lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Thu, 30 Jan 2020 15:40:57 +0000
From:   Roberto Sassu <roberto.sassu@...wei.com>
To:     Roberto Sassu <roberto.sassu@...wei.com>,
        Mimi Zohar <zohar@...ux.ibm.com>, Petr Vorel <pvorel@...e.cz>
CC:     Jerry Snitselaar <jsnitsel@...hat.com>,
        "linux-integrity@...r.kernel.org" <linux-integrity@...r.kernel.org>,
        James Bottomley <James.Bottomley@...senpartnership.com>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        Silviu Vlasceanu <Silviu.Vlasceanu@...wei.com>
Subject: RE: [PATCH 1/2] ima: use the IMA configured hash algo to calculate
 the boot aggregate

> -----Original Message-----
> From: linux-integrity-owner@...r.kernel.org [mailto:linux-integrity-
> owner@...r.kernel.org] On Behalf Of Roberto Sassu
> Sent: Thursday, January 30, 2020 4:27 PM
> To: Mimi Zohar <zohar@...ux.ibm.com>; Petr Vorel <pvorel@...e.cz>
> Cc: Jerry Snitselaar <jsnitsel@...hat.com>; linux-integrity@...r.kernel.org;
> James Bottomley <James.Bottomley@...senpartnership.com>; linux-
> kernel@...r.kernel.org
> Subject: RE: [PATCH 1/2] ima: use the IMA configured hash algo to calculate
> the boot aggregate
> 
> > -----Original Message-----
> > From: linux-integrity-owner@...r.kernel.org [mailto:linux-integrity-
> > owner@...r.kernel.org] On Behalf Of Mimi Zohar
> > Sent: Wednesday, January 29, 2020 11:51 PM
> > To: Petr Vorel <pvorel@...e.cz>
> > Cc: Jerry Snitselaar <jsnitsel@...hat.com>; linux-
> integrity@...r.kernel.org;
> > James Bottomley <James.Bottomley@...senpartnership.com>; linux-
> > kernel@...r.kernel.org; Roberto Sassu <roberto.sassu@...wei.com>
> > Subject: Re: [PATCH 1/2] ima: use the IMA configured hash algo to
> calculate
> > the boot aggregate
> >
> > On Wed, 2020-01-29 at 09:30 +0100, Petr Vorel wrote:
> > > Hi Mimi,
> > >
> > > Reviewed-by: Petr Vorel <pvorel@...e.cz>
> > >
> > > > The original LTP ima_boot_aggregate.c test needed to be updated to
> > > > support TPM 2.0 before this change.  For TPM 2.0, the PCRs are not
> > > > exported.  With this change, the kernel could be reading PCRs from a
> > > > TPM bank other than SHA1 and calculating the boot_aggregate based
> on
> > a
> > > > different hash algorithm as well.  I'm not sure how a remote verifier
> > > > would know which TPM bank was read, when calculating the boot-
> > > > aggregate.
> > > Mimi, do you plan to do update LTP test?
> >
> > In order to test Roberto's patches that calculates and extends the
> > different TPM banks with the appropriate hashes, we'll need some test
> > to verify that it is working properly.  As to whether this will be in
> > LTP or ima-evm-utils, I'm not sure.
> 
> attest-tools (https://github.com/euleros/attest-tools, branch 0.2-devel) has
> the
> ability to parse the BIOS and IMA event logs, and to compare
> boot_aggregate
> with the digest of final PCR values obtained by performing in software the
> PCR
> extend operation with digests in the BIOS event log.
> 
> To perform the test, it is necessary to have a complete BIOS event log.
> 
> Create req.json with this content:
> ---
> {
>   "reqs":{
>     "dummy|verify":"",
>     "ima_boot_aggregate|verify":""
>   }
> }
> ---
> 
> With the requirements above, we are telling attest-tools to verify only
> boot_aggregate. Without the dummy requirement, verification would
> fail (BIOS and remaining IMA measurement entries are not processed).
> 
> On server side run:
> # attest_ra_server -p 10 -r req.json -s -i
> 
> -s disables TPM signature verification
> -i allows IMA violations
> 
> To enable TPM signature verification it is necessary to have a valid AK
> certificate. It can be obtained by following the instructions at:
> 
> https://github.com/euleros/attest-tools/blob/0.2-devel/README
> 
> On client side run:
> # echo test > aik_cert.pem
> # echo aik_cert.pem > list_privacy_ca
> # attest_ra_client -A
> 
> The command above generates an AK.
> 
> # attest_ra_client -s <server IP> -q -p 10 -P <PCR algo> -b -i
> 
> The command above sends the TPM quote and the event logs
> to the RA server and gets the response (successful/failed
> verification).
> 
> -b includes the BIOS event log from securityfs
> -i includes the IMA event log from securityfs
> 
> To check that boot_aggregate is calculated properly, use -P sha256

and to check that IMA extends non-SHA1 PCR banks with an appropriate
digest,

> in attest_ra_client and set ima_hash=sha256 in the kernel command
> line.

Roberto

HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Li Peng, Li Jian, Shi Yanli

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