IMA currently extends the different TPM banks by padding/truncating the SHA1 template digest. Although the IMA measurement list only includes the SHA1 template digest, the template digest could be re-calculated properly for each bank. Roberto Sassu's proposed "ima: support stronger algorithms for attestation" kernel patch set makes this change.

In order to test the proposed kernel change, this patch set walks the IMA measurement list, re-calculating the per TPM bank template digest and extending the TPM bank PCR with the bank-specific digest. The last step, after walking the measurement list, is comparing the resulting TPM per bank PCR values with the actual TPM per bank PCR values.

(Verifying the non-SHA1 TPM banks depends on a kernel built with Roberto's "ima: support stronger algorithms for attestation" patch set.)

Mimi

Mimi Zohar (8):
  ima-evm-utils: treat unallocated banks as an error
  ima-evm-utils: increase the size of "zero" and "fox" variables
  ima-evm-utils: calculate the digests for multiple TPM banks
  ima-evm-utils: add support in tpm2_read_pcrs to read different TPM banks
  ima-evm-utils: read the PCRs for the requested TPM banks
  ima-evm-utils: compare re-calculated PCRs with the TPM values
  ima-evm-utils: use a common bank variable for TPM 1.2 and TPM 2.0
  ima-evm-utils: remove TPM 1.2 specific code

 src/evmctl.c | 349 ++++++++++++++++++++++++++++++++++++++++++++++++----------
 1 file changed, 284 insertions(+), 65 deletions(-)

-- 
2.7.5
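
The walk, re-calculate, extend and compare sequence described in the cover letter, as an added Python example that is not part of the original message and not code from ima-evm-utils; it also replays the padded-SHA1 behaviour so the two can be compared per bank. Assumptions: each binary list entry is a little-endian 32-bit PCR index, a 20-byte SHA1 template digest, a length-prefixed template name and length-prefixed template data (templates other than the legacy "ima" one), and a violation is recorded as an all-zero digest and extended as all 0xFF. The function names and the sample entries are constructed for illustration.

```python
import hashlib
import struct

BANKS = ("sha1", "sha256")
SHA1_LEN = 20
ZERO = bytes(SHA1_LEN)  # digest recorded in the list for a violation

def make_entry(pcr, data, violation=False, name=b"ima-ng"):
    """Build one constructed list entry (assumed layout, see lead-in)."""
    digest = ZERO if violation else hashlib.sha1(data).digest()
    return (struct.pack("<I", pcr) + digest + struct.pack("<I", len(name))
            + name + struct.pack("<I", len(data)) + data)

def parse(buf):
    """Yield (pcr, sha1_template_digest, template_data) per entry."""
    off = 0
    while off < len(buf):
        pcr, = struct.unpack_from("<I", buf, off)
        digest = buf[off + 4:off + 4 + SHA1_LEN]
        name_len, = struct.unpack_from("<I", buf, off + 4 + SHA1_LEN)
        off += 8 + SHA1_LEN + name_len
        data_len, = struct.unpack_from("<I", buf, off)
        data = buf[off + 4:off + 4 + data_len]
        if len(data) != data_len:
            raise ValueError("truncated measurement list")
        off += 4 + data_len
        yield pcr, digest, data

def replay(buf, recalc=True, pcr_index=10):
    """Walk the list and return the expected PCR value for each bank."""
    pcrs = {b: bytes(hashlib.new(b).digest_size) for b in BANKS}
    for pcr, sha1_digest, data in parse(buf):
        if pcr != pcr_index:
            continue
        for bank in BANKS:
            size = hashlib.new(bank).digest_size
            if sha1_digest == ZERO:       # violation: extend all 0xFF
                ext = b"\xff" * size
            elif recalc:                  # bank-specific template digest
                ext = hashlib.new(bank, data).digest()
            else:                         # padded SHA1 template digest
                ext = sha1_digest.ljust(size, b"\0")
            pcrs[bank] = hashlib.new(bank, pcrs[bank] + ext).digest()
    return pcrs

def verify(buf, tpm_pcrs, recalc=True):
    """Compare each bank's replayed value with the value read from the TPM."""
    calc = replay(buf, recalc)
    return {b: calc[b] == tpm_pcrs.get(b) for b in BANKS}

# Constructed sample: two measurements and one violation, all on PCR 10.
SAMPLE = (make_entry(10, b"constructed-template-data-1")
          + make_entry(10, b"", violation=True)
          + make_entry(10, b"constructed-template-data-2"))
```

Passing the per-bank values read from a TPM as `tpm_pcrs` shows which extend behaviour the running kernel used: the SHA1 bank verifies either way, while the SHA256 bank verifies only under the mode that matches the kernel.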