refactored PTS functional component measurements
[strongswan.git] / src / libpts / pts / components / ita / ita_comp_ima.c
1 /*
2 * Copyright (C) 2011 Andreas Steffen
3 *
4 * HSR Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 #include "ita_comp_ima.h"
18 #include "ita_comp_func_name.h"
19
20 #include "libpts.h"
21 #include "pts/components/pts_component.h"
22
23 #include <debug.h>
24 #include <pen/pen.h>
25
26 #include <sys/types.h>
27 #include <sys/stat.h>
28 #include <unistd.h>
29 #include <fcntl.h>
30 #include <errno.h>
31
32 #define SECURITY_DIR "/sys/kernel/security/"
33 #define IMA_BIOS_MEASUREMENTS SECURITY_DIR "tpm0/binary_bios_measurements"
34 #define IMA_RUNTIME_MEASUREMENTS SECURITY_DIR "ima/binary_runtime_measurements"
35 #define IMA_PCR 10
36 #define IMA_PCR_MAX 16
37 #define IMA_TYPE_LEN 3
38
39 typedef struct pts_ita_comp_ima_t pts_ita_comp_ima_t;
40 typedef struct bios_entry_t bios_entry_t;
41 typedef struct ima_entry_t ima_entry_t;
42 typedef enum ima_state_t ima_state_t;
43
44 enum ima_state_t {
45 IMA_STATE_INIT,
46 IMA_STATE_BIOS,
47 IMA_STATE_BIOS_AGGREGATE,
48 IMA_STATE_RUNTIME,
49 IMA_STATE_END
50 };
51
52 /**
53 * Private data of a pts_ita_comp_ima_t object.
54 *
55 */
56 struct pts_ita_comp_ima_t {
57
58 /**
59 * Public pts_component_t interface.
60 */
61 pts_component_t public;
62
63 /**
64 * Component Functional Name
65 */
66 pts_comp_func_name_t *name;
67
68 /**
69 * AIK keyid
70 */
71 chunk_t keyid;
72
73 /**
74 * Sub-component depth
75 */
76 u_int32_t depth;
77
78 /**
79 * PTS measurement database
80 */
81 pts_database_t *pts_db;
82
83 /**
84 * Primary key for Component Functional Name database entry
85 */
86 int cid;
87
88 /**
89 * Primary key for AIK database entry
90 */
91 int kid;
92
93 /**
94 * Component is registering measurements
95 */
96 bool is_registering;
97
98 /**
99 * Measurement sequence number
100 */
101 int seq_no;
102
103 /**
104 * Expected IMA BIOS measurement count
105 */
106 int count;
107
108 /**
109 * IMA BIOS measurements
110 */
111 linked_list_t *bios_list;
112
113 /**
114 * IMA runtime file measurements
115 */
116 linked_list_t *ima_list;
117
118 /**
119 * Shadow PCR registers
120 */
121 chunk_t pcrs[IMA_PCR_MAX];
122
123 /**
124 * IMA measurement time
125 */
126 time_t measurement_time;
127
128 /**
129 * IMA state machine
130 */
131 ima_state_t state;
132
133 /**
134 * Hasher used to extend emulated PCRs
135 */
136 hasher_t *hasher;
137
138 };
139
140 /**
141 * Linux IMA BIOS measurement entry
142 */
143 struct bios_entry_t {
144
145 /**
146 * PCR register
147 */
148 u_int32_t pcr;
149
150 /**
151 * SHA1 measurement hash
152 */
153 chunk_t measurement;
154 };
155
156 /**
157 * Linux IMA runtime file measurement entry
158 */
159 struct ima_entry_t {
160
161 /**
162 * SHA1 measurement hash
163 */
164 chunk_t measurement;
165
166 /**
167 * SHA1 file measurement thash
168 */
169 chunk_t file_measurement;
170
171 /**
172 * absolute path of executable files or basename of dynamic libraries
173 */
174 chunk_t filename;
175 };
176
177 /**
178 * Free a bios_entry_t object
179 */
180 static void free_bios_entry(bios_entry_t *this)
