From: Nayna Jain <nayna@linux.vnet.ibm.com>
To: tpmdd-devel@lists.sourceforge.net
Cc: peterhuewe@gmx.de, tpmdd@selhorst.net,
jarkko.sakkinen@linux.intel.com, jgunthorpe@obsidianresearch.com,
linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org,
Nayna Jain <nayna@linux.vnet.ibm.com>
Subject: [PATCH v6 0/2] enhance TPM 2.0 extend function to support multiple PCR banks
Date: Fri, 20 Jan 2017 12:05:11 -0500 [thread overview]
Message-ID: <1484931913-24909-1-git-send-email-nayna@linux.vnet.ibm.com> (raw)
IMA extends its hash measurements in the TPM PCRs, based on policy.
The existing in-kernel TPM extend function extends only the SHA1
PCR bank. TPM 2.0 defines multiple PCR banks, to support different
hash algorithms. The TCG TPM 2.0 Specification[1] recommends
extending all active PCR banks to prevent malicious users from
setting unused PCR banks with fake measurements and quoting them.
This patch set adds support for extending all active PCR banks,
as recommended.
The first patch implements the TPM 2.0 capability to retrieve
the list of active PCR banks.
The second patch modifies the tpm_pcr_extend() and tpm2_pcr_extend()
interface to support extending multiple PCR banks. The existing
tpm_pcr_extend() interface expects only a SHA1 digest. Hence, to
extend all active PCR banks with differing digest sizes for TPM 2.0,
the SHA1 digest is padded with 0's as needed.
[1] TPM 2.0 Specification referred here is "TCG PC Client Specific
Platform Firmware Profile for TPM 2.0"
Changelog v6:
- Patch "tpm: implement TPM 2.0 capability to get active PCR banks"
- Fixed the regression - missing tpm_buf_destroy() in
in tpm2_get_pcr_allocation(). Thanks Jarkko for noticing.
- Added TPM2_ALG_ERROR = 0x0000 to represent invalid algorithm.
Changelog v5:
- Patch "tpm: implement TPM 2.0 capability to get active PCR banks"
- Included Jarkko's feedbacks
- Moved variable declaration to start of function in
tpm_pcr_extend()
Changelog v4:
- Updated cover letter as per Mimi's feedback.
- Rebased to Jarkko's latest master branch (4064b6b tpm_tis: use
default timeout value if chip reports it as zero)
- Patch "tpm: implement TPM 2.0 capability to get active PCR banks"
- Included Jarkko's feedbacks
- Moved call to tpm2_get_pcr_allocation to Patch 2
- Renamed struct tpm2_tpms_pcr_selection to struct tpm2_pcr_selection
and moved the struct to before tpm2_get_pcr_allocation()
- Fixed code formatting
- Patch "tpm: enchance TPM 2.0 PCR extend to support multiple banks"
- Included Jarkkos' feedbacks
- Updated commit msg to mention dependency on CRYPTO_HASH_INFO
- Renamed struct tpmt_hash to struct tpm2_digest
- Removed struct tpml_digest_values, tpm2_pcr_extend() now accepts
count and digests list as two separate arguments. Added check for
count of hashes passed.
- Cleaned up struct tpm2_pcr_extend_in as not required anymore with
use of tpm_buf
- Moved struct tpm2_null_auth_area just before tpm2_pcr_extend() as
it is the only function using it for now.
- Fixed code formatting
Changelog v3:
- Rebased to the Jarkko's latest master branch (8e25809 tpm:
Do not print an error message when doing TPM auto startup)
- Patch "tpm: implement TPM 2.0 capability to get active PCR banks"
- Included Jarkko's feedbacks
- Removed getcap_in, getcap_out and used tpm_buf for getting
capability.
- Used ARRAY_SIZE in place of TPM_MAX_PCR_BANKS and included
other feedbacks.
- Patch "tpm: enhance TPM 2.0 PCR extend to support multiple banks"
- Fixed kbuild errors
- Fixed buf.data uninitialized warning.
- Added TCG_TPM dependency on CONFIG_CRYPTO_HASH_INFO in Kconfig.
Changelog v2:
- Patch "tpm: implement TPM 2.0 capability to get active PCR banks"
- defined structs definition in tpm2-cmd.c.
- no_of_active_banks field is removed. Instead, constant
TPM2_MAX_PCR_BANKS is defined.
