From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: linux-security-module@vger.kernel.org
Subject: Re: [tpmdd-devel] [Linux-ima-devel] [PATCH v3 0/6] Updated API for TPM 2.0 PCR extend
Date: Wed, 05 Jul 2017 16:06:42 +0000 [thread overview]
Message-ID: <1499270802.3059.101.camel@linux.vnet.ibm.com> (raw)
In-Reply-To: <55cf0a07-bee8-a034-4d40-6232bc0eefb8@linux.vnet.ibm.com>
On Wed, 2017-07-05 at 11:18 -0400, Ken Goldman wrote:
> On 6/28/2017 1:28 PM, Jarkko Sakkinen wrote:
> > On Mon, Jun 26, 2017 at 08:33:59AM -0400, Mimi Zohar wrote:
> >> On Sat, 2017-06-24 at 11:03 +0200, Jarkko Sakkinen wrote:
> >>> On Wed, Jun 21, 2017 at 04:29:35PM +0200, Roberto Sassu wrote:
> >>> There's absolutely no need to pass digest size like you do BTW as
> it >>> is defined by the standard.
> >>
> >> For algorithms known to the crypto subsystem, that is fine, but for
> >> the unknown TPM crypto algorithms, we would need to somehow query the
> >> TPM for the digest sizes to create the mapping.
> >>
> >> Mimi
> >
> > There's a TPM command to query TPM algorithms.
>
> This is true - one getcap to determine the number of algorithms, then a
> pcr read, then parse the response structures and match the algorithms to
> sizes.
>
> Alternatively, could you create a table mapping the algorithm to the
> size? There are currently 8 approved algorithms, meaning the table is
> 32 bytes, probably less code than the queries.
>
> As for an algorithm appearing in the TPM that's not in the table, it
> takes a year or more for a new algorithm to appear. Is that enough time
> to patch the device driver?
>
> FYI, the 8 algorithms are:
>
> sha1, sha256, sha384, sha512, sm3-256, sha3-256, sha3-384, sha3-512.
>
> I am only aware of sha1, sha256, and sm3-256 being used in production
> hardware TPMs.
New devices aren't being shipped with the most recent kernels.  So
even if the upstream kernel supports the newer crypto algorithms, that
doesn't imply that it is available.
A safer method would be to query the TPM for the digest sizes.
Mimi
--
To unsubscribe from this list: send the line "unsubscribe keyrings" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
WARNING: multiple messages have this Message-ID (diff)
From: zohar@linux.vnet.ibm.com (Mimi Zohar)
To: linux-security-module@vger.kernel.org
Subject: [tpmdd-devel] [Linux-ima-devel] [PATCH v3 0/6] Updated API for TPM 2.0 PCR extend
Date: Wed, 05 Jul 2017 12:06:42 -0400 [thread overview]
Message-ID: <1499270802.3059.101.camel@linux.vnet.ibm.com> (raw)
In-Reply-To: <55cf0a07-bee8-a034-4d40-6232bc0eefb8@linux.vnet.ibm.com>
On Wed, 2017-07-05 at 11:18 -0400, Ken Goldman wrote:
> On 6/28/2017 1:28 PM, Jarkko Sakkinen wrote:
> > On Mon, Jun 26, 2017 at 08:33:59AM -0400, Mimi Zohar wrote:
> >> On Sat, 2017-06-24 at 11:03 +0200, Jarkko Sakkinen wrote:
> >>> On Wed, Jun 21, 2017 at 04:29:35PM +0200, Roberto Sassu wrote:
> >>> There's absolutely no need to pass digest size like you do BTW as
> it >>> is defined by the standard.
> >>
> >> For algorithms known to the crypto subsystem, that is fine, but for
> >> the unknown TPM crypto algorithms, we would need to somehow query the
> >> TPM for the digest sizes to create the mapping.
> >>
> >> Mimi
> >
> > There's a TPM command to query TPM algorithms.
>
> This is true - one getcap to determine the number of algorithms, then a
> pcr read, then parse the response structures and match the algorithms to
> sizes.
>
> Alternatively, could you create a table mapping the algorithm to the
> size? There are currently 8 approved algorithms, meaning the table is
> 32 bytes, probably less code than the queries.
>
> As for an algorithm appearing in the TPM that's not in the table, it
> takes a year or more for a new algorithm to appear. Is that enough time
> to patch the device driver?
>
> FYI, the 8 algorithms are:
>
> sha1, sha256, sha384, sha512, sm3-256, sha3-256, sha3-384, sha3-512.
>
> I am only aware of sha1, sha256, and sm3-256 being used in production
> hardware TPMs.
New devices aren't being shipped with the most recent kernels. ?So
even if the upstream kernel supports the newer crypto algorithms, that
doesn't imply that it is available.
A safer method would be to query the TPM for the digest sizes.
