From: Mimi Zohar <zohar@linux.ibm.com>
To: patrick@puiterwijk.org, linux-integrity@vger.kernel.org
Cc: pbrobinson@redhat.com
Subject: Re: [PATCH v2] ima-evm-utils: Add support for Intel TSS2 for PCR reading
Date: Wed, 20 May 2020 11:21:29 -0400 [thread overview]
Message-ID: <1589988089.5111.280.camel@linux.ibm.com> (raw)
In-Reply-To: <CAJweMda2DC+L10v5T7G_FCF5LZxwQMp4x4LYdAdi4kTO2bFAiw@mail.gmail.com>
On Mon, 2020-02-24 at 15:04 -0800, patrick@puiterwijk.org wrote:
> From: Patrick Uiterwijk <patrick@puiterwijk.org>
>
> This patch makes it possible to use the Intel TSS2 for getting
> PCR values from the SHA1/SHA256 banks on a TPM2.
> It is somewhat naive as it doesn't use the multi-PCR selection
> that TSS2 is capable of, that is for a future patch.
>
> Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org>
Thanks, Patrick. There was a missing include in pcr_tsspcrread.c,
which I've included. This patch is now in the ima-evm-utils next-
testing branch. I'd appreciate some Review/Test tags for at least the
pcr_tss.c aspect.
IMA support for extending the TPM 2.0 banks with the hash appropriate
algorithm will, hopefully, be upstreamed in Linux 5.8 The new
"boot_aggregate" test calculates a per TPM bank "boot_aggregate"
value. One of which should match the "boot_aggregate" value in the
IMA measurement list.
Please note that the new "boot_aggregate" test[1] can be run as root,
which accesses the exported TPM securityfs event log, or as a user,
which uses the sample TPM 2.0 sample event log and associated IMA
measurement list. To calculate the "boot_aggregate" based on the
sample TPM 2.0 event log, requires starting a software TPM and
initializing it based on the TPM event log. The code currently
initializes the TPM using tsseventextend.
Testing ima-evm-utils support for multiple crypto and TSS packages
requires building a matrix. As I'm new to travis, the travis code is
in the next-testing-travis branch, but will not be upstreamed at this
point. To prevent running the "boot_aggregate" test when using the
tpm2-tss, the software TPM is not installed.
Mimi
[1] VERBOSE=1 make check TESTS=boot_aggregate.test
[2] tsseventextend" -tpm -if "${BINARY_BIOS_MEASUREMENTS}" -v
prev parent reply other threads:[~2020-05-20 15:21 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-01-25 10:15 [PATCH] Add support for TSS2 for PCR reading Patrick Uiterwijk
2020-01-27 16:52 ` Mimi Zohar
2020-02-17 2:10 ` Mimi Zohar
2020-02-24 14:17 ` Mimi Zohar
2020-02-24 23:04 ` [PATCH v2] ima-evm-utils: Add support for Intel " patrick
2020-05-20 15:21 ` Mimi Zohar [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1589988089.5111.280.camel@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=linux-integrity@vger.kernel.org \
--cc=patrick@puiterwijk.org \
--cc=pbrobinson@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.