Linux-Integrity Archive on lore.kernel.org
* [PATCH] ima: skip verifying TPM 2.0 PCR values
@ 2019-05-16 21:12 Mimi Zohar
  2019-05-17  6:51 ` Petr Vorel
  2019-05-17 13:50 ` Nayna
  0 siblings, 2 replies; 6+ messages in thread
From: Mimi Zohar @ 2019-05-16 21:12 UTC (permalink / raw)
  To: linux-integrity; +Cc: ltp, Petr Vorel

TPM 1.2 exported the PCRs.  Reading the TPM 2.0 PCRs requires a
userspace application.  For now, skip this test.

Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
 testcases/kernel/security/integrity/ima/tests/ima_tpm.sh | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/testcases/kernel/security/integrity/ima/tests/ima_tpm.sh b/testcases/kernel/security/integrity/ima/tests/ima_tpm.sh
index 0ffc3c02247d..ebe4b4c360e4 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_tpm.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_tpm.sh
@@ -88,6 +88,14 @@ test2()
 	tst_res TINFO "verify PCR values"
 	tst_check_cmds evmctl
 
+	local tpm_description="/sys/class/tpm/tpm0/device/description"
+	if [ -f "$tpm_description" ]; then
+		if grep -q "^\TPM 2.0" $tpm_description; then
+			tst_res TCONF "TPM 2.0 enabled, but not supported"
+			return 0
+		fi
+	fi
+
 	tst_res TINFO "evmctl version: $(evmctl --version)"
 
 	local pcrs_path="/sys/class/tpm/tpm0/device/pcrs"
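Review bot: the skip never fires on a TPM 2.0 system that lacks the `description` attribute: when `/sys/class/tpm/tpm0/device/description` is absent, the outer `if [ -f "$tpm_description" ]` falls through and test2 continues to `$pcrs_path` exactly as it would for a TPM 1.2, so the TCONF in this hunk is reached only on systems that happen to export that file. Since the condition the test actually depends on is the presence of `pcrs`, consider testing for that file's absence and reporting TCONF there, keeping the description check as a secondary hint when it is available. Two smaller points in the same lines: the pattern `"^\TPM 2.0"` carries a stray backslash (`\T` is not a defined escape in a basic regular expression) and `$tpm_description` is unquoted in the grep call; the two nested ifs can be collapsed to `if [ -f "$tpm_description" ] && grep -q "^TPM 2.0" "$tpm_description"; then`.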
-- 
2.7.5



* Re: [PATCH] ima: skip verifying TPM 2.0 PCR values
  2019-05-16 21:12 [PATCH] ima: skip verifying TPM 2.0 PCR values Mimi Zohar
@ 2019-05-17  6:51 ` Petr Vorel
  2019-05-17 11:19   ` Mimi Zohar
  2019-05-17 13:50 ` Nayna
  1 sibling, 1 reply; 6+ messages in thread
From: Petr Vorel @ 2019-05-17  6:51 UTC (permalink / raw)
  To: Mimi Zohar; +Cc: linux-integrity, ltp

Hi Mimi,

> TPM 1.2 exported the PCRs.  Reading the TPM 2.0 PCRs requires a
> userspace application.  For now, skip this test.

> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Acked-by: Petr Vorel <pvorel@suse.cz>
> ---
>  testcases/kernel/security/integrity/ima/tests/ima_tpm.sh | 8 ++++++++
>  1 file changed, 8 insertions(+)

> diff --git a/testcases/kernel/security/integrity/ima/tests/ima_tpm.sh b/testcases/kernel/security/integrity/ima/tests/ima_tpm.sh
> index 0ffc3c02247d..ebe4b4c360e4 100755
> --- a/testcases/kernel/security/integrity/ima/tests/ima_tpm.sh
> +++ b/testcases/kernel/security/integrity/ima/tests/ima_tpm.sh
> @@ -88,6 +88,14 @@ test2()
>  	tst_res TINFO "verify PCR values"
>  	tst_check_cmds evmctl

> +	local tpm_description="/sys/class/tpm/tpm0/device/description"
> +	if [ -f "$tpm_description" ]; then
> +		if grep -q "^\TPM 2.0" $tpm_description; then
I guess the backslash in "^\TPM 2.0" is a typo.
If yes, no need to repost, I'll fix it when applying your patch.
+ I'd prefer joining the 2 ifs into a single one, but that's just a matter of preference,
not important.

> +			tst_res TCONF "TPM 2.0 enabled, but not supported"
> +			return 0
> +		fi
> +	fi
> +
>  	tst_res TINFO "evmctl version: $(evmctl --version)"

>  	local pcrs_path="/sys/class/tpm/tpm0/device/pcrs"

Thanks for your fix.

Kind regards,
Petr


* Re: [PATCH] ima: skip verifying TPM 2.0 PCR values
  2019-05-17  6:51 ` Petr Vorel
@ 2019-05-17 11:19   ` Mimi Zohar
  2019-05-17 11:28     ` Petr Vorel
  0 siblings, 1 reply; 6+ messages in thread
From: Mimi Zohar @ 2019-05-17 11:19 UTC (permalink / raw)
  To: Petr Vorel
  Cc: linux-integrity, ltp, Jason Gunthorpe, Peter Hüwe, Jarkko Sakkinen

On Fri, 2019-05-17 at 08:51 +0200, Petr Vorel wrote:

> > diff --git a/testcases/kernel/security/integrity/ima/tests/ima_tpm.sh b/testcases/kernel/security/integrity/ima/tests/ima_tpm.sh
> > index 0ffc3c02247d..ebe4b4c360e4 100755
> > --- a/testcases/kernel/security/integrity/ima/tests/ima_tpm.sh
> > +++ b/testcases/kernel/security/integrity/ima/tests/ima_tpm.sh
> > @@ -88,6 +88,14 @@ test2()
> >  	tst_res TINFO "verify PCR values"
> >  	tst_check_cmds evmctl
> 
> > +	local tpm_description="/sys/class/tpm/tpm0/device/description"
> > +	if [ -f "$tpm_description" ]; then
> > +		if grep -q "^\TPM 2.0" $tpm_description; then

> I guess the backslash in "^\TPM 2.0" is a typo.
> If yes, no need to repost, I'll fix it when applying your patch.
> + I'd prefer joining the 2 ifs into a single one, but that's just a matter of preference,
> not important.

Thank you for fixing it.  I'd just like to hear from others first, if
this is the correct way to differentiate between TPM 1.2 and TPM 2.0.

Mimi


> > +			tst_res TCONF "TPM 2.0 enabled, but not supported"
> > +			return 0
> > +		fi
> > +	fi
> > +
> >  	tst_res TINFO "evmctl version: $(evmctl --version)"
> 
> >  	local pcrs_path="/sys/class/tpm/tpm0/device/pcrs"
> 



* Re: [PATCH] ima: skip verifying TPM 2.0 PCR values
  2019-05-17 11:19   ` Mimi Zohar
@ 2019-05-17 11:28     ` Petr Vorel
  0 siblings, 0 replies; 6+ messages in thread
From: Petr Vorel @ 2019-05-17 11:28 UTC (permalink / raw)
  To: Mimi Zohar
  Cc: linux-integrity, ltp, Jason Gunthorpe, Peter Hüwe, Jarkko Sakkinen

Hi Mimi,

> On Fri, 2019-05-17 at 08:51 +0200, Petr Vorel wrote:

> > > diff --git a/testcases/kernel/security/integrity/ima/tests/ima_tpm.sh b/testcases/kernel/security/integrity/ima/tests/ima_tpm.sh
> > > index 0ffc3c02247d..ebe4b4c360e4 100755
> > > --- a/testcases/kernel/security/integrity/ima/tests/ima_tpm.sh
> > > +++ b/testcases/kernel/security/integrity/ima/tests/ima_tpm.sh
> > > @@ -88,6 +88,14 @@ test2()
> > >  	tst_res TINFO "verify PCR values"
> > >  	tst_check_cmds evmctl

> > > +	local tpm_description="/sys/class/tpm/tpm0/device/description"
> > > +	if [ -f "$tpm_description" ]; then
> > > +		if grep -q "^\TPM 2.0" $tpm_description; then

> > I guess the backslash in "^\TPM 2.0" is a typo.
> > If yes, no need to repost, I'll fix it when applying your patch.
> > + I'd prefer joining the 2 ifs into a single one, but that's just a matter of preference,
> > not important.

> Thank you for fixing it.  I'd just like to hear from others first, if
> this is the correct way to differentiate between TPM 1.2 and TPM 2.0.
Oh, yes, let's wait for a feedback.

> Mimi

Kind regards,
Petr


* Re: [PATCH] ima: skip verifying TPM 2.0 PCR values
  2019-05-16 21:12 [PATCH] ima: skip verifying TPM 2.0 PCR values Mimi Zohar
  2019-05-17  6:51 ` Petr Vorel
@ 2019-05-17 13:50 ` Nayna
  2019-05-17 15:04   ` Petr Vorel
  1 sibling, 1 reply; 6+ messages in thread
From: Nayna @ 2019-05-17 13:50 UTC (permalink / raw)
  To: Mimi Zohar, linux-integrity; +Cc: ltp, Petr Vorel



On 05/16/2019 05:12 PM, Mimi Zohar wrote:
> TPM 1.2 exported the PCRs.  Reading the TPM 2.0 PCRs requires a
> userspace application.  For now, skip this test.
>
> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
> ---
>   testcases/kernel/security/integrity/ima/tests/ima_tpm.sh | 8 ++++++++
>   1 file changed, 8 insertions(+)
>
> diff --git a/testcases/kernel/security/integrity/ima/tests/ima_tpm.sh b/testcases/kernel/security/integrity/ima/tests/ima_tpm.sh
> index 0ffc3c02247d..ebe4b4c360e4 100755
> --- a/testcases/kernel/security/integrity/ima/tests/ima_tpm.sh
> +++ b/testcases/kernel/security/integrity/ima/tests/ima_tpm.sh
> @@ -88,6 +88,14 @@ test2()
>   	tst_res TINFO "verify PCR values"
>   	tst_check_cmds evmctl
>
> +	local tpm_description="/sys/class/tpm/tpm0/device/description"


I do not see a "description" file on either my PowerPC or x86 systems
with TPM 2.0.  Perhaps instead of testing for the "description" file, if
the "pcrs" file is not found, emit a more verbose informational message,
e.g. "pcrs file is not found - either you are running a TPM 2.0, or
sysfs failed to show pcrs for TPM 1.2"

Thanks & Regards,
       - Nayna



* Re: [PATCH] ima: skip verifying TPM 2.0 PCR values
  2019-05-17 13:50 ` Nayna
@ 2019-05-17 15:04   ` Petr Vorel
  0 siblings, 0 replies; 6+ messages in thread
From: Petr Vorel @ 2019-05-17 15:04 UTC (permalink / raw)
  To: Nayna; +Cc: Mimi Zohar, linux-integrity, ltp

Hi Nayna,

...
> > +	local tpm_description="/sys/class/tpm/tpm0/device/description"
...

> I do not see a "description" file on either my PowerPC or x86 systems with
> TPM 2.0.  Perhaps instead of testing for the "description" file, if the
> "pcrs" file is not found, emit a more verbose informational message, e.g.
> "pcrs file is not found - either you are running a TPM 2.0, or
> sysfs failed to show pcrs for TPM 1.2"
Some people are using /sys/class/tpm/tpm0/device/description [1] for testing the TPM
version. From the discussion on [1] I also got the impression that the file is
not always present. If there is really no reliable way to detect the TPM version
from sysfs (huh!), your approach would make sense to me.

> Thanks & Regards,
>       - Nayna

Kind regards,
Petr

[1] https://github.com/tpm2-software/tpm2-tools/issues/604
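The detection logic the thread converges on, written out as an added example (this is not code from the LTP ima_tpm.sh test nor from any of the posters): the presence of the sysfs `pcrs` file is taken as the TPM 1.2 indicator, the `description` attribute is only a fallback hint because it is not present on every system, and when neither tells anything the verbose "pcrs file is not found" message Nayna suggests is emitted instead of a silent fall-through. The device directory is passed as a parameter, and the sysfs-like trees built under `mktemp -d` (including the file contents) are constructed for offline demonstration; the real attribute text is not shown in the thread.

```shell
#!/bin/sh
# Added example: classify a TPM by what its sysfs device directory exposes.
# Assumption: $1 is the device directory (normally /sys/class/tpm/tpm0/device),
# passed explicitly so the logic can be exercised against constructed trees.
detect_tpm_version() {
	dir="$1"
	if [ -f "$dir/pcrs" ]; then
		# Only the TPM 1.2 driver exports PCR values through sysfs.
		echo "1.2"
	elif [ -f "$dir/description" ] && grep -q "^TPM 2.0" "$dir/description"; then
		# description is not exported on every system, so it is only a fallback.
		echo "2.0"
	else
		echo "unknown"
	fi
}

# Mirror the test's decision: verify PCR values only when a TPM 1.2 actually
# exposes pcrs; otherwise say why the check is skipped.
# Returns 0 when verification should proceed, 1 when it should be skipped.
pcr_check_applicable() {
	dir="$1"
	case "$(detect_tpm_version "$dir")" in
	1.2)
		echo "TINFO: TPM 1.2 pcrs found, verifying PCR values"
		return 0 ;;
	2.0)
		echo "TCONF: TPM 2.0 enabled, but not supported"
		return 1 ;;
	*)
		echo "TCONF: pcrs file is not found - either you are running a TPM 2.0, or sysfs failed to show pcrs for TPM 1.2"
		return 1 ;;
	esac
}

# Build a constructed sysfs-like tree for offline demonstration.
# Usage: make_fake_tpm_dir 1.2|2.0|2.0-nodesc ; prints the directory path.
# File contents below are constructed samples, not captured from a real TPM.
make_fake_tpm_dir() {
	d=$(mktemp -d)
	case "$1" in
	1.2)
		printf 'PCR-00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n' > "$d/pcrs"
		printf 'TPM 1.2 (constructed sample)\n' > "$d/description" ;;
	2.0)
		printf 'TPM 2.0 (constructed sample)\n' > "$d/description" ;;
	2.0-nodesc)
		: ;;  # nothing exported at all, the case Nayna reports
	esac
	echo "$d"
}

# Stand-alone demo against the three constructed trees.
for kind in 1.2 2.0 2.0-nodesc; do
	demo_dir=$(make_fake_tpm_dir "$kind")
	printf '%s -> %s\n' "$kind" "$(detect_tpm_version "$demo_dir")"
	pcr_check_applicable "$demo_dir" || true
	rm -rf "$demo_dir"
done
```

Keying the skip on the absence of `pcrs` rather than the presence of `description` means a TPM 2.0 system that exports neither attribute is reported as a configuration limitation instead of failing later when the test tries to read `pcrs`.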

