[PATCH 1/2] ima: use the IMA configured hash algo to calculate the boot aggregate

[PATCH 1/2] ima: use the IMA configured hash algo to calculate the boot aggregate

[Mimi Zohar]

The boot aggregate is a cumulative SHA1 hash over TPM registers 0 - 7.
NIST has depreciated the usage of SHA1 in most instances.  Instead of
continuing to use SHA1 to calculate the boot_aggregate, use the
configured IMA default hash algorithm.

Although the IMA measurement list boot_aggregate template data contains
the hash algorithm followed by the digest, allowing verifiers (e.g.
attesttaion servers) to calculate and verify the boot_aggregate, the
verifiers might not have the knowledge of what constitutes a good value
based on a different hash algorithm.

Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
 security/integrity/ima/ima_init.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/security/integrity/ima/ima_init.c b/security/integrity/ima/ima_init.c
index 195cb4079b2b..b1b334fe0db5 100644
--- a/security/integrity/ima/ima_init.c
+++ b/security/integrity/ima/ima_init.c
@@ -27,7 +27,7 @@ struct tpm_chip *ima_tpm_chip;
 /* Add the boot aggregate to the IMA measurement list and extend
  * the PCR register.
  *
- * Calculate the boot aggregate, a SHA1 over tpm registers 0-7,
+ * Calculate the boot aggregate, a hash over tpm registers 0-7,
  * assuming a TPM chip exists, and zeroes if the TPM chip does not
  * exist.  Add the boot aggregate measurement to the measurement
  * list and extend the PCR register.
@@ -51,14 +51,14 @@ static int __init ima_add_boot_aggregate(void)
 	int violation = 0;
 	struct {
 		struct ima_digest_data hdr;
-		char digest[TPM_DIGEST_SIZE];
+		char digest[TPM_MAX_DIGEST_SIZE];
 	} hash;
 
 	memset(iint, 0, sizeof(*iint));
 	memset(&hash, 0, sizeof(hash));
 	iint->ima_hash = &hash.hdr;
-	iint->ima_hash->algo = HASH_ALGO_SHA1;
-	iint->ima_hash->length = SHA1_DIGEST_SIZE;
+	iint->ima_hash->algo = ima_hash_algo;
+	iint->ima_hash->length = hash_digest_size[ima_hash_algo];
 
 	if (ima_tpm_chip) {
 		result = ima_calc_boot_aggregate(&hash.hdr);
-- 
2.7.5

[PATCH 2/2] ima: support calculating the boot_aggregate based on different TPM banks

[Mimi Zohar]

Calculating the boot_aggregate attempts to read the TPM SHA1 bank,
assuming it is always enabled.  With TPM 2.0 hash agility, TPM chips
could support multiple TPM PCR banks, allowing firmware to configure and
enable different banks.

Instead of hard coding the TPM 2.0 bank hash algorithm used for calculating
the boot-aggregate, see if the configured IMA_DEFAULT_HASH algorithm is
an allocated TPM bank, otherwise use the first allocated TPM bank.

For TPM 1.2 SHA1 is the only supported hash algorithm.

Reported-by: Jerry Snitselaar <jsnitsel@redhat.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
 security/integrity/ima/ima_crypto.c | 37 ++++++++++++++++++++++++++++++++++++-
 1 file changed, 36 insertions(+), 1 deletion(-)

diff --git a/security/integrity/ima/ima_crypto.c b/security/integrity/ima/ima_crypto.c
index 7967a6904851..b1b26d61f174 100644
--- a/security/integrity/ima/ima_crypto.c
+++ b/security/integrity/ima/ima_crypto.c
@@ -656,8 +656,25 @@ static void __init ima_pcrread(u32 idx, struct tpm_digest *d)
 		pr_err("Error Communicating to TPM chip\n");
 }
 
+/* tpm2_hash_map is the same as defined in tpm2-cmd.c and trusted_tpm2.c */
+static struct tpm2_hash tpm2_hash_map[] = {
+	{HASH_ALGO_SHA1, TPM_ALG_SHA1},
+	{HASH_ALGO_SHA256, TPM_ALG_SHA256},
+	{HASH_ALGO_SHA384, TPM_ALG_SHA384},
+	{HASH_ALGO_SHA512, TPM_ALG_SHA512},
+	{HASH_ALGO_SM3_256, TPM_ALG_SM3_256},
+};
+
 /*
- * Calculate the boot aggregate hash
+ * The boot_aggregate is a cumulative hash over TPM registers 0 - 7.  With
+ * TPM 2.0 hash agility, TPM chips could support multiple TPM PCR banks,
+ * allowing firmware to configure and enable different banks.
+ *
+ * Instead of hard coding the TPM bank hash algorithm used for calculating
+ * the boot-aggregate, see if the configured IMA_DEFAULT_HASH algorithm is
+ * an allocated TPM bank, otherwise use the first allocated TPM bank.
+ *
+ * For TPM 1.2 SHA1 is the only hash algorithm.
  */
 static int __init ima_calc_boot_aggregate_tfm(char *digest,
 					      struct crypto_shash *tfm)
@@ -673,6 +690,24 @@ static int __init ima_calc_boot_aggregate_tfm(char *digest,
 	if (rc != 0)
 		return rc;
 
+	for (i = 0; i < ARRAY_SIZE(tpm2_hash_map); i++) {
+		if (tpm2_hash_map[i].crypto_id == ima_hash_algo) {
+			d.alg_id = tpm2_hash_map[i].tpm_id;
+			break;
+		}
+	}
+
+	for (i = 0; i < ima_tpm_chip->nr_allocated_banks; i++) {
+		if (ima_tpm_chip->allocated_banks[i].alg_id == d.alg_id)
+			break;
+	}
+
+	if (i == ima_tpm_chip->nr_allocated_banks)
+		d.alg_id = ima_tpm_chip->allocated_banks[0].alg_id;
+
+	pr_info("Calculating the boot-aggregregate, reading TPM PCR bank: %04x",
+		d.alg_id);
+
 	/* cumulative sha1 over tpm registers 0-7 */
 	for (i = TPM_PCR0; i < TPM_PCR8; i++) {
 		ima_pcrread(i, &d);
-- 
2.7.5

Re: [PATCH 2/2] ima: support calculating the boot_aggregate based on different TPM banks

[Lakshmi Ramasubramanian]

On 1/27/2020 8:01 AM, Mimi Zohar wrote:

> +
> +	for (i = 0; i < ima_tpm_chip->nr_allocated_banks; i++) {
> +		if (ima_tpm_chip->allocated_banks[i].alg_id == d.alg_id)
> +			break;
> +	}
> +
> +	if (i == ima_tpm_chip->nr_allocated_banks)
> +		d.alg_id = ima_tpm_chip->allocated_banks[0].alg_id;
> +

Can the number of allocated banks (ima_tpm_chip->nr_allocated_banks) be 
zero? Should that be checked before accessing "allocated_banks"?

