Re: ima pcr question

On Fri, 2020-01-17 at 15:29 -0700, Jerry Snitselaar wrote:
> On Mon Jan 13 20, Mimi Zohar wrote:
> > On Mon, 2020-01-13 at 17:06 -0700, Jerry Snitselaar wrote:
> > > We had a report of messages from ima saying "Error communicating
> > > with TPM".  Looking into it a bit, it looks like with some Dell
> > > systems (possibly others as well) in the bios they can set the hash
> > > algorithm being used. In this case with that set to sha256 the
> > > messages appear. Flipping the system to using sha1 makes them
> > > disappear. Looking at the ima code, ima_calc_boot_aggregate_tfm
> > > hard codes using sha1. Should that be changed to use whatever the
> > > default is in the config, or possibly find out from the tpm what
> > > algorithm is being used?
> > 
> > The ima-ng template contains two digests.  The first digest is the
> > value being extended into the TPM, while the second digest is either
> > the boot aggregate or file data hash.  It sounds like the problem is
> > with the first digest.  Changing the boot-aggregate to use sha256
> > might be a good idea, but probably won't fix the problem.
> > 
> > Mimi
> > 
> 
> The error message is coming from ima_pcrread, and the tpm_digest that
> gets passed by ima_calc_boot_aggregate_tfm to ima_pcrread is declared:
> 
> 	struct tpm_digest d = { .alg_id = TPM_ALG_SHA1, .digest = {0} };
> 
> According to Dell their default BIOS setting is to use sha256. What
> they see with that setting is:
> 
> [ 5.475036] ima: Error Communicating to TPM chip
> [ 5.475083] tsc: Refined TSC clocksource calibration: 3311.999 MHz
> [ 5.475092] clocksource: tsc: mask: 0xffffffffffffffff max_cycles: 0x2fbd936b72f, max_idle_ns: 440795283163 ns
> [ 5.475118] ima: Error Communicating to TPM chip
> [ 5.475165] ima: Error Communicating to TPM chip
> [ 5.475235] clocksource: Switched to clocksource tsc
> [ 5.475266] ima: Error Communicating to TPM chip
> [ 5.475311] ima: Error Communicating to TPM chip
> [ 5.475341] ima: Error Communicating to TPM chip
> [ 5.475371] ima: Error Communicating to TPM chip
> [ 5.475402] ima: Error Communicating to TPM chip
> [ 5.489049] ima: No architecture policies found

The implication seems to be that on a Dell, setting the BIOS default to
sha256 turns off the TPM's sha1 PCR banks ... is that the case?

tssgetcapability -cap 5

should confirm or deny this.

James
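The failure mode the thread is circling, as an added example that is not code from the thread or from the kernel: a small Python model of ima_calc_boot_aggregate_tfm with the quoted hard-coded SHA-1 tpm_digest, run against a constructed TPM that, like the Dell default, has only a SHA-256 PCR bank allocated. The PCR range (0-7), the zeroed-digest fallback on a failed read, and the FakeTpm / make_bank / pick_bank helpers are my assumptions for illustration, not something the thread states.

```python
import hashlib

# IMA's boot aggregate covers PCR 0-7 (everything below TPM_PCR8).
# That range is my reading of the kernel code of the period, not a
# statement from the thread.
BOOT_AGGREGATE_PCRS = range(0, 8)
DIGEST_SIZE = {"sha1": 20, "sha256": 32}


class TpmError(Exception):
    """Stands in for a non-zero return from tpm_pcr_read()."""


class FakeTpm:
    """Constructed TPM: only the banks in `banks` are allocated (active)."""

    def __init__(self, banks):
        self.banks = banks

    def active_banks(self):
        # The bank list TPM_CAP_PCRS (`tssgetcapability -cap 5`) reports.
        return sorted(self.banks)

    def pcr_read(self, alg, idx):
        # Reading a PCR from a bank that is not allocated fails; this is
        # the case behind the Dell log lines.
        if alg not in self.banks:
            raise TpmError(f"bank {alg} is not allocated on this TPM")
        return self.banks[alg][idx]


def make_bank(alg, seed):
    """Constructed PCR values: 24 PCRs, PCR i = H(seed || i)."""
    return [hashlib.new(alg, f"{seed}:pcr{i}".encode()).digest()
            for i in range(24)]


def hash_concat(alg, parts):
    """H(part0 || part1 || ...), the shape of the boot aggregate."""
    h = hashlib.new(alg)
    for part in parts:
        h.update(part)
    return h.digest()


def boot_aggregate(tpm, alg="sha1"):
    """Mirror of ima_calc_boot_aggregate_tfm() with the hard-coded SHA-1
    digest from the quoted declaration. Returns (aggregate, failed_reads).

    Assumption: a failed read leaves the digest buffer zeroed (as the
    `.digest = {0}` initializer suggests) and the loop keeps going, which
    is consistent with the eight error lines in the Dell log."""
    parts, failures = [], 0
    for idx in BOOT_AGGREGATE_PCRS:
        digest = bytes(DIGEST_SIZE[alg])
        try:
            digest = tpm.pcr_read(alg, idx)
        except TpmError:
            print("ima: Error Communicating to TPM chip")
            failures += 1
        parts.append(digest)
    return hash_concat(alg, parts), failures


def pick_bank(tpm, preferred=("sha1", "sha256")):
    """The "find out from the tpm what algorithm is being used" option:
    take the first preferred algorithm the TPM actually has allocated."""
    for alg in preferred:
        if alg in tpm.active_banks():
            return alg
    raise TpmError("none of the preferred PCR banks is allocated")


# Constructed TPMs: a Dell-like one with only SHA-256 allocated, and one
# with both banks allocated.
DELL_DEFAULT = FakeTpm({"sha256": make_bank("sha256", "dell")})
BOTH_BANKS = FakeTpm({"sha1": make_bank("sha1", "lab"),
                      "sha256": make_bank("sha256", "lab")})

if __name__ == "__main__":
    agg, failed = boot_aggregate(DELL_DEFAULT, "sha1")
    print(f"sha1 aggregate on sha256-only TPM: {agg.hex()} "
          f"({failed} PCR reads failed)")
    alg = pick_bank(DELL_DEFAULT)
    agg, failed = boot_aggregate(DELL_DEFAULT, alg)
    print(f"{alg} aggregate: {agg.hex()} ({failed} PCR reads failed)")
```

On the SHA-256-only TPM all eight reads fail, one error line per PCR, and the value that comes out is SHA-1 over 160 zero bytes: the same constant on every machine configured this way, so a remote verifier that recomputes the boot aggregate from a PCR quote will not match it. pick_bank() consults the same bank list that `tssgetcapability -cap 5` prints on real hardware.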