181 {
182 free(this->measurement.ptr);
183 free(this);
184 }
185
186 /**
187 * Free an ima_entry_t object
188 */
189 static void free_ima_entry(ima_entry_t *this)
190 {
191 free(this->measurement.ptr);
192 free(this->file_measurement.ptr);
193 free(this->filename.ptr);
194 free(this);
195 }
196
197 /**
198 * Load a PCR measurement file and determine the creation date
199 */
200 static bool load_bios_measurements(char *file, linked_list_t *list,
201 time_t *created)
202 {
203 u_int32_t pcr, num, len;
204 bios_entry_t *entry;
205 struct stat st;
206 ssize_t res;
207 int fd;
208
209 fd = open(file, O_RDONLY);
210 if (fd == -1)
211 {
212 DBG1(DBG_PTS, "opening '%s' failed: %s", file, strerror(errno));
213 return FALSE;
214 }
215
216 if (fstat(fd, &st) == -1)
217 {
218 DBG1(DBG_PTS, "getting statistics of '%s' failed: %s", file,
219 strerror(errno));
220 close(fd);
221 return FALSE;
222 }
223 *created = st.st_ctime;
224
225 while (TRUE)
226 {
227 res = read(fd, &pcr, 4);
228 if (res == 0)
229 {
230 DBG2(DBG_PTS, "loaded bios measurements '%s' (%d entries)",
231 file, list->get_count(list));
232 close(fd);
233 return TRUE;
234 }
235
236 entry = malloc_thing(bios_entry_t);
237 entry->pcr = pcr;
238 entry->measurement = chunk_alloc(HASH_SIZE_SHA1);
239
240 if (res != 4)
241 {
242 break;
243 }
244 if (read(fd, &num, 4) != 4)
245 {
246 break;
247 }
248 if (read(fd, entry->measurement.ptr, HASH_SIZE_SHA1) != HASH_SIZE_SHA1)
249 {
250 break;
251 }
252 if (read(fd, &len, 4) != 4)
253 {
254 break;
255 }
256 if (lseek(fd, len, SEEK_CUR) == -1)
257 {
258 break;
259 }
260 list->insert_last(list, entry);
261 }
262
263 DBG1(DBG_PTS, "loading bios measurements '%s' failed: %s", file,
264 strerror(errno));
265 close(fd);
266 return FALSE;
267 }
268
269 /**
270 * Load an IMA runtime measurement file and determine the creation and
271 * update dates
272 */
273 static bool load_runtime_measurements(char *file, linked_list_t *list,
274 time_t *created)
275 {
276 u_int32_t pcr, len;
277 ima_entry_t *entry;
278 char type[IMA_TYPE_LEN];
279 struct stat st;
280 ssize_t res;
281 int fd;
282
283 fd = open(file, O_RDONLY);
284 if (fd == -1)
285 {
286 DBG1(DBG_PTS, "opening '%s' failed: %s", file, strerror(errno));
287 return TRUE;
288 }
289
290 if (fstat(fd, &st) == -1)
291 {
292 DBG1(DBG_PTS, "getting statistics of '%s' failed: %s", file,
293 strerror(errno));
294 close(fd);
295 return FALSE;
296 }
297 *created = st.st_ctime;
298
299 while (TRUE)
300 {
301 res = read(fd, &pcr, 4);
302 if (res == 0)
303 {
304 DBG2(DBG_PTS, "loaded ima measurements '%s' (%d entries)",
305 file, list->get_count(list));
306 close(fd);
307 return TRUE;
308 }
309
310 entry = malloc_thing(ima_entry_t);
311 entry->measurement = chunk_alloc(HASH_SIZE_SHA1);
312 entry->file_measurement = chunk_alloc(HASH_SIZE_SHA1);
313 entry->filename = chunk_empty;
314
315 if (res != 4 || pcr != IMA_PCR)
316 {
317 break;
318 }
319 if (read(fd, entry->measurement.ptr, HASH_SIZE_SHA1) != HASH_SIZE_SHA1)
320 {
321 break;
322 }
323 if (read(fd, &len, 4) != 4 || len != IMA_TYPE_LEN)
324 {
325 break;
326 }
