Subject: Re: [RFC PATCH 0/8] ima-evm-utils: calculate per TPM bank template digest
To: Mimi Zohar, linux-integrity@vger.kernel.org
Cc: Roberto Sassu, Vitaly Chikunov, Patrick Uiterwijk, Petr Vorel
From: Lakshmi Ramasubramanian
Date: Mon, 24 Feb 2020 08:23:19 -0800

On 2/22/20 5:12 PM, Mimi Zohar wrote:

>
> There are two aspects to Roberto's changes - extending the TPM banks
> with the bank specific template digest and verifying the boot
> aggregate.  This patch set only addresses the first aspect.
>
> Assuming both the sha1 and sha256 TPM banks are enabled,
>
> # tssgetcapability -cap 5
> 2 PCR selections
>     hash TPM_ALG_SHA1
>     TPMS_PCR_SELECTION length 3
>     ff ff ff
>     hash TPM_ALG_SHA256
>     TPMS_PCR_SELECTION length 3
>     ff ff ff
>
> the output would look like:
>
> # evmctl ima_measurement -v --list
> /sys/kernel/security/integrity/ima/binary_runtime_measurements
>
> sha1: PCRAgg  10: 7723f6d980725507e5d0eb643dc179aae0efb719
> sha1: TPM PCR-10: 7723f6d980725507e5d0eb643dc179aae0efb719
> sha1 PCR-10: succeed
>
> sha256: PCRAgg  10:
> 5254d6dce62765f884dc67dac8d59a8721ae14495ae4a0cb73426d0c013a82b2
> sha256: TPM PCR-10:
> 5254d6dce62765f884dc67dac8d59a8721ae14495ae4a0cb73426d0c013a82b2
> sha256 PCR-10: succeed
>

Thanks Mimi and Roberto for the update.

tpm2_pcrread command outputs the PCR values. The one for PCR-10 matches
the data output by evmctl.

-lakshmi
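
Added example, not part of the thread and not code from ima-evm-utils: a Python sketch of the per-bank check discussed above, replaying a measurement list into one simulated PCR-10 per TPM bank and comparing each with the value read from the TPM. It assumes the `ima-ng` style binary layout in little-endian byte order, uses constructed sample entries, and the function names are hypothetical.

```python
import hashlib
import struct

def make_entry(data, violation=False, pcr=10, name=b"ima-ng"):
    """Build one constructed list entry (assumed little-endian binary layout)."""
    digest = bytes(20) if violation else hashlib.sha1(data).digest()
    return (struct.pack("<I", pcr) + digest + struct.pack("<I", len(name)) + name
            + struct.pack("<I", len(data)) + data)

# Constructed sample list: two measurements with a violation between them.
SAMPLE_LIST = (make_entry(b"constructed-template-data-1")
               + make_entry(b"constructed-violation-data", violation=True)
               + make_entry(b"constructed-template-data-2"))

def parse_entries(blob):
    """Yield (pcr, sha1_template_digest, template_data) for each entry."""
    off = 0
    while off < len(blob):
        pcr, = struct.unpack_from("<I", blob, off)
        digest = blob[off + 4:off + 24]
        name_len, = struct.unpack_from("<I", blob, off + 24)
        off += 28 + name_len                      # skip the template name
        data_len, = struct.unpack_from("<I", blob, off)
        yield pcr, digest, blob[off + 4:off + 4 + data_len]
        off += 4 + data_len

def pcr_aggregates(blob, banks=("sha1", "sha256"), pcr_index=10):
    """Replay the list and return {bank: expected PCR value}."""
    agg = {b: bytes(hashlib.new(b).digest_size) for b in banks}  # PCR starts at zeros
    for pcr, digest, data in parse_entries(blob):
        if pcr != pcr_index:
            continue
        violation = digest == bytes(20)           # all-zero digest marks a violation
        if not violation and hashlib.sha1(data).digest() != digest:
            raise ValueError("template digest does not match template data")
        for b in banks:
            size = hashlib.new(b).digest_size
            # Bank-specific template digest: template data hashed with the bank's own
            # algorithm; a violation is extended as all 0xff bytes instead.
            ext = b"\xff" * size if violation else hashlib.new(b, data).digest()
            agg[b] = hashlib.new(b, agg[b] + ext).digest()  # extend: H(old || digest)
    return agg

def verify(blob, tpm_pcrs):
    """Compare replayed aggregates with PCR values read from the TPM, per bank."""
    agg = pcr_aggregates(blob, tuple(tpm_pcrs))
    return {b: agg[b] == tpm_pcrs[b] for b in tpm_pcrs}
```

A bank whose replayed aggregate differs from the TPM value is reported as `False`, which corresponds to the per-bank succeed/fail lines in the quoted evmctl output.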