| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 23 Jun 2020 15:53:00 -0300
From: Bruno Meneguele <bmeneg@...hat.com>
To: Maurizio Drocco <maurizio.drocco@....com>
Cc: zohar@...ux.ibm.com, Silviu.Vlasceanu@...wei.com,
dmitry.kasatkin@...il.com, jejb@...ux.ibm.com, jmorris@...ei.org,
linux-integrity@...r.kernel.org, linux-kernel@...r.kernel.org,
linux-security-module@...r.kernel.org, mdrocco@...ux.vnet.ibm.com,
roberto.sassu@...wei.com, serge@...lyn.com
Subject: Re: [PATCH v4] ima: extend boot_aggregate with kernel measurements
On Tue, Jun 23, 2020 at 11:57:32AM -0400, Maurizio Drocco wrote:
> Registers 8-9 are used to store measurements of the kernel and its
> command line (e.g., grub2 bootloader with tpm module enabled). IMA
> should include them in the boot aggregate. Registers 8-9 should be
> only included in non-SHA1 digests to avoid ambiguity.
>
> Signed-off-by: Maurizio Drocco <maurizio.drocco@....com>
> ---
> Changelog:
> v4:
> - Reworded comments: PCRs 8 & 9 are always included in non-sha1 digests
> v3:
> - Limit including PCRs 8 & 9 to non-sha1 hashes
> v2:
> - Minor comment improvements
> v1:
> - Include non zero PCRs 8 & 9 in the boot_aggregate
>
> security/integrity/ima/ima.h | 2 +-
> security/integrity/ima/ima_crypto.c | 15 ++++++++++++++-
> 2 files changed, 15 insertions(+), 2 deletions(-)
>
> diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
> index df93ac258e01..9d94080bdad8 100644
> --- a/security/integrity/ima/ima.h
> +++ b/security/integrity/ima/ima.h
> @@ -30,7 +30,7 @@
>
> enum ima_show_type { IMA_SHOW_BINARY, IMA_SHOW_BINARY_NO_FIELD_LEN,
> IMA_SHOW_BINARY_OLD_STRING_FMT, IMA_SHOW_ASCII };
> -enum tpm_pcrs { TPM_PCR0 = 0, TPM_PCR8 = 8 };
> +enum tpm_pcrs { TPM_PCR0 = 0, TPM_PCR8 = 8, TPM_PCR10 = 10 };
>
> /* digest size for IMA, fits SHA1 or MD5 */
> #define IMA_DIGEST_SIZE SHA1_DIGEST_SIZE
> diff --git a/security/integrity/ima/ima_crypto.c b/security/integrity/ima/ima_crypto.c
> index 220b14920c37..011c3c76af86 100644
> --- a/security/integrity/ima/ima_crypto.c
> +++ b/security/integrity/ima/ima_crypto.c
> @@ -823,13 +823,26 @@ static int ima_calc_boot_aggregate_tfm(char *digest, u16 alg_id,
> if (rc != 0)
> return rc;
>
> - /* cumulative sha1 over tpm registers 0-7 */
> + /* cumulative digest over TPM registers 0-7 */
> for (i = TPM_PCR0; i < TPM_PCR8; i++) {
> ima_pcrread(i, &d);
> /* now accumulate with current aggregate */
> rc = crypto_shash_update(shash, d.digest,
> crypto_shash_digestsize(tfm));
> }
> + /*
> + * Extend cumulative digest over TPM registers 8-9, which contain
> + * measurement for the kernel command line (reg. 8) and image (reg. 9)
> + * in a typical PCR allocation. Registers 8-9 are only included in
> + * non-SHA1 boot_aggregate digests to avoid ambiguity.
> + */
> + if (alg_id != TPM_ALG_SHA1) {
> + for (i = TPM_PCR8; i < TPM_PCR10; i++) {
> + ima_pcrread(i, &d);
> + rc = crypto_shash_update(shash, d.digest,
> + crypto_shash_digestsize(tfm));
> + }
> + }
> if (!rc)
> crypto_shash_final(shash, digest);
> return rc;
> --
> 2.17.1
>
Reviewed-by: Bruno Meneguele <bmeneg@...hat.com>
I've tested this patch with both TPM 1.2 and TPM 2.0 + ima-evm-utils
support patch. Everything seems fine.
Thanks.
--
bmeneg
PGP Key: http://bmeneg.com/pubkey.txt
Download attachment "signature.asc" of type "application/pgp-signature" (489 bytes)
Powered by blists - more mailing lists