327 if (read(fd, type, IMA_TYPE_LEN) != IMA_TYPE_LEN ||
328 memcmp(type, "ima", IMA_TYPE_LEN))
329 {
330 break;
331 }
332 if (read(fd, entry->file_measurement.ptr, HASH_SIZE_SHA1) != HASH_SIZE_SHA1)
333 {
334 break;
335 }
336 if (read(fd, &len, 4) != 4)
337 {
338 break;
339 }
340 entry->filename = chunk_alloc(len);
341 if (read(fd, entry->filename.ptr, len) != len)
342 {
343 break;
344 }
345 list->insert_last(list, entry);
346 }
347
348 DBG1(DBG_PTS, "loading ima measurements '%s' failed: %s",
349 file, strerror(errno));
350 close(fd);
351 return FALSE;
352 }
353
354 /**
355 * Extend measurement into PCR an create evidence
356 */
357 pts_comp_evidence_t* extend_pcr(pts_ita_comp_ima_t* this, u_int32_t pcr,
358 size_t pcr_len, chunk_t measurement)
359 {
360 pts_pcr_transform_t pcr_transform;
361 pts_meas_algorithms_t hash_algo;
362 pts_comp_evidence_t *evidence;
363 chunk_t pcr_before, pcr_after;
364
365 hash_algo = PTS_MEAS_ALGO_SHA1;
366 pcr_transform = pts_meas_algo_to_pcr_transform(hash_algo, pcr_len);
367 pcr_before = chunk_clone(this->pcrs[pcr]);
368 this->hasher->get_hash(this->hasher, pcr_before, NULL);
369 this->hasher->get_hash(this->hasher, measurement, this->pcrs[pcr].ptr);
370 pcr_after = chunk_clone(this->pcrs[pcr]);
371
372 evidence = pts_comp_evidence_create(this->name->clone(this->name),
373 this->depth, pcr, hash_algo, pcr_transform,
374 this->measurement_time, measurement);
375 evidence->set_pcr_info(evidence, pcr_before, pcr_after);
376
377 return evidence;
378 }
379
380 METHOD(pts_component_t, get_comp_func_name, pts_comp_func_name_t*,
381 pts_ita_comp_ima_t *this)
382 {
383 return this->name;
384 }
385
386 METHOD(pts_component_t, get_evidence_flags, u_int8_t,
387 pts_ita_comp_ima_t *this)
388 {
389 return PTS_REQ_FUNC_COMP_EVID_PCR;
390 }
391
392 METHOD(pts_component_t, get_depth, u_int32_t,
393 pts_ita_comp_ima_t *this)
394 {
395 return this->depth;
396 }
397
398 METHOD(pts_component_t, measure, status_t,
399 pts_ita_comp_ima_t *this, pts_t *pts, pts_comp_evidence_t **evidence)
400 {
401 bios_entry_t *bios_entry;
402 ima_entry_t *ima_entry;
403 status_t status;
404
405 switch (this->state)
406 {
407 case IMA_STATE_INIT:
408 if (!load_bios_measurements(IMA_BIOS_MEASUREMENTS, this->bios_list,
409 &this->measurement_time))
410 {
411 return FAILED;
412 }
413 this->state = IMA_STATE_BIOS;
414 /* fall through to next state */
415 case IMA_STATE_BIOS:
416 status = this->bios_list->remove_first(this->bios_list,
417 (void**)&bios_entry);
418 if (status != SUCCESS)
419 {
420 DBG1(DBG_PTS, "could not retrieve bios measurement entry");
421 return status;
422 }
423 *evidence = extend_pcr(this, bios_entry->pcr, pts->get_pcr_len(pts),
424 bios_entry->measurement);
425 free(bios_entry);
426
427 /* break if still some BIOS measurements are left */
428 if (this->bios_list->get_count(this->bios_list))
429 {
430 break;
431 }
432
433 /* check if IMA runtime measurements are enabled */
434 if (!load_runtime_measurements(IMA_RUNTIME_MEASUREMENTS,
435 this->ima_list, &this->measurement_time))
436 {
437 return FAILED;
438 }
439
440 this->state = this->ima_list->get_count(this->ima_list) ?
