[PATCH v2] ima_evm_utils: extended calc_bootaggr to PCRs 8 - 9
Stefan Berger
stefanb at linux.ibm.com
Wed Jun 24 21:17:52 UTC 2020
On 6/23/20 2:13 PM, Bruno Meneguele wrote:
> On Tue, Jun 23, 2020 at 02:01:22PM -0400, Maurizio Drocco wrote:
>> From: Maurizio <maurizio.drocco at ibm.com>
>>
>> If PCRs 8 - 9 are set (i.e. not all-zeros), cal_bootaggr should include
>> them into the digest.
Wouldn't you have to check for not all-zeros in your code?
Stefan
>>
>> Signed-off-by: Maurizio Drocco <maurizio.drocco at ibm.com>
>> ---
>> Changelog:
>> v2:
>> - Always include PCRs 8 & 9 to non-sha1 hashes
>> v1:
>> - Include non-zero PCRs 8 & 9 to boot aggregates
>>
>> src/evmctl.c | 15 +++++++++++++--
>> 1 file changed, 13 insertions(+), 2 deletions(-)
>>
>> diff --git a/src/evmctl.c b/src/evmctl.c
>> index 1d065ce..46b7092 100644
>> --- a/src/evmctl.c
>> +++ b/src/evmctl.c
>> @@ -1930,6 +1930,16 @@ static void calc_bootaggr(struct tpm_bank_info *bank)
>> }
>> }
>>
>> + if (strcmp(bank->algo_name, "sha1") != 0) {
>> + for (i = 8; i < 10; i++) {
>> + err = EVP_DigestUpdate(pctx, bank->pcr[i], bank->digest_size);
>> + if (!err) {
>> + log_err("EVP_DigestUpdate() failed\n");
>> + return;
>> + }
>> + }
>> + }
>> +
>> err = EVP_DigestFinal(pctx, bank->digest, &mdlen);
>> if (!err) {
>> log_err("EVP_DigestFinal() failed\n");
>> @@ -1972,8 +1982,9 @@ static int append_bootaggr(char *bootaggr, struct tpm_bank_info *tpm_banks)
>> /*
>> * The IMA measurement list boot_aggregate is the link between the preboot
>> * event log and the IMA measurement list. Read and calculate all the
>> - * possible per TPM bank boot_aggregate digests based on the existing
>> - * PCRs 0 - 7 to validate against the IMA boot_aggregate record.
>> + * possible per TPM bank boot_aggregate digests based on the existing PCRs
>> + * 0 - 9 to validate against the IMA boot_aggregate record. If the digest
>> + * algorithm is SHA1, only PCRs 0 - 7 are considered to avoid ambiguity.
>> */
>> static int cmd_ima_bootaggr(struct command *cmd)
>> {
>> --
>> 2.17.1
>>
> Reviewed-by: Bruno Meneguele <bmeneg at redhat.com>
>
More information about the Linux-security-module-archive
mailing list