2 * ima-evm-utils - IMA/EVM support utilities
4 * Copyright (C) 2011 Nokia Corporation
5 * Copyright (C) 2011,2012,2013 Intel Corporation
6 * Copyright (C) 2013,2014 Samsung Electronics
9 * Dmitry Kasatkin <dmitry.kasatkin@nokia.com>
10 * <dmitry.kasatkin@intel.com>
11 * <d.kasatkin@samsung.com>
13 * This program is free software; you can redistribute it and/or
14 * modify it under the terms of the GNU General Public License
15 * version 2 as published by the Free Software Foundation.
17 * This program is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU General Public License for more details.
22 * You should have received a copy of the GNU General Public License
23 * along with this program. If not, see <http://www.gnu.org/licenses/>.
26 * IMA/EVM control program
29 #include <sys/types.h>
31 #include <sys/ioctl.h>
32 #include <sys/param.h>
39 #include <attr/xattr.h>
43 #include <asm/byteorder.h>
50 static char *evm_config_xattrnames[] = {
54 "security.capability",
60 int (*func)(struct command *cmd);
63 char *msg; /* extra info message */
75 static char *uuid_str = "+";
76 static char *search_type;
81 typedef int (*find_cb_t)(const char *path);
82 static int find(const char *path, int dts, find_cb_t func);
84 #define REG_MASK (1 << DT_REG)
85 #define DIR_MASK (1 << DT_DIR)
86 #define LNK_MASK (1 << DT_LNK)
87 #define CHR_MASK (1 << DT_CHR)
88 #define BLK_MASK (1 << DT_BLK)
90 typedef int (*sign_hash_fn_t)(const char *algo, const unsigned char *hash, int size, const char *keyfile, unsigned char *sig);
92 static sign_hash_fn_t sign_hash;
94 struct command cmds[];
95 static void print_usage(struct command *cmd);
97 static int bin2file(const char *file, const char *ext, const unsigned char *data, int len)
100 char name[strlen(file) + (ext ? strlen(ext) : 0) + 2];
104 sprintf(name, "%s.%s", file, ext);
106 sprintf(name, "%s", file);
108 log_info("Writing to %s\n", name);
110 fp = fopen(name, "w");
112 log_err("Unable to open %s for writing\n", name);
115 err = fwrite(data, len, 1, fp);
120 static unsigned char *file2bin(const char *file, const char *ext, int *size)
125 char name[strlen(file) + (ext ? strlen(ext) : 0) + 2];
128 sprintf(name, "%s.%s", file, ext);
130 sprintf(name, "%s", file);
132 log_info("Reading to %s\n", name);
134 len = get_filesize(name);
135 fp = fopen(name, "r");
137 log_err("Unable to open %s\n", name);
141 if (!fread(data, len, 1, fp))
150 * Create binary key representation suitable for kernel
152 static int key2bin(RSA *key, unsigned char *pub)
154 int len, b, offset = 0;
155 struct pubkey_hdr *pkh = (struct pubkey_hdr *)pub;
159 pkh->timestamp = 0; /* PEM has no timestamp?? */
160 pkh->algo = PUBKEY_ALGO_RSA;
163 offset += sizeof(*pkh);
165 len = BN_num_bytes(key->n);
166 b = BN_num_bits(key->n);
167 pub[offset++] = b >> 8;
168 pub[offset++] = b & 0xff;
169 BN_bn2bin(key->n, &pub[offset]);
172 len = BN_num_bytes(key->e);
173 b = BN_num_bits(key->e);
174 pub[offset++] = b >> 8;
175 pub[offset++] = b & 0xff;
176 BN_bn2bin(key->e, &pub[offset]);
182 static void calc_keyid_v1(uint8_t *keyid, char *str, const unsigned char *pkey, int len)
184 uint8_t sha1[SHA_DIGEST_LENGTH];
187 SHA1(pkey, len, sha1);
189 /* sha1[12 - 19] is exactly keyid from gpg file */
190 memcpy(keyid, sha1 + 12, 8);
191 log_debug("keyid: ");
192 log_debug_dump(keyid, 8);
194 id = __be64_to_cpup((__be64 *) keyid);
195 sprintf(str, "%llX", (unsigned long long)id);
196 log_info("keyid: %s\n", str);
199 static void calc_keyid_v2(uint32_t *keyid, char *str, RSA *key)
201 uint8_t sha1[SHA_DIGEST_LENGTH];
202 unsigned char *pkey = NULL;
205 len = i2d_RSAPublicKey(key, &pkey);
207 SHA1(pkey, len, sha1);
209 /* sha1[12 - 19] is exactly keyid from gpg file */
210 memcpy(keyid, sha1 + 16, 4);
211 log_debug("keyid: ");
212 log_debug_dump(keyid, 4);
214 sprintf(str, "%x", __be32_to_cpup(keyid));
215 log_info("keyid: %s\n", str);