441 IMA_STATE_BIOS_AGGREGATE : IMA_STATE_END;
442 break;
443 case IMA_STATE_BIOS_AGGREGATE:
444 case IMA_STATE_RUNTIME:
445 status = this->ima_list->remove_first(this->ima_list,
446 (void**)&ima_entry);
447 if (status != SUCCESS)
448 {
449 DBG1(DBG_PTS, "could not retrieve ima measurement entry");
450 return status;
451 }
452 *evidence = extend_pcr(this, IMA_PCR, pts->get_pcr_len(pts),
453 ima_entry->measurement);
454
455 /* TODO optionally send file measurements */
456 chunk_free(&ima_entry->file_measurement);
457 chunk_free(&ima_entry->filename);
458 free(ima_entry);
459
460 if (this->state == IMA_STATE_BIOS_AGGREGATE)
461 {
462 /* TODO check BIOS aggregate value */
463 }
464 this->state = this->ima_list->get_count(this->ima_list) ?
465 IMA_STATE_RUNTIME : IMA_STATE_END;
466 break;
467 case IMA_STATE_END:
468 /* shouldn't happen */
469 return FAILED;
470 }
471
472 return (this->state == IMA_STATE_END) ? SUCCESS : NEED_MORE;
473 }
474
475 METHOD(pts_component_t, verify, status_t,
476 pts_ita_comp_ima_t *this, pts_t *pts, pts_comp_evidence_t *evidence)
477 {
478 bool has_pcr_info;
479 u_int32_t extended_pcr, vid, name;
480 enum_name_t *names;
481 pts_meas_algorithms_t algo;
482 pts_pcr_transform_t transform;
483 time_t measurement_time;
484 chunk_t measurement, pcr_before, pcr_after;
485 status_t status;
486
487 measurement = evidence->get_measurement(evidence, &extended_pcr,
488 &algo, &transform, &measurement_time);
489
490 if (!this->keyid.ptr)
491 {
492 if (!pts->get_aik_keyid(pts, &this->keyid))
493 {
494 return FAILED;
495 }
496 this->keyid = chunk_clone(this->keyid);
497
498 if (!this->pts_db)
499 {
500 DBG1(DBG_PTS, "pts database not available");
501 return FAILED;
502 }
503 status = this->pts_db->get_comp_measurement_count(this->pts_db,
504 this->name, this->keyid, algo,
505 &this->cid, &this->kid, &this->count);
506 if (status != SUCCESS)
507 {
508 return status;
509 }
510 vid = this->name->get_vendor_id(this->name);
511 name = this->name->get_name(this->name);
512 names = pts_components->get_comp_func_names(pts_components, vid);
513
514 if (this->count)
515 {
516 DBG1(DBG_PTS, "checking %d %N '%N' functional component evidence "
517 "measurements", this->count, pen_names, vid, names, name);
518 }
519 else
520 {
521 DBG1(DBG_PTS, "registering %N '%N' functional component evidence "
522 "measurements", pen_names, vid, names, name);
523 this->is_registering = TRUE;
524 }
525 }
526
527 if (extended_pcr != IMA_PCR)
528 {
529 if (this->is_registering)
530 {
531 status = this->pts_db->insert_comp_measurement(this->pts_db,
532 measurement, this->cid, this->kid,
533 ++this->seq_no, extended_pcr, algo);
534 if (status != SUCCESS)
535 {
536 return status;
537 }
538 this->count = this->seq_no + 1;
539 }
540 else
541 {
542 status = this->pts_db->check_comp_measurement(this->pts_db,
543 measurement, this->cid, this->kid,
544 ++this->seq_no, extended_pcr, algo);
545 if (status != SUCCESS)
546 {
547 return status;
