The boot aggragate calculation should never touch PCRs beyond PCR 0-7, even a PCR extension really manipulates out-of-domain PCRs. Signed-off-by: Jia Zhang <zhang.jia@xxxxxxxxxxxxxxxxx> --- .../security/integrity/ima/src/ima_boot_aggregate.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/testcases/kernel/security/integrity/ima/src/ima_boot_aggregate.c b/testcases/kernel/security/integrity/ima/src/ima_boot_aggregate.c index 67be6a7..98893b9 100644 --- a/testcases/kernel/security/integrity/ima/src/ima_boot_aggregate.c +++ b/testcases/kernel/security/integrity/ima/src/ima_boot_aggregate.c @@ -93,11 +93,16 @@ int main(int argc, char *argv[]) printf("%03u ", event.header.pcr); display_sha1_digest(event.header.digest); } - SHA1_Init(&c); - SHA1_Update(&c, pcr[event.header.pcr].digest, - SHA_DIGEST_LENGTH); - SHA1_Update(&c, event.header.digest, SHA_DIGEST_LENGTH); - SHA1_Final(pcr[event.header.pcr].digest, &c); + + if (event.header.pcr < NUM_PCRS) { + SHA1_Init(&c); + SHA1_Update(&c, pcr[event.header.pcr].digest, + SHA_DIGEST_LENGTH); + SHA1_Update(&c, event.header.digest, + SHA_DIGEST_LENGTH); + SHA1_Final(pcr[event.header.pcr].digest, &c); + } + #if MAX_EVENT_DATA_SIZE < USHRT_MAX if (event.header.len > MAX_EVENT_DATA_SIZE) { printf("Error event too long\n"); -- 1.8.3.1