220 static RSA *read_priv_key(const char *keyfile)
225 fp = fopen(keyfile, "r");
227 log_err("Unable to open keyfile %s\n", keyfile);
230 key = PEM_read_RSAPrivateKey(fp, NULL, NULL, keypass);
232 log_err("PEM_read_RSAPrivateKey() failed\n");
238 static int get_hash_algo_v1(const char *algo)
241 if (!strcmp(algo, "sha1"))
242 return DIGEST_ALGO_SHA1;
243 else if (!strcmp(algo, "sha256"))
244 return DIGEST_ALGO_SHA256;
249 static int sign_hash_v1(const char *hashalgo, const unsigned char *hash, int size, const char *keyfile, unsigned char *sig)
251 int len = -1, hashalgo_idx;
253 unsigned char pub[1024];
256 unsigned char sighash[20];
257 struct signature_hdr *hdr = (struct signature_hdr *)sig;
261 log_dump(hash, size);
263 key = read_priv_key(keyfile);
267 /* now create a new hash */
268 hdr->version = (uint8_t) DIGSIG_VERSION_1;
269 hdr->timestamp = time(NULL);
270 hdr->algo = PUBKEY_ALGO_RSA;
271 hashalgo_idx = get_hash_algo_v1(hashalgo);
272 if (hashalgo_idx < 0) {
273 log_err("Signature version 1 does not support hash algo %s\n",
277 hdr->hash = (uint8_t) hashalgo_idx;
279 len = key2bin(key, pub);
280 calc_keyid_v1(hdr->keyid, name, pub, len);
285 SHA1_Update(&ctx, hash, size);
286 SHA1_Update(&ctx, hdr, sizeof(*hdr));
287 SHA1_Final(sighash, &ctx);
288 log_info("sighash: ");
289 log_dump(sighash, sizeof(sighash));
291 len = RSA_private_encrypt(sizeof(sighash), sighash, sig + sizeof(*hdr) + 2, key, RSA_PKCS1_PADDING);
293 log_err("RSA_private_encrypt() failed: %d\n", len);
297 /* we add bit length of the signature to make it gnupg compatible */
298 blen = (uint16_t *) (sig + sizeof(*hdr));
299 *blen = __cpu_to_be16(len << 3);
300 len += sizeof(*hdr) + 2;
301 log_info("evm/ima signature: %d bytes\n", len);
302 if (sigdump || params.verbose >= LOG_INFO)
309 static int sign_hash_v2(const char *algo, const unsigned char *hash, int size, const char *keyfile, unsigned char *sig)
311 struct signature_v2_hdr *hdr = (struct signature_v2_hdr *)sig;
316 const struct RSA_ASN1_template *asn1;
319 log_dump(hash, size);
321 key = read_priv_key(keyfile);
325 hdr->version = (uint8_t) DIGSIG_VERSION_2;
326 hdr->hash_algo = get_hash_algo(algo);
328 calc_keyid_v2(&hdr->keyid, name, key);
330 asn1 = &RSA_ASN1_templates[hdr->hash_algo];
332 buf = malloc(size + asn1->size);
336 memcpy(buf, asn1->data, asn1->size);
337 memcpy(buf + asn1->size, hash, size);
338 len = RSA_private_encrypt(size + asn1->size, buf, hdr->sig,
339 key, RSA_PKCS1_PADDING);
341 log_err("RSA_private_encrypt() failed: %d\n", len);
345 /* we add bit length of the signature to make it gnupg compatible */
346 hdr->sig_size = __cpu_to_be16(len);
348 log_info("evm/ima signature: %d bytes\n", len);
349 if (sigdump || params.verbose >= LOG_INFO)
358 static int find_xattr(const char *list, int list_size, const char *xattr)
362 for (; list_size > 0; len++, list_size -= len, list += len) {
364 if (!strcmp(list, xattr))
370 static int hex_to_bin(char ch)
372 if ((ch >= '0') && (ch <= '9'))
375 if ((ch >= 'a') && (ch <= 'f'))
376 return ch - 'a' + 10;
380 static int hex2bin(uint8_t *dst, const char *src, size_t count)
388 hi = hex_to_bin(*src++);
389 lo = hex_to_bin(*src++);
391 if ((hi < 0) || (lo < 0))
394 *dst++ = (hi << 4) | lo;
399 static int pack_uuid(const char *uuid_str, char *uuid)
404 for (i = 0; i < 16; ++i) {
405 if (!uuid_str[0] || !uuid_str[1]) {
406 log_err("wrong UUID format\n");
409 *to++ = (hex_to_bin(*uuid_str) << 4) |
410 (hex_to_bin(*(uuid_str + 1)));
417 if (*uuid_str != '-') {
418 log_err("wrong UUID format\n");
430 static int get_uuid(struct stat *st, char *uuid)
433 unsigned minor, major;
434 char path[PATH_MAX], _uuid[37];
438 if (uuid_str[0] != '+')
439 return pack_uuid(uuid_str, uuid);
442 major = (dev & 0xfff00) >> 8;
443 minor = (dev & 0xff) | ((dev >> 12) & 0xfff00);
445 log_debug("dev: %u:%u\n", major, minor);
