From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-13.6 required=3.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI, MENTIONS_GIT_HOSTING,SPF_HELO_NONE,SPF_PASS,T_DKIMWL_WL_MED, USER_IN_DEF_DKIM_WL autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0C2DFC04AB6 for ; Fri, 31 May 2019 18:07:51 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id C14FA26D97 for ; Fri, 31 May 2019 18:07:50 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="AiGG8HxT" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726877AbfEaSHu (ORCPT ); Fri, 31 May 2019 14:07:50 -0400 Received: from mail-io1-f66.google.com ([209.85.166.66]:38336 "EHLO mail-io1-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726836AbfEaSHu (ORCPT ); Fri, 31 May 2019 14:07:50 -0400 Received: by mail-io1-f66.google.com with SMTP id x24so8959483ion.5 for ; Fri, 31 May 2019 11:07:49 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=jKR1NtB7SgMzmShrYrZUhqCDiAbGVaXCYkkRHlfIGfM=; b=AiGG8HxTamjCh5sTyX1FQexy3sn1Vu8ubxAy5vg3x7vGwog1tCwZRTOAUm3v2deHky 9t7Vv0KslPwyKowMmV50tJjUKRsx6X+a5voLmvB/4BiP3pdeU/QsVk9uw+ZWV05REjTw gBTO2I2P6DRj/MTcXXgMobzggWZnNdgieetSruCu0uJoADNF78eDogg6nBBi32l17ggh 83fGPsKMquKtsNl0V9svF74h/2/l8Pz/m++No9+tV5ayLezJ5l1NGOdvVGmvSc4L3pXn Jgp6RdZ+TAL2u3ZhD3s5UQ5vKcDGs7PJvgfiZjwP3qMpwYa0Z+QYXcJgkuz40FK0Bf9r 9WPQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=jKR1NtB7SgMzmShrYrZUhqCDiAbGVaXCYkkRHlfIGfM=; b=LzAq28yOn3AEVoMKGeJIKzgAbzGsKZBltzQYvKIC9GmzmvFO6BQCY8oq3YjK7k9TWt rU9jcNVhtM62EZu8EO9t9uHauxYWzlDa4joPAfMy/bc+R6eyRLpNHPQHzmBWp4ksVaZ3 KcXKQu8CC18LHgIwWRTWkXutDC3KYLjUajcIa/Yg/MSFo8KGEgu5S7WPkxWBzKbqiiRD 9Zg/hDleC+y0oxhhjToI2/89dIDeAA5oTYODogODb+80zDO2agSObzckPD7ER4D5x1TK 9qRl7SJBUarsT7/qJCQ3BRWSNTqEv2je4l2zaeXqU6qc+zzkNEemO0NFwRN2okmEgC1T zYcQ== X-Gm-Message-State: APjAAAURBBtR4Yw/740YvUy0xXrOlrX1+md62SXCMbZwKCyI/i9IgAz0 tvvXx3jzrQ8gb85y8wDReIyDnd4M64UA50OHa+QPutWCuYvdi9dW X-Google-Smtp-Source: APXvYqxzg9XmiS0iSaI9StJim8e+eA3NblMlnd5i1k3SQW26ShdLMEtQlC9w7vyQMOL73cYu5BbJX9Xxoc85HBnJc58= X-Received: by 2002:a6b:6b14:: with SMTP id g20mr7504962ioc.28.1559326068582; Fri, 31 May 2019 11:07:48 -0700 (PDT) MIME-Version: 1.0 References: <20190520205501.177637-1-matthewgarrett@google.com> In-Reply-To: <20190520205501.177637-1-matthewgarrett@google.com> From: Joe Richey Date: Fri, 31 May 2019 11:07:37 -0700 Message-ID: Subject: Re: [PATCH V7 0/4] Add support for crypto agile logs To: Matthew Garrett Cc: linux-integrity@vger.kernel.org, peterhuewe@gmx.de, jarkko.sakkinen@linux.intel.com, jgg@ziepe.ca, roberto.sassu@huawei.com, linux-efi@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, =?UTF-8?Q?Thi=C3=A9baud_Weksteen?= , bsz@semihalf.com Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="000000000000730f7f058a32e4a6" Sender: linux-integrity-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org --000000000000730f7f058a32e4a6 Content-Type: text/plain; charset="UTF-8" On Mon, May 20, 2019 at 1:56 PM Matthew Garrett wrote: > > Identical to previous version except without the KSAN workaround - Ard > has a better solution for that. I just tested this on x86_64 with the systemd-boot (previously gummiboot) bootloader. For context, this bootloader is essentially just an EFI chainloader. This bootloader measures the kernel cmdline into PCR 8. However, it calls GetEventLog before calling HashLogExtendEvent, intending to have the log entry written to the "EFI TCG 2.0 final events table". See: https://github.com/systemd/systemd/blob/75e40119a471454516ad0acc96f6f4094e7fb652/src/boot/efi/measure.c#L212-L227 With the current patchset, this log entry appears _twice_ in the sysfs file. This is caused by the fact that the sysfs event log unconditionally appends the entire final event log to the output of GetEventLog. However, the correct behavior would be to append only the _new_ entries that appear in the final event log to the output of GetEventLog. This could be done by first calculating the length of the final events log table, then recalculating the length of the final events log after the kernel calls ExitBootServices. This would let us know for sure that we are only appending new log entries. --000000000000730f7f058a32e4a6 Content-Type: application/pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" Content-Description: S/MIME Cryptographic Signature MIIS7QYJKoZIhvcNAQcCoIIS3jCCEtoCAQExDzANBglghkgBZQMEAgEFADALBgkqhkiG9w0BBwGg