[prev in list] [next in list] [prev in thread] [next in thread]
List: ltp-cvs
Subject: [Ltp-cvs] ltp/testcases/kernel/security/integrity/ima/src Makefile,
From: Subrata <subrata_modak () users ! sourceforge ! net>
Date: 2009-03-31 13:58:16
Message-ID: E1LoeTo-0005Xy-5O () ddv4jf1 ! ch3 ! sourceforge ! com
[Download RAW message or body]
Update of /cvsroot/ltp/ltp/testcases/kernel/security/integrity/ima/src
In directory ddv4jf1.ch3.sourceforge.com:/tmp/cvs-serv21227/ltp/testcases/kernel/security/integrity/ima/src
Added Files:
Makefile ima_boot_aggregate.c ima_measure.c ima_mmap.c
Log Message:
This patch adds Integrity Measurement Architecture(IMA) testing support:
Changes:
- updated README
- add test for existence of openssl-devel (m4/ltp-crypto.m4)
- add support for finding an audit message in different log files
Signed-off-by: Mimi Zohar <zohar@us.ibm.com>.
--- NEW FILE: Makefile ---
include ../../../../../../config.mk
ifeq ($(CRYPTO_LIB),-lcrypto)
TARGETS=ima_mmap ima_measure ima_boot_aggregate
LDLIBS += $(CRYPTO_LIB)
else
TARGETS=ima_mmap
endif
all: $(TARGETS)
install:
@set -e; for i in $(TARGETS); do ln -f $$i ../../../../../bin/$$i; done
clean:
rm -f $(TARGETS)
--- NEW FILE: ima_boot_aggregate.c ---
/*
* Copyright (c) International Business Machines Corp., 2009
*
* Authors:
* Mimi Zohar <zohar@us.ibm.com>
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License as
* published by the Free Software Foundation, version 2 of the
* License.
*
* File: ima_boot_aggregate.c
*
* Calculate a SHA1 boot aggregate value based on the TPM
* binary_bios_measurements.
*
* Requires openssl; compile with -lcrypto option
*/
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <string.h>
#include <unistd.h>
#include <openssl/sha.h>
#define MAX_EVENT_SIZE 500
#define EVENT_HEADER_SIZE 32
#define MAX_EVENT_DATA_SIZE (MAX_EVENT_SIZE - EVENT_HEADER_SIZE)
#define NUM_PCRS 8 /* PCR registers 0-7 in boot aggregate */
static void *display_sha1_digest(char *pcr)
{
int i;
for (i = 0; i < 20; i++)
printf("%02x", *(pcr + i) & 0xff);
printf("\n");
}
int main(int argc, char *argv[])
{
unsigned char boot_aggregate[SHA_DIGEST_LENGTH];
struct {
struct {
u_int32_t pcr;
int type;
unsigned char digest[SHA_DIGEST_LENGTH];
u_int16_t len;
} header;
unsigned char data[MAX_EVENT_DATA_SIZE];
} event;
struct {
unsigned char digest[SHA_DIGEST_LENGTH];
} pcr[NUM_PCRS];
FILE *fp;
int i;
int debug = 0;
SHA_CTX c;
if (argc != 2) {
printf("format: %s binary_bios_measurement file\n", argv[0]);
return 1;
}
fp = fopen(argv[1], "r");
if (!fp) {
perror("unable to open pcr file\n");
return 1;
}
/* Initialize psuedo PCR registers 0 - 7 */
for ( i = 0; i < NUM_PCRS; i++)
memset(&pcr[i].digest, 0, SHA_DIGEST_LENGTH);
/* Extend the pseudo PCRs with the event digest */
while (fread(&event, sizeof event.header, 1, fp)) {
if (debug) {
printf("%03u ", event.header.pcr);
display_sha1_digest(event.header.digest);
}
SHA1_Init(&c);
SHA1_Update(&c, pcr[event.header.pcr].digest, 20);
SHA1_Update(&c, event.header.digest, 20);
SHA1_Final(pcr[event.header.pcr].digest, &c);
if (event.header.len > MAX_EVENT_DATA_SIZE) {
printf("Error event too long");
break;
}
fread(event.data, event.header.len, 1, fp);
}
fclose(fp);
/* Extend the boot aggregate with the pseudo PCR digest values */
memset(&boot_aggregate, 0, SHA_DIGEST_LENGTH);
SHA1_Init(&c);
for (i = 0; i < NUM_PCRS; i++) {
if (debug) {
printf("PCR-%2.2x: ", i);
display_sha1_digest(pcr[i].digest);
}
SHA1_Update(&c, pcr[i].digest, 20);
}
SHA1_Final(boot_aggregate, &c);
printf("boot_aggregate:");
display_sha1_digest(boot_aggregate);
return 0;
}
--- NEW FILE: ima_mmap.c ---
/*
* Copyright (c) International Business Machines Corp., 2009
*
* Authors:
* Mimi Zohar <zohar@us.ibm.com>
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License as
* published by the Free Software Foundation, version 2 of the
* License.