446 sprintf(path, "blkid -s UUID -o value /dev/block/%u:%u", major, minor);
448 fp = popen(path, "r");
450 log_err("popen() failed\n");
454 len = fread(_uuid, 1, sizeof(_uuid), fp);
456 if (len != sizeof(_uuid)) {
457 log_err("fread() failed\n");
461 return pack_uuid(_uuid, uuid);
464 static int calc_evm_hash(const char *file, unsigned char *hash)
468 uint32_t generation = 0;
472 char xattr_value[1024];
476 struct h_misc_64 hmac_misc;
479 if (lstat(file, &st)) {
480 log_err("lstat() failed\n");
484 if (S_ISREG(st.st_mode) || S_ISDIR(st.st_mode)) {
485 /* we cannot at the momement to get generation of special files..
486 * kernel API does not support it */
487 int fd = open(file, 0);
489 log_err("Unable to open %s\n", file);
492 if (ioctl(fd, EXT34_IOC_GETVERSION, &generation)) {
493 log_err("ioctl() failed\n");
499 log_info("generation: %u\n", generation);
501 list_size = llistxattr(file, list, sizeof(list));
503 log_err("llistxattr() failed\n");
507 err = EVP_DigestInit(&ctx, EVP_sha1());
509 log_err("EVP_DigestInit() failed\n");
513 for (xattrname = evm_config_xattrnames; *xattrname != NULL; xattrname++) {
514 err = lgetxattr(file, *xattrname, xattr_value, sizeof(xattr_value));
516 log_info("no xattr: %s\n", *xattrname);
519 if (!find_xattr(list, list_size, *xattrname)) {
520 log_info("skipping xattr: %s\n", *xattrname);
523 /*log_debug("name: %s, value: %s, size: %d\n", *xattrname, xattr_value, err);*/
524 log_info("name: %s, size: %d\n", *xattrname, err);
525 log_debug_dump(xattr_value, err);
526 err = EVP_DigestUpdate(&ctx, xattr_value, err);
528 log_err("EVP_DigestUpdate() failed\n");
533 memset(&hmac_misc, 0, sizeof(hmac_misc));
536 struct h_misc *hmac = (struct h_misc *)&hmac_misc;
537 hmac_size = sizeof(*hmac);
538 hmac->ino = st.st_ino;
539 hmac->generation = generation;
540 hmac->uid = st.st_uid;
541 hmac->gid = st.st_gid;
542 hmac->mode = st.st_mode;
543 } else if (msize == 64) {
544 struct h_misc_64 *hmac = (struct h_misc_64 *)&hmac_misc;
545 hmac_size = sizeof(*hmac);
546 hmac->ino = st.st_ino;
547 hmac->generation = generation;
548 hmac->uid = st.st_uid;
549 hmac->gid = st.st_gid;
550 hmac->mode = st.st_mode;
552 struct h_misc_32 *hmac = (struct h_misc_32 *)&hmac_misc;
553 hmac_size = sizeof(*hmac);
554 hmac->ino = st.st_ino;
555 hmac->generation = generation;
556 hmac->uid = st.st_uid;
557 hmac->gid = st.st_gid;
558 hmac->mode = st.st_mode;
561 log_debug("hmac_misc (%d): ", hmac_size);
562 log_debug_dump(&hmac_misc, hmac_size);
564 err = EVP_DigestUpdate(&ctx, &hmac_misc, hmac_size);
566 log_err("EVP_DigestUpdate() failed\n");
570 if (*uuid_str != '-') {
571 err = get_uuid(&st, uuid);
575 err = EVP_DigestUpdate(&ctx, (const unsigned char *)uuid, sizeof(uuid));
577 log_err("EVP_DigestUpdate() failed\n");
582 err = EVP_DigestFinal(&ctx, hash, &mdlen);
584 log_err("EVP_DigestFinal() failed\n");
591 static int sign_evm(const char *file, const char *key)
593 unsigned char hash[20];
594 unsigned char sig[1024] = "\x03";
597 len = calc_evm_hash(file, hash);
601 len = sign_hash("sha1", hash, len, key, sig + 1);
606 err = lsetxattr(file, "security.evm", sig, len + 1, 0);
608 log_err("setxattr failed: %s\n", file);
616 static int hash_ima(const char *file)
618 unsigned char hash[65] = "\x01"; /* MAX hash size + 1 */
621 len = ima_calc_hash(file, hash + 1);
625 if (params.verbose >= LOG_INFO)
628 if (sigdump || params.verbose >= LOG_INFO)
632 err = lsetxattr(file, "security.ima", hash, len + 1, 0);
634 log_err("setxattr failed: %s\n", file);
642 static int cmd_hash_ima(struct command *cmd)
644 char *file = g_argv[optind++];
647 log_err("Parameters missing\n");
652 return hash_ima(file);
655 static int sign_ima(const char *file, const char *key)
657 unsigned char hash[64];
658 unsigned char sig[1024] = "\x03";
661 len = ima_calc_hash(file, hash);
665 len = sign_hash(params.hash_algo, hash, len, key, sig + 1);
