transfer IMA file measurements via PA-TNC
[strongswan.git] / src / libpts / pts / components / ita / ita_comp_ima.c
1 /*
2 * Copyright (C) 2011-2012 Andreas Steffen
3 * HSR Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "ita_comp_ima.h"
17 #include "ita_comp_func_name.h"
18
19 #include "libpts.h"
20 #include "pts/components/pts_component.h"
21
22 #include <debug.h>
23 #include <pen/pen.h>
24
25 #include <sys/types.h>
26 #include <sys/stat.h>
27 #include <unistd.h>
28 #include <fcntl.h>
29 #include <errno.h>
30
31 #define SECURITY_DIR "/sys/kernel/security/"
32 #define IMA_BIOS_MEASUREMENTS SECURITY_DIR "tpm0/binary_bios_measurements"
33 #define IMA_RUNTIME_MEASUREMENTS SECURITY_DIR "ima/binary_runtime_measurements"
34 #define IMA_EVENT_NAME_LEN_MAX 255
35 #define IMA_PCR 10
36 #define IMA_PCR_MAX 16
37 #define IMA_TYPE_LEN 3
38
39 typedef struct pts_ita_comp_ima_t pts_ita_comp_ima_t;
40 typedef struct bios_entry_t bios_entry_t;
41 typedef struct ima_entry_t ima_entry_t;
42 typedef enum ima_state_t ima_state_t;
43
44 enum ima_state_t {
45 IMA_STATE_INIT,
46 IMA_STATE_BIOS,
47 IMA_STATE_BOOT_AGGREGATE,
48 IMA_STATE_RUNTIME,
49 IMA_STATE_END
50 };
51
52 /**
53 * Private data of a pts_ita_comp_ima_t object.
54 *
55 */
56 struct pts_ita_comp_ima_t {
57
58 /**
59 * Public pts_component_t interface.
60 */
61 pts_component_t public;
62
63 /**
64 * Component Functional Name
65 */
66 pts_comp_func_name_t *name;
67
68 /**
69 * AIK keyid
70 */
71 chunk_t keyid;
72
73 /**
74 * Sub-component depth
75 */
76 u_int32_t depth;
77
78 /**
79 * PTS measurement database
80 */
81 pts_database_t *pts_db;
82
83 /**
84 * Primary key for Component Functional Name database entry
85 */
86 int cid;
87
88 /**
89 * Primary key for AIK database entry
90 */
91 int kid;
92
93 /**
94 * Component is registering measurements
95 */
96 bool is_registering;
97
98 /**
99 * Measurement sequence number
100 */
101 int seq_no;
102
103 /**
104 * Expected IMA BIOS measurement count
105 */
106 int count;
107
108 /**
109 * IMA BIOS measurements
110 */
111 linked_list_t *bios_list;
112
113 /**
114 * IMA runtime file measurements
115 */
116 linked_list_t *ima_list;
117
118 /**
119 * Shadow PCR registers
120 */
121 chunk_t pcrs[IMA_PCR_MAX];
122
123 /**
124 * IMA measurement time
125 */
126 time_t measurement_time;
127
128 /**
129 * IMA state machine
130 */
131 ima_state_t state;
132
133 /**
134 * Hasher used to extend emulated PCRs
135 */
136 hasher_t *hasher;
137
138 };
139
140 /**
141 * Linux IMA BIOS measurement entry
142 */
143 struct bios_entry_t {
144
145 /**
146 * PCR register
147 */
148 u_int32_t pcr;
149
150 /**
151 * SHA1 measurement hash
152 */
153 chunk_t measurement;
154 };
155
156 /**
157 * Linux IMA runtime file measurement entry
158 */
159 struct ima_entry_t {
160
161 /**
162 * SHA1 measurement hash
163 */
164 chunk_t measurement;
165
166 /**
167 * SHA1 file measurement thash
168 */
169 chunk_t file_measurement;
170
171 /**
172 * absolute path of executable files or basename of dynamic libraries
173 */
174 char *filename;
175 };
176
177 /**
178 * Free a bios_entry_t object
179 */
180 static void free_bios_entry(bios_entry_t *this)
181 {
182 free(this->measurement.ptr);
183 free(this);
184 }
185
186 /**
187 * Free an ima_entry_t object
188 */
189 static void free_ima_entry(ima_entry_t *this)
190 {
191 free(this->measurement.ptr);
192 free(this->file_measurement.ptr);
193 free(this->filename);
194 free(this);
195 }
196
197 /**
198 * Load a PCR measurement file and determine the creation date
199 */