Mimi
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
WARNING: multiple messages have this Message-ID (diff)
From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: Ken Goldman <kgold@linux.vnet.ibm.com>
Cc: linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org,
tpmdd-devel@lists.sourceforge.net, keyrings@vger.kernel.org,
linux-ima-devel@lists.sourceforge.net
Subject: Re: [tpmdd-devel] [Linux-ima-devel] [PATCH v3 0/6] Updated API for TPM 2.0 PCR extend
Date: Wed, 05 Jul 2017 12:06:42 -0400 [thread overview]
Message-ID: <1499270802.3059.101.camel@linux.vnet.ibm.com> (raw)
In-Reply-To: <55cf0a07-bee8-a034-4d40-6232bc0eefb8@linux.vnet.ibm.com>
On Wed, 2017-07-05 at 11:18 -0400, Ken Goldman wrote:
> On 6/28/2017 1:28 PM, Jarkko Sakkinen wrote:
> > On Mon, Jun 26, 2017 at 08:33:59AM -0400, Mimi Zohar wrote:
> >> On Sat, 2017-06-24 at 11:03 +0200, Jarkko Sakkinen wrote:
> >>> On Wed, Jun 21, 2017 at 04:29:35PM +0200, Roberto Sassu wrote:
> >>> There's absolutely no need to pass digest size like you do BTW as
> it >>> is defined by the standard.
> >>
> >> For algorithms known to the crypto subsystem, that is fine, but for
> >> the unknown TPM crypto algorithms, we would need to somehow query the
> >> TPM for the digest sizes to create the mapping.
> >>
> >> Mimi
> >
> > There's a TPM command to query TPM algorithms.
>
> This is true - one getcap to determine the number of algorithms, then a
> pcr read, then parse the response structures and match the algorithms to
> sizes.
>
> Alternatively, could you create a table mapping the algorithm to the
> size? There are currently 8 approved algorithms, meaning the table is
> 32 bytes, probably less code than the queries.
>
> As for an algorithm appearing in the TPM that's not in the table, it
> takes a year or more for a new algorithm to appear. Is that enough time
> to patch the device driver?
>
> FYI, the 8 algorithms are:
>
> sha1, sha256, sha384, sha512, sm3-256, sha3-256, sha3-384, sha3-512.
>
> I am only aware of sha1, sha256, and sm3-256 being used in production
> hardware TPMs.
New devices aren't being shipped with the most recent kernels. So
even if the upstream kernel supports the newer crypto algorithms, that
doesn't imply that it is available.
A safer method would be to query the TPM for the digest sizes.
Mimi
next prev parent reply other threads:[~2017-07-05 16:06 UTC|newest]
Thread overview: 104+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-06-21 14:29 [PATCH v3 0/6] Updated API for TPM 2.0 PCR extend Roberto Sassu
2017-06-21 14:29 ` Roberto Sassu
2017-06-21 14:29 ` Roberto Sassu
2017-06-21 14:29 ` Roberto Sassu
2017-06-21 14:29 ` [PATCH v3 1/6] tpm: use tpm_buf functions to perform a PCR read Roberto Sassu
2017-06-21 14:29 ` Roberto Sassu
2017-06-21 14:29 ` Roberto Sassu
2017-06-21 14:29 ` Roberto Sassu
2017-06-22 10:14 ` [tpmdd-devel] " Jarkko Sakkinen
2017-06-22 10:14 ` Jarkko Sakkinen
2017-06-22 10:14 ` Jarkko Sakkinen
2017-06-22 11:54 ` Roberto Sassu
2017-06-22 11:54 ` Roberto Sassu
2017-06-22 11:54 ` Roberto Sassu
2017-06-22 11:54 ` [tpmdd-devel] " Roberto Sassu
2017-06-23 10:56 ` Jarkko Sakkinen
2017-06-23 10:56 ` Jarkko Sakkinen
2017-06-23 10:56 ` Jarkko Sakkinen
2017-06-21 14:29 ` [PATCH v3 2/6] tpm: use tpm2_pcr_read_tpm_buf() in tpm2_do_selftest() Roberto Sassu
2017-06-21 14:29 ` Roberto Sassu
2017-06-21 14:29 ` Roberto Sassu
2017-06-21 14:29 ` Roberto Sassu
2017-06-23 9:55 ` [tpmdd-devel] " Jarkko Sakkinen
2017-06-23 9:55 ` Jarkko Sakkinen