673 bin2file(file, "sig", sig, len);
676 err = lsetxattr(file, "security.ima", sig, len, 0);
678 log_err("setxattr failed: %s\n", file);
686 static int get_file_type(const char *path, const char *search_type)
691 for (i = 0; search_type[i]; i++) {
692 switch (search_type[i]) {
694 dts |= REG_MASK; break;
696 dts |= DIR_MASK; break;
698 dts |= BLK_MASK | CHR_MASK | LNK_MASK; break;
700 /* stay within the same filesystem*/
701 err = lstat(path, &st);
703 log_err("stat() failed\n");
706 fs_dev = st.st_dev; /* filesystem to start from */
714 static int sign_ima_file(const char *file)
718 key = params.keyfile ? : "/etc/keys/privkey_evm.pem";
720 return sign_ima(file, key);
723 static int cmd_sign_ima(struct command *cmd)
725 char *file = g_argv[optind++];
726 int err, dts = REG_MASK; /* only regular files by default */
729 log_err("Parameters missing\n");
736 dts = get_file_type(file, search_type);
740 err = find(file, dts, sign_ima_file);
742 err = sign_ima_file(file);
748 static int sign_evm_path(const char *file)
753 key = params.keyfile ? : "/etc/keys/privkey_evm.pem";
756 err = sign_ima(file, key);
762 err = hash_ima(file);
767 return sign_evm(file, key);
770 static int cmd_sign_evm(struct command *cmd)
772 char *path = g_argv[optind++];
773 int err, dts = REG_MASK; /* only regular files by default */
776 log_err("Parameters missing\n");
783 dts = get_file_type(path, search_type);
787 err = find(path, dts, sign_evm_path);
789 err = sign_evm_path(path);
795 static int verify_evm(const char *file)
797 unsigned char hash[20];
798 unsigned char sig[1024];
801 len = calc_evm_hash(file, hash);
805 len = lgetxattr(file, "security.evm", sig, sizeof(sig));
807 log_err("getxattr failed\n");
811 if (sig[0] != 0x03) {
812 log_err("security.evm has not signature\n");
816 return verify_hash(hash, sizeof(hash), sig + 1, len - 1);
819 static int cmd_verify_evm(struct command *cmd)
821 char *file = g_argv[optind++];
824 log_err("Parameters missing\n");
829 return verify_evm(file);
832 static int verify_ima(const char *file)
834 unsigned char sig[1024];
838 len = lgetxattr(file, "security.ima", sig, sizeof(sig));
840 log_err("getxattr failed\n");
847 tmp = file2bin(file, "sig", &len);
848 memcpy(sig, tmp, len);
852 return ima_verify_signature(file, sig, len);
855 static int cmd_verify_ima(struct command *cmd)
857 char *file = g_argv[optind++];
860 log_err("Parameters missing\n");
865 return verify_ima(file);
868 static int cmd_import(struct command *cmd)
870 char *inkey, *ring = NULL;
871 unsigned char _pub[1024], *pub = _pub;
872 int id, len, err = 0;
877 inkey = g_argv[optind++];
879 inkey = x509 ? "/etc/keys/x509_evm.der" :
880 "/etc/keys/pubkey_evm.pem";
882 ring = g_argv[optind++];
885 id = KEY_SPEC_USER_KEYRING;
889 key = read_pub_key(inkey, x509);
894 pub = file2bin(inkey, NULL, &len);
897 calc_keyid_v2((uint32_t *)keyid, name, key);
899 len = key2bin(key, pub);
900 calc_keyid_v1(keyid, name, pub, len);
903 log_info("Importing public key %s from file %s into keyring %d\n", name, inkey, id);
905 id = add_key(x509 ? "asymmetric" : "user", x509 ? NULL : name, pub, len, id);
907 log_err("add_key failed\n");
910 log_info("keyid: %d\n", id);
920 #define MAX_KEY_SIZE 128
922 static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *hash)
926 uint32_t generation = 0;
930 unsigned char xattr_value[1024];
933 unsigned char evmkey[MAX_KEY_SIZE];
936 struct h_misc_64 hmac_misc;
939 key = file2bin(keyfile, NULL, &keylen);
941 log_err("Unable to read a key: %s\n\n", keyfile);
945 if (keylen > sizeof(evmkey)) {
946 log_err("key is too long\n");
950 /* EVM key is 128 bytes */
951 memcpy(evmkey, key, keylen);
952 memset(evmkey + keylen, 0, sizeof(evmkey) - keylen);
954 if (lstat(file, &st)) {
955 log_err("lstat() failed\n");
959 if (S_ISREG(st.st_mode) || S_ISDIR(st.st_mode)) {
960 /* we cannot at the momement to get generation of special files..