548 }
549 }
550 }
551
552 has_pcr_info = evidence->get_pcr_info(evidence, &pcr_before, &pcr_after);
553 if (has_pcr_info)
554 {
555 if (!pts->add_pcr(pts, extended_pcr, pcr_before, pcr_after))
556 {
557 return FAILED;
558 }
559 }
560
561 return SUCCESS;
562 }
563
564 METHOD(pts_component_t, finalize, bool,
565 pts_ita_comp_ima_t *this)
566 {
567 u_int32_t vid, name;
568 enum_name_t *names;
569
570 vid = this->name->get_vendor_id(this->name);
571 name = this->name->get_name(this->name);
572 names = pts_components->get_comp_func_names(pts_components, vid);
573
574 if (this->is_registering)
575 {
576 /* close registration */
577 this->is_registering = FALSE;
578
579 DBG1(DBG_PTS, "registered %d %N '%N' functional component evidence "
580 "measurements", this->seq_no, pen_names, vid, names, name);
581 }
582 else if (this->seq_no < this->count)
583 {
584 DBG1(DBG_PTS, "%d of %d %N '%N' functional component evidence "
585 "measurements missing", this->count - this->seq_no,
586 this->count, pen_names, vid, names, name);
587 return FALSE;
588 }
589
590 return TRUE;
591 }
592
593 METHOD(pts_component_t, destroy, void,
594 pts_ita_comp_ima_t *this)
595 {
596 int i, count;
597 u_int32_t vid, name;
598 enum_name_t *names;
599
600 for (i = 0; i < IMA_PCR_MAX; i++)
601 {
602 free(this->pcrs[i].ptr);
603 }
604 if (this->is_registering)
605 {
606 count = this->pts_db->delete_comp_measurements(this->pts_db,
607 this->cid, this->kid);
608 vid = this->name->get_vendor_id(this->name);
609 name = this->name->get_name(this->name);
610 names = pts_components->get_comp_func_names(pts_components, vid);
611 DBG1(DBG_PTS, "deleted %d registered %N '%N' functional component "
612 "evidence measurements", count, pen_names, vid, names, name);
613 }
614 this->bios_list->destroy_function(this->bios_list, (void *)free_bios_entry);
615 this->ima_list->destroy_function(this->ima_list, (void *)free_ima_entry);
616 this->name->destroy(this->name);
617 this->hasher->destroy(this->hasher);
618 free(this->keyid.ptr);
619 free(this);
620 }
621
622 /**
623 * See header
624 */
625 pts_component_t *pts_ita_comp_ima_create(u_int8_t qualifier, u_int32_t depth,
626 pts_database_t *pts_db)
627 {
628 pts_ita_comp_ima_t *this;
629 int i;
630
631 INIT(this,
632 .public = {
633 .get_comp_func_name = _get_comp_func_name,
634 .get_evidence_flags = _get_evidence_flags,
635 .get_depth = _get_depth,
636 .measure = _measure,
637 .verify = _verify,
638 .finalize = _finalize,
639 .destroy = _destroy,
640 },
641 .name = pts_comp_func_name_create(PEN_ITA, PTS_ITA_COMP_FUNC_NAME_IMA,
642 qualifier),
643 .depth = depth,
644 .pts_db = pts_db,
645 .bios_list = linked_list_create(),
646 .ima_list = linked_list_create(),
647 .hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1),
648 );
649
650 for (i = 0; i < IMA_PCR_MAX; i++)
651 {
652 this->pcrs[i] = chunk_alloc(HASH_SIZE_SHA1);
653 memset(this->pcrs[i].ptr, 0x00, HASH_SIZE_SHA1);
654 }
655 return &this->public;
656 }
657