200 static bool load_bios_measurements(char *file, linked_list_t *list,
201 time_t *created)
202 {
203 u_int32_t pcr, num, len;
204 bios_entry_t *entry;
205 struct stat st;
206 ssize_t res;
207 int fd;
208
209 fd = open(file, O_RDONLY);
210 if (fd == -1)
211 {
212 DBG1(DBG_PTS, "opening '%s' failed: %s", file, strerror(errno));
213 return FALSE;
214 }
215
216 if (fstat(fd, &st) == -1)
217 {
218 DBG1(DBG_PTS, "getting statistics of '%s' failed: %s", file,
219 strerror(errno));
220 close(fd);
221 return FALSE;
222 }
223 *created = st.st_ctime;
224
225 while (TRUE)
226 {
227 res = read(fd, &pcr, 4);
228 if (res == 0)
229 {
230 DBG2(DBG_PTS, "loaded bios measurements '%s' (%d entries)",
231 file, list->get_count(list));
232 close(fd);
233 return TRUE;
234 }
235
236 entry = malloc_thing(bios_entry_t);
237 entry->pcr = pcr;
238 entry->measurement = chunk_alloc(HASH_SIZE_SHA1);
239
240 if (res != 4)
241 {
242 break;
243 }
244 if (read(fd, &num, 4) != 4)
245 {
246 break;
247 }
248 if (read(fd, entry->measurement.ptr, HASH_SIZE_SHA1) != HASH_SIZE_SHA1)
249 {
250 break;
251 }
252 if (read(fd, &len, 4) != 4)
253 {
254 break;
255 }
256 if (lseek(fd, len, SEEK_CUR) == -1)
257 {
258 break;
259 }
260 list->insert_last(list, entry);
261 }
262
263 DBG1(DBG_PTS, "loading bios measurements '%s' failed: %s", file,
264 strerror(errno));
265 close(fd);
266 return FALSE;
267 }
268
269 /**
270 * Load an IMA runtime measurement file and determine the creation and
271 * update dates
272 */
273 static bool load_runtime_measurements(char *file, linked_list_t *list,
274 time_t *created)
275 {
276 u_int32_t pcr, len;
277 ima_entry_t *entry;
278 char type[IMA_TYPE_LEN];
279 struct stat st;
280 ssize_t res;
281 int fd;
282
283 fd = open(file, O_RDONLY);
284 if (fd == -1)
285 {
286 DBG1(DBG_PTS, "opening '%s' failed: %s", file, strerror(errno));
287 return TRUE;
288 }
289
290 if (fstat(fd, &st) == -1)
291 {
292 DBG1(DBG_PTS, "getting statistics of '%s' failed: %s", file,
293 strerror(errno));
294 close(fd);
295 return FALSE;
296 }
297 *created = st.st_ctime;
298
299 while (TRUE)
300 {
301 res = read(fd, &pcr, 4);
302 if (res == 0)
303 {
304 DBG2(DBG_PTS, "loaded ima measurements '%s' (%d entries)",
305 file, list->get_count(list));
306 close(fd);
307 return TRUE;
308 }
309
310 entry = malloc_thing(ima_entry_t);
311 entry->measurement = chunk_alloc(HASH_SIZE_SHA1);
312 entry->file_measurement = chunk_alloc(HASH_SIZE_SHA1);
313 entry->filename = NULL;
314
315 if (res != 4 || pcr != IMA_PCR)
316 {
317 break;
318 }
319 if (read(fd, entry->measurement.ptr, HASH_SIZE_SHA1) != HASH_SIZE_SHA1)
320 {
321 break;
322 }
323 if (read(fd, &len, 4) != 4 || len != IMA_TYPE_LEN)
324 {
325 break;
326 }
327 if (read(fd, type, IMA_TYPE_LEN) != IMA_TYPE_LEN ||
328 memcmp(type, "ima", IMA_TYPE_LEN))
329 {
330 break;
331 }
332 if (read(fd, entry->file_measurement.ptr, HASH_SIZE_SHA1) != HASH_SIZE_SHA1)
333 {
334 break;
335 }
336 if (read(fd, &len, 4) != 4)
337 {
338 break;
339 }
340 entry->filename = malloc(len + 1);
341 if (read(fd, entry->filename, len) != len)
342 {
343 break;
344 }
345 entry->filename[len] = '\0';
346
347 list->insert_last(list, entry);
348 }
349
350 DBG1(DBG_PTS, "loading ima measurements '%s' failed: %s",
351 file, strerror(errno));
352 close(fd);
353 return FALSE;
354 }
355
356 /**
357 * Extend measurement into PCR an create evidence
358 */
359 pts_comp_evidence_t* extend_pcr(pts_ita_comp_ima_t* this, u_int32_t pcr,
360 chunk_t measurement)
361 {
362 size_t pcr_len;
363 pts_pcr_transform_t pcr_transform;
364 pts_meas_algorithms_t hash_algo;