961 * kernel API does not support it */
962 int fd = open(file, 0);
964 log_err("Unable to open %s\n", file);
967 if (ioctl(fd, EXT34_IOC_GETVERSION, &generation)) {
968 log_err("ioctl() failed\n");
974 log_info("generation: %u\n", generation);
976 list_size = llistxattr(file, list, sizeof(list));
977 if (list_size <= 0) {
978 log_err("llistxattr() failed\n");
982 err = !HMAC_Init(&ctx, evmkey, sizeof(evmkey), EVP_sha1());
984 log_err("HMAC_Init() failed\n");
988 for (xattrname = evm_config_xattrnames; *xattrname != NULL; xattrname++) {
989 err = lgetxattr(file, *xattrname, xattr_value, sizeof(xattr_value));
991 log_info("no xattr: %s\n", *xattrname);
994 if (!find_xattr(list, list_size, *xattrname)) {
995 log_info("skipping xattr: %s\n", *xattrname);
998 /*log_debug("name: %s, value: %s, size: %d\n", *xattrname, xattr_value, err);*/
999 log_info("name: %s, size: %d\n", *xattrname, err);
1000 log_debug_dump(xattr_value, err);
1001 err = !HMAC_Update(&ctx, xattr_value, err);
1003 log_err("HMAC_Update() failed\n");
1004 goto out_ctx_cleanup;
1008 memset(&hmac_misc, 0, sizeof(hmac_misc));
1011 struct h_misc *hmac = (struct h_misc *)&hmac_misc;
1012 hmac_size = sizeof(*hmac);
1013 hmac->ino = st.st_ino;
1014 hmac->generation = generation;
1015 hmac->uid = st.st_uid;
1016 hmac->gid = st.st_gid;
1017 hmac->mode = st.st_mode;
1018 } else if (msize == 64) {
1019 struct h_misc_64 *hmac = (struct h_misc_64 *)&hmac_misc;
1020 hmac_size = sizeof(*hmac);
1021 hmac->ino = st.st_ino;
1022 hmac->generation = generation;
1023 hmac->uid = st.st_uid;
1024 hmac->gid = st.st_gid;
1025 hmac->mode = st.st_mode;
1027 struct h_misc_32 *hmac = (struct h_misc_32 *)&hmac_misc;
1028 hmac_size = sizeof(*hmac);
1029 hmac->ino = st.st_ino;
1030 hmac->generation = generation;
1031 hmac->uid = st.st_uid;
1032 hmac->gid = st.st_gid;
1033 hmac->mode = st.st_mode;
1036 log_debug("hmac_misc (%d): ", hmac_size);
1037 log_debug_dump(&hmac_misc, hmac_size);
1039 err = !HMAC_Update(&ctx, (const unsigned char *)&hmac_misc, hmac_size);
1041 log_err("HMAC_Update() failed\n");
1042 goto out_ctx_cleanup;
1044 err = !HMAC_Final(&ctx, hash, &mdlen);
1046 log_err("HMAC_Final() failed\n");
1048 HMAC_CTX_cleanup(&ctx);
1051 return err ?: mdlen;
1054 static int hmac_evm(const char *file, const char *key)
1056 unsigned char hash[20];
1057 unsigned char sig[1024] = "\x02";
1060 len = calc_evm_hmac(file, key, hash);
1065 log_dump(hash, len);
1066 memcpy(sig + 1, hash, len);
1069 err = lsetxattr(file, "security.evm", sig, len + 1, 0);
1071 log_err("setxattr failed: %s\n", file);
1079 static int cmd_hmac_evm(struct command *cmd)
1081 char *key, *file = g_argv[optind++];
1085 log_err("Parameters missing\n");
1090 key = params.keyfile ? : "/etc/keys/privkey_evm.pem";
1093 err = sign_ima(file, key);
1099 err = hash_ima(file);
1104 return hmac_evm(file, "/etc/keys/evm-key-plain");
1107 static int ima_fix(const char *path)
1109 int fd, size, len, ima = 0, evm = 0;
1110 char buf[1024], *list = buf;
1112 log_info("%s\n", path);
1115 /* re-measuring takes a time
1116 * in some cases we can skip labeling if xattrs exists
1118 size = llistxattr(path, list, sizeof(buf));
1120 log_errno("llistxattr() failed: %s\n", path);
1123 for (; size > 0; len++, size -= len, list += len) {
1125 if (!strcmp(list, "security.ima"))
1127 else if (!strcmp(list, "security.evm"))
1134 fd = open(path, O_RDONLY);
