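#!/bin/sh
# Copyright (c) 2009 IBM Corporation
# Copyright (c) 2018 Petr Vorel <pvorel (at] suse.cz>
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; either version 2 of
# the License, or (at your option) any later version.
#
# This program is distributed in the hope that it would be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
#
# Author: Mimi Zohar, zohar (at] ibm.vnet.ibm.com
#
# Verify the boot and PCR aggregates.
#
# test1: the "boot_aggregate" entry (first line of the IMA ASCII measurement
#        list) must equal the aggregate that ima_boot_aggregate derives from
#        the TPM BIOS event log; with no TPM present the kernel records an
#        all-zero boot aggregate instead.
# test2: the PCR-10 value that evmctl recomputes by replaying the IMA binary
#        measurement list must equal the PCR-10 value the TPM driver exports
#        under /sys. A mismatch means the measurement list and the TPM
#        disagree, i.e. the list could not be used to attest this boot.
#
# Requires ima_setup.sh (SECURITYFS, ASCII_MEASUREMENTS, BINARY_MEASUREMENTS,
# tst_res, tst_check_cmds, tst_run).

TST_CNT=2
TST_NEEDS_CMDS="awk cut ima_boot_aggregate"

. ima_setup.sh

#######################################
# Compare the IMA boot_aggregate entry with the TPM BIOS event log.
# Globals:   SECURITYFS, ASCII_MEASUREMENTS (read)
# Outputs:   TPASS/TFAIL via tst_res
#######################################
test1()
{
	tst_res TINFO "verify boot aggregate"

	# 40 hex zeros, i.e. a SHA-1 sized digest. NOTE(review): a measurement
	# list hashed with a longer algorithm would never match this constant;
	# confirm the list uses SHA-1 before relying on the no-TPM branch.
	local zero="0000000000000000000000000000000000000000"
	local tpm_bios="$SECURITYFS/tpm0/binary_bios_measurements"
	local ima_measurements="$ASCII_MEASUREMENTS"
	local boot_aggregate boot_hash line

	# IMA boot aggregate: first line of the ASCII list; its second-to-last
	# field is "<algo>:<hash>", so keep only the part after the colon.
	read -r line < "$ima_measurements"
	boot_hash=$(printf '%s\n' "$line" | awk '{print $(NF-1)}' | cut -d':' -f2)

	if [ ! -f "$tpm_bios" ]; then
		tst_res TINFO "TPM Hardware Support not enabled in kernel or no TPM chip found"

		# Without a TPM there is nothing to aggregate: the kernel's
		# boot_aggregate must be all zeros.
		if [ "${boot_hash}" = "${zero}" ]; then
			tst_res TPASS "bios boot aggregate is 0"
		else
			tst_res TFAIL "bios boot aggregate is not 0"
		fi
	else
		# ima_boot_aggregate replays the BIOS event log and prints
		# "boot_aggregate:<hash>".
		boot_aggregate=$(ima_boot_aggregate "$tpm_bios" | grep "boot_aggregate:" | cut -d':' -f2)
		if [ "${boot_hash}" = "${boot_aggregate}" ]; then
			tst_res TPASS "bios aggregate matches IMA boot aggregate"
		else
			tst_res TFAIL "bios aggregate does not match IMA boot aggregate"
		fi
	fi
}

# Probably cleaner to programmatically read the PCR values directly
# from the TPM, but that would require a TPM library. For now, use
# the PCR values from /sys/devices.
#######################################
# Check that the PCR-10 recomputed by evmctl from the binary measurement
# list equals the PCR-10 the TPM driver reports.
# Globals:   BINARY_MEASUREMENTS (read)
# Arguments: $1 - path of the sysfs "pcrs" file ("PCR-NN: XX XX ..." lines)
# Returns:   0 when the values match, 1 when PCR-10 cannot be obtained from
#            evmctl, is absent from the file, or differs.
#######################################
validate_pcr()
{
	# PCR = Platform Configuration Register (the TPM term); the earlier
	# message expanded the acronym incorrectly.
	tst_res TINFO "verify PCR (Platform Configuration Register)"

	local dev_pcrs="$1"
	local pcr hash aggregate_pcr line

	# evmctl prints its replayed value as "HW PCR-10: <hash>"; stderr is
	# merged because the verbose output is what carries that line.
	aggregate_pcr="$(evmctl -v ima_measurement "$BINARY_MEASUREMENTS" 2>&1 | \
		grep 'HW PCR-10:' | awk '{print $3}')"
	if [ -z "$aggregate_pcr" ]; then
		tst_res TFAIL "failed to get PCR-10"
		return 1
	fi

	# sysfs lists the PCR bytes upper-case and space separated; normalise
	# to the lower-case hex string evmctl prints before comparing.
	while read -r line; do
		pcr="$(printf '%s\n' "$line" | cut -d':' -f1)"
		if [ "${pcr}" = "PCR-10" ]; then
			hash="$(printf '%s\n' "$line" | cut -d':' -f2 | awk '{ gsub (" ", "", $0); print tolower($0) }')"
			[ "${hash}" = "${aggregate_pcr}" ]
			return $?
		fi
	done < "$dev_pcrs"
	# No PCR-10 line found: treat as a mismatch, not a pass.
	return 1
}

#######################################
# Locate the sysfs PCR file for tpm0 and run validate_pcr on it.
# Outputs:   TPASS/TFAIL/TCONF via tst_res
#######################################
test2()
{
	tst_res TINFO "verify PCR values"
	tst_check_cmds evmctl

	tst_res TINFO "evmctl version: $(evmctl --version)"

	# Newer kernels expose the PCRs under /sys/class/tpm; fall back to the
	# older /sys/class/misc location.
	local pcrs_path="/sys/class/tpm/tpm0/device/pcrs"
	if [ -f "$pcrs_path" ]; then
		tst_res TINFO "new PCRS path, evmctl >= 1.1 required"
	else
		pcrs_path="/sys/class/misc/tpm0/device/pcrs"
	fi

	if [ -f "$pcrs_path" ]; then
		if validate_pcr "$pcrs_path"; then
			tst_res TPASS "aggregate PCR value matches real PCR value"
		else
			tst_res TFAIL "aggregate PCR value does not match real PCR value"
		fi
	else
		tst_res TCONF "TPM Hardware Support not enabled in kernel or no TPM chip found"
	fi
}

tst_run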