From: Mimi Zohar <zohar@linux.ibm.com>
To: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>,
linux-integrity@vger.kernel.org
Cc: Roberto Sassu <roberto.sassu@huawei.com>,
Vitaly Chikunov <vt@altlinux.org>,
Patrick Uiterwijk <puiterwi@redhat.com>,
Petr Vorel <pvorel@suse.cz>
Subject: Re: [RFC PATCH 0/8] ima-evm-utils: calculate per TPM bank template digest
Date: Sat, 22 Feb 2020 20:12:42 -0500
Message-ID: <1582420362.10443.18.camel@linux.ibm.com>
In-Reply-To: <ed6849bf-0988-3807-1b8f-151871f702d1@linux.microsoft.com>
On Fri, 2020-02-21 at 16:11 -0800, Lakshmi Ramasubramanian wrote:
> Hi Mimi,
>
> > IMA currently extends the different TPM banks by padding/truncating the
> > SHA1 template digest. Although the IMA measurement list only includes
> > the SHA1 template digest, the template digest could be re-calculated
> > properly for each bank. Roberto Sassu's proposed "ima: support stronger
> > algorithms for attestation" kernel patch set makes this change.
> >
> > In order to test the proposed kernel change, this patch set walks the
> > IMA measurement list, re-calculating the per TPM bank template digest
> > and extending the TPM bank PCR with the bank specific digest. The last
> > step, after walking the measurement list, is comparing the resulting
> > TPM per bank PCR values with the actual TPM per bank PCR values.
>
> I have built the kernel with Roberto's patch set and also built evmctl
> with your patch set.
>
> Could you please include an example for how evmctl can be used to test
> Roberto's change?
There are two aspects to Roberto's changes - extending the TPM banks
with the bank specific template digest and verifying the boot
aggregate. This patch set only addresses the first aspect.
Assuming both the sha1 and sha256 TPM banks are enabled,

# tssgetcapability -cap 5
2 PCR selections
hash TPM_ALG_SHA1
TPMS_PCR_SELECTION length 3
ff ff ff
hash TPM_ALG_SHA256
TPMS_PCR_SELECTION length 3
ff ff ff

the output would look like:
# evmctl ima_measurement -v --list /sys/kernel/security/integrity/ima/binary_runtime_measurements
sha1: PCRAgg 10: 7723f6d980725507e5d0eb643dc179aae0efb719
sha1: TPM PCR-10: 7723f6d980725507e5d0eb643dc179aae0efb719
sha1 PCR-10: succeed
sha256: PCRAgg 10: 5254d6dce62765f884dc67dac8d59a8721ae14495ae4a0cb73426d0c013a82b2
sha256: TPM PCR-10: 5254d6dce62765f884dc67dac8d59a8721ae14495ae4a0cb73426d0c013a82b2
sha256 PCR-10: succeed
Mimi
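Added worked example, not part of the thread and not code from ima-evm-utils or the kernel: a Python replay of the per-bank check the message above describes. It parses a constructed ima-ng style binary_runtime_measurements blob (little-endian u32 lengths are assumed; the legacy fixed-size "ima" template is not handled), recomputes the template digest with each bank's own algorithm, extends a simulated PCR 10 per bank, and reports succeed/fail against what a patched kernel and what an older padding kernel would have extended. Violation entries (stored template digest all zero) are extended with 0xff bytes in every bank, the case the "zero" and "fox" buffers resized in patch 2/8 exist for. All sample paths and file digests are constructed, not taken from a real system.

```python
import hashlib
import struct

# Added illustration, not evmctl or kernel code. Assumes the "ima-ng" record
# layout of binary_runtime_measurements on a little-endian host:
#   pcr(u32) | sha1 template digest(20) | name_len(u32) | template name |
#   data_len(u32) | template data
SHA1_DIGEST_SIZE = 20


def extend(bank, pcr, value):
    """TPM extend as the replay simulates it: PCR_new = H(PCR_old || value)."""
    return hashlib.new(bank, pcr + value).digest()


def parse_records(blob):
    """Yield (pcr, stored sha1 template digest, template name, template data)."""
    off = 0
    while off < len(blob):
        (pcr,) = struct.unpack_from("<I", blob, off)
        off += 4
        digest = blob[off:off + SHA1_DIGEST_SIZE]
        off += SHA1_DIGEST_SIZE
        (name_len,) = struct.unpack_from("<I", blob, off)
        off += 4
        name = blob[off:off + name_len].decode()
        off += name_len
        (data_len,) = struct.unpack_from("<I", blob, off)
        off += 4
        data = blob[off:off + data_len]
        off += data_len
        yield pcr, digest, name, data


def replay(blob, bank, per_bank_digest=True, pcr_index=10):
    """Walk the list and return the aggregate value for one TPM bank.

    per_bank_digest=True mirrors the patched kernel: the template digest is
    recomputed with the bank's own algorithm over the template data.
    per_bank_digest=False mirrors the older kernel: the stored SHA1 template
    digest is zero-padded (or truncated) to the bank's digest size.
    A stored all-zero digest marks a violation, extended with 0xff bytes.
    """
    size = hashlib.new(bank).digest_size
    pcr = bytes(size)
    for idx, digest, _name, data in parse_records(blob):
        if idx != pcr_index:
            continue
        if digest == bytes(SHA1_DIGEST_SIZE):
            value = b"\xff" * size
        elif per_bank_digest:
            value = hashlib.new(bank, data).digest()
        else:
            value = digest[:size].ljust(size, b"\x00")
        pcr = extend(bank, pcr, value)
    return pcr


def verify_banks(blob, tpm_pcrs):
    """Compare the replayed aggregate with the TPM value, bank by bank."""
    return {bank: replay(blob, bank) == value for bank, value in tpm_pcrs.items()}


# --- constructed sample measurement list (not from a real system) ----------

def ima_ng_template_data(file_hash_alg, file_digest, path):
    """ima-ng template data: length-prefixed 'alg:\\0digest' and 'path\\0'."""
    hash_field = file_hash_alg.encode() + b":\x00" + file_digest
    name_field = path.encode() + b"\x00"
    return (struct.pack("<I", len(hash_field)) + hash_field
            + struct.pack("<I", len(name_field)) + name_field)


def build_record(pcr, data, violation=False, name="ima-ng"):
    digest = bytes(SHA1_DIGEST_SIZE) if violation else hashlib.sha1(data).digest()
    return (struct.pack("<I", pcr) + digest
            + struct.pack("<I", len(name)) + name.encode()
            + struct.pack("<I", len(data)) + data)


SAMPLE_LIST = b"".join([
    build_record(10, ima_ng_template_data("sha1", bytes(20), "boot_aggregate")),
    build_record(10, ima_ng_template_data("sha256", hashlib.sha256(b"sh").digest(), "/bin/sh")),
    build_record(10, ima_ng_template_data("sha256", hashlib.sha256(b"ld").digest(),
                                          "/lib64/ld-linux-x86-64.so.2"), violation=True),
])

# What a TPM extended by the patched kernel would hold, per bank.
PATCHED_TPM = {bank: replay(SAMPLE_LIST, bank) for bank in ("sha1", "sha256")}
# What a TPM extended by the older padding/truncating kernel would hold.
LEGACY_TPM = {bank: replay(SAMPLE_LIST, bank, per_bank_digest=False)
              for bank in ("sha1", "sha256")}

if __name__ == "__main__":
    for label, tpm in (("patched kernel", PATCHED_TPM), ("legacy kernel", LEGACY_TPM)):
        print(f"== {label} ==")
        for bank, ok in verify_banks(SAMPLE_LIST, tpm).items():
            print(f"{bank}: PCRAgg 10: {replay(SAMPLE_LIST, bank).hex()}")
            print(f"{bank}: TPM PCR-10: {tpm[bank].hex()}")
            print(f"{bank} PCR-10: {'succeed' if ok else 'fail'}")
```

The sha1 bank verifies against either kernel, because the stored SHA1 template digest is exactly what both kernels extend there; the sha256 bank only verifies against the patched kernel, which is the mismatch the tool is meant to expose on an unpatched system.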