From 7acd362cc93fa64451a0daac615bf0e12ff99b05 Mon Sep 17 00:00:00 2001
From: Simon Ott
Date: Tue, 5 Mar 2024 23:53:46 +0000
Subject: [PATCH 1/2] attestationreport: fix
Signed-off-by: Simon Ott
---
 attestationreport/attestationreport.go | 1 +
 1 file changed, 1 insertion(+)
diff --git a/attestationreport/attestationreport.go b/attestationreport/attestationreport.go
index 79633368..830c9879 100644
--- a/attestationreport/attestationreport.go
+++ b/attestationreport/attestationreport.go
@@ -532,6 +532,7 @@ func Verify(arRaw, nonce, casPem []byte, policies []byte, polEng PolicyEngineSel
 if code != NotSet {
 result.ErrorCode = code
 result.Success = false
+ return result
 }
 // Verify and unpack metadata from attestation report
From 914f4aead9000c51e4b0178580440880daad3915 Mon Sep 17 00:00:00 2001
From: Simon Ott
Date: Tue, 5 Mar 2024 23:54:28 +0000
Subject: [PATCH 2/2] ima: parse template to retrieve path
Signed-off-by: Simon Ott
---
 attestationreport/tpm.go | 4 +--
 ima/ima.go | 59 ++++++++++++++++++++++++++++++++++------
 2 files changed, 53 insertions(+), 10 deletions(-)
diff --git a/attestationreport/tpm.go b/attestationreport/tpm.go
index 11ba25d4..34dc445c 100644
--- a/attestationreport/tpm.go
+++ b/attestationreport/tpm.go
@@ -177,8 +177,8 @@ func recalculatePcrs(measurement Measurement, referenceValues []ReferenceValue)
 EventData: event.EventData,
 }
 detailedResults = append(detailedResults, measResult)
- log.Tracef("Failed to find measurement %v in reference values",
- hex.EncodeToString(event.Sha256))
+ log.Tracef("Failed to find PCR%v measurement %v: %v in reference values",
+ measuredPcr.Pcr, event.EventName, hex.EncodeToString(event.Sha256))
 ok = false
 pcrResult.Success = false
 continue
diff --git a/ima/ima.go b/ima/ima.go
index 9efc24ae..3fcabedc 100644
--- a/ima/ima.go
+++ b/ima/ima.go
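Review bot: In the tpm.go hunk the new trace prints `event.EventName` with `%v`, and with this series that field now carries a file path taken straight out of the IMA event log, so a path containing newlines or control bytes would break the log line and an empty name would be invisible. `%q` keeps the value quoted and escaped: `log.Tracef("Failed to find PCR%v measurement %q: %v in reference values",`. recalculatePcrs starts and ends outside the hunk.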
@@ -90,19 +90,19 @@ func parseImaRuntimeDigests(data []byte) ([]ar.PcrEvent, error) {
 template.header = header
 copy(template.Name[:], name)
- var len uint32
+ var length uint32
 if strings.Compare(string(template.Name[:]), "ima") == 0 {
 template.DataLen = SHA1_DIGEST_LEN + MAX_TCG_EVENT_LEN + 1
- len = SHA1_DIGEST_LEN
+ length = SHA1_DIGEST_LEN
 } else {
 err = binary.Read(buf, binary.LittleEndian, &template.DataLen)
 if err != nil {
 return nil, fmt.Errorf("error reading binary data: %w", err)
 }
- len = template.DataLen
+ length = template.DataLen
 }
- template.Data = make([]byte, len)
+ template.Data = make([]byte, length)
 err = binary.Read(buf, binary.LittleEndian, template.Data)
 if err != nil {
 return nil, fmt.Errorf("error reading binary data: %w", err)
@@ -122,16 +122,59 @@ func parseImaRuntimeDigests(data []byte) ([]ar.PcrEvent, error) {
 // template must be calculated manually
 digest := sha256.Sum256(template.Data)
+ // Parse the template data to retrieve additional information
+ _, eventName, err := parseTemplateData(&template)
+ if err != nil {
+ log.Tracef("Failed to parse addtional template data: %v", err)
+ }
+
 event := ar.PcrEvent{
- Sha256: digest[:],
- // TODO EventName: parseEventName(template.Data)
- EventName: "",
+ Sha256: digest[:],
+ EventName: eventName,
 }
- log.Tracef("Parsed PCR%v IMA %v event", header.Pcr, string(template.Name[:]))
+ log.Tracef("Parsed IMA PCR%v %v event %v", header.Pcr,
+ string(template.Name[:template.header.NameLen]), eventName)
 events = append(events, event)
 }
 return events, nil
 }
+
+func parseTemplateData(tmpl *imaTemplate) ([]byte, string, error) {
+
+ if !bytes.Equal(tmpl.Name[:tmpl.header.NameLen], []byte("ima-ng")) &&
+ !bytes.Equal(tmpl.Name[:tmpl.header.NameLen], []byte("ima-sig")) {
+ return nil, "", fmt.Errorf("template %v parsing additional information not supported", tmpl.Name[:tmpl.header.NameLen])
+ }
+
+ var tmplDigestLen uint32
+ buf := bytes.NewBuffer(tmpl.Data)
+ err := binary.Read(buf, binary.LittleEndian, &tmplDigestLen)
+ if err != nil {
+ return nil, "", fmt.Errorf("failed to read digest length from template: %w", err)
+ }
+
+ tmplDigest := make([]byte, tmplDigestLen)
+ err = binary.Read(buf, binary.LittleEndian, tmplDigest)
+ if err != nil {
+ return nil, "", fmt.Errorf("failed to read digest from template: %w", err)
+ }
+
+ var tmplPathLen uint32
+ err = binary.Read(buf, binary.LittleEndian, &tmplPathLen)
+ if err != nil {
+ return nil, "", fmt.Errorf("failed to read digest length from template: %w", err)
+ }
+
+ tmplPath := make([]byte, tmplPathLen)
+ err = binary.Read(buf, binary.LittleEndian, tmplPath)
+ if err != nil {
+ return nil, "", fmt.Errorf("failed to read path from template: %w", err)
+ }
+ // Strip the path from the parsed \0 byte
+ tmplPath = tmplPath[:len(tmplPath)-1]
+
+ return tmplDigest, string(tmplPath), nil
+}
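Review bot: `tmplPath = tmplPath[:len(tmplPath)-1]` panics with a slice-bounds error when `tmplPathLen` is 0, and the two `make([]byte, …)` calls honour whatever uint32 length the template claims (up to 4 GiB) before `binary.Read` notices the data is short, so a truncated or malformed IMA log crashes or exhausts the verifier instead of yielding an error. Both lengths should be checked against `buf.Len()` before allocating, and the terminator dropped only when it is actually present, for example with `bytes.TrimSuffix`; the rewrite below routes both fields through one bounded helper. The third error string is a copy of the digest one and should read `failed to read path length from template`, and the trace in the first part of the hunk misspells "additional". The enclosing parseImaRuntimeDigests starts outside the hunk.
```go
func parseTemplateData(tmpl *imaTemplate) ([]byte, string, error) {
	// … unchanged: template-name check for ima-ng / ima-sig …

	buf := bytes.NewBuffer(tmpl.Data)
	tmplDigest, err := readLenPrefixed(buf)
	if err != nil {
		return nil, "", fmt.Errorf("failed to read digest from template: %w", err)
	}
	tmplPath, err := readLenPrefixed(buf)
	if err != nil {
		return nil, "", fmt.Errorf("failed to read path from template: %w", err)
	}
	// The path field is \0-terminated; drop the terminator only if it is really there
	tmplPath = bytes.TrimSuffix(tmplPath, []byte{0})

	return tmplDigest, string(tmplPath), nil
}

// readLenPrefixed reads a little-endian uint32 length followed by that many
// bytes, rejecting lengths larger than the remaining data so a malformed
// template cannot force a multi-gigabyte allocation.
func readLenPrefixed(buf *bytes.Buffer) ([]byte, error) {
	var n uint32
	if err := binary.Read(buf, binary.LittleEndian, &n); err != nil {
		return nil, fmt.Errorf("reading field length: %w", err)
	}
	if uint64(n) > uint64(buf.Len()) {
		return nil, fmt.Errorf("field length %d exceeds remaining template data (%d bytes)", n, buf.Len())
	}
	out := make([]byte, n)
	if err := binary.Read(buf, binary.LittleEndian, out); err != nil {
		return nil, fmt.Errorf("reading %d field bytes: %w", n, err)
	}
	return out, nil
}
```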