| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20200623181357.GC4983@glitch>
Date: Tue, 23 Jun 2020 15:13:57 -0300
From: Bruno Meneguele <bmeneg@...hat.com>
To: Maurizio Drocco <maurizio.drocco@....com>
Cc: zohar@...ux.ibm.com, Silviu.Vlasceanu@...wei.com,
dmitry.kasatkin@...il.com, jejb@...ux.ibm.com, jmorris@...ei.org,
linux-integrity@...r.kernel.org, linux-kernel@...r.kernel.org,
linux-security-module@...r.kernel.org, mdrocco@...ux.vnet.ibm.com,
roberto.sassu@...wei.com, serge@...lyn.com
Subject: Re: [PATCH v2] ima_evm_utils: extended calc_bootaggr to PCRs 8 - 9
On Tue, Jun 23, 2020 at 02:01:22PM -0400, Maurizio Drocco wrote:
> From: Maurizio <maurizio.drocco@....com>
>
> If PCRs 8 - 9 are set (i.e. not all-zeros), cal_bootaggr should include
> them into the digest.
>
> Signed-off-by: Maurizio Drocco <maurizio.drocco@....com>
> ---
> Changelog:
> v2:
> - Always include PCRs 8 & 9 to non-sha1 hashes
> v1:
> - Include non-zero PCRs 8 & 9 to boot aggregates
>
> src/evmctl.c | 15 +++++++++++++--
> 1 file changed, 13 insertions(+), 2 deletions(-)
>
> diff --git a/src/evmctl.c b/src/evmctl.c
> index 1d065ce..46b7092 100644
> --- a/src/evmctl.c
> +++ b/src/evmctl.c
> @@ -1930,6 +1930,16 @@ static void calc_bootaggr(struct tpm_bank_info *bank)
> }
> }
>
> + if (strcmp(bank->algo_name, "sha1") != 0) {
> + for (i = 8; i < 10; i++) {
> + err = EVP_DigestUpdate(pctx, bank->pcr[i], bank->digest_size);
> + if (!err) {
> + log_err("EVP_DigestUpdate() failed\n");
> + return;
> + }
> + }
> + }
> +
> err = EVP_DigestFinal(pctx, bank->digest, &mdlen);
> if (!err) {
> log_err("EVP_DigestFinal() failed\n");
> @@ -1972,8 +1982,9 @@ static int append_bootaggr(char *bootaggr, struct tpm_bank_info *tpm_banks)
> /*
> * The IMA measurement list boot_aggregate is the link between the preboot
> * event log and the IMA measurement list. Read and calculate all the
> - * possible per TPM bank boot_aggregate digests based on the existing
> - * PCRs 0 - 7 to validate against the IMA boot_aggregate record.
> + * possible per TPM bank boot_aggregate digests based on the existing PCRs
> + * 0 - 9 to validate against the IMA boot_aggregate record. If the digest
> + * algorithm is SHA1, only PCRs 0 - 7 are considered to avoid ambiguity.
> */
> static int cmd_ima_bootaggr(struct command *cmd)
> {
> --
> 2.17.1
>
Reviewed-by: Bruno Meneguele <bmeneg@...hat.com>
--
bmeneg
PGP Key: http://bmeneg.com/pubkey.txt
Download attachment "signature.asc" of type "application/pgp-signature" (489 bytes)
Powered by blists - more mailing lists