  -lakshmi

Re: [PATCH 2/2] ima: support calculating the boot_aggregate based on different TPM banks

[Mimi Zohar]

On Mon, 2020-01-27 at 08:50 -0800, Lakshmi Ramasubramanian wrote:
> On 1/27/2020 8:01 AM, Mimi Zohar wrote:
> 
> > +
> > +	for (i = 0; i < ima_tpm_chip->nr_allocated_banks; i++) {
> > +		if (ima_tpm_chip->allocated_banks[i].alg_id == d.alg_id)
> > +			break;
> > +	}
> > +
> > +	if (i == ima_tpm_chip->nr_allocated_banks)
> > +		d.alg_id = ima_tpm_chip->allocated_banks[0].alg_id;
> > +
> 
> Can the number of allocated banks (ima_tpm_chip->nr_allocated_banks) be 
> zero? Should that be checked before accessing "allocated_banks"?

Yes, that might be the true, but I think the solution is not fixing
the problem here, but when ima_tpm_chip is set in ima_init().
tpm_default_chip() should be modified to return a TPM with at least
one bank enabled; and ima_init() needs to go into TPM-bypass mode if
there isn't.

Can anyone look into this please?

Mimi

Re: [PATCH 2/2] ima: support calculating the boot_aggregate based on different TPM banks

[Ken Goldman]

On 1/27/2020 11:50 AM, Lakshmi Ramasubramanian wrote:
> Can the number of allocated banks (ima_tpm_chip->nr_allocated_banks) be 
> zero? Should that be checked before accessing "allocated_banks"?

Summary:

It's unlikely that Linux on a PC will encounter a TPM without PCR 10.

It is likely that PCR 10 will be only SHA-256, that there will be no 
SHA-1 PCR 10.

~~

In theory:

Yes, one could have a TPM with no allocated banks.

In practice:

A PC Client TPM must have at least one bank with PCR 0 and PCR 17.

Some other TPMs, like automotive or embedded, may be different.

Most platforms will be designed to meet Windows requirements, which will 
have AFAIK at least one bank of 24 PCRs.

The TPM specification permits allocation of partial banks.  In theory, 
one could encounter a TPM with e.g., PCR 0-7 but not PCR 10.

In practice, AFAIK the hardware TPMs implement only full banks. 
Platform firmware allocates full banks.

RE: [PATCH 2/2] ima: support calculating the boot_aggregate based on different TPM banks

[Roberto Sassu]

> -----Original Message-----
> From: linux-integrity-owner@vger.kernel.org [mailto:linux-integrity-
> owner@vger.kernel.org] On Behalf Of Mimi Zohar
> Sent: Monday, January 27, 2020 5:02 PM
> To: linux-integrity@vger.kernel.org
> Cc: Jerry Snitselaar <jsnitsel@redhat.com>; James Bottomley
> <James.Bottomley@HansenPartnership.com>; linux-
> kernel@vger.kernel.org; Mimi Zohar <zohar@linux.ibm.com>
> Subject: [PATCH 2/2] ima: support calculating the boot_aggregate based on
> different TPM banks
> 
> Calculating the boot_aggregate attempts to read the TPM SHA1 bank,
> assuming it is always enabled.  With TPM 2.0 hash agility, TPM chips
> could support multiple TPM PCR banks, allowing firmware to configure and
> enable different banks.
> 
> Instead of hard coding the TPM 2.0 bank hash algorithm used for calculating
> the boot-aggregate, see if the configured IMA_DEFAULT_HASH algorithm is
> an allocated TPM bank, otherwise use the first allocated TPM bank.
> 
> For TPM 1.2 SHA1 is the only supported hash algorithm.
> 
> Reported-by: Jerry Snitselaar <jsnitsel@redhat.com>
> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
> ---
>  security/integrity/ima/ima_crypto.c | 37
> ++++++++++++++++++++++++++++++++++++-
>  1 file changed, 36 insertions(+), 1 deletion(-)
> 
> diff --git a/security/integrity/ima/ima_crypto.c
> b/security/integrity/ima/ima_crypto.c
> index 7967a6904851..b1b26d61f174 100644
> --- a/security/integrity/ima/ima_crypto.c
> +++ b/security/integrity/ima/ima_crypto.c
> @@ -656,8 +656,25 @@ static void __init ima_pcrread(u32 idx, struct
> tpm_digest *d)
>  		pr_err("Error Communicating to TPM chip\n");
>  }
> 
> +/* tpm2_hash_map is the same as defined in tpm2-cmd.c and
> trusted_tpm2.c */
> +static struct tpm2_hash tpm2_hash_map[] = {
> +	{HASH_ALGO_SHA1, TPM_ALG_SHA1},
> +	{HASH_ALGO_SHA256, TPM_ALG_SHA256},
> +	{HASH_ALGO_SHA384, TPM_ALG_SHA384},
> +	{HASH_ALGO_SHA512, TPM_ALG_SHA512},
> +	{HASH_ALGO_SM3_256, TPM_ALG_SM3_256},
> +};
> +
>  /*
> - * Calculate the boot aggregate hash
> + * The boot_aggregate is a cumulative hash over TPM registers 0 - 7.  With
> + * TPM 2.0 hash agility, TPM chips could support multiple TPM PCR banks,
> + * allowing firmware to configure and enable different banks.
> + *
> + * Instead of hard coding the TPM bank hash algorithm used for calculating
> + * the boot-aggregate, see if the configured IMA_DEFAULT_HASH
> algorithm is
> + * an allocated TPM bank, otherwise use the first allocated TPM bank.
> + *
> + * For TPM 1.2 SHA1 is the only hash algorithm.
>   */
>  static int __init ima_calc_boot_aggregate_tfm(char *digest,
>  					      struct crypto_shash *tfm)
> @@ -673,6 +690,24 @@ static int __init ima_calc_boot_aggregate_tfm(char
> *digest,
>  	if (rc != 0)
>  		return rc;
> 
> +	for (i = 0; i < ARRAY_SIZE(tpm2_hash_map); i++) {
> +		if (tpm2_hash_map[i].crypto_id == ima_hash_algo) {

It is not necessary to define a new map. ima_tpm_chip->allocated_banks
has a crypto_id field.

