Re: [PATCH 1/2] ima: use the IMA configured hash algo to calculate the boot aggregate

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, 2020-01-27 at 13:49 -0700, Jerry Snitselaar wrote:
> On Mon Jan 27 20, Mimi Zohar wrote:
> >The boot aggregate is a cumulative SHA1 hash over TPM registers 0 - 7.
> >NIST has depreciated the usage of SHA1 in most instances.  Instead of
> >continuing to use SHA1 to calculate the boot_aggregate, use the
> >configured IMA default hash algorithm.
> >
> >Although the IMA measurement list boot_aggregate template data contains
> >the hash algorithm followed by the digest, allowing verifiers (e.g.
> >attesttaion servers) to calculate and verify the boot_aggregate, the
> >verifiers might not have the knowledge of what constitutes a good value
> >based on a different hash algorithm.
> >
> >Signed-off-by: Mimi Zohar <zohar@xxxxxxxxxxxxx>
> >---
> > security/integrity/ima/ima_init.c | 8 ++++----
> > 1 file changed, 4 insertions(+), 4 deletions(-)
> >
> >diff --git a/security/integrity/ima/ima_init.c b/security/integrity/ima/ima_init.c
> >index 195cb4079b2b..b1b334fe0db5 100644
> >--- a/security/integrity/ima/ima_init.c
> >+++ b/security/integrity/ima/ima_init.c
> >@@ -27,7 +27,7 @@ struct tpm_chip *ima_tpm_chip;
> > /* Add the boot aggregate to the IMA measurement list and extend
> >  * the PCR register.
> >  *
> >- * Calculate the boot aggregate, a SHA1 over tpm registers 0-7,
> >+ * Calculate the boot aggregate, a hash over tpm registers 0-7,
> >  * assuming a TPM chip exists, and zeroes if the TPM chip does not
> >  * exist.  Add the boot aggregate measurement to the measurement
> >  * list and extend the PCR register.
> >@@ -51,14 +51,14 @@ static int __init ima_add_boot_aggregate(void)
> > 	int violation = 0;
> > 	struct {
> > 		struct ima_digest_data hdr;
> >-		char digest[TPM_DIGEST_SIZE];
> >+		char digest[TPM_MAX_DIGEST_SIZE];
> > 	} hash;
> >
> > 	memset(iint, 0, sizeof(*iint));
> > 	memset(&hash, 0, sizeof(hash));
> > 	iint->ima_hash = &hash.hdr;
> >-	iint->ima_hash->algo = HASH_ALGO_SHA1;
> >-	iint->ima_hash->length = SHA1_DIGEST_SIZE;
> >+	iint->ima_hash->algo = ima_hash_algo;
> >+	iint->ima_hash->length = hash_digest_size[ima_hash_algo];
> >
> > 	if (ima_tpm_chip) {
> > 		result = ima_calc_boot_aggregate(&hash.hdr);
> >-- 
> >2.7.5
> >
> 
> Tested the patches on the Dell and no longer spits out the error messages on boot.
> /sys/kernel/security/ima/ascii_runtime_measurements shows the boot aggregate.
> 
> Is there something else I should look at to verify it is functioning properly?

The original LTP ima_boot_aggregate.c test needed to be updated to
support TPM 2.0 before this change.  For TPM 2.0, the PCRs are not
exported.  With this change, the kernel could be reading PCRs from a
TPM bank other than SHA1 and calculating the boot_aggregate based on a
different hash algorithm as well.  I'm not sure how a remote verifier
would know which TPM bank was read, when calculating the boot-
aggregate.

At the moment, the only test would be to make sure that the LTP test
still works for TPM 1.2 properly.

Mimi




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux Kernel]     [Linux Kernel Hardening]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux SCSI]

  Powered by Linux