365 pts_comp_evidence_t *evidence;
366 chunk_t pcr_before, pcr_after;
367
368 hash_algo = PTS_MEAS_ALGO_SHA1;
369 pcr_len = HASH_SIZE_SHA1;
370 pcr_transform = pts_meas_algo_to_pcr_transform(hash_algo, pcr_len);
371 pcr_before = chunk_clone(this->pcrs[pcr]);
372 this->hasher->get_hash(this->hasher, pcr_before, NULL);
373 this->hasher->get_hash(this->hasher, measurement, this->pcrs[pcr].ptr);
374 pcr_after = chunk_clone(this->pcrs[pcr]);
375
376 evidence = pts_comp_evidence_create(this->name->clone(this->name),
377 this->depth, pcr, hash_algo, pcr_transform,
378 this->measurement_time, measurement);
379 evidence->set_pcr_info(evidence, pcr_before, pcr_after);
380
381 return evidence;
382 }
383
384 /**
385 * Compute and check boot aggregate value by hashing PCR0 to PCR7
386 */
387 void check_boot_aggregate(pts_ita_comp_ima_t *this, chunk_t measurement)
388 {
389 u_int32_t pcr;
390 u_char pcr_buffer[HASH_SIZE_SHA1];
391 u_char boot_aggregate_name[] = "boot_aggregate";
392 u_char filename_buffer[IMA_EVENT_NAME_LEN_MAX + 1];
393 chunk_t boot_aggregate, file_name;
394
395 /* See Linux kernel header: security/integrity/ima/ima.h */
396 boot_aggregate = chunk_create(pcr_buffer, sizeof(pcr_buffer));
397 memset(filename_buffer, 0, sizeof(filename_buffer));
398 strcpy(filename_buffer, boot_aggregate_name);
399 file_name = chunk_create(filename_buffer, sizeof(filename_buffer));
400
401 for (pcr = 0; pcr < 8; pcr++)
402 {
403 this->hasher->get_hash(this->hasher, this->pcrs[pcr], NULL);
404 }
405 this->hasher->get_hash(this->hasher, chunk_empty, pcr_buffer);
406 this->hasher->get_hash(this->hasher, boot_aggregate, NULL);
407 this->hasher->get_hash(this->hasher, file_name, pcr_buffer);
408
409 DBG1(DBG_PTS, "boot aggregate value is %scorrect",
410 chunk_equals(boot_aggregate, measurement) ? "":"in");
411 }
412
413 METHOD(pts_component_t, get_comp_func_name, pts_comp_func_name_t*,
414 pts_ita_comp_ima_t *this)
415 {
416 return this->name;
417 }
418
419 METHOD(pts_component_t, get_evidence_flags, u_int8_t,
420 pts_ita_comp_ima_t *this)
421 {
422 return PTS_REQ_FUNC_COMP_EVID_PCR;
423 }
424
425 METHOD(pts_component_t, get_depth, u_int32_t,
426 pts_ita_comp_ima_t *this)
427 {
428 return this->depth;
429 }
430
431 METHOD(pts_component_t, measure, status_t,
432 pts_ita_comp_ima_t *this, pts_t *pts, pts_comp_evidence_t **evidence,
433 pts_file_meas_t **measurements)
434 {
435 bios_entry_t *bios_entry;
436 ima_entry_t *ima_entry, *entry;
437 status_t status;
438 enumerator_t *e;
439 pts_file_meas_t *file_meas;
440
441 *measurements = NULL;
442
443 switch (this->state)
444 {
445 case IMA_STATE_INIT:
446 if (!load_bios_measurements(IMA_BIOS_MEASUREMENTS, this->bios_list,
447 &this->measurement_time))
448 {
449 return FAILED;
450 }
451 this->state = IMA_STATE_BIOS;
452 /* fall through to next state */
453 case IMA_STATE_BIOS:
454 status = this->bios_list->remove_first(this->bios_list,
455 (void**)&bios_entry);
456 if (status != SUCCESS)
457 {
458 DBG1(DBG_PTS, "could not retrieve bios measurement entry");
459 return status;
460 }
461 *evidence = extend_pcr(this, bios_entry->pcr,
462 bios_entry->measurement);
463 free(bios_entry);
464
465 /* break if still some BIOS measurements are left */
466 if (this->bios_list->get_count(this->bios_list))
467 {
468 break;
469 }
470
471 /* check if IMA runtime measurements are enabled */
472 if (!load_runtime_measurements(IMA_RUNTIME_MEASUREMENTS,
473 this->ima_list, &this->measurement_time))
474 {
475 return FAILED;
476 }
477
478 this->state = this->ima_list->get_count(this->ima_list) ?