*
* File: ima_mmap.c
*
* Open and mmap a file and sleep. Another process will open the
* mmapped file in read mode, resulting in a open_writer violation.
*/
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/mman.h>
#include <fcntl.h>
int main(int argc, char *argv[])
{
int fd;
void *file;
char *filename;
int rc;
if (argc != 2)
printf("%s: filename\n", argv[1]);
filename = argv[1];
fd = open(filename, O_CREAT | O_RDWR, S_IRWXU);
if (fd < 0) {
perror("open");
return(-1);
}
file = mmap(NULL, 1024, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
if (file == (void *) -1) {
perror("mmap");
return(-1);
}
close(fd);
sleep(30);
if (munmap(file, 1024) < 0) {
perror("unmap");
return(-1);
}
}
--- NEW FILE: ima_measure.c ---
/*
* Copyright (c) International Business Machines Corp., 2008
*
* Authors:
* Reiner Sailer <sailer@watson.ibm.com>
* Mimi Zohar <zohar@us.ibm.com>
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License as
* published by the Free Software Foundation, version 2 of the
* License.
*
* File: ima_measure.c
*
* Calculate the SHA1 aggregate-pcr value based on the IMA runtime
* binary measurements.
*/
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <string.h>
#include <unistd.h>
#include <openssl/sha.h>
#define TCG_EVENT_NAME_LEN_MAX 255
static int verbose = 0;
static int validate = 0;
static int verify = 0;
#define print_info(format, arg...) \
if (verbose) \
printf(format, ##arg)
static u_int8_t zero[SHA_DIGEST_LENGTH];
static u_int8_t fox[SHA_DIGEST_LENGTH];
struct event {
struct {
u_int32_t pcr;
u_int8_t digest[SHA_DIGEST_LENGTH];
u_int32_t name_len;
} header;
char name[TCG_EVENT_NAME_LEN_MAX + 1];
struct {
u_int8_t digest[SHA_DIGEST_LENGTH];
char filename[TCG_EVENT_NAME_LEN_MAX + 1];
} ima_data;
int filename_len;
};
static void display_sha1_digest(u_int8_t *digest)
{
int i;
for (i = 0; i < 20; i++)
print_info(" %02X", (*(digest + i) & 0xff));
}
/*
* Calculate the sha1 hash of data
*/
static void calc_digest(u_int8_t *digest, int len, void *data )
{
SHA_CTX c;
/* Calc template hash for an ima entry */
memset(digest, 0, sizeof *digest);
SHA1_Init(&c);
SHA1_Update(&c, data, len);
SHA1_Final(digest, &c);
}
static int verify_template_hash(struct event *template)
{
int rc;
rc = memcmp(fox, template->header.digest, sizeof fox);
if (rc != 0) {
u_int8_t digest[SHA_DIGEST_LENGTH];
memset(digest, 0, sizeof digest);
calc_digest(digest, sizeof template->ima_data,
&template->ima_data);
rc = memcmp(digest, template->header.digest, sizeof digest);
return rc != 0 ? 1 : 0;
}
return 0;
}
/*
* ima_measurements.c - calculate the SHA1 aggregate-pcr value based
* on the IMA runtime binary measurements.
