lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <ef770532-6db6-4262-8225-2d3ee09b7d23@intel.com>
Date: Wed, 14 Feb 2024 00:54:09 -0800
From: "Xing, Cedric" <cedric.xing@...el.com>
To: James Bottomley <James.Bottomley@...senPartnership.com>, Dan Williams
	<dan.j.williams@...el.com>, Kuppuswamy Sathyanarayanan
	<sathyanarayanan.kuppuswamy@...ux.intel.com>, Dan Middleton
	<dan.middleton@...ux.intel.com>, Samuel Ortiz <sameo@...osinc.com>
CC: Qinkun Bao <qinkun@...gle.com>, "Yao, Jiewen" <jiewen.yao@...el.com>,
	Dionna Amalie Glaze <dionnaglaze@...gle.com>, <biao.lu@...el.com>,
	<linux-coco@...ts.linux.dev>, <linux-integrity@...r.kernel.org>,
	<linux-kernel@...r.kernel.org>
Subject: Re: [RFC PATCH v2 0/4] tsm: Runtime measurement registers ABI

On 2/13/2024 8:05 AM, James Bottomley wrote:
> On Mon, 2024-02-12 at 23:36 -0800, Xing, Cedric wrote:
>> On 2/9/2024 12:58 PM, Dan Williams wrote:
>>> James Bottomley wrote:
>>>> Just to correct this: IMA uses its own log format, but I think
>>>> this was a mistake long ago and the new log should use TCG2
>>>> format so all the tools know how to parse it.
>>>
>>> Is this a chance to nudge IMA towards a standard log format? In
>>> other words, one of the goals alongside userspace consumers of the
>>> RTMR log would be for IMA to support it as well as an alternate in-
>>> kernel backend next to TPM. IMA-over-TPM continues with its current
>>> format, IMA-over-RTMR internally unifies with the log format that
>>> is shared with RTMR-user-ABI.
>>>
>> I'm not a TCG expert. As far as I know,
>> https://trustedcomputinggroup.org/wp-content/uploads/TCG-PC-Client-Platform-Firmware-Profile-Version-1.06-Revision-52_pub-1.pdf
>>   
>> defines the event types for TCG2 logs for firmware uses only. I
>> cannot  find a spec that defines event types for OS or applications.
>> We may  reuse the firmware event types for Linux but I doubt they can
>> accommodate IMA.
> 
> The TCG crypto agile log format is
> 
>   index (32 bit),
>   event tag (32 bit),
>   digests array,
>   sized event entry (up to 4GB)
> 
> So an IMA log entry can definitely be transformed into this format
> (providing someone agrees to the tag or set of tags).  The slight
> problem would be that none of the current IMA tools would understand
> it, but that could be solved over time (the kernel could use the TCG
> format internally but transform to the IMA format for the current
> securityfs IMA log).
> 
Hi James,

As Mikko mentioned in his reply, TCG has defined the "Canonical Event 
Log Format" (aka. CEL) [1], while systemd-pcr* services use a subset of 
CEL format in their user space log.

I skimmed through the CEL spec today. Comparing to TCG2 log, CEL follows 
the same design (i.e., each event has a type field that determines the 
structure of the event data) but separates the encoding from the 
information model.

IMHO, CEL only works for applications defined in its information model 
(currently UEFI BIOS and IMA) but wouldn't work for any other 
applications like systemd. The systemd source code has documented the 
difference [2] between their log format and CEL.

One problem of CEL is its "content_type", which contains numeric values 
assigned by the spec. systemd doesn't have a numeric "content_type" 
assigned so has to use a string value - "systemd", which can only be 
encoded in JSON but not in TLV or CBOR. Technically, the systemd log is 
NOT CEL even though they claim that's a subset of it.

Another problem of CEL is that NOT every byte of an event is 
hashed/extended. CEL spec has defined for each "content_type" the subset 
of bytes to hash, so a verifier must understand ALL content types to be 
able to verify the integrity of a log. In other words, the integrity of 
a "systemd" log can never be verified by a CEL conformant verifier.

So I wouldn't recommend CEL to be the log format here.

We are looking for, as I believe, is a format that can accommodate all 
applications and allow application-agnostic verifiers. For every event, 
the kernel only needs to know what to store in the log, and what to 
hash/extend and to which measurement registers, but isn't concerned by 
the semantics of the event. If reusing CEL terms, what needs to be 
defined here is the "encoding" (so that every application can 
store/extend "something" in a log that every verifier knows how to 
replay); while every application should be allowed to define its own 
"information model".

-Cedric

[1] https://trustedcomputinggroup.org/resource/canonical-event-log-format/

[2] 
https://github.com/systemd/systemd/blob/e1390da0256bbe2017c4c2fbc636c54fe02c84cb/src/shared/tpm2-util.c#L6112

>> IMHO, we don't have to follow TCG2 format because TDX is never TPM,
>> nor are any other TEEs that support runtime measurements. The
>> existing TCG2 format looks to me somewhat like ASN.1 - well defined
>> but schema is needed to decode. In contrast, JSON is a lot more
>> popular than ASN.1  nowadays because it's human readable and doesn't
>> require a schema. I just wonder if we should introduce a text based
>> log format. We could make the log a text file, in which each line is
>> an event record and the digest of the line is extended to the
>> specified runtime measurement register. The content of each line
>> could be free-form at the ABI level, but we can still recommend a
>> convention for applications - e.g., the first word/column must be an
>> URL for readers to find out the format/syntax of the rest of the
>> line. Thoughts?
> 
> https://xkcd.com/927/
> 
That is funny :-D

I can't agree more, so "no log" I think is always an option.

>>   For the new TEE measurement log, I don't think it has to be
>> collocated with the BIOS log, because TEEs are never TPMs.
> 
> This depends.  Logs are separable by PCRs.  As in every entry for the
> same PCR could be in a separate, correctly ordered, log.  However, you
> can't have separate logs that both use the same PCR because they won't
> replay.
> 
We can have separate logs for the same PCR as long as there's a way to 
order those logs. A simple way is to record the current PCR value at the 
beginning of every log, then a verifier can always replay the log to get 
the PCR value at exit, and use that value to match the next log.

Anyway, those details are unimportant. What I intended to say was that 
those logs don't have to be in the same format.

> James
> 
> 
> 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