lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <877c4cqi76.fsf@>
Date: Wed, 26 Mar 2025 10:01:17 +0100
From: Nicolai Stange <nstange@...e.de>
To: Mimi Zohar <zohar@...ux.ibm.com>
Cc: Nicolai Stange <nstange@...e.de>,  Roberto Sassu
 <roberto.sassu@...wei.com>,  Dmitry Kasatkin <dmitry.kasatkin@...il.com>,
  Eric Snowberg <eric.snowberg@...cle.com>,  Jarkko Sakkinen
 <jarkko@...nel.org>,  James Bottomley
 <James.Bottomley@...senPartnership.com>,  linux-integrity@...r.kernel.org,
  linux-security-module@...r.kernel.org,  linux-kernel@...r.kernel.org
Subject: Re: [RFC PATCH v2 03/13] ima: invalidate unsupported PCR banks

Mimi Zohar <zohar@...ux.ibm.com> writes:

>> diff --git a/security/integrity/ima/ima_crypto.c b/security/integrity/ima/ima_crypto.c
>> index 6f5696d999d0..a43080fb8edc 100644
>> --- a/security/integrity/ima/ima_crypto.c
>> +++ b/security/integrity/ima/ima_crypto.c
>> @@ -625,26 +625,43 @@ int ima_calc_field_array_hash(struct ima_field_data *field_data,
>>  	u16 alg_id;
>>  	int rc, i;
>>  
>> +#if IS_ENABLED(CONFIG_IMA_COMPAT_FALLBACK_TPM_EXTEND)
>>  	rc = ima_calc_field_array_hash_tfm(field_data, entry, ima_sha1_idx);
>>  	if (rc)
>>  		return rc;
>>  
>>  	entry->digests[ima_sha1_idx].alg_id = TPM_ALG_SHA1;
>> +#endif
>>  
>>  	for (i = 0; i < NR_BANKS(ima_tpm_chip) + ima_extra_slots; i++) {
>> +#if IS_ENABLED(CONFIG_IMA_COMPAT_FALLBACK_TPM_EXTEND)
>>  		if (i == ima_sha1_idx)
>>  			continue;
>> +#endif
>>  
>>  		if (i < NR_BANKS(ima_tpm_chip)) {
>>  			alg_id = ima_tpm_chip->allocated_banks[i].alg_id;
>>  			entry->digests[i].alg_id = alg_id;
>>  		}
>>  
>> -		/* for unmapped TPM algorithms digest is still a padded SHA1 */
>> +		/*
>> +		 * For unmapped TPM algorithms, the digest is still a
>> +		 * padded SHA1 if backwards-compatibility fallback PCR
>> +		 * extension is enabled. Otherwise fill with
>> +		 * 0xfes. This is the value to invalidate unsupported
>> +		 * PCR banks with. Also, a non-all-zeroes value serves
>> +		 * as an indicator to kexec measurement restoration
>> +		 * that the entry is not a violation and all its
>> +		 * template digests need to get recomputed.
>> +		 */
>>  		if (!ima_algo_array[i].tfm) {
>> +#if IS_ENABLED(CONFIG_IMA_COMPAT_FALLBACK_TPM_EXTEND)
>>  			memcpy(entry->digests[i].digest,
>>  			       entry->digests[ima_sha1_idx].digest,
>>  			       TPM_DIGEST_SIZE);

                               ^
That's been here before, just for the record for the below.

>> +#else
>> +			memset(entry->digests[i].digest, 0xfe, TPM_DIGEST_SIZE);
>> +#endif
>
> Using TPM_DIGEST_SIZE will result in a padded 0xfe value.

Yes, but as the sysfs files for unsupported algos are gone, this will be
used only for extending the PCR banks. tpm[12]_pcr_extend()
(necessarily) truncate the digests to the correct size before sending
them to the TPM.

But if you prefer I can absolutely replace TPM_DIGEST_SIZE by
hash_digest_size[ima_algo_array[i].algo].

Thanks,

Nicolai

>
>>  			continue;
>>  		}
>>  
>

-- 
SUSE Software Solutions Germany GmbH, Frankenstraße 146, 90461 Nürnberg, Germany
GF: Ivo Totev, Andrew McDonald, Werner Knoblich
(HRB 36809, AG Nürnberg)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