ghBTMIIEXDCCA0SgAwIBAgIOSBtqDm4P/739RPqw/wcwDQYJKoZIhvcNAQELBQAwZDELMAkGA1UE BhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExOjA4BgNVBAMTMUdsb2JhbFNpZ24gUGVy c29uYWxTaWduIFBhcnRuZXJzIENBIC0gU0hBMjU2IC0gRzIwHhcNMTYwNjE1MDAwMDAwWhcNMjEw NjE1MDAwMDAwWjBMMQswCQYDVQQGEwJCRTEZMBcGA1UEChMQR2xvYmFsU2lnbiBudi1zYTEiMCAG A1UEAxMZR2xvYmFsU2lnbiBIViBTL01JTUUgQ0EgMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC AQoCggEBALR23lKtjlZW/17kthzYcMHHKFgywfc4vLIjfq42NmMWbXkNUabIgS8KX4PnIFsTlD6F GO2fqnsTygvYPFBSMX4OCFtJXoikP2CQlEvO7WooyE94tqmqD+w0YtyP2IB5j4KvOIeNv1Gbnnes BIUWLFxs1ERvYDhmk+OrvW7Vd8ZfpRJj71Rb+QQsUpkyTySaqALXnyztTDp1L5d1bABJN/bJbEU3 Hf5FLrANmognIu+Npty6GrA6p3yKELzTsilOFmYNWg7L838NS2JbFOndl+ce89gM36CW7vyhszi6 6LqqzJL8MsmkP53GGhf11YMP9EkmawYouMDP/PwQYhIiUO0CAwEAAaOCASIwggEeMA4GA1UdDwEB /wQEAwIBBjAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwQwEgYDVR0TAQH/BAgwBgEB/wIB ADAdBgNVHQ4EFgQUyzgSsMeZwHiSjLMhleb0JmLA4D8wHwYDVR0jBBgwFoAUJiSSix/TRK+xsBtt r+500ox4AAMwSwYDVR0fBEQwQjBAoD6gPIY6aHR0cDovL2NybC5nbG9iYWxzaWduLmNvbS9ncy9n c3BlcnNvbmFsc2lnbnB0bnJzc2hhMmcyLmNybDBMBgNVHSAERTBDMEEGCSsGAQQBoDIBKDA0MDIG CCsGAQUFBwIBFiZodHRwczovL3d3dy5nbG9iYWxzaWduLmNvbS9yZXBvc2l0b3J5LzANBgkqhkiG 9w0BAQsFAAOCAQEACskdySGYIOi63wgeTmljjA5BHHN9uLuAMHotXgbYeGVrz7+DkFNgWRQ/dNse Qa4e+FeHWq2fu73SamhAQyLigNKZF7ZzHPUkSpSTjQqVzbyDaFHtRBAwuACuymaOWOWPePZXOH9x t4HPwRQuur57RKiEm1F6/YJVQ5UTkzAyPoeND/y1GzXS4kjhVuoOQX3GfXDZdwoN8jMYBZTO0H5h isymlIl6aot0E5KIKqosW6mhupdkS1ZZPp4WXR4frybSkLejjmkTYCTUmh9DuvKEQ1Ge7siwsWgA NS1Ln+uvIuObpbNaeAyMZY0U5R/OyIDaq+m9KXPYvrCZ0TCLbcKuRzCCBB4wggMGoAMCAQICCwQA AAAAATGJxkCyMA0GCSqGSIb3DQEBCwUAMEwxIDAeBgNVBAsTF0dsb2JhbFNpZ24gUm9vdCBDQSAt IFIzMRMwEQYDVQQKEwpHbG9iYWxTaWduMRMwEQYDVQQDEwpHbG9iYWxTaWduMB4XDTExMDgwMjEw MDAwMFoXDTI5MDMyOTEwMDAwMFowZDELMAkGA1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24g bnYtc2ExOjA4BgNVBAMTMUdsb2JhbFNpZ24gUGVyc29uYWxTaWduIFBhcnRuZXJzIENBIC0gU0hB MjU2IC0gRzIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCg/hRKosYAGP+P7mIdq5NB Kr3J0tg+8lPATlgp+F6W9CeIvnXRGUvdniO+BQnKxnX6RsC3AnE0hUUKRaM9/RDDWldYw35K+sge C8fWXvIbcYLXxWkXz+Hbxh0GXG61Evqux6i2sKeKvMr4s9BaN09cqJ/wF6KuP9jSyWcyY+IgL6u2 52my5UzYhnbf7D7IcC372bfhwM92n6r5hJx3r++rQEMHXlp/G9J3fftgsD1bzS7J/uHMFpr4MXua