- renamed tpm2_get_active_pcr_banks() to tpm2_get_pcr_allocation()
- removed generic function tpm2_get_capability().
- Patch "tpm: enchance TPM 2.0 PCR extend to support multiple banks"
- Removed tpm2.h, and defined structs common for extend and event log
in tpm_eventlog.h
- uses tpm_buf in tpm2_pcr_extend().
Nayna Jain (2):
tpm: implement TPM 2.0 capability to get active PCR banks
tpm: enhance TPM 2.0 PCR extend to support multiple banks
drivers/char/tpm/Kconfig | 1 +
drivers/char/tpm/tpm-interface.c | 15 +++-
drivers/char/tpm/tpm.h | 8 ++-
drivers/char/tpm/tpm2-cmd.c | 150 ++++++++++++++++++++++++++++-----------
drivers/char/tpm/tpm_eventlog.h | 7 ++
5 files changed, 137 insertions(+), 44 deletions(-)
--
2.5.0
WARNING: multiple messages have this Message-ID (diff)
From: Nayna Jain <nayna-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>
To: tpmdd-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org
Cc: linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
Subject: [PATCH v6 0/2] enhance TPM 2.0 extend function to support multiple PCR banks
Date: Fri, 20 Jan 2017 12:05:11 -0500 [thread overview]
Message-ID: <1484931913-24909-1-git-send-email-nayna@linux.vnet.ibm.com> (raw)
IMA extends its hash measurements in the TPM PCRs, based on policy.
The existing in-kernel TPM extend function extends only the SHA1
PCR bank. TPM 2.0 defines multiple PCR banks, to support different
hash algorithms. The TCG TPM 2.0 Specification[1] recommends
extending all active PCR banks to prevent malicious users from
setting unused PCR banks with fake measurements and quoting them.
This patch set adds support for extending all active PCR banks,
as recommended.
The first patch implements the TPM 2.0 capability to retrieve
the list of active PCR banks.
The second patch modifies the tpm_pcr_extend() and tpm2_pcr_extend()
interface to support extending multiple PCR banks. The existing
tpm_pcr_extend() interface expects only a SHA1 digest. Hence, to
extend all active PCR banks with differing digest sizes for TPM 2.0,
the SHA1 digest is padded with 0's as needed.
[1] TPM 2.0 Specification referred here is "TCG PC Client Specific
Platform Firmware Profile for TPM 2.0"
Changelog v6:
- Patch "tpm: implement TPM 2.0 capability to get active PCR banks"
- Fixed the regression - missing tpm_buf_destroy() in
in tpm2_get_pcr_allocation(). Thanks Jarkko for noticing.
- Added TPM2_ALG_ERROR = 0x0000 to represent invalid algorithm.
Changelog v5:
- Patch "tpm: implement TPM 2.0 capability to get active PCR banks"
- Included Jarkko's feedbacks
- Moved variable declaration to start of function in
tpm_pcr_extend()
Changelog v4:
- Updated cover letter as per Mimi's feedback.
- Rebased to Jarkko's latest master branch (4064b6b tpm_tis: use
default timeout value if chip reports it as zero)
- Patch "tpm: implement TPM 2.0 capability to get active PCR banks"
- Included Jarkko's feedbacks
- Moved call to tpm2_get_pcr_allocation to Patch 2
- Renamed struct tpm2_tpms_pcr_selection to struct tpm2_pcr_selection
and moved the struct to before tpm2_get_pcr_allocation()
- Fixed code formatting
- Patch "tpm: enchance TPM 2.0 PCR extend to support multiple banks"
- Included Jarkkos' feedbacks
- Updated commit msg to mention dependency on CRYPTO_HASH_INFO
- Renamed struct tpmt_hash to struct tpm2_digest
- Removed struct tpml_digest_values, tpm2_pcr_extend() now accepts
count and digests list as two separate arguments. Added check for
count of hashes passed.
- Cleaned up struct tpm2_pcr_extend_in as not required anymore with
use of tpm_buf
- Moved struct tpm2_null_auth_area just before tpm2_pcr_extend() as
it is the only function using it for now.
- Fixed code formatting
Changelog v3:
- Rebased to the Jarkko's latest master branch (8e25809 tpm:
Do not print an error message when doing TPM auto startup)
- Patch "tpm: implement TPM 2.0 capability to get active PCR banks"
- Included Jarkko's feedbacks
- Removed getcap_in, getcap_out and used tpm_buf for getting
capability.
