From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753766AbcL3TCq (ORCPT ); Fri, 30 Dec 2016 14:02:46 -0500 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:57916 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1752063AbcL3TCp (ORCPT ); Fri, 30 Dec 2016 14:02:45 -0500 From: Nayna Jain To: tpmdd-devel@lists.sourceforge.net, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org Cc: peterhuewe@gmx.de, tpmdd@selhorst.net, jarkko.sakkinen@linux.intel.com, jgunthorpe@obsidianresearch.com, Nayna Jain Subject: [PATCH v2 0/2] tpm: enhance TPM 2.0 extend function to support multiple PCR banks Date: Fri, 30 Dec 2016 14:02:28 -0500 X-Mailer: git-send-email 2.5.0 X-TM-AS-MML: disable X-Content-Scanned: Fidelis XPS MAILER x-cbid: 16123019-0012-0000-0000-000001FD7722 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 16123019-0013-0000-0000-000006BA0D7F Message-Id: <1483124550-9529-1-git-send-email-nayna@linux.vnet.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:,, definitions=2016-12-30_14:,, signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=0 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1612050000 definitions=main-1612300297 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org IMA extends its hash measurements in the TPM PCRs, based on policy. The existing in-kernel TPM extend function extends only the SHA1 PCR bank. TPM 2.0 defines multiple PCR banks, to support different hash algorithms. The TCG TPM 2.0 Specification[1] recommends extending all active PCR banks to prevent malicious users from setting unused PCR banks with fake measurements and quoting them. This patch set adds support for extending all active PCR banks, as recommended. The first patch implements the TPM 2.0 capability to retrieve the list of active PCR banks. The second patch modifies the tpm_pcr_extend() and tpm2_pcr_extend() interface to support extending multiple PCR banks. The existing tpm_pcr_extend() interface expects only a SHA1 digest. Hence, to extend all active PCR banks with differing digest sizes for TPM 2.0, the SHA1 digest is padded with 0's as needed. This approach is taken to maintain backwards compatibility for IMA in order to continue working with both TPM 1.2 and TPM 2.0 without any changes and still comply with TCG TPM 2.0 Specification[1]. [1] TPM 2.0 Specification referred here is "TCG PC Client Specific Platform Firmware Profile for TPM 2.0" Changelog v2: - Patch "tpm: implement TPM 2.0 capability to get active PCR banks" - defined structs definition in tpm2-cmd.c. - no_of_active_banks field is removed. Instead, constant TPM2_MAX_PCR_BANKS is defined. - renamed tpm2_get_active_pcr_banks() to tpm2_get_pcr_allocation() - removed generic function tpm2_get_capability(). - Patch "tpm: enchance TPM 2.0 PCR extend to support multiple banks" - Removed tpm2.h, and defined structs common for extend and event log in tpm_eventlog.h - uses tpm_buf in tpm2_pcr_extend(). Nayna Jain (2): tpm: implement TPM 2.0 capability to get active PCR banks tpm: enhance TPM 2.0 PCR extend to support multiple banks drivers/char/tpm/tpm-interface.c | 16 ++++- drivers/char/tpm/tpm.h | 8 ++- drivers/char/tpm/tpm2-cmd.c | 146 +++++++++++++++++++++++++++++++-------- drivers/char/tpm/tpm_eventlog.h | 15 ++++ 4 files changed, 153 insertions(+), 32 deletions(-) -- 2.5.0