#!/bin/sh

################################################################################
##                                                                            ##
## Copyright (C) 2009 IBM Corporation                                         ##
##                                                                            ##
## This program is free software;  you can redistribute it and/or modify      ##
## it under the terms of the GNU General Public License as published by       ##
## the Free Software Foundation; either version 2 of the License, or          ##
## (at your option) any later version.                                        ##
##                                                                            ##
## This program is distributed in the hope that it will be useful, but        ##
## WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY ##
## or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License   ##
## for more details.                                                          ##
##                                                                            ##
## You should have received a copy of the GNU General Public License          ##
## along with this program;  if not, write to the Free Software               ##
## Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA    ##
##                                                                            ##
################################################################################
#
# File :        ima_tpm.sh
#
# Description:  This file verifies the boot and PCR aggregates
#
# Author:       Mimi Zohar, zohar@ibm.vnet.ibm.com
#
# Return        - zero on success
#               - non zero on failure. return value from commands ($RC)
################################################################################
# LTP test metadata: number of test cases in this file and the test id
# used in the result lines.
TST_TOTAL=3
TCID="ima_tpm"
export TST_TOTAL TCID
# Check, through the LTP helper tst_check_cmds, that the two IMA
# userspace tools used by test01 and test03 are available.
init()
{
	tst_check_cmds \
		ima_boot_aggregate \
		ima_measure
}
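# Function:     test01
# Description   - Verify boot aggregate value is correct
#
# Reads the first entry of the IMA ascii measurement list (the
# boot_aggregate entry) and compares the digest found there with the
# value recomputed by ima_boot_aggregate from the TPM BIOS event log.
# When no TPM event log is present the boot_aggregate digest is
# expected to be all zeros.
# Globals:      SECURITYFS (read)
# Outputs:      one TPASS/TFAIL line via tst_resm
test01()
{
	zero="0000000000000000000000000000000000000000"

	# IMA boot aggregate: the digest of the first measurement list entry
	# is taken from column 49 for 40 hex characters (sha1 length).
	ima_measurements=$SECURITYFS/ima/ascii_runtime_measurements
	line=
	read -r line < "$ima_measurements"
	ima_aggr=$(expr substr "${line}" 49 40)

	# verify TPM is available and enabled.
	tpm_bios=$SECURITYFS/tpm0/binary_bios_measurements
	if [ ! -f "$tpm_bios" ]; then
		# Use tst_resm here, not tst_brkm: tst_brkm ends the test run,
		# which left the zero-aggregate check below unreachable.
		tst_resm TINFO "TPM not builtin kernel, or TPM not enabled"

		if [ "${ima_aggr}" = "${zero}" ]; then
			tst_resm TPASS "bios boot aggregate is 0."
		else
			tst_resm TFAIL "bios boot aggregate is not 0."
		fi
	else
		# The digest is taken from column 16 of the ima_boot_aggregate
		# output (40 hex characters), skipping the leading label.
		boot_aggregate=$(ima_boot_aggregate "$tpm_bios")
		boot_aggr=$(expr substr "${boot_aggregate}" 16 40)
		if [ "x${ima_aggr}" = "x${boot_aggr}" ]; then
			tst_resm TPASS "bios aggregate matches IMA boot aggregate."
		else
			tst_resm TFAIL "bios aggregate does not match IMA boot aggregate."
		fi
	fi
}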
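# Probably cleaner to programmatically read the PCR values directly
# from the TPM, but that would require a TPM library. For now, use
# the PCR values from /sys/devices.
#
# validate_pcr - compare the PCR-10 value exported by the kernel with the
# aggregate recomputed by "ima_measure --validate" over the binary
# measurement list.
# Globals:      SECURITYFS (read), RC (written)
# Arguments:    $1 - path to the sysfs pcrs file; each line starts with
#                    "PCR-NN:" and the value begins at column 9
# Returns:      0 when the PCR-10 line matches the recomputed aggregate,
#               1 when it differs or when no PCR-10 line exists
validate_pcr()
{
	ima_measurements=$SECURITYFS/ima/binary_runtime_measurements
	aggregate_pcr=$(ima_measure "$ima_measurements" --validate)
	dev_pcrs=$1
	RC=0
	found=0

	# The recomputed value is the 59-character field starting at
	# column 26 of the ima_measure output; it does not depend on the
	# loop, so extract it once.
	aggr=$(expr substr "${aggregate_pcr}" 26 59)

	while read -r line ; do
		pcr=$(expr substr "${line}" 1 6)
		if [ "${pcr}" = "PCR-10" ]; then
			found=1
			pcr=$(expr substr "${line}" 9 59)
			[ "${pcr}" = "${aggr}" ] || RC=1
		fi
	done < "$dev_pcrs"

	# A pcrs file without any PCR-10 entry must not count as a
	# successful validation (previously this returned 0).
	[ "$found" -eq 1 ] || RC=1
	return $RC
}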
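# Function:     test02
# Description   - Verify the ima calculated aggregate PCR value matches
#                 the actual PCR value.
# Globals:      SYSFS (read)
# Outputs:      one TPASS/TFAIL line via tst_resm
test02()
{
	# Would be nice to know where the PCRs are located.  Is this safe?
	# Only the first match is used: validate_pcr reads a single file, and
	# the old unquoted expansion silently word-split a multi-line result.
	# (The old "/$SYSFS" also produced a doubled leading slash.)
	PCRS_PATH=$(find "$SYSFS/devices/" | grep pcrs | head -n 1)
	if [ -n "$PCRS_PATH" ]; then
		if validate_pcr "$PCRS_PATH"; then
			tst_resm TPASS "aggregate PCR value matches real PCR value."
		else
			tst_resm TFAIL "aggregate PCR value does not match real PCR value."
		fi
	else
		tst_resm TFAIL "TPM not enabled, no PCR value to validate"
	fi
}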
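# Function:     test03
# Description   - Verify template hash value for IMA entry is correct.
# Globals:      SECURITYFS (read)
# Outputs:      one TPASS/TFAIL line via tst_resm
test03()
{
	ima_measurements=$SECURITYFS/ima/binary_runtime_measurements
	# Only the exit status of ima_measure matters. The old form captured
	# its output into an unused variable, and the "> /dev/null" applied to
	# the assignment rather than to the command.
	if ima_measure "$ima_measurements" --verify --validate > /dev/null; then
		tst_resm TPASS "verified IMA template hash values."
	else
		tst_resm TFAIL "error verifing IMA template hash values."
	fi
}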
# Pull in the shared IMA test helpers (presumably the source of setup,
# cleanup and SECURITYFS/SYSFS), register cleanup, then run the checks
# in order and report the overall result.
. ima_setup.sh

setup
TST_CLEANUP=cleanup

for tc in init test01 test02 test03; do
	$tc
done

tst_exit