From: Nicolai Stange <nstange@suse.de>
To: Mimi Zohar <zohar@linux.ibm.com>
Cc: Nicolai Stange <nstange@suse.de>,
	 Roberto Sassu <roberto.sassu@huawei.com>,
	 Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
	Eric Snowberg <eric.snowberg@oracle.com>,
	 Jarkko Sakkinen <jarkko@kernel.org>,
	 James Bottomley <James.Bottomley@HansenPartnership.com>,
	 linux-integrity@vger.kernel.org,
	linux-security-module@vger.kernel.org,
	 linux-kernel@vger.kernel.org
Subject: Re: [RFC PATCH v2 03/13] ima: invalidate unsupported PCR banks
Date: Wed, 26 Mar 2025 10:01:17 +0100
Message-ID: <877c4cqi76.fsf@>
In-Reply-To: <e492df76d30b0b95f83b577499a25cdca2256407.camel@linux.ibm.com> (Mimi Zohar's message of "Mon, 24 Mar 2025 11:05:54 -0400")

Mimi Zohar <zohar@linux.ibm.com> writes:

>> diff --git a/security/integrity/ima/ima_crypto.c b/security/integrity/ima/ima_crypto.c
>> index 6f5696d999d0..a43080fb8edc 100644
>> --- a/security/integrity/ima/ima_crypto.c
>> +++ b/security/integrity/ima/ima_crypto.c
>> @@ -625,26 +625,43 @@ int ima_calc_field_array_hash(struct ima_field_data *field_data,
>>  	u16 alg_id;
>>  	int rc, i;
>>  
>> +#if IS_ENABLED(CONFIG_IMA_COMPAT_FALLBACK_TPM_EXTEND)
>>  	rc = ima_calc_field_array_hash_tfm(field_data, entry, ima_sha1_idx);
>>  	if (rc)
>>  		return rc;
>>  
>>  	entry->digests[ima_sha1_idx].alg_id = TPM_ALG_SHA1;
>> +#endif
>>  
>>  	for (i = 0; i < NR_BANKS(ima_tpm_chip) + ima_extra_slots; i++) {
>> +#if IS_ENABLED(CONFIG_IMA_COMPAT_FALLBACK_TPM_EXTEND)
>>  		if (i == ima_sha1_idx)
>>  			continue;
>> +#endif
>>  
>>  		if (i < NR_BANKS(ima_tpm_chip)) {
>>  			alg_id = ima_tpm_chip->allocated_banks[i].alg_id;
>>  			entry->digests[i].alg_id = alg_id;
>>  		}
>>  
>> -		/* for unmapped TPM algorithms digest is still a padded SHA1 */
>> +		/*
>> +		 * For unmapped TPM algorithms, the digest is still a
>> +		 * padded SHA1 if backwards-compatibility fallback PCR
>> +		 * extension is enabled. Otherwise fill with
>> +		 * 0xfes. This is the value to invalidate unsupported
>> +		 * PCR banks with. Also, a non-all-zeroes value serves
>> +		 * as an indicator to kexec measurement restoration
>> +		 * that the entry is not a violation and all its
>> +		 * template digests need to get recomputed.
>> +		 */
>>  		if (!ima_algo_array[i].tfm) {
>> +#if IS_ENABLED(CONFIG_IMA_COMPAT_FALLBACK_TPM_EXTEND)
>>  			memcpy(entry->digests[i].digest,
>>  			       entry->digests[ima_sha1_idx].digest,
>>  			       TPM_DIGEST_SIZE);

                               ^
That's been here before, just for the record for the below.

>> +#else
>> +			memset(entry->digests[i].digest, 0xfe, TPM_DIGEST_SIZE);
>> +#endif
>
> Using TPM_DIGEST_SIZE will result in a padded 0xfe value.

Yes, but as the sysfs files for unsupported algos are gone, this will be
used only for extending the PCR banks. tpm[12]_pcr_extend()
(necessarily) truncate the digests to the correct size before sending
them to the TPM.

But if you prefer I can absolutely replace TPM_DIGEST_SIZE by
hash_digest_size[ima_algo_array[i].algo].

Thanks,

Nicolai

>
>>  			continue;
>>  		}
>>  
>
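
Review bot: In the #else branch, memset(entry->digests[i].digest, 0xfe, TPM_DIGEST_SIZE) writes only TPM_DIGEST_SIZE bytes, the same length as the SHA1 memcpy() in the branch above it, while the new comment just says "fill with 0xfes". For a bank whose digest is longer than TPM_DIGEST_SIZE, the buffer then holds 0xfe in its first TPM_DIGEST_SIZE bytes and whatever was there before in the rest, so either size the fill by that bank's digest length or state in the comment that the invalidation value is a padded one, so the exact bytes are documented. The comment also makes the 0xfe fill a marker that kexec measurement restoration depends on (non-all-zeroes meaning "not a violation"); a named constant used at both places would keep the two from drifting apart.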

-- 
SUSE Software Solutions Germany GmbH, Frankenstraße 146, 90461 Nürnberg, Germany
GF: Ivo Totev, Andrew McDonald, Werner Knoblich
(HRB 36809, AG Nürnberg)