- Used ARRAY_SIZE in place of TPM_MAX_PCR_BANKS and included
other feedbacks.
- Patch "tpm: enhance TPM 2.0 PCR extend to support multiple banks"
- Fixed kbuild errors
- Fixed buf.data uninitialized warning.
- Added TCG_TPM dependency on CONFIG_CRYPTO_HASH_INFO in Kconfig.
Changelog v2:
- Patch "tpm: implement TPM 2.0 capability to get active PCR banks"
- defined structs definition in tpm2-cmd.c.
- no_of_active_banks field is removed. Instead, constant
TPM2_MAX_PCR_BANKS is defined.
- renamed tpm2_get_active_pcr_banks() to tpm2_get_pcr_allocation()
- removed generic function tpm2_get_capability().
- Patch "tpm: enchance TPM 2.0 PCR extend to support multiple banks"
- Removed tpm2.h, and defined structs common for extend and event log
in tpm_eventlog.h
- uses tpm_buf in tpm2_pcr_extend().
Nayna Jain (2):
tpm: implement TPM 2.0 capability to get active PCR banks
tpm: enhance TPM 2.0 PCR extend to support multiple banks
drivers/char/tpm/Kconfig | 1 +
drivers/char/tpm/tpm-interface.c | 15 +++-
drivers/char/tpm/tpm.h | 8 ++-
drivers/char/tpm/tpm2-cmd.c | 150 ++++++++++++++++++++++++++++-----------
drivers/char/tpm/tpm_eventlog.h | 7 ++
5 files changed, 137 insertions(+), 44 deletions(-)
--
2.5.0
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
next reply other threads:[~2017-01-20 18:12 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-01-20 17:05 Nayna Jain [this message]
2017-01-20 17:05 ` [PATCH v6 0/2] enhance TPM 2.0 extend function to support multiple PCR banks Nayna Jain
2017-01-20 17:05 ` [PATCH v6 1/2] tpm: implement TPM 2.0 capability to get active " Nayna Jain
2017-01-20 17:05 ` Nayna Jain
2017-01-26 12:23 ` [tpmdd-devel] " Stefan Berger
2017-01-27 6:30 ` Jarkko Sakkinen
2017-01-20 17:05 ` [PATCH v6 2/2] tpm: enhance TPM 2.0 PCR extend to support multiple banks Nayna Jain
2017-01-20 17:05 ` Nayna Jain
2017-01-23 15:19 ` Jarkko Sakkinen
2017-01-23 15:19 ` Jarkko Sakkinen
2017-01-23 16:41 ` Nayna
2017-01-24 11:59 ` Jarkko Sakkinen
2017-01-24 13:04 ` Nayna
2017-01-24 13:04 ` Nayna
2017-01-25 19:49 ` Jarkko Sakkinen
2017-01-25 19:49 ` Jarkko Sakkinen
2017-01-20 20:51 ` [PATCH v6 0/2] enhance TPM 2.0 extend function to support multiple PCR banks Jarkko Sakkinen
2017-01-20 20:51 ` Jarkko Sakkinen
2017-01-25 20:45 ` Jarkko Sakkinen
2017-01-25 20:45 ` Jarkko Sakkinen
2017-01-25 21:08 ` [tpmdd-devel] " Stefan Berger
2017-01-25 22:04 ` Jarkko Sakkinen
2017-01-25 22:52 ` Jarkko Sakkinen
2017-01-25 22:57 ` Jarkko Sakkinen
2017-01-25 23:33 ` Jarkko Sakkinen
2017-01-26 14:34 ` Nayna
2017-01-27 17:23 ` Nayna
2017-01-27 17:23 ` Nayna
2017-01-29 15:19 ` Jarkko Sakkinen
2017-01-29 15:19 ` Jarkko Sakkinen
2017-01-27 17:24 ` Nayna
2017-01-27 17:24 ` Nayna
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1484931913-24909-1-git-send-email-nayna@linux.vnet.ibm.com \
--to=nayna@linux.vnet.ibm.com \
--cc=jarkko.sakkinen@linux.intel.com \
--cc=jgunthorpe@obsidianresearch.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=peterhuewe@gmx.de \
--cc=tpmdd-devel@lists.sourceforge.net \
--cc=tpmdd@selhorst.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.