tools/mrtool: allow to prepend ima paths

smo4201 · smo4201 · commit e6cba4ffb86f · 2026-01-23T12:13:50.000+01:00
Signed-off-by: Simon Ott &lt;simon.ott@aisec.fraunhofer.de&gt;
diff --git a/tools/mrtool/precomputetpm/ima.go b/tools/mrtool/precomputetpm/ima.go
@@ -30,7 +30,7 @@ import (
 	ar "github.com/Fraunhofer-AISEC/cmc/attestationreport"
 )
 
-func performImaPrecomputation(pcr int, bootAggregate []byte, paths []string, strip string, imaTemplate string) ([]*ar.ReferenceValue, error) {
+func performImaPrecomputation(pcr int, bootAggregate []byte, paths []string, strip, prepend string, imaTemplate string) ([]*ar.ReferenceValue, error) {
 
 	refvals := make([]*ar.ReferenceValue, 0)
 	fileCh := make(chan string, 100)
@@ -57,9 +57,9 @@ func performImaPrecomputation(pcr int, bootAggregate []byte, paths []string, str
 		go func() {
 			defer wg.Done()
 			for path := range fileCh {
-				refval, err := precomputeImaEntry(path, strip, imaTemplate, pcr, true)
+				refval, err := precomputeImaEntry(path, strip, prepend, imaTemplate, pcr, true)
 				if err != nil {
-					log.Debugf("error hashing %q: %v", path, err)
+					log.Errorf("error hashing %q: %v", path, err)
 					continue
 				}
 				log.Tracef("%s: %s", refval.SubType, hex.EncodeToString(refval.Sha256))
@@ -151,27 +151,27 @@ func precomputeImaBootAggregate(hash []byte, template string, pcr int, optional
 	return r, nil
 }
 
-func precomputeImaEntry(path, strip, template string, pcr int, optional bool) (*ar.ReferenceValue, error) {
+func precomputeImaEntry(path, strip, prepend, template string, pcr int, optional bool) (*ar.ReferenceValue, error) {
 
 	fileHash, err := hashFile(path)
 	if err != nil {
 		return nil, fmt.Errorf("failed to hash file: %w", err)
 	}
 
-	strippedPath := stripPrefix(path, strip)
+	hashedPath := modifyPath(path, strip, prepend)
 
-	tmpl, err := precomputeImaTemplate(fileHash, strippedPath, template)
+	tmpl, err := precomputeImaTemplate(fileHash, hashedPath, template)
 	if err != nil {
 		return nil, fmt.Errorf("failed to precompute ima template: %w", err)
 	}
 
 	// Create reference value
 	r := &ar.ReferenceValue{
 		Type:        "TPM Reference Value",
-		SubType:     filepath.Base(strippedPath),
+		SubType:     filepath.Base(hashedPath),
 		Index:       pcr,
 		Sha256:      tmpl,
-		Description: strippedPath,
+		Description: hashedPath,
 		Optional:    optional,
 	}
 
@@ -224,12 +224,10 @@ func hashFile(path string) ([]byte, error) {
 	return h.Sum(nil), nil
 }
 
-func stripPrefix(s, prefix string) string {
+func modifyPath(s, prefix, prepend string) string {
 	if s == "" {
 		return ""
 	}
-	if prefix != "" && strings.HasPrefix(s, prefix) {
-		return s[len(prefix):]
-	}
-	return s
+	s = strings.TrimPrefix(s, prefix)
+	return prepend + s
 }
diff --git a/tools/mrtool/precomputetpm/pcrs.go b/tools/mrtool/precomputetpm/pcrs.go
@@ -617,7 +617,7 @@ func PrecomputePcr9(c *Config) (*ar.ReferenceValue, []*ar.ReferenceValue, error)
 
 func PrecomputePcr10(c *Config) (*ar.ReferenceValue, []*ar.ReferenceValue, error) {
 
