From: kernel test robot <lkp@intel.com>
To: Maurizio Drocco <maurizio.drocco@ibm.com>,
    linux-integrity@vger.kernel.org
Cc: kbuild-all@lists.01.org, clang-built-linux@googlegroups.com,
    jejb@linux.ibm.com, Maurizio Drocco <maurizio.drocco@ibm.com>,
    Mimi Zohar <zohar@linux.ibm.com>,
    Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
    James Morris <jmorris@namei.org>,
    "Serge E. Hallyn" <serge@hallyn.com>,
    "open list:SECURITY SUBSYSTEM"
    <linux-security-module@vger.kernel.org>,
    open list <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] extend IMA boot_aggregate with kernel measurements
Date: Fri, 12 Jun 2020 12:47:57 +0800
Message-ID: <202006121210.R5q1RkS0%lkp@intel.com>
In-Reply-To: <20200611195422.2117-1-maurizio.drocco@ibm.com>

Hi Maurizio,

Thank you for the patch! Perhaps something to improve:

[auto build test WARNING on integrity/next-integrity]
[also build test WARNING on next-20200611]
[cannot apply to v5.7]
[if your patch is applied to the wrong git tree, please drop us a note to help
improve the system. BTW, we also suggest using the '--base' option to specify the
base tree in git format-patch, please see https://stackoverflow.com/a/37406982]

url:    https://github.com/0day-ci/linux/commits/Maurizio-Drocco/extend-IMA-boot_aggregate-with-kernel-measurements/20200612-091504
base:   https://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git next-integrity
config: x86_64-allyesconfig (attached as .config)
compiler: clang version 11.0.0 (https://github.com/llvm/llvm-project 3b43f006294971b8049d4807110032169780e5b8)
reproduce (this is a W=1 build):
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # install x86_64 cross compiling tool for clang build
        # apt-get install binutils-x86-64-linux-gnu
        # save the attached .config to linux build tree
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross ARCH=x86_64

If you fix the issue, kindly add the following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>

All warnings (new ones prefixed by >>, old ones prefixed by <<):

>> security/integrity/ima/ima_crypto.c:838:35: warning: size argument in 'memcmp' call is a comparison [-Wmemsize-comparison]
                              crypto_shash_digestsize(tfm) != 0))
                              ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~
   security/integrity/ima/ima_crypto.c:837:7: note: did you mean to compare the result of 'memcmp' instead?
                   if (memcmp(d.digest, d0.digest,
                       ^
   security/integrity/ima/ima_crypto.c:838:6: note: explicitly cast the argument to size_t to silence this warning
                              crypto_shash_digestsize(tfm) != 0))
                              ^
                              (size_t)(                        )
   1 warning generated.

vim +/memcmp +838 security/integrity/ima/ima_crypto.c

  797
  798  /*
  799   * The boot_aggregate is a cumulative hash over TPM registers 0 - 7. With
  800   * TPM 1.2 the boot_aggregate was based on reading the SHA1 PCRs, but with
  801   * TPM 2.0 hash agility, TPM chips could support multiple TPM PCR banks,
  802   * allowing firmware to configure and enable different banks.
  803   *
  804   * Knowing which TPM bank is read to calculate the boot_aggregate digest
  805   * needs to be conveyed to a verifier. For this reason, use the same
  806   * hash algorithm for reading the TPM PCRs as for calculating the boot
  807   * aggregate digest as stored in the measurement list.
  808   */
  809  static int ima_calc_boot_aggregate_tfm(char *digest, u16 alg_id,
  810                                         struct crypto_shash *tfm)
  811  {
  812          struct tpm_digest d = { .alg_id = alg_id, .digest = {0} }, d0 = d;
  813          int rc;
  814          u32 i;
  815          SHASH_DESC_ON_STACK(shash, tfm);
  816
  817          shash->tfm = tfm;
  818
  819          pr_devel("calculating the boot-aggregate based on TPM bank: %04x\n",
  820                   d.alg_id);
  821
  822          rc = crypto_shash_init(shash);
  823          if (rc != 0)
  824                  return rc;
  825
  826          /* cumulative sha1 over tpm registers 0-7 */
  827          for (i = TPM_PCR0; i < TPM_PCR8; i++) {
  828                  ima_pcrread(i, &d);
  829                  /* now accumulate with current aggregate */
  830                  rc = crypto_shash_update(shash, d.digest,
  831                                           crypto_shash_digestsize(tfm));
  832          }
  833          /* extend cumulative sha1 over tpm registers 8-9 */
  834          for (i = TPM_PCR8; i < TPM_PCR10; i++) {
  835                  ima_pcrread(i, &d);
  836                  /* if not zero, accumulate with current aggregate */
  837                  if (memcmp(d.digest, d0.digest,
> 838                             crypto_shash_digestsize(tfm) != 0))
  839                          rc = crypto_shash_update(shash, d.digest,
  840                                                   crypto_shash_digestsize(tfm));
  841          }
  842          if (!rc)
  843                  crypto_shash_final(shash, digest);
  844          return rc;
  845  }
  846

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org
[-- Attachment #2: .config.gz --]
[-- Type: application/gzip, Size: 73441 bytes --]
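
Added example (not part of the robot's report or the kernel patch): a user-space C reduction of the check at lines 837-838, showing that with "!= 0" inside the size argument only the first digest byte is compared, and that the (size_t) cast clang mentions silences the warning without changing that. DIGEST_SIZE, the helper names and the sample PCR values are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DIGEST_SIZE 20	/* SHA-1 sized bank, assumed for this example */

/* Shape of lines 837-838: the comparison is the size argument, so the length
 * is (DIGEST_SIZE != 0) == 1 and memcmp() looks at byte 0 only. The cast is
 * the one clang offers; it hides the warning and keeps the behaviour. */
static int pcr_is_nonzero_buggy(const unsigned char *d, const unsigned char *zero)
{
	return memcmp(d, zero, (size_t)(DIGEST_SIZE != 0)) ? 1 : 0;
}

/* Parenthesis moved: compare the whole digest, then test memcmp()'s result. */
static int pcr_is_nonzero_fixed(const unsigned char *d, const unsigned char *zero)
{
	return memcmp(d, zero, DIGEST_SIZE) != 0;
}

/* Count how many PCR values would reach crypto_shash_update() in the
 * second loop, for a given "is non-zero" predicate. */
static int count_accumulated(unsigned char pcrs[][DIGEST_SIZE], size_t n,
			     int (*nonzero)(const unsigned char *,
					    const unsigned char *))
{
	static const unsigned char zero[DIGEST_SIZE];	/* all-zero reference */
	int used = 0;

	for (size_t i = 0; i < n; i++)
		used += nonzero(pcrs[i], zero);
	return used;
}

/* Constructed sample values standing in for PCR 8 and PCR 9. */
static unsigned char sample_pcrs[2][DIGEST_SIZE] = {
	{ 0x00, 0x5a, 0x13, 0x9c },	/* extended, but first byte is 0x00 */
	{ 0 },				/* never extended: all zero */
};

int main(void)
{
	printf("buggy: %d PCR(s) accumulated\n",
	       count_accumulated(sample_pcrs, 2, pcr_is_nonzero_buggy));
	printf("fixed: %d PCR(s) accumulated\n",
	       count_accumulated(sample_pcrs, 2, pcr_is_nonzero_fixed));
	return 0;
}
```

With the one-byte comparison, an extended PCR whose digest begins with 0x00 is treated as unused and left out of the aggregate, so the kernel's boot_aggregate and a verifier that compares full digests would disagree for that value.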