1136 log_errno("%s open failed", path);
1145 static int find(const char *path, int dts, find_cb_t func)
1152 int err = lstat(path, &st);
1154 log_err("stat() failed\n");
1157 if (st.st_dev != fs_dev)
1161 dir = opendir(path);
1163 log_err("Unable to open %s\n", path);
1167 if (fchdir(dirfd(dir))) {
1168 log_err("Unable to chdir %s\n", path);
1172 while ((de = readdir(dir))) {
1173 if (!strcmp(de->d_name, "..") || !strcmp(de->d_name, "."))
1175 log_debug("path: %s, type: %u\n", de->d_name, de->d_type);
1176 if (de->d_type == DT_DIR)
1177 find(de->d_name, dts, func);
1178 else if (dts & (1 << de->d_type))
1183 log_err("Unable to chdir %s\n", path);
1195 static int cmd_ima_fix(struct command *cmd)
1197 char *path = g_argv[optind++];
1198 int err, dts = REG_MASK; /* only regular files by default */
1202 log_err("Parameters missing\n");
1207 xattr = 0; /* do not check xattrs, fix everything */
1213 for (i = 0; search_type[i]; i++) {
1214 switch (search_type[i]) {
1216 dts |= REG_MASK; break;
1218 dts |= DIR_MASK; break;
1220 dts |= BLK_MASK | CHR_MASK | LNK_MASK; break;
1225 /* stay within the same filesystem*/
1226 err = lstat(path, &st);
1228 log_err("stat() failed\n");
1231 fs_dev = st.st_dev; /* filesystem to start from */
1237 err = find(path, dts, ima_fix);
1245 static char *pcrs = "/sys/class/misc/tpm0/device/pcrs";
1247 static int tpm_pcr_read(int idx, uint8_t *pcr, int len)
1250 char *p, pcr_str[7], buf[70]; /* length of the TPM string */
1252 sprintf(pcr_str, "PCR-%d", idx);
1254 fp = fopen(pcrs, "r");
1256 log_err("Unable to open %s\n", pcrs);
1261 p = fgets(buf, sizeof(buf), fp);
1264 if (!strncmp(p, pcr_str, 6)) {
1265 hex2bin(pcr, p + 7, len);
1273 #define TCG_EVENT_NAME_LEN_MAX 255
1275 struct template_entry {
1278 uint8_t digest[SHA_DIGEST_LENGTH];
1281 char name[TCG_EVENT_NAME_LEN_MAX + 1];
1284 int template_buf_len;
1287 static uint8_t zero[SHA_DIGEST_LENGTH];
1288 static uint8_t fox[SHA_DIGEST_LENGTH];
1292 void ima_extend_pcr(uint8_t *pcr, uint8_t *digest, int length)
1297 SHA1_Update(&ctx, pcr, length);
1298 if (validate && !memcmp(digest, zero, length))
1299 SHA1_Update(&ctx, fox, length);
1301 SHA1_Update(&ctx, digest, length);
1302 SHA1_Final(pcr, &ctx);
1305 static int ima_verify_tamplate_hash(struct template_entry *entry)
1307 uint8_t digest[SHA_DIGEST_LENGTH];
1309 if (!memcmp(zero, entry->header.digest, sizeof(zero)))
1312 SHA1(entry->template, entry->template_len, digest);
1314 if (memcmp(digest, entry->header.digest, sizeof(digest))) {
1315 log_err("template hash error\n");
1322 void ima_show(struct template_entry *entry)
1324 log_debug("ima, digest: ");
1325 log_debug_dump(entry->header.digest, sizeof(entry->header.digest));
1328 void ima_ng_show(struct template_entry *entry)
1330 uint8_t *fieldp = entry->template;
1332 int total_len = entry->template_len, digest_len, len, sig_len;
1333 uint8_t *digest, *sig = NULL;
1336 /* get binary digest */
1337 field_len = *(uint8_t *)fieldp;
1338 fieldp += sizeof(field_len);
1339 total_len -= sizeof(field_len);
1341 algo = (char *)fieldp;
1342 len = strlen(algo) + 1;
1343 digest_len = field_len - len;
1344 digest = fieldp + len;
1346 /* move to next field */
1347 fieldp += field_len;
1348 total_len -= field_len;
1351 field_len = *(uint8_t *)fieldp;
1352 fieldp += sizeof(field_len);
1353 total_len -= sizeof(field_len);
1355 path = (char *)fieldp;
