Re: Does IMA support SHA-256 PCR banks?

On 12/11/19 12:45 AM, Roberto Sassu wrote:


Hi Lakshmi

currently the SHA256 PCR bank is extended with a padded SHA1.

Some time ago, I posted some patches to support the TCG Crypto Agile format:

https://lkml.org/lkml/2017/5/16/369

However, this is a bit complicated because the current format does not follow
the TCG standard. A work to support the new IMA Canonical Event Log format
has been presented at LSS:

https://static.sched.com/hosted_files/lssna18/03/lss_2018_slides_V4.pdf

Given that the patches are very invasive, to me it seems a good idea to split this
work in two parts: first, extend PCRs with the correct digest and second
change the measurement list format.

For the first part, the patch will be very simple, as IMA will just query the TPM
to get the list of hash algorithms and will calculate all the digests in
ima_calc_field_array_hash().

Also, the first part would be sufficient for remote attestation, as the data used
to calculate the digests is passed to the verifier. The verifier can calculate by
himself the digest of non-SHA1 PCR banks, even if they are not included in the
measurement list.

Roberto


Thanks Roberto for the info and the link to the related patches posted earlier. I'll take a look at the patches.

thanks,
 -lakshmi
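
The verifier-side replay discussed in the quoted message, as an added example that is not part of the thread or of the kernel patches it links to. It assumes the template data of each entry is available as an opaque byte string (the sample entries are constructed) and that the padded SHA1 is zero-padded to the bank's digest size.

```python
import hashlib

def extend(pcr: bytes, digest: bytes, alg: str) -> bytes:
    """TPM extend: new PCR = H(old PCR || digest), digest sized for the bank."""
    size = hashlib.new(alg).digest_size
    assert len(pcr) == size and len(digest) == size
    return hashlib.new(alg, pcr + digest).digest()

def replay(entries, alg: str, padded_sha1: bool) -> bytes:
    """Replay a measurement list into one PCR bank, starting from all zeros.

    padded_sha1=True  : behaviour described in the thread (SHA1 digest of the
                        template data, zero-padded to the bank's digest size;
                        zero padding is an assumption of this sketch).
    padded_sha1=False : proposed behaviour (digest of the template data
                        computed with the bank's own algorithm).
    """
    size = hashlib.new(alg).digest_size
    pcr = bytes(size)
    for template_data in entries:
        if padded_sha1:
            digest = hashlib.sha1(template_data).digest().ljust(size, b"\x00")
        else:
            digest = hashlib.new(alg, template_data).digest()
        pcr = extend(pcr, digest, alg)
    return pcr

def verify(entries, quoted_pcr: bytes, alg: str) -> str:
    """Classify a quoted PCR value against both extension schemes."""
    if quoted_pcr == replay(entries, alg, padded_sha1=False):
        return "bank-native digest"
    if quoted_pcr == replay(entries, alg, padded_sha1=True):
        return "padded SHA1"
    return "mismatch"

# Constructed sample template data (opaque bytes, not a real IMA log).
SAMPLE_LOG = [
    b"boot_aggregate-entry",
    b"/usr/bin/example-entry",
    b"/etc/example.conf-entry",
]

if __name__ == "__main__":
    for scheme in (True, False):
        value = replay(SAMPLE_LOG, "sha256", padded_sha1=scheme)
        print(scheme, value.hex(), verify(SAMPLE_LOG, value, "sha256"))
```

Because the verifier recomputes each digest from the template data, it does not need the SHA-256 digests to be present in the measurement list, only to know which scheme the kernel used when extending the bank.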