_READ | PROT_EXEC, and a policy rule contains the MMAP_CHECK hook. expect_pass check_mmap "MMAP_CHECK" "exec" # Same as in the first test, but in this case the application calls the # personality() system call with READ_IMPLIES_EXEC, which causes the kernel to # add PROT_EXEC in the final protections passed to the MMAP_CHECK hook. # # Ensure that the bug introduced by 98de59bfe4b2 ("take calculation of final # protections in security_mmap_file() into a helper") is fixed, by passing the # final protections again to the MMAP_CHECK hook. Due to the bug, the hook # received the protections requested by the application. Since those protections # don't have PROT_EXEC, IMA was not creating a measurement entry. expect_pass_if '0' check_mmap "MMAP_CHECK" "read_implies_exec" # Repeat the previous three tests, but with the new MMAP_CHECK_REQPROT hook, # which behaves like the buggy MMAP_CHECK hook. In the third test, expect that # no new measurement entry is created, since the MMAP_CHECK_REQPROT hook sees # the protections requested by the application (PROT_READ). 
expect_fail_if '1' check_mmap "MMAP_CHECK_REQPROT" "" expect_pass_if '1' check_mmap "MMAP_CHECK_REQPROT" "exec" expect_fail_if '1' check_mmap "MMAP_CHECK_REQPROT" "read_implies_exec" # Ensure that IMA refuses an mprotect() with PROT_EXEC on a memory area # obtained with an mmap() with PROT_READ. This is due to the inability of IMA # to measure/appraise the file for which mmap() was called (locking issue). expect_pass check_deny "MMAP_CHECK" "mprotect" # Ensure that MMAP_CHECK_REQPROT has the same behavior of MMAP_CHECK for the # previous test. expect_pass_if '1' check_deny "MMAP_CHECK_REQPROT" "mprotect" # Ensure that there cannot be an mmap() with PROT_EXEC on a file with writable # mappings, due to the inability of IMA to make a reliable measurement of that # file. expect_pass check_deny "MMAP_CHECK" "exec_on_writable" # Ensure that MMAP_CHECK_REQPROT has the same behavior of MMAP_CHECK for the # previous test. expect_pass_if '1' check_deny "MMAP_CHECK_REQPROT" "exec_on_writable" ima-evm-utils-1.5/tests/portable_signatures.test000077500000000000000000001024251440135744700222070ustar00rootroot00000000000000#!/bin/bash # SPDX-License-Identifier: GPL-2.0 # # Copyright (C) 2022-2023 Roberto Sassu # # Check if operations on files with EVM portable signatures succeed. trap '_report_exit_and_cleanup _cleanup_env cleanup' SIGINT SIGTERM SIGSEGV EXIT # Base VERBOSE on the environment variable, if set. VERBOSE="${VERBOSE:-0}" TST_EVM_CHANGE_MODE="${TST_EVM_CHANGE_MODE:-0}" # From security/integrity/evm/evm.h in kernel source directory. (( EVM_INIT_HMAC=0x0001 )) (( EVM_INIT_X509=0x0002 )) (( EVM_ALLOW_METADATA_WRITES=0x0004 )) (( EVM_SETUP_COMPLETE=0x80000000 )) cd "$(dirname "$0")" || exit "$FAIL" export PATH=$PWD/../src:$PWD/../mount-idmapped:$PATH export LD_LIBRARY_PATH=$LD_LIBRARY_PATH . 
./functions.sh

_require evmctl

# Tear down whatever the main flow managed to set up: leave and unmount the
# loop-backed filesystem (idmapped view first), detach the loop device and
# remove the image, the DER copy of the key and the mount directories. Every
# step is guarded so the trap handler is safe to run at any stage of setup.
cleanup() {
	if [ "$g_loop_mounted" = "1" ]; then
		popd > /dev/null || exit "$FAIL"
		# The idmapped view sits on top of the plain mount: unmount it first.
		if [ -n "$g_mountpoint_idmapped" ]; then umount "$g_mountpoint_idmapped"; fi
		umount "$g_mountpoint"
	fi
	if [ -n "$g_dev" ]; then losetup -d "$g_dev"; fi
	if [ -n "$key_path_der" ]; then rm -f "$key_path_der"; fi
	if [ -n "$g_image" ]; then rm -f "$g_image"; fi
	if [ -n "$g_mountpoint" ]; then rm -Rf "$g_mountpoint"; fi
	if [ -n "$g_mountpoint_idmapped" ]; then rm -Rf "$g_mountpoint_idmapped"; fi
}

# get_xattr NAME FILE
#
# Print the value of xattr NAME on FILE: hex without the leading "0x" for
# every xattr except security.selinux, which is read as text and printed
# without the surrounding quotes. Prints nothing if the xattr is absent or
# getfattr fails (its stderr is discarded).
get_xattr() {
	local encoding

	case "$1" in
	security.selinux) encoding="text" ;;
	*) encoding="hex" ;;
	esac

	getfattr -n "$1" -e "$encoding" -d "$2" 2> /dev/null | awk -F "=" '$1 == "'"$1"'" {if ("'$encoding'" == "hex") v=substr($2, 3); else { split($2, temp, "\""); v=temp[2] }; print v}'
}

# Use the fsuuid= IMA policy keyword to select only files created/used by the
# tests below. Also use fowner= to differentiate between files created/used by
# individual tests.
IMA_UUID="28b23254-9467-44c0-b6ba-34b12e85a26d"
APPRAISE_DIGSIG_FOWNER=2000
APPRAISE_DIGSIG_RULE="appraise fsuuid=$IMA_UUID fowner=$APPRAISE_DIGSIG_FOWNER appraise_type=imasig"
MEASURE_FOWNER=2001
MEASURE_RULE="measure fsuuid=$IMA_UUID fowner=$MEASURE_FOWNER template=ima-sig"
APPRAISE_FOWNER=2002
APPRAISE_RULE="appraise fsuuid=$IMA_UUID fowner=$APPRAISE_FOWNER"
METADATA_CHANGE_FOWNER=3001
METADATA_CHANGE_FOWNER_2=3002

# check_load_ima_rule RULE
#
# Append RULE to the running IMA policy unless it is already there. The rule
# is written to a temporary file on the test filesystem, IMA-signed with the
# kernel signing key (the policy itself may have to be appraised) and its path
# is handed to securityfs. Returns $OK when the rule is present afterwards,
# $FAIL if the kernel rejected the policy file.
check_load_ima_rule() {
	local policy_file
	local rc

	# Nothing to do if the rule is already loaded.
	if grep -q "$1" /sys/kernel/security/ima/policy; then
		return "$OK"
	fi

	policy_file=$(mktemp -p "$g_mountpoint")
	echo "$1" > "$policy_file"
	evmctl sign -o -a sha256 --imasig --key "$key_path" "$policy_file" &> /dev/null
	echo "$policy_file" > /sys/kernel/security/ima/policy
	rc=$?
	rm -f "$policy_file"

	[ "$rc" -eq 0 ] && return "$OK"

	echo "${RED}Failed to set IMA policy${NORM}"
	return "$FAIL"
}

# The purpose of this test is to verify that the patch 'ima: Allow imasig
# requirement to be satisfied by EVM portable signatures' didn't break the
# current behavior (IMA signatures still satisfy the imasig requirement).
#
# Runs only with EVM mode 0 (neither HMAC nor X509 verification enabled) and
# skips otherwise. Fails if a signed file cannot be read under the
# appraise_type=imasig rule, or if it can still be written to.
check_ima_sig_appraisal() {
	local rc

	echo "Test: ${FUNCNAME[0]} (evm_value: $evm_value)"

	if [ $((evm_value & (EVM_INIT_X509 | EVM_INIT_HMAC))) -ne 0 ]; then
		echo "${CYAN}EVM mode 0 required${NORM}"
		return "$SKIP"
	fi

	echo "test" > test-file || {
		echo "${RED}Cannot write test-file${NORM}"
		return "$FAIL"
	}

	evmctl ima_sign -a sha256 --key "$key_path" test-file &> /dev/null || {
		echo "${RED}Cannot sign test-file${NORM}"
		return "$FAIL"
	}

	chown "$APPRAISE_DIGSIG_FOWNER" test-file || {
		echo "${RED}Cannot change owner of test-file${NORM}"
		return "$FAIL"
	}

	check_load_ima_rule "$APPRAISE_DIGSIG_RULE"
	rc=$?
	[ "$rc" -eq "$OK" ] || return "$rc"

	# Check if appraisal works.
	cat test-file > /dev/null || {
		echo "${RED}Cannot read test-file${NORM}"
		return "$FAIL"
	}

	# Ensure that files with IMA signature cannot be updated (immutable).
	! echo "test" 2> /dev/null >> test-file || {
		echo "${RED}Write to test-file should not succeed (immutable file)${NORM}"
		return "$FAIL"
	}

	return "$OK"
}

cleanup_ima_sig_appraisal() {
	rm -f test-file
}

# Requires:
# - ima: Don't remove security.ima if file must not be appraised
#
# The purpose of this test is to verify that the patch 'ima: Introduce template
# field evmsig and write to field sig as fallback' still allows IMA signatures
# to be displayed in the measurement list.
#
# The file is signed, measured with the ima-sig template, and the security.ima
# value on disk is looked up in the sig column of ascii_runtime_measurements.
check_ima_sig_ima_measurement_list() {
	local rc
	local sig_on_disk
	local sig_in_list

	echo "Test: ${FUNCNAME[0]} (evm_value: $evm_value)"

	echo "test" > test-file || {
		echo "${RED}Cannot write test-file${NORM}"
		return "$FAIL"
	}

	evmctl ima_sign -a sha256 --imasig --key "$key_path" test-file &> /dev/null || {
		echo "${RED}Cannot sign test-file${NORM}"
		return "$FAIL"
	}

	chown "$MEASURE_FOWNER" test-file || {
		echo "${RED}Cannot change owner of test-file${NORM}"
		return "$FAIL"
	}

	check_load_ima_rule "$MEASURE_RULE"
	rc=$?
	[ "$rc" -eq "$OK" ] || return "$rc"

	# Read the file to add it to the measurement list.
	cat test-file > /dev/null || {
		echo "${RED}Cannot read test-file${NORM}"
		return "$FAIL"
	}

	sig_on_disk=$(get_xattr security.ima test-file)
	[ -n "$sig_on_disk" ] || {
		echo "${RED}security.ima not found${NORM}"
		return "$FAIL"
	}

	# Search security.ima in the measurement list.
	sig_in_list=$(awk '$6 == "'"$sig_on_disk"'"' < /sys/kernel/security/ima/ascii_runtime_measurements)
	[ -n "$sig_in_list" ] || {
		echo "${RED}security.ima mismatch (xattr != measurement list)${NORM}"
		return "$FAIL"
	}

	return "$OK"
}

cleanup_ima_sig_ima_measurement_list() {
	rm -f test-file
}

# Requires:
# - evm: Execute evm_inode_init_security() only when an HMAC key is loaded
#
# The purpose of this test is to verify that new files can be created when EVM
# is initialized only with a public key.
check_create_file() {
	echo "Test: ${FUNCNAME[0]} (evm_value: $evm_value)"

	# To trigger the bug we need to enable public key verification without HMAC key loaded.
	if [ $((evm_value & EVM_INIT_X509)) -ne "$EVM_INIT_X509" ]; then
		echo "${CYAN}EVM mode $EVM_INIT_X509 required${NORM}"
		return "$SKIP"
	fi

	if [ $((evm_value & EVM_INIT_HMAC)) -eq "$EVM_INIT_HMAC" ]; then
		echo "${CYAN}EVM mode $EVM_INIT_HMAC must be disabled${NORM}"
		return "$SKIP"
	fi

	echo "test" > test-file || {
		echo "${RED}Cannot write test-file${NORM}"
		return "$FAIL"
	}

	return "$OK"
}

cleanup_create_file() {
	rm -f test-file
}

# Requires:
# - evm: Introduce evm_hmac_disabled() to safely ignore verification errors
# - evm: Allow xattr/attr operations for portable signatures
# - evm: Execute evm_inode_init_security() only when an HMAC key is loaded
#
# The purpose of this test is to verify that EVM with the patches above allows
# metadata to be copied one by one, even if the portable signature verification
# temporarily fails until the copy is completed.
check_cp_preserve_xattrs() {
	echo "Test: ${FUNCNAME[0]} (evm_value: $evm_value)"

	if [ "$evm_value" -ne "$EVM_INIT_X509" ]; then
		echo "${CYAN}EVM mode $EVM_INIT_X509 required${NORM}"
		return "$SKIP"
	fi

	echo "test" > test-file || {
		echo "${RED}Cannot write test-file${NORM}"
		return "$FAIL"
	}

	evmctl sign -o -a sha256 --imahash --key "$key_path" test-file &> /dev/null || {
		echo "${RED}Cannot sign test-file${NORM}"
		return "$FAIL"
	}

	# Check if cp is allowed to set metadata for the new file.
	cp -a test-file test-file.copy || {
		echo "${RED}Cannot copy test-file with attrs/xattrs preserved${NORM}"
		return "$FAIL"
	}

	return "$OK"
}

cleanup_cp_preserve_xattrs() {
	rm -f test-file test-file.copy
}

# Requires:
# - evm: Introduce evm_hmac_disabled() to safely ignore verification errors
# - evm: Allow xattr/attr operations for portable signatures
# - evm: Execute evm_inode_init_security() only when an HMAC key is loaded
# - ima: Don't remove security.ima if file must not be appraised
#
# The purpose of this test is similar to that of the previous test, with the
# difference that tar is used instead of cp. One remark is that the owner is
# intentionally different (or it should be) from the current owner, to
# incrementally test the patches without 'evm: Allow setxattr() and setattr()
# for unmodified metadata'.
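check_tar_extract_xattrs_different_owner() {
	echo "Test: ${FUNCNAME[0]} (evm_value: $evm_value)"

	if [ "$evm_value" -ne "$EVM_INIT_X509" ]; then
		echo "${CYAN}EVM mode $EVM_INIT_X509 required${NORM}"
		return "$SKIP"
	fi

	if ! mkdir in out; then
		echo "${RED}Cannot create directories${NORM}"
		return "$FAIL"
	fi

	if ! echo "test" > in/test-file; then
		echo "${RED}Cannot write test-file${NORM}"
		return "$FAIL"
	fi

	# Owner 3000 is deliberately not root, so that the extracted copy (owned
	# by the extracting user) does not verify until tar restores it.
	if ! chown 3000 in/test-file; then
		echo "${RED}Cannot change owner of test-file${NORM}"
		return "$FAIL"
	fi

	if ! chmod 600 in/test-file; then
		echo "${RED}Cannot change mode of test-file${NORM}"
		return "$FAIL"
	fi

	if ! evmctl sign -o -a sha256 --imahash --key "$key_path" in/test-file &> /dev/null; then
		echo "${RED}Cannot sign test-file${NORM}"
		return "$FAIL"
	fi

	# The pattern is quoted so the shell never expands it as a glob.
	if ! tar --xattrs-include='*' -cf test-archive.tar in/test-file; then
		echo "${RED}Cannot create archive with xattrs${NORM}"
		return "$FAIL"
	fi

	# Check if tar is allowed to set metadata for the extracted file.
	# Ensure that the owner from the archive is different from the
	# owner of the extracted file to avoid that portable signature
	# verification succeeds before restoring original metadata
	# (a patch allows modification of immutable metadata if portable
	# signature verification fails).
	if ! tar --xattrs-include='*' -xf test-archive.tar -C out; then
		echo "${RED}Cannot extract archive with xattrs${NORM}"
		return "$FAIL"
	fi

	return "$OK"
}

cleanup_tar_extract_xattrs_different_owner() {
	rm -Rf in out test-archive.tar
}

# Requires:
# - evm: Introduce evm_hmac_disabled() to safely ignore verification errors
# - evm: Allow xattr/attr operations for portable signatures
# - evm: Pass user namespace to set/remove xattr hooks
# - evm: Allow setxattr() and setattr() for unmodified metadata
# - evm: Execute evm_inode_init_security() only when an HMAC key is loaded
# - ima: Don't remove security.ima if file must not be appraised
#
# The purpose of this test is similar to that of the previous two tests. The
# difference is that tar is used instead of cp, and the extracted files have
# the same owner as the current one. Thus, this test requires 'evm: Allow
# setxattr() and setattr() for unmodified metadata'.
check_tar_extract_xattrs_same_owner() {
	echo "Test: ${FUNCNAME[0]} (evm_value: $evm_value)"

	if [ "$evm_value" -ne "$EVM_INIT_X509" ]; then
		echo "${CYAN}EVM mode $EVM_INIT_X509 required${NORM}"
		return "$SKIP"
	fi

	if ! mkdir in out; then
		echo "${RED}Cannot create directories${NORM}"
		return "$FAIL"
	fi

	if ! echo "test" > in/test-file; then
		echo "${RED}Cannot write test-file${NORM}"
		return "$FAIL"
	fi

	if ! evmctl sign -o -a sha256 --imahash --key "$key_path" in/test-file &> /dev/null; then
		echo "${RED}Cannot sign test-file${NORM}"
		return "$FAIL"
	fi

	if ! tar --xattrs-include='*' -cf test-archive.tar in/test-file; then
		echo "${RED}Cannot create archive with xattrs${NORM}"
		return "$FAIL"
	fi

	# Check if tar is allowed to set metadata for the extracted file.
	# This test is different from the previous one, as the owner
	# from the archive is the same as the owner of the extracted
	# file. tar will attempt anyway to restore the original owner but
	# unlike the previous test, portable signature verification already
	# succeeds at the time the owner is set (another patch allows
	# metadata operations if those operations don't modify current
	# values).
	if ! tar --xattrs-include='*' -xf test-archive.tar -C out; then
		echo "${RED}Cannot extract archive with xattrs${NORM}"
		return "$FAIL"
	fi

	return "$OK"
}

cleanup_tar_extract_xattrs_same_owner() {
	rm -Rf in out test-archive.tar
}

# Requires:
# - evm: Introduce evm_hmac_disabled() to safely ignore verification errors
# - evm: Allow xattr/attr operations for portable signatures
# - evm: Pass user namespace to set/remove xattr hooks
# - evm: Allow setxattr() and setattr() for unmodified metadata
# - ima: Don't remove security.ima if file must not be appraised
# - evm: Execute evm_inode_init_security() only when an HMAC key is loaded
#
# The purpose of this test is to further verify the patches above, by executing
# commands to set the same or different metadata. Setting the same metadata
# should be allowed, setting different metadata should be denied.
#
# Covered metadata: owner, mode, SELinux label (only if SELinux is enabled),
# security.ima, POSIX ACLs, and ACLs through an idmapped mount when
# mount-idmapped is available. Returns $OK early if the filesystem reports
# that ACLs are not supported.
check_metadata_change() {
	local ima_xattr
	local label
	local last_char
	local msg

	echo "Test: ${FUNCNAME[0]} (evm_value: $evm_value)"

	if [ "$evm_value" -ne "$EVM_INIT_X509" ]; then
		echo "${CYAN}EVM mode $EVM_INIT_X509 required${NORM}"
		return "$SKIP"
	fi

	if ! echo "test" > test-file; then
		echo "${RED}Cannot write test-file${NORM}"
		return "$FAIL"
	fi

	if ! chown "$METADATA_CHANGE_FOWNER" test-file; then
		echo "${RED}Cannot change owner of test-file${NORM}"
		return "$FAIL"
	fi

	if ! chgrp "$METADATA_CHANGE_FOWNER" test-file; then
		echo "${RED}Cannot change group of test-file${NORM}"
		return "$FAIL"
	fi

	# S_ISGID is set on purpose: the idmapped-mount ACL check below depends
	# on it staying set.
	if ! chmod 2644 test-file; then
		echo "${RED}Cannot change mode of test-file${NORM}"
		return "$FAIL"
	fi

	if ! evmctl sign -o -a sha256 --imahash --key "$key_path" test-file &> /dev/null; then
		echo "${RED}Cannot sign test-file${NORM}"
		return "$FAIL"
	fi

	# If metadata modification is not allowed, EVM should deny any
	# operation that modifies metadata. Check if setting the same
	# value is allowed.
	if ! chown "$METADATA_CHANGE_FOWNER" test-file; then
		echo "${RED}Cannot set same owner for test-file${NORM}"
		return "$FAIL"
	fi

	# Setting a different value should not be allowed.
	if chown "$METADATA_CHANGE_FOWNER_2" test-file 2> /dev/null; then
		echo "${RED}Owner change for test-file should not be allowed (immutable metadata)${NORM}"
		return "$FAIL"
	fi

	# Repeat the test for the file mode.
	if ! chmod 2644 test-file; then
		echo "${RED}Cannot set same mode for test-file${NORM}"
		return "$FAIL"
	fi

	if chmod 2666 test-file 2> /dev/null; then
		echo "${RED}Mode change for test-file should not be allowed (immutable metadata)${NORM}"
		return "$FAIL"
	fi

	if [ -n "$(command -v chcon 2> /dev/null)" ] && [ -n "$(command -v getenforce 2> /dev/null)" ] && [ "$(getenforce 2> /dev/null)" != "Disabled" ]; then
		# Repeat the test for the SELinux label.
		label=$(get_xattr security.selinux test-file)
		if [ -n "$label" ]; then
			if ! chcon "$label" test-file; then
				echo "${RED}Cannot set same security.selinux for test-file${NORM}"
				return "$FAIL"
			fi
		fi

		if chcon unconfined_u:object_r:null_device_t:s0 test-file 2> /dev/null; then
			echo "${RED}security.selinux change for test file should not be allowed (immutable metadata)${NORM}"
			return "$FAIL"
		fi
	fi

	# Repeat the test for the IMA signature.
	ima_xattr=$(get_xattr security.ima test-file)
	if [ -z "$ima_xattr" ]; then
		echo "${RED}security.ima not found${NORM}"
		return "$FAIL"
	fi

	if ! setfattr -n security.ima -v 0x"$ima_xattr" test-file; then
		echo "${RED}Cannot set same security.ima for test-file${NORM}"
		return "$FAIL"
	fi

	# Corrupt the last hex digit so the value differs from the stored one.
	# A trailing hex letter is evaluated as a (normally unset) shell
	# variable by the arithmetic below and still ends up as a different
	# decimal digit, which is all that is needed here.
	last_char=${ima_xattr: -1}
	((last_char += 1))
	((last_char %= 10))
	ima_xattr=${ima_xattr:0:-1}$last_char

	if setfattr -n security.ima -v 0x"$ima_xattr" test-file 2> /dev/null; then
		echo "${RED}Change of security.ima for test-file should not be allowed (immutable metadata)${NORM}"
		return "$FAIL"
	fi

	# Repeat the test for ACLs. This ACL encodes the mode already on the
	# file, so it must be accepted; a filesystem without ACL support ends
	# the test here with $OK.
	if ! msg=$(exec 2>&1 && setfacl --set u::rw,g::r,o::r,m:r test-file); then
		if [ "${msg%not supported}" != "$msg" ]; then
			return "$OK"
		fi
		echo "${RED}Cannot preserve system.posix_acl_access for test-file${NORM}"
		return "$FAIL"
	fi

	if setfacl --set u::rw,g::r,o::r,m:rw test-file 2> /dev/null; then
		echo "${RED}Change of system.posix_acl_access for test-file should not be allowed (immutable metadata)${NORM}"
		return "$FAIL"
	fi

	if [ -n "$g_mountpoint_idmapped" ]; then
		pushd "$g_mountpoint_idmapped" > /dev/null || exit "$FAIL"
		# Repeat the test for ACLs on an idmapped mount.
		#
		# This test relies on the fact that the caller of this script (root) is in
		# the same owning group of test-file (in the idmapped mount the group is
		# root, not $METADATA_CHANGE_FOWNER) and, for this reason, the S_ISGID bit
		# is not cleared. If EVM was not aware of the mapping, it would have
		# determined that root is not in the owning group of test-file and given
		# that also CAP_FSETID is cleared, the S_ISGID bit would have been cleared
		# and thus the operation would fail (file metadata changed).
		if ! capsh --drop='cap_fsetid' -- -c 'setfacl --set u::rw,g::r,o::r test-file'; then
			echo "${RED}Cannot preserve system.posix_acl_access for test-file${NORM}"
			popd > /dev/null || exit "$FAIL"
			return "$FAIL"
		fi
		popd > /dev/null || exit "$FAIL"
	fi

	return "$OK"
}

cleanup_metadata_change() {
	rm -f test-file
}

# Requires:
# - evm: Introduce evm_revalidate_status()
# - evm: Execute evm_inode_init_security() only when an HMAC key is loaded
#
# Note:
# This test can be run if EVM_ALLOW_METADATA_WRITES is set in advance
# before running this script. If it is not set before, this script sets
# EVM_SETUP_COMPLETE, disabling further EVM mode modifications until reboot.
#
# Without EVM_ALLOW_METADATA_WRITES, EVM_SETUP_COMPLETE is necessary to ignore
# the INTEGRITY_NOLABEL and INTEGRITY_NOXATTRS errors.
#
# The purpose of this test is to verify that IMA detects a metadata change
# when EVM_ALLOW_METADATA_WRITES is set (metadata operations are always
# allowed). After the first successful appraisal, the test intentionally changes
# metadata and verifies that IMA revoked access to the file. The test also
# verifies that IMA grants access again to the file after restoring the correct
# metadata.
#
# The change/revoke/restore cycle is run for the mode, the SELinux label (if
# SELinux is enabled), security.ima, security.evm and the POSIX ACL.
check_evm_revalidate() {
	local result
	local ima_xattr
	local ima_xattr_new
	local evm_xattr
	local evm_xattr_new
	local label
	local last_char
	local msg

	echo "Test: ${FUNCNAME[0]} (evm_value: $evm_value)"

	if [ "$evm_value" -ne $((EVM_INIT_X509 | EVM_ALLOW_METADATA_WRITES)) ]; then
		echo "${CYAN}EVM mode $((EVM_INIT_X509 | EVM_ALLOW_METADATA_WRITES)) required, execute echo 4 > /sys/kernel/security/evm before running this test${NORM}"
		return "$SKIP"
	fi

	if ! echo "test" > test-file; then
		echo "${RED}Cannot write test-file${NORM}"
		return "$FAIL"
	fi

	if ! chmod 600 test-file; then
		echo "${RED}Cannot change mode of test-file${NORM}"
		return "$FAIL"
	fi

	# We need to defer setting the correct owner, as there could be
	# already an IMA policy rule preventing evmctl from reading the
	# file to calculate the digest.
	if ! evmctl sign -o -a sha256 --imahash --uid "$APPRAISE_FOWNER" --key "$key_path" test-file &> /dev/null; then
		echo "${RED}Cannot sign test-file${NORM}"
		return "$FAIL"
	fi

	if ! chown "$APPRAISE_FOWNER" test-file; then
		echo "${RED}Cannot change owner of test-file${NORM}"
		return "$FAIL"
	fi

	check_load_ima_rule "$APPRAISE_RULE"
	result=$?
	if [ $result -ne "$OK" ]; then
		return $result
	fi

	# Read the file so that IMA would not re-appraise it next time.
	if ! cat test-file &> /dev/null; then
		echo "${RED}Cannot read test-file${NORM}"
		return "$FAIL"
	fi

	# After enabling metadata modification, operations should succeed even
	# if the file has a portable signature. However, the previously cached
	# appraisal status should be invalidated.
	if ! chmod 644 test-file; then
		echo "${RED}Cannot change mode of test-file${NORM}"
		return "$FAIL"
	fi

	# Here check if IMA re-appraised the file. The read should fail
	# since now file metadata is invalid.
	if cat test-file &> /dev/null; then
		echo "${RED}Read of test-file should not succeed (invalid mode)${NORM}"
		return "$FAIL"
	fi

	# Restore metadata back to the original value.
	if ! chmod 600 test-file; then
		echo "${RED}Cannot restore original mode of test-file${NORM}"
		return "$FAIL"
	fi

	# Ensure that now IMA appraisal succeeds.
	if ! cat test-file > /dev/null; then
		echo "${RED}Cannot read test-file after restoring correct mode${NORM}"
		return "$FAIL"
	fi

	if [ -n "$(command -v chcon 2> /dev/null)" ] && [ -n "$(command -v getenforce 2> /dev/null)" ] && [ "$(getenforce 2> /dev/null)" != "Disabled" ]; then
		# Repeat the test for the SELinux label.
		label=$(get_xattr security.selinux test-file)

		if ! chcon unconfined_u:object_r:null_device_t:s0 test-file; then
			echo "${RED}Cannot change security.selinux of test-file${NORM}"
			return "$FAIL"
		fi

		if cat test-file &> /dev/null; then
			echo "${RED}Read of test-file should not succeed (invalid security.selinux)${NORM}"
			return "$FAIL"
		fi

		# A file that had no label gets the xattr removed instead of restored.
		if [ -n "$label" ]; then
			if ! chcon "$label" test-file; then
				echo "${RED}Cannot restore original security.selinux of test-file${NORM}"
				return "$FAIL"
			fi
		else
			attr -S -r selinux test-file
		fi

		if ! cat test-file > /dev/null; then
			echo "${RED}Cannot read test-file after restoring correct security.selinux${NORM}"
			return "$FAIL"
		fi
	fi

	# Repeat the test for the IMA signature.
	ima_xattr=$(get_xattr security.ima test-file)
	if [ -z "$ima_xattr" ]; then
		echo "${RED}security.ima not found${NORM}"
		return "$FAIL"
	fi

	# Corrupt the last hex digit (see check_metadata_change for the
	# treatment of a trailing hex letter).
	last_char=${ima_xattr: -1}
	((last_char += 1))
	((last_char %= 10))
	ima_xattr_new=${ima_xattr:0:-1}$last_char

	if ! setfattr -n security.ima -v 0x"$ima_xattr_new" test-file; then
		echo "${RED}Cannot set security.ima of test-file${NORM}"
		return "$FAIL"
	fi

	if cat test-file &> /dev/null; then
		echo "${RED}Read of test-file should not succeed (invalid security.ima)${NORM}"
		return "$FAIL"
	fi

	if ! setfattr -n security.ima -v 0x"$ima_xattr" test-file; then
		echo "${RED}Cannot restore original security.ima of test-file${NORM}"
		return "$FAIL"
	fi

	if ! cat test-file > /dev/null; then
		echo "${RED}Cannot read test-file after restoring correct security.ima${NORM}"
		return "$FAIL"
	fi

	# Repeat the test for the EVM signature.
	evm_xattr=$(get_xattr security.evm test-file)
	if [ -z "$evm_xattr" ]; then
		echo "${RED}security.evm not found${NORM}"
		return "$FAIL"
	fi

	last_char=${evm_xattr: -1}
	((last_char += 1))
	((last_char %= 10))
	evm_xattr_new=${evm_xattr:0:-1}$last_char

	if ! setfattr -n security.evm -v 0x"$evm_xattr_new" test-file; then
		echo "${RED}Cannot set security.evm of test-file${NORM}"
		return "$FAIL"
	fi

	if cat test-file &> /dev/null; then
		echo "${RED}Read of test-file should not succeed (invalid security.evm)${NORM}"
		return "$FAIL"
	fi

	if ! setfattr -n security.evm -v 0x"$evm_xattr" test-file; then
		echo "${RED}Cannot restore original security.evm of test-file${NORM}"
		return "$FAIL"
	fi

	if ! cat test-file > /dev/null; then
		echo "${RED}Cannot read test-file after restoring correct security.evm${NORM}"
		return "$FAIL"
	fi

	# Repeat the test for ACLs. Unlike check_metadata_change, a filesystem
	# without ACL support fails here rather than returning $OK.
	if ! setfacl -m u::rwx test-file 2> /dev/null; then
		echo "${RED}Cannot change system.posix_acl_access${NORM}"
		return "$FAIL"
	fi

	if cat test-file &> /dev/null; then
		echo "${RED}Read of test-file should not succeed (invalid system.posix_acl_access)${NORM}"
		return "$FAIL"
	fi

	if ! setfacl -m u::rw test-file; then
		echo "${RED}Cannot restore original system.posix_acl_access for test-file${NORM}"
		return "$FAIL"
	fi

	if ! cat test-file > /dev/null; then
		echo "${RED}Cannot read test-file after restoring correct system.posix_acl_access${NORM}"
		return "$FAIL"
	fi

	return "$OK"
}

cleanup_evm_revalidate() {
	rm -f test-file
}

# Requires:
# - evm: Introduce evm_hmac_disabled() to safely ignore verification errors
# - evm: Introduce evm_revalidate_status()
# - ima: Allow imasig requirement to be satisfied by EVM portable signatures
# - evm: Execute evm_inode_init_security() only when an HMAC key is loaded
#
# The purpose of this test is to verify that IMA manages files with an EVM
# portable signature similarly to those with an IMA signature: content can be
# written to new files after adding the signature and files can be accessed
# when the imasig requirement is specified in the IMA policy.
#
# The second half archives the signed file with tar, extracts it and checks
# that security.selinux, security.ima, security.evm, owner and mode of the
# extracted copy match the original.
check_evm_portable_sig_ima_appraisal() {
	local result
	local xattr_orig
	local xattr
	local mode
	local owner

	echo "Test: ${FUNCNAME[0]} (evm_value: $evm_value)"

	if [ $((evm_value & EVM_INIT_X509)) -ne "$EVM_INIT_X509" ]; then
		echo "${CYAN}EVM flag $EVM_INIT_X509 required${NORM}"
		return "$SKIP"
	fi

	if ! echo "test" > test-file; then
		echo "${RED}Cannot write test-file${NORM}"
		return "$FAIL"
	fi

	if ! chmod 600 test-file; then
		echo "${RED}Cannot change mode of test-file${NORM}"
		return "$FAIL"
	fi

	# We need to defer setting the correct owner, as there could be
	# already an IMA policy rule preventing evmctl from reading the
	# file to calculate the digest.
	if ! evmctl sign -o -a sha256 --imahash --uid "$APPRAISE_DIGSIG_FOWNER" --key "$key_path" test-file &> /dev/null; then
		echo "${RED}Cannot sign test-file${NORM}"
		return "$FAIL"
	fi

	if ! chown "$APPRAISE_DIGSIG_FOWNER" test-file; then
		echo "${RED}Cannot change owner of test-file${NORM}"
		return "$FAIL"
	fi

	check_load_ima_rule "$APPRAISE_DIGSIG_RULE"
	result=$?
	if [ "$result" -ne "$OK" ]; then
		return "$result"
	fi

	# Ensure that a file with a portable signature satisfies the
	# appraise_type=imasig requirement specified in the IMA policy.
	if ! cat test-file > /dev/null; then
		echo "${RED}Cannot read test-file${NORM}"
		return "$FAIL"
	fi

	# Even files with a portable signature should be considered as
	# immutable by IMA. Write should fail.
	if echo "test" 2> /dev/null >> test-file; then
		echo "${RED}Write to test-file should not succeed (immutable metadata)${NORM}"
		return "$FAIL"
	fi

	if ! tar --xattrs-include='*' -cf test-archive.tar test-file; then
		echo "${RED}Cannot create archive with xattrs${NORM}"
		return "$FAIL"
	fi

	# Checked like the other tests do, so a failure here is reported as
	# such instead of as a failed extraction.
	if ! mkdir out; then
		echo "${RED}Cannot create directory${NORM}"
		return "$FAIL"
	fi

	# Appraisal of the new file, extracted by tar, should succeed
	# not only if the new file has an IMA signature but also if
	# it has a portable signature.
	if ! tar --xattrs-include='*' -xf test-archive.tar -C out; then
		echo "${RED}Cannot extract archive with xattrs${NORM}"
		return "$FAIL"
	fi

	# Check if xattrs have been correctly set.
	xattr_orig=$(get_xattr security.selinux test-file)
	xattr=$(get_xattr security.selinux out/test-file)

	if [ "$xattr" != "$xattr_orig" ]; then
		echo "${RED}security.selinux mismatch between original and extracted file${NORM}"
		return "$FAIL"
	fi

	xattr_orig=$(get_xattr security.ima test-file)
	xattr=$(get_xattr security.ima out/test-file)

	if [ "$xattr" != "$xattr_orig" ]; then
		echo "${RED}security.ima mismatch between original and extracted file${NORM}"
		return "$FAIL"
	fi

	xattr_orig=$(get_xattr security.evm test-file)
	xattr=$(get_xattr security.evm out/test-file)

	if [ "$xattr" != "$xattr_orig" ]; then
		echo "${RED}security.evm mismatch between original and extracted file${NORM}"
		return "$FAIL"
	fi

	# Check if attrs have been correctly set.
	owner=$(stat -c "%u" out/test-file)
	if [ "$owner" != "$APPRAISE_DIGSIG_FOWNER" ]; then
		echo "${RED}owner mismatch between original and extracted file${NORM}"
		return "$FAIL"
	fi

	mode=$(stat -c "%a" out/test-file)
	if [ "$mode" != "600" ]; then
		echo "${RED}mode mismatch between original and extracted file${NORM}"
		return "$FAIL"
	fi

	return "$OK"
}

cleanup_evm_portable_sig_ima_appraisal() {
	rm -f test-file test-archive.tar
	rm -Rf out
}

# Requires:
# - ima: Introduce template field evmsig and write to field sig as fallback
# - evm: Execute evm_inode_init_security() only when an HMAC key is loaded
# - ima: Don't remove security.ima if file must not be appraised
#
# The purpose of this test is to verify that the EVM portable signature is
# displayed in the measurement list.
#
# The security.evm value on disk is looked up in the sig column of
# ascii_runtime_measurements after the file has been measured.
check_evm_portable_sig_ima_measurement_list() {
	local result
	local evm_sig_fs
	local evm_sig_list

	echo "Test: ${FUNCNAME[0]} (evm_value: $evm_value)"

	if ! echo "test" > test-file; then
		echo "${RED}Cannot write test-file${NORM}"
		return "$FAIL"
	fi

	if ! chown "$MEASURE_FOWNER" test-file; then
		echo "${RED}Cannot change owner of test-file${NORM}"
		return "$FAIL"
	fi

	if ! evmctl sign -o -a sha256 --imahash --key "$key_path" test-file &> /dev/null; then
		echo "${RED}Cannot sign test-file${NORM}"
		return "$FAIL"
	fi

	check_load_ima_rule "$MEASURE_RULE"
	result=$?
	if [ "$result" -ne "$OK" ]; then
		return "$result"
	fi

	# Invalidate previous measurement to add new entry
	touch test-file

	# Read the file to add it to the measurement list.
	if ! cat test-file > /dev/null; then
		echo "${RED}Cannot read test-file${NORM}"
		return "$FAIL"
	fi

	evm_sig_fs=$(get_xattr security.evm test-file)
	if [ -z "$evm_sig_fs" ]; then
		echo "${RED}security.evm not found${NORM}"
		return "$FAIL"
	fi

	# Search security.evm in the measurement list.
	evm_sig_list=$(awk '$6 == "'"$evm_sig_fs"'"' < /sys/kernel/security/ima/ascii_runtime_measurements)
	if [ -z "$evm_sig_list" ]; then
		echo "${RED}security.evm mismatch (xattr != measurement list)${NORM}"
		return "$FAIL"
	fi

	return "$OK"
}

cleanup_evm_portable_sig_ima_measurement_list() {
	rm -f test-file
}

# Run in the new environment if TST_ENV is set. The third argument is the
# environment the re-executed script receives.
_run_env "$TST_KERNEL" "$PWD/$(basename "$0")" "TST_ENV=$TST_ENV TST_KERNEL=$TST_KERNEL PATH=$PATH LD_LIBRARY_PATH=$LD_LIBRARY_PATH VERBOSE=$VERBOSE TST_EVM_CHANGE_MODE=$TST_EVM_CHANGE_MODE TST_KEY_PATH=$TST_KEY_PATH"

# Run in the new environment if TST_ENV is set (skipped test). This second
# run is restricted to check_evm_revalidate, which needs an EVM mode
# (EVM_ALLOW_METADATA_WRITES) that makes the other tests skip.
_run_env "$TST_KERNEL" "$PWD/$(basename "$0")" "TST_ENV=$TST_ENV TST_KERNEL=$TST_KERNEL PATH=$PATH LD_LIBRARY_PATH=$LD_LIBRARY_PATH VERBOSE=$VERBOSE TST_EVM_CHANGE_MODE=$TST_EVM_CHANGE_MODE TST_KEY_PATH=$TST_KEY_PATH TST_LIST=check_evm_revalidate"

# Exit from the creator of the new environment.
_exit_env "$TST_KERNEL"

# Mount filesystems in the new environment.
_init_env

g_mountpoint=$(mktemp -d)
g_image=$(mktemp)

if [ -z "$g_mountpoint" ]; then
	echo "${RED}Mountpoint directory not created${NORM}"
	exit "$FAIL"
fi

if [ -z "$g_image" ]; then
	echo "${RED}Test image file not created${NORM}"
	exit "$FAIL"
fi

if [ "$(whoami)" != "root" ]; then
	echo "${CYAN}This script must be executed as root${NORM}"
	exit "$SKIP"
fi

# Locate the kernel signing key: an explicit TST_KEY_PATH wins, then the
# key next to the source tree, then the running kernel's source/build dirs.
if [ -n "$TST_KEY_PATH" ]; then
	if [ "${TST_KEY_PATH:0:1}" != "/" ]; then
		echo "${RED}Absolute path required for the signing key${NORM}"
		exit "$FAIL"
	fi

	if [ ! -f "$TST_KEY_PATH" ]; then
		echo "${RED}Kernel signing key not found in $TST_KEY_PATH${NORM}"
		exit "$FAIL"
	fi

	key_path="$TST_KEY_PATH"
elif [ -f "$PWD/../signing_key.pem" ]; then
	key_path="$PWD/../signing_key.pem"
elif [ -f "/lib/modules/$(uname -r)/source/certs/signing_key.pem" ]; then
	key_path="/lib/modules/$(uname -r)/source/certs/signing_key.pem"
elif [ -f "/lib/modules/$(uname -r)/build/certs/signing_key.pem" ]; then
	key_path="/lib/modules/$(uname -r)/build/certs/signing_key.pem"
else
	echo "${CYAN}Kernel signing key not found${NORM}"
	exit "$SKIP"
fi

key_path_der=$(mktemp)

if [ ! -f "/sys/kernel/security/evm" ]; then
	echo "${CYAN}EVM support in the kernel disabled${NORM}"
	exit "$SKIP"
fi

# Assume that the EVM mode can be changed in a new environment.
if [ -n "$TST_ENV" ]; then
	TST_EVM_CHANGE_MODE=1
fi

evm_value=$(cat /sys/kernel/security/evm)

# The certificate is needed in DER form for keyctl; fail here rather than
# with a misleading keyring error below.
if ! openssl x509 -in "$key_path" -out "$key_path_der" -outform der; then
	echo "${RED}Cannot convert signing certificate to DER${NORM}"
	exit "$FAIL"
fi

if ! keyctl padd asymmetric pubkey %keyring:.ima < "$key_path_der" &> /dev/null; then
	echo "${RED}Public key cannot be added to the IMA keyring${NORM}"
	exit "$FAIL"
fi

if ! dd if=/dev/zero of="$g_image" bs=1M count=20 &> /dev/null; then
	echo "${RED}Cannot create test image${NORM}"
	exit "$FAIL"
fi

g_dev=$(losetup -f "$g_image" --show)

if [ -z "$g_dev" ]; then
	echo "${RED}Cannot create loop device${NORM}"
	exit "$FAIL"
fi

# The fixed UUID is what the fsuuid= policy rules above match on.
if ! mkfs.ext4 -U "$IMA_UUID" -b 4096 "$g_dev" &> /dev/null; then
	echo "${RED}Cannot format $g_dev${NORM}"
	exit "$FAIL"
fi

if ! mount -o i_version "$g_dev" "$g_mountpoint"; then
	echo "${RED}Cannot mount loop device${NORM}"
	exit "$FAIL"
fi

if [ -n "$(command -v mount-idmapped 2> /dev/null)" ]; then
	echo "Found mount-idmapped at $(command -v mount-idmapped), testing idmapped mounts"
	g_mountpoint_idmapped=$(mktemp -d)
	if ! mount-idmapped --map-mount b:"$METADATA_CHANGE_FOWNER":0:1 "$g_mountpoint" "$g_mountpoint_idmapped"; then
		echo "${RED}mount-idmapped failed${NORM}"
		exit "$FAIL"
	fi
fi

g_loop_mounted=1

pushd "$g_mountpoint" > /dev/null || exit "$FAIL"

expect_pass check_ima_sig_appraisal
cleanup_ima_sig_appraisal
expect_pass check_ima_sig_ima_measurement_list
cleanup_ima_sig_ima_measurement_list

# The remaining tests need the portable-signature support of 5.12 or later.
if [ "$(echo -e "$(uname -r)\n5.12" | sort -V | head -n 1)" != "5.12" ]; then
	exit "$OK"
fi

if [ $((evm_value & EVM_INIT_X509)) -ne "$EVM_INIT_X509" ] && [ "$TST_EVM_CHANGE_MODE" -eq 1 ]; then
	if ! keyctl padd asymmetric pubkey %keyring:.evm < "$key_path_der" &> /dev/null; then
		echo "${RED}Public key cannot be added to the EVM keyring${NORM}"
		exit "$FAIL"
	fi

	echo "$EVM_INIT_X509" > /sys/kernel/security/evm 2> /dev/null
fi

# Only the run dedicated to check_evm_revalidate may switch EVM to
# EVM_ALLOW_METADATA_WRITES: every other test skips in that mode. A substring
# match is required here; 'expr index' would instead report the position of
# the first character of the test name found in TST_LIST, i.e. it matches any
# non-empty TST_LIST.
if [[ "$TST_LIST" == *check_evm_revalidate* ]] && [ "$TST_EVM_CHANGE_MODE" -eq 1 ]; then
	echo "$EVM_ALLOW_METADATA_WRITES" > /sys/kernel/security/evm 2> /dev/null
fi

# We cannot determine from securityfs if EVM_SETUP_COMPLETE is set, so we set it unless EVM_ALLOW_METADATA_WRITES is set.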
if [ $((evm_value & EVM_ALLOW_METADATA_WRITES)) -ne "$EVM_ALLOW_METADATA_WRITES" ] && [ "$TST_EVM_CHANGE_MODE" -eq 1 ]; then echo "$EVM_SETUP_COMPLETE" > /sys/kernel/security/evm 2> /dev/null fi evm_value=$(cat /sys/kernel/security/evm) expect_pass check_create_file cleanup_create_file expect_pass check_cp_preserve_xattrs cleanup_cp_preserve_xattrs expect_pass check_tar_extract_xattrs_different_owner cleanup_tar_extract_xattrs_different_owner expect_pass check_tar_extract_xattrs_same_owner cleanup_tar_extract_xattrs_same_owner expect_pass check_metadata_change cleanup_metadata_change expect_pass check_evm_revalidate cleanup_evm_revalidate expect_pass check_evm_portable_sig_ima_appraisal cleanup_evm_portable_sig_ima_appraisal expect_pass check_evm_portable_sig_ima_measurement_list cleanup_evm_portable_sig_ima_measurement_list ima-evm-utils-1.5/tests/sample-ascii_runtime_measurements-pcrs-8-9000066400000000000000000000002121440135744700253230ustar00rootroot0000000000000010 2e03b3fdb0014fc8bae2a07ca33ae67125b290f3 ima-ng sha256:83d19723ef3b3c05bb8ae70d86b3886c158f2408f1b71ed265886a7b79eb700e boot_aggregate ima-evm-utils-1.5/tests/sample-binary_bios_measurements-pcrs-8-9000066400000000000000000001620161440135744700250030ustar00rootroot00000000000000%Spec ID Event03 HyimxYXQ<: R_jW- }$Z{M{ !N24ET56W =A 1긴X ၟo7&D~[DGacw c,^{2"QWxƾ:N=zQ#XJ< |MAUMG.ں:, VOCu@S \!#]^J?Ҧ *lͤC?Ǫ[#X)fC6f[Qqq ;04vi"9_Ĝ ?3 ACPI DATAF9XTrL ֭&kjo-E-h^N 5 ACPI DATAM@AIMɐSC'} K(EںU+b}4vv1A@5aʓ + SecureBootp!$j_h* COD IwUmuY|>aʓ +PKY䔧J\+rN<"Ac900 kn0  *H  0j1 0 UJP10U Kanagawa10U Yokohama10U Lenovo Ltd.10U Lenovo Ltd. PK CA 20120 120629103436Z 320624103436Z0j1 0 UJP10U Kanagawa10U Yokohama10U Lenovo Ltd.10U Lenovo Ltd. 
PK CA 20120"0  *H 0 ]bcwRf_"q:K TZIԡRlK` ¼}f|u2^Xfso*d4?,UNw!sl@1S$,mB\)BZ^pwYx3Fj?R <۔k]L s :E:޴0;1 M(ŵ>B&TX w=RN2.;zؓP0N0UwKLqt4=H0U#0wKLqt4=H0 U00  *H  pe%U֑ߑ2KՎC]=rN:O&g(Vj0a-}B; (aOO!ۦx(_ݵדrne򥷩ue2]e^lN(x0 pTXP"#>aO`Gri(O:>1 4}AAꞂT6_\LxAym,= l#`G+QQ|^`%Y}0U#0y@AF|KF>}0 U00  *H  m;D$i-"Uڧ[AMJr,SpVh_.>帄KzeRqfIԅ(:\@B) j4_Kr^t˼Ūze@ʧtTm\I&.WQ_|W|Y䔧J\+rwY2M`(xK00Р a ш0  *H  01 0 UUS10U Washington10URedmond10U Microsoft Corporation1;09U2Microsoft Corporation Third Party Marketplace Root0 110624204129Z 260624205129Z01 0 UUS10U Washington10URedmond10U Microsoft Corporation1*0(U!Microsoft Corporation KEK CA 20110"0  *H 0 赊W&&WzD] Jt*mZc2|O 8, 0HPdQȅO /Sjb: C%#pM/$JC ~Gl3*q<% /hvFOܭq*Xy=e;)*rY뮒5_̝vcy@yR{iO0K0 +70UbC͠>g[U{̶_0 +7  SubCA0 U0U00U#0EfRC~XN#U;:"j0\UU0S0QOMKhttp://crl.microsoft.com/pki/crl/products/MicCorThiParMarRoo_2010-10-05.crl0`+T0R0P+0Dhttp://www.microsoft.com/pki/certs/MicCorThiParMarRoo_2010-10-05.crt0  *H  Ԅ*<* נRfuz-vZy7jQ{ddgxΈXd W_iHK2]0x+4VʮA%pkז* K(){|vyo~l{E4Q9^VBwqV̟#˦X~ig~ <νC-j+Z|DR-R=`3e |N8/ o.9'B)FA;gCYe Ou;$PA@y-O j'vnRi{E­S076aJi4hl l"yF`!y2`ج"KK}?W5Ou`"Sy֛ATp 5|4r`;y뢲]%o8yi uk4`\WN62&Ri$Cٜ5c 7I5μ6}E8xRe\1˲:=EgeodbY䔧J\+rǬN]CE00 Ecz aRD0  *H  0l1 0 UJP10U Kanagawa10U Yokohama10U Lenovo Ltd.1!0U Lenovo Ltd. Root CA 20120 120629104731Z 320624104731Z0l1 0 UJP10U Kanagawa10U Yokohama10U Lenovo Ltd.1!0U ThinkPad Product CA 20120"0  *H 0 V7ۨpg_dgzqOL.$>tW_󥟒Y㘮f-uGqdt L)aA77^7jK0yb3͠>biC'Qsaǵ z% [X;&It_jsY54bps| wRW'T~b3RZ{7GD.b"2Tfm_H!_ʈJZ- $(*I9MAӏ+όn4,cP0N0UTUc_p@i&YI0U#0A hPnT~p͒ak0 U00  *H  N9<56ĎG(B("I8#CiXGŇ<%$Ϳm"@s_yDtK[;(B&s˚('&A/ -e$waa0x[#l&$OCT< [Ps'p'Lk@X$j1S XPB`߷1ќgK6 'Uԫ4-cP\QJ}MQ%MF\qFPd@Y䔧J\+rǬN]CE00k Hb4u4# M0  *H  0U1 0 UUS10U North Carolina10 U Lenovo10U Lenovo UEFI CA 20140 140124161424Z 340119161424Z0U1 0 UUS10U North Carolina10 U Lenovo10U Lenovo UEFI CA 20140"0  *H 0 ;pJ*ɱEe'< c >(|-PҊ"ٴ1T{e0'AQ`g,Wwg&jӞSgY=? 
Ԏad!g@ys?期'&/[\-8-B0Fn#1~`wXykk Uߞ6&$ݤJ[J.DGb ¹'0Q+k؛2 j(Sb=hK b}Π*?4˽gJD,ZܡY䔧J\+r@$wY2M`(xK00 a0  *H  01 0 UUS10U Washington10URedmond10U Microsoft Corporation1;09U2Microsoft Corporation Third Party Marketplace Root0 110627212245Z 260627213245Z01 0 UUS10U Washington10URedmond10U Microsoft Corporation1+0)U"Microsoft Corporation UEFI CA 20110"0  *H 0 lLE jK u CTd} s JEa-+MIA#/^Pƍ_A. lui!Mڭ,wS%27lRr5aj;PV2-B'UZ0TG%/&A\?[<>?GrU%"{*F 5'bq'Y7`8xpLEe¶~iuYXY䔧J\+rwY2M`(xK00 avV0  *H  01 0 UUS10U Washington10URedmond10U Microsoft Corporation1200U)Microsoft Root Certificate Authority 20100 111019184142Z 261019185142Z01 0 UUS10U Washington10URedmond10U Microsoft Corporation1.0,U%Microsoft Windows Production PCA 20110"0  *H 0  . i!i33T ҋ8-|byJ?5 pk6u1ݍp7tF([`#,GgQ'rɹ;S5|'# oFnhttp://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt0  *H  |qQyn9>\` QfG=*hwLb{Ǻz4KbzJ7-W|=ܸZij:ni!7ށugӓW^)9-Es[zFX^gl5?$5 uVx,Јߺ~,c#!xlX6+̤-@EΊ\k>p* j_Gc 26*pZBYqKW~!<ŹE ŕ]b֠c uw}=EWo3wbY~Bp`qjc3 DJMʚȗV'ÅϹ +e[˲:=Egeodbx&LP@A6C(0wY2M`(xKi1 ORm@`MAe wY2M`(xK/֒r($E4[$k;}nzwY2M`(xKء- *o.s >d,NgyjwY2M`(xK63M. xbdYWC&`HXšvwY2M`(xK세Kle qR0! 
b h2۲ '%'߶=IҕrLwY2M`(xK^T`< k覃R8wY2M`(xKƨXdoy(#g+69ОwY2M`(xK _NQxmЁ%orxRYe&wY2M`(xK Cڬz0eu1{ 될ctwY2M`(xK 9v-6=cqZ9ϰF\`lk׽wY2M`(xK o)o3}rK H:*?OwY2M`(xK !Hʃ62u> [1R*[wY2M`(xKoN0;t􀠀Ѐ+ot!hwY2M`(xKN: [CƦ@O4=9bgΔ.#ڒ wY2M`(xK34)bퟗ>H-.ImTdwY2M`(xK+&B.6_K 'lKzoD/ki9wY2M`(xK+,'R*]IZ+R]fbUwY2M`(xK,s3%mԤ<[UYPPR}wY2M`(xK.pgsQpW2.#ӹ+Q}wY2M`(xK0f(Tw0W(JF}8zTiv^uҍwY2M`(xK6Awz/^g4g^Ù^i5 ҽwY2M`(xK8A!6\ !`9MlN g`b[wY2M`(xK?Λ>TR^·mt:syqUpj>swY2M`(xKCʃc| C-/&zKuwY2M`(xKGa':k,Zmk6!h,*Z߽wY2M`(xKQ1s>!"Ty 0a5wY2M`(xKZIU9[.B,/gg6A+\wY2M`(xKkxA{^`Gr̴/fwY2M`(xKlTGYQ&l+585rѓ.wY2M`(xKo(qկ.{˫d|eͶ& :x^wY2M`(xKqo"I~TFb$ whٿcuwY2M`(xKrk>Tj0=ppq-ĝ,#wY2M`(xKrg]V;ݼ2ت^/m(ؽwY2M`(xKx'6,q}䱿CqZH[ʤKŽwY2M`(xKeӇk)T̕SϪȣ;3佚wY2M`(xK;δCΝч͛YA=Xo+V7W_gwY2M`(xKZ~OG q"8b:ߒ=wY2M`(xKHY jagznFdr!YEwY2M`(xK4͐e;=<5P_{c!wY2M`(xK se(Q$Q?eYW5)@νwY2M`(xK5g+6~OIia]JlrMBwY2M`(xK,";VB\GYG8DoYwY2M`(xKn=)t=J2@ؽwY2M`(xKcOx,7`XbfnmwY2M`(xKϲ2.KmH],qgrRY\u"6wY2M`(xKaJ~UәnE AR'[wY2M`(xKU =HZ7?=|cwY2M`(xKw ^; b x  S^ˇ k/wY2M`(xK<9"`tFu7̔ܭZ˦G/4q9脽wY2M`(xK;S> #Aryę-æ6wY2M`(xKQ3@HΈrRjRç`IwY2M`(xKdW[x.V4Rk DxYuN-dEwY2M`(xKEȮu ϻH7R}ddMؑ<͊$MigߎixE (QsC>RRs ?a/@W-=HwRI$Q"}e8i"\J 8+HBs5J@z<7oE_ -M*AEo-4e LenovoConfig4%zr{cStc !B+MF5#RbW?9QQ "O LAӝILenovoSecurityConfig [B֤hHo9@w w ;m9WEt0u#@ D,J. gyUYKjY C`ϽbC;}#TEh)LH-Ts+Jaʓ + BootOrder$qC؏:3I ۫.E Ec<%vT EA*an!caʓ +vBoot0000bubuntu*#MEΛGE{4\EFI\ubuntu\shimx64.efi&'CfH9O Z ԅj {tz8⇉ =z kaʓ +;Boot001A)NVMe0 %8x`Mhy[2LN鎸K =7m8UR ݽs( 6a>3 @;Flaʓ +<Boot0017(USB CD $8x`Mhy[pZxHlԝӺjUMTte2fk! 
|YF@7gE[;,.Snaʓ +>Boot0018(USB FDD $8x`Mhy[o0Cd FI EX{r5< U4ww4aca%wW?XvMT.3+qaʓ +ABoot001B)ATA HDD0 %8x`Mhy[bYVDAO*j7΅gnS 8 P ܅5`7Sk2?qB~iHnaʓ +>Boot001C(USB HDD $8x`Mhy[3!3GA39 M҄N2")ʓg;Q $y N,:.#qJ4 kaʓ +;Boot0019)NVMe1 %8x`Mhy[2LN鎸ȩG<9O[) U 6'3hC <{6PAKR4naʓ +>Boot001D(PCI LAN $8x`Mhy[xJ+*N̏=8~l`huL V24kJD@JZbKV0 mqaʓ +ABoot001E)Other CD %8x`Mhy[ !N:^GVT -+o2יaܓM ;ߎ1iǺiw@u3saʓ +CBoot001F)Other HDD %8x`Mhy[bYVDAO* :~YJN5NJ.TY ?Vw+XS.Nn7XO0naʓ +>Boot0024 (PCI LAN $8x`Mhy[xJ+*N̏=8XSth%VJ57 b\0T0<6K&;{(l/+;<aʓ +Boot0001bLinux-Firmware-Updater*#MEΛGE{4\EFI\ubuntu\shimx64.efi\fwupdx64.efiE1A'S&7V =grNu*,L_rPo*ƝV3(Calling EFI Application from Boot OptionixE (QsC>RRs ?a/@W-=HwRI$ixE (QsC>RRs ?a/@W-=HwRI$ixE (QsC>RRs ?a/@W-=HwRI$ixE (QsC>RRs ?a/@W-=HwRI$ixE (QsC>RRs ?a/@W-=HwRI$ixE (QsC>RRs ?a/@W-=HwRI$ixE (QsC>RRs ?a/@W-=HwRI$XfL g A' MJ,t;۵u6`C.H˲:=Egeo$dbwY2M`(xK00 a0  *H  01 0 UUS10U Washington10URedmond10U Microsoft Corporation1;09U2Microsoft Corporation Third Party Marketplace Root0 110627212245Z 260627213245Z01 0 UUS10U Washington10URedmond10U Microsoft Corporation1+0)U"Microsoft Corporation UEFI CA 20110"0  *H 0 lLE jK u CTd} s JEa-+MIA#/^Pƍ_A. 
lui!Mڭ,wS%27lRr5aj;PV2-B'UZ0TG%/&A\?[<>?GrU%"{*F 5'bq'Y7`8xpLEe¶~iuYX[s!׽@lV }.s͓.H'碛KOcJ',dEFI PART\xJ2"2"A; FB$@ӎ(s*K>;#MEΛGE{EFI System Partition=rGy=iG}f9L#ɯC/90J_4gs+> LW >!f>-# X3#6تx ^ A %8K*#MEΛGE{4\EFI\ubuntu\shimx64.efi Kq~I(/sC IF ȋ[$Pj{usE>E MokListjx0|բP ~LԯcNhUyQ9q0(U+k)v]zD('Rfl pܠ@>.g+C00U *#eZ&4Zc0U#0 *#eZ&4Zc0U00 U0CU<0:08642http://www.canonical.com/secure-boot-master-ca.crl0  *H  ?}v+zmRPGwҮW2:UVv Qۚ\?sڔj8m9qtv>V#5UG[AL b s^ֵz~>~f[9HQS1S;upLF=hG}QĚϣ]풻3Qs fm'wBj oWLl%:S ^佃lh?$wznun(hd0,gpt1)/EFI/ubuntu/grub.cfg 0)b~cpQ]9+*Ԩ  (e<ŀN5[O06 K%Cgrub_cmd: search.fs_uuid 119f1a79-c391-4e37-905d-3a503284cadb root <;)qs͊̐vh 6Ƌ` j֥Q*\|*grub_cmd: set prefix=(hd0,gpt2)/boot/grub ~}W, Ӷ6: Q7%| ~ F/Iew,(hd0,gpt2)/boot/grub/x86_64-efi/command.lst e\z1N!Gbb 2] ~ 1~GU9zECܡlW'(hd0,gpt2)/boot/grub/x86_64-efi/fs.lst ҁ9R2: vo8I'{ 6>w'.uC+(hd0,gpt2)/boot/grub/x86_64-efi/crypto.lst f&K Ӕ(ꔓ F/6-`Bj1JZjCb%ߜ-(hd0,gpt2)/boot/grub/x86_64-efi/terminal.lst 6JE8l@Z i:9Z _ ȉqUgw3grub_cmd: configfile (hd0,gpt2)/boot/grub/grub.cfg ZHhssy^" YO{> 5 $PPbe=(hd0,gpt2)/boot/grub/grub.cfg $8gE45A+&[ 267m}1٩׺a>0IG!T".grub_cmd: [ -s (hd0,gpt2)/boot/grub/grubenv ] ~U1dZBD^nM .B4QQ5k{߆V?(hd0,gpt2)/boot/grub/grubenv k :@&u}6\uo2>uѼXgrub_cmd: set default=0 g?go複 Eh6X1-dZ40/B7R!]iYgrub_cmd: [ xy = xy ] R e*'~C# }MKbFc,!!%\46U#grub_cmd: menuentry_id_option=--id bHY x̽/A J7 ;y}L^2+RGkPm^%grub_cmd: export menuentry_id_option q #|A2Hǰ ΁$ G3DmynD: egrub_cmd: [ ] g?go複 Eh6X1-dZ40/B7R!]iYgrub_cmd: [ xy = xy ] v,$s6x: ;:~1,A~JQK93grub_cmd: font=unicode &G< 2gmӊĤ j~=K^ơMiޔ` Km8}grub_cmd: loadfont unicode q G"c D{@-Pm f1W)Ú𠵟 `wvBT  .-'(hd0,gpt2)/boot/grub/fonts/unicode.pf2 EaYC, UI gmHf -(O`#õT6kgrub_cmd: set gfxmode=auto f G$)SD v&ؾtBu6J>:;Sz VX ݐmPlqNgrub_cmd: insmod gfxterm Ar1lOC/ *  X XнA`)"|xiy5grub_cmd: set locale_dir=(hd0,gpt2)/boot/grub/locale S5؟֮lO弚 7j徔ߕʂYWؙ< ngrub_cmd: set lang=en_US Tv<̣-5\ r#rp+*ܳr%)7/grub_cmd: insmod gettext 8Rg#Cbcisn7ȅ ?=ȠDCk&N/t"AEXp],"grub_cmd: terminal_output gfxterm 
E+ (]8 NCac(] Z9`{, sz8+grub_cmd: [ = 1 ] g?go複 Eh6X1-dZ40/B7R!]iYgrub_cmd: [ xy = xy ]  +#LAnN V.JuםXE tQ/} !grub_cmd: set timeout_style=menu s,q:oL:8f$4՝P qÆ/@tZIáBIpe$ $˜grub_cmd: set timeout=5  WTZZ]P&'-cg |ڕVrE䀞e)},grub_cmd: set menu_color_normal=white/black ԥT ُ$:e7 oyĻL MɄ ;F>^DBF4*4grub_cmd: set menu_color_highlight=black/light-gray B2 K2f 1J,^sI07Agrub_cmd: [ != 1 ] X~~~.z0R^X"/ U؝-7ߊ},fuߤ 7grub_cmd: [ -e (hd0,gpt2)/boot/grub/gfxblacklist.txt ] [:*̢ B5JM,6J[}a\:grub_cmd: hwmatch (hd0,gpt2)/boot/grub/gfxblacklist.txt 3 kϩɕ*Kf@- mygt `\[K1/$4Igrub_cmd: [ = 0 ] hz'<^(6MbMԏ} IauBDL:Zq ;q  "grub_cmd: set linux_gfx_mode=keep DNYנa_%b& "A%N2p$WY>ӷzd}i`E grub_cmd: export linux_gfx_mode νeVG?6 V+Ů"{.|xcgrub_cmd: menuentry Ubuntu --class ubuntu --class gnu-linux --class gnu --class os --id gnulinux-simple-119f1a79-c391-4e37-905d-3a503284cadb { recordfail load_video gfxmode $linux_gfx_mode insmod gzio if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi insmod part_gpt insmod ext2 if [ x$feature_platform_search_hint = xy ]; then search --no-floppy --fs-uuid --set=root 119f1a79-c391-4e37-905d-3a503284cadb else search --no-floppy --fs-uuid --set=root 119f1a79-c391-4e37-905d-3a503284cadb fi linux /boot/vmlinuz-5.7.0-rc2+ root=UUID=119f1a79-c391-4e37-905d-3a503284cadb ro quiet splash ima-policy=tcb $vt_handoff initrd /boot/initrd.img-5.7.0-rc2+ } t IR6),GAOgw* ʚwI/+XwUkyZL,grub_cmd: submenu Advanced options for Ubuntu --id gnulinux-advanced-119f1a79-c391-4e37-905d-3a503284cadb { menuentry 'Ubuntu, with Linux 5.7.0-rc2+' --class ubuntu --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-5.7.0-rc2+-advanced-119f1a79-c391-4e37-905d-3a503284cadb' { recordfail load_video gfxmode $linux_gfx_mode insmod gzio if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi insmod part_gpt insmod ext2 if [ x$feature_platform_search_hint = xy ]; then search --no-floppy --fs-uuid --set=root 119f1a79-c391-4e37-905d-3a503284cadb else search 
--no-floppy --fs-uuid --set=root 119f1a79-c391-4e37-905d-3a503284cadb fi echo 'Loading Linux 5.7.0-rc2+ ...' linux /boot/vmlinuz-5.7.0-rc2+ root=UUID=119f1a79-c391-4e37-905d-3a503284cadb ro quiet splash ima-policy=tcb $vt_handoff echo 'Loading initial ramdisk ...' initrd /boot/initrd.img-5.7.0-rc2+ } menuentry 'Ubuntu, with Linux 5.7.0-rc2+ (recovery mode)' --class ubuntu --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-5.7.0-rc2+-recovery-119f1a79-c391-4e37-905d-3a503284cadb' { recordfail load_video insmod gzio if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi insmod part_gpt insmod ext2 if [ x$feature_platform_search_hint = xy ]; then search --no-floppy --fs-uuid --set=root 119f1a79-c391-4e37-905d-3a503284cadb else search --no-floppy --fs-uuid --set=root 119f1a79-c391-4e37-905d-3a503284cadb fi echo 'Loading Linux 5.7.0-rc2+ ...' linux /boot/vmlinuz-5.7.0-rc2+ root=UUID=119f1a79-c391-4e37-905d-3a503284cadb ro recovery nomodeset echo 'Loading initial ramdisk ...' initrd /boot/initrd.img-5.7.0-rc2+ } menuentry 'Ubuntu, with Linux 5.7.0-rc2+.old' --class ubuntu --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-5.7.0-rc2+.old-advanced-119f1a79-c391-4e37-905d-3a503284cadb' { recordfail load_video gfxmode $linux_gfx_mode insmod gzio if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi insmod part_gpt insmod ext2 if [ x$feature_platform_search_hint = xy ]; then search --no-floppy --fs-uuid --set=root 119f1a79-c391-4e37-905d-3a503284cadb else search --no-floppy --fs-uuid --set=root 119f1a79-c391-4e37-905d-3a503284cadb fi echo 'Loading Linux 5.7.0-rc2+.old ...' linux /boot/vmlinuz-5.7.0-rc2+.old root=UUID=119f1a79-c391-4e37-905d-3a503284cadb ro quiet splash ima-policy=tcb $vt_handoff echo 'Loading initial ramdisk ...' 
initrd /boot/initrd.img-5.7.0-rc2+ } menuentry 'Ubuntu, with Linux 5.7.0-rc2+.old (recovery mode)' --class ubuntu --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-5.7.0-rc2+.old-recovery-119f1a79-c391-4e37-905d-3a503284cadb' { recordfail load_video insmod gzio if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi insmod part_gpt insmod ext2 if [ x$feature_platform_search_hint = xy ]; then search --no-floppy --fs-uuid --set=root 119f1a79-c391-4e37-905d-3a503284cadb else search --no-floppy --fs-uuid --set=root 119f1a79-c391-4e37-905d-3a503284cadb fi echo 'Loading Linux 5.7.0-rc2+.old ...' linux /boot/vmlinuz-5.7.0-rc2+.old root=UUID=119f1a79-c391-4e37-905d-3a503284cadb ro recovery nomodeset echo 'Loading initial ramdisk ...' initrd /boot/initrd.img-5.7.0-rc2+ } menuentry 'Ubuntu, with Linux 5.6.0-rc3+' --class ubuntu --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-5.6.0-rc3+-advanced-119f1a79-c391-4e37-905d-3a503284cadb' { recordfail load_video gfxmode $linux_gfx_mode insmod gzio if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi insmod part_gpt insmod ext2 if [ x$feature_platform_search_hint = xy ]; then search --no-floppy --fs-uuid --set=root 119f1a79-c391-4e37-905d-3a503284cadb else search --no-floppy --fs-uuid --set=root 119f1a79-c391-4e37-905d-3a503284cadb fi echo 'Loading Linux 5.6.0-rc3+ ...' linux /boot/vmlinuz-5.6.0-rc3+ root=UUID=119f1a79-c391-4e37-905d-3a503284cadb ro quiet splash ima-policy=tcb $vt_handoff echo 'Loading initial ramdisk ...' 
initrd /boot/initrd.img-5.6.0-rc3+ } menuentry 'Ubuntu, with Linux 5.6.0-rc3+ (recovery mode)' --class ubuntu --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-5.6.0-rc3+-recovery-119f1a79-c391-4e37-905d-3a503284cadb' { recordfail load_video insmod gzio if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi insmod part_gpt insmod ext2 if [ x$feature_platform_search_hint = xy ]; then search --no-floppy --fs-uuid --set=root 119f1a79-c391-4e37-905d-3a503284cadb else search --no-floppy --fs-uuid --set=root 119f1a79-c391-4e37-905d-3a503284cadb fi echo 'Loading Linux 5.6.0-rc3+ ...' linux /boot/vmlinuz-5.6.0-rc3+ root=UUID=119f1a79-c391-4e37-905d-3a503284cadb ro recovery nomodeset echo 'Loading initial ramdisk ...' initrd /boot/initrd.img-5.6.0-rc3+ } menuentry 'Ubuntu, with Linux 5.6.0-rc1+.signed' --class ubuntu --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-5.6.0-rc1+.signed-advanced-119f1a79-c391-4e37-905d-3a503284cadb' { recordfail load_video gfxmode $linux_gfx_mode insmod gzio if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi insmod part_gpt insmod ext2 if [ x$feature_platform_search_hint = xy ]; then search --no-floppy --fs-uuid --set=root 119f1a79-c391-4e37-905d-3a503284cadb else search --no-floppy --fs-uuid --set=root 119f1a79-c391-4e37-905d-3a503284cadb fi echo 'Loading Linux 5.6.0-rc1+.signed ...' 
linux /boot/vmlinuz-5.6.0-rc1+.signed root=/dev/nvme0n1p2 ro quiet splash ima-policy=tcb $vt_handoff } menuentry 'Ubuntu, with Linux 5.6.0-rc1+.signed (recovery mode)' --class ubuntu --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-5.6.0-rc1+.signed-recovery-119f1a79-c391-4e37-905d-3a503284cadb' { recordfail load_video insmod gzio if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi insmod part_gpt insmod ext2 if [ x$feature_platform_search_hint = xy ]; then search --no-floppy --fs-uuid --set=root 119f1a79-c391-4e37-905d-3a503284cadb else search --no-floppy --fs-uuid --set=root 119f1a79-c391-4e37-905d-3a503284cadb fi echo 'Loading Linux 5.6.0-rc1+.signed ...' linux /boot/vmlinuz-5.6.0-rc1+.signed root=/dev/nvme0n1p2 ro recovery nomodeset } menuentry 'Ubuntu, with Linux 5.6.0-rc1+' --class ubuntu --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-5.6.0-rc1+-advanced-119f1a79-c391-4e37-905d-3a503284cadb' { recordfail load_video gfxmode $linux_gfx_mode insmod gzio if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi insmod part_gpt insmod ext2 if [ x$feature_platform_search_hint = xy ]; then search --no-floppy --fs-uuid --set=root 119f1a79-c391-4e37-905d-3a503284cadb else search --no-floppy --fs-uuid --set=root 119f1a79-c391-4e37-905d-3a503284cadb fi echo 'Loading Linux 5.6.0-rc1+ ...' linux /boot/vmlinuz-5.6.0-rc1+ root=UUID=119f1a79-c391-4e37-905d-3a503284cadb ro quiet splash ima-policy=tcb $vt_handoff echo 'Loading initial ramdisk ...' 
initrd /boot/initrd.img-5.6.0-rc1+ } menuentry 'Ubuntu, with Linux 5.6.0-rc1+ (recovery mode)' --class ubuntu --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-5.6.0-rc1+-recovery-119f1a79-c391-4e37-905d-3a503284cadb' { recordfail load_video insmod gzio if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi insmod part_gpt insmod ext2 if [ x$feature_platform_search_hint = xy ]; then search --no-floppy --fs-uuid --set=root 119f1a79-c391-4e37-905d-3a503284cadb else search --no-floppy --fs-uuid --set=root 119f1a79-c391-4e37-905d-3a503284cadb fi echo 'Loading Linux 5.6.0-rc1+ ...' linux /boot/vmlinuz-5.6.0-rc1+ root=UUID=119f1a79-c391-4e37-905d-3a503284cadb ro recovery nomodeset echo 'Loading initial ramdisk ...' initrd /boot/initrd.img-5.6.0-rc1+ } menuentry 'Ubuntu, with Linux 5.4.0-37-generic' --class ubuntu --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-5.4.0-37-generic-advanced-119f1a79-c391-4e37-905d-3a503284cadb' { recordfail load_video gfxmode $linux_gfx_mode insmod gzio if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi insmod part_gpt insmod ext2 if [ x$feature_platform_search_hint = xy ]; then search --no-floppy --fs-uuid --set=root 119f1a79-c391-4e37-905d-3a503284cadb else search --no-floppy --fs-uuid --set=root 119f1a79-c391-4e37-905d-3a503284cadb fi echo 'Loading Linux 5.4.0-37-generic ...' linux /boot/vmlinuz-5.4.0-37-generic root=UUID=119f1a79-c391-4e37-905d-3a503284cadb ro quiet splash ima-policy=tcb $vt_handoff echo 'Loading initial ramdisk ...' 
initrd /boot/initrd.img-5.4.0-37-generic } menuentry 'Ubuntu, with Linux 5.4.0-37-generic (recovery mode)' --class ubuntu --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-5.4.0-37-generic-recovery-119f1a79-c391-4e37-905d-3a503284cadb' { recordfail load_video insmod gzio if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi insmod part_gpt insmod ext2 if [ x$feature_platform_search_hint = xy ]; then search --no-floppy --fs-uuid --set=root 119f1a79-c391-4e37-905d-3a503284cadb else search --no-floppy --fs-uuid --set=root 119f1a79-c391-4e37-905d-3a503284cadb fi echo 'Loading Linux 5.4.0-37-generic ...' linux /boot/vmlinuz-5.4.0-37-generic root=UUID=119f1a79-c391-4e37-905d-3a503284cadb ro recovery nomodeset echo 'Loading initial ramdisk ...' initrd /boot/initrd.img-5.4.0-37-generic } menuentry 'Ubuntu, with Linux 5.3.0-59-generic' --class ubuntu --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-5.3.0-59-generic-advanced-119f1a79-c391-4e37-905d-3a503284cadb' { recordfail load_video gfxmode $linux_gfx_mode insmod gzio if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi insmod part_gpt insmod ext2 if [ x$feature_platform_search_hint = xy ]; then search --no-floppy --fs-uuid --set=root 119f1a79-c391-4e37-905d-3a503284cadb else search --no-floppy --fs-uuid --set=root 119f1a79-c391-4e37-905d-3a503284cadb fi echo 'Loading Linux 5.3.0-59-generic ...' linux /boot/vmlinuz-5.3.0-59-generic root=UUID=119f1a79-c391-4e37-905d-3a503284cadb ro quiet splash ima-policy=tcb $vt_handoff echo 'Loading initial ramdisk ...' 
initrd /boot/initrd.img-5.3.0-59-generic } menuentry 'Ubuntu, with Linux 5.3.0-59-generic (recovery mode)' --class ubuntu --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-5.3.0-59-generic-recovery-119f1a79-c391-4e37-905d-3a503284cadb' { recordfail load_video insmod gzio if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi insmod part_gpt insmod ext2 if [ x$feature_platform_search_hint = xy ]; then search --no-floppy --fs-uuid --set=root 119f1a79-c391-4e37-905d-3a503284cadb else search --no-floppy --fs-uuid --set=root 119f1a79-c391-4e37-905d-3a503284cadb fi echo 'Loading Linux 5.3.0-59-generic ...' linux /boot/vmlinuz-5.3.0-59-generic root=UUID=119f1a79-c391-4e37-905d-3a503284cadb ro recovery nomodeset echo 'Loading initial ramdisk ...' initrd /boot/initrd.img-5.3.0-59-generic } } =F Mc" ql5v To hdPN}>YKgrub_cmd: menuentry UEFI Firmware Settings --id uefi-firmware { fwsetup } ,+ A}Pv̻Ks )정Ng, Cg+4ZPLiDB1grub_cmd: [ -f (hd0,gpt2)/boot/grub/custom.cfg ] Gմ`7|g|@Y CuF~`r+"ɭ`J:ЁLgrub_cmd: [ -z (hd0,gpt2)/boot/grub -a -f (hd0,gpt2)/boot/grub/custom.cfg ] O>?:Ku 4!b-LѬVk0grub_cmd: setparams Advanced options for Ubuntu #&- 8pRq05<'>hpO+grub_cmd: menuentry Ubuntu, with Linux 5.7.0-rc2+ --class ubuntu --class gnu-linux --class gnu --class os --id gnulinux-5.7.0-rc2+-advanced-119f1a79-c391-4e37-905d-3a503284cadb { recordfail load_video gfxmode $linux_gfx_mode insmod gzio if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi insmod part_gpt insmod ext2 if [ x$feature_platform_search_hint = xy ]; then search --no-floppy --fs-uuid --set=root 119f1a79-c391-4e37-905d-3a503284cadb else search --no-floppy --fs-uuid --set=root 119f1a79-c391-4e37-905d-3a503284cadb fi echo 'Loading Linux 5.7.0-rc2+ ...' linux /boot/vmlinuz-5.7.0-rc2+ root=UUID=119f1a79-c391-4e37-905d-3a503284cadb ro quiet splash ima-policy=tcb $vt_handoff echo 'Loading initial ramdisk ...' 
initrd /boot/initrd.img-5.7.0-rc2+ } yu(Yh^U%Lx < Q|OL\m /&8 &!L grub_cmd: menuentry Ubuntu, with Linux 5.7.0-rc2+ (recovery mode) --class ubuntu --class gnu-linux --class gnu --class os --id gnulinux-5.7.0-rc2+-recovery-119f1a79-c391-4e37-905d-3a503284cadb { recordfail load_video insmod gzio if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi insmod part_gpt insmod ext2 if [ x$feature_platform_search_hint = xy ]; then search --no-floppy --fs-uuid --set=root 119f1a79-c391-4e37-905d-3a503284cadb else search --no-floppy --fs-uuid --set=root 119f1a79-c391-4e37-905d-3a503284cadb fi echo 'Loading Linux 5.7.0-rc2+ ...' linux /boot/vmlinuz-5.7.0-rc2+ root=UUID=119f1a79-c391-4e37-905d-3a503284cadb ro recovery nomodeset echo 'Loading initial ramdisk ...' initrd /boot/initrd.img-5.7.0-rc2+ } Q>%s/te.myn`/- F~g.R~Y t03Xm;+grub_cmd: menuentry Ubuntu, with Linux 5.6.0-rc3+ --class ubuntu --class gnu-linux --class gnu --class os --id gnulinux-5.6.0-rc3+-advanced-119f1a79-c391-4e37-905d-3a503284cadb { recordfail load_video gfxmode $linux_gfx_mode insmod gzio if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi insmod part_gpt insmod ext2 if [ x$feature_platform_search_hint = xy ]; then search --no-floppy --fs-uuid --set=root 119f1a79-c391-4e37-905d-3a503284cadb else search --no-floppy --fs-uuid --set=root 119f1a79-c391-4e37-905d-3a503284cadb fi echo 'Loading Linux 5.6.0-rc3+ ...' linux /boot/vmlinuz-5.6.0-rc3+ root=UUID=119f1a79-c391-4e37-905d-3a503284cadb ro quiet splash ima-policy=tcb $vt_handoff echo 'Loading initial ramdisk ...' 
initrd /boot/initrd.img-5.6.0-rc3+ } lBYl.Fb| b .e o:̀PU[8nd<( grub_cmd: menuentry Ubuntu, with Linux 5.6.0-rc3+ (recovery mode) --class ubuntu --class gnu-linux --class gnu --class os --id gnulinux-5.6.0-rc3+-recovery-119f1a79-c391-4e37-905d-3a503284cadb { recordfail load_video insmod gzio if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi insmod part_gpt insmod ext2 if [ x$feature_platform_search_hint = xy ]; then search --no-floppy --fs-uuid --set=root 119f1a79-c391-4e37-905d-3a503284cadb else search --no-floppy --fs-uuid --set=root 119f1a79-c391-4e37-905d-3a503284cadb fi echo 'Loading Linux 5.6.0-rc3+ ...' linux /boot/vmlinuz-5.6.0-rc3+ root=UUID=119f1a79-c391-4e37-905d-3a503284cadb ro recovery nomodeset echo 'Loading initial ramdisk ...' initrd /boot/initrd.img-5.6.0-rc3+ } ]\ZX8 2Wut@1-V(ؗzSgrub_cmd: menuentry Ubuntu, with Linux 5.6.0-rc1+.signed --class ubuntu --class gnu-linux --class gnu --class os --id gnulinux-5.6.0-rc1+.signed-advanced-119f1a79-c391-4e37-905d-3a503284cadb { recordfail load_video gfxmode $linux_gfx_mode insmod gzio if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi insmod part_gpt insmod ext2 if [ x$feature_platform_search_hint = xy ]; then search --no-floppy --fs-uuid --set=root 119f1a79-c391-4e37-905d-3a503284cadb else search --no-floppy --fs-uuid --set=root 119f1a79-c391-4e37-905d-3a503284cadb fi echo 'Loading Linux 5.6.0-rc1+.signed ...' 
linux /boot/vmlinuz-5.6.0-rc1+.signed root=/dev/nvme0n1p2 ro quiet splash ima-policy=tcb $vt_handoff } {ұPC04 aMs|f'V4!*SŚ &t?(1grub_cmd: menuentry Ubuntu, with Linux 5.6.0-rc1+.signed (recovery mode) --class ubuntu --class gnu-linux --class gnu --class os --id gnulinux-5.6.0-rc1+.signed-recovery-119f1a79-c391-4e37-905d-3a503284cadb { recordfail load_video insmod gzio if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi insmod part_gpt insmod ext2 if [ x$feature_platform_search_hint = xy ]; then search --no-floppy --fs-uuid --set=root 119f1a79-c391-4e37-905d-3a503284cadb else search --no-floppy --fs-uuid --set=root 119f1a79-c391-4e37-905d-3a503284cadb fi echo 'Loading Linux 5.6.0-rc1+.signed ...' linux /boot/vmlinuz-5.6.0-rc1+.signed root=/dev/nvme0n1p2 ro recovery nomodeset } 5sVү.%ĠeKS'uH fxEwPZP 0c+grub_cmd: menuentry Ubuntu, with Linux 5.6.0-rc1+ --class ubuntu --class gnu-linux --class gnu --class os --id gnulinux-5.6.0-rc1+-advanced-119f1a79-c391-4e37-905d-3a503284cadb { recordfail load_video gfxmode $linux_gfx_mode insmod gzio if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi insmod part_gpt insmod ext2 if [ x$feature_platform_search_hint = xy ]; then search --no-floppy --fs-uuid --set=root 119f1a79-c391-4e37-905d-3a503284cadb else search --no-floppy --fs-uuid --set=root 119f1a79-c391-4e37-905d-3a503284cadb fi echo 'Loading Linux 5.6.0-rc1+ ...' linux /boot/vmlinuz-5.6.0-rc1+ root=UUID=119f1a79-c391-4e37-905d-3a503284cadb ro quiet splash ima-policy=tcb $vt_handoff echo 'Loading initial ramdisk ...' 
initrd /boot/initrd.img-5.6.0-rc1+ } ZBǻ3etGJ(d Q甮>ɒ AEǁ grub_cmd: menuentry Ubuntu, with Linux 5.6.0-rc1+ (recovery mode) --class ubuntu --class gnu-linux --class gnu --class os --id gnulinux-5.6.0-rc1+-recovery-119f1a79-c391-4e37-905d-3a503284cadb { recordfail load_video insmod gzio if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi insmod part_gpt insmod ext2 if [ x$feature_platform_search_hint = xy ]; then search --no-floppy --fs-uuid --set=root 119f1a79-c391-4e37-905d-3a503284cadb else search --no-floppy --fs-uuid --set=root 119f1a79-c391-4e37-905d-3a503284cadb fi echo 'Loading Linux 5.6.0-rc1+ ...' linux /boot/vmlinuz-5.6.0-rc1+ root=UUID=119f1a79-c391-4e37-905d-3a503284cadb ro recovery nomodeset echo 'Loading initial ramdisk ...' initrd /boot/initrd.img-5.6.0-rc1+ } SENZ=BC"[ 3!brzY.=~h94t!g@8sIgrub_cmd: menuentry Ubuntu, with Linux 5.4.0-37-generic --class ubuntu --class gnu-linux --class gnu --class os --id gnulinux-5.4.0-37-generic-advanced-119f1a79-c391-4e37-905d-3a503284cadb { recordfail load_video gfxmode $linux_gfx_mode insmod gzio if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi insmod part_gpt insmod ext2 if [ x$feature_platform_search_hint = xy ]; then search --no-floppy --fs-uuid --set=root 119f1a79-c391-4e37-905d-3a503284cadb else search --no-floppy --fs-uuid --set=root 119f1a79-c391-4e37-905d-3a503284cadb fi echo 'Loading Linux 5.4.0-37-generic ...' linux /boot/vmlinuz-5.4.0-37-generic root=UUID=119f1a79-c391-4e37-905d-3a503284cadb ro quiet splash ima-policy=tcb $vt_handoff echo 'Loading initial ramdisk ...' 
initrd /boot/initrd.img-5.4.0-37-generic }  Bڄ;Fk1,= <$g8fY!$Zي͚w*grub_cmd: menuentry Ubuntu, with Linux 5.4.0-37-generic (recovery mode) --class ubuntu --class gnu-linux --class gnu --class os --id gnulinux-5.4.0-37-generic-recovery-119f1a79-c391-4e37-905d-3a503284cadb { recordfail load_video insmod gzio if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi insmod part_gpt insmod ext2 if [ x$feature_platform_search_hint = xy ]; then search --no-floppy --fs-uuid --set=root 119f1a79-c391-4e37-905d-3a503284cadb else search --no-floppy --fs-uuid --set=root 119f1a79-c391-4e37-905d-3a503284cadb fi echo 'Loading Linux 5.4.0-37-generic ...' linux /boot/vmlinuz-5.4.0-37-generic root=UUID=119f1a79-c391-4e37-905d-3a503284cadb ro recovery nomodeset echo 'Loading initial ramdisk ...' initrd /boot/initrd.img-5.4.0-37-generic } rfQ6oeok2oJ h3s jF]Z`!$,V v+Igrub_cmd: menuentry Ubuntu, with Linux 5.3.0-59-generic --class ubuntu --class gnu-linux --class gnu --class os --id gnulinux-5.3.0-59-generic-advanced-119f1a79-c391-4e37-905d-3a503284cadb { recordfail load_video gfxmode $linux_gfx_mode insmod gzio if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi insmod part_gpt insmod ext2 if [ x$feature_platform_search_hint = xy ]; then search --no-floppy --fs-uuid --set=root 119f1a79-c391-4e37-905d-3a503284cadb else search --no-floppy --fs-uuid --set=root 119f1a79-c391-4e37-905d-3a503284cadb fi echo 'Loading Linux 5.3.0-59-generic ...' linux /boot/vmlinuz-5.3.0-59-generic root=UUID=119f1a79-c391-4e37-905d-3a503284cadb ro quiet splash ima-policy=tcb $vt_handoff echo 'Loading initial ramdisk ...' 
initrd /boot/initrd.img-5.3.0-59-generic } 1| 4Z6 $ ΋Wur-Y8W$cj *grub_cmd: menuentry Ubuntu, with Linux 5.3.0-59-generic (recovery mode) --class ubuntu --class gnu-linux --class gnu --class os --id gnulinux-5.3.0-59-generic-recovery-119f1a79-c391-4e37-905d-3a503284cadb { recordfail load_video insmod gzio if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi insmod part_gpt insmod ext2 if [ x$feature_platform_search_hint = xy ]; then search --no-floppy --fs-uuid --set=root 119f1a79-c391-4e37-905d-3a503284cadb else search --no-floppy --fs-uuid --set=root 119f1a79-c391-4e37-905d-3a503284cadb fi echo 'Loading Linux 5.3.0-59-generic ...' linux /boot/vmlinuz-5.3.0-59-generic root=UUID=119f1a79-c391-4e37-905d-3a503284cadb ro recovery nomodeset echo 'Loading initial ramdisk ...' initrd /boot/initrd.img-5.3.0-59-generic } ,qfU جJa=ѯ ]jhO"_(2grub_cmd: setparams Ubuntu, with Linux 5.7.0-rc2+ fF8魧) ~~(nNe@:8'{ gL.grub_cmd: recordfail p6b 6hDt d[׆HIf Pu Y@grub_cmd: set recordfail=1 z8gؕTqa- $6T}l&12YxHiHxgrub_cmd: [ -n ] f G$)SD v&ؾtBu6J>:;S?똢ogrub_cmd: set gfxpayload=keep RAߥy] _BKU ]^j5lN;fgrub_cmd: [ keep = keep ] n*~ k ;6oaq"|s(&grub_cmd: set vt_handoff=vt.handoff=7 Ph lFtRgbT nǔėgrub_cmd: insmod gzio -EݺFv2[ui Th佟 ݡ3_@]ߍosMgrub_cmd: [ xefi = xxen ] y|A!p#A bv t.FFݐa'WYGgrub_cmd: insmod part_gpt ?\V/ 2 8҆ z eY ; 1 grub_cmd: insmod ext2 g?go複 Eh6X1-dZ40/B7R!]iYgrub_cmd: [ xy = xy ] !epUS\ܠ /e'C6kΜ B4>M-MWgrub_cmd: search --no-floppy --fs-uuid --set=root 119f1a79-c391-4e37-905d-3a503284cadb i ڛy w)+4 _*b]߅jRyp\9uMeΝ,grub_cmd: echo Loading Linux 5.7.0-rc2+ ... ,<#Ӟ!&K /Bm$hgjPˣۄgrub_cmd: linux /boot/vmlinuz-5.7.0-rc2+ root=UUID=119f1a79-c391-4e37-905d-3a503284cadb ro quiet splash ima-policy=tcb vt.handoff=7 y#kμ.3 Bl 4`8#Z@TiWjK3 Dv/boot/vmlinuz-5.7.0-rc2+iٝTXH7*G _"!ӹ'TlHBB)ny#kμ.3 Bl 4`8#Z@TiWjK3 Dv)n iMIV,zL*Pg! ŀT\ U-F3lR5Nȯ`+grub_cmd: echo Loading initial ramdisk ... 
';bzg PiG :\6p%G\v\8-grub_cmd: initrd /boot/initrd.img-5.7.0-rc2+ ,qfU جJa=ѯ ]jhO"_(2grub_cmd: setparams Ubuntu, with Linux 5.7.0-rc2+ fF8魧) ~~(nNe@:8'{ gL.grub_cmd: recordfail p6b 6hDt d[׆HIf Pu Y@grub_cmd: set recordfail=1 z8gؕTqa- $6T}l&12YxHiHxgrub_cmd: [ -n ] f G$)SD v&ؾtBu6J>:;S?똢ogrub_cmd: set gfxpayload=keep RAߥy] _BKU ]^j5lN;fgrub_cmd: [ keep = keep ] n*~ k ;6oaq"|s(&grub_cmd: set vt_handoff=vt.handoff=7 Ph lFtRgbT nǔėgrub_cmd: insmod gzio -EݺFv2[ui Th佟 ݡ3_@]ߍosMgrub_cmd: [ xefi = xxen ] y|A!p#A bv t.FFݐa'WYGgrub_cmd: insmod part_gpt ?\V/ 2 8҆ z eY ; 1 grub_cmd: insmod ext2 g?go複 Eh6X1-dZ40/B7R!]iYgrub_cmd: [ xy = xy ] !epUS\ܠ /e'C6kΜ B4>M-MWgrub_cmd: search --no-floppy --fs-uuid --set=root 119f1a79-c391-4e37-905d-3a503284cadb i ڛy w)+4 _*b]߅jRyp\9uMeΝ,grub_cmd: echo Loading Linux 5.7.0-rc2+ ... ~K}ځ 8,O2!WNpJ#a0H~Qgrub_cmd: linux /boot/vmlinuz-5.7.0-rc2+.signed root=UUID=119f1a79-c391-4e37-905d-3a503284cadb ro quiet splash ima-policy=tcb vt.handoff=7 ⏝則S:dn Y`_ )9."WJCAZ?@ /boot/vmlinuz-5.7.0-rc2+.signediٝTXH7*G _"!ӹ'TlHBB)_⏝則S:dn Y`_ )9."WJCAZ?@)_sB{Ieߏ fuon|GᲖPwP]`FC=݋#CMokList0?0'w%VW ߫XTv0  *H  01 0 UUS1 0 U NY10U WhitePlains1 0 U IBM10U Secure Boot Signing1"0  *H  zohar@linux.ibm.com0  200311122912Z21200216122912Z01 0 UUS1 0 U NY10U WhitePlains1 0 U IBM10U Secure Boot Signing1"0  *H  zohar@linux.ibm.com0"0  *H 0 }} ~0?| 1A350ԑ-j+/lF)S)Ȏ^Jf .]3>hռw"GA*ힹߊ֋xU׹5K_3"zʫO!K~@ymj'WƖ9t;˥'kv?%1+6vWC刉['5~ pA.L$)+b q4櫪&\}Knj;*S|pjNщSM{bvvq00U y2T5Q;o0U#0 y2T5Q;o0 U00+U%$0"+ +7  +0, `HB OpenSSL Generated Certificate0  *H  è>Y.A;% ,Ԍ(9#Z Ѹ4$%Kz,}BQ8`ƔGJwO9e<V%8s=qVޟ"4GqC5˅6"yWHߨ\a"&b`Lo$ p ƚzhvgKe\O^lVi.wӨ[w0b>Uެ41dӸ=SJkv-< yi[m`m)łǮ'Y;)D^eіזHm SbK\\bXĸ'y8=<"WRk]W(\]zJҍDZ^OAgF[>ƒ5-d8n--sf1dpT,2/ _Y㰰ʮo{y½睅hHP^!6଑z =۔&ki~bDpv|i"}FM7p ޘk!uZ0KVcP NDfnc̥&(MgzZkernel_cmdline: /boot/vmlinuz-5.7.0-rc2+.signed root=UUID=119f1a79-c391-4e37-905d-3a503284cadb ro quiet splash ima-policy=tcb vt.handoff=7 iMIV,zL*Pg! ŀT\ U-F3lR5Nȯ`+grub_cmd: echo Loading initial ramdisk ... 
';bzg PiG :\6p%G\v\8-grub_cmd: initrd /boot/initrd.img-5.7.0-rc2+ E_ѩEM8Iɑ. PYPl0" ^rqjv*H//boot/initrd.img-5.7.0-rc2+ima-evm-utils-1.5/tests/sample-tpm-2.0-pcrs-8-9000066400000000000000000000021151440135744700210010ustar00rootroot00000000000000pcrread: tsspcrread -halg sha1 0: 92c1850372e9493929aa9a2e9ea953e21ff1be45 1: 41c54039ca2750ea60d8ab7c48b142b10aba5667 2: b2a83b0ebf2f8374299a5b2bdfc31ea955ad7236 3: b2a83b0ebf2f8374299a5b2bdfc31ea955ad7236 4: 4c1a19aad90f770956ff5ee00334a2d548b1a350 5: a1444a8a9904666165730168b3ae489447d3cef7 6: b2a83b0ebf2f8374299a5b2bdfc31ea955ad7236 7: 5c6327a67ff36f138e0b7bb1d2eafbf8a6e52ebf 8: fed489d2e5f9f85136e5ff53553d5f8b978dbe1a 9: a2fa191f2622bb014702013bfebfca9fe210d9e5 10: 3134641a3e8a1f5f75fa850bb21c3104d6ab863b 11: 0000000000000000000000000000000000000000 12: 0000000000000000000000000000000000000000 13: 0000000000000000000000000000000000000000 14: 71161a5707051fa7d6f584d812240b2e80f61942 15: 0000000000000000000000000000000000000000 16: 0000000000000000000000000000000000000000 17: ffffffffffffffffffffffffffffffffffffffff 18: ffffffffffffffffffffffffffffffffffffffff 19: ffffffffffffffffffffffffffffffffffffffff 20: ffffffffffffffffffffffffffffffffffffffff 21: ffffffffffffffffffffffffffffffffffffffff 22: ffffffffffffffffffffffffffffffffffffffff 23: 0000000000000000000000000000000000000000 ima-evm-utils-1.5/tests/sign_verify.test000077500000000000000000000317221440135744700204600ustar00rootroot00000000000000#!/bin/bash # SPDX-License-Identifier: GPL-2.0 # # evmctl {,ima_}{sign,verify} tests # # Copyright (C) 2020 Vitaly Chikunov # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2, or (at your option) # any later version. 
# # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. cd "$(dirname "$0")" || exit 1 PATH=../src:$PATH # set the env SIGV1=1 to execute the signature v1 tests SIGV1=${SIGV1:-0} source ./functions.sh _require cmp evmctl getfattr openssl xxd if cmp -b 2>&1 | grep -q "invalid option"; then echo "cmp does not support -b (cmp from busybox?) Use cmp from diffutils" exit "$HARDFAIL" fi ./gen-keys.sh >/dev/null 2>&1 trap _report_exit_and_cleanup EXIT WORKDIR=$(mktemp -d) set -f # disable globbing # Determine keyid from a cert _keyid_from_cert() { local cer=${1%.*}.cer cmd local tmp cer=test-${cer#test-} # shellcheck disable=SC2086 cmd="openssl x509 $OPENSSL_ENGINE \ -in $cer -inform DER -pubkey -noout" id=$($cmd 2>/dev/null \ | openssl asn1parse \ | grep BIT.STRING \ | tail -n1 \ | cut -d: -f1) if [ -z "$id" ]; then echo - "$cmd" >&2 echo "Cannot asn1parse $cer to determine keyid" >&2 exit 1 fi tmp=$(mktemp) # shellcheck disable=SC2086 openssl x509 $OPENSSL_ENGINE \ -in "$cer" -inform DER -pubkey -noout 2>/dev/null \ | openssl asn1parse -strparse "$id" -out "$tmp" -noout # shellcheck disable=SC2002 cat "$tmp" \ | openssl dgst -c -sha1 \ | cut -d' ' -f2 \ | grep -o ":..:..:..:..$" \ | tr -d : rm -f "$tmp" } # Convert test $type into evmctl op prefix _op() { if [ "$1" = ima ]; then echo ima_ fi } # Convert test $type into xattr name _xattr() { if [ "$1" = ima ]; then echo user.ima else echo user.evm fi } # Check that detached signature matches xattr signature _test_sigfile() { local file=$1 attr=$2 file_sig=$3 file_sig2=$4 if [ ! -e "$file_sig" ]; then color_red echo "evmctl ima_sign: no detached signature $file_sig" color_restore rm "$file" return "$FAIL" fi _extract_xattr "$file" "$attr" "$file_sig2" if ! 
cmp -bl "$file_sig" "$file_sig2"; then color_red echo "evmctl ima_sign: xattr signature on $file differ from detached $file_sig" color_restore rm "$file" "$file_sig" "$file_sig2" return "$FAIL" fi # Leave '$file_sig' for ima_verify --sigfile test. rm "$file_sig2" } # Run single sign command _evmctl_sign() { local type=$1 key=$2 alg=$3 file=$4 opts=$5 # Can check --sigfile for ima_sign [ "$type" = ima ] && opts+=" --sigfile" # shellcheck disable=SC2086 ADD_TEXT_FOR="$alg ($key)" ADD_DEL=$file \ _evmctl_run "$(_op "$type")sign" $opts \ --hashalgo "$alg" --key "$key" --xattr-user "$file" || return if [ "$type" = ima ]; then _test_sigfile "$file" "$(_xattr "$type")" "$file.sig" "$file.sig2" fi } # Run and test {ima_,}sign operation check_sign() { # Arguments are passed via global vars: # TYPE (ima or evm), # KEY, # ALG (hash algo), # PREFIX (signature header prefix in hex), # OPTS (additional options for evmctl), # FILE (working file to sign). local "$@" local key verifykey local FILE=${FILE:-$ALG.txt} # Normalize key filename if it's not a pkcs11 URI if [ ${KEY:0:7} != pkcs11: ]; then key=${KEY%.*}.key key=test-${key#test-} else key=${KEY} fi # Append suffix to files for negative tests, because we may # leave only good files for verify tests. _test_expected_to_fail && FILE+='~' rm -f $FILE if ! touch $FILE; then color_red echo "Can't create test file: $FILE" color_restore return "$HARDFAIL" fi if _test_expected_to_pass; then # Can openssl work with this digest? cmd="openssl dgst $OPENSSL_ENGINE $OPENSSL_KEYFORM -$ALG $FILE" echo - "$cmd" if ! $cmd >/dev/null; then echo "${CYAN}$ALG ($key) test is skipped (openssl is unable to digest)$NORM" return "$SKIP" fi if [ "${key:0:7}" != pkcs11: ] && [ ! -e "$key" ]; then echo "${CYAN}$ALG ($key) test is skipped (key file not found)$NORM" return "$SKIP" fi # Can openssl sign with this digest and key? cmd="openssl dgst $OPENSSL_ENGINE $OPENSSL_KEYFORM -$ALG -sign $key -hex $FILE" echo - "$cmd" if ! 
$cmd >/dev/null; then echo "${CYAN}$ALG ($key) test is skipped (openssl is unable to sign)$NORM" return "$SKIP" fi fi # Insert keyid from cert into PREFIX in-place of marker `:K:' if [[ $PREFIX =~ :K: ]]; then keyid=$(_keyid_from_cert "$key") if [ $? -ne 0 ]; then color_red echo "Unable to determine keyid for $key" color_restore return "$HARDFAIL" fi [ "$VERBOSE" -gt 2 ] && echo " Expected keyid: $keyid" PREFIX=${PREFIX/:K:/$keyid} fi # Perform signing by evmctl _evmctl_sign "$TYPE" "$key" "$ALG" "$FILE" "$OPTS" || return # First simple pattern match the signature. ADD_TEXT_FOR=$ALG \ _test_xattr "$FILE" "$(_xattr "$TYPE")" "$PREFIX.*" || return # This is all we can do for v1 signatures. [[ "$OPTS" =~ --rsa ]] && return "$OK" # This is all we can do for evm. [[ "$TYPE" =~ evm ]] && return "$OK" # When using the SM2/3 algorithm, the openssl tool uses USERID for verify, # which is incompatible with calling API directly, so skip it. [[ "$ALG" == sm3 ]] && return "$OK" # Extract signature to a file _extract_xattr "$FILE" "$(_xattr "$TYPE")" "$FILE.sig2" "$PREFIX" # Verify extracted signature with openssl if [ "${key:0:7}" != pkcs11: ]; then verifykey=${key%.*}.pub else verifykey=${key} fi cmd="openssl dgst $OPENSSL_ENGINE $OPENSSL_KEYFORM -$ALG -verify ${verifykey} \ -signature $FILE.sig2 $FILE" echo - "$cmd" if ! $cmd; then color_red_on_failure echo "Signature v2 verification with openssl is failed." color_restore rm "$FILE.sig2" return "$FAIL" fi rm "$FILE.sig2" return "$OK" } # Test verify operation check_verify() { # Arguments are passed via global vars: # TYPE (ima or evm), # KEY, # ALG (hash algo), # OPTS (additional options for evmctl), # FILE (filename to verify). local "$@" # shellcheck disable=SC2086 if ! 
openssl dgst $OPENSSL_ENGINE -"$ALG" /dev/null >/dev/null 2>&1; then echo $CYAN"$ALG ($KEY) test is skipped (openssl does not support $ALG)"$NORM return $SKIP fi # shellcheck disable=SC2086 ADD_TEXT_FOR="$FILE ($KEY)" \ _evmctl_run "$(_op "$TYPE")verify" --key "$KEY" --xattr-user $OPTS "$FILE" } # Test runners # Perform sign and verify ima and evm testing sign_verify() { local key=$1 alg=$2 prefix="$3" opts="$4" local file=$alg.txt # Set defaults: # Public key is different for v1 and v2 (where x509 cert is used). if [[ $opts =~ --rsa ]]; then KEY=test-$key.pub else KEY=test-$key.cer fi ALG=$alg PREFIX=$prefix OPTS=$opts FILE=$file TYPE=ima if expect_pass check_sign; then # Normal verify with proper key should pass expect_pass check_verify expect_pass check_verify OPTS="--sigfile" # Multiple files and some don't verify expect_fail check_verify FILE="/dev/null $file" rm "$FILE.sig" fi TYPE=evm # Avoid running blkid for evm tests which may require root # No generation on overlayfs: # ioctl(3, FS_IOC_GETVERSION, 0x7ffd8e0bd628) = -1 ENOTTY (Inappropriate ioctl for device) OPTS="$opts --uuid --generation 0" if expect_pass check_sign; then # Normal verify with proper key expect_pass check_verify # Verify with wrong key expect_fail check_verify KEY=rsa2048 fi # Note: Leaving TYPE=evm and file is evm signed } # Test --keys try_different_keys() { # This run after sign_verify which leaves # TYPE=evm and file is evm signed # v2 signing can work with multiple keys in --key option if [[ ! 
$OPTS =~ --rsa ]]; then # Have correct key in the key list expect_pass check_verify KEY="test-rsa2048.cer,$KEY" expect_pass check_verify KEY="/dev/null,$KEY," fi # Try key that is not used for signing expect_fail check_verify KEY=rsa2048 # Try completely wrong key files expect_fail check_verify KEY=/dev/null expect_fail check_verify KEY=/dev/zero } try_different_sigs() { # TYPE=evm and file is evm signed # Test --imasig if expect_pass check_sign OPTS="$OPTS --imasig"; then # Verify both evm and ima sigs expect_pass check_verify expect_pass check_verify TYPE=ima fi # Test --imahash if expect_pass check_sign OPTS="$OPTS --imahash"; then expect_pass check_verify # IMA hash is not verifiable by ima_verify expect_fail check_verify TYPE=ima fi # Test --portable (only supported for V2 signatures) if expect_pass check_sign OPTS="$OPTS --portable --imahash" PREFIX=0x05; then if [[ "$OPTS" =~ --rsa ]]; then expect_fail check_verify else expect_pass check_verify fi fi # Test -i (immutable) expect_pass check_sign OPTS="$OPTS -i" PREFIX=0x0303 # Cannot be verified for now } # Single test args: type key hash signature-prefix "evmctl-options" # sign_verify args: key hash signature-prefix "evmctl-options" # Only single test can be prefixed with expect_{fail,pass} # `sign_verify' can not be prefixed with expect_{fail,pass} because # it runs multiple tests inside. See more tests there. # signature-prefix can contain `:K:' which will be resolved to keyid (v2 only) ## Test v1 signatures # Signature v1 only supports sha1 and sha256 so any other should fail if [ $SIGV1 -eq 0 ]; then __skip() { echo "IMA signature v1 tests are skipped: not supported"; return $SKIP; } expect_pass __skip else expect_fail \ check_sign TYPE=ima KEY=rsa1024 ALG=md5 PREFIX=0x0301 OPTS=--rsa sign_verify rsa1024 sha1 0x0301 --rsa sign_verify rsa1024 sha256 0x0301 --rsa try_different_keys try_different_sigs fi ## Test v2 signatures with RSA PKCS#1 # List of allowed hashes much greater but not all are supported. 
sign_verify rsa1024 md5 0x030201:K:0080 sign_verify rsa1024 sha1 0x030202:K:0080 sign_verify rsa1024 sha224 0x030207:K:0080 expect_pass check_sign TYPE=ima KEY=rsa1024 ALG=sha256 PREFIX=0x030204aabbccdd0080 OPTS=--keyid=aabbccdd expect_pass check_sign TYPE=ima KEY=rsa1024 ALG=sha256 PREFIX=0x030204:K:0080 OPTS=--keyid-from-cert=test-rsa1024.cer expect_pass check_sign TYPE=ima KEY=rsa1024_skid ALG=sha256 PREFIX=0x030204123456780080 sign_verify rsa1024 sha256 0x030204:K:0080 try_different_keys try_different_sigs sign_verify rsa1024 sha384 0x030205:K:0080 sign_verify rsa1024 sha512 0x030206:K:0080 sign_verify rsa1024 rmd160 0x030203:K:0080 # Test v2 signatures with ECDSA # Signature length is typically 0x34-0x38 bytes long, very rarely 0x33 sign_verify prime192v1 sha1 0x030202:K:003[345678] sign_verify prime192v1 sha224 0x030207:K:003[345678] sign_verify prime192v1 sha256 0x030204:K:003[345678] sign_verify prime192v1 sha384 0x030205:K:003[345678] sign_verify prime192v1 sha512 0x030206:K:003[345678] # Signature length is typically 0x44-0x48 bytes long, very rarely 0x43 sign_verify prime256v1 sha1 0x030202:K:004[345678] sign_verify prime256v1 sha224 0x030207:K:004[345678] sign_verify prime256v1 sha256 0x030204:K:004[345678] sign_verify prime256v1 sha384 0x030205:K:004[345678] sign_verify prime256v1 sha512 0x030206:K:004[345678] # If openssl 3.0 is installed, test the SM2/3 algorithm combination ssl_major_version=$(openssl version | sed -n 's/^OpenSSL \([^\.]\).*/\1/p') if [ "${ssl_major_version}" = 3 ]; then sign_verify sm2 sm3 0x030211:K:004[345678] else __skip() { echo "sm2/sm3 tests are skipped (ssl version)"; return $SKIP; } expect_pass __skip fi # Test v2 signatures with EC-RDSA _enable_gost_engine sign_verify gost2012_256-A md_gost12_256 0x030212:K:0040 sign_verify gost2012_256-B md_gost12_256 0x030212:K:0040 sign_verify gost2012_256-C md_gost12_256 0x030212:K:0040 sign_verify gost2012_512-A md_gost12_512 0x030213:K:0080 sign_verify gost2012_512-B md_gost12_512 
0x030213:K:0080 # Test if signing with wrong key length does not work. expect_fail \ check_sign TYPE=ima KEY=gost2012_512-B ALG=md_gost12_256 PREFIX=0x0302 OPTS= expect_fail \ check_sign TYPE=ima KEY=gost2012_256-B ALG=md_gost12_512 PREFIX=0x0302 OPTS= # Test signing with key described by pkcs11 URI _softhsm_setup "${WORKDIR}" if [ -n "${PKCS11_KEYURI}" ]; then expect_pass check_sign FILE=pkcs11test TYPE=ima KEY=${PKCS11_KEYURI} ALG=sha256 PREFIX=0x030204aabbccdd0100 OPTS=--keyid=aabbccdd expect_pass check_sign FILE=pkcs11test TYPE=ima KEY=${PKCS11_KEYURI} ALG=sha1 PREFIX=0x030202aabbccdd0100 OPTS=--keyid=aabbccdd else # to have a constant number of tests, skip these two tests __skip() { echo "pkcs11 test is skipped: could not setup softhsm"; return $SKIP; } expect_pass __skip expect_pass __skip fi _softhsm_teardown "${WORKDIR}" ima-evm-utils-1.5/tests/softhsm_setup000077500000000000000000000141621440135744700200600ustar00rootroot00000000000000#!/usr/bin/env bash # SPDX-License-Identifier: GPL-2.0 and BSD-3-clause # This program originates from 'swtpm' project (https://github.com/stefanberger/swtpm/) if [ -z "$(type -P p11tool)" ]; then echo "Need p11tool from gnutls" exit 77 fi if [ -z "$(type -P softhsm2-util)" ]; then echo "Need softhsm2-util from softhsm2 package" exit 77 fi MAJOR=$(softhsm2-util -v | cut -d '.' -f1) MINOR=$(softhsm2-util -v | cut -d '.' -f2) if [ ${MAJOR} -lt 2 ] || [ ${MAJOR} -eq 2 -a ${MINOR} -lt 2 ]; then echo "Need softhsm v2.2.0 or later" exit 77 fi NAME=swtpm-test PIN=${PIN:-1234} SO_PIN=${SO_PIN:-1234} SOFTHSM_SETUP_CONFIGDIR=${SOFTHSM_SETUP_CONFIGDIR:-~/.config/softhsm2} export SOFTHSM2_CONF=${SOFTHSM_SETUP_CONFIGDIR}/softhsm2.conf UNAME_S="$(uname -s)" case "${UNAME_S}" in Darwin) msg=$(sudo -v -n) if [ $? 
-ne 0 ]; then echo "Need password-less sudo rights on OS X to change /etc/gnutls/pkcs11.conf" exit 1 fi ;; esac teardown_softhsm() { local configdir=${SOFTHSM_SETUP_CONFIGDIR} local configfile=${SOFTHSM2_CONF} local bakconfigfile=${configfile}.bak local tokendir=${configdir}/tokens softhsm2-util --token "${NAME}" --delete-token &>/dev/null case "${UNAME_S}" in Darwin*) if [ -f /etc/gnutls/pkcs11.conf.bak ]; then sudo rm -f /etc/gnutls/pkcs11.conf sudo mv /etc/gnutls/pkcs11.conf.bak \ /etc/gnutls/pkcs11.conf &>/dev/null fi ;; esac if [ -f "$bakconfigfile" ]; then mv "$bakconfigfile" "$configfile" else rm -f "$configfile" fi if [ -d "$tokendir" ]; then rm -rf "${tokendir}" fi return 0 } setup_softhsm() { local msg tokenuri keyuri local configdir=${SOFTHSM_SETUP_CONFIGDIR} local configfile=${SOFTHSM2_CONF} local bakconfigfile=${configfile}.bak local tokendir=${configdir}/tokens local rc case "${UNAME_S}" in Darwin*) if [ -f /etc/gnutls/pkcs11.conf.bak ]; then echo "/etc/gnutls/pkcs11.conf.bak already exists; need to 'teardown' first" return 1 fi sudo mv /etc/gnutls/pkcs11.conf \ /etc/gnutls/pkcs11.conf.bak &>/dev/null if [ $(id -u) -eq 0 ]; then SONAME="$(sudo -u nobody brew ls --verbose softhsm | \ grep -E "\.so$")" else SONAME="$(brew ls --verbose softhsm | \ grep -E "\.so$")" fi sudo mkdir -p /etc/gnutls &>/dev/null sudo bash -c "echo "load=${SONAME}" > /etc/gnutls/pkcs11.conf" ;; esac if ! [ -d $configdir ]; then mkdir -p $configdir fi mkdir -p ${tokendir} if [ -f $configfile ]; then mv "$configfile" "$bakconfigfile" fi if ! [ -f $configfile ]; then cat <<_EOF_ > $configfile directories.tokendir = ${tokendir} objectstore.backend = file log.level = DEBUG slots.removable = false _EOF_ fi msg=$(p11tool --list-tokens 2>&1 | grep "token=${NAME}" | tail -n1) if [ $? 
-ne 0 ]; then echo "Could not list existing tokens" echo "$msg" fi tokenuri=$(echo "$msg" | sed -n 's/.*URL: \([[:print:]*]\)/\1/p') if [ -z "$tokenuri" ]; then msg=$(softhsm2-util \ --init-token --pin ${PIN} --so-pin ${SO_PIN} \ --free --label ${NAME} 2>&1) if [ $? -ne 0 ]; then echo "Could not initialize token" echo "$msg" return 2 fi slot=$(echo "$msg" | \ sed -n 's/.* reassigned to slot \([0-9]*\)$/\1/p') if [ -z "$slot" ]; then slot=$(softhsm2-util --show-slots | \ grep -E "^Slot " | head -n1 | sed -n 's/Slot \([0-9]*\)/\1/p') if [ -z "$slot" ]; then echo "Could not parse slot number from output." echo "$msg" return 3 fi fi msg=$(p11tool --list-tokens 2>&1 | \ grep "token=${NAME}" | tail -n1) if [ $? -ne 0 ]; then echo "Could not list existing tokens" echo "$msg" fi tokenuri=$(echo "$msg" | sed -n 's/.*URL: \([[:print:]*]\)/\1/p') if [ -z "${tokenuri}" ]; then echo "Could not get tokenuri!" return 4 fi # more recent versions of p11tool have --generate-privkey ... msg=$(GNUTLS_PIN=$PIN p11tool \ --generate-privkey=rsa --bits 2048 --label mykey --login \ "${tokenuri}" 2>&1) if [ $? -ne 0 ]; then # ... older versions have --generate-rsa msg=$(GNUTLS_PIN=$PIN p11tool \ --generate-rsa --bits 2048 --label mykey --login \ "${tokenuri}" 2>&1) if [ $? -ne 0 ]; then echo "Could not create RSA key!" echo "$msg" return 5 fi fi fi getkeyuri_softhsm $slot rc=$? if [ $rc -ne 0 ]; then teardown_softhsm fi return $rc } _getkeyuri_softhsm() { local msg tokenuri keyuri msg=$(p11tool --list-tokens 2>&1 | grep "token=${NAME}") if [ $? -ne 0 ]; then echo "Could not list existing tokens" echo "$msg" return 5 fi tokenuri=$(echo "$msg" | sed -n 's/.*URL: \([[:print:]*]\)/\1/p') if [ -z "$tokenuri" ]; then echo "Could not get token URL" echo "$msg" return 6 fi msg=$(p11tool --list-all ${tokenuri} 2>&1) if [ $? 
-ne 0 ]; then echo "Could not list object under token $tokenuri" echo "$msg" softhsm2-util --show-slots return 7 fi keyuri=$(echo "$msg" | sed -n 's/.*URL: \([[:print:]*]\)/\1/p') if [ -z "$keyuri" ]; then echo "Could not get key URL" echo "$msg" return 8 fi echo "$keyuri" return 0 } getkeyuri_softhsm() { local keyuri rc keyuri=$(_getkeyuri_softhsm) rc=$? if [ $rc -ne 0 ]; then return $rc fi echo "keyuri: $keyuri?pin-value=${PIN}" #&module-name=softhsm2" return 0 } getpubkey_softhsm() { local keyuri rc keyuri=$(_getkeyuri_softhsm) rc=$? if [ $rc -ne 0 ]; then return $rc fi GNUTLS_PIN=${PIN} p11tool --export-pubkey "${keyuri}" --login 2>/dev/null return $? } usage() { cat <<_EOF_ Usage: $0 [command] Supported commands are: setup : Setup the user's account for softhsm and create a token and key with a test configuration getkeyuri : Get the key's URI; may only be called after setup getpubkey : Get the public key in PEM format; may only be called after setup teardown : Remove the temporary softhsm test configuration _EOF_ } main() { local ret if [ $# -lt 1 ]; then usage $0 echo -e "Missing command.\n\n" return 1 fi case "$1" in setup) setup_softhsm ret=$? ;; getkeyuri) getkeyuri_softhsm ret=$? ;; getpubkey) getpubkey_softhsm ret=$? ;; teardown) teardown_softhsm ret=$? ;; *) echo -e "Unsupported command: $1\n\n" usage $0 ret=1 esac return $ret } main "$@" exit $? 
ima-evm-utils-1.5/tests/test_ascii_runtime_measurements000066400000000000000000000006161440135744700236330ustar00rootroot0000000000000010 cf41b43c4031672fcc2bd358b309ad33b977424f ima-ng sha256:f1b4c7c9b27e94569f4c2b64051c452bc609c3cb891dd7fae06b758f8bc83d14 boot_aggregate 10 983dcd8e6f7c84a1a5f10e762d1850623966ceab ima-ng sha256:ae06e032a65fed8102aff5f8f31c678dcf2eb25b826f77ecb699faa0411f89e0 /init 10 b6e4d01c73f6e4b698eaf48e7d76a2bae0c02514 ima-ng sha256:4b1764ee112aa8b2a6ae9a3a2f1e272b6601681f610708497673cd49e5bd2f5c /bin/sh ima-evm-utils-1.5/tests/test_binary_bios_measurements000066400000000000000000000553201440135744700233020ustar00rootroot00000000000000%Spec ID Event03 HyimxYXQ<: R_jW- }$Z{M{ !N24ET56W =A 1긴X ၟo7&D~[DGacw c,^{2"QWxƾ:N=zQ#XJ< |MAUMG.ں:, VOCu@S \!#]^J?Ҧ *lͤC?Ǫ[#X)fC6f[Qqq ;04vi"9_Ĝ ?3 ACPI DATAF9XTrL ֭&kjo-E-h^N 5 ACPI DATAM@AIMɐSC'} K(EںU+b}4vv1A@5aʓ + SecureBootp!$j_h* COD IwUmuY|>aʓ +PKY䔧J\+rN<"Ac900 kn0  *H  0j1 0 UJP10U Kanagawa10U Yokohama10U Lenovo Ltd.10U Lenovo Ltd. PK CA 20120 120629103436Z 320624103436Z0j1 0 UJP10U Kanagawa10U Yokohama10U Lenovo Ltd.10U Lenovo Ltd. 
PK CA 20120"0  *H 0 ]bcwRf_"q:K TZIԡRlK` ¼}f|u2^Xfso*d4?,UNw!sl@1S$,mB\)BZ^pwYx3Fj?R <۔k]L s :E:޴0;1 M(ŵ>B&TX w=RN2.;zؓP0N0UwKLqt4=H0U#0wKLqt4=H0 U00  *H  pe%U֑ߑ2KՎC]=rN:O&g(Vj0a-}B; (aOO!ۦx(_ݵדrne򥷩ue2]e^lN(x0 pTXP"#>aO`Gri(O:>1 4}AAꞂT6_\LxAym,= l#`G+QQ|^`%Y}0U#0y@AF|KF>}0 U00  *H  m;D$i-"Uڧ[AMJr,SpVh_.>帄KzeRqfIԅ(:\@B) j4_Kr^t˼Ūze@ʧtTm\I&.WQ_|W|Y䔧J\+rwY2M`(xK00Р a ш0  *H  01 0 UUS10U Washington10URedmond10U Microsoft Corporation1;09U2Microsoft Corporation Third Party Marketplace Root0 110624204129Z 260624205129Z01 0 UUS10U Washington10URedmond10U Microsoft Corporation1*0(U!Microsoft Corporation KEK CA 20110"0  *H 0 赊W&&WzD] Jt*mZc2|O 8, 0HPdQȅO /Sjb: C%#pM/$JC ~Gl3*q<% /hvFOܭq*Xy=e;)*rY뮒5_̝vcy@yR{iO0K0 +70UbC͠>g[U{̶_0 +7  SubCA0 U0U00U#0EfRC~XN#U;:"j0\UU0S0QOMKhttp://crl.microsoft.com/pki/crl/products/MicCorThiParMarRoo_2010-10-05.crl0`+T0R0P+0Dhttp://www.microsoft.com/pki/certs/MicCorThiParMarRoo_2010-10-05.crt0  *H  Ԅ*<* נRfuz-vZy7jQ{ddgxΈXd W_iHK2]0x+4VʮA%pkז* K(){|vyo~l{E4Q9^VBwqV̟#˦X~ig~ <νC-j+Z|DR-R=`3e |N8/ o.9'B)FA;gCYe Ou;$PA@y-O j'vnRi{E­S076aJi4hl l"yF`!y2`ج"KK}?W5Ou`"Sy֛ATp 5|4r`;y뢲]%o8yi uk4`\WN62&Ri$Cٜ5c 7I5μ6}E8xRe\1˲:=EgeodbY䔧J\+rǬN]CE00 Ecz aRD0  *H  0l1 0 UJP10U Kanagawa10U Yokohama10U Lenovo Ltd.1!0U Lenovo Ltd. Root CA 20120 120629104731Z 320624104731Z0l1 0 UJP10U Kanagawa10U Yokohama10U Lenovo Ltd.1!0U ThinkPad Product CA 20120"0  *H 0 V7ۨpg_dgzqOL.$>tW_󥟒Y㘮f-uGqdt L)aA77^7jK0yb3͠>biC'Qsaǵ z% [X;&It_jsY54bps| wRW'T~b3RZ{7GD.b"2Tfm_H!_ʈJZ- $(*I9MAӏ+όn4,cP0N0UTUc_p@i&YI0U#0A hPnT~p͒ak0 U00  *H  N9<56ĎG(B("I8#CiXGŇ<%$Ϳm"@s_yDtK[;(B&s˚('&A/ -e$waa0x[#l&$OCT< [Ps'p'Lk@X$j1S XPB`߷1ќgK6 'Uԫ4-cP\QJ}MQ%MF\qFPd@Y䔧J\+rǬN]CE00k Hb4u4# M0  *H  0U1 0 UUS10U North Carolina10 U Lenovo10U Lenovo UEFI CA 20140 140124161424Z 340119161424Z0U1 0 UUS10U North Carolina10 U Lenovo10U Lenovo UEFI CA 20140"0  *H 0 ;pJ*ɱEe'< c >(|-PҊ"ٴ1T{e0'AQ`g,Wwg&jӞSgY=? 
Ԏad!g@ys?期'&/[\-8-B0Fn#1~`wXykk Uߞ6&$ݤJ[J.DGb ¹'0Q+k؛2 j(Sb=hK b}Π*?4˽gJD,ZܡY䔧J\+r@$wY2M`(xK00 a0  *H  01 0 UUS10U Washington10URedmond10U Microsoft Corporation1;09U2Microsoft Corporation Third Party Marketplace Root0 110627212245Z 260627213245Z01 0 UUS10U Washington10URedmond10U Microsoft Corporation1+0)U"Microsoft Corporation UEFI CA 20110"0  *H 0 lLE jK u CTd} s JEa-+MIA#/^Pƍ_A. lui!Mڭ,wS%27lRr5aj;PV2-B'UZ0TG%/&A\?[<>?GrU%"{*F 5'bq'Y7`8xpLEe¶~iuYXY䔧J\+rwY2M`(xK00 avV0  *H  01 0 UUS10U Washington10URedmond10U Microsoft Corporation1200U)Microsoft Root Certificate Authority 20100 111019184142Z 261019185142Z01 0 UUS10U Washington10URedmond10U Microsoft Corporation1.0,U%Microsoft Windows Production PCA 20110"0  *H 0  . i!i33T ҋ8-|byJ?5 pk6u1ݍp7tF([`#,GgQ'rɹ;S5|'# oFnhttp://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt0  *H  |qQyn9>\` QfG=*hwLb{Ǻz4KbzJ7-W|=ܸZij:ni!7ށugӓW^)9-Es[zFX^gl5?$5 uVx,Јߺ~,c#!xlX6+̤-@EΊ\k>p* j_Gc 26*pZBYqKW~!<ŹE ŕ]b֠c uw}=EWo3wbY~Bp`qjc3 DJMʚȗV'ÅϹ +e[˲:=Egeodbx&LP@A6C(0wY2M`(xKi1 ORm@`MAe wY2M`(xK/֒r($E4[$k;}nzwY2M`(xKء- *o.s >d,NgyjwY2M`(xK63M. xbdYWC&`HXšvwY2M`(xK세Kle qR0! 
b h2۲ '%'߶=IҕrLwY2M`(xK^T`< k覃R8wY2M`(xKƨXdoy(#g+69ОwY2M`(xK _NQxmЁ%orxRYe&wY2M`(xK Cڬz0eu1{ 될ctwY2M`(xK 9v-6=cqZ9ϰF\`lk׽wY2M`(xK o)o3}rK H:*?OwY2M`(xK !Hʃ62u> [1R*[wY2M`(xKoN0;t􀠀Ѐ+ot!hwY2M`(xKN: [CƦ@O4=9bgΔ.#ڒ wY2M`(xK34)bퟗ>H-.ImTdwY2M`(xK+&B.6_K 'lKzoD/ki9wY2M`(xK+,'R*]IZ+R]fbUwY2M`(xK,s3%mԤ<[UYPPR}wY2M`(xK.pgsQpW2.#ӹ+Q}wY2M`(xK0f(Tw0W(JF}8zTiv^uҍwY2M`(xK6Awz/^g4g^Ù^i5 ҽwY2M`(xK8A!6\ !`9MlN g`b[wY2M`(xK?Λ>TR^·mt:syqUpj>swY2M`(xKCʃc| C-/&zKuwY2M`(xKGa':k,Zmk6!h,*Z߽wY2M`(xKQ1s>!"Ty 0a5wY2M`(xKZIU9[.B,/gg6A+\wY2M`(xKkxA{^`Gr̴/fwY2M`(xKlTGYQ&l+585rѓ.wY2M`(xKo(qկ.{˫d|eͶ& :x^wY2M`(xKqo"I~TFb$ whٿcuwY2M`(xKrk>Tj0=ppq-ĝ,#wY2M`(xKrg]V;ݼ2ت^/m(ؽwY2M`(xKx'6,q}䱿CqZH[ʤKŽwY2M`(xKeӇk)T̕SϪȣ;3佚wY2M`(xK;δCΝч͛YA=Xo+V7W_gwY2M`(xKZ~OG q"8b:ߒ=wY2M`(xKHY jagznFdr!YEwY2M`(xK4͐e;=<5P_{c!wY2M`(xK se(Q$Q?eYW5)@νwY2M`(xK5g+6~OIia]JlrMBwY2M`(xK,";VB\GYG8DoYwY2M`(xKn=)t=J2@ؽwY2M`(xKcOx,7`XbfnmwY2M`(xKϲ2.KmH],qgrRY\u"6wY2M`(xKaJ~UәnE AR'[wY2M`(xKU =HZ7?=|cwY2M`(xKw ^; b x  S^ˇ k/wY2M`(xK<9"`tFu7̔ܭZ˦G/4q9脽wY2M`(xK;S> #Aryę-æ6wY2M`(xKQ3@HΈrRjRç`IwY2M`(xKdW[x.V4Rk DxYuN-dEwY2M`(xKEȮu ϻH7R}ddMؑ<͊$MigߎixE (QsC>RRs ?a/@W-=HwRI$Q"}e8i"\J 8+HBs5J@z<7oE_ -M*AEo-4e LenovoConfig4%zr{cStc !B+MF5#RbW?9QQ "O LAӝILenovoSecurityConfig [B֤hHo9@w w ;m9WEt0u#@ D,J. gyUYKjY C`ϽbC;}#TEh)LH-Ts+Jaʓ + BootOrder$qC؏:3I ۫.E Ec<%vT EA*an!caʓ +vBoot0000bubuntu*#MEΛGE{4\EFI\ubuntu\shimx64.efi&'CfH9O Z ԅj {tz8⇉ =z kaʓ +;Boot001A)NVMe0 %8x`Mhy[2LN鎸K =7m8UR ݽs( 6a>3 @;Flaʓ +<Boot0017(USB CD $8x`Mhy[pZxHlԝӺjUMTte2fk! 
|YF@7gE[;,.Snaʓ +>Boot0018(USB FDD $8x`Mhy[o0Cd FI EX{r5< U4ww4aca%wW?XvMT.3+qaʓ +ABoot001B)ATA HDD0 %8x`Mhy[bYVDAO*j7΅gnS 8 P ܅5`7Sk2?qB~iHnaʓ +>Boot001C(USB HDD $8x`Mhy[3!3GA39 M҄N2")ʓg;Q $y N,:.#qJ4 kaʓ +;Boot0019)NVMe1 %8x`Mhy[2LN鎸ȩG<9O[) U 6'3hC <{6PAKR4naʓ +>Boot001D(PCI LAN $8x`Mhy[xJ+*N̏=8~l`huL V24kJD@JZbKV0 mqaʓ +ABoot001E)Other CD %8x`Mhy[ !N:^GVT -+o2יaܓM ;ߎ1iǺiw@u3saʓ +CBoot001F)Other HDD %8x`Mhy[bYVDAO* :~YJN5NJ.TY ?Vw+XS.Nn7XO0naʓ +>Boot0024 (PCI LAN $8x`Mhy[xJ+*N̏=8XSth%VJ57 b\0T0<6K&;{(l/+;<aʓ +Boot0001bLinux-Firmware-Updater*#MEΛGE{4\EFI\ubuntu\shimx64.efi\fwupdx64.efiE1A'S&7V =grNu*,L_rPo*ƝV3(Calling EFI Application from Boot OptionixE (QsC>RRs ?a/@W-=HwRI$ixE (QsC>RRs ?a/@W-=HwRI$ixE (QsC>RRs ?a/@W-=HwRI$ixE (QsC>RRs ?a/@W-=HwRI$ixE (QsC>RRs ?a/@W-=HwRI$ixE (QsC>RRs ?a/@W-=HwRI$ixE (QsC>RRs ?a/@W-=HwRI$XfL g A' MJ,t;۵u6`C.H˲:=Egeo$dbwY2M`(xK00 a0  *H  01 0 UUS10U Washington10URedmond10U Microsoft Corporation1;09U2Microsoft Corporation Third Party Marketplace Root0 110627212245Z 260627213245Z01 0 UUS10U Washington10URedmond10U Microsoft Corporation1+0)U"Microsoft Corporation UEFI CA 20110"0  *H 0 lLE jK u CTd} s JEa-+MIA#/^Pƍ_A. 
lui!Mڭ,wS%27lRr5aj;PV2-B'UZ0TG%/&A\?[<>?GrU%"{*F 5'bq'Y7`8xpLEe¶~iuYX[s!׽@lV }.s͓.H'碛KOcJ',dEFI PART\xJ2"2"A; FB$@ӎ(s*K>;#MEΛGE{EFI System Partition=rGy=iG}f9L#ɯC/90J_4gs+> LW >!f>-# X3#6تx ^ A %8K*#MEΛGE{4\EFI\ubuntu\shimx64.efi Kq~I(/sC IF ȋ[$Pj{usE>E MokListu{֎HU"N ڷNaYʬ\+줆6'%rp)]zD('Rfl pܠ@>.g+C00U *#eZ&4Zc0U#0 *#eZ&4Zc0U00 U0CU<0:08642http://www.canonical.com/secure-boot-master-ca.crl0  *H  ?}v+zmRPGwҮW2:UVv Qۚ\?sڔj8m9qtv>V#5UG[AL b s^ֵz~>~f[9HQS1S;upLF=hG}QĚϣ]풻3Qs fm'wBj dEu1$0Os 8R(M>EaĪ;[}8U`&) dEu1$0Os 8R(M>EaĪ;[}8U`&) _sB{Ieߏ fuon|GᲖPwP]`FC=݋#CMokList0?0'w%VW ߫XTv0  *H  01 0 UUS1 0 U NY10U WhitePlains1 0 U IBM10U Secure Boot Signing1"0  *H  zohar@linux.ibm.com0  200311122912Z21200216122912Z01 0 UUS1 0 U NY10U WhitePlains1 0 U IBM10U Secure Boot Signing1"0  *H  zohar@linux.ibm.com0"0  *H 0 }} ~0?| 1A350ԑ-j+/lF)S)Ȏ^Jf .]3>hռw"GA*ힹߊ֋xU׹5K_3"zʫO!K~@ymj'WƖ9t;˥'kv?%1+6vWC刉['5~ pA.L$)+b q4櫪&\}Knj;*S|pjNщSM{bvvq00U y2T5Q;o0U#0 y2T5Q;o0 U00+U%$0"+ +7  +0, `HB OpenSSL Generated Certificate0  *H  è>Y.A;% ,Ԍ(9#Z Ѹ4$%Kz,}BQ8`ƔGJwO9e<V%8s=qVޟ"4GqC5˅6"yWHߨ\a"&b`Lo$ p ƚzhvgKe\O^lVi.wӨ[w0b>Uެ41dӸ=SJkv-< yi[m`m)łǮ'Y;)D^eіזHm SbK\\bXĸ'y8=<"WRk]W(\]zJҍDZ^OAgF[>ƒ5-d8n--sf1dpT,2/ _Y㰰ʮo{y½睅hHP^!6଑z =۔&ki~bDpv|i"}FM7pima-evm-utils-1.5/tests/test_mmap.c000066400000000000000000000061041440135744700173610ustar00rootroot00000000000000// SPDX-License-Identifier: GPL-2.0 /* * Copyright (C) 2023 Huawei Technologies Duesseldorf GmbH * * Tool to test IMA MMAP_CHECK and MMAP_CHECK_REQPROT hooks. */ #include #include #include #include #include #include #include #include /* * Convention: return 1 for errors that should not occur, as they are * setup-related, return 2 for errors that might occur due to testing * conditions. 
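 */
#define ERR_SETUP 1
#define ERR_TEST 2

/*
 * Map the file named by argv[1] and report whether the kernel allowed it.
 *
 * argv[2] (optional) selects the scenario:
 *   read_implies_exec  switch to the READ_IMPLIES_EXEC personality first
 *   exec_on_writable   hold a PROT_WRITE/MAP_SHARED mapping of the file while
 *                      mapping it again with PROT_READ|PROT_EXEC
 *   mprotect           map PROT_READ, then mprotect() the mapping to PROT_EXEC
 *   exec*              any argument starting with "exec" adds PROT_EXEC to the
 *                      read-only mapping
 *
 * Returns 0 when every step succeeds, ERR_TEST when the kernel refuses in the
 * way a test expects (EACCES on the exec_on_writable mapping, EPERM on
 * mprotect), and ERR_SETUP for any other failure.
 */
int main(int argc, char *argv[])
{
	struct stat st;
	void *ptr, *ptr_write = NULL;
	int ret, fd, fd_write, prot = PROT_READ;
	int saved_errno;
	const char *mode;

	/* argc check: with an empty argv, argv[1] would be out of bounds. */
	if (argc < 2) {
		printf("Missing file parameter\n");
		return ERR_SETUP;
	}
	/* argv[argc] is NULL, so this is NULL when no scenario was given. */
	mode = argv[2];

	if (mode && !strcmp(mode, "read_implies_exec")) {
		ret = personality(READ_IMPLIES_EXEC);
		if (ret == -1) {
			printf("Failed to set personality, err: %d (%s)\n",
			       -errno, strerror(errno));
			return ERR_SETUP;
		}
	}

	if (stat(argv[1], &st) == -1) {
		printf("Failed to access %s, err: %d (%s)\n", argv[1],
		       -errno, strerror(errno));
		return ERR_SETUP;
	}

	if (mode && !strcmp(mode, "exec_on_writable")) {
		fd_write = open(argv[1], O_RDWR);
		if (fd_write == -1) {
			printf("Failed to open %s in r/w, err: %d (%s)\n",
			       argv[1], -errno, strerror(errno));
			return ERR_SETUP;
		}

		/* The writable mapping is kept until after the exec mapping. */
		ptr_write = mmap(0, st.st_size, PROT_WRITE, MAP_SHARED,
				 fd_write, 0);
		saved_errno = errno;	/* close() may overwrite errno */
		close(fd_write);
		if (ptr_write == MAP_FAILED) {
			printf("Failed mmap() with PROT_WRITE on %s, err: %d (%s)\n",
			       argv[1], -saved_errno, strerror(saved_errno));
			return ERR_SETUP;
		}
	}

	fd = open(argv[1], O_RDONLY);
	if (fd == -1) {
		printf("Failed to open %s in ro, err: %d (%s)\n", argv[1],
		       -errno, strerror(errno));
		if (ptr_write && munmap(ptr_write, st.st_size) == -1)
			printf("Failed munmap() of writable mapping on %s, err: %d (%s)\n",
			       argv[1], -errno, strerror(errno));
		return ERR_SETUP;
	}

	if (mode && !strncmp(mode, "exec", 4))
		prot |= PROT_EXEC;

	ptr = mmap(0, st.st_size, prot, MAP_PRIVATE, fd, 0);
	/*
	 * Capture the mmap() errno before close()/munmap() below can clobber
	 * it; the EACCES classification further down depends on it.
	 */
	saved_errno = errno;
	close(fd);

	if (ptr_write && munmap(ptr_write, st.st_size) == -1) {
		printf("Failed munmap() of writable mapping on %s, err: %d (%s)\n",
		       argv[1], -errno, strerror(errno));
		return ERR_SETUP;
	}

	if (ptr == MAP_FAILED) {
		ret = ERR_SETUP;
		/* A refused exec mapping of a writable file is the expected outcome. */
		if (mode && !strcmp(mode, "exec_on_writable") &&
		    saved_errno == EACCES)
			ret = ERR_TEST;
		else
			printf("Failed mmap() with PROT_READ%s on %s, err: %d (%s)\n",
			       (prot & PROT_EXEC) ? " | PROT_EXEC" : "",
			       argv[1], -saved_errno, strerror(saved_errno));
		return ret;
	}

	ret = 0;
	if (mode && !strcmp(mode, "mprotect")) {
		ret = mprotect(ptr, st.st_size, PROT_EXEC);
		if (ret == -1) {
			ret = ERR_SETUP;
			/* EPERM is the expected refusal for this scenario. */
			if (errno == EPERM)
				ret = ERR_TEST;
			else
				printf("Unexpected mprotect() error on %s, err: %d (%s)\n",
				       argv[1], -errno, strerror(errno));
		}
	}

	if (munmap(ptr, st.st_size) == -1) {
		printf("Failed munmap() of mapping on %s, err: %d (%s)\n",
		       argv[1], -errno, strerror(errno));
		return ERR_SETUP;
	}

	return ret;
}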