-	refvals, err := performImaPrecomputation(10, c.BootAggregate, c.ImaPaths, c.ImaStrip, c.ImaTemplate)
+	refvals, err := performImaPrecomputation(10, c.BootAggregate, c.ImaPaths, c.ImaStrip, c.ImaPrepend, c.ImaTemplate)
 	if err != nil {
 		return nil, nil, fmt.Errorf("failed to precompute IMA refvals: %w", err)
 	}
diff --git a/tools/mrtool/precomputetpm/run.go b/tools/mrtool/precomputetpm/run.go
@@ -42,6 +42,7 @@ type Config struct {
 	MokLists       []string
 	ImaPaths       []string
 	ImaStrip       string
+	ImaPrepend     string
 	ImaTemplate    string
 	BootAggregate  []byte
 	PrintAggregate bool
@@ -50,9 +51,10 @@ type Config struct {
 const (
 	systemUuidFlag     = "systemuuid"
 	grubcmdsFlag       = "grubcmds"
-	pathFlag           = "ima-path"
+	pathFlag           = "paths"
 	imaPathFlag        = "ima-path"
 	imaStripFlag       = "ima-strip"
+	imaPrependFlag     = "ima-prepend"
 	imaTemplateFlag    = "ima-template"
 	bootAggregateFlag  = "boot-aggregate"
 	printAggregateFlag = "print-aggregate"
@@ -71,9 +73,14 @@ var flags = []cli.Flag{
 		Name:  imaStripFlag,
 		Usage: "Optional ima path prefix which is stripped from the actual path in the output",
 	},
+	&cli.StringFlag{
+		Name:  imaPrependFlag,
+		Usage: "Optional ima path segment which is prepended the actual path in the output",
+	},
 	&cli.StringFlag{
 		Name:  imaTemplateFlag,
 		Usage: "IMA template name (ima-ng or ima-sig)",
+		Value: "ima-sig",
 	},
 	&cli.StringFlag{
 		Name:  bootAggregateFlag,
@@ -186,9 +193,12 @@ func getConfig(cmd *cli.Command) (*Config, error) {
 	if cmd.IsSet(imaStripFlag) {
 		c.ImaStrip = cmd.String(imaStripFlag)
 	}
-	if cmd.IsSet(imaTemplateFlag) {
-		c.ImaTemplate = cmd.String(imaTemplateFlag)
+	if cmd.IsSet(imaPrependFlag) {
+		c.ImaPrepend = cmd.String(imaPrependFlag)
 	}
+
+	c.ImaTemplate = cmd.String(imaTemplateFlag)
+
 	if cmd.IsSet(bootAggregateFlag) {
 		b, err := hex.DecodeString(cmd.String(bootAggregateFlag))
 		if err != nil {
@@ -239,6 +249,9 @@ func (c *Config) print() {
 	if c.ImaStrip != "" {
 		log.Debugf("\tIMA strip     : %q", c.ImaStrip)
 	}
+	if c.ImaPrepend != "" {
+		log.Debugf("\tIMA prepend   : %q", c.ImaPrepend)
+	}
 	if c.BootAggregate != nil {
 		log.Debugf("\tboot-aggregate: %q", hex.EncodeToString(c.BootAggregate))
 	}

Original file line number	Diff line number	Diff line change
`@@ -617,7 +617,7 @@ func PrecomputePcr9(c Config) (ar.ReferenceValue, []*ar.ReferenceValue, error)`
`617`	`617`
`618`	`618`	`func PrecomputePcr10(c Config) (ar.ReferenceValue, []*ar.ReferenceValue, error) {`
`619`	`619`
`620`		`- refvals, err := performImaPrecomputation(10, c.BootAggregate, c.ImaPaths, c.ImaStrip, c.ImaTemplate)`
	`620`	`+ refvals, err := performImaPrecomputation(10, c.BootAggregate, c.ImaPaths, c.ImaStrip, c.ImaPrepend, c.ImaTemplate)`
`621`	`621`	`if err != nil {`
`622`	`622`	`return nil, nil, fmt.Errorf("failed to precompute IMA refvals: %w", err)`
`623`	`623`	`}`