diff --git a/0103-fix-ima-attestation-log-and-add-pcr-check.patch b/0103-fix-ima-attestation-log-and-add-pcr-check.patch
new file mode 100644
index 0000000000000000000000000000000000000000..f9daae78ce668fd3e5a070142e813f34d7ed2932
--- /dev/null
+++ b/0103-fix-ima-attestation-log-and-add-pcr-check.patch
@@ -0,0 +1,128 @@
+From 011d8c8e874e07865bc481ae8daa03ccf1a31923 Mon Sep 17 00:00:00 2001
+From: SPYFAMILY
+Date: Fri, 23 May 2025 17:26:33 +0800
+Subject: [PATCH] =?UTF-8?q?1.=20=E7=AE=80=E5=8C=96ima=E7=9A=84pcr=E6=A0=A1?=
+ =?UTF-8?q?=E9=AA=8C=E9=80=BB=E8=BE=91=202.=20=E6=B7=BB=E5=8A=A0ima=5Flog?=
+ =?UTF-8?q?=E5=BA=A6=E9=87=8F=E4=BA=8B=E4=BB=B6=E6=95=B0=E9=87=8F=E6=8A=A5?=
+ =?UTF-8?q?=E9=94=99=E6=8F=90=E7=A4=BA=203.=20=E6=B6=88=E9=99=A4=E9=83=A8?=
+ =?UTF-8?q?=E5=88=86=E5=86=97=E4=BD=99=E4=BB=A3=E7=A0=81?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+---
+ .../agent/src/bin/aa-test/main.rs | 11 ++++++++--
+ .../attester/src/virtcca/mod.rs | 20 +++++++++----------
+ .../verifier/src/virtcca/ima.rs | 11 ++++++----
+ 3 files changed, 25 insertions(+), 17 deletions(-)
+
+diff --git a/service/attestation/attestation-agent/agent/src/bin/aa-test/main.rs b/service/attestation/attestation-agent/agent/src/bin/aa-test/main.rs
+index 8aa2200..6f23f8f 100644
+--- a/service/attestation/attestation-agent/agent/src/bin/aa-test/main.rs
++++ b/service/attestation/attestation-agent/agent/src/bin/aa-test/main.rs
+@@ -23,10 +23,15 @@ const AA_ADDR: &str = "http://127.0.0.1:8081";
+ #[tokio::main]
+ async fn main() {
+ env_logger::init_from_env(env_logger::Env::new().default_filter_or("info"));
++
++ // 解析命令行参数
++ let args: Vec = std::env::args().collect();
++ let ima = args.contains(&"--ima".to_string()) || args.contains(&"-i".to_string());
++
+ let mut handles = Vec::with_capacity(TEST_THREAD_NUM as usize);
+ for i in 0..TEST_THREAD_NUM {
+ let t = tokio::spawn(async move {
+- aa_proc(i).await;
++ aa_proc(i, ima).await;
+ });
+ handles.push(t);
+ }
+@@ -37,7 +42,7 @@ async fn main() {
+ log::info!("main stop");
+ }
+
+-async fn aa_proc(i: i64) {
++async fn aa_proc(i: i64, ima: bool) {
+ log::info!("attestation_proc thread {} start", i);
+
+ // get challenge
+@@ -77,6 +82,7 @@ async fn aa_proc(i: i64) {
+ let request_body = json!({
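Review bot: The new flag parsing in main() builds a Vec and allocates two Strings per comparison, and introduces a Chinese comment into a file whose other comments are English (`// get challenge` further down); `let ima = std::env::args().any(|a| a == "--ima" || a == "-i");` does the same work without the collection or the allocations, and the comment would read `// parse command-line flags: --ima / -i requests IMA evidence`. The element type of `args: Vec` is not visible here, presumably `Vec<String>` lost in rendering, which the one-liner sidesteps. Any other argument is silently ignored; for a test binary that is acceptable, but logging the unrecognized value would make `-i` discoverable. The `ima` flag is only threaded into the two `json!` request bodies in the later hunks of this file, which is consistent with the new `aa_proc(i: i64, ima: bool)` signature.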
+ "challenge": challenge, + "uuid": String::from("f68fd704-6eb1-4d14-b218-722850eb3ef0"), ++ "ima": ima, + }); + log::info!( + "thread {} case2 get evidence, request body: {}", +@@ -150,6 +156,7 @@ async fn aa_proc(i: i64) { + let request_body = json!({ + "challenge": challenge, + "uuid": String::from("f68fd704-6eb1-4d14-b218-722850eb3ef0"), ++ "ima": ima, + }); + log::info!( + "thread {} case5 get token, request body: {}", +diff --git a/service/attestation/attestation-agent/attester/src/virtcca/mod.rs b/service/attestation/attestation-agent/attester/src/virtcca/mod.rs +index 9f84ed4..87153c5 100644 +--- a/service/attestation/attestation-agent/attester/src/virtcca/mod.rs ++++ b/service/attestation/attestation-agent/attester/src/virtcca/mod.rs +@@ -95,16 +95,14 @@ fn virtcca_get_token(user_data: EvidenceRequest) -> Result { + }; + + let ima_log = match with_ima { +- true => { +- match std::fs::read(IMA_LOG_PATH) { +- Ok(d) => { +- log::info!("read ima log success"); +- Some(d) +- }, +- Err(e) => { +- log::error!("read IMA log failed: {}", e); +- bail!("get ima log failed"); +- } ++ true => match std::fs::read(IMA_LOG_PATH) { ++ Ok(d) => { ++ log::info!("read ima log success"); ++ Some(d) ++ } ++ Err(e) => { ++ log::error!("read IMA log failed: {}", e); ++ bail!("get ima log failed"); + } + }, + false => None, +@@ -119,7 +117,7 @@ fn virtcca_get_token(user_data: EvidenceRequest) -> Result { + ccel_table: table, + ccel_data: data, + }) +- }, ++ } + _ => { + log::warn!("read ccel table or data failed"); + None +diff --git a/service/attestation/attestation-service/verifier/src/virtcca/ima.rs b/service/attestation/attestation-service/verifier/src/virtcca/ima.rs +index 271c9d2..fe29ecd 100644 +--- a/service/attestation/attestation-service/verifier/src/virtcca/ima.rs ++++ b/service/attestation/attestation-service/verifier/src/virtcca/ima.rs +@@ -39,11 +39,14 @@ impl ImaVerify { + events.push(event); + } + ++ if events.len() < 2 { ++ bail!("No IMA measurement records for 
files found."); ++ } + let pcr_index = events[1].pcr_index; +- let ima_index : usize = match (pcr_index-1).try_into() { +- Ok(idx) => idx, +- Err(_) => bail!("Invalid pcr_index for IMA"), +- }; ++ if pcr_index < 1 || pcr_index > CVM_REM_ARR_SIZE as u32 { ++ bail!("Invalid pcr_index for IMA"); ++ } ++ let ima_index = (pcr_index - 1) as usize; + let pcr_values = parser.pcr_values(); + let pcr_value = pcr_values.get(&pcr_index).expect("PCR not measured"); + let string_pcr_sha256 = hex::encode(pcr_value.sha256); +-- +2.49.0.windows.1 + diff --git a/secGear.spec b/secGear.spec index 203b4fef8ba4931c7e63ef2b0341ae7b98966dab..9e6c200a02e6b6146087a573b456dfe9a9ede2f9 100644 --- a/secGear.spec +++ b/secGear.spec @@ -1,6 +1,6 @@ Name: secGear Version: 0.1.0 -Release: 60 +Release: 61 Summary: secGear is an SDK to develop confidential computing apps based on hardware enclave features @@ -112,6 +112,7 @@ Patch98: 0099-fix-permit-dots-in-the-resource-policy-id.patch Patch99: 0100-challenge-may-generate-by-requester-so-aa-and-as-may.patch Patch100: 0101-generate-random-by-ra_tls-itself.patch Patch101: 0102-Add-support-for-UEFI-measured-boot-attestation.patch +Patch102: 0103-fix-ima-attestation-log-and-add-pcr-check.patch BuildRequires: gcc python automake autoconf libtool BUildRequires: glibc glibc-devel cmake ocaml-dune rpm gcc-c++ compat-openssl11-libs compat-openssl11-devel @@ -354,6 +355,9 @@ popd systemctl restart rsyslog %changelog +* Fri May 23 2025 SPYFAMILY - 0.1.0-61 +- fix ima attestation log and add pcr check + * Wed May 14 2025 SPYFAMILY - 0.1.0-60 - Add support for UEFI measured boot attestation