479 IMA_STATE_BOOT_AGGREGATE : IMA_STATE_END;
480 break;
481 case IMA_STATE_BOOT_AGGREGATE:
482 case IMA_STATE_RUNTIME:
483 status = this->ima_list->remove_first(this->ima_list,
484 (void**)&ima_entry);
485 if (status != SUCCESS)
486 {
487 DBG1(DBG_PTS, "could not retrieve ima measurement entry");
488 return status;
489 }
490 *evidence = extend_pcr(this, IMA_PCR, ima_entry->measurement);
491
492 if (this->state == IMA_STATE_BOOT_AGGREGATE)
493 {
494 check_boot_aggregate(this, ima_entry->measurement);
495
496 if (this->ima_list->get_count(this->ima_list))
497 {
498 /* extract file measurements */
499 file_meas = pts_file_meas_create(0);
500
501 e = this->ima_list->create_enumerator(this->ima_list);
502 while (e->enumerate(e, &entry))
503 {
504 file_meas->add(file_meas, entry->filename,
505 entry->file_measurement);
506 }
507 e->destroy(e);
508 *measurements = file_meas;
509 }
510 }
511
512 free(ima_entry->file_measurement.ptr);
513 free(ima_entry->filename);
514 free(ima_entry);
515 this->state = this->ima_list->get_count(this->ima_list) ?
516 IMA_STATE_RUNTIME : IMA_STATE_END;
517 break;
518 case IMA_STATE_END:
519 break;
520 }
521
522 return (this->state == IMA_STATE_END) ? SUCCESS : NEED_MORE;
523 }
524
525 METHOD(pts_component_t, verify, status_t,
526 pts_ita_comp_ima_t *this, pts_t *pts, pts_comp_evidence_t *evidence)
527 {
528 bool has_pcr_info;
529 u_int32_t extended_pcr, vid, name;
530 enum_name_t *names;
531 pts_meas_algorithms_t algo;
532 pts_pcr_transform_t transform;
533 time_t measurement_time;
534 chunk_t measurement, pcr_before, pcr_after;
535 status_t status;
536
537 measurement = evidence->get_measurement(evidence, &extended_pcr,
538 &algo, &transform, &measurement_time);
539
540 switch (this->state)
541 {
542 case IMA_STATE_INIT:
543 if (!pts->get_aik_keyid(pts, &this->keyid))
544 {
545 return FAILED;
546 }
547 this->keyid = chunk_clone(this->keyid);
548
549 if (!this->pts_db)
550 {
551 DBG1(DBG_PTS, "pts database not available");
552 return FAILED;
553 }
554 status = this->pts_db->get_comp_measurement_count(this->pts_db,
555 this->name, this->keyid, algo,
556 &this->cid, &this->kid, &this->count);
557 if (status != SUCCESS)
558 {
559 return status;
560 }
561 vid = this->name->get_vendor_id(this->name);
562 name = this->name->get_name(this->name);
563 names = pts_components->get_comp_func_names(pts_components, vid);
564
565 if (this->count)
566 {
567 DBG1(DBG_PTS, "checking %d %N '%N' functional component "
568 "evidence measurements", this->count, pen_names,
569 vid, names, name);
570 }
571 else
572 {
573 DBG1(DBG_PTS, "registering %N '%N' functional component "
574 "evidence measurements", pen_names, vid, names,
575 name);
576 this->is_registering = TRUE;
577 }
578 this->state = IMA_STATE_BIOS;
579 /* fall through to next state */
580 case IMA_STATE_BIOS:
581 if (extended_pcr != IMA_PCR)
582 {
583 if (this->is_registering)
584 {
585 status = this->pts_db->insert_comp_measurement(this->pts_db,
586 measurement, this->cid, this->kid,
587 ++this->seq_no, extended_pcr, algo);
588 if (status != SUCCESS)
589 {
590 return status;
591 }
592 this->count = this->seq_no + 1;
593 }
594 else
595 {
596 status = this->pts_db->check_comp_measurement(this->pts_db,
597 measurement, this->cid, this->kid,
598 ++this->seq_no, extended_pcr, algo);
