def _validate_ima_buf(
    exclude_regex,
    allowlist,
    ima_keyrings: file_signatures.ImaKeyrings,
    dm_validator: Optional[ima_dm.DmIMAValidator],
    digest: ast.Digest,
    path: ast.Name,
    data: ast.Buffer,
):
    """Validate a single ``ima-buf`` measurement-list entry.

    The entry is classified by what its buffer holds:

    * a public key (``file_signatures.get_pubkey`` returns one): the entry is
      checked against the allowlist with ``hash_types="keyrings"`` and, only
      when that check yields no failure, the key is added to
      ``ima_keyrings``. Keyrings listed in
      ``allowlist["ima"]["ignored_keyrings"]`` -- or every keyring, when that
      list contains ``"*"`` -- are neither checked nor learned.
    * a device-mapper entry (``dm_validator`` supplied and ``path.name`` in
      ``dm_validator.valid_names``): delegated to ``dm_validator.validate``.
    * anything else: checked against the allowlist with
      ``hash_types="ima-buf"``.

    Returns a ``Failure`` for ``Component.IMA``; the callers and this function
    treat a falsy ``Failure`` as "validated".
    """
    failure = Failure(Component.IMA)

    pubkey, keyidv2 = file_signatures.get_pubkey(data.data)
    if pubkey:
        ignored_keyrings = allowlist["ima"]["ignored_keyrings"]
        keyring_is_ignored = "*" in ignored_keyrings or path.name in ignored_keyrings
        if not keyring_is_ignored:
            failure = _validate_ima_ng(exclude_regex, allowlist, digest, path, hash_types="keyrings")
            # Learn the key only after the keyring entry itself passed the
            # allowlist check; an unvalidated key must never enter the keyring.
            if not failure:
                ima_keyrings.add_pubkey_to_keyring(pubkey, path.name, keyidv2=keyidv2)
        return failure

    # Device-mapper entries are only recognised when a validator was supplied.
    if dm_validator is not None and path.name in dm_validator.valid_names:
        return dm_validator.validate(digest, path, data)

    # Generic ima-buf entry, e.g. one carrying a hash in the buf field.
    return _validate_ima_ng(exclude_regex, allowlist, digest, path, hash_types="ima-buf")
def reset_ima_attestation(self):
    """Rewind the IMA attestation state so the measurement list is replayed from its first entry.

    Sets the next measurement-list entry back to 0, resets every PCR in
    ``self.ima_pcrs`` in the tracked TPM state, clears the boot time and
    replaces the learned keyrings with an empty ``ImaKeyrings`` so that keys
    are learned again from scratch.
    """
    self.next_ima_ml_entry = 0
    reset_pcr = self.tpm_state.reset_pcr
    for pcr in self.ima_pcrs:
        reset_pcr(pcr)
    self.set_boottime(0)
    # Previously learned keys are discarded; they must be re-validated on replay.
    self.ima_keyrings = ImaKeyrings()
def add(self, agent_id, boottime, ima_pcrs_dict, next_ima_ml_entry, learned_ima_keyrings):
    """Create or overwrite the AgentAttestState for ``agent_id`` from persisted values.

    Args:
        agent_id: identifier of the agent whose state is (re)initialised.
        boottime: boot time to record on the state.
        ima_pcrs_dict: PCR values handed to ``set_ima_pcrs``.
        next_ima_ml_entry: index of the next measurement-list entry to process.
        learned_ima_keyrings: JSON representation of the previously learned
            keyrings, restored through ``ImaKeyrings.from_json``.
    """
    state = self.get_by_agent_id(agent_id)
    state.set_boottime(boottime)
    state.set_ima_pcrs(ima_pcrs_dict)
    state.set_next_ima_ml_entry(next_ima_ml_entry)
    # Keys restored here were learned (and validated) in an earlier run.
    state.set_ima_keyrings(ImaKeyrings.from_json(learned_ima_keyrings))
def __init__(self, agent_id):
    """Create the attestation state for one agent, starting with an empty IMA history.

    Order matters: ``set_boottime`` and ``reset_ima_attestation`` are method
    calls that rely on the attributes assigned before them.
    """
    self.agent_id = agent_id
    self.next_ima_ml_entry = 0
    self.set_boottime(0)
    self.tpm_state = TPMState()
    # PCRs that IMA extends into; filled in later via set_ima_pcrs.
    self.ima_pcrs = set()
    self.ima_keyrings = ImaKeyrings()
    # Re-initialises next_ima_ml_entry, the IMA PCRs, boot time and the keyrings.
    self.reset_ima_attestation()
    # Device-mapper validation state; NOTE(review): stays None here, presumably
    # populated once a dm validator is attached -- confirm against callers.
    self.ima_dm_state = None
def __init__(self, agent_id):
    """Create the attestation state for one agent, starting with an empty IMA history.

    Order matters: ``set_boottime`` and ``reset_ima_attestation`` are method
    calls that rely on the attributes assigned before them.
    """
    self.agent_id = agent_id
    self.next_ima_ml_entry = 0
    self.set_boottime(0)
    # Last seen TPM clock info; all counters start at zero.
    # NOTE(review): safe=1 is the initial value used here -- confirm the intended
    # semantics of the 'safe' field against TPMClockInfo.
    self.tpm_clockinfo = TPMClockInfo(clock=0, resetcount=0, restartcount=0, safe=1)
    self.tpm_state = TPMState()
    # PCRs that IMA extends into; filled in later via set_ima_pcrs.
    self.ima_pcrs = set()
    self.ima_keyrings = ImaKeyrings()
    # Re-initialises next_ima_ml_entry, the IMA PCRs, boot time and the keyrings.
    self.reset_ima_attestation()
    # Device-mapper validation state; NOTE(review): stays None here, presumably
    # populated once a dm validator is attached -- confirm against callers.
    self.ima_dm_state = None