[PATCH v4 1/7] ima: Switch to ima_hash_algo for boot aggregate

[Mimi Zohar]

On Thu, 2020-05-07 at 21:54 -0700, Jerry Snitselaar wrote:
> On Thu Apr 02 20, Mimi Zohar wrote:
> >Hi Roberto,
> >
> >On Wed, 2020-03-25 at 11:47 +0100, Roberto Sassu wrote:
> >> boot_aggregate is the first entry of IMA measurement list. Its purpose is
> >> to link pre-boot measurements to IMA measurements. As IMA was designed to
> >> work with a TPM 1.2, the SHA1 PCR bank was always selected even if a
> >> TPM 2.0 with support for stronger hash algorithms is available.
> >>
> >> This patch first tries to find a PCR bank with the IMA default hash
> >> algorithm. If it does not find it, it selects the SHA256 PCR bank for
> >> TPM 2.0 and SHA1 for TPM 1.2. Ultimately, it selects SHA1 also for TPM 2.0
> >> if the SHA256 PCR bank is not found.
> >>
> >> If none of the PCR banks above can be found, boot_aggregate file digest is
> >> filled with zeros, as for TPM bypass, making it impossible to perform a
> >> remote attestation of the system.
> >>
> >> Cc: stable at vger.kernel.org # 5.1.x
> >> Fixes: 879b589210a9 ("tpm: retrieve digest size of unknown algorithms with PCR read")
> >> Reported-by: Jerry Snitselaar <jsnitsel at redhat.com>
> >> Suggested-by: James Bottomley <James.Bottomley at HansenPartnership.com>
> >> Signed-off-by: Roberto Sassu <roberto.sassu at huawei.com>
> >
> >Thank you!  This patch set is now queued in next-integrity-testing
> >during the open window.  Jerry, I assume this works for you.  Could we
> >get your tag?
> >
> 
> Yes, I no longer get the errors with this patch.
> 
> 
> Tested-by: Jerry Snitselaar <jsnitsel at redhat.com>

Thanks, Jerry.  I really do appreciate receiving your tag.

Not all, but a lot of subsystems, do not rebase their branch, at least
once it is in linux-next.  Adding tags is considered rebasing.  For
this reason, I've started staging patches in the next-integrity-
testing branch, before moving them to next-integrity.

thanks,

Mimi