*
* format: ima_measurement [--validate] [--verify] [--verbose]
*
* --validate: forces validation of the aggregrate pcr value
* for an invalidated PCR. Replace all entries in the
* runtime binary measurement list with 0x00 hash values,
* which indicate the PCR was invalidated, either for
* "a time of measure, time of use"(ToMToU) error, or a
* file open for read was already open for write, with
* 0xFF's hash value, when calculating the aggregate
* pcr value.
*
* --verify: for all IMA template entries in the runtime binary
* measurement list, calculate the template hash value
* and compare it with the actual template hash value.
* Return the number of incorrect hash measurements.
*
* --verbose: For all entries in the runtime binary measurement
* list, display the template information.
*
* template info: list #, PCR-register #, template hash, template name
* IMA info: IMA hash, filename hint
*
* Ouput: displays the aggregate-pcr value
* Return code: if verification enabled, returns number of verification
* errors.
*/
int main(int argc, char *argv[])
{
FILE *fp;
struct event template;
u_int8_t pcr[SHA_DIGEST_LENGTH];
int i, count = 0, len;
int failed_count = 0; /* number of template verifications failed */
if (argc < 2) {
printf("format: %s binary_runtime_measurements" \
" [--validate] [--verbose] [--verify]\n", argv[0]);
return 1;
}
for (i = 2; i < argc; i++) {
if (strncmp(argv[i], "--validate", 8) == 0)
validate = 1;
if (strncmp(argv[i], "--verbose", 7) == 0)
verbose = 1;
if (strncmp(argv[i], "--verify", 6) == 0)
verify = 1;
}
fp = fopen(argv[1], "r");
if (!fp) {
printf("fn: %s\n", argv[1]);
perror("Unable to open file\n");
return 1;
}
memset(pcr, 0, SHA_DIGEST_LENGTH); /* initial PCR content 0..0 */
memset(zero, 0, SHA_DIGEST_LENGTH);
memset(fox, 0xff, SHA_DIGEST_LENGTH);
print_info( "### PCR HASH " \
"TEMPLATE-NAME\n");
while (fread(&template.header, sizeof template.header, 1, fp)) {
SHA_CTX c;
/* Extend simulated PCR with new template digest */
SHA1_Init(&c);
SHA1_Update(&c, pcr, SHA_DIGEST_LENGTH);
if (validate) {
if (memcmp(template.header.digest, zero, 20) == 0)
memset(template.header.digest, 0xFF, 20);
}
SHA1_Update(&c, template.header.digest, 20);
SHA1_Final(pcr, &c);
print_info("%3d %03u ", count++, template.header.pcr);
display_sha1_digest(template.header.digest);
if (template.header.name_len > TCG_EVENT_NAME_LEN_MAX) {
printf("%d ERROR: event name too long!\n",
template.header.name_len);
exit(1);
}
memset(template.name, 0, sizeof template.name);
fread(template.name, template.header.name_len, 1, fp);
print_info(" %s ", template.name);
memset(&template.ima_data, 0, sizeof template.ima_data);
fread(&template.ima_data.digest,
sizeof template.ima_data.digest, 1, fp);
display_sha1_digest(template.ima_data.digest);
fread(&template.filename_len,
sizeof template.filename_len, 1, fp);
fread(template.ima_data.filename, template.filename_len, 1, fp);
print_info(" %s\n", template.ima_data.filename);
if (verify)
failed_count += verify_template_hash(&template);
}
fclose(fp);
verbose=1;
print_info("PCRAggr (re-calculated):");
display_sha1_digest(pcr);
return failed_count;
}
------------------------------------------------------------------------------
_______________________________________________
Ltp-cvs mailing list
Ltp-cvs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ltp-cvs
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic