      1 #!/bin/sh
      2 
      3 ################################################################################
      4 ##                                                                            ##
      5 ## Copyright (C) 2009 IBM Corporation                                         ##
      6 ##                                                                            ##
      7 ## This program is free software;  you can redistribute it and/or modify      ##
      8 ## it under the terms of the GNU General Public License as published by       ##
      9 ## the Free Software Foundation; either version 2 of the License, or          ##
     10 ## (at your option) any later version.                                        ##
     11 ##                                                                            ##
     12 ## This program is distributed in the hope that it will be useful, but        ##
     13 ## WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY ##
     14 ## or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License   ##
     15 ## for more details.                                                          ##
     16 ##                                                                            ##
     17 ## You should have received a copy of the GNU General Public License          ##
     18 ## along with this program;  if not, write to the Free Software               ##
     19 ## Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA    ##
     20 ##                                                                            ##
     21 ################################################################################
     22 #
     23 # File :        ima_tpm.sh
     24 #
     25 # Description:  This file verifies the boot and PCR aggregates
     26 #
     27 # Author:       Mimi Zohar, zohar (at] ibm.vnet.ibm.com
     28 #
     29 # Return        - zero on success
     30 #               - non zero on failure. return value from commands ($RC)
     31 ################################################################################
     32 export TST_TOTAL=3
     33 export TCID="ima_tpm"
     34 
# Function:     init
# Description   - Hand the names of the two helper programs this test runs
#                 (ima_boot_aggregate, ima_measure) to tst_check_cmds.
#                 tst_check_cmds is not defined in this file; presumably it
#                 stops the run when a command is missing - confirm in the
#                 test library.
init()
{
	set -- ima_boot_aggregate ima_measure
	tst_check_cmds "$@"
}
     39 
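# Helper: succeed only when $1 is exactly 40 hexadecimal digits.
ima_tpm_is_sha1_hex()
{
	case "$1" in
	"" | *[!0-9a-fA-F]*) return 1 ;;
	esac
	[ "${#1}" -eq 40 ]
}

# Function:     test01
# Description   - Verify boot aggregate value is correct
#
# Compares the digest taken from the first entry of
# $SECURITYFS/ima/ascii_runtime_measurements with the value that
# ima_boot_aggregate derives from $SECURITYFS/tpm0/binary_bios_measurements.
# Globals:      SECURITYFS (read)
# Outputs:      one result reported through tst_resm / tst_brkm
test01()
{
	zero="0000000000000000000000000000000000000000"

	# IMA boot aggregate: characters 49-88 of the first measurement entry.
	# NOTE(review): the fixed offset looks like it assumes an entry laid
	# out as "10 <40-digit hash> ima <40-digit digest> ..."; a different
	# template name or digest length would shift the field - confirm
	# against the kernel's IMA configuration.
	ima_measurements=$SECURITYFS/ima/ascii_runtime_measurements
	line=
	read -r line < "$ima_measurements"
	ima_aggr=$(expr substr "${line}" 49 40)

	# verify TPM is available and enabled.
	tpm_bios=$SECURITYFS/tpm0/binary_bios_measurements
	if [ ! -f "$tpm_bios" ]; then
		tst_brkm TCONF "TPM not builtin kernel, or TPM not enabled"

		# NOTE(review): if tst_brkm ends the test (its definition is not
		# in this file), the zero-aggregate check below never runs -
		# confirm which behaviour is intended.
		if [ "${ima_aggr}" = "${zero}" ]; then
			tst_resm TPASS "bios boot aggregate is 0."
		else
			tst_resm TFAIL "bios boot aggregate is not 0."
		fi
	else
		# Offset 16 presumably skips a 15-character label printed in front
		# of the digest by ima_boot_aggregate - verify against that tool.
		boot_aggregate=$(ima_boot_aggregate "$tpm_bios")
		boot_aggr=$(expr substr "${boot_aggregate}" 16 40)

		# Fail closed: when the measurement list cannot be read and the
		# helper prints nothing, both strings are empty and a plain
		# equality test would report a match without comparing anything.
		if ! ima_tpm_is_sha1_hex "${ima_aggr}" ||
		   ! ima_tpm_is_sha1_hex "${boot_aggr}"; then
			tst_resm TFAIL "could not read a 40-digit boot aggregate to compare."
		elif [ "${ima_aggr}" = "${boot_aggr}" ]; then
			tst_resm TPASS "bios aggregate matches IMA boot aggregate."
		else
			tst_resm TFAIL "bios aggregate does not match IMA boot aggregate."
		fi
	fi
}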
     71 
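# Probably cleaner to programmatically read the PCR values directly
# from the TPM, but that would require a TPM library. For now, use
# the PCR values from /sys/devices.
#
# Function:     validate_pcr
# Description   - Compare the aggregate printed by "ima_measure --validate"
#                 with the PCR-10 line of the PCR listing passed as $1.
# Arguments:    $1 - path of the file holding the PCR values
# Globals:      SECURITYFS (read), RC (written)
# Returns:      0 only when a PCR-10 line was found and matched the
#               aggregate; non-zero otherwise, including an unreadable
#               listing or a listing without a PCR-10 line.
validate_pcr()
{
	ima_measurements=$SECURITYFS/ima/binary_runtime_measurements
	aggregate_pcr=$(ima_measure "$ima_measurements" --validate)
	dev_pcrs=$1
	RC=0
	pcr10_seen=0

	# Fail closed when there is nothing to read: otherwise the loop below
	# would not run and the function would report success.
	if [ ! -r "$dev_pcrs" ]; then
		RC=1
		return $RC
	fi

	while read -r line || [ -n "$line" ]; do
		case "$line" in
		PCR-10*)
			pcr10_seen=1
			# 59 characters are taken on each side; the start offsets
			# (26 and 9) presumably skip the label in front of the hex
			# bytes - verify against ima_measure and the sysfs format.
			aggr=$(expr substr "${aggregate_pcr}" 26 59)
			pcr=$(expr substr "${line}" 9 59)
			# An empty aggregate means ima_measure produced nothing
			# usable, so it never counts as a match.
			if [ -z "${aggr}" ] || [ "${pcr}" != "${aggr}" ]; then
				RC=1
			fi
			;;
		esac
	done < "$dev_pcrs"

	# A listing with no PCR-10 line validated nothing.
	[ "$pcr10_seen" -eq 1 ] || RC=1
	return $RC
}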
     92 
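# Function:     test02
# Description	- Verify ima calculated aggregate PCR values matches
#		  actual PCR value.
# Globals:      SYSFS (read), PCRS_PATH (written)
# Outputs:      one result reported through tst_resm
test02()
{

	# Would be nice to know where the PCRs are located.  Is this safe?
	# The search matches any path under /$SYSFS/devices/ that contains
	# "pcrs". Only the first match is kept, and it is passed on quoted, so
	# several matches or unusual characters in a path cannot turn into
	# extra arguments for validate_pcr.
	PCRS_PATH=$(find "/$SYSFS/devices/" | grep pcrs | head -n 1)
	if [ -n "$PCRS_PATH" ]; then
		if validate_pcr "$PCRS_PATH"; then
			tst_resm TPASS "aggregate PCR value matches real PCR value."
		else
			tst_resm TFAIL "aggregate PCR value does not match real PCR value."
		fi
	else
		tst_resm TFAIL "TPM not enabled, no PCR value to validate"
	fi
}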
    112 
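# Function:     test03
# Description 	- Verify template hash value for IMA entry is correct.
#
# Runs "ima_measure --verify --validate" on
# $SECURITYFS/ima/binary_runtime_measurements and reports TPASS when the
# command exits with status 0, TFAIL otherwise.
# Globals:      SECURITYFS (read), aggregate_pcr (written)
test03()
{

	ima_measurements=$SECURITYFS/ima/binary_runtime_measurements
	# The command substitution already keeps ima_measure's stdout off the
	# terminal, so no extra redirection is needed. The path is quoted so it
	# always reaches ima_measure as a single argument.
	if aggregate_pcr=$(ima_measure "$ima_measurements" --verify --validate); then
		tst_resm TPASS "verified IMA template hash values."
	else
		tst_resm TFAIL "error verifing IMA template hash values."
	fi
}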
    126 
    127 . ima_setup.sh
    128 
    129 setup
    130 TST_CLEANUP=cleanup
    131 
    132 init
    133 test01
    134 test02
    135 test03
    136 
    137 tst_exit
    138