> +			d.alg_id = tpm2_hash_map[i].tpm_id;
> +			break;
> +		}
> +	}
> +
> +	for (i = 0; i < ima_tpm_chip->nr_allocated_banks; i++) {
> +		if (ima_tpm_chip->allocated_banks[i].alg_id == d.alg_id)
> +			break;
> +	}
> +
> +	if (i == ima_tpm_chip->nr_allocated_banks)
> +		d.alg_id = ima_tpm_chip->allocated_banks[0].alg_id;

This code assumes that the algorithm used to calculate boot_aggregate and
the algorithm of the PCR bank can be different. I don't know if it is possible to
communicate to the verifier which bank has been selected (it depends on
the local configuration).

In my opinion the safest approach would be to use the same algorithm for the
digest and the PCR bank. If you agree to this, then the code above must be
moved to ima_calc_boot_aggregate() so that the algorithm of the selected
PCR bank can be passed to ima_alloc_tfm().

The selected PCR bank might be not the first, if the algorithm is unknown to
the crypto subsystem.

> +	pr_info("Calculating the boot-aggregregate, reading TPM PCR

Typo.

Roberto

HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Li Peng, Li Jian, Shi Yanli

Re: [PATCH 2/2] ima: support calculating the boot_aggregate based on different TPM banks

[Mimi Zohar]

On Tue, 2020-01-28 at 14:19 +0000, Roberto Sassu wrote:
> > -----Original Message-----
> > From: linux-integrity-owner@vger.kernel.org [mailto:linux-integrity-
> > owner@vger.kernel.org] On Behalf Of Mimi Zohar
> > Sent: Monday, January 27, 2020 5:02 PM
> > To: linux-integrity@vger.kernel.org
> > Cc: Jerry Snitselaar <jsnitsel@redhat.com>; James Bottomley
> > <James.Bottomley@HansenPartnership.com>; linux-
> > kernel@vger.kernel.org; Mimi Zohar <zohar@linux.ibm.com>
> > Subject: [PATCH 2/2] ima: support calculating the boot_aggregate based on
> > different TPM banks
> > 
> > Calculating the boot_aggregate attempts to read the TPM SHA1 bank,
> > assuming it is always enabled.  With TPM 2.0 hash agility, TPM chips
> > could support multiple TPM PCR banks, allowing firmware to configure and
> > enable different banks.
> > 
> > Instead of hard coding the TPM 2.0 bank hash algorithm used for calculating
> > the boot-aggregate, see if the configured IMA_DEFAULT_HASH algorithm is
> > an allocated TPM bank, otherwise use the first allocated TPM bank.
> > 
> > For TPM 1.2 SHA1 is the only supported hash algorithm.
> > 
> > Reported-by: Jerry Snitselaar <jsnitsel@redhat.com>
> > Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
> > ---
> >  security/integrity/ima/ima_crypto.c | 37
> > ++++++++++++++++++++++++++++++++++++-
> >  1 file changed, 36 insertions(+), 1 deletion(-)
> > 
> > diff --git a/security/integrity/ima/ima_crypto.c
> > b/security/integrity/ima/ima_crypto.c
> > index 7967a6904851..b1b26d61f174 100644
> > --- a/security/integrity/ima/ima_crypto.c
> > +++ b/security/integrity/ima/ima_crypto.c
> > @@ -656,8 +656,25 @@ static void __init ima_pcrread(u32 idx, struct
> > tpm_digest *d)
> >  		pr_err("Error Communicating to TPM chip\n");
> >  }
> > 
> > +/* tpm2_hash_map is the same as defined in tpm2-cmd.c and
> > trusted_tpm2.c */
> > +static struct tpm2_hash tpm2_hash_map[] = {
> > +	{HASH_ALGO_SHA1, TPM_ALG_SHA1},
> > +	{HASH_ALGO_SHA256, TPM_ALG_SHA256},
> > +	{HASH_ALGO_SHA384, TPM_ALG_SHA384},
> > +	{HASH_ALGO_SHA512, TPM_ALG_SHA512},
> > +	{HASH_ALGO_SM3_256, TPM_ALG_SM3_256},
> > +};
> > +
> >  /*
> > - * Calculate the boot aggregate hash
> > + * The boot_aggregate is a cumulative hash over TPM registers 0 - 7.  With
> > + * TPM 2.0 hash agility, TPM chips could support multiple TPM PCR banks,
> > + * allowing firmware to configure and enable different banks.
> > + *
> > + * Instead of hard coding the TPM bank hash algorithm used for calculating
> > + * the boot-aggregate, see if the configured IMA_DEFAULT_HASH
> > algorithm is
> > + * an allocated TPM bank, otherwise use the first allocated TPM bank.
> > + *
> > + * For TPM 1.2 SHA1 is the only hash algorithm.
> >   */
> >  static int __init ima_calc_boot_aggregate_tfm(char *digest,
> >  					      struct crypto_shash *tfm)
> > @@ -673,6 +690,24 @@ static int __init ima_calc_boot_aggregate_tfm(char
> > *digest,
> >  	if (rc != 0)
> >  		return rc;
> > 
> > +	for (i = 0; i < ARRAY_SIZE(tpm2_hash_map); i++) {
> > +		if (tpm2_hash_map[i].crypto_id == ima_hash_algo) {
> 
> It is not necessary to define a new map. ima_tpm_chip->allocated_banks
> has a crypto_id field.

Ok, thanks.

> 
> > +			d.alg_id = tpm2_hash_map[i].tpm_id;
> > +			break;
> > +		}
> > +	}
> > +
> > +	for (i = 0; i < ima_tpm_chip->nr_allocated_banks; i++) {
> > +		if (ima_tpm_chip->allocated_banks[i].alg_id == d.alg_id)
> > +			break;
> > +	}
> > +
> > +	if (i == ima_tpm_chip->nr_allocated_banks)
> > +		d.alg_id = ima_tpm_chip->allocated_banks[0].alg_id;
> 
> This code assumes that the algorithm used to calculate boot_aggregate and
> the algorithm of the PCR bank can be different. I don't know if it is possible to
> communicate to the verifier which bank has been selected (it depends on
> the local configuration).

