Test IMA boot aggregate -- whether generated from PCR0-7 or from PCR0-9

bootagg_test.py

#!/usr/bin/env python3

import os
import hashlib

# #####################################
# read the ima boot aggregate
# #####################################

print ("====> reading sha1 boot aggregate from IMA log")
p = os.popen('cat /sys/kernel/security/ima/ascii_runtime_measurements | grep boot_aggregate')
ba = p.readline().split(' ')[3]
p.close()

if 'sha256' in ba:   shamode = 'sha256'
else:                shamode = 'sha1'
    
ba=ba.replace(shamode + ':','')
print ("    shamode=%s"%(shamode))
print ("    boot aggregate=%s"%(ba))

# #####################################
# read PCR values from the machine into a dictionary
# #####################################

print("====> reading PCRs using tpm2 tool kit")
pcrdict={}
p = os.popen('tpm2_pcrread %s'%(shamode))
while True:
    line = p.readline()
    if not line: break
    if 'sha' in line: continue
    pcr=line.split(':')
    pcrvalue=pcr[1].strip().replace('0x','')
    pcrhex=bytes.fromhex(pcrvalue)
    pcrdict[int(pcr[0])] = pcrhex
p.close()

# #####################################
# calculate the two possible boot aggregates
# #####################################

print("====> calculating possible boot aggregate values")
if shamode == 'sha256':
    h1 = hashlib.sha256()
    h2 = hashlib.sha256()
else:
    h1 = hashlib.sha1()
    h2 = hashlib.sha1()

for pcr in range(0,8): h1.update(pcrdict[pcr])
for pcr in range(0,10): h2.update(pcrdict[pcr])

hash1 = h1.hexdigest()
hash2 = h2.hexdigest()

print("    Using PCR0-7: %s"%(hash1))
print("    Using PCR0-9: %s"%(hash2))

# analyze

if ba == hash1 :
       print("MATCH: boot aggregate calculated with PCR0-7")
elif ba == hash2 :
       print("MATCH: boot aggregate calculated with PCR0-9")
else:
       print("NO MATCH")