keylime
Better error handling and algo validation for `create_allowlist.sh`
Environment
- OS / version: Fedora 36
- Processor architecture: x86_64
- TPM Manufacturer: N/A
- Keylime version: latest
Description
If I accidentally run ./scripts/create_allowlist.sh with incorrect parameters, the error handling is not very helpful in the following cases:
- I use an incorrect or nonexistent hash algorithm
- I pass the hash algorithm as the wrong parameter because I did not see that I must specify a filename due to the syntax of the usage output
Proposed solution:
I think it would help to have flags here for the file name and the hash alg, instead of relying on parameter order.
If we don't want flags, I think at the least we should validate input, and the usage should be updated so that the two parameters look similar syntactically, e.g.:
Usage: create_allowlist.sh list.txt sha256sum
OR
Usage: create_allowlist.sh [filename] [hash-algo]
Ideally we would have both in the output, one as a specification and the other as an example.
Expected behavior vs. actual behavior
I would expect the usage output to be more clear, some validation on the two inputs, clearer error messages, and ideally flags.
[f36-keylime@localhost-live keylime]$ ./scripts/create_allowlist.sh -out list.txt -hash sha256
Error: hash alg must be either sha256sum or sha1sum
[f36-keylime@localhost-live keylime]$ ./scripts/create_allowlist.sh
Usage: create_allowlist.sh [filename] [hash-algo]
Example: create_allowlist.sh list.txt sha256sum
Steps to reproduce problem
Example 1: hash alg not validated, error handling not present
[f36-keylime@localhost-live keylime]$ ./scripts/create_allowlist.sh list.txt sha256
Writing allowlist to /home/f36-keylime/keylime/list.txt with sha256...
find: ‘sha256’: No such file or directory
find: ‘sha256’: No such file or directory
find: ‘sha256’: No such file or directory
Example 2: Script interprets hash alg as filename, and uses default hash alg
[f36-keylime@localhost-live keylime]$ sudo ./scripts/create_allowlist.sh sha256
Writing allowlist to /home/f36-keylime/keylime/sha256 with sha1sum...
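As an added example (not Keylime's create_allowlist.sh and not part of the issue), the sketch below shows the flag-based parsing and input validation the report asks for, in POSIX sh. The flag names -o/--output and -a/--algo are assumed; the accepted hash commands (sha256sum, sha1sum) and the sha1sum default are taken from the output quoted in the issue. A bare positional argument such as "sha256" is rejected instead of being silently taken as the output filename, and an unknown algorithm is caught before any find or hashing runs.

```shell
#!/bin/sh
# Added example: flag-based argument parsing with validation for an
# allowlist-generation script. Flag names -o/--output and -a/--algo are
# assumptions, not the project's own interface.

# Hash commands the issue's error message names as accepted.
ALLOWED_ALGOS="sha256sum sha1sum"

usage() {
    echo "Usage: create_allowlist.sh -o <filename> [-a <hash-algo>]"
    echo "Example: create_allowlist.sh -o list.txt -a sha256sum"
    echo "Accepted hash algorithms: $ALLOWED_ALGOS"
}

# validate_algo ALGO -> 0 if ALGO is an accepted hash command, 1 otherwise.
validate_algo() {
    for candidate in $ALLOWED_ALGOS; do
        [ "$1" = "$candidate" ] && return 0
    done
    return 1
}

# parse_args FLAGS... -> prints "FILENAME ALGO" on success.
# Returns 2 for a usage error and 3 for an unknown hash algorithm,
# with the reason on stderr, before anything touches the filesystem.
parse_args() {
    out_file=""
    hash_algo="sha1sum"   # default shown in the issue's output
    while [ $# -gt 0 ]; do
        case "$1" in
            -o|--output)
                [ $# -ge 2 ] || { echo "Error: $1 requires a value" >&2; return 2; }
                out_file="$2"; shift 2 ;;
            -a|--algo)
                [ $# -ge 2 ] || { echo "Error: $1 requires a value" >&2; return 2; }
                hash_algo="$2"; shift 2 ;;
            -*)
                # Covers mistakes like "-out" / "-hash" from the issue.
                echo "Error: unknown option '$1'" >&2; usage >&2; return 2 ;;
            *)
                # A bare word is no longer guessed to be the filename.
                echo "Error: unexpected argument '$1' (use -o/--output and -a/--algo)" >&2
                usage >&2; return 2 ;;
        esac
    done
    [ -n "$out_file" ] || { echo "Error: output filename is required" >&2; usage >&2; return 2; }
    if ! validate_algo "$hash_algo"; then
        echo "Error: unknown hash algorithm '$hash_algo'; must be one of: $ALLOWED_ALGOS" >&2
        return 3
    fi
    printf '%s %s\n' "$out_file" "$hash_algo"
}

# Demonstration with the invocations quoted in the issue (constructed calls).
if parsed=$(parse_args -o list.txt -a sha256sum); then
    echo "Accepted: $parsed"
fi
parse_args list.txt sha256 || echo "Rejected as expected (status $?)"
parse_args -o list.txt -a sha256 || echo "Rejected as expected (status $?)"
```

The validation runs before any "Writing allowlist to ..." message, so a typo in the algorithm name fails fast with a single clear error rather than one "No such file or directory" line per directory searched.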
This is actually not quite finished, the second part (validating the hash algo passed in) still needs to be implemented.
Oops, my bad @lkatalin.