Agreed, but defaulting to the first bank would only happen if the IMA
default hash algorithm is not a configured TPM algorithm.

> 
> In my opinion the safest approach would be to use the same algorithm for the
> digest and the PCR bank. If you agree to this, then the code above must be
> moved to ima_calc_boot_aggregate() so that the algorithm of the selected
> PCR bank can be passed to ima_alloc_tfm().

Using the same hash algorithm, preferably the IMA hash default
algorithm, for reading the TPM PCR bank and calculating the
boot_aggregate makes sense.

> 
> The selected PCR bank might be not the first, if the algorithm is unknown to
> the crypto subsystem.

It sounds like you're suggesting finding a common configured hash
algorithm between the TPM and the kernel. 

> 
> > +	pr_info("Calculating the boot-aggregregate, reading TPM PCR
> 
> Typo.

thanks

Mimi

RE: [PATCH 2/2] ima: support calculating the boot_aggregate based on different TPM banks

[Roberto Sassu]

> -----Original Message-----
> From: Mimi Zohar [mailto:zohar@linux.ibm.com]
> Sent: Tuesday, January 28, 2020 4:41 PM
> To: Roberto Sassu <roberto.sassu@huawei.com>; linux-
> integrity@vger.kernel.org
> Cc: Jerry Snitselaar <jsnitsel@redhat.com>; James Bottomley
> <James.Bottomley@HansenPartnership.com>; linux-
> kernel@vger.kernel.org; Silviu Vlasceanu <Silviu.Vlasceanu@huawei.com>
> Subject: Re: [PATCH 2/2] ima: support calculating the boot_aggregate based
> on different TPM banks
> 
> On Tue, 2020-01-28 at 14:19 +0000, Roberto Sassu wrote:
> > > -----Original Message-----
> > > From: linux-integrity-owner@vger.kernel.org [mailto:linux-integrity-
> > > owner@vger.kernel.org] On Behalf Of Mimi Zohar
> > > Sent: Monday, January 27, 2020 5:02 PM
> > > To: linux-integrity@vger.kernel.org
> > > Cc: Jerry Snitselaar <jsnitsel@redhat.com>; James Bottomley
> > > <James.Bottomley@HansenPartnership.com>; linux-
> > > kernel@vger.kernel.org; Mimi Zohar <zohar@linux.ibm.com>
> > > Subject: [PATCH 2/2] ima: support calculating the boot_aggregate based
> on
> > > different TPM banks
> > >
> > > Calculating the boot_aggregate attempts to read the TPM SHA1 bank,
> > > assuming it is always enabled.  With TPM 2.0 hash agility, TPM chips
> > > could support multiple TPM PCR banks, allowing firmware to configure
> and
> > > enable different banks.
> > >
> > > Instead of hard coding the TPM 2.0 bank hash algorithm used for
> calculating
> > > the boot-aggregate, see if the configured IMA_DEFAULT_HASH
> algorithm is
> > > an allocated TPM bank, otherwise use the first allocated TPM bank.
> > >
> > > For TPM 1.2 SHA1 is the only supported hash algorithm.
> > >
> > > Reported-by: Jerry Snitselaar <jsnitsel@redhat.com>
> > > Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
> > > ---
> > >  security/integrity/ima/ima_crypto.c | 37
> > > ++++++++++++++++++++++++++++++++++++-
> > >  1 file changed, 36 insertions(+), 1 deletion(-)
> > >
> > > diff --git a/security/integrity/ima/ima_crypto.c
> > > b/security/integrity/ima/ima_crypto.c
> > > index 7967a6904851..b1b26d61f174 100644
> > > --- a/security/integrity/ima/ima_crypto.c
> > > +++ b/security/integrity/ima/ima_crypto.c
> > > @@ -656,8 +656,25 @@ static void __init ima_pcrread(u32 idx, struct
> > > tpm_digest *d)
> > >  		pr_err("Error Communicating to TPM chip\n");
> > >  }
> > >
> > > +/* tpm2_hash_map is the same as defined in tpm2-cmd.c and
> > > trusted_tpm2.c */
> > > +static struct tpm2_hash tpm2_hash_map[] = {
> > > +	{HASH_ALGO_SHA1, TPM_ALG_SHA1},
> > > +	{HASH_ALGO_SHA256, TPM_ALG_SHA256},
> > > +	{HASH_ALGO_SHA384, TPM_ALG_SHA384},
> > > +	{HASH_ALGO_SHA512, TPM_ALG_SHA512},
> > > +	{HASH_ALGO_SM3_256, TPM_ALG_SM3_256},
> > > +};
> > > +
> > >  /*
> > > - * Calculate the boot aggregate hash
> > > + * The boot_aggregate is a cumulative hash over TPM registers 0 - 7.
> With
> > > + * TPM 2.0 hash agility, TPM chips could support multiple TPM PCR
> banks,
> > > + * allowing firmware to configure and enable different banks.
> > > + *
> > > + * Instead of hard coding the TPM bank hash algorithm used for
> calculating
> > > + * the boot-aggregate, see if the configured IMA_DEFAULT_HASH
> > > algorithm is
> > > + * an allocated TPM bank, otherwise use the first allocated TPM bank.
> > > + *
> > > + * For TPM 1.2 SHA1 is the only hash algorithm.
> > >   */
> > >  static int __init ima_calc_boot_aggregate_tfm(char *digest,
> > >  					      struct crypto_shash *tfm)
> > > @@ -673,6 +690,24 @@ static int __init
> ima_calc_boot_aggregate_tfm(char
> > > *digest,
> > >  	if (rc != 0)
> > >  		return rc;
> > >
> > > +	for (i = 0; i < ARRAY_SIZE(tpm2_hash_map); i++) {
> > > +		if (tpm2_hash_map[i].crypto_id == ima_hash_algo) {
> >
> > It is not necessary to define a new map. ima_tpm_chip->allocated_banks
> > has a crypto_id field.
> 
> Ok, thanks.

When you send the new version, please include patch 1/8 of my patch set,
that sets crypto_id to HASH_ALGO__LAST if there is no mapping between
TPM ID and crypto ID.

