Hi Guilherme, On Tue, 2018-06-05 at 21:22 +0000, Magalhaes, Guilherme (Brazil R&D- CL) wrote: > Hi Mimi, > I am trying to understand why violations (tomtou, open writers) cause > the aggregated PCR value to be invalidated. > > Invalidating the PCR makes clear the file measurement errors, but once > violations are common (when using the (TCB) default policy) it seems > difficult to perform a full attestation process if violations are not > handled. > > Is it safe to just report the violations and still perform a full attestation > of the log by replacing zeroed digest with ff..ff? I believe we can safely > detect a violation entry in the log by checking the hash values are zeroes. > Please confirm. It's not clear if you're asking what your attestation server should being do or suggesting that the kernel should not invalidate the PCR. The builtin policies are loaded before the LSM policies. As a result, they can not be defined in terms of LSM labels. The builtin policies can be replaced at run time with a policy based on LSM labels (eg. log files), which should limit a number of these violations. Someone should go through the remaining violations to determine if they're benign, expected or not. Some applications unnecessarily open files rw. Fix those applications. Identify those violations which are acceptable. Only then can the attestation server safely know how to handle violations, whether it is safe to replace the 0x00's with 0xff's. Mimi
