lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1594224793.23056.251.camel@linux.ibm.com>
Date:   Wed, 08 Jul 2020 12:13:13 -0400
From:   Mimi Zohar <zohar@...ux.ibm.com>
To:     Sasha Levin <sashal@...nel.org>, linux-kernel@...r.kernel.org,
        stable@...r.kernel.org
Cc:     Maurizio Drocco <maurizio.drocco@....com>,
        Bruno Meneguele <bmeneg@...hat.com>,
        linux-integrity@...r.kernel.org,
        linux-security-module@...r.kernel.org
Subject: Re: [PATCH AUTOSEL 5.7 03/30] ima: extend boot_aggregate with
 kernel measurements

Hi Sasha,

On Wed, 2020-07-08 at 11:40 -0400, Sasha Levin wrote:
> From: Maurizio Drocco <maurizio.drocco@....com>
> 
> [ Upstream commit 20c59ce010f84300f6c655d32db2610d3433f85c ]
> 
> Registers 8-9 are used to store measurements of the kernel and its
> command line (e.g., grub2 bootloader with tpm module enabled). IMA
> should include them in the boot aggregate. Registers 8-9 should be
> only included in non-SHA1 digests to avoid ambiguity.

Prior to Linux 5.8, the SHA1 template data hashes were padded before
being extended into the TPM.  Support for calculating and extending
the per TPM bank template data digests is only being upstreamed in
Linux 5.8.

How will attestation servers know whether to include PCRs 8 & 9 in the
the boot_aggregate calculation?  Now, there is a direct relationship
between the template data SHA1 padded digest not including PCRs 8 & 9,
and the new per TPM bank template data digest including them.

Mimi

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