
ima_emulator: Support PCR hash algorithms other than SHA-1 #376

Merged
merged 4 commits into from
Jul 7, 2022

Conversation

ueno
Contributor

@ueno ueno commented May 16, 2022

This ports the recent changes to keylime_ima_emulator in the Python
stack, which allows PCR hash algorithms other than SHA-1 through the
command-line options.

Fixes: #373

Signed-off-by: Daiki Ueno [email protected]

@ueno ueno force-pushed the wip/dueno/ima-emulator-update branch from 963a5e0 to 155da11 Compare May 16, 2022 07:16
@ueno
Contributor Author

ueno commented May 16, 2022

I've only tried this with --hash_algs sha256 and it seems to work; we probably should add deterministic unit tests with fixtures.
Also it might make sense to use ima-measurements crate in the future, though it currently seems to lack support for ASCII format and incremental (push?) parsing.

@ueno ueno force-pushed the wip/dueno/ima-emulator-update branch from 155da11 to 9cc824d Compare May 16, 2022 07:18
@ueno ueno force-pushed the wip/dueno/ima-emulator-update branch from 9cc824d to c5c2e2c Compare May 16, 2022 07:34
@THS-on
Member

THS-on commented Jun 3, 2022

Note that the hashes of ToMToU errors need to be handled differently. See here: https://github.com/keylime/keylime/blob/37553151b204ace6a1b672b017486f2ed9b17ff4/keylime/ima/ast.py#L371-L376

@ueno
Contributor Author

ueno commented Jun 3, 2022

I think the logic is here; I'll add a comment to be clear.

@THS-on
Member

THS-on commented Jun 3, 2022

> I think the logic is here; I'll add a comment to be clear.

Yes, I missed that.

@kkaarreell
Contributor

Parameters that we are currently using in tests for Python IMA emulator are --hash_algs sha256 --ima-hash-alg sha256.

@ueno ueno force-pushed the wip/dueno/ima-emulator-update branch 2 times, most recently from d4cd098 to 2901cbd Compare July 5, 2022 07:51
@ueno ueno marked this pull request as ready for review July 5, 2022 07:51
@ueno ueno force-pushed the wip/dueno/ima-emulator-update branch 5 times, most recently from 1f722f0 to 51c6e50 Compare July 6, 2022 02:03
@kkaarreell
Contributor

Hi @ueno, you can now use
master...kkaarreell:rust-keylime:rust_emu
to use Rust emulator in E2E tests.

@ueno ueno force-pushed the wip/dueno/ima-emulator-update branch from 85b09e5 to 995d79a Compare July 7, 2022 00:13
ueno and others added 3 commits July 7, 2022 10:46
This ports the recent changes to keylime_ima_emulator in the Python
stack, which allows PCR hash algorithms other than SHA-1 through the
command-line options.

Signed-off-by: Daiki Ueno <[email protected]>
Installation of Rust IMA emulator has been implemented in
RedHat-SP-Security/keylime-tests#141

Signed-off-by: Karel Srot <[email protected]>
@ueno ueno force-pushed the wip/dueno/ima-emulator-update branch from 995d79a to d0e2dd7 Compare July 7, 2022 01:46
@ueno
Contributor Author

ueno commented Jul 7, 2022

@kkaarreell thanks Karel, I've cherry-picked the commit. The CI is currently failing at:
https://github.com/keylime/rust-keylime/pull/376/files#diff-c5136e0a6dc3c65b67d122a69621f5b9057833a037c277995acf9dcb8533fc7fR87

This code does not exist in the Python IMA emulator, but it is a sanity check that the calculated hash value matches the template hash in the log file. However, it never matches if --ima-hash-alg=sha256 is given, because the hash value in the template is hard-coded to be SHA-1:
https://elixir.bootlin.com/linux/v5.18/source/security/integrity/ima/ima_fs.c#L236

That could also mean that, with that option the ToMToU measure will never trigger:
https://github.com/keylime/rust-keylime/pull/376/files#diff-c5136e0a6dc3c65b67d122a69621f5b9057833a037c277995acf9dcb8533fc7fR80

Therefore I suggest using --hash_algs=sha256 --ima-hash-alg=sha1.
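The reasoning in the comment above, as an added Python illustration that is not part of this pull request or of either keylime code base: the template hash column printed by the kernel's ASCII measurement list is always the SHA-1 bank digest, so a sanity check that recomputes it with SHA-256 can never match, while the PCR banks themselves are each extended with a template hash of their own algorithm, and a violation entry (all-zero template hash) is extended with 0xff bytes instead. The log lines, file hashes and paths are constructed for the example; the ima-ng field layout (length-prefixed `d-ng` = `"algo:\0" + digest`, `n-ng` = path + NUL) is the kernel's, but the helper names are this example's own.

```python
import hashlib
import struct
from dataclasses import dataclass

# Digest size of each PCR bank the emulator may be asked to extend (example assumption).
DIGEST_SIZE = {"sha1": 20, "sha256": 32}


def field(data: bytes) -> bytes:
    """Length-prefix one template field (4-byte little-endian length + data)."""
    return struct.pack("<I", len(data)) + data


def ima_ng_template_data(file_hash_algo: str, file_hash: bytes, path: str) -> bytes:
    """Serialise the two ima-ng fields: d-ng ("algo:\\0" + digest) and n-ng (path + NUL)."""
    d_ng = file_hash_algo.encode() + b":\0" + file_hash
    n_ng = path.encode() + b"\0"
    return field(d_ng) + field(n_ng)


def template_hash(template_data: bytes, algo: str) -> bytes:
    """Template hash for one bank: the bank's algorithm over the serialised fields."""
    return hashlib.new(algo, template_data).digest()


@dataclass
class Entry:
    pcr: int
    template_hash: bytes  # column 2 of the ASCII log: always the SHA-1 bank value
    template_name: str
    file_hash_algo: str
    file_hash: bytes
    path: str

    @property
    def is_violation(self) -> bool:
        # ToMToU / open_writers violations are logged with an all-zero template hash.
        return self.template_hash == b"\0" * len(self.template_hash)


def parse_line(line: str) -> Entry:
    """Parse one ima-ng line: '<pcr> <template_hash> ima-ng <algo>:<hex> <path>'."""
    pcr, th, name, algo_hash, path = line.split(" ", 4)
    algo, hexdigest = algo_hash.split(":", 1)
    return Entry(int(pcr), bytes.fromhex(th), name, algo, bytes.fromhex(hexdigest), path)


def template_hash_matches(entry: Entry, algo: str) -> bool:
    """The sanity check discussed in the PR: recompute the template hash with `algo`
    and compare it to the value printed in the log (which is always SHA-1)."""
    data = ima_ng_template_data(entry.file_hash_algo, entry.file_hash, entry.path)
    return template_hash(data, algo) == entry.template_hash


def extend(pcr_value: bytes, digest: bytes, algo: str) -> bytes:
    """TPM-style PCR extend: new = H(old || digest)."""
    return hashlib.new(algo, pcr_value + digest).digest()


def replay(lines, banks=("sha1", "sha256")) -> dict:
    """Replay the log into a zeroed PCR per bank. Normal entries extend each bank with
    that bank's template hash; violations extend with 0xff bytes to invalidate the PCR."""
    pcrs = {b: b"\0" * DIGEST_SIZE[b] for b in banks}
    for line in lines:
        e = parse_line(line)
        data = ima_ng_template_data(e.file_hash_algo, e.file_hash, e.path)
        for bank in banks:
            digest = b"\xff" * DIGEST_SIZE[bank] if e.is_violation else template_hash(data, bank)
            pcrs[bank] = extend(pcrs[bank], digest, bank)
    return pcrs


def make_line(file_hash: bytes, path: str, violation: bool = False) -> str:
    """Build a constructed log line the way the kernel prints it: the template hash
    column is the SHA-1 bank digest (or all zeros for a violation), whatever other
    banks are active."""
    data = ima_ng_template_data("sha256", file_hash, path)
    th = b"\0" * 20 if violation else template_hash(data, "sha1")
    return f"10 {th.hex()} ima-ng sha256:{file_hash.hex()} {path}"


# Constructed sample log: one ordinary measurement and one ToMToU-style violation.
SAMPLE_LOG = [
    make_line(hashlib.sha256(b"constructed file 1").digest(), "/usr/bin/true"),
    make_line(b"\0" * 32, "/var/log/example with space.log", violation=True),
]

if __name__ == "__main__":
    e = parse_line(SAMPLE_LOG[0])
    print("template hash matches sha1  :", template_hash_matches(e, "sha1"))
    print("template hash matches sha256:", template_hash_matches(e, "sha256"))
    for bank, value in replay(SAMPLE_LOG).items():
        print(bank, value.hex())
```

Running it shows the sha1 check passing and the sha256 check failing on the same entry, which is why the suggested combination is `--hash_algs=sha256 --ima-hash-alg=sha1`: the PCR bank can be SHA-256 while the template hash used for the log sanity check and the violation detection stays SHA-1.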

@kkaarreell
Contributor

Hi @ueno, I have changed it in RedHat-SP-Security/keylime-tests#142
Please rerun packit tests.

@ueno
Contributor Author

ueno commented Jul 7, 2022

/packit retest-failed

Contributor

@ansasaki ansasaki left a comment


LGTM!

@ansasaki ansasaki merged commit 47f50e0 into keylime:master Jul 7, 2022
Development

Successfully merging this pull request may close these issues.

IMA emulator to use hash algo from config
6 participants