Message-ID: <87h63gp1ka.fsf@>
Date: Wed, 26 Mar 2025 10:45:57 +0100
From: Nicolai Stange <nstange@...e.de>
To: Jarkko Sakkinen <jarkko@...nel.org>
Cc: Nicolai Stange <nstange@...e.de>, Mimi Zohar <zohar@...ux.ibm.com>,
Roberto Sassu <roberto.sassu@...wei.com>, Dmitry Kasatkin
<dmitry.kasatkin@...il.com>, Eric Snowberg <eric.snowberg@...cle.com>,
James Bottomley <James.Bottomley@...senpartnership.com>,
linux-integrity@...r.kernel.org, linux-security-module@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [RFC PATCH v2 07/13] tpm: enable bank selection for PCR extend

Jarkko Sakkinen <jarkko@...nel.org> writes:

> On Sun, Mar 23, 2025 at 03:09:05PM +0100, Nicolai Stange wrote:
>> The existing tpm_pcr_extend() extends all of a PCR's allocated banks with
>> the corresponding digest from the provided digests[] argument.
>
> Why not "just" tpm_pcr_extend(). We don't have a concept of
> "non-existing tpm_pcr_extend()".
>
> "tpm_pcr_extend() extends the allocated PCR banks ..."
>
> or something.

Right.

>>
>> An upcoming code change to IMA will introduce the need to skip over those
>
> Don't talk about upcoming code changes. Just explain why IMA depends on
> the change.

Ok.

>> banks it does not have a hash algorithm implementation available for.
>>
>> Introduce tpm_pcr_extend_sel() to support this.
>>
>> tpm_pcr_extend_sel() also expects a digests[] array, always being the
>> number of allocated PCR banks in size, just as it's the case for the
>> existing tpm_pcr_extend(). In addition to that however, it takes a
>> 'banks_skip_mask', and will skip the extension of any bank having its
>> corresponding bit set there.
>>
>> Signed-off-by: Nicolai Stange <nstange@...e.de>
>> ---
>> drivers/char/tpm/tpm-interface.c | 29 +++++++++++++++++++++++++++--
>> drivers/char/tpm/tpm.h | 3 ++-
>> drivers/char/tpm/tpm2-cmd.c | 29 +++++++++++++++++++++++++++--
>> include/linux/tpm.h | 3 +++
>> 4 files changed, 59 insertions(+), 5 deletions(-)
>>
>> diff --git a/drivers/char/tpm/tpm-interface.c b/drivers/char/tpm/tpm-interface.c
>> index b1daa0d7b341..88b4496de1df 100644
>> --- a/drivers/char/tpm/tpm-interface.c
>> +++ b/drivers/char/tpm/tpm-interface.c
>> @@ -314,6 +314,26 @@ EXPORT_SYMBOL_GPL(tpm_pcr_read);
>> */
>> int tpm_pcr_extend(struct tpm_chip *chip, u32 pcr_idx,
>> struct tpm_digest *digests)
>> +{
>> + return tpm_pcr_extend_sel(chip, pcr_idx, digests, 0);
>> +}
>> +EXPORT_SYMBOL_GPL(tpm_pcr_extend);
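
Review bot: the new tpm_pcr_extend() wrapper lands directly under the existing kernel-doc block (the `*/` context line) and passes a literal 0 as the skip mask, so nothing at this point tells a caller what the fourth argument of tpm_pcr_extend_sel() means. The kernel-doc for tpm_pcr_extend_sel() should state which bit of banks_skip_mask corresponds to which digests[] entry, and that digests[] must still hold one entry per allocated bank even for banks that are skipped, as the commit message describes. The comment kept above tpm_pcr_extend() should say that it extends all allocated banks, i.e. is equivalent to an empty skip mask.
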
>
> I'd add just an extra argument to tpm_pcr_extend().

Perfect, will do.

Thanks!

Nicolai

--
SUSE Software Solutions Germany GmbH, Frankenstraße 146, 90461 Nürnberg, Germany
GF: Ivo Totev, Andrew McDonald, Werner Knoblich
(HRB 36809, AG Nürnberg)
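
The bank-selection semantics described in the commit message, as an added Python model that is not part of the original thread or of the kernel patch. The bank list, the function names pcr_extend_sel() and measure(), and the mapping of mask bit i to digests[i] are assumptions made for illustration.

```python
import hashlib

# Constructed bank layout; a real TPM reports its allocated banks at runtime.
ALLOCATED_BANKS = ["sha1", "sha256", "sha384"]


def new_pcr_banks():
    """One PCR, with one zeroed register per allocated bank."""
    return [bytes(hashlib.new(alg).digest_size) for alg in ALLOCATED_BANKS]


def pcr_extend_sel(pcr, digests, banks_skip_mask=0):
    """Model of a bank-selective extend: new = H(old || digest) per bank.

    Assumption: bit i of banks_skip_mask refers to allocated bank i,
    the same index as digests[i].
    """
    if len(digests) != len(ALLOCATED_BANKS):
        raise ValueError("digests[] must have one entry per allocated bank")
    if banks_skip_mask >> len(ALLOCATED_BANKS):
        raise ValueError("skip mask names a bank that is not allocated")
    out = []
    for i, alg in enumerate(ALLOCATED_BANKS):
        if banks_skip_mask & (1 << i):
            out.append(pcr[i])  # skipped: register unchanged, digests[i] ignored
            continue
        if len(digests[i]) != hashlib.new(alg).digest_size:
            raise ValueError(f"digest for {alg} has the wrong length")
        out.append(hashlib.new(alg, pcr[i] + digests[i]).digest())
    return out


def measure(data, banks_skip_mask=0):
    """Build a full-size digests[] array; skipped slots are zero-filled."""
    digests = []
    for i, alg in enumerate(ALLOCATED_BANKS):
        if banks_skip_mask & (1 << i):
            digests.append(bytes(hashlib.new(alg).digest_size))
        else:
            digests.append(hashlib.new(alg, data).digest())
    return digests
```
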