[PATCH v4 1/7] ima: Switch to ima_hash_algo for boot aggregate
zohar at linux.ibm.com
Fri May 8 17:29:36 UTC 2020
On Thu, 2020-05-07 at 21:54 -0700, Jerry Snitselaar wrote:
> On Thu Apr 02 20, Mimi Zohar wrote:
> >Hi Roberto,
> >On Wed, 2020-03-25 at 11:47 +0100, Roberto Sassu wrote:
> >> boot_aggregate is the first entry of IMA measurement list. Its purpose is
> >> to link pre-boot measurements to IMA measurements. As IMA was designed to
> >> work with a TPM 1.2, the SHA1 PCR bank was always selected even if a
> >> TPM 2.0 with support for stronger hash algorithms is available.
> >> This patch first tries to find a PCR bank with the IMA default hash
> >> algorithm. If it does not find it, it selects the SHA256 PCR bank for
> >> TPM 2.0 and SHA1 for TPM 1.2. Ultimately, it selects SHA1 also for TPM 2.0
> >> if the SHA256 PCR bank is not found.
> >> If none of the PCR banks above can be found, boot_aggregate file digest is
> >> filled with zeros, as for TPM bypass, making it impossible to perform a
> >> remote attestation of the system.
> >> Cc: stable at vger.kernel.org # 5.1.x
> >> Fixes: 879b589210a9 ("tpm: retrieve digest size of unknown algorithms with PCR read")
> >> Reported-by: Jerry Snitselaar <jsnitsel at redhat.com>
> >> Suggested-by: James Bottomley <James.Bottomley at HansenPartnership.com>
> >> Signed-off-by: Roberto Sassu <roberto.sassu at huawei.com>
> >Thank you! This patch set is now queued in next-integrity-testing
> >during the open window. Jerry, I assume this works for you. Could we
> >get your tag?
> Yes, I no longer get the errors with this patch.
> Tested-by: Jerry Snitselaar <jsnitsel at redhat.com>
Thanks, Jerry. I really do appreciate receiving your tag.
Not all, but a lot of subsystems, do not rebase their branch, at least
once it is in linux-next. Adding tags is considered rebasing. For
this reason, I've started staging patches in the next-integrity-
testing branch, before moving them to next-integrity.
More information about the Linux-security-module-archive