Verifying IMA Measurements

The IMA test programs shown here, ima_boot_aggregate and ima_measure, are part of the Linux Test Project (LTP).

- ima_boot_aggregate <tpm_bios file>

Using the binary BIOS measurement log exported by the TPM driver, replay each event into its PCR and re-calculate the boot aggregate, which for SHA-1 IMA is the SHA-1 hash of the concatenated values of PCR-0 through PCR-7. The first lines of the output are the per-event digests (PCR index, event digest); the re-computed PCR values and the boot aggregate follow:

$ su -c './ima_boot_aggregate /sys/kernel/security/tpm0/binary_bios_measurements'
000 f797cb88c4b07745a129f35ea01b47c6c309cda9
000 dca68da0707a9a52b24db82def84f26fa463b44d
< snip >
005 6895eb784cdaf843eaad522e639f75d24d4c1ff5
PCR-00: 07274edf7147abda49200100fd668ce2c3a374d7
PCR-01: 48dff4fbf3a34d56a08dfc1504a3a9d707678ff7
PCR-02: 53de584dcef03f6a7dac1a240a835893896f218d
PCR-03: 3a3f780f11a4b49969fcaa80cd6e3957c33b2275
PCR-04: acb44e9dd4594d3f121df2848f572e4d891f0574
PCR-05: df72e880e68a2b52e6b6738bb4244b932e0f1c76
PCR-06: 585e579e48997fee8efd20830c6a841eb353c628
PCR-07: 3a3f780f11a4b49969fcaa80cd6e3957c33b2275
boot_aggregate:b5a166c10d153b7cc3e5b4f1eab1f71672b7c524

and compare it with the boot_aggregate entry, which is always the first entry in the IMA measurement list. Each line of ascii_runtime_measurements holds the PCR index, the template hash, the template name, the file digest and the file name; the value to compare is the file digest, not the template hash:

$ su -c 'cat /sys/kernel/security/ima/ascii_runtime_measurements | grep boot_aggregate'
10 7971593a7ad22a7cce5b234e4bc5d71b04696af4 ima b5a166c10d153b7cc3e5b4f1eab1f71672b7c524 boot_aggregate

- ima_measure <binary_runtime_measurements> [--validate] [--verify] [--verbose]

Using the IMA binary measurement list, validate each entry's template hash against its template data (--validate) and re-calculate the PCR-10 aggregate by extending a zeroed virtual PCR with every template hash in list order:

$ su -c './ima_measure /sys/kernel/security/ima/binary_runtime_measurements --validate'
PCRAggr (re-calculated): B4 D1 93 D8 FB 31 B4 DD 36 5D DA AD C1 51 AC 84 FA 88 78 1B

and compare it against the TPM's PCR-10 value. The pcrs file is exposed by the TPM 1.2 driver and its path depends on the device and kernel version, so adjust it for your system. A mismatch means the list and the TPM disagree, for example because entries were added to, removed from or modified in the list after the measurements were extended into the TPM:

$ cat /sys/devices/pnp0/00:0a/pcrs | grep PCR-10
PCR-10: B4 D1 93 D8 FB 31 B4 DD 36 5D DA AD C1 51 AC 84 FA 88 78 1B
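Both checks above, re-implemented as an added example in Python (this is not the LTP code and not the kernel's): a TCG 1.2 BIOS event log is replayed into PCRs 0-7 and hashed into the boot aggregate, and a binary_runtime_measurements file written with the original "ima" template is validated entry by entry and replayed into a virtual PCR-10. The inputs are constructed inline rather than captured from a machine; the code assumes a little-endian host, the SHA-1 formats this page shows (not the later ima-ng template or TPM 2.0 banks), and the kernel's handling of violation entries, which are recorded with an all-zero template hash while the PCR was extended with 0xff bytes.

```python
# Added example: re-implements ima_boot_aggregate and ima_measure --validate
# for the SHA-1 era formats shown on this page. Assumes TCG 1.2 event log
# layout, the original "ima" template and a little-endian host.
import hashlib
import struct

SHA1_LEN = 20
ZERO = bytes(SHA1_LEN)
IMA_NAME_PAD = 256  # IMA_EVENT_NAME_LEN_MAX + 1: the "ima" template hashes NUL-padded file names

def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM 1.2 PCR extend: PCR' = SHA1(PCR || digest)."""
    return hashlib.sha1(pcr + digest).digest()

def replay_bios_log(log: bytes) -> dict:
    """Replay a TCG 1.2 binary_bios_measurements log (pcrIndex u32, eventType u32,
    SHA-1 digest, eventDataSize u32, eventData) into simulated PCRs 0..7."""
    pcrs = {i: ZERO for i in range(8)}
    off = 0
    while off + 32 <= len(log):
        pcr, _etype = struct.unpack_from("<II", log, off)
        digest = log[off + 8:off + 8 + SHA1_LEN]
        (size,) = struct.unpack_from("<I", log, off + 8 + SHA1_LEN)
        off += 32 + size
        if pcr in pcrs:
            pcrs[pcr] = extend(pcrs[pcr], digest)
    return pcrs

def boot_aggregate(pcrs: dict) -> bytes:
    """SHA-1 IMA boot_aggregate = SHA1(PCR-0 || PCR-1 || ... || PCR-7)."""
    return hashlib.sha1(b"".join(pcrs[i] for i in range(8))).digest()

def ima_template_hash(file_digest: bytes, name: bytes) -> bytes:
    """Template hash of the original 'ima' template: SHA1(file digest || name NUL-padded to 256)."""
    return hashlib.sha1(file_digest + name.ljust(IMA_NAME_PAD, b"\0")).digest()

def parse_runtime_measurements(data: bytes):
    """Yield (pcr, template_hash, file_digest, file_name) from a binary_runtime_measurements
    file written with the 'ima' template: pcr u32, template hash, name len u32, "ima",
    file digest, file name len u32, file name."""
    off = 0
    while off < len(data):
        (pcr,) = struct.unpack_from("<I", data, off); off += 4
        thash = data[off:off + SHA1_LEN]; off += SHA1_LEN
        (nlen,) = struct.unpack_from("<I", data, off); off += 4
        tname = data[off:off + nlen]; off += nlen
        if tname != b"ima":
            raise ValueError("only the 'ima' template is handled here, got %r" % tname)
        fdigest = data[off:off + SHA1_LEN]; off += SHA1_LEN
        (flen,) = struct.unpack_from("<I", data, off); off += 4
        fname = data[off:off + flen]; off += flen
        yield pcr, thash, fdigest, fname

def replay_ima_list(data: bytes, pcr_index: int = 10) -> bytes:
    """What ima_measure --validate does: check every template hash, then extend a
    zeroed virtual PCR with each one in list order."""
    aggr = ZERO
    for pcr, thash, fdigest, fname in parse_runtime_measurements(data):
        if thash == ZERO:
            # violation entry: the list records zeros, but the kernel extended the PCR with 0xff bytes
            thash = b"\xff" * SHA1_LEN
        elif thash != ima_template_hash(fdigest, fname):
            raise ValueError("template hash mismatch for %r" % fname)
        if pcr == pcr_index:
            aggr = extend(aggr, thash)
    return aggr

def boot_aggregate_matches(bios_log: bytes, ima_list: bytes) -> bool:
    """Check 1: the boot_aggregate entry's file digest equals the value replayed from the BIOS log."""
    expected = boot_aggregate(replay_bios_log(bios_log))
    return any(fdigest == expected for _p, _t, fdigest, fname in parse_runtime_measurements(ima_list)
               if fname == b"boot_aggregate")

def pcr10_matches(ima_list: bytes, pcrs_text: str) -> bool:
    """Check 2: the replayed PCR-10 equals the 'PCR-10: xx xx ...' line of the TPM's pcrs file."""
    for line in pcrs_text.splitlines():
        if line.startswith("PCR-10:"):
            return replay_ima_list(ima_list) == bytes.fromhex(line.split(":", 1)[1])
    return False

# --- constructed sample data (not captured from a real machine) ---
def tcg_event(pcr: int, etype: int, digest: bytes, data: bytes) -> bytes:
    return struct.pack("<II", pcr, etype) + digest + struct.pack("<I", len(data)) + data

def ima_record(pcr: int, file_digest: bytes, name: bytes, violation: bool = False) -> bytes:
    thash = ZERO if violation else ima_template_hash(file_digest, name)
    return (struct.pack("<I", pcr) + thash + struct.pack("<I", 3) + b"ima"
            + file_digest + struct.pack("<I", len(name)) + name)

SAMPLE_BIOS_LOG = b"".join([
    tcg_event(0, 0x08, hashlib.sha1(b"firmware volume").digest(), b"EV_S_CRTM_VERSION"),
    tcg_event(4, 0x0d, hashlib.sha1(b"bootloader").digest(), b"EV_IPL"),
    tcg_event(5, 0x0e, hashlib.sha1(b"grub.cfg").digest(), b"EV_IPL_PARTITION_DATA"),
])
SAMPLE_IMA_LIST = b"".join([
    ima_record(10, boot_aggregate(replay_bios_log(SAMPLE_BIOS_LOG)), b"boot_aggregate"),
    ima_record(10, hashlib.sha1(b"#!/bin/sh\necho hi\n").digest(), b"/usr/bin/hello"),
    ima_record(10, ZERO, b"/tmp/open-writers", violation=True),  # open-writers/ToMToU violation
])

if __name__ == "__main__":
    print("boot_aggregate:", boot_aggregate(replay_bios_log(SAMPLE_BIOS_LOG)).hex(),
          "matches list:", boot_aggregate_matches(SAMPLE_BIOS_LOG, SAMPLE_IMA_LIST))
    print("PCRAggr (re-calculated):", " ".join("%02X" % b for b in replay_ima_list(SAMPLE_IMA_LIST)))
```

The NUL padding in ima_template_hash is why the "ima" template limits file names to 255 bytes, and it is also why a verifier must hash the name exactly as the kernel did: a name with a trailing NUL hashes the same as one without. Any modified, inserted or dropped entry changes every subsequent virtual PCR value, so only the final comparison against the TPM's PCR-10 proves the list is intact.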