Calculating the boot_aggregate assumes that the TPM SHA1 bank is enabled. Before trying to read the TPM SHA1 bank, ensure it is enabled. If it isn't enabled, calculate the boot_aggregate using the first bank enabled.

Reported-by: Jerry Snitselaar <jsnitsel@xxxxxxxxxx>
Signed-off-by: Mimi Zohar <zohar@xxxxxxxxxxxxx>
---
 security/integrity/ima/ima_crypto.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/security/integrity/ima/ima_crypto.c b/security/integrity/ima/ima_crypto.c
index 7967a6904851..1253a2c187ef 100644
--- a/security/integrity/ima/ima_crypto.c
+++ b/security/integrity/ima/ima_crypto.c
@@ -663,6 +663,7 @@ static int __init ima_calc_boot_aggregate_tfm(char *digest,
 struct crypto_shash *tfm)
 {
 struct tpm_digest d = { .alg_id = TPM_ALG_SHA1, .digest = {0} };
+ int found = 0;
 int rc;
 u32 i;
 SHASH_DESC_ON_STACK(shash, tfm);
@@ -673,6 +674,22 @@ static int __init ima_calc_boot_aggregate_tfm(char *digest,
 if (rc != 0)
 return rc;
 
+ /*
+ * For backward's compatibility use TPM PCR SHA1 bank if allocated,
+ * otherwise use first enabled bank.
+ */
+ for (i = 0; i < ima_tpm_chip->nr_allocated_banks; i++) {
+ if (ima_tpm_chip->allocated_banks[i].alg_id == TPM_ALG_SHA1) {
+ found = 1;
+ break;
+ }
+ }
+ if (!found) {
+ d.alg_id = ima_tpm_chip->allocated_banks[0].alg_id;
+ pr_info("Calculating the boot-aggregregate (TPM algorithm: %d)",
+ d.alg_id);
+ }
+
 /* cumulative sha1 over tpm registers 0-7 */
 for (i = TPM_PCR0; i < TPM_PCR8; i++) {
 ima_pcrread(i, &d);
-- 
2.7.5
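Review bot: The fallback branch in the second hunk reads `ima_tpm_chip->allocated_banks[0]` without checking that `nr_allocated_banks` is non-zero, so a chip reporting no allocated banks would index past the array; whether that state can reach this function is not visible here, so a guard such as `if (!found && ima_tpm_chip->nr_allocated_banks > 0)` (or an early error return when the count is zero) is worth confirming. The pr_info string in the same branch misspells the name and lacks the printk newline: `pr_info("Calculating the boot-aggregate (TPM algorithm: %d)\n", d.alg_id);`. The new comment says "first enabled bank" while the code takes the first allocated bank, and the commit message uses both terms; aligning the comment with the code (`otherwise use the first allocated bank`) avoids the mismatch. If the shash update that follows ima_pcrread still hashes a fixed SHA1-length slice of d.digest (that code is outside the hunk), a wider fallback digest would be silently truncated and the resulting boot_aggregate could not be verified against the bank actually read — worth confirming before relying on the fallback. ima_calc_boot_aggregate_tfm's body continues past the hunk.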