1357 /* move to next field */
1358 fieldp += field_len;
1359 total_len -= field_len;
1361 if (!strcmp(entry->name, "ima-sig")) {
1363 field_len = *(uint8_t *)fieldp;
1364 fieldp += sizeof(field_len);
1365 total_len -= sizeof(field_len);
1369 sig_len = field_len;
1371 /* move to next field */
1372 fieldp += field_len;
1373 total_len -= field_len;
1377 /* ascii_runtime_measurements */
1378 log_info("%d ", entry->header.pcr);
1379 log_dump_n(entry->header.digest, sizeof(entry->header.digest));
1380 log_info(" %s %s", entry->name, algo);
1381 log_dump_n(digest, digest_len);
1382 log_info(" %s", path);
1386 log_dump(sig, sig_len);
1387 ima_verify_signature(path, sig, sig_len);
1392 log_err("Remain unprocessed data: %d\n", total_len);
1395 static int ima_measurement(const char *file)
1397 uint8_t pcr[SHA_DIGEST_LENGTH] = {0,};
1398 uint8_t pcr10[SHA_DIGEST_LENGTH];
1399 struct template_entry entry = { .template = 0 };
1403 memset(fox, 0xff, SHA_DIGEST_LENGTH);
1405 log_debug("Initial PCR value: ");
1406 log_debug_dump(pcr, sizeof(pcr));
1408 fp = fopen(file, "rb");
1410 log_err("Unable to open measurement file\n");
1414 while ((err = fread(&entry.header, sizeof(entry.header), 1, fp))) {
1415 ima_extend_pcr(pcr, entry.header.digest, SHA_DIGEST_LENGTH);
1417 if (!fread(entry.name, entry.header.name_len, 1, fp)) {
1418 log_err("Unable to read template name\n");
1422 entry.name[entry.header.name_len] = '\0';
1424 if (!fread(&entry.template_len, sizeof(entry.template_len), 1, fp)) {
1425 log_err("Unable to read template length\n");
1429 if (entry.template_buf_len < entry.template_len) {
1430 free(entry.template);
1431 entry.template_buf_len = entry.template_len;
1432 entry.template = malloc(entry.template_len);
1435 if (!fread(entry.template, entry.template_len, 1, fp)) {
1436 log_err("Unable to read template\n");
1441 ima_verify_tamplate_hash(&entry);
1443 if (!strcmp(entry.name, "ima"))
1446 ima_ng_show(&entry);
1451 tpm_pcr_read(10, pcr10, sizeof(pcr10));
1453 log_info("PCRAgg: ");
1454 log_dump(pcr, sizeof(pcr));
1456 log_info("PCR-10: ");
1457 log_dump(pcr10, sizeof(pcr10));
1459 if (memcmp(pcr, pcr10, sizeof(pcr))) {
1460 log_err("PCRAgg does not match PCR-10\n");
1467 static int cmd_ima_measurement(struct command *cmd)
1469 char *file = g_argv[optind++];
1472 log_err("Parameters missing\n");
1477 return ima_measurement(file);
1480 static void print_usage(struct command *cmd)
1482 printf("usage: %s %s\n", cmd->name, cmd->arg ? cmd->arg : "");
1485 static void print_full_usage(struct command *cmd)
1488 printf("usage: %s %s\n", cmd->name, cmd->arg ? cmd->arg : "");
1490 printf("%s", cmd->msg);
1493 static int print_command_usage(struct command *cmds, char *command)
1495 struct command *cmd;
1497 for (cmd = cmds; cmd->name; cmd++) {
1498 if (strcmp(cmd->name, command) == 0) {
1499 print_full_usage(cmd);
1503 printf("invalid command: %s\n", command);
1507 static void print_all_usage(struct command *cmds)
1509 struct command *cmd;
1511 printf("commands:\n");
1513 for (cmd = cmds; cmd->name; cmd++) {
1515 printf(" %s %s\n", cmd->name, cmd->arg);
1517 printf(" %s", cmd->msg);
1521 static int call_command(struct command *cmds, char *command)
1523 struct command *cmd;
1525 for (cmd = cmds; cmd->name; cmd++) {
1526 if (strcasecmp(cmd->name, command) == 0)
1527 return cmd->func(cmd);
1529 printf("Invalid command: %s\n", command);