Thanks

Roberto

HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Li Peng, Li Jian, Shi Yanli

Re: [PATCH 2/2] ima: support calculating the boot_aggregate based on different TPM banks

[Mimi Zohar]

On Tue, 2020-01-28 at 10:40 -0500, Mimi Zohar wrote:
> > This code assumes that the algorithm used to calculate boot_aggregate and
> > the algorithm of the PCR bank can be different. I don't know if it is possible to
> > communicate to the verifier which bank has been selected (it depends on
> > the local configuration).
> 
> Agreed, but defaulting to the first bank would only happen if the IMA
> default hash algorithm is not a configured TPM algorithm.
> 
> > 
> > In my opinion the safest approach would be to use the same algorithm for the
> > digest and the PCR bank. If you agree to this, then the code above must be
> > moved to ima_calc_boot_aggregate() so that the algorithm of the selected
> > PCR bank can be passed to ima_alloc_tfm().
> 
> Using the same hash algorithm, preferably the IMA hash default
> algorithm, for reading the TPM PCR bank and calculating the
> boot_aggregate makes sense.
> 
> > 
> > The selected PCR bank might be not the first, if the algorithm is unknown to
> > the crypto subsystem.
> 
> It sounds like you're suggesting finding a common configured hash
> algorithm between the TPM and the kernel. 

I'd like to clarify the logic for the case when a common algorithm
does not exist.  None of the TPM allocated banks are known by the
kernel.  If the hash algorithm of the boot_aggregate represents not
only that of the digest included in the measurement list, but also of
the TPM PCR bank read, what should happen?  Should the boot aggregate
be 0's, like in the case when there isn't a TPM?

thanks,

Mimi

Re: [PATCH 2/2] ima: support calculating the boot_aggregate based on different TPM banks

[James Bottomley]

On Wed, 2020-01-29 at 18:20 -0500, Mimi Zohar wrote:
> On Tue, 2020-01-28 at 10:40 -0500, Mimi Zohar wrote:
> > > This code assumes that the algorithm used to calculate
> > > boot_aggregate and the algorithm of the PCR bank can be
> > > different. I don't know if it is possible to communicate to the
> > > verifier which bank has been selected (it depends on the local
> > > configuration).
> > 
> > Agreed, but defaulting to the first bank would only happen if the
> > IMA default hash algorithm is not a configured TPM algorithm.
> > 
> > > 
> > > In my opinion the safest approach would be to use the same
> > > algorithm for the digest and the PCR bank. If you agree to this,
> > > then the code above must be moved to ima_calc_boot_aggregate() so
> > > that the algorithm of the selected PCR bank can be passed to
> > > ima_alloc_tfm().
> > 
> > Using the same hash algorithm, preferably the IMA hash default
> > algorithm, for reading the TPM PCR bank and calculating the
> > boot_aggregate makes sense.
> > 
> > > 
> > > The selected PCR bank might be not the first, if the algorithm is
> > > unknown to the crypto subsystem.
> > 
> > It sounds like you're suggesting finding a common configured hash
> > algorithm between the TPM and the kernel. 
> 
> I'd like to clarify the logic for the case when a common algorithm
> does not exist.

I'm not sure we need to twist ourselves in knots over this.  The TCG
client platform for 2.0 mandates sha256, so we should be able to count
on it being present.  I'd be happy to treat the failure to find sha256
on TPM 2.0 as a fatal error, and the same for the failure to find sha1
on TPM 1.2.

>   None of the TPM allocated banks are known by the kernel.  If the
> hash algorithm of the boot_aggregate represents not only that of the
> digest included in the measurement list, but also of the TPM PCR bank
> read, what should happen?  Should the boot aggregate be 0's, like in
> the case when there isn't a TPM?

For TPM 1.2 sha1 is required and for TPM2 sha256 is.  I'd just force
search for those, based on the TPM version, and fail to use the TPM if
they're not found.  There should be a boot time and config option for
weird hashes which might be the only ones on BRIC embedded devices,
like Streebog or ZM2, but the clear default should be the TCG mandates
and it should be up to anything weird to cope with their own induced
problems and not make it part of the standard setup.

James

RE: [PATCH 1/2] ima: use the IMA configured hash algo to calculate the boot aggregate

[Roberto Sassu]

> -----Original Message-----
> From: linux-integrity-owner@vger.kernel.org [mailto:linux-integrity-
> owner@vger.kernel.org] On Behalf Of Mimi Zohar
> Sent: Monday, January 27, 2020 5:02 PM
> To: linux-integrity@vger.kernel.org
> Cc: Jerry Snitselaar <jsnitsel@redhat.com>; James Bottomley
> <James.Bottomley@HansenPartnership.com>; linux-
> kernel@vger.kernel.org; Mimi Zohar <zohar@linux.ibm.com>
> Subject: [PATCH 1/2] ima: use the IMA configured hash algo to calculate the
> boot aggregate

Hi Mimi

I did a similar change (patch 8/8) in the patch set I just sent. The patch is simpler,
as it reuses the data structures I introduced in the previous patches. Let me know
if I can keep this part in my patch set or I should remove it.

Thanks

Roberto

HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Li Peng, Li Jian, Shi Yanli

Re: [PATCH 1/2] ima: use the IMA configured hash algo to calculate the boot aggregate

[Mimi Zohar]

On Mon, 2020-01-27 at 17:38 +0000, Roberto Sassu wrote:
> > -----Original Message-----
> > From: linux-integrity-owner@vger.kernel.org [mailto:linux-integrity-
> > owner@vger.kernel.org] On Behalf Of Mimi Zohar
> > Sent: Monday, January 27, 2020 5:02 PM
> > To: linux-integrity@vger.kernel.org
> > Cc: Jerry Snitselaar <jsnitsel@redhat.com>; James Bottomley
> > <James.Bottomley@HansenPartnership.com>; linux-
> > kernel@vger.kernel.org; Mimi Zohar <zohar@linux.ibm.com>
> > Subject: [PATCH 1/2] ima: use the IMA configured hash algo to calculate the
> > boot aggregate
> 
> Hi Mimi
> 
> I did a similar change (patch 8/8) in the patch set I just sent. The patch is simpler,
> as it reuses the data structures I introduced in the previous patches. Let me know
> if I can keep this part in my patch set or I should remove it.

