On 2/22/20 5:12 PM, Mimi Zohar wrote:
> There are two aspects to Roberto's changes - extending the TPM banks
> with the bank specific template digest and verifying the boot
> aggregate. This patch set only addresses the first aspect.
>
> Assuming both the sha1 and sha256 TPM banks are enabled,
>
> # tssgetcapability -cap 5
> 2 PCR selections
> hash TPM_ALG_SHA1
> TPMS_PCR_SELECTION length 3
> ff ff ff
> hash TPM_ALG_SHA256
> TPMS_PCR_SELECTION length 3
> ff ff ff
>
> the output would look like:
>
> # evmctl ima_measurement -v --list /sys/kernel/security/integrity/ima/binary_runtime_measurements
> sha1: PCRAgg 10: 7723f6d980725507e5d0eb643dc179aae0efb719
> sha1: TPM PCR-10: 7723f6d980725507e5d0eb643dc179aae0efb719
> sha1 PCR-10: succeed
> sha256: PCRAgg 10: 5254d6dce62765f884dc67dac8d59a8721ae14495ae4a0cb73426d0c013a82b2
> sha256: TPM PCR-10: 5254d6dce62765f884dc67dac8d59a8721ae14495ae4a0cb73426d0c013a82b2
> sha256 PCR-10: succeed

Thanks Mimi and Roberto for the update.
The tpm2_pcrread command outputs the PCR values.
The one for PCR-10 matches the data output by evmctl.
-lakshmi