Date:   Fri, 12 Jun 2020 12:47:57 +0800
From:   kernel test robot <lkp@...el.com>
To:     Maurizio Drocco <maurizio.drocco@....com>,
        linux-integrity@...r.kernel.org
Cc:     kbuild-all@...ts.01.org, clang-built-linux@...glegroups.com,
        jejb@...ux.ibm.com, Maurizio Drocco <maurizio.drocco@....com>,
        Mimi Zohar <zohar@...ux.ibm.com>,
        Dmitry Kasatkin <dmitry.kasatkin@...il.com>,
        James Morris <jmorris@...ei.org>,
        "Serge E. Hallyn" <serge@...lyn.com>,
        "open list:SECURITY SUBSYSTEM" 
        <linux-security-module@...r.kernel.org>,
        open list <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] extend IMA boot_aggregate with kernel measurements

Hi Maurizio,

Thank you for the patch! Perhaps something to improve:

[auto build test WARNING on integrity/next-integrity]
[also build test WARNING on next-20200611]
[cannot apply to v5.7]
[if your patch is applied to the wrong git tree, please drop us a note to help
improve the system. BTW, we also suggest using the '--base' option to specify the
base tree in git format-patch, please see https://stackoverflow.com/a/37406982]

url:    https://github.com/0day-ci/linux/commits/Maurizio-Drocco/extend-IMA-boot_aggregate-with-kernel-measurements/20200612-091504
base:   https://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git next-integrity
config: x86_64-allyesconfig (attached as .config)
compiler: clang version 11.0.0 (https://github.com/llvm/llvm-project 3b43f006294971b8049d4807110032169780e5b8)
reproduce (this is a W=1 build):
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # install x86_64 cross compiling tool for clang build
        # apt-get install binutils-x86-64-linux-gnu
        # save the attached .config to linux build tree
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross ARCH=x86_64 

If you fix the issue, kindly add the following tag as appropriate
Reported-by: kernel test robot <lkp@...el.com>

All warnings (new ones prefixed by >>, old ones prefixed by <<):

>> security/integrity/ima/ima_crypto.c:838:35: warning: size argument in 'memcmp' call is a comparison [-Wmemsize-comparison]
crypto_shash_digestsize(tfm) != 0))
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~
security/integrity/ima/ima_crypto.c:837:7: note: did you mean to compare the result of 'memcmp' instead?
if (memcmp(d.digest, d0.digest,
^
security/integrity/ima/ima_crypto.c:838:6: note: explicitly cast the argument to size_t to silence this warning
crypto_shash_digestsize(tfm) != 0))
^
(size_t)(                        )
1 warning generated.

vim +/memcmp +838 security/integrity/ima/ima_crypto.c

   797	
   798	/*
   799	 * The boot_aggregate is a cumulative hash over TPM registers 0 - 7.  With
   800	 * TPM 1.2 the boot_aggregate was based on reading the SHA1 PCRs, but with
   801	 * TPM 2.0 hash agility, TPM chips could support multiple TPM PCR banks,
   802	 * allowing firmware to configure and enable different banks.
   803	 *
   804	 * Knowing which TPM bank is read to calculate the boot_aggregate digest
   805	 * needs to be conveyed to a verifier.  For this reason, use the same
   806	 * hash algorithm for reading the TPM PCRs as for calculating the boot
   807	 * aggregate digest as stored in the measurement list.
   808	 */
   809	static int ima_calc_boot_aggregate_tfm(char *digest, u16 alg_id,
   810					       struct crypto_shash *tfm)
   811	{
   812		struct tpm_digest d = { .alg_id = alg_id, .digest = {0} }, d0 = d;
   813		int rc;
   814		u32 i;
   815		SHASH_DESC_ON_STACK(shash, tfm);
   816	
   817		shash->tfm = tfm;
   818	
   819		pr_devel("calculating the boot-aggregate based on TPM bank: %04x\n",
   820			 d.alg_id);
   821	
   822		rc = crypto_shash_init(shash);
   823		if (rc != 0)
   824			return rc;
   825	
   826		/* cumulative sha1 over tpm registers 0-7 */
   827		for (i = TPM_PCR0; i < TPM_PCR8; i++) {
   828			ima_pcrread(i, &d);
   829			/* now accumulate with current aggregate */
   830			rc = crypto_shash_update(shash, d.digest,
   831						 crypto_shash_digestsize(tfm));
   832		}
   833		/* extend cumulative sha1 over tpm registers 8-9 */
   834		for (i = TPM_PCR8; i < TPM_PCR10; i++) {
   835			ima_pcrread(i, &d);
   836			/* if not zero, accumulate with current aggregate */
   837			if (memcmp(d.digest, d0.digest,
 > 838						crypto_shash_digestsize(tfm) != 0))
   839				rc = crypto_shash_update(shash, d.digest,
   840						crypto_shash_digestsize(tfm));
   841		}
   842		if (!rc)
   843			crypto_shash_final(shash, digest);
   844		return rc;
   845	}
   846	

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org
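
The effect of the parenthesis placement flagged at line 838, shown as an added example that is not part of the robot's message or of the kernel source: with `!= 0` inside the size argument, memcmp() inspects a single byte, so a non-zero digest that begins with 0x00 is treated as empty and left out of the aggregate. The function names, the 20-byte digest length and the sample digests are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DIGEST_LEN 20	/* SHA-1 sized; assumed for this example */

/* Constructed samples: a non-zero digest whose first byte is 0x00,
 * a non-zero digest with a non-zero first byte, and an all-zero one. */
static const unsigned char leading_zero_pcr[DIGEST_LEN] = { 0x00, 0x5a, 0xc3, 0x11 };
static const unsigned char ordinary_pcr[DIGEST_LEN] = { 0x9f, 0x5a, 0xc3, 0x11 };
static const unsigned char empty_pcr[DIGEST_LEN];

/* What line 838 evaluates: the size argument is the comparison
 * (len != 0), which is 1, and the memcmp() result is the condition.
 * Callers pass len <= DIGEST_LEN. */
static int pcr_nonzero_as_written(const unsigned char *digest, size_t len)
{
	static const unsigned char zero[DIGEST_LEN];
	size_t n = (len != 0);	/* spelled out to show the value passed */

	return memcmp(digest, zero, n) != 0;
}

/* What the comment on line 836 describes: compare the whole digest. */
static int pcr_nonzero_intended(const unsigned char *digest, size_t len)
{
	static const unsigned char zero[DIGEST_LEN];

	return memcmp(digest, zero, len) != 0;
}

int main(void)
{
	printf("leading-zero digest: as written=%d intended=%d\n",
	       pcr_nonzero_as_written(leading_zero_pcr, DIGEST_LEN),
	       pcr_nonzero_intended(leading_zero_pcr, DIGEST_LEN));
	printf("ordinary digest:     as written=%d intended=%d\n",
	       pcr_nonzero_as_written(ordinary_pcr, DIGEST_LEN),
	       pcr_nonzero_intended(ordinary_pcr, DIGEST_LEN));
	printf("all-zero digest:     as written=%d intended=%d\n",
	       pcr_nonzero_as_written(empty_pcr, DIGEST_LEN),
	       pcr_nonzero_intended(empty_pcr, DIGEST_LEN));
	return 0;
}
```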