Only 2/2 "ima: support calculating the boot_aggregate based on
different TPM banks" is really needed to address Jerry's bug report.
 Let's review your patch set before making any decisions about 1/2
"ima: use the IMA configured hash algo to calculate the boot
aggregate".

thanks,

Mimi

Re: [PATCH 1/2] ima: use the IMA configured hash algo to calculate the boot aggregate

[Mimi Zohar]

On Mon, 2020-01-27 at 13:16 -0500, Mimi Zohar wrote:
> On Mon, 2020-01-27 at 17:38 +0000, Roberto Sassu wrote:
> > > -----Original Message-----
> > > From: linux-integrity-owner@vger.kernel.org [mailto:linux-integrity-
> > > owner@vger.kernel.org] On Behalf Of Mimi Zohar
> > > Sent: Monday, January 27, 2020 5:02 PM
> > > To: linux-integrity@vger.kernel.org
> > > Cc: Jerry Snitselaar <jsnitsel@redhat.com>; James Bottomley
> > > <James.Bottomley@HansenPartnership.com>; linux-
> > > kernel@vger.kernel.org; Mimi Zohar <zohar@linux.ibm.com>
> > > Subject: [PATCH 1/2] ima: use the IMA configured hash algo to calculate the
> > > boot aggregate
> > 
> > Hi Mimi
> > 
> > I did a similar change (patch 8/8) in the patch set I just sent. The patch is simpler,
> > as it reuses the data structures I introduced in the previous patches. Let me know
> > if I can keep this part in my patch set or I should remove it.
> 
> Only 2/2 "ima: support calculating the boot_aggregate based on
> different TPM banks" is really needed to address Jerry's bug report.
>  Let's review your patch set before making any decisions about 1/2
> "ima: use the IMA configured hash algo to calculate the boot
> aggregate".

To be more precise, we need to be able to backport the bug fix.  So
the change needs to be independent of anything you're defining now.
 Changes/improvements can be made on top of the bug fix.

thanks,

Mimi

Re: [PATCH 1/2] ima: use the IMA configured hash algo to calculate the boot aggregate

[Jerry Snitselaar]

On Mon Jan 27 20, Mimi Zohar wrote:
>The boot aggregate is a cumulative SHA1 hash over TPM registers 0 - 7.
>NIST has depreciated the usage of SHA1 in most instances.  Instead of
>continuing to use SHA1 to calculate the boot_aggregate, use the
>configured IMA default hash algorithm.
>
>Although the IMA measurement list boot_aggregate template data contains
>the hash algorithm followed by the digest, allowing verifiers (e.g.
>attesttaion servers) to calculate and verify the boot_aggregate, the
>verifiers might not have the knowledge of what constitutes a good value
>based on a different hash algorithm.
>
>Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
>---
> security/integrity/ima/ima_init.c | 8 ++++----
> 1 file changed, 4 insertions(+), 4 deletions(-)
>
>diff --git a/security/integrity/ima/ima_init.c b/security/integrity/ima/ima_init.c
>index 195cb4079b2b..b1b334fe0db5 100644
>--- a/security/integrity/ima/ima_init.c
>+++ b/security/integrity/ima/ima_init.c
>@@ -27,7 +27,7 @@ struct tpm_chip *ima_tpm_chip;
> /* Add the boot aggregate to the IMA measurement list and extend
>  * the PCR register.
>  *
>- * Calculate the boot aggregate, a SHA1 over tpm registers 0-7,
>+ * Calculate the boot aggregate, a hash over tpm registers 0-7,
>  * assuming a TPM chip exists, and zeroes if the TPM chip does not
>  * exist.  Add the boot aggregate measurement to the measurement
>  * list and extend the PCR register.
>@@ -51,14 +51,14 @@ static int __init ima_add_boot_aggregate(void)
> 	int violation = 0;
> 	struct {
> 		struct ima_digest_data hdr;
>-		char digest[TPM_DIGEST_SIZE];
>+		char digest[TPM_MAX_DIGEST_SIZE];
> 	} hash;
>
> 	memset(iint, 0, sizeof(*iint));
> 	memset(&hash, 0, sizeof(hash));
> 	iint->ima_hash = &hash.hdr;
>-	iint->ima_hash->algo = HASH_ALGO_SHA1;
>-	iint->ima_hash->length = SHA1_DIGEST_SIZE;
>+	iint->ima_hash->algo = ima_hash_algo;
>+	iint->ima_hash->length = hash_digest_size[ima_hash_algo];
>
> 	if (ima_tpm_chip) {
> 		result = ima_calc_boot_aggregate(&hash.hdr);
>-- 
>2.7.5
>

Tested the patches on the Dell and no longer spits out the error messages on boot.
/sys/kernel/security/ima/ascii_runtime_measurements shows the boot aggregate.

Is there something else I should look at to verify it is functioning properly?

Regards,
Jerry

Re: [PATCH 1/2] ima: use the IMA configured hash algo to calculate the boot aggregate

[Mimi Zohar]

On Mon, 2020-01-27 at 13:49 -0700, Jerry Snitselaar wrote:
> On Mon Jan 27 20, Mimi Zohar wrote:
> >The boot aggregate is a cumulative SHA1 hash over TPM registers 0 - 7.
> >NIST has depreciated the usage of SHA1 in most instances.  Instead of
> >continuing to use SHA1 to calculate the boot_aggregate, use the
> >configured IMA default hash algorithm.
> >
> >Although the IMA measurement list boot_aggregate template data contains
> >the hash algorithm followed by the digest, allowing verifiers (e.g.
> >attesttaion servers) to calculate and verify the boot_aggregate, the
> >verifiers might not have the knowledge of what constitutes a good value
> >based on a different hash algorithm.
> >
> >Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
> >---
> > security/integrity/ima/ima_init.c | 8 ++++----
> > 1 file changed, 4 insertions(+), 4 deletions(-)
> >
> >diff --git a/security/integrity/ima/ima_init.c b/security/integrity/ima/ima_init.c
> >index 195cb4079b2b..b1b334fe0db5 100644
> >--- a/security/integrity/ima/ima_init.c
> >+++ b/security/integrity/ima/ima_init.c
> >@@ -27,7 +27,7 @@ struct tpm_chip *ima_tpm_chip;
> > /* Add the boot aggregate to the IMA measurement list and extend
> >  * the PCR register.
> >  *
> >- * Calculate the boot aggregate, a SHA1 over tpm registers 0-7,
> >+ * Calculate the boot aggregate, a hash over tpm registers 0-7,
> >  * assuming a TPM chip exists, and zeroes if the TPM chip does not
> >  * exist.  Add the boot aggregate measurement to the measurement
> >  * list and extend the PCR register.
> >@@ -51,14 +51,14 @@ static int __init ima_add_boot_aggregate(void)
> > 	int violation = 0;
> > 	struct {
> > 		struct ima_digest_data hdr;
> >-		char digest[TPM_DIGEST_SIZE];
> >+		char digest[TPM_MAX_DIGEST_SIZE];
> > 	} hash;
> >
> > 	memset(iint, 0, sizeof(*iint));
> > 	memset(&hash, 0, sizeof(hash));
> > 	iint->ima_hash = &hash.hdr;
> >-	iint->ima_hash->algo = HASH_ALGO_SHA1;
> >-	iint->ima_hash->length = SHA1_DIGEST_SIZE;
> >+	iint->ima_hash->algo = ima_hash_algo;
> >+	iint->ima_hash->length = hash_digest_size[ima_hash_algo];
> >
> > 	if (ima_tpm_chip) {
> > 		result = ima_calc_boot_aggregate(&hash.hdr);
> >-- 
> >2.7.5
> >
> 
> Tested the patches on the Dell and no longer spits out the error messages on boot.
> /sys/kernel/security/ima/ascii_runtime_measurements shows the boot aggregate.
> 
> Is there something else I should look at to verify it is functioning properly?

