| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 11 Jun 2020 20:29:55 -0400
From: Mimi Zohar <zohar@...ux.ibm.com>
To: Maurizio Drocco <maurizio.drocco@....com>,
linux-integrity@...r.kernel.org
Cc: jejb@...ux.ibm.com, Dmitry Kasatkin <dmitry.kasatkin@...il.com>,
James Morris <jmorris@...ei.org>,
"Serge E. Hallyn" <serge@...lyn.com>,
"open list:SECURITY SUBSYSTEM"
<linux-security-module@...r.kernel.org>,
open list <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] extend IMA boot_aggregate with kernel measurements
Hi Maurizo,
On Thu, 2020-06-11 at 15:54 -0400, Maurizio Drocco wrote:
> IMA is not considering TPM registers 8-9 when calculating the boot
> aggregate. When registers 8-9 are used to store measurements of the
> kernel and its command line (e.g., grub2 bootloader with tpm module
> enabled), IMA should include them in the boot aggregate.
>
> Signed-off-by: Maurizio Drocco <maurizio.drocco@....com>
Looks good. Just a minor comment below. Could you be a bit more
specific as to what is being measured into which PCR. Perhaps include
a reference to some doc or spec.
In order to test, ima-evm-utils needs to be updated as well. Could
you post the corresponding evmctl change? Please post the patch
against the ima-evm-utils next-testing branch.
> ---
> security/integrity/ima/ima.h | 2 +-
> security/integrity/ima/ima_crypto.c | 11 ++++++++++-
> 2 files changed, 11 insertions(+), 2 deletions(-)
>
> diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
> index df93ac258e01..9d94080bdad8 100644
> --- a/security/integrity/ima/ima.h
> +++ b/security/integrity/ima/ima.h
> @@ -30,7 +30,7 @@
>
> enum ima_show_type { IMA_SHOW_BINARY, IMA_SHOW_BINARY_NO_FIELD_LEN,
> IMA_SHOW_BINARY_OLD_STRING_FMT, IMA_SHOW_ASCII };
> -enum tpm_pcrs { TPM_PCR0 = 0, TPM_PCR8 = 8 };
> +enum tpm_pcrs { TPM_PCR0 = 0, TPM_PCR8 = 8, TPM_PCR10 = 10 };
>
> /* digest size for IMA, fits SHA1 or MD5 */
> #define IMA_DIGEST_SIZE SHA1_DIGEST_SIZE
> diff --git a/security/integrity/ima/ima_crypto.c b/security/integrity/ima/ima_crypto.c
> index 220b14920c37..6f0137bdaf61 100644
> --- a/security/integrity/ima/ima_crypto.c
> +++ b/security/integrity/ima/ima_crypto.c
> @@ -809,7 +809,7 @@ static void ima_pcrread(u32 idx, struct tpm_digest *d)
> static int ima_calc_boot_aggregate_tfm(char *digest, u16 alg_id,
> struct crypto_shash *tfm)
> {
> - struct tpm_digest d = { .alg_id = alg_id, .digest = {0} };
> + struct tpm_digest d = { .alg_id = alg_id, .digest = {0} }, d0 = d;
> int rc;
> u32 i;
> SHASH_DESC_ON_STACK(shash, tfm);
> @@ -830,6 +830,15 @@ static int ima_calc_boot_aggregate_tfm(char *digest, u16 alg_id,
> rc = crypto_shash_update(shash, d.digest,
> crypto_shash_digestsize(tfm));
> }
> + /* extend cumulative sha1 over tpm registers 8-9 */
> + for (i = TPM_PCR8; i < TPM_PCR10; i++) {
> + ima_pcrread(i, &d);
> + /* if not zero, accumulate with current aggregate */
> + if (memcmp(d.digest, d0.digest,
> + crypto_shash_digestsize(tfm) != 0))
The formatting here is a bit off.
thanks,
Mimi
> + rc = crypto_shash_update(shash, d.digest,
> + crypto_shash_digestsize(tfm));
> + }
> if (!rc)
> crypto_shash_final(shash, digest);
> return rc;
Powered by blists - more mailing lists