From: Mimi Zohar <zohar@linux.ibm.com>
To: Jerry Snitselaar <jsnitsel@redhat.com>
Cc: linux-integrity@vger.kernel.org,
	James Bottomley <James.Bottomley@HansenPartnership.com>,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH 1/2] ima: use the IMA configured hash algo to calculate the boot aggregate
Date: Mon, 27 Jan 2020 16:31:39 -0500
Message-ID: <1580160699.5088.64.camel@linux.ibm.com>
In-Reply-To: <20200127204941.2ewman4y5nzvkjqe@cantor>

On Mon, 2020-01-27 at 13:49 -0700, Jerry Snitselaar wrote:
> On Mon Jan 27 20, Mimi Zohar wrote:
> >The boot aggregate is a cumulative SHA1 hash over TPM registers 0 - 7.
> >NIST has deprecated the usage of SHA1 in most instances.  Instead of
> >continuing to use SHA1 to calculate the boot_aggregate, use the
> >configured IMA default hash algorithm.
> >
> >Although the IMA measurement list boot_aggregate template data contains
> >the hash algorithm followed by the digest, allowing verifiers (e.g.
> >attestation servers) to calculate and verify the boot_aggregate, the
> >verifiers might not have the knowledge of what constitutes a good value
> >based on a different hash algorithm.
> >
> >Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
> >---
> > security/integrity/ima/ima_init.c | 8 ++++----
> > 1 file changed, 4 insertions(+), 4 deletions(-)
> >
> >diff --git a/security/integrity/ima/ima_init.c b/security/integrity/ima/ima_init.c
> >index 195cb4079b2b..b1b334fe0db5 100644
> >--- a/security/integrity/ima/ima_init.c
> >+++ b/security/integrity/ima/ima_init.c
> >@@ -27,7 +27,7 @@ struct tpm_chip *ima_tpm_chip;
> > /* Add the boot aggregate to the IMA measurement list and extend
> >  * the PCR register.
> >  *
> >- * Calculate the boot aggregate, a SHA1 over tpm registers 0-7,
> >+ * Calculate the boot aggregate, a hash over tpm registers 0-7,
> >  * assuming a TPM chip exists, and zeroes if the TPM chip does not
> >  * exist.  Add the boot aggregate measurement to the measurement
> >  * list and extend the PCR register.
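
Review bot: the reworded comment now says only "a hash over tpm registers 0-7", which loses the one thing this change is about, namely which hash. Since the algorithm (and with it the digest size, and on TPM 2.0 the PCR bank) is now whatever ima_hash_algo is, say so in the comment, e.g. "Calculate the boot aggregate, a hash using the IMA default hash algorithm (ima_hash_algo) over TPM PCRs 0-7, ...", so a reader of ima_add_boot_aggregate() can see where the choice comes from without reading the body.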
> >@@ -51,14 +51,14 @@ static int __init ima_add_boot_aggregate(void)
> > 	int violation = 0;
> > 	struct {
> > 		struct ima_digest_data hdr;
> >-		char digest[TPM_DIGEST_SIZE];
> >+		char digest[TPM_MAX_DIGEST_SIZE];
> > 	} hash;
> >
> > 	memset(iint, 0, sizeof(*iint));
> > 	memset(&hash, 0, sizeof(hash));
> > 	iint->ima_hash = &hash.hdr;
> >-	iint->ima_hash->algo = HASH_ALGO_SHA1;
> >-	iint->ima_hash->length = SHA1_DIGEST_SIZE;
> >+	iint->ima_hash->algo = ima_hash_algo;
> >+	iint->ima_hash->length = hash_digest_size[ima_hash_algo];
> >
> > 	if (ima_tpm_chip) {
> > 		result = ima_calc_boot_aggregate(&hash.hdr);
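
Review bot: the digest buffer is now char digest[TPM_MAX_DIGEST_SIZE] while the length stored in iint->ima_hash->length is hash_digest_size[ima_hash_algo], and nothing in the hunk ties the two bounds together: if ima_hash_algo is ever configured to an algorithm whose digest is longer than TPM_MAX_DIGEST_SIZE, ima_calc_boot_aggregate(&hash.hdr) would write past hash.digest. Either size the array from the IMA side's maximum or guard the call, e.g.
	if (hash.hdr.length > TPM_MAX_DIGEST_SIZE)
		return -EINVAL;
Separately, the old HASH_ALGO_SHA1 choice implied a TPM bank that always exists; with ima_hash_algo that is no longer given, so the no-matching-bank case needs to be reported through result and the commit message should say what the boot_aggregate becomes when the TPM has no bank for the configured algorithm.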
> >-- 
> >2.7.5
> >
> 
> Tested the patches on the Dell and no longer spits out the error messages on boot.
> /sys/kernel/security/ima/ascii_runtime_measurements shows the boot aggregate.
> 
> Is there something else I should look at to verify it is functioning properly?

The original LTP ima_boot_aggregate.c test needed to be updated to
support TPM 2.0 before this change.  For TPM 2.0, the PCRs are not
exported.  With this change, the kernel could be reading PCRs from a
TPM bank other than SHA1 and calculating the boot_aggregate based on a
different hash algorithm as well.  I'm not sure how a remote verifier
would know which TPM bank was read, when calculating the boot-aggregate.

At the moment, the only test would be to make sure that the LTP test
still works for TPM 1.2 properly.

Mimi
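
The check Jerry asks about, written out as an added example (my code, not the kernel's, not the LTP test, and not anything posted in this thread): a verifier-side recomputation of the boot_aggregate from PCR values, choosing the TPM bank by the algorithm named in the measurement-list entry, which is the knowledge Mimi says a remote verifier may lack. It assumes the construction the kernel uses in ima_calc_boot_aggregate(), one hash over the concatenation of PCRs 0-7 read from the bank of the same algorithm (the thread does not show that code, so treat it as an assumption here); the PCR contents and measurement-list lines are constructed sample data, and the "no-bank" outcome is the situation from the reply above, an entry naming an algorithm for which the verifier holds no PCR values.

```python
"""Verifier-side recomputation of the IMA boot_aggregate (added example).

Assumption: boot_aggregate = hash_algo(PCR0 || PCR1 || ... || PCR7), each PCR
value taken from the TPM bank of that same algorithm.  All PCR values and
measurement-list lines below are constructed sample data, not a real TPM's
or a real kernel's output.
"""
import hashlib

PCR_RANGE = range(0, 8)  # TPM PCRs 0-7, the range the boot_aggregate covers


def constructed_banks():
    """Constructed sample PCR banks: {algo: {pcr_index: digest_bytes}}.

    Deterministic filler stands in for firmware measurements; PCR 6 is left
    at its reset value (all zeros) to mimic a PCR nothing extended.
    """
    banks = {}
    for algo in ("sha1", "sha256"):
        size = hashlib.new(algo).digest_size
        bank = {}
        for pcr in PCR_RANGE:
            if pcr == 6:
                bank[pcr] = bytes(size)
            else:
                bank[pcr] = hashlib.new(algo, b"sample-pcr-%d" % pcr).digest()
        banks[algo] = bank
    return banks


def boot_aggregate(algo, bank):
    """Recompute the boot_aggregate for one bank; returns the hex digest."""
    h = hashlib.new(algo)
    for pcr in PCR_RANGE:
        value = bank[pcr]
        if len(value) != h.digest_size:
            # A PCR value from the wrong bank would yield a plausible-looking
            # but meaningless aggregate, so refuse it instead of hashing it.
            raise ValueError("PCR %d: %d bytes, expected %d for %s"
                             % (pcr, len(value), h.digest_size, algo))
        h.update(value)
    return h.hexdigest()


def parse_boot_aggregate_entry(line):
    """Parse the boot_aggregate line of ascii_runtime_measurements.

    'ima-ng' entries carry '<algo>:<digest>'; the legacy 'ima' template
    carries a bare SHA1 digest.  Returns (template, algo, digest_hex).
    """
    fields = line.split()
    if len(fields) != 5 or fields[4] != "boot_aggregate":
        raise ValueError("not a boot_aggregate entry: %r" % line)
    template, data = fields[2], fields[3]
    if template == "ima":
        return template, "sha1", data.lower()
    if ":" not in data:
        raise ValueError("%s entry lacks an algorithm prefix" % template)
    algo, digest = data.split(":", 1)
    return template, algo.lower(), digest.lower()


def verify_boot_aggregate(line, banks):
    """Check a measurement-list entry against the PCR banks the verifier holds.

    Returns one of:
      ("ok", digest)        entry matches the recomputed aggregate
      ("mismatch", digest)  entry differs from the recomputed aggregate
      ("no-bank", algo)     no PCR values for that algorithm are available,
                            so the entry can be neither accepted nor rejected
    """
    _, algo, digest = parse_boot_aggregate_entry(line)
    if algo not in banks:
        return ("no-bank", algo)
    expected = boot_aggregate(algo, banks[algo])
    return ("ok" if expected == digest else "mismatch", expected)


def measurement_line(template, algo, digest):
    """Build a measurement-list line in the kernel's ASCII layout.

    The template hash (second field) plays no part in this check and is
    filled with zeros.
    """
    if template == "ima":
        return "10 %s ima %s boot_aggregate" % ("0" * 40, digest)
    return "10 %s %s %s:%s boot_aggregate" % ("0" * 40, template, algo, digest)


if __name__ == "__main__":
    banks = constructed_banks()
    for algo in ("sha1", "sha256"):
        line = measurement_line("ima-ng", algo, boot_aggregate(algo, banks[algo]))
        print(line, "->", verify_boot_aggregate(line, banks)[0])
    # The case raised in the thread: a sha256 entry, but only a sha1 bank.
    sha1_only = {"sha1": banks["sha1"]}
    line = measurement_line("ima-ng", "sha256",
                            boot_aggregate("sha256", banks["sha256"]))
    print(line, "->", verify_boot_aggregate(line, sha1_only))
```

On a real machine, replace constructed_banks() with PCR values read from the TPM (for example with tpm2_pcrread on TPM 2.0) and pass the boot_aggregate line from /sys/kernel/security/ima/ascii_runtime_measurements to verify_boot_aggregate(). A "no-bank" result means the entry cannot be checked with the banks at hand, not that it is wrong; a "mismatch" with the right bank is the signal that matters.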



Thread overview: 20+ messages
2020-01-27 16:01 [PATCH 1/2] ima: use the IMA configured hash algo to calculate the boot aggregate Mimi Zohar
2020-01-27 16:01 ` [PATCH 2/2] ima: support calculating the boot_aggregate based on different TPM banks Mimi Zohar
2020-01-27 16:50   ` Lakshmi Ramasubramanian
2020-01-27 18:01     ` Mimi Zohar
2020-01-27 20:55     ` Ken Goldman
2020-01-28 14:19   ` Roberto Sassu
2020-01-28 15:40     ` Mimi Zohar
2020-01-28 16:31       ` Roberto Sassu
2020-01-29 23:20       ` Mimi Zohar
2020-01-30  7:31         ` James Bottomley
2020-01-27 17:38 ` [PATCH 1/2] ima: use the IMA configured hash algo to calculate the boot aggregate Roberto Sassu
2020-01-27 18:16   ` Mimi Zohar
2020-01-27 18:35     ` Mimi Zohar
2020-01-27 20:49 ` Jerry Snitselaar
2020-01-27 21:31   ` Mimi Zohar [this message]
2020-01-29  8:30     ` Petr Vorel
2020-01-29 22:51       ` Mimi Zohar
2020-01-30  8:41         ` Petr Vorel
2020-01-30 15:27         ` Roberto Sassu
2020-01-30 15:40           ` Roberto Sassu