The original LTP ima_boot_aggregate.c test needed to be updated to
support TPM 2.0 before this change.  For TPM 2.0, the PCRs are not
exported.  With this change, the kernel could be reading PCRs from a
TPM bank other than SHA1 and calculating the boot_aggregate based on a
different hash algorithm as well.  I'm not sure how a remote verifier
would know which TPM bank was read, when calculating the boot-
aggregate.

At the moment, the only test would be to make sure that the LTP test
still works for TPM 1.2 properly.

Mimi

Re: [PATCH 1/2] ima: use the IMA configured hash algo to calculate the boot aggregate

[Petr Vorel]

Hi Mimi,

Reviewed-by: Petr Vorel <pvorel@suse.cz>

> The original LTP ima_boot_aggregate.c test needed to be updated to
> support TPM 2.0 before this change.  For TPM 2.0, the PCRs are not
> exported.  With this change, the kernel could be reading PCRs from a
> TPM bank other than SHA1 and calculating the boot_aggregate based on a
> different hash algorithm as well.  I'm not sure how a remote verifier
> would know which TPM bank was read, when calculating the boot-
> aggregate.
Mimi, do you plan to do update LTP test?

Kind regards,
Petr

Re: [PATCH 1/2] ima: use the IMA configured hash algo to calculate the boot aggregate

[Mimi Zohar]

On Wed, 2020-01-29 at 09:30 +0100, Petr Vorel wrote:
> Hi Mimi,
> 
> Reviewed-by: Petr Vorel <pvorel@suse.cz>
> 
> > The original LTP ima_boot_aggregate.c test needed to be updated to
> > support TPM 2.0 before this change.  For TPM 2.0, the PCRs are not
> > exported.  With this change, the kernel could be reading PCRs from a
> > TPM bank other than SHA1 and calculating the boot_aggregate based on a
> > different hash algorithm as well.  I'm not sure how a remote verifier
> > would know which TPM bank was read, when calculating the boot-
> > aggregate.
> Mimi, do you plan to do update LTP test?

In order to test Roberto's patches that calculates and extends the
different TPM banks with the appropriate hashes, we'll need some test
to verify that it is working properly.  As to whether this will be in
LTP or ima-evm-utils, I'm not sure.

Mimi

Re: [PATCH 1/2] ima: use the IMA configured hash algo to calculate the boot aggregate

[Petr Vorel]

Hi Mimi,

> > > The original LTP ima_boot_aggregate.c test needed to be updated to
> > > support TPM 2.0 before this change.  For TPM 2.0, the PCRs are not
> > > exported.  With this change, the kernel could be reading PCRs from a
> > > TPM bank other than SHA1 and calculating the boot_aggregate based on a
> > > different hash algorithm as well.  I'm not sure how a remote verifier
> > > would know which TPM bank was read, when calculating the boot-
> > > aggregate.
> > Mimi, do you plan to do update LTP test?

> In order to test Roberto's patches that calculates and extends the
> different TPM banks with the appropriate hashes, we'll need some test
> to verify that it is working properly.  As to whether this will be in
> LTP or ima-evm-utils, I'm not sure.
Sure, it's up to you where you place the test (if you plan to write it).

BTW I see evmtest [1] haven't been merged yet into ima-evm-utils.
What's blocking to merge them? (My objections to require bash shouldn't be the
reason for not being merged.)
I'd like to package them separately for developers to run them on SUT
(unless they're meant to be running only during building package).

Kind regards,
Petr

[1] https://patchwork.kernel.org/project/linux-integrity/list/?series=95303

RE: [PATCH 1/2] ima: use the IMA configured hash algo to calculate the boot aggregate

[Roberto Sassu]

> -----Original Message-----
> From: linux-integrity-owner@vger.kernel.org [mailto:linux-integrity-
> owner@vger.kernel.org] On Behalf Of Mimi Zohar
> Sent: Wednesday, January 29, 2020 11:51 PM
> To: Petr Vorel <pvorel@suse.cz>
> Cc: Jerry Snitselaar <jsnitsel@redhat.com>; linux-integrity@vger.kernel.org;
> James Bottomley <James.Bottomley@hansenpartnership.com>; linux-
> kernel@vger.kernel.org; Roberto Sassu <roberto.sassu@huawei.com>
> Subject: Re: [PATCH 1/2] ima: use the IMA configured hash algo to calculate
> the boot aggregate
> 
> On Wed, 2020-01-29 at 09:30 +0100, Petr Vorel wrote:
> > Hi Mimi,
> >
> > Reviewed-by: Petr Vorel <pvorel@suse.cz>
> >
> > > The original LTP ima_boot_aggregate.c test needed to be updated to
> > > support TPM 2.0 before this change.  For TPM 2.0, the PCRs are not
> > > exported.  With this change, the kernel could be reading PCRs from a
> > > TPM bank other than SHA1 and calculating the boot_aggregate based on
> a
> > > different hash algorithm as well.  I'm not sure how a remote verifier
> > > would know which TPM bank was read, when calculating the boot-
> > > aggregate.
> > Mimi, do you plan to do update LTP test?
> 
> In order to test Roberto's patches that calculates and extends the
> different TPM banks with the appropriate hashes, we'll need some test
> to verify that it is working properly.  As to whether this will be in
> LTP or ima-evm-utils, I'm not sure.

attest-tools (https://github.com/euleros/attest-tools, branch 0.2-devel) has the
ability to parse the BIOS and IMA event logs, and to compare boot_aggregate
with the digest of final PCR values obtained by performing in software the PCR
extend operation with digests in the BIOS event log.