599 if (status != SUCCESS)
600 {
601 return status;
602 }
603 }
604 break;
605 }
606 this->state = IMA_STATE_BOOT_AGGREGATE;
607 /* fall through to next state */
608 case IMA_STATE_BOOT_AGGREGATE:
609 this->state = IMA_STATE_RUNTIME;
610 break;
611 case IMA_STATE_RUNTIME:
612 break;
613 case IMA_STATE_END:
614 break;
615 }
616
617 has_pcr_info = evidence->get_pcr_info(evidence, &pcr_before, &pcr_after);
618 if (has_pcr_info)
619 {
620 if (!pts->add_pcr(pts, extended_pcr, pcr_before, pcr_after))
621 {
622 return FAILED;
623 }
624 }
625
626 return SUCCESS;
627 }
628
629 METHOD(pts_component_t, finalize, bool,
630 pts_ita_comp_ima_t *this)
631 {
632 u_int32_t vid, name;
633 enum_name_t *names;
634
635 vid = this->name->get_vendor_id(this->name);
636 name = this->name->get_name(this->name);
637 names = pts_components->get_comp_func_names(pts_components, vid);
638
639 if (this->is_registering)
640 {
641 /* close registration */
642 this->is_registering = FALSE;
643
644 DBG1(DBG_PTS, "registered %d %N '%N' functional component evidence "
645 "measurements", this->seq_no, pen_names, vid, names, name);
646 }
647 else if (this->seq_no < this->count)
648 {
649 DBG1(DBG_PTS, "%d of %d %N '%N' functional component evidence "
650 "measurements missing", this->count - this->seq_no,
651 this->count, pen_names, vid, names, name);
652 return FALSE;
653 }
654
655 return TRUE;
656 }
657
658 METHOD(pts_component_t, destroy, void,
659 pts_ita_comp_ima_t *this)
660 {
661 int i, count;
662 u_int32_t vid, name;
663 enum_name_t *names;
664
665 for (i = 0; i < IMA_PCR_MAX; i++)
666 {
667 free(this->pcrs[i].ptr);
668 }
669 if (this->is_registering)
670 {
671 count = this->pts_db->delete_comp_measurements(this->pts_db,
672 this->cid, this->kid);
673 vid = this->name->get_vendor_id(this->name);
674 name = this->name->get_name(this->name);
675 names = pts_components->get_comp_func_names(pts_components, vid);
676 DBG1(DBG_PTS, "deleted %d registered %N '%N' functional component "
677 "evidence measurements", count, pen_names, vid, names, name);
678 }
679 this->bios_list->destroy_function(this->bios_list, (void *)free_bios_entry);
680 this->ima_list->destroy_function(this->ima_list, (void *)free_ima_entry);
681 this->name->destroy(this->name);
682 this->hasher->destroy(this->hasher);
683 free(this->keyid.ptr);
684 free(this);
685 }
686
687 /**
688 * See header
689 */
690 pts_component_t *pts_ita_comp_ima_create(u_int8_t qualifier, u_int32_t depth,
691 pts_database_t *pts_db)
692 {
693 pts_ita_comp_ima_t *this;
694 int i;
695
696 INIT(this,
697 .public = {
698 .get_comp_func_name = _get_comp_func_name,
699 .get_evidence_flags = _get_evidence_flags,
700 .get_depth = _get_depth,
701 .measure = _measure,
702 .verify = _verify,
703 .finalize = _finalize,
704 .destroy = _destroy,
705 },
706 .name = pts_comp_func_name_create(PEN_ITA, PTS_ITA_COMP_FUNC_NAME_IMA,
707 qualifier),
708 .depth = depth,
709 .pts_db = pts_db,
710 .bios_list = linked_list_create(),
711 .ima_list = linked_list_create(),
712 .hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1),
713 );
714
715 for (i = 0; i < IMA_PCR_MAX; i++)
716 {
717 this->pcrs[i] = chunk_alloc(HASH_SIZE_SHA1);
718 memset(this->pcrs[i].ptr, 0x00, HASH_SIZE_SHA1);
719 }
720 return &this->public;
721 }
722