From: "Roberts, William C" <william.c.roberts@intel.com>
To: "linux-integrity@vger.kernel.org" <linux-integrity@vger.kernel.org>
Subject: Questions on SHA1 in ima_init
Date: Mon, 11 May 2020 17:49:25 +0000 [thread overview]
Message-ID: <476DC76E7D1DF2438D32BFADF679FC5649EDCB91@ORSMSX101.amr.corp.intel.com> (raw)
Hello,
I'm part of the tpm2 users pace tooling and libraries, and I am trying to track down an issue in where boot aggregate is only extended in the SHA1
bank of PCR10.
You can read the details on the link below, but ill summarize here
- https://lists.01.org/hyperkitty/list/tpm2@lists.01.org/thread/FUBD3MY5U5YICNUYSF3NE2STO3YAW7Y4/
It looks like ima_add_boot_aggregate() is hardcoded to SHA1, our guess is, that it's so it works between TPM 1.X and TPM2.0 chips. Is that
correct?
I was wondering if that synopsis is correct and if there would be traction to add something like querying the tpm chip and getting the version
And picking SHA256 if its tpm2.0, as a sample to guide the discussion I included the patch below (totally untested/not-compiled). The main
downside would be leaking TPM versions into IMA to make a decisions, so it may be better to have a helper in the tpm code to pick the best
default algorithm where it could pick SHA1 for TPM1.X and SHA256 for TPM2.0. Thoughts?
diff --git a/security/integrity/ima/ima_init.c b/security/integrity/ima/ima_init.c
index 567468188a61..d0513bafeebf 100644
--- a/security/integrity/ima/ima_init.c
+++ b/security/integrity/ima/ima_init.c
@@ -15,6 +15,7 @@
#include <linux/scatterlist.h>
#include <linux/slab.h>
#include <linux/err.h>
+#include <linux/printk.h>
#include "ima.h"
@@ -59,6 +60,16 @@ static int __init ima_add_boot_aggregate(void)
iint->ima_hash->length = SHA1_DIGEST_SIZE;
if (ima_tpm_chip) {
+ result = tpm_is_tpm2(ima_tpm_chip);
+ if (result > 0) {
+ /* yes it's a TPM2 chipset use sha256 */
+ iint->ima_hash->algo = HASH_ALGO_SHA256;
+ iint->ima_hash->length = SHA256_DIGEST_SIZE;
+ } else if (result < 0) {
+ /* ignore errors here, as we can just move on with SHA1 */
+ pr_warn("Could not query TPM chip version, got: %d\n", result);
+ }
+
result = ima_calc_boot_aggregate(&hash.hdr);
if (result < 0) {
audit_cause = "hashing_error";
next reply other threads:[~2020-05-11 17:49 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-05-11 17:49 Roberts, William C [this message]
2020-05-11 19:14 ` Questions on SHA1 in ima_init James Bottomley
2020-05-11 19:28 ` Roberts, William C
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=476DC76E7D1DF2438D32BFADF679FC5649EDCB91@ORSMSX101.amr.corp.intel.com \
--to=william.c.roberts@intel.com \
--cc=linux-integrity@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).