11use anyhow:: { anyhow, Error } ;
2- use evidence_api:: { api:: EvidenceApi , api_data:: ExtraArgs , tcg} ;
32use cctrusted_vm:: sdk:: API ;
3+ use evidence_api:: { api:: EvidenceApi , api_data:: ExtraArgs , tcg} ;
44use log:: info;
55use std:: cmp:: Ordering ;
66use std:: collections:: HashMap ;
7+ use std:: fs:: read_to_string;
78
89use crate :: {
910 cima_pb:: { TcgDigest , TcgEventlog } ,
@@ -12,6 +13,8 @@ use crate::{
1213 policy:: PolicyConfig ,
1314} ;
1415
16+ pub const IMA_PATTERN : & str = "ima_template=ima-cgpath" ;
17+
1518pub enum IMR {
1619 FIRMWARE = 0 ,
1720 KERNEL = 1 ,
@@ -23,6 +26,7 @@ pub struct Agent {
2326 measurement : Option < Measurement > ,
2427 containers : HashMap < String , Container > ,
2528 event_logs : Vec < TcgEventlog > ,
29+ ima_enabled : bool ,
2630}
2731
2832impl Default for Agent {
@@ -37,20 +41,27 @@ impl Agent {
3741 measurement : None ,
3842 containers : HashMap :: new ( ) ,
3943 event_logs : vec ! [ ] ,
44+ ima_enabled : false ,
4045 }
4146 }
4247
4348 pub fn init ( & mut self , policy : PolicyConfig ) -> Result < ( ) , Error > {
44- // Measure the system when Agent initialization
45- self . measurement = Some ( Measurement :: new ( policy) ) ;
46- match self
47- . measurement
48- . as_mut ( )
49- . expect ( "The measurement was not initialized." )
50- . measure ( )
51- {
52- Ok ( _) => info ! ( "The system has been measured as the policy defined." ) ,
53- Err ( e) => return Err ( e) ,
49+ let cmdline = read_to_string ( "/proc/cmdline" ) . expect ( "Failed to read /proc/cmdline." ) ;
50+ if !cmdline. contains ( IMA_PATTERN ) {
51+ self . ima_enabled = false ;
52+ } else {
53+ self . ima_enabled = true ;
54+ // Measure the system when Agent initialization
55+ self . measurement = Some ( Measurement :: new ( policy) ) ;
56+ match self
57+ . measurement
58+ . as_mut ( )
59+ . expect ( "The measurement was not initialized." )
60+ . measure ( )
61+ {
62+ Ok ( _) => info ! ( "The system has been measured as the policy defined." ) ,
63+ Err ( e) => return Err ( e) ,
64+ }
5465 }
5566
5667 self . fetch_all_event_logs ( )
@@ -198,26 +209,30 @@ impl Agent {
198209 let _ = self . fetch_all_event_logs ( ) ;
199210 let mut event_logs = vec ! [ ] ;
200211
201- let measurement = match self . measurement . as_mut ( ) {
202- Some ( v) => v,
203- None => return Err ( anyhow ! ( "The measurement was not initialized." ) ) ,
204- } ;
212+ if self . ima_enabled {
213+ let measurement = match self . measurement . as_mut ( ) {
214+ Some ( v) => v,
215+ None => return Err ( anyhow ! ( "The measurement was not initialized." ) ) ,
216+ } ;
205217
206- if measurement. container_isolated ( ) {
207- if !self . containers . contains_key ( & container_id) {
208- return Err ( anyhow ! ( "Container cannot be found." ) ) ;
209- }
218+ if measurement. container_isolated ( ) {
219+ if !self . containers . contains_key ( & container_id) {
220+ return Err ( anyhow ! ( "Container cannot be found." ) ) ;
221+ }
210222
211- for event_log in & self . event_logs {
212- if event_log. imr_index == IMR :: FIRMWARE as u32
213- || event_log. imr_index == IMR :: KERNEL as u32
214- {
215- event_logs. push ( event_log. clone ( ) ) ;
223+ for event_log in & self . event_logs {
224+ if event_log. imr_index == IMR :: FIRMWARE as u32
225+ || event_log. imr_index == IMR :: KERNEL as u32
226+ {
227+ event_logs. push ( event_log. clone ( ) ) ;
228+ }
216229 }
217- }
218230
219- let container = & self . containers [ & container_id] ;
220- event_logs. extend ( container. event_logs ( ) . clone ( ) ) ;
231+ let container = & self . containers [ & container_id] ;
232+ event_logs. extend ( container. event_logs ( ) . clone ( ) ) ;
233+ } else {
