From: Petr Vorel <pvorel@suse.cz>
To: ltp@lists.linux.it
Subject: [LTP] [LTP v2 1/1] ima_tpm.sh: Fix for calculating boot aggregate
Date: Fri, 19 Jun 2020 10:21:34 +0200
Message-ID: <20200619082134.GB23036@dell5510>
In-Reply-To: <20200617204500.GB40831@glitch>
Hi all,
...
> > > I'd appreciate if someone could send me a TPM event log, the PCRs, and
> > > the associated IMA ascii_runtime_measurements "boot_aggregate" from a
> > > system with a discrete TPM 2.0 with PCRs 8 & 9 events.
> Maybe Maurizio already has it at hand?
I'd appreciate having these files as well.
> I can try to set up a system with grub2+tpm to get the log with pcr 8 and
> 9 filled.
> > > > > ...
> > > > > > > > The ima-evm-utils next-testing branch has code to calculate the
> > > > > > > > boot_aggregate based on multiple banks.
> > > > > > > I see, 696bf0b ("ima-evm-utils: calculate the digests for multiple TPM banks")
> > > > > > > I wonder whether it's reasonable trying to port that to ima_boot_aggregate.c or
> > > > > > > just depend on evmctl. External dependencies are sometimes complicated, but for
> > > > > > > IMA I'm inclined to just require evmctl.
> > > > > > Unlike TPM 1.2, the TPM 2.0 device driver doesn't export the TPM PCRs.
> > > > > > Not only would you have a dependency on ima-evm-utils, but also on a
> > > > > > userspace application(s) for reading the TPM PCRs. That dependency
> > > > > > exists whether you're using evmctl to calculate the boot_aggregate or
> > > > > > doing it yourself.
> > > > > Hm, things get complicated.
> > > > > Yep I remember your patch to skip verifying TPM 2.0 PCR values
> > > > > https://patchwork.ozlabs.org/project/ltp/patch/1558041162.3971.2.camel@linux.ibm.com/
> > > > > At least thanks to Jerry Snitselaar since v5.6 we have
> > > > > /sys/class/tpm/tpm*/tpm_version_major. We could check this (+ try also
> > > > > /sys/class/tpm/tpm0/device/description for older kernels).
> > > > > BTW on my system there is also /sys/class/tpm/tpm0/ppi/version, which has 1.2,
> > > > > not sure if it indicates TPM 1.2, but I wouldn't rely on that.
> Missed this last paragraph... but /sys/class/tpm/tpm0/ppi/version has
> relation to the Physical Presence Interface version, which is the
> communication interface between firmware and OS afaik, and doesn't
> point to the TPM version: TPM2.0 may have PPI version 1.2 or 1.3.
Kind regards,
Petr
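A sysfs-based TPM version check in the spirit of what the thread discusses, as an added example that is not code from LTP's ima_tpm.sh or from any of the participants: it prefers tpm_version_major (exported since Linux 5.6), falls back to device/description on older kernels, and deliberately ignores ppi/version for the reason given in the quoted reply above. The description strings ("TPM 2.0 Device", "TPM 1.2 Device") and the fake sysfs tree used to exercise the function are constructed assumptions, not data captured from a real system; the exact wording of the ACPI description string is firmware dependent.

```shell
#!/bin/sh
# Added example (not LTP's ima_tpm.sh code): report the TPM major version
# for one device directory under sysfs.
#
# Order of preference, as discussed in the thread:
#   1. tpm_version_major  - exported by the tpm driver since Linux 5.6
#   2. device/description - ACPI description string on older kernels
#                           (ASSUMED to contain "2.0" or "1.2"; the exact
#                            wording is firmware dependent)
# ppi/version is deliberately NOT read: it is the Physical Presence
# Interface version (1.2 or 1.3 even on a TPM 2.0), not the TPM version.
#
# Usage: tpm_version /sys/class/tpm/tpm0   -> prints "1.2", "2.0" or "unknown"
# The directory is a parameter so the function can be run against a
# constructed tree (see make_fake_tpm below) on a machine without a TPM.
tpm_version()
{
	dir="$1"

	if [ -r "$dir/tpm_version_major" ]; then
		major="$(cat "$dir/tpm_version_major")"
		case "$major" in
		1) echo "1.2"; return 0 ;;
		2) echo "2.0"; return 0 ;;
		esac
	fi

	if [ -r "$dir/device/description" ]; then
		desc="$(cat "$dir/device/description")"
		case "$desc" in
		*"2.0"*) echo "2.0"; return 0 ;;
		*"1.2"*) echo "1.2"; return 0 ;;
		esac
	fi

	# Neither file identified the version: callers must not assume 1.2.
	echo "unknown"
	return 1
}

# Build a constructed sysfs-like tree for testing (not real device data).
# $1 dir, $2 tpm_version_major content ("" = file absent),
# $3 device/description content ("" = absent), $4 ppi/version content.
make_fake_tpm()
{
	mkdir -p "$1/device" "$1/ppi"
	if [ -n "$2" ]; then echo "$2" > "$1/tpm_version_major"; fi
	if [ -n "$3" ]; then echo "$3" > "$1/device/description"; fi
	if [ -n "$4" ]; then echo "$4" > "$1/ppi/version"; fi
	return 0
}

# Stand-alone demo on the real device, if one is present.
if [ -d /sys/class/tpm/tpm0 ]; then
	echo "tpm0: TPM $(tpm_version /sys/class/tpm/tpm0)"
fi
```

The function returns non-zero when neither file identifies the version, so a test that wants to skip PCR verification on TPM 2.0 can do so only on a positive identification rather than treating an unreadable sysfs entry as TPM 1.2.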
Thread overview: 19+ messages
2020-05-27 7:14 [LTP] [LTP v2 1/1] ima_tpm.sh: Fix for calculating boot aggregate Petr Vorel
2020-05-27 17:41 ` Mimi Zohar
2020-05-28 14:07 ` Petr Vorel
2020-05-28 15:19 ` Mimi Zohar
2020-05-28 16:05 ` Petr Vorel
2020-06-15 19:41 ` Bruno Meneguele
2020-06-15 20:01 ` Bruno Meneguele
2020-06-16 22:40 ` Mimi Zohar
2020-06-17 19:52 ` Bruno Meneguele
2020-06-19 7:46 ` Petr Vorel
2020-06-15 20:21 ` Mimi Zohar
2020-06-17 1:21 ` Jerry Snitselaar
2020-06-17 20:45 ` Bruno Meneguele
2020-06-17 22:19 ` Maurizio Drocco
2020-06-19 8:21 ` Petr Vorel [this message]
2020-06-19 12:43 ` Mimi Zohar
2020-06-19 13:01 ` Petr Vorel
2020-06-19 10:07 ` Petr Vorel
2020-06-19 13:01 ` Mimi Zohar