eoiMLV5gdmo0sQg23j4pihyFlAkkHHn4usPJ3EePw7ewQT6BUTFyvmEB+KDoi7T4RCAZDstgfpzD rR/TNwrK8/FXoqnFAgMBAAGjgegwgeUwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8C AQEwHQYDVR0OBBYEFCYkkosf00SvsbAbba/udNKMeAADMEcGA1UdIARAMD4wPAYEVR0gADA0MDIG CCsGAQUFBwIBFiZodHRwczovL3d3dy5nbG9iYWxzaWduLmNvbS9yZXBvc2l0b3J5LzA2BgNVHR8E LzAtMCugKaAnhiVodHRwOi8vY3JsLmdsb2JhbHNpZ24ubmV0L3Jvb3QtcjMuY3JsMB8GA1UdIwQY MBaAFI/wS3+oLkUkrk1Q+mOai97i3Ru8MA0GCSqGSIb3DQEBCwUAA4IBAQACAFVjHihZCV/IqJYt 7Nig/xek+9g0dmv1oQNGYI1WWeqHcMAV1h7cheKNr4EOANNvJWtAkoQz+076Sqnq0Puxwymj0/+e oQJ8GRODG9pxlSn3kysh7f+kotX7pYX5moUa0xq3TCjjYsF3G17E27qvn8SJwDsgEImnhXVT5vb7 qBYKadFizPzKPmwsJQDPKX58XmPxMcZ1tG77xCQEXrtABhYC3NBhu8+c5UoinLpBQC1iBnNpNwXT Lmd4nQdf9HCijG1e8myt78VP+QSwsaDT7LVcLT2oDPVggjhVcwljw3ePDwfGP9kNrR+lc8XrfClk WbrdhC2o4Ui28dtIVHd3MIIDXzCCAkegAwIBAgILBAAAAAABIVhTCKIwDQYJKoZIhvcNAQELBQAw TDEgMB4GA1UECxMXR2xvYmFsU2lnbiBSb290IENBIC0gUjMxEzARBgNVBAoTCkdsb2JhbFNpZ24x EzARBgNVBAMTCkdsb2JhbFNpZ24wHhcNMDkwMzE4MTAwMDAwWhcNMjkwMzE4MTAwMDAwWjBMMSAw HgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSMzETMBEGA1UEChMKR2xvYmFsU2lnbjETMBEG A1UEAxMKR2xvYmFsU2lnbjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMwldpB5Bngi FvXAg7aEyiie/QV2EcWtiHL8RgJDx7KKnQRfJMsuS+FggkbhUqsMgUdwbN1k0ev1LKMPgj0MK66X 17YUhhB5uzsTgHeMCOFJ0mpiLx9e+pZo34knlTifBtc+ycsmWQ1z3rDI6SYOgxXG71uL0gRgykmm KPZpO/bLyCiR5Z2KYVc3rHQU3HTgOu5yLy6c+9C7v/U9AOEGM+iCK65TpjoWc4zdQQ4gOsC0p6Hp sk+QLjJg6VfLuQSSaGjlOCZgdbKfd/+RFO+uIEn8rUAVSNECMWEZXriX7613t2Saer9fwRPvm2L7 DWzgVGkWqQPabumDk3F2xmmFghcCAwEAAaNCMEAwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQF MAMBAf8wHQYDVR0OBBYEFI/wS3+oLkUkrk1Q+mOai97i3Ru8MA0GCSqGSIb3DQEBCwUAA4IBAQBL QNvAUKr+yAzv95ZURUm7lgAJQayzE4aGKAczymvmdLm6AC2upArT9fHxD4q/c2dKg8dEe3jgr25s bwMpjjM5RcOO5LlXbKr8EpbsU8Yt5CRsuZRj+9xTaGdWPoO4zzUhw8lo/s7awlOqzJCK6fBdRoyV 3XpYKBovHd7NADdBj+1EbddTKJd+82cEHhXXipa0095MJ6RMG3NzdvQXmcIfeg7jLQitChws/zyr VQ4PkX4268NXSb7hLi18YIvDQVETI53O9zJrlAGomecsMx86OyXShkDOOyyGeMlhLxS67ttVb9+E 7gUJTb0o2HLO02JQZR7rkpeDMdmztcpHWD9fMIIEajCCA1KgAwIBAgIMXsN7dVzFxfwQ99yiMA0G CSqGSIb3DQEBCwUAMEwxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMSIw IAYDVQQDExlHbG9iYWxTaWduIEhWIFMvTUlNRSBDQSAxMB4XDTE5MDUxMTA2NDYzMFoXDTE5MTEw