From: Petr Vorel <pvorel@suse.cz>
To: Mimi Zohar <zohar@linux.ibm.com>
Cc: Bruno Meneguele <bmeneg@redhat.com>,
	ltp@lists.linux.it, Mimi Zohar <zohar@linux.vnet.ibm.com>,
	Petr Cervinka <pcervinka@suse.com>,
	Cyril Hrubis <chrubis@suse.cz>,
	linux-integrity@vger.kernel.org,
	Vitaly Chikunov <vt@altlinux.org>,
	Maurizio Drocco <maurizio.drocco@ibm.com>
Subject: Re: [LTP v2 1/1] ima_tpm.sh: Fix for calculating boot aggregate
Date: Fri, 19 Jun 2020 12:07:37 +0200	[thread overview]
Message-ID: <20200619100737.GB18704@dell5510> (raw)
In-Reply-To: <1592252491.11061.181.camel@linux.ibm.com>

Hi all,

> On Mon, 2020-06-15 at 16:41 -0300, Bruno Meneguele wrote:
> > On Thu, May 28, 2020 at 06:05:27PM +0200, Petr Vorel wrote:
> > > Hi Mimi,
...
> > > To sum that up: my patch is required for any system without a physical TPM with
> > > a kernel with b59fda449cf0 + it also works for TPM 1.2 (regardless of kernel
> > > version), because TPM 1.2 supports only a sha1 boot aggregate.

> > > But testing on a kernel with b59fda449cf0 with TPM 2.0 is not only broken with
> > > this patch, but also on the current version in master, right? As you have
> > > sha256:3fd5dc717f886ff7182526efc5edc3abb179a5aac1ab589c8ec888398233ae5 anyway.
> > > So this patch would help at least with testing on a VM without vTPM.

> > If we consider delaying this change until we have ima-evm-utils
> > released with ima_boot_aggregate + make this test dependent on
> > both ima-evm-utils and tsspcrread, would it be worth it to SKIP the test in
> > case a TPM 2.0 sha256 bank is detected instead of FAIL? Thus we could
> > have the test fixed for the TPM 1.2 && no-TPM cases until we get full
> > support for multiple banks?
+1

> As long as we're dealing with the "boot_aggregate", Maurizio just
> posted a kernel patch for including PCR 8 & 9 in the boot_aggregate.
>  The existing IMA LTP "boot_aggregate" test is going to need to
> support this change.
I'm not sure if I did something wrong, but it looks to me that 'evmctl
ima_boot_aggregate' does not provide backward compatibility with TPM 1.2.
Or am I wrong?

And given the fact that the new evmctl is not released, I'd adapt the test just for
TPM 1.2 && no-TPM as Bruno suggested (TCONF if
/sys/class/tpm/tpm0/tpm_version_major is present and not 1, print info about TPM
2.0 not yet supported otherwise).

BTW what is the correct way for systems with more than one TPM (is there any? It looks
like it's possible [1]). Which of them is used? Should I loop over
/sys/class/tpm/tpm*/tpm_version_major or just use
/sys/class/tpm/tpm0/tpm_version_major?

Kind regards,
Petr

[1] https://letstrust.de/archives/29-New-fun-fact!.html
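The check Petr proposes above (loop over the TPM sysfs entries, run the test only for TPM 1.2 and no-TPM systems, TCONF otherwise), plus the sha1 boot aggregate over PCRs 0-7 that TPM 1.2 supports, sketched as a POSIX shell example. This is added code, not part of this thread or of the LTP ima_tpm.sh test. Assumptions: the sysfs layout /sys/class/tpm/tpmN/tpm_version_major and the TPM 1.2 /sys/class/tpm/tpmN/device/pcrs format ("PCR-00: XX XX ..."), a chip whose directory lacks tpm_version_major is treated as TPM 1.2, the SYSFS_TPM override and all function names are mine, and the optional second argument of boot_aggregate_sha1 lets the aggregate extend through PCR 9 for a kernel that (per Maurizio's patch) includes PCR 8 & 9; whether a given kernel does so must be checked separately.

```shell
#!/bin/sh
# Added example, not from the LTP ima_tpm.sh test or from this thread.
# SYSFS_TPM can be pointed at a constructed directory tree for offline runs.
SYSFS_TPM="${SYSFS_TPM:-/sys/class/tpm}"

# Print "tpmN <major>" for every TPM found under $SYSFS_TPM, one per line.
# Assumption: a chip directory without tpm_version_major is a TPM 1.2 on an
# older kernel that did not expose the file yet.
tpm_list()
{
	for dir in "$SYSFS_TPM"/tpm*; do
		[ -d "$dir" ] || continue
		if [ -f "$dir/tpm_version_major" ]; then
			ver=$(cat "$dir/tpm_version_major")
		else
			ver=1
		fi
		echo "$(basename "$dir") $ver"
	done
}

# Decide how the test should proceed; echoes one of:
#   none - no TPM at all, the kernel still computes a boot_aggregate
#   tpm1 - only TPM 1.2 chips, sha1 boot aggregate from PCRs can be checked
#   tpm2 - at least one chip reports a major version other than 1: TCONF,
#          multi-bank (sha256) support is not handled here
tpm_classify()
{
	tpm_list | awk '
		BEGIN { r = "none" }
		$2 == "1" && r == "none" { r = "tpm1" }
		$2 != "1" { r = "tpm2" }
		END { print r }'
}

# Convert a hex string on stdin to raw bytes on stdout (POSIX printf only).
hex2bin()
{
	hex=$(cat)
	while [ -n "$hex" ]; do
		byte="${hex%"${hex#??}"}"
		hex="${hex#??}"
		printf "\\$(printf '%03o' "$((0x$byte))")"
	done
}

# sha1 boot aggregate from a TPM 1.2 pcrs file ($1): sha1 over the raw
# values of PCR 0..$2 concatenated in order. $2 defaults to 7; pass 9 on a
# kernel that also folds PCR 8 and 9 into the aggregate.
boot_aggregate_sha1()
{
	pcrs="$1"; last="${2:-7}"
	awk -v last="$last" '
		/^PCR-/ {
			n = substr($1, 5) + 0
			if (n <= last) for (i = 2; i <= NF; i++) printf "%s", $i
		}' "$pcrs" | hex2bin | sha1sum | cut -d' ' -f1
}

# Stand-alone run: report what the test would do on this machine.
echo "TPM classification: $(tpm_classify)"
```

On a TPM 1.2 system the value printed by `boot_aggregate_sha1 /sys/class/tpm/tpm0/device/pcrs` can be compared with the sha1 boot_aggregate entry at the head of /sys/kernel/security/ima/ascii_runtime_measurements; the PCR range is an explicit parameter precisely because it depends on the kernel, which is the compatibility question this thread raises.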
