The boot aggragate calculation should never touch PCRs beyond PCR 0-7,
even a PCR extension really manipulates out-of-domain PCRs.
Signed-off-by: Jia Zhang <zhang.jia@xxxxxxxxxxxxxxxxx>
Reviewed-by: Mimi Zohar <zohar@xxxxxxxxxxxxx>
---
.../security/integrity/ima/src/ima_boot_aggregate.c | 15 ++++++++++-----
1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/testcases/kernel/security/integrity/ima/src/ima_boot_aggregate.c b/testcases/kernel/security/integrity/ima/src/ima_boot_aggregate.c
index 67be6a7..98893b9 100644
--- a/testcases/kernel/security/integrity/ima/src/ima_boot_aggregate.c
+++ b/testcases/kernel/security/integrity/ima/src/ima_boot_aggregate.c
@@ -93,11 +93,16 @@ int main(int argc, char *argv[])
printf("%03u ", event.header.pcr);
display_sha1_digest(event.header.digest);
}
- SHA1_Init(&c);
- SHA1_Update(&c, pcr[event.header.pcr].digest,
- SHA_DIGEST_LENGTH);
- SHA1_Update(&c, event.header.digest, SHA_DIGEST_LENGTH);
- SHA1_Final(pcr[event.header.pcr].digest, &c);
+
+ if (event.header.pcr < NUM_PCRS) {
+ SHA1_Init(&c);
+ SHA1_Update(&c, pcr[event.header.pcr].digest,
+ SHA_DIGEST_LENGTH);
+ SHA1_Update(&c, event.header.digest,
+ SHA_DIGEST_LENGTH);
+ SHA1_Final(pcr[event.header.pcr].digest, &c);
+ }
+
#if MAX_EVENT_DATA_SIZE < USHRT_MAX
if (event.header.len > MAX_EVENT_DATA_SIZE) {
printf("Error event too long\n");
--
1.8.3.1
