From: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
To: Nayna Jain <nayna@linux.vnet.ibm.com>
Cc: linux-kernel@vger.kernel.org,
	linux-security-module@vger.kernel.org,
	tpmdd-devel@lists.sourceforge.net
Subject: Re: [tpmdd-devel] [PATCH v2 0/2] tpm: enhance TPM 2.0 extend function to support multiple PCR banks
Date: Tue, 3 Jan 2017 15:29:43 +0200
Message-ID: <20170103132943.xhmglzre5le5stx4@intel.com>
In-Reply-To: <20170102221550.pck4fwir77zss6lz@intel.com>

On Tue, Jan 03, 2017 at 12:15:50AM +0200, Jarkko Sakkinen wrote:
> On Fri, Dec 30, 2016 at 02:02:28PM -0500, Nayna Jain wrote:
> > IMA extends its hash measurements in the TPM PCRs, based on policy.
> > The existing in-kernel TPM extend function extends only the SHA1
> > PCR bank. TPM 2.0 defines multiple PCR banks, to support different
> > hash algorithms. The TCG TPM 2.0 Specification[1] recommends
> > extending all active PCR banks to prevent malicious users from
> > setting unused PCR banks with fake measurements and quoting them.
> > This patch set adds support for extending all active PCR banks,
> > as recommended.
> > 
> > The first patch implements the TPM 2.0 capability to retrieve
> > the list of active PCR banks.
> > 
> > The second patch modifies the tpm_pcr_extend() and tpm2_pcr_extend()
> > interface to support extending multiple PCR banks. The existing
> > tpm_pcr_extend() interface expects only a SHA1 digest. Hence, to
> > extend all active PCR banks with differing digest sizes for TPM 2.0,
> > the SHA1 digest is padded with 0's as needed.
> > 
> > This approach is taken to maintain backwards compatibility for IMA
> > in order to continue working with both TPM 1.2 and TPM 2.0 without
> > any changes and still comply with TCG TPM 2.0 Specification[1].
> 
> What is the plan to improve IMA so that it can use better hash
> algorithms? For me this zero padding sounds like a hack.

I'm fine with zero padding if there is also at minimum to improve the
situation. I do not want to apply these patches if they are ought to
become a bottleneck.

/Jarkko
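
The cover letter above describes extending every active PCR bank with the same SHA1 digest, zero-padded to each bank's digest size. The following is an added Python simulation written for this page; it is not the kernel patch and not IMA code. It models two constructed active banks (sha1 and sha256), replays a constructed list of SHA1 file measurements the way tpm_pcr_extend() would drive the TPM under the old (SHA1-only) and the proposed (all-banks) behaviour, and shows the property the TCG recommendation is about: a bank that is never extended keeps its reset value, so it can be filled with arbitrary values and quoted. Function names, the bank table and the measurement list are all assumptions for the example.

```python
import hashlib

# Constructed example: the set of active PCR banks a TPM 2.0 would report
# via TPM2_GetCapability(TPM_CAP_PCRS), with each bank's digest size.
ACTIVE_BANKS = {"sha1": 20, "sha256": 32}
SHA1_DIGEST_SIZE = hashlib.sha1().digest_size  # 20


def fresh_pcrs():
    """One PCR per bank, at its reset value (all zeros)."""
    return {bank: bytes(size) for bank, size in ACTIVE_BANKS.items()}


def pcr_extend_bank(pcrs, bank, digest):
    """TPM2_PCR_Extend for a single bank: PCR_new = H_bank(PCR_old || digest).

    The TPM hashes the supplied digest as-is, so the caller must present a
    value of exactly the bank's digest size.
    """
    size = ACTIVE_BANKS[bank]
    if len(digest) != size:
        raise ValueError(f"{bank} bank expects {size}-byte digest, got {len(digest)}")
    pcrs[bank] = hashlib.new(bank, pcrs[bank] + digest).digest()


def pad_sha1_digest(sha1_digest, size):
    """Zero-pad a 20-byte SHA1 digest to a larger bank's digest size.

    This mirrors the approach described in the cover letter: IMA keeps
    handing in a SHA1 digest, and the padding is done for it.
    """
    if len(sha1_digest) != SHA1_DIGEST_SIZE:
        raise ValueError("expected a SHA1 digest")
    return sha1_digest + bytes(size - SHA1_DIGEST_SIZE)


def tpm_pcr_extend_sha1_only(pcrs, sha1_digest):
    """Old behaviour: only the SHA1 bank is ever extended."""
    pcr_extend_bank(pcrs, "sha1", sha1_digest)


def tpm_pcr_extend_all_banks(pcrs, sha1_digest):
    """Proposed behaviour: extend every active bank with the padded digest."""
    for bank, size in ACTIVE_BANKS.items():
        pcr_extend_bank(pcrs, bank, pad_sha1_digest(sha1_digest, size))


def replay_log(measurements, extend):
    """Replay an IMA-style list of SHA1 file digests through an extend policy."""
    pcrs = fresh_pcrs()
    for digest in measurements:
        extend(pcrs, digest)
    return pcrs


def untouched_bank(pcrs, bank):
    """True if the bank still holds its reset value, i.e. nothing bound it."""
    return pcrs[bank] == bytes(ACTIVE_BANKS[bank])


def forge_quote_for_untouched_bank(pcrs, fake_digest):
    """Attacker with TPM access extends an untouched bank with a fake
    measurement and can then quote it against an attacker-written log."""
    pcr_extend_bank(pcrs, "sha256", fake_digest)
    attacker_replay = fresh_pcrs()
    pcr_extend_bank(attacker_replay, "sha256", fake_digest)
    # A verifier that only replays the attacker's log against the sha256
    # bank sees a consistent quote.
    return pcrs["sha256"] == attacker_replay["sha256"]


# Constructed IMA-style measurements: SHA1 of a few file contents.
MEASUREMENTS = [
    hashlib.sha1(b"#!/bin/sh\necho boot\n").digest(),
    hashlib.sha1(b"ELF\x02\x01\x01 constructed binary").digest(),
    hashlib.sha1(b"kernel module payload (constructed)").digest(),
]


def compare_policies():
    old = replay_log(MEASUREMENTS, tpm_pcr_extend_sha1_only)
    new = replay_log(MEASUREMENTS, tpm_pcr_extend_all_banks)
    return old, new


if __name__ == "__main__":
    old, new = compare_policies()
    print("sha1 bank identical under both policies:", old["sha1"] == new["sha1"])
    print("sha256 bank untouched under old policy:", untouched_bank(old, "sha256"))
    print("sha256 bank untouched under new policy:", untouched_bank(new, "sha256"))
```

The sha1 bank value is byte-identical under both policies, which is the backwards-compatibility point in the cover letter. Under the old policy the sha256 bank is still all zeros after a full boot's worth of measurements, and forge_quote_for_untouched_bank() shows that a single attacker-chosen extend then makes that bank consistent with an attacker-chosen log. Under the new policy the bank is already bound to the real sequence, so any further extend changes it away from what a legitimate replay of the log produces.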


Thread overview: 11+ messages
2016-12-30 19:02 [PATCH v2 0/2] tpm: enhance TPM 2.0 extend function to support multiple PCR banks Nayna Jain
2016-12-30 19:02 ` [PATCH v2 1/2] tpm: implement TPM 2.0 capability to get active " Nayna Jain
2017-01-03 18:52   ` Jarkko Sakkinen
2016-12-30 19:02 ` [PATCH v2 2/2] tpm: enhance TPM 2.0 PCR extend to support multiple banks Nayna Jain
2016-12-30 20:53   ` kbuild test robot
2016-12-30 21:17   ` kbuild test robot
2017-01-03 18:54   ` Jarkko Sakkinen
2017-01-02 22:15 ` [PATCH v2 0/2] tpm: enhance TPM 2.0 extend function to support multiple PCR banks Jarkko Sakkinen
2017-01-03 12:27   ` [tpmdd-devel] " Mimi Zohar
2017-01-03 13:55     ` Jarkko Sakkinen
2017-01-03 13:29   ` Jarkko Sakkinen [this message]