234+ event_logs. extend ( self . event_logs . to_vec ( ) ) ;
235+ }
221236 } else {
222237 event_logs. extend ( self . event_logs . to_vec ( ) ) ;
223238 }
@@ -262,23 +277,27 @@ impl Agent {
262277 ) -> Result < ( Vec < u8 > , i32 ) , Error > {
263278 let _ = self . fetch_all_event_logs ( ) ;
264279
265- let measurement = match self . measurement . as_mut ( ) {
266- Some ( v) => v,
267- None => return Err ( anyhow ! ( "The measurement was not initialized." ) ) ,
268- } ;
280+ let new_nonce = if self . ima_enabled {
281+ let measurement = match self . measurement . as_mut ( ) {
282+ Some ( v) => v,
283+ None => return Err ( anyhow ! ( "The measurement was not initialized." ) ) ,
284+ } ;
269285
270- let new_nonce = if measurement. container_isolated ( ) {
271- if !self . containers . contains_key ( & container_id) {
272- return Err ( anyhow ! ( "Container cannot be found." ) ) ;
273- }
286+ if measurement. container_isolated ( ) {
287+ if !self . containers . contains_key ( & container_id) {
288+ return Err ( anyhow ! ( "Container cannot be found." ) ) ;
289+ }
274290
275- let container = & self . containers [ & container_id] ;
276- match nonce {
277- Some ( v) => match base64:: decode ( v) {
278- Ok ( v) => Some ( base64:: encode ( [ container. imr ( ) . hash . to_vec ( ) , v] . concat ( ) ) ) ,
279- Err ( e) => return Err ( anyhow ! ( "nonce is not base64 encoded: {:?}" , e) ) ,
280- } ,
281- None => None ,
291+ let container = & self . containers [ & container_id] ;
292+ match nonce {
293+ Some ( v) => match base64:: decode ( v) {
294+ Ok ( v) => Some ( base64:: encode ( [ container. imr ( ) . hash . to_vec ( ) , v] . concat ( ) ) ) ,
295+ Err ( e) => return Err ( anyhow ! ( "nonce is not base64 encoded: {:?}" , e) ) ,
296+ } ,
297+ None => None ,
298+ }
299+ } else {
300+ nonce. clone ( )
282301 }
283302 } else {
284303 nonce. clone ( )
@@ -300,28 +319,32 @@ impl Agent {
300319 ) -> Result < TcgDigest , Error > {
301320 let _ = self . fetch_all_event_logs ( ) ;
302321
303- let measurement = match self . measurement . as_mut ( ) {
304- Some ( v) => v,
305- None => return Err ( anyhow ! ( "The measurement was not initialized." ) ) ,
306- } ;
322+ if self . ima_enabled {
323+ let measurement = match self . measurement . as_mut ( ) {
324+ Some ( v) => v,
325+ None => return Err ( anyhow ! ( "The measurement was not initialized." ) ) ,
326+ } ;
307327
308- if measurement. container_isolated ( ) {
309- if !self . containers . contains_key ( & container_id) {
310- return Err ( anyhow ! ( "Container cannot be found." ) ) ;
311- }
328+ if measurement. container_isolated ( ) {
329+ if !self . containers . contains_key ( & container_id) {
330+ return Err ( anyhow ! ( "Container cannot be found." ) ) ;
331+ }
312332
313- if index == IMR :: SYSTEM as u32 {
314- return Err ( anyhow ! ( "Cannot access IMR according to the policy." ) ) ;
315- }
333+ if index == IMR :: SYSTEM as u32 {
334+ return Err ( anyhow ! ( "Cannot access IMR according to the policy." ) ) ;
335+ }
316336
317- if index == IMR :: CONTAINER as u32 {
318- let container = match self . containers . get_mut ( & container_id) {
319- Some ( v) => v,
320- None => {
321- return Err ( anyhow ! ( "The container is on the list but fails to get it." ) )
322- }
323- } ;
324- return Ok ( container. imr ( ) . clone ( ) ) ;
337+ if index == IMR :: CONTAINER as u32 {
338+ let container = match self . containers . get_mut ( & container_id) {
339+ Some ( v) => v,
340+ None => {
341+ return Err ( anyhow ! (
342+ "The container is on the list but fails to get it."
343+ ) )
344+ }
345+ } ;
346+ return Ok ( container. imr ( ) . clone ( ) ) ;
347+ }
325348 }
326349 }
327350
0 commit comments