1 #!/bin/sh 2 3 ################################################################################ 4 ## ## 5 ## Copyright (C) 2009 IBM Corporation ## 6 ## ## 7 ## This program is free software; you can redistribute it and#or modify ## 8 ## it under the terms of the GNU General Public License as published by ## 9 ## the Free Software Foundation; either version 2 of the License, or ## 10 ## (at your option) any later version. ## 11 ## ## 12 ## This program is distributed in the hope that it will be useful, but ## 13 ## WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY ## 14 ## or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ## 15 ## for more details. ## 16 ## ## 17 ## You should have received a copy of the GNU General Public License ## 18 ## along with this program; if not, write to the Free Software ## 19 ## Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA ## 20 ## ## 21 ################################################################################ 22 # 23 # File : ima_tpm.sh 24 # 25 # Description: This file verifies the boot and PCR aggregates 26 # 27 # Author: Mimi Zohar, zohar (at] ibm.vnet.ibm.com 28 # 29 # Return - zero on success 30 # - non zero on failure. return value from commands ($RC) 31 ################################################################################ 32 export TST_TOTAL=3 33 export TCID="ima_tpm" 34 35 init() 36 { 37 tst_check_cmds ima_boot_aggregate ima_measure 38 } 39 40 # Function: test01 41 # Description - Verify boot aggregate value is correct 42 test01() 43 { 44 zero="0000000000000000000000000000000000000000" 45 46 # IMA boot aggregate 47 ima_measurements=$SECURITYFS/ima/ascii_runtime_measurements 48 read line < $ima_measurements 49 ima_aggr=$(expr substr "${line}" 49 40) 50 51 # verify TPM is available and enabled. 52 tpm_bios=$SECURITYFS/tpm0/binary_bios_measurements 53 if [ ! -f "$tpm_bios" ]; then 54 tst_brkm TCONF "TPM not builtin kernel, or TPM not enabled" 55 56 if [ "${ima_aggr}" = "${zero}" ]; then 57 tst_resm TPASS "bios boot aggregate is 0." 58 else 59 tst_resm TFAIL "bios boot aggregate is not 0." 60 fi 61 else 62 boot_aggregate=$(ima_boot_aggregate $tpm_bios) 63 boot_aggr=$(expr substr $boot_aggregate 16 40) 64 if [ "x${ima_aggr}" = "x${boot_aggr}" ]; then 65 tst_resm TPASS "bios aggregate matches IMA boot aggregate." 66 else 67 tst_resm TFAIL "bios aggregate does not match IMA boot aggregate." 68 fi 69 fi 70 } 71 72 # Probably cleaner to programmatically read the PCR values directly 73 # from the TPM, but that would require a TPM library. For now, use 74 # the PCR values from /sys/devices. 75 validate_pcr() 76 { 77 ima_measurements=$SECURITYFS/ima/binary_runtime_measurements 78 aggregate_pcr=$(ima_measure $ima_measurements --validate) 79 dev_pcrs=$1 80 RC=0 81 82 while read line ; do 83 pcr=$(expr substr "${line}" 1 6) 84 if [ "${pcr}" = "PCR-10" ]; then 85 aggr=$(expr substr "${aggregate_pcr}" 26 59) 86 pcr=$(expr substr "${line}" 9 59) 87 [ "${pcr}" = "${aggr}" ] || RC=$? 88 fi 89 done < $dev_pcrs 90 return $RC 91 } 92 93 # Function: test02 94 # Description - Verify ima calculated aggregate PCR values matches 95 # actual PCR value. 96 test02() 97 { 98 99 # Would be nice to know where the PCRs are located. Is this safe? 100 PCRS_PATH=$(find /$SYSFS/devices/ | grep pcrs) 101 if [ $? -eq 0 ]; then 102 validate_pcr $PCRS_PATH 103 if [ $? -eq 0 ]; then 104 tst_resm TPASS "aggregate PCR value matches real PCR value." 105 else 106 tst_resm TFAIL "aggregate PCR value does not match real PCR value." 107 fi 108 else 109 tst_resm TFAIL "TPM not enabled, no PCR value to validate" 110 fi 111 } 112 113 # Function: test03 114 # Description - Verify template hash value for IMA entry is correct. 115 test03() 116 { 117 118 ima_measurements=$SECURITYFS/ima/binary_runtime_measurements 119 aggregate_pcr=$(ima_measure $ima_measurements --verify --validate) > /dev/null 120 if [ $? -eq 0 ]; then 121 tst_resm TPASS "verified IMA template hash values." 122 else 123 tst_resm TFAIL "error verifing IMA template hash values." 124 fi 125 } 126 127 . ima_setup.sh 128 129 setup 130 TST_CLEANUP=cleanup 131 132 init 133 test01 134 test02 135 test03 136 137 tst_exit 138