From: Mimi Zohar <zohar@linux.ibm.com>
To: Roberto Sassu <roberto.sassu@huawei.com>,
Prakhar Srivastava <prsriva02@gmail.com>,
linux-integrity@vger.kernel.org,
linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org
Cc: mjg59@google.com, vgoyal@redhat.com
Subject: Re: Re:
Date: Fri, 24 May 2019 14:09:45 -0400 [thread overview]
Message-ID: <1558721385.3977.84.camel@linux.ibm.com> (raw)
In-Reply-To: <cb0eb785-9050-738e-c1bf-8e769fe096fa@huawei.com>
> >> As mentioned, the first patch description should include a shell
> >> command for verifying the digest in the kexec boot command line
> >> measurement list record against /proc/cmdline. This patch description
> >> should include a shell command showing how to verify the digest based
> >> on the new field. Should the new field in the ascii measurement list
> >> be displayed as a string, not hex?
> >
> > We should define a new type. If the type is DATA_FMT_STRING, spaces are
> > replaced with '_'.
>
> Or better. Leave it as hex, otherwise there would be a parsing problem
> if there are spaces in the data for a field.
After making a few changes, the measurement list contains the
following kexec-cmdline data:
10 edc32d1e3a5ba7272280a395b6fb56a5ef7c78c3 ima-buf
sha256:4f43b7db850e
88c49dfeffd4b1eb4f021d78033dfb05b07e45eec8d0b45275
kexec-cmdline
726f6f
743d2f6465762f7364613420726f2072642e6c756b732e757569643d6c756b73
2d6637
3633643737632d653236622d343431642d613734652d62363633636334643832
656120
696d615f706f6c6963793d7463627c61707072616973655f746362
There's probably a better shell command, but the following works to
verify the digest locally against the /proc/cmdline:
$ echo -n -e `cat /proc/cmdline | sed 's/^.*root=/root=/'` | sha256sum
4f43b7db850e88c49dfeffd4b1eb4f021d78033dfb05b07e45eec8d0b4527f65 -
If we leave the "buf" field as ascii-hex, what would the shell command
look like when verifying the digest based on the "buf" field?
Mimi
next prev parent reply other threads:[~2019-05-24 18:09 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-05-21 0:06 [PATCH v6 0/3] add new ima hook ima_kexec_cmdline to measure kexec boot cmdline args Prakhar Srivastava
2019-05-21 0:06 ` [PATCH v6 1/3] Add a new ima hook ima_kexec_cmdline to measure " Prakhar Srivastava
2019-05-24 14:56 ` Mimi Zohar
2019-05-21 0:06 ` [PATCH v6 2/3] add a new ima template field buf Prakhar Srivastava
2019-05-21 7:11 ` Roberto Sassu
2019-05-24 15:12 ` Mimi Zohar
2019-05-24 15:42 ` Roberto Sassu
2019-05-24 15:47 ` Re: Roberto Sassu
2019-05-24 18:09 ` Mimi Zohar [this message]
2019-05-24 19:00 ` Re: prakhar srivastava
2019-05-24 19:15 ` Re: Mimi Zohar
2019-05-21 0:06 ` [PATCH v6 3/3] call ima_kexec_cmdline to measure the cmdline args Prakhar Srivastava
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1558721385.3977.84.camel@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mjg59@google.com \
--cc=prsriva02@gmail.com \
--cc=roberto.sassu@huawei.com \
--cc=vgoyal@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).