lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Mon, 27 Jan 2020 15:55:20 -0500
From:   Ken Goldman <kgold@...ux.ibm.com>
To:     Lakshmi Ramasubramanian <nramas@...ux.microsoft.com>,
        Mimi Zohar <zohar@...ux.ibm.com>,
        linux-integrity@...r.kernel.org
Cc:     linux-kernel@...r.kernel.org
Subject: Re: [PATCH 2/2] ima: support calculating the boot_aggregate based on
 different TPM banks

On 1/27/2020 11:50 AM, Lakshmi Ramasubramanian wrote:
> Can the number of allocated banks (ima_tpm_chip->nr_allocated_banks) be 
> zero? Should that be checked before accessing "allocated_banks"?

Summary:

It's unlikely that Linux on a PC will encounter a TPM without PCR 10.

It is likely that PCR 10 will be only SHA-256, that there will be no 
SHA-1 PCR 10.

~~

In theory:

Yes, one could have a TPM with no allocated banks.

In practice:

A PC Client TPM must have at least one bank with PCR 0 and PCR 17.

Some other TPMs, like automotive or embedded, may be different.

Most platforms will be designed to meet Windows requirements, which will 
have AFAIK at least one bank of 24 PCRs.

The TPM specification permits allocation of partial banks.  In theory, 
one could encounter a TPM with e.g., PCR 0-7 but not PCR 10.

In practice, AFAIK the hardware TPMs implement only full banks. 
Platform firmware allocates full banks.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