2017-06-23 9:55 ` Jarkko Sakkinen
2017-06-23 10:22 ` Roberto Sassu
2017-06-23 10:22 ` Roberto Sassu
2017-06-23 10:22 ` Roberto Sassu
2017-06-23 10:22 ` Roberto Sassu
2017-06-21 14:29 ` [PATCH v3 3/6] tpm: introduce tpm_pcr_bank_info structure with digest_size from TPM Roberto Sassu
2017-06-21 14:29 ` Roberto Sassu
2017-06-21 14:29 ` Roberto Sassu
2017-06-21 14:29 ` Roberto Sassu
2017-06-23 10:26 ` Jarkko Sakkinen
2017-06-23 10:26 ` Jarkko Sakkinen
2017-06-23 10:26 ` Jarkko Sakkinen
2017-06-23 11:25 ` Roberto Sassu
2017-06-23 11:25 ` Roberto Sassu
2017-06-23 11:25 ` Roberto Sassu
2017-06-23 11:25 ` Roberto Sassu
2017-06-27 15:24 ` [tpmdd-devel] [PATCH v3 3/6] tpm: introduce tpm_pcr_bank_info structure with digest_size from TP Mimi Zohar
2017-06-27 15:24 ` [tpmdd-devel] [PATCH v3 3/6] tpm: introduce tpm_pcr_bank_info structure with digest_size from TPM Mimi Zohar
2017-06-27 15:24 ` Mimi Zohar
2017-06-27 15:24 ` [tpmdd-devel] " Mimi Zohar
2017-06-21 14:29 ` [PATCH v3 4/6] tpm: replace TPM algorithms IDs with tpm_pcr_bank_info structs in tpm_chip Roberto Sassu
2017-06-21 14:29 ` Roberto Sassu
2017-06-21 14:29 ` Roberto Sassu
2017-06-21 14:29 ` Roberto Sassu
2017-06-23 10:32 ` Jarkko Sakkinen
2017-06-23 10:32 ` Jarkko Sakkinen
2017-06-23 10:32 ` Jarkko Sakkinen
2017-06-21 14:29 ` [PATCH v3 5/6] tpm: introduce tpm_get_pcr_banks_info() Roberto Sassu
2017-06-21 14:29 ` Roberto Sassu
2017-06-21 14:29 ` Roberto Sassu
2017-06-21 14:29 ` Roberto Sassu
2017-06-23 10:35 ` Jarkko Sakkinen
2017-06-23 10:35 ` Jarkko Sakkinen
2017-06-23 10:35 ` Jarkko Sakkinen
2017-06-21 14:29 ` [PATCH v3 6/6] tpm: pass multiple digests to tpm_pcr_extend() Roberto Sassu
2017-06-21 14:29 ` Roberto Sassu
2017-06-21 14:29 ` Roberto Sassu
2017-06-21 14:29 ` Roberto Sassu
2017-06-23 10:37 ` [tpmdd-devel] " Jarkko Sakkinen
2017-06-23 10:37 ` Jarkko Sakkinen
2017-06-23 10:37 ` Jarkko Sakkinen
2017-06-23 10:37 ` [tpmdd-devel] " Jarkko Sakkinen
2017-06-24 9:03 ` [PATCH v3 0/6] Updated API for TPM 2.0 PCR extend Jarkko Sakkinen
2017-06-24 9:03 ` Jarkko Sakkinen
2017-06-24 9:03 ` Jarkko Sakkinen
2017-06-24 9:03 ` Jarkko Sakkinen
2017-06-26 6:58 ` Roberto Sassu
2017-06-26 6:58 ` Roberto Sassu
2017-06-26 6:58 ` Roberto Sassu
2017-06-26 6:58 ` Roberto Sassu
2017-06-26 7:21 ` Roberto Sassu
2017-06-26 7:21 ` Roberto Sassu
2017-06-26 7:21 ` Roberto Sassu
2017-06-26 7:21 ` Roberto Sassu
2017-06-28 17:10 ` Jarkko Sakkinen
2017-06-28 17:10 ` Jarkko Sakkinen
2017-06-28 17:10 ` Jarkko Sakkinen
2017-06-26 12:33 ` [Linux-ima-devel] " Mimi Zohar
2017-06-26 12:33 ` Mimi Zohar
2017-06-26 12:33 ` Mimi Zohar
2017-06-26 14:56 ` Roberto Sassu
2017-06-26 14:56 ` Roberto Sassu
2017-06-26 14:56 ` Roberto Sassu
2017-06-26 14:56 ` Roberto Sassu
2017-06-26 17:12 ` Mimi Zohar
2017-06-26 17:12 ` Mimi Zohar
2017-06-26 17:12 ` Mimi Zohar
2017-06-28 17:28 ` Jarkko Sakkinen
2017-06-28 17:28 ` Jarkko Sakkinen
2017-06-28 17:28 ` Jarkko Sakkinen
2017-06-28 22:28 ` Mimi Zohar
2017-06-28 22:28 ` Mimi Zohar
2017-06-28 22:28 ` Mimi Zohar
2017-07-05 15:18 ` [tpmdd-devel] " Ken Goldman
2017-07-05 15:18 ` Ken Goldman
2017-07-05 15:18 ` Ken Goldman
2017-07-05 15:18 ` Ken Goldman
2017-07-05 16:06 ` Mimi Zohar [this message]
2017-07-05 16:06 ` Mimi Zohar
2017-07-05 16:06 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1499270802.3059.101.camel@linux.vnet.ibm.com \
--to=zohar@linux.vnet.ibm.com \
--cc=linux-security-module@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.