From: Mimi Zohar <zohar@linux.ibm.com>
To: Petr Vorel <pvorel@suse.cz>, ltp@lists.linux.it
Cc: Mimi Zohar <zohar@linux.vnet.ibm.com>,
	Lakshmi Ramasubramanian <nramas@linux.microsoft.com>,
	Tushar Sugandhi <tusharsu@linux.microsoft.com>,
	linux-integrity@vger.kernel.org
Subject: Re: [PATCH v5 4/4] ima_tpm.sh: Fix calculating PCR aggregate
Date: Thu, 17 Dec 2020 14:16:04 -0500
Message-ID: <b9408c3ccf8260d9a2232074c7a0433119b83d42.camel@linux.ibm.com>
In-Reply-To: <20201214221946.6340-5-pvorel@suse.cz>

On Mon, 2020-12-14 at 23:19 +0100, Petr Vorel wrote:
> for TPM 2.0 and support more evmctl versions.
> 
> Because exporting PCR registers for TPM 2.0 has not been upstreamed [1],
> we use user space code, which requires evmctl >= 1.3.1 and tsspcrread.

Yes, really annoying.

> Using evmctl allows testing TPM devices which do not export the event
> log (/sys/kernel/security/tpm0/binary_bios_measurements).

Interesting way of phrasing the lack of a TPM 2.0 event log parser in
ima-evm-utils. Until someone contributes a TPM 2.0 event log parser,
we're dependent on users verifying the event log against the TPM 2.0
PCR banks some other way (e.g. "tsseventextend -sim -if
/sys/kernel/security/tpm0/binary_bios_measurements -ns").

> 
> For TPM 1.2 read tpm0 device's pcrs file from sysfs. (tss1pcrread could
> be also used, but it's not yet packaged by distros.)
> 
> For old kernels which use SHA1/MD5, any evmctl version is required (evmctl
> ima_measurement was introduced in very old v0.7), but
> * newer sysctl path /sys/class/tpm/tpm0/device/pcrs requires evmctl 1.1
> * using ima_policy=tcb requires 1.3.1 due to --ignore-violations
> 
> We now support output format of ima_measurement command for various
> evmctl versions:
> * 1.3: "sha256: TPM PCR-10:" (or other algorithm, e.g. "sha1:")
> * 1.1-1.2.1: "HW PCR-10:" (the only previously supported format)
> * 0.7-1.0: "PCR-10:"
> 
> NOTE: we ignore evmctl failure for evmctl < 1.3.1 (missing --ignore-violations,
> also evmctl < 1.1 fails with "PCRAgg does not match PCR-10")
> 
> As for the previous commit, fix testing with a TPM 2.0 device which does not
> export the event log (/sys/kernel/security/tpm0/binary_bios_measurements):
> do not wrongly assume TPM-bypass when the kernel didn't export the other TPM
> 2.0 files we check in get_tpm_version() but the bios boot aggregate is
> correct (i.e. not 0x00s). In that case evmctl ima_boot_aggregate can get
> the boot aggregate even without a TPM event log.
> 
> [1] https://patchwork.kernel.org/patch/11759729/
> 
> Co-developed-by: Mimi Zohar <zohar@linux.ibm.com>
> Signed-off-by: Petr Vorel <pvorel@suse.cz>

Thanks, Petr!

Other than the typo below, it looks good.

Mimi


> +test2()
>  {
> -	tst_res TINFO "verify PCR (Process Control Register)"
> +	local hash pcr_aggregate out ret
>  
> -	local dev_pcrs="$1"
> -	local pcr hash aggregate_pcr
> +	tst_res TINFO "verify PCR values"
>  
> -	aggregate_pcr="$(evmctl -v ima_measurement $BINARY_MEASUREMENTS 2>&1 | \
> -		grep 'HW PCR-10:' | awk '{print $3}')"
> -	if [ -z "$aggregate_pcr" ]; then
> -		tst_res TFAIL "failed to get PCR-10"
> -		return 1
> +	if [ "$MAYBE_TPM2" = 1 ]; then
> +		tst_res TINFO "TMP version not detected ($ERRMSG_TPM), assume TPM 2"


^ TPM above and below

> +		TPM_VERSION=2
>  	fi
>  
> -	while read line; do
> -		pcr="$(echo $line | cut -d':' -f1)"
> -		if [ "$pcr" = "PCR-10" ]; then
> -			hash="$(echo $line | cut -d':' -f2 | awk '{ gsub (" ", "", $0); print tolower($0) }')"
> -			[ "$hash" = "$aggregate_pcr" ]
> -			return $?
> -		fi
> -	done < $dev_pcrs
> -	return 1
> -}
> +	if [ -z "$TPM_VERSION" ]; then
> +		tst_brk TCONF "TMP version not detected ($ERRMSG_TPM)"

 and here
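Review bot: `TPM_VERSION=2` in the MAYBE_TPM2 branch assigns the file-level variable from inside test2(), so the "assume TPM 2" guess made for this test also becomes the detected version for anything that runs after it; either make that fallback in the setup code next to get_tpm_version(), where the variable is otherwise set, or keep it in a local so later tests re-evaluate it. The TINFO message should also state what the guess rests on (per the commit message, a non-zero boot aggregate without the other TPM 2.0 sysfs files), since "assume TPM 2" in a log is otherwise hard to tell apart from a detected version. The `tst_brk TCONF` that follows is correct only because it is evaluated after the MAYBE_TPM2 branch; a one-line comment stating that order dependency would help the next editor.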

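As an added example, not code from LTP or ima-evm-utils, the following portable sh script sketches the checks the commit message above describes: it recomputes PCR-10 from an IMA measurement list the way `evmctl ima_measurement` does (a SHA-1 extend over each template hash, with a violation's all-zero list entry replaced by the 0xff digest the kernel actually extends, which is the mismatch `--ignore-violations` accounts for), extracts the PCR-10 value from the three evmctl output formats listed in the commit message, and normalises the TPM 1.2 sysfs `pcrs` line so the two can be compared. The measurement list, its hashes and the evmctl/sysfs lines fed to the parsers are constructed; the TPM 2.0 path through tsspcrread is not modelled.

```shell
#!/bin/sh
# Added example, not code from LTP or ima-evm-utils: the PCR-10 checks the
# commit message describes, in portable sh. Sample data below is constructed.

ZERO_PCR="0000000000000000000000000000000000000000"
VIOLATION_DIGEST="ffffffffffffffffffffffffffffffffffffffff"

# Write the raw bytes of a hex string to stdout. Only printf octal escapes
# are used, so this works in dash as well as bash.
hex2bin() {
	printf "$(printf '%s' "$1" | tr 'A-F' 'a-f' | awk '{
		s = "0123456789abcdef"
		for (i = 1; i < length($0); i += 2) {
			hi = index(s, substr($0, i, 1)) - 1
			lo = index(s, substr($0, i + 1, 1)) - 1
			printf "\\%03o", hi * 16 + lo
		}
	}')"
}

# TPM extend: new = SHA1(old || digest). Inputs and output are lowercase hex.
extend_sha1() {
	{ hex2bin "$1"; hex2bin "$2"; } | sha1sum | cut -d' ' -f1
}

# Recompute PCR-10 from an ascii_runtime_measurements list read on stdin.
# Field 1 is the PCR, field 2 the template hash. A violation (e.g. open
# writers) is listed with an all-zero hash, but the kernel extends the PCR
# with 0xff bytes to invalidate it; --ignore-violations in evmctl >= 1.3.1
# exists because of this mismatch.
pcr10_from_list() {
	local pcr num thash rest
	pcr="$ZERO_PCR"
	while read -r num thash rest; do
		[ "$num" = 10 ] || continue
		if [ "$thash" = "$ZERO_PCR" ]; then
			thash="$VIOLATION_DIGEST"
		fi
		pcr="$(extend_sha1 "$pcr" "$thash")"
	done
	printf '%s\n' "$pcr"
}

# Pull the PCR-10 value out of 'evmctl -v ima_measurement' output (stdin),
# whichever line format the installed evmctl version prints:
#   1.3+:      "sha1: TPM PCR-10: <hex>"  (or sha256:, ...; $1 picks the bank)
#   1.1-1.2.1: "HW PCR-10: <hex>"
#   0.7-1.0:   "PCR-10: <hex>"
pcr10_from_evmctl() {
	local alg="${1:-sha1}"
	sed -n -e "s/^${alg}: TPM PCR-10: *\([0-9a-fA-F]*\).*\$/\1/p" \
		-e 's/^HW PCR-10: *\([0-9a-fA-F]*\).*$/\1/p' \
		-e 's/^PCR-10: *\([0-9a-fA-F]*\).*$/\1/p' | head -n 1 | tr 'A-F' 'a-f'
}

# Normalise a TPM 1.2 sysfs line "PCR-10: 3A 2B ..." (from
# /sys/class/tpm/tpm0/device/pcrs or the older tpm0/pcrs) to the lowercase,
# unspaced hex that evmctl prints, so the two can be compared directly.
pcr10_from_sysfs() {
	sed -n 's/^PCR-10: *//p' | tr -d ' \n' | tr 'A-F' 'a-f'
}

# 0 when both values are present and equal, 1 otherwise (an empty value
# means a source could not be parsed and must never count as a match).
pcr_matches() {
	[ -n "$1" ] && [ "$1" = "$2" ]
}

# Constructed measurement list: the template hashes are SHA-1("test"),
# an all-zero violation entry, and SHA-1(""); the file hashes are the
# matching SHA-256 values. Real lists come from
# /sys/kernel/security/ima/ascii_runtime_measurements.
SAMPLE_LIST='10 a94a8fe5ccb19ba61c4c0873d391e987982fbbd3 ima-ng sha256:9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08 /usr/bin/test
10 0000000000000000000000000000000000000000 ima-ng sha256:0000000000000000000000000000000000000000000000000000000000000000 /tmp/open_writers
10 da39a3ee5e6b4b0d3255bfef95601890afd80709 ima-ng sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 /usr/bin/true'

# Worked run: recompute the aggregate, then feed it through the evmctl and
# sysfs parsers (output lines constructed from it) and confirm they agree.
demo() {
	local agg from_evmctl from_sysfs
	agg="$(printf '%s\n' "$SAMPLE_LIST" | pcr10_from_list)"
	from_evmctl="$(printf 'sha1: TPM PCR-10: %s\n' "$agg" | pcr10_from_evmctl sha1)"
	from_sysfs="$(printf '%s\n' "$agg" | tr 'a-f' 'A-F' | sed 's/../& /g; s/^/PCR-10: /' | pcr10_from_sysfs)"
	echo "recomputed PCR-10: $agg"
	pcr_matches "$from_evmctl" "$from_sysfs"
}

demo
```

On a real system the list comes from ascii_runtime_measurements and the comparison value from the evmctl line or the sysfs `pcrs` file; an empty parse result is treated as a failure rather than a match, which is the same defensive choice the old test code made with its `-z "$aggregate_pcr"` check.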
