Integrity Measurement Architecture (IMA) IMA/EVM Utils

ima-evm-utils: add SM3 to pkey_hash_algo algorithm list

SM3 was published by State Encryption Management Bureau, China.
It has been well supported in the kernel and openssl.
This patch allows SM3 to be used smoothly by specifying the
parameter `-a sm3` or `--hashalgo sm3`.

Signed-off-by: Tianjia Zhang <tianjia.zhang@...>
Signed-off-by: Mimi Zohar <zohar@...>

ima-evm-utils: beautify the code to make it more readable

Use enum type instead of hard-coded numbers to improve code readability.

Signed-off-by: Tianjia Zhang <tianjia.zhang@...>
Signed-off-by: Mimi Zohar <zohar@...>

ima-evm-utils: Fix mismatched type checking

Even if imaevm_get_hash_algo() returns an error value of -1, it is
forced to be converted to uint8_t type here, resulting in this error
not being checked by the if condition. This patch fixes this error.

Signed-off-by: Tianjia Zhang <tianjia.zhang@...>
Signed-off-by: Mimi Zohar <zohar@...>

ima-evm-utils: skip test for discrete TPM 1.2 and exec'd as normal user

boot_aggregate test make use of a software TPM 2.0 in case it doesn't find
any /dev/tpm0 in the system or if the test is ran as a normal user. However,
when the system has a discrete TPM 1.2 and the user runs the test with a
non-root user evmctl fails to return the software TPM 2.0 boot aggregate
value because it tries to access TPM 1.2 the sysfs PCRs file and,
consequently, the test fails. Thus TPM 2.0 log test is not supported on
systems with a discrete TPM 1.2

Signed-off-by: Bruno Meneguele <bmeneg@...>
Signed-off-by: Mimi Zohar <zohar@...>

ima-evm-utils: logging: Print also LOG_INFO messages

as some errors are using it, e.g. in previous fix
just errno would be printed:

./src/evmctl ima_boot_aggregate
Failed to read any TPM PCRs
errno: No such file or directory (2)

Signed-off-by: Petr Vorel <pvorel@...>
Signed-off-by: Mimi Zohar <zohar@...>

ima-evm-utils: tests: fix finding the "boot_aggregate" value

Searching for the last "boot_aggregate" record in the measurement list
could inadvertently match a filename containing the string
"boot_aggregate". Prevent this from happening.

Reviewed-by: Bruno Meneguele <bmeneg@...>
Signed-off-by: Mimi Zohar <zohar@...>

ima_evm_utils: tests: boot_aggregate.test spans PCRs 0-9

display_pcrs() should include PCRS 8 - 9 as they are non-zeros on some
systems. boot_aggregate may span PCRs 0 - 9 so check()'s info message
should be fixed accordingly.

Signed-off-by: Maurizio Drocco <maurizio.drocco@...>

ima_evm_utils: extended calc_bootaggr to PCRs 8 - 9

cal_bootaggr() should include PCRs 8-9 in non-SHA1 digests.

Signed-off-by: Maurizio Drocco <maurizio.drocco@...>
Signed-off-by: Mimi Zohar <zohar@...>

ima_evm_utils: tests: color boot_aggregate.test tty output

Use the "functions.sh" tty color scheme, which defines SKIP as CYAN.

FAILURE: RED (31)
SUCCESS: GREEN (32)
SKIP: CYAN (36)

Should VERBOSE or informational messages be color coded?

Signed-off-by: Mimi Zohar <zohar@...>

ima-evm-utils: tests: verify the last "boot_aggregate" record

For each kexec, an additional "boot_aggregate" will appear in the
measurement list, assuming the previous measurement list is carried
across kexec.

Verify that the last "boot_aggregate" record in the IMA measurement list
matches. The "boot_aggregate" is either the last field (e.g. "ima-ng")
or the second to last field (e.g. "ima-sig") in the measurement list
record.

Signed-off-by: Mimi Zohar <zohar@...>