From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <SRS0=el+A=3D=vger.kernel.org=linux-integrity-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-2.2 required=3.0 tests=HEADER_FROM_DIFFERENT_DOMAINS,
	MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,USER_AGENT_SANE_2 autolearn=no
	autolearn_force=no version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 5A12CC33CA9
	for <linux-integrity@archiver.kernel.org>; Tue, 14 Jan 2020 01:17:48 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.kernel.org (Postfix) with ESMTP id 33E4A207FF
	for <linux-integrity@archiver.kernel.org>; Tue, 14 Jan 2020 01:17:48 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1729307AbgANBRq (ORCPT
        <rfc822;linux-integrity@archiver.kernel.org>);
        Mon, 13 Jan 2020 20:17:46 -0500
Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:42464 "EHLO
        mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S1729088AbgANBRq (ORCPT
        <rfc822;linux-integrity@vger.kernel.org>);
        Mon, 13 Jan 2020 20:17:46 -0500
Received: from pps.filterd (m0187473.ppops.net [127.0.0.1])
        by mx0a-001b2d01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id 00E1H1dN181125
        for <linux-integrity@vger.kernel.org>; Mon, 13 Jan 2020 20:17:45 -0500
Received: from e06smtp02.uk.ibm.com (e06smtp02.uk.ibm.com [195.75.94.98])
        by mx0a-001b2d01.pphosted.com with ESMTP id 2xfavyd2x1-1
        (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT)
        for <linux-integrity@vger.kernel.org>; Mon, 13 Jan 2020 20:17:45 -0500
Received: from localhost
        by e06smtp02.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted
        for <linux-integrity@vger.kernel.org> from <zohar@linux.ibm.com>;
        Tue, 14 Jan 2020 01:17:43 -0000
Received: from b06cxnps4074.portsmouth.uk.ibm.com (9.149.109.196)
        by e06smtp02.uk.ibm.com (192.168.101.132) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted;
        (version=TLSv1/SSLv3 cipher=AES256-GCM-SHA384 bits=256/256)
        Tue, 14 Jan 2020 01:17:42 -0000
Received: from d06av26.portsmouth.uk.ibm.com (d06av26.portsmouth.uk.ibm.com [9.149.105.62])
        by b06cxnps4074.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 00E1Hf468192182
        (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK);
        Tue, 14 Jan 2020 01:17:41 GMT
Received: from d06av26.portsmouth.uk.ibm.com (unknown [127.0.0.1])
        by IMSVA (Postfix) with ESMTP id C1878AE058;
        Tue, 14 Jan 2020 01:17:41 +0000 (GMT)
Received: from d06av26.portsmouth.uk.ibm.com (unknown [127.0.0.1])
        by IMSVA (Postfix) with ESMTP id 4DDDFAE056;
        Tue, 14 Jan 2020 01:17:41 +0000 (GMT)
Received: from localhost.localdomain (unknown [9.80.237.5])
        by d06av26.portsmouth.uk.ibm.com (Postfix) with ESMTP;
        Tue, 14 Jan 2020 01:17:41 +0000 (GMT)
Subject: Re: ima pcr question
From:   Mimi Zohar <zohar@linux.ibm.com>
To:     Jerry Snitselaar <jsnitsel@redhat.com>,
        linux-integrity@vger.kernel.org
Date:   Mon, 13 Jan 2020 20:17:39 -0500
In-Reply-To: <20200114000602.h5k5rr2k6zl3dlts@cantor>
References: <20200114000602.h5k5rr2k6zl3dlts@cantor>
Content-Type: text/plain; charset="UTF-8"
X-Mailer: Evolution 3.20.5 (3.20.5-1.fc24) 
Mime-Version: 1.0
Content-Transfer-Encoding: 8bit
X-TM-AS-GCONF: 00
x-cbid: 20011401-0008-0000-0000-0000034918EB
X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused
x-cbparentid: 20011401-0009-0000-0000-00004A6969B2
Message-Id: <1578964659.5796.7.camel@linux.ibm.com>
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.138,18.0.572
 definitions=2020-01-13_08:2020-01-13,2020-01-13 signatures=0
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 impostorscore=0 spamscore=0
 suspectscore=0 adultscore=0 priorityscore=1501 lowpriorityscore=0
 malwarescore=0 phishscore=0 mlxlogscore=999 bulkscore=0 mlxscore=0
 clxscore=1015 classifier=spam adjust=0 reason=mlx scancount=1
 engine=8.12.0-1910280000 definitions=main-2001140009
Sender: linux-integrity-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-integrity.vger.kernel.org>
X-Mailing-List: linux-integrity@vger.kernel.org

On Mon, 2020-01-13 at 17:06 -0700, Jerry Snitselaar wrote:
> We had a report of messages from ima saying "Error communicating with
> TPM".  Looking into it a bit, it looks like with some Dell systems
> (possibly others as well) in the bios they can set the hash algorithm
> being used. In this case with that set to sha256 the messages
> appear. Flipping the system to using sha1 makes them disappear.
> Looking at the ima code, ima_calc_boot_aggregate_tfm hard codes using
> sha1. Should that be changed to use whatever the default is in the
> config, or possibly find out from the tpm what algorithm is being used?

The ima-ng template contains two digests.  The first digest is the
value being extended into the TPM, while the second digest is either
the boot aggregate or file data hash.  It sounds like the problem is
with the first digest.  Changing the boot-aggregate to use sha256
might be a good idea, but probably won't fix the problem.

Mimi