From: Petr Vorel <pvorel@suse.cz>
To: Bruno Meneguele <bmeneg@redhat.com>
Cc: Jerry Snitselaar <jsnitsel@redhat.com>,
	Mimi Zohar <zohar@linux.ibm.com>,
	ltp@lists.linux.it, Mimi Zohar <zohar@linux.vnet.ibm.com>,
	Petr Cervinka <pcervinka@suse.com>,
	Cyril Hrubis <chrubis@suse.cz>,
	linux-integrity@vger.kernel.org,
	Vitaly Chikunov <vt@altlinux.org>,
	Maurizio Drocco <maurizio.drocco@ibm.com>
Subject: Re: [LTP v2 1/1] ima_tpm.sh: Fix for calculating boot aggregate
Date: Fri, 19 Jun 2020 10:21:34 +0200	[thread overview]
Message-ID: <20200619082134.GB23036@dell5510> (raw)
In-Reply-To: <20200617204500.GB40831@glitch>

Hi all,

...
> > > I'd appreciate if someone could send me a TPM event log, the PCRs, and
> > > the associated IMA ascii_runtime_measurements "boot_aggregate" from a
> > > system with a discrete TPM 2.0 with PCRs 8 & 9 events.


> Maybe Maurizio already has it at hand?
I'd appreciate having these files as well.

> I can try to set up a system with grub2+tpm to get the log with pcr 8 and
> 9 filled.


> > > > > ...
> > > > > > > > The ima-evm-utils next-testing branch has code to calculate the
> > > > > > > > boot_aggregate based on multiple banks.
> > > > > > > I see, 696bf0b ("ima-evm-utils: calculate the digests for multiple TPM banks")
> > > > > > > I wonder whether it's reasonable trying to port that to ima_boot_aggregate.c or
> > > > > > > just depend on evmctl. External dependencies are sometimes complicated, but for
> > > > > > > IMA I'm inclined to just require evmctl.

> > > > > > Unlike TPM 1.2, the TPM 2.0 device driver doesn't export the TPM PCRs.
> > > > > >  Not only would you have a dependency on ima-evm-utils, but also on a
> > > > > > userspace application(s) for reading the TPM PCRs.  That dependency
> > > > > > exists whether you're using evmctl to calculate the boot_aggregate or
> > > > > > doing it yourself.
> > > > > Hm, things get complicated.
> > > > > Yep I remember your patch to skip verifying TPM 2.0 PCR values
> > > > > https://patchwork.ozlabs.org/project/ltp/patch/1558041162.3971.2.camel@linux.ibm.com/
> > > > > At least thanks to Jerry Snitselaar since v5.6 we have
> > > > > /sys/class/tpm/tpm*/tpm_version_major. We could check this (+ try also
> > > > > /sys/class/tpm/tpm0/device/description for older kernels).

> > > > > BTW on my system there is also /sys/class/tpm/tpm0/ppi/version, which has 1.2,
> > > > > not sure if it indicates TPM 1.2, but I wouldn't rely on that.


> Missed this last paragraph... but /sys/class/tpm/tpm0/ppi/version has
> relation to the Physical Presence Interface version, which is the
> communication interface between firmware and OS afaik, and doesn't
> point to the TPM version: TPM 2.0 may have PPI version 1.2 or 1.3.


Kind regards,
Petr
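The TPM version check discussed above (prefer /sys/class/tpm/tpm*/tpm_version_major, available since v5.6; fall back to /sys/class/tpm/tpm0/device/description on older kernels; do not consult ppi/version, which is the Physical Presence Interface version and not the TPM version), written out as a shell function. This is an added example, not code from the LTP patch or from anyone in the thread. The optional sysfs root argument exists so the function can be exercised against a constructed directory tree; the "TPM 1.2" / "TPM 2.0" substrings matched in the description file are an assumption about how that firmware string is phrased.

```shell
#!/bin/sh
# Added example: determine the TPM major version from sysfs.
#
# tpm_major_version [SYSFS_TPM_ROOT]
#   SYSFS_TPM_ROOT defaults to /sys/class/tpm; another directory may be
#   passed to run the function against a constructed tree.
# Prints "1" or "2" and returns 0 when the version was determined,
# prints nothing and returns 1 when no TPM device is present or the
# version cannot be determined.
#
# Deliberately NOT consulted: $dev/ppi/version. That file reports the
# Physical Presence Interface version (1.2 or 1.3), which is independent
# of whether the chip is TPM 1.2 or TPM 2.0.
tpm_major_version()
{
	root="${1:-/sys/class/tpm}"
	dev=
	for d in "$root"/tpm*; do
		if [ -d "$d" ]; then
			dev="$d"
			break
		fi
	done
	[ -n "$dev" ] || return 1

	# Preferred source: tpm_version_major, exported since kernel v5.6.
	if [ -r "$dev/tpm_version_major" ]; then
		v=$(cat "$dev/tpm_version_major")
		case "$v" in
		1|2)
			echo "$v"
			return 0
			;;
		esac
	fi

	# Fallback for older kernels: the device description string.
	# Assumption: the string contains "TPM 2.0" or "TPM 1.2".
	if [ -r "$dev/device/description" ]; then
		desc=$(cat "$dev/device/description")
		case "$desc" in
		*"TPM 2.0"*)
			echo 2
			return 0
			;;
		*"TPM 1.2"*)
			echo 1
			return 0
			;;
		esac
	fi

	return 1
}

# Convenience wrapper for test scripts: succeeds only on a TPM 2.0 device.
is_tpm2()
{
	[ "$(tpm_major_version "$1")" = "2" ]
}
```

In a test this lets the script skip TPM 1.2-only PCR verification on TPM 2.0 hardware by calling `is_tpm2` once, instead of grepping ppi/version, which would misclassify a TPM 2.0 chip that exposes PPI 1.2.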
