1#!/bin/sh
2# Copyright (c) 2009 IBM Corporation
3# Copyright (c) 2018 Petr Vorel <pvorel@suse.cz>
4#
5# This program is free software; you can redistribute it and/or
6# modify it under the terms of the GNU General Public License as
7# published by the Free Software Foundation; either version 2 of
8# the License, or (at your option) any later version.
9#
10# This program is distributed in the hope that it would be useful,
11# but WITHOUT ANY WARRANTY; without even the implied warranty of
12# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
13# GNU General Public License for more details.
14#
15# You should have received a copy of the GNU General Public License
16# along with this program. If not, see <http://www.gnu.org/licenses/>.
17#
18# Author: Mimi Zohar, zohar@ibm.vnet.ibm.com
19#
20# Verify the boot and PCR aggregates.
21
# Number of test functions (test1, test2) tst_run executes.
TST_CNT=2
# Commands every test needs; evmctl is only required by test2 and is
# checked there with tst_check_cmds instead.
TST_NEEDS_CMDS="awk cut ima_boot_aggregate"

# Provides the LTP test harness plus SECURITYFS, ASCII_MEASUREMENTS and
# BINARY_MEASUREMENTS used below.
. ima_setup.sh
26
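# Verify that the boot_aggregate entry (first line of the ASCII IMA
# measurement list) matches the aggregate computed from the TPM BIOS
# event log. Without a TPM event log the kernel records an all-zero
# aggregate, which is what the no-TPM branch checks for.
#
# Globals: SECURITYFS, ASCII_MEASUREMENTS (read, set by ima_setup.sh)
# Outputs: tst_res TPASS/TFAIL; tst_brk TBROK when no entry is readable
test1()
{
	tst_res TINFO "verify boot aggregate"

	local zero="0000000000000000000000000000000000000000"
	local tpm_bios="$SECURITYFS/tpm0/binary_bios_measurements"
	local ima_measurements="$ASCII_MEASUREMENTS"
	local boot_aggregate boot_hash line

	# IMA boot aggregate: first entry of the measurement list.
	# -r keeps any backslash literal; an empty line means the list could
	# not be read, which is a setup problem rather than a mismatch.
	line=
	read -r line < "$ima_measurements"
	if [ -z "$line" ]; then
		tst_brk TBROK "cannot read first entry of $ima_measurements"
	fi

	# The digest is the next-to-last field, written as "<algo>:<hash>";
	# cut passes a field without ':' through unchanged, so a bare hash
	# (NOTE(review): presumably the older "ima" template - confirm) also works.
	boot_hash=$(printf '%s\n' "$line" | awk '{print $(NF-1)}' | cut -d':' -f2)

	if [ ! -f "$tpm_bios" ]; then
		tst_res TINFO "TPM Hardware Support not enabled in kernel or no TPM chip found"

		if [ "${boot_hash}" = "${zero}" ]; then
			tst_res TPASS "bios boot aggregate is 0"
		else
			tst_res TFAIL "bios boot aggregate is not 0"
		fi
	else
		# Recompute the aggregate from the BIOS event log and compare
		# it with what the kernel measured.
		boot_aggregate=$(ima_boot_aggregate "$tpm_bios" | grep "boot_aggregate:" | cut -d':' -f2)
		if [ "${boot_hash}" = "${boot_aggregate}" ]; then
			tst_res TPASS "bios aggregate matches IMA boot aggregate"
		else
			tst_res TFAIL "bios aggregate does not match IMA boot aggregate"
		fi
	fi
}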
57
58# Probably cleaner to programmatically read the PCR values directly
59# from the TPM, but that would require a TPM library. For now, use
60# the PCR values from /sys/devices.
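# Compare the PCR-10 value evmctl recomputes by replaying the binary
# measurement list ("HW PCR-10:" line of 'evmctl -v ima_measurement')
# with the PCR-10 the kernel exposes in the sysfs pcrs file.
#
# Arguments: $1 - path to the sysfs pcrs file
# Globals:   BINARY_MEASUREMENTS (read)
# Returns:   0 when both values match, 1 otherwise (also when evmctl
#            yields no value or the file has no PCR-10 line)
validate_pcr()
{
	tst_res TINFO "verify PCR (Platform Configuration Register)"

	local dev_pcrs="$1"
	local pcr hash aggregate_pcr line

	# evmctl prints the replayed PCR on stderr, hence 2>&1 before grep.
	aggregate_pcr="$(evmctl -v ima_measurement "$BINARY_MEASUREMENTS" 2>&1 | \
		grep 'HW PCR-10:' | awk '{print $3}')"
	if [ -z "$aggregate_pcr" ]; then
		tst_res TFAIL "failed to get PCR-10"
		return 1
	fi

	# Each sysfs line is "<name>: <hex bytes>"; the bytes are blank
	# separated and upper case, so normalise before comparing with
	# evmctl's lower-case contiguous hex.
	while read -r line; do
		pcr="$(printf '%s\n' "$line" | cut -d':' -f1)"
		if [ "${pcr}" = "PCR-10" ]; then
			hash="$(printf '%s\n' "$line" | cut -d':' -f2 | awk '{ gsub (" ", "", $0); print tolower($0) }')"
			[ "${hash}" = "${aggregate_pcr}" ]
			return $?
		fi
	done < "$dev_pcrs"
	return 1
}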
85
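# Check that the PCR-10 aggregate evmctl computes from the measurement
# list matches the PCR-10 the TPM driver exposes through sysfs.
# Needs evmctl (TCONF otherwise) and a TPM whose driver provides a pcrs
# file; the /sys/class/tpm path is tried before the legacy misc path.
test2()
{
	tst_res TINFO "verify PCR values"
	tst_check_cmds evmctl

	tst_res TINFO "evmctl version: $(evmctl --version)"

	local pcrs_path="/sys/class/tpm/tpm0/device/pcrs"
	if [ -f "$pcrs_path" ]; then
		tst_res TINFO "new PCRS path, evmctl >= 1.1 required"
	else
		# Older location of the same file.
		pcrs_path="/sys/class/misc/tpm0/device/pcrs"
	fi

	if [ ! -f "$pcrs_path" ]; then
		# NOTE(review): a TPM whose driver does not expose pcrs in sysfs
		# (presumably TPM 2.0) also ends up here - confirm.
		tst_res TCONF "TPM Hardware Support not enabled in kernel or no TPM chip found"
		return
	fi

	if validate_pcr "$pcrs_path"; then
		tst_res TPASS "aggregate PCR value matches real PCR value"
	else
		tst_res TFAIL "aggregate PCR value does not match real PCR value"
	fi
}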
111
# Hand over to the LTP harness sourced via ima_setup.sh, which runs
# test1 .. test$TST_CNT.
tst_run
113