diff options
Diffstat (limited to 'src/libpts/pts/components/ita/ita_comp_ima.c')
| -rw-r--r-- | src/libpts/pts/components/ita/ita_comp_ima.c | 62 |
1 files changed, 48 insertions, 14 deletions
diff --git a/src/libpts/pts/components/ita/ita_comp_ima.c b/src/libpts/pts/components/ita/ita_comp_ima.c index a05dc7e5e..808a59580 100644 --- a/src/libpts/pts/components/ita/ita_comp_ima.c +++ b/src/libpts/pts/components/ita/ita_comp_ima.c @@ -17,6 +17,7 @@ #include "ita_comp_ima.h" #include "ita_comp_func_name.h" +#include "libpts.h" #include "pts/components/pts_component.h" #include <debug.h> @@ -31,7 +32,6 @@ #define IMA_SECURITY_DIR "/sys/kernel/security/tpm0/" #define IMA_BIOS_MEASUREMENT_PATH IMA_SECURITY_DIR "binary_bios_measurements" #define IMA_PCR_MAX 8 -#define IMA_SEQUENCE 126 typedef struct pts_ita_comp_ima_t pts_ita_comp_ima_t; @@ -57,6 +57,11 @@ struct pts_ita_comp_ima_t { u_int32_t depth; /** + * AIK keyid + */ + chunk_t keyid; + + /** * IMA BIOS measurement time */ time_t bios_measurement_time; @@ -67,6 +72,11 @@ struct pts_ita_comp_ima_t { linked_list_t *list; /** + * Expected measurement count + */ + int count; + + /** * Measurement sequence number */ int seq_no; @@ -247,27 +257,50 @@ METHOD(pts_component_t, verify, status_t, pts_comp_evidence_t *evidence) { bool has_pcr_info; - char *platform_info; - u_int32_t extended_pcr; + u_int32_t extended_pcr, vid, name; + enum_name_t *names; pts_meas_algorithms_t algo; pts_pcr_transform_t transform; time_t measurement_time; chunk_t measurement, pcr_before, pcr_after; - platform_info = pts->get_platform_info(pts); - if (!pts_db || !platform_info) - { - DBG1(DBG_PTS, "%s%s%s not available", - (pts_db) ? "" : "pts database", - (!pts_db && !platform_info) ? "and" : "", - (platform_info) ? "" : "platform info"); - return FAILED; - } measurement = evidence->get_measurement(evidence, &extended_pcr, &algo, &transform, &measurement_time); + if (!this->keyid.ptr) + { + if (!pts->get_aik_keyid(pts, &this->keyid)) + { + return FAILED; + } + this->keyid = chunk_clone(this->keyid); + + if (!pts_db) + { + DBG1(DBG_PTS, "pts database not available"); + return FAILED; + } + if (!pts_db->get_comp_measurement_count(pts_db, this->name, this->keyid, + algo, &this->count)) + { + return FAILED; + } + vid = this->name->get_vendor_id(this->name); + name = this->name->get_name(this->name); + names = pts_components->get_comp_func_names(pts_components, vid); + + if (this->count == 0) + { + DBG1(DBG_PTS, "no %N '%N' functional component evidence measurements " + "available", pen_names, vid, names, name); + return FAILED; + } + DBG1(DBG_PTS, "checking %d %N '%N' functional component evidence measurements", + this->count, pen_names, vid, names, name); + } + if (pts_db->check_comp_measurement(pts_db, measurement, this->name, - platform_info, ++this->seq_no, extended_pcr, algo) != SUCCESS) + this->keyid, ++this->seq_no, extended_pcr, algo) != SUCCESS) { return FAILED; } @@ -281,7 +314,7 @@ METHOD(pts_component_t, verify, status_t, } } - return (this->seq_no < IMA_SEQUENCE) ? NEED_MORE : SUCCESS; + return (this->seq_no < this->count) ? NEED_MORE : SUCCESS; } METHOD(pts_component_t, destroy, void, @@ -295,6 +328,7 @@ METHOD(pts_component_t, destroy, void, } this->list->destroy_function(this->list, (void *)free_entry); this->name->destroy(this->name); + free(this->keyid.ptr); free(this); } |