[PATCH v3 2/8] ima: Switch to ima_hash_algo for boot aggregate

Mimi Zohar zohar at linux.ibm.com
Mon Mar 2 13:41:46 UTC 2020


On Tue, 2020-02-11 at 10:09 +0000, Roberto Sassu wrote:
> > -----Original Message-----

Please find/use a mailer that doesn't include this junk.

> > On Mon, 2020-02-10 at 11:00 +0100, Roberto Sassu wrote:
> > > boot_aggregate is the first entry of IMA measurement list. Its purpose is
> > > to link pre-boot measurements to IMA measurements. As IMA was
> > designed to
> > > work with a TPM 1.2, the SHA1 PCR bank was always selected.
> > >
> > > Currently, even if a TPM 2.0 is used, the SHA1 PCR bank is selected.
> > > However, the assumption that the SHA1 PCR bank is always available is not
> > > correct, as PCR banks can be selected with the PCR_Allocate() TPM
> > command.
> > >
> > > This patch tries to use ima_hash_algo as hash algorithm for
> > boot_aggregate.
> > > If no PCR bank uses that algorithm, the patch tries to find the SHA256 PCR
> > > bank (which is mandatory in the TCG PC Client specification).
> > 
> > Up to here, the patch description matches the code.
> > > If also this
> > > bank is not found, the patch selects the first one. If the TPM algorithm
> > > of that bank is not mapped to a crypto ID, boot_aggregate is set to zero.
> > 
> > This comment and the one inline are left over from previous version.
> 
> Hi Mimi
> 
> actually the code does what is described above. bank_idx is initially
> set to zero and remains as it is if there is no PCR bank for the default
> IMA algorithm or SHA256.

Sorry for the delay in continuing to review this patch set.  It took a
while to write ima-evm-utils regression tests for it.

Dmitry and you were the ones that initiated ima-evm-utils, saying
there should a single package for signing files and integrity testing.
 The features in ima-evm-utils should reflect what is actually
upstreamed in the kernel.  (Currently there are a few experimental
features which were never upstreamed.  I'd like to remove them, but am
a bit concerned that they are being used.)  I'd appreciate your help
in keeping ima-evm-utils up to date.  It will help simplify
upstreaming new kernel features.

My initial patch attempted to use any common TPM and kernel hash
algorithm to calculate the boot_aggregate.  The discussion with James
was pretty clear, which you even stated in the Changelog.  Either we
use the IMA default hash algorithm, SHA256 for TPM 2.0 or SHA1 for TPM
1.2 for the boot-aggregate.

thanks,

Mimi



More information about the Linux-security-module-archive mailing list