NzA2NDYzMFowJTEjMCEGCSqGSIb3DQEJAQwUam9lcmljaGV5QGdvb2dsZS5jb20wggEiMA0GCSqG SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDGkVE7rdacPiSx/12FO3NN5C0c1yc+AiyXiniO2uxVJNM9 5CIgh2quuuQsChnlXbLL8b75I9P9yqtIJZkwkGd44a7bLFtQ6f8WIwRB8WDszTLUq5DuAWG9Guij rqF0H/FCPldCCEC+ntqSofAlGOnOfzZ12QoB/UKqceQjLA6XkqrlcipvTE6FIIKi2gix2m54oP3v s3gDqt0wNAtiY1M3qYwVhCUizATa8m2XjFkwpx0zhCgRESnQQCD+sdMbqt7dz9u2PyejpQtBMw0Z 3CEwYf/5WpLrmp+MjoE+YszS7fg3+ozAHY/yAHoLfFVWCq9vEJHe7U6uXwOuEMgKq1L3AgMBAAGj ggFxMIIBbTAfBgNVHREEGDAWgRRqb2VyaWNoZXlAZ29vZ2xlLmNvbTBQBggrBgEFBQcBAQREMEIw QAYIKwYBBQUHMAKGNGh0dHA6Ly9zZWN1cmUuZ2xvYmFsc2lnbi5jb20vY2FjZXJ0L2dzaHZzbWlt ZWNhMS5jcnQwHQYDVR0OBBYEFG6/jgVXjk39iBARYUuHmZCsTrTrMB8GA1UdIwQYMBaAFMs4ErDH mcB4koyzIZXm9CZiwOA/MEwGA1UdIARFMEMwQQYJKwYBBAGgMgEoMDQwMgYIKwYBBQUHAgEWJmh0 dHBzOi8vd3d3Lmdsb2JhbHNpZ24uY29tL3JlcG9zaXRvcnkvMDsGA1UdHwQ0MDIwMKAuoCyGKmh0 dHA6Ly9jcmwuZ2xvYmFsc2lnbi5jb20vZ3NodnNtaW1lY2ExLmNybDAOBgNVHQ8BAf8EBAMCBaAw HQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMEMA0GCSqGSIb3DQEBCwUAA4IBAQBtJ4NaR/zX 2J1ZDXrnIxYq0ncG1ChsKj1V6wae7E6B4hbWl0aBAcmKc+yuwrQpcaBsD0UnW5r6OBTRVigQrCe9 wuPrZSf0m+W2YtEaIalAY5z4lRk8Ejs9x7ao9IQefPMnlBAu4J3P2yPr2Z/H6kR7IAeoqRh74hRt R0A3/jv+yqtVggpgW+GcSVII3+i6d1UWyZ36pyz/XDPj9U9sxyv0SP/nmVQ/fa84EU3K2waJe3JK 8Ouzzz+TKaX8Z+L0b3BirVkYIWbNig6VTzh75FQwVSOqRSJeSNypbshDB2Hui+ptRyhQxRDKfdWX ravwoP1khGyAfyNl91xqxNPlfqmWMYICXjCCAloCAQEwXDBMMQswCQYDVQQGEwJCRTEZMBcGA1UE ChMQR2xvYmFsU2lnbiBudi1zYTEiMCAGA1UEAxMZR2xvYmFsU2lnbiBIViBTL01JTUUgQ0EgMQIM XsN7dVzFxfwQ99yiMA0GCWCGSAFlAwQCAQUAoIHUMC8GCSqGSIb3DQEJBDEiBCCK3WksVphcsxYy ICZ8bkS+gQtYicNl+9RhJ/vWWGhdODAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3 DQEJBTEPFw0xOTA1MzExODA3NDlaMGkGCSqGSIb3DQEJDzFcMFowCwYJYIZIAWUDBAEqMAsGCWCG SAFlAwQBFjALBglghkgBZQMEAQIwCgYIKoZIhvcNAwcwCwYJKoZIhvcNAQEKMAsGCSqGSIb3DQEB BzALBglghkgBZQMEAgEwDQYJKoZIhvcNAQEBBQAEggEAQK/SYME1B9CnpYkEFXqlP7FXuIkuP5+3 6tfSqD1PC9UjPBAu4iye9MEdla9XFd5JLLKuVbCdyjwvPKAkVzJOQxatQykQ+eALmhrTlslciTD8 /USZ97O+RScUo5cajIyur+ochBCqsBN8H7WpxRCTlTJQjWY4GuXVMi8vknJ5j5wRalILSdg7XfWm BFGo+HNLJrJ+CsnQQfMnAY/YjkvQuGdwP+oNJqAW4WMm4okBvQ4L+CgU8NObW6VWUWEwCiHTX42i eWEZD+SGnoq5Oc/6V/nen5vtlIcTgxnFTrWAhc9tLMoTPkYbFe6EMtCGCBihsfmDswn+jtMxVNRS 7iItCA== --000000000000730f7f058a32e4a6--