[PATCH AUTOSEL 5.7 03/30] ima: extend boot_aggregate with kernel measurements
Mimi Zohar
zohar at linux.ibm.com
Tue Dec 1 03:13:02 UTC 2020
On Mon, 2020-11-30 at 19:21 -0500, Sasha Levin wrote:
> On Sun, Nov 29, 2020 at 08:17:38AM -0500, Mimi Zohar wrote:
> >Hi Sasha,
> >
> >On Wed, 2020-07-08 at 21:27 -0400, Sasha Levin wrote:
> >> On Wed, Jul 08, 2020 at 12:13:13PM -0400, Mimi Zohar wrote:
> >> >Hi Sasha,
> >> >
> >> >On Wed, 2020-07-08 at 11:40 -0400, Sasha Levin wrote:
> >> >> From: Maurizio Drocco <maurizio.drocco at ibm.com>
> >> >>
> >> >> [ Upstream commit 20c59ce010f84300f6c655d32db2610d3433f85c ]
> >> >>
> >> >> Registers 8-9 are used to store measurements of the kernel and its
> >> >> command line (e.g., grub2 bootloader with tpm module enabled). IMA
> >> >> should include them in the boot aggregate. Registers 8-9 should be
> >> >> only included in non-SHA1 digests to avoid ambiguity.
> >> >
> >> >Prior to Linux 5.8, the SHA1 template data hashes were padded before
> >> >being extended into the TPM. Support for calculating and extending
> >> >the per TPM bank template data digests is only being upstreamed in
> >> >Linux 5.8.
> >> >
> >> >How will attestation servers know whether to include PCRs 8 & 9 in the
> >> >the boot_aggregate calculation? Now, there is a direct relationship
> >> >between the template data SHA1 padded digest not including PCRs 8 & 9,
> >> >and the new per TPM bank template data digest including them.
> >>
> >> Got it, I'll drop it then, thank you!
> >
> >After re-thinking this over, I realized that the attestation server can
> >verify the "boot_aggregate" based on the quoted PCRs without knowing
> >whether padded SHA1 hashes or per TPM bank hash values were extended
> >into the TPM[1], but non-SHA1 boot aggregate values [2] should always
> >include PCRs 8 & 9.
> >
> >Any place commit 6f1a1d103b48 was backported [2], this commit
> >20c59ce010f8 ("ima: extend boot_aggregate with kernel measurements")
> >should be backported as well.
>
> Which kernels should it apply to? 5.7 is EOL now, so I looked at 5.4 but
> it doesn't apply cleanly there.
For 5.4, both "git cherry-pick" and "git am --3way" for 20c59ce010f8
seem to work.
thanks,
Mimi
More information about the Linux-security-module-archive
mailing list