1533 static int cmd_help(struct command *cmd)
1535 if (!g_argv[optind]) {
1539 return print_command_usage(cmds, g_argv[optind]);
1542 static void usage(void)
1544 printf("Usage: evmctl [-v] <command> [OPTIONS]\n");
1546 print_all_usage(cmds);
1550 " -a, --hashalgo sha1 (default), sha224, sha256, sha384, sha512\n"
1551 " -s, --imasig also make IMA signature\n"
1552 " -d, --imahash also make IMA hash\n"
1553 " -f, --sigfile store IMA signature in .sig file instead of xattr\n"
1554 " -1, --rsa signing key is in RSA DER format (signing v1)\n"
1555 " -k, --key path to signing key (default keys are /etc/keys/{privkey,pubkey}_evm.pem)\n"
1556 " -p, --pass password for encrypted signing key\n"
1557 " -u, --uuid use file system UUID in HMAC calculation (EVM v2)\n"
1558 " -t, --type file types to fix 'fdsxm' (f - file, d - directory, s - block/char/symlink)\n"
1559 " x - skip fixing if both ima and evm xattrs exist (caution: they may be wrong)\n"
1560 " m - stay on the same filesystem (like 'find -xdev')\n"
1561 " -n print result to stdout instead of setting xattr\n"
1562 " -r, --recursive recurse into directories (sign)\n"
1563 " --x32 force signature for 32 bit target system\n"
1564 " --x64 force signature for 32 bit target system\n"
1565 " -v increase verbosity level\n"
1566 " -h, --help display this help and exit\n"
1570 struct command cmds[] = {
1571 {"help", cmd_help, 0, "<command>"},
1572 {"import", cmd_import, 0, "[--rsa] pubkey keyring", "Import public key into the keyring.\n"},
1573 {"sign", cmd_sign_evm, 0, "[-r] [--imahash | --imasig ] [--key key] [--pass password] file", "Sign file metadata.\n"},
1574 {"verify", cmd_verify_evm, 0, "file", "Verify EVM signature (for debugging).\n"},
1575 {"ima_sign", cmd_sign_ima, 0, "[--sigfile] [--key key] [--pass password] file", "Make file content signature.\n"},
1576 {"ima_verify", cmd_verify_ima, 0, "file", "Verify IMA signature (for debugging).\n"},
1577 {"ima_hash", cmd_hash_ima, 0, "file", "Make file content hash.\n"},
1578 {"ima_measurement", cmd_ima_measurement, 0, "file", "Verify measurement list (experimental).\n"},
1579 {"ima_fix", cmd_ima_fix, 0, "[-t fdsxm] path", "Recursively fix IMA/EVM xattrs in fix mode.\n"},
1581 {"hmac", cmd_hmac_evm, 0, "[--imahash | --imasig ] file", "Sign file metadata with HMAC using symmetric key (for testing purpose).\n"},
1586 static struct option opts[] = {
1587 {"help", 0, 0, 'h'},
1588 {"imasig", 0, 0, 's'},
1589 {"imahash", 0, 0, 'd'},
1590 {"hashalgo", 1, 0, 'a'},
1591 {"pass", 1, 0, 'p'},
1592 {"sigfile", 0, 0, 'f'},
1593 {"uuid", 2, 0, 'u'},
1596 {"type", 1, 0, 't'},
1597 {"recursive", 0, 0, 'r'},
1604 int main(int argc, char *argv[])
1606 int err = 0, c, lind;
1612 c = getopt_long(argc, argv, "hvnsda:p:fu::xk:t:r", opts, &lind);
1631 /* do not set Extended Attributes... just print signature */
1636 params.hash_algo = optarg;
1646 uuid_str = optarg ?: "+";
1652 params.keyfile = optarg;
1655 search_type = optarg;
1670 log_err("getopt() returned: %d (%c)\n", c, c);
1675 sign_hash = sign_hash_v2;
1677 sign_hash = sign_hash_v1;
1679 OpenSSL_add_all_algorithms();
1680 ERR_load_crypto_strings();
1682 if (argv[optind] == NULL)
1685 err = call_command(cmds, argv[optind++]);
1688 unsigned long error;
1690 log_err("errno: %s (%d)\n", strerror(errno), errno);
1692 error = ERR_get_error();
1695 log_err("%s\n", ERR_error_string(error, NULL));