linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Mimi Zohar <zohar@linux.ibm.com>
To: Sasha Levin <sashal@kernel.org>,
	linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Maurizio Drocco <maurizio.drocco@ibm.com>,
	Bruno Meneguele <bmeneg@redhat.com>,
	linux-integrity@vger.kernel.org,
	linux-security-module@vger.kernel.org
Subject: Re: [PATCH AUTOSEL 5.7 03/30] ima: extend boot_aggregate with kernel measurements
Date: Wed, 08 Jul 2020 12:13:13 -0400	[thread overview]
Message-ID: <1594224793.23056.251.camel@linux.ibm.com> (raw)
In-Reply-To: <20200708154116.3199728-3-sashal@kernel.org>

Hi Sasha,

On Wed, 2020-07-08 at 11:40 -0400, Sasha Levin wrote:
> From: Maurizio Drocco <maurizio.drocco@ibm.com>
> 
> [ Upstream commit 20c59ce010f84300f6c655d32db2610d3433f85c ]
> 
> Registers 8-9 are used to store measurements of the kernel and its
> command line (e.g., grub2 bootloader with tpm module enabled). IMA
> should include them in the boot aggregate. Registers 8-9 should be
> only included in non-SHA1 digests to avoid ambiguity.

Prior to Linux 5.8, the SHA1 template data hashes were padded before
being extended into the TPM.  Support for calculating and extending
the per TPM bank template data digests is only being upstreamed in
Linux 5.8.

How will attestation servers know whether to include PCRs 8 & 9 in the
the boot_aggregate calculation?  Now, there is a direct relationship
between the template data SHA1 padded digest not including PCRs 8 & 9,
and the new per TPM bank template data digest including them.

Mimi

  reply	other threads:[~2020-07-08 16:13 UTC|newest]

Thread overview: 28+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-07-08 15:40 [PATCH AUTOSEL 5.7 01/30] drm/msm: fix potential memleak in error branch Sasha Levin
2020-07-08 15:40 ` [PATCH AUTOSEL 5.7 02/30] drm/msm/dpu: allow initialization of encoder locks during encoder init Sasha Levin
2020-07-08 15:40 ` [PATCH AUTOSEL 5.7 03/30] ima: extend boot_aggregate with kernel measurements Sasha Levin
2020-07-08 16:13   ` Mimi Zohar [this message]
2020-07-09  1:27     ` Sasha Levin
2020-11-29 13:17       ` Mimi Zohar
2020-12-01  0:21         ` Sasha Levin
2020-12-01  3:13           ` Mimi Zohar
2020-12-02 23:53             ` Sasha Levin
2020-12-11  3:10         ` Tyler Hicks
2020-12-11 11:01           ` Mimi Zohar
2020-12-11 17:46             ` James Bottomley
2020-12-13  2:22               ` Mimi Zohar
2020-12-28 19:28                 ` Ken Goldman
2020-12-29  2:01                   ` Mimi Zohar
2020-12-14 16:42             ` Tyler Hicks
2021-01-12 15:35               ` Tyler Hicks
2021-01-12 16:56                 ` Mimi Zohar
2020-07-08 15:40 ` [PATCH AUTOSEL 5.7 04/30] drm/exynos: Properly propagate return value in drm_iommu_attach_device() Sasha Levin
2020-07-08 15:40 ` [PATCH AUTOSEL 5.7 05/30] drm/exynos: fix ref count leak in mic_pre_enable Sasha Levin
2020-07-08 15:40 ` [PATCH AUTOSEL 5.7 06/30] x86/fpu: Reset MXCSR to default in kernel_fpu_begin() Sasha Levin
2020-07-08 15:40 ` [PATCH AUTOSEL 5.7 07/30] exfat: Set the unused characters of FileName field to the value 0000h Sasha Levin
2020-07-08 15:40 ` [PATCH AUTOSEL 5.7 08/30] exfat: call sync_filesystem for read-only remount Sasha Levin
2020-07-08 15:40 ` [PATCH AUTOSEL 5.7 09/30] thermal/drivers: imx: Fix missing of_node_put() at probe time Sasha Levin
2020-07-08 15:40 ` [PATCH AUTOSEL 5.7 10/30] ACPI: DPTF: Add battery participant for TigerLake Sasha Levin
2020-07-08 15:40 ` [PATCH AUTOSEL 5.7 11/30] blk-mq-debugfs: update blk_queue_flag_name[] accordingly for new flags Sasha Levin
2020-07-08 15:40 ` [PATCH AUTOSEL 5.7 12/30] m68k: nommu: register start of the memory with memblock Sasha Levin
2020-07-08 15:40 ` [PATCH AUTOSEL 5.7 13/30] m68k: mm: fix node memblock init Sasha Levin

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1594224793.23056.251.camel@linux.ibm.com \
    --to=zohar@linux.ibm.com \
    --cc=bmeneg@redhat.com \
    --cc=linux-integrity@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=maurizio.drocco@ibm.com \
    --cc=sashal@kernel.org \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).