To perform the test, it is necessary to have a complete BIOS event log.

Create req.json with this content:
---
{
  "reqs":{
    "dummy|verify":"",
    "ima_boot_aggregate|verify":""
  }
}
---

With the requirements above, we are telling attest-tools to verify only
boot_aggregate. Without the dummy requirement, verification would
fail (BIOS and remaining IMA measurement entries are not processed).

On server side run:
# attest_ra_server -p 10 -r req.json -s -i

-s disables TPM signature verification
-i allows IMA violations

To enable TPM signature verification it is necessary to have a valid AK
certificate. It can be obtained by following the instructions at:

https://github.com/euleros/attest-tools/blob/0.2-devel/README

On client side run:
# echo test > aik_cert.pem
# echo aik_cert.pem > list_privacy_ca
# attest_ra_client -A

The command above generates an AK.

# attest_ra_client -s <server IP> -q -p 10 -P <PCR algo> -b -i

The command above sends the TPM quote and the event logs
to the RA server and gets the response (successful/failed
verification).

-b includes the BIOS event log from securityfs
-i includes the IMA event log from securityfs

To check that boot_aggregate is calculated properly, use -P sha256
in attest_ra_client and set ima_hash=sha256 in the kernel command
line.

Roberto

HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Li Peng, Li Jian, Shi Yanli

RE: [PATCH 1/2] ima: use the IMA configured hash algo to calculate the boot aggregate

[Roberto Sassu]

> -----Original Message-----
> From: linux-integrity-owner@vger.kernel.org [mailto:linux-integrity-
> owner@vger.kernel.org] On Behalf Of Roberto Sassu
> Sent: Thursday, January 30, 2020 4:27 PM
> To: Mimi Zohar <zohar@linux.ibm.com>; Petr Vorel <pvorel@suse.cz>
> Cc: Jerry Snitselaar <jsnitsel@redhat.com>; linux-integrity@vger.kernel.org;
> James Bottomley <James.Bottomley@hansenpartnership.com>; linux-
> kernel@vger.kernel.org
> Subject: RE: [PATCH 1/2] ima: use the IMA configured hash algo to calculate
> the boot aggregate
> 
> > -----Original Message-----
> > From: linux-integrity-owner@vger.kernel.org [mailto:linux-integrity-
> > owner@vger.kernel.org] On Behalf Of Mimi Zohar
> > Sent: Wednesday, January 29, 2020 11:51 PM
> > To: Petr Vorel <pvorel@suse.cz>
> > Cc: Jerry Snitselaar <jsnitsel@redhat.com>; linux-
> integrity@vger.kernel.org;
> > James Bottomley <James.Bottomley@hansenpartnership.com>; linux-
> > kernel@vger.kernel.org; Roberto Sassu <roberto.sassu@huawei.com>
> > Subject: Re: [PATCH 1/2] ima: use the IMA configured hash algo to
> calculate
> > the boot aggregate
> >
> > On Wed, 2020-01-29 at 09:30 +0100, Petr Vorel wrote:
> > > Hi Mimi,
> > >
> > > Reviewed-by: Petr Vorel <pvorel@suse.cz>
> > >
> > > > The original LTP ima_boot_aggregate.c test needed to be updated to
> > > > support TPM 2.0 before this change.  For TPM 2.0, the PCRs are not
> > > > exported.  With this change, the kernel could be reading PCRs from a
> > > > TPM bank other than SHA1 and calculating the boot_aggregate based
> on
> > a
> > > > different hash algorithm as well.  I'm not sure how a remote verifier
> > > > would know which TPM bank was read, when calculating the boot-
> > > > aggregate.
> > > Mimi, do you plan to do update LTP test?
> >
> > In order to test Roberto's patches that calculates and extends the
> > different TPM banks with the appropriate hashes, we'll need some test
> > to verify that it is working properly.  As to whether this will be in
> > LTP or ima-evm-utils, I'm not sure.
> 
> attest-tools (https://github.com/euleros/attest-tools, branch 0.2-devel) has
> the
> ability to parse the BIOS and IMA event logs, and to compare
> boot_aggregate
> with the digest of final PCR values obtained by performing in software the
> PCR
> extend operation with digests in the BIOS event log.
> 
> To perform the test, it is necessary to have a complete BIOS event log.
> 
> Create req.json with this content:
> ---
> {
>   "reqs":{
>     "dummy|verify":"",
>     "ima_boot_aggregate|verify":""
>   }
> }
> ---
> 
> With the requirements above, we are telling attest-tools to verify only
> boot_aggregate. Without the dummy requirement, verification would
> fail (BIOS and remaining IMA measurement entries are not processed).
> 
> On server side run:
> # attest_ra_server -p 10 -r req.json -s -i
> 
> -s disables TPM signature verification
> -i allows IMA violations
> 
> To enable TPM signature verification it is necessary to have a valid AK
> certificate. It can be obtained by following the instructions at:
> 
> https://github.com/euleros/attest-tools/blob/0.2-devel/README
> 
> On client side run:
> # echo test > aik_cert.pem
> # echo aik_cert.pem > list_privacy_ca
> # attest_ra_client -A
> 
> The command above generates an AK.
> 
> # attest_ra_client -s <server IP> -q -p 10 -P <PCR algo> -b -i
> 
> The command above sends the TPM quote and the event logs
> to the RA server and gets the response (successful/failed
> verification).
> 
> -b includes the BIOS event log from securityfs
> -i includes the IMA event log from securityfs
> 
> To check that boot_aggregate is calculated properly, use -P sha256

and to check that IMA extends non-SHA1 PCR banks with an appropriate
digest,

> in attest_ra_client and set ima_hash=sha256 in the kernel command
> line.

Roberto

HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Li Peng, Li Jian, Shi Yanli