lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 29 Jan 2019 22:14:05 +0200
From:   Jarkko Sakkinen <jarkko.sakkinen@...ux.intel.com>
To:     Roberto Sassu <roberto.sassu@...wei.com>
Cc:     zohar@...ux.ibm.com, david.safford@...com, monty.wiseman@...com,
        matthewgarrett@...gle.com, linux-integrity@...r.kernel.org,
        linux-security-module@...r.kernel.org,
        linux-kernel@...r.kernel.org, keyrings@...r.kernel.org,
        silviu.vlasceanu@...wei.com
Subject: Re: [PATCH v8 4/7] tpm: retrieve digest size of unknown algorithms
 with PCR read

On Thu, Jan 24, 2019 at 04:49:07PM +0100, Roberto Sassu wrote:
> Currently, the TPM driver retrieves the digest size from a table mapping
> TPM algorithms identifiers to identifiers defined by the crypto subsystem.
> If the algorithm is not defined by the latter, the digest size can be
> retrieved from the output of the PCR read command.
> 
> The patch modifies the definition of tpm_pcr_read() and tpm2_pcr_read() to
> pass the desired hash algorithm and obtain the digest size at TPM startup.
> Algorithms and corresponding digest sizes are stored in the new structure
> tpm_bank_info, member of tpm_chip, so that the information can be used by
> other kernel subsystems.
> 
> tpm_bank_info contains: the TPM algorithm identifier, necessary to generate
> the event log as defined by Trusted Computing Group (TCG); the digest size,
> to pad/truncate a digest calculated with a different algorithm; the crypto
> subsystem identifier, to calculate the digest of event data.
> 
> This patch also protects against data corruption that could happen in the
> bus, by checking that the digest size returned by the TPM during a PCR read
> matches the size of the algorithm passed to tpm2_pcr_read().
> 
> For the initial PCR read, when digest sizes are not yet available, this
> patch ensures that the amount of data copied from the output returned by
> the TPM does not exceed the size of the array data are copied to.
> 
> Signed-off-by: Roberto Sassu <roberto.sassu@...wei.com>
> Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@...ux.intel.com>
> Acked-by: Mimi Zohar <zohar@...ux.ibm.com>

Tested-by: Jarkko Sakkinen <jarkko.sakkinen@...ux.intel.com>

/Jarkko

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