From bda0b0771ce64b8a70b9c9ae8846d4bd40c54b18 Mon Sep 17 00:00:00 2001
From: Stefan Berger
Date: Mon, 25 Jan 2021 14:32:10 -0500
Subject: [PATCH] ima: Count for bad file signatures in separate error field
Extend the err array with another field and account for bad file signatures in err[3]. We move prior usage of err[3] to err[4] where the good entries are counted and now sum over 4 error fields rather than 3.
Signed-off-by: Stefan Berger
---
keylime/ima.py | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/keylime/ima.py b/keylime/ima.py
index f4cd0df06..7d61fc6e5 100644
--- a/keylime/ima.py
+++ b/keylime/ima.py
@@ -218,7 +218,7 @@ def _extract_from_ima_sig(tokens, template_hash):
 def process_measurement_list(lines, lists=None, m2w=None, pcrval=None, ima_keyring=None):
- errs = [0, 0, 0, 0]
+ errs = [0, 0, 0, 0, 0]
 runninghash = START_HASH
 found_pcr = (pcrval is None)
@@ -294,7 +294,7 @@ def process_measurement_list(lines, lists=None, m2w=None, pcrval=None, ima_keyri
 if not ima_keyring.integrity_digsig_verify(signature, filedata_hash, filedata_algo):
 logger.warning("signature for file %s is not valid" % (path))
- errs[0] += 1
+ errs[3] += 1
 else:
 logger.debug("signature for file %s is good" % path)
@@ -335,7 +335,7 @@ def process_measurement_list(lines, lists=None, m2w=None, pcrval=None, ima_keyri
 logger.warning("File %s not evaluated with signature or allowlist" % path)
 errs[1] += 1
- errs[3] += 1
+ errs[4] += 1
 # check PCR value has been found
 if not found_pcr:
@@ -343,9 +343,9 @@ def process_measurement_list(lines, lists=None, m2w=None, pcrval=None, ima_keyri
 return None
 # clobber the retval if there were IMA file errors
- if sum(errs[:3]) > 0:
+ if sum(errs[:4]) > 0:
 logger.error(
- "IMA ERRORS: template-hash %d fnf %d hash %d good %d" % tuple(errs))
+ "IMA ERRORS: template-hash %d fnf %d hash %d bad-sig %d good %d" % tuple(errs))
 return None
 return codecs.encode(runninghash, 'hex').decode('utf-8')
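Review bot: `errs = [0, 0, 0, 0, 0]` is indexed by bare integers for the rest of the function (errs[3] in the second hunk, errs[4] in the third, errs[:4] in the fourth) and nothing near the definition says which slot means what; the only legend is the format string at the very end. The miscount this commit fixes, a bad signature landing in the template-hash slot, is exactly what unnamed positional counters invite. A comment on the definition would at least document the layout, e.g. `# errs: [template-hash, fnf, hash, bad-sig, good]; only slots 0-3 count as failures`; naming the indices as module constants would be stronger. process_measurement_list continues past the end of this hunk.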
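Review bot: The bad-signature event is the one line in this function that names the file whose integrity check failed, and it is emitted at WARNING (`logger.warning("signature for file %s is not valid" % (path))`), while the aggregate ERROR in the last hunk carries only a count. A sink that keeps ERROR and above therefore records that verification failed but not which path, which is the first thing an incident responder needs from an IMA signature failure; since a bad signature already makes the function fail via sum(errs[:4]) > 0, raising this line to error looks consistent, `logger.error("signature for file %s is not valid", path)`, which also passes path lazily instead of pre-formatting with `%`. Whether WARNING is a deliberate log-level policy elsewhere in keylime I cannot tell from this hunk.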
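Review bot: `if sum(errs[:4]) > 0:` and `tuple(errs)` encode the counter layout a second and third time, so the fail/pass boundary now lives in a slice index that has to be bumped by hand whenever a counter is added (this commit had to touch the list length, the slice and the format string together). A counter appended after index 3 without a matching slice change would be silently left out of the failure check, i.e. a counted failure would no longer clobber the result; `sum(errs[:-1])` keeps every slot but the trailing tally in the check. Separately, if the list length and the format string ever drift apart, `"..." % tuple(errs)` raises TypeError inside the error-reporting path before `return None` is reached, whereas passing the fields lazily, `logger.error("IMA ERRORS: template-hash %d fnf %d hash %d bad-sig %d good %d", *errs)`, lets logging report the formatting mistake while the function still returns None. process_measurement_list begins before this hunk.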