The "boot_aggregate" contained in the IMA measurement list has always been a SHA1 hash. With Roberto's "ima: support stronger algorithms for attestation" patch set, the hash algorithm used to calculate the "boot_aggregate" will either be the IMA default hash algorithm or fall back to using SHA1 for TPM 1.2 or SHA256 for TPM 2.0, assuming a SHA256 TPM bank exists.

This test may be used to verify the "boot_aggregate" based on a physical TPM or a software TPM. If a software TPM is not running on the system, one is started and initialized by walking a sample binary_bios_measurements log and extending the software TPM with those values. The "boot_aggregate" is then calculated and compared against the sample ascii_runtime_measurements record.

This test depends on Vitaly's "ima-evm-utils: Add some tests for evmctl" patch being upstreamed. I would appreciate some review on both his patch and on this patch set. To help facilitate this review, I've pushed out a next-testing topic branch. Included in this topic branch is Patrick Uiterwijk's support for reading the TPM PCRs using Intel's TSS2.

Thanks!

Mimi

Mimi Zohar (3):
  ima-evm-utils: tests: verify boot_aggregate
  ima-evm-utils: tests: verify the last "boot_aggregate" record
  ima_evm_utils: tests: color boot_aggregate.test tty output

 tests/Makefile.am                     |   2 +-
 tests/boot_aggregate.test             | 150 ++++++++++++++++++++++++++++++++++
 tests/test_ascii_runtime_measurements |   3 +
 tests/test_binary_bios_measurements   | Bin 0 -> 23248 bytes
 4 files changed, 154 insertions(+), 1 deletion(-)
 create mode 100755 tests/boot_aggregate.test
 create mode 100644 tests/test_ascii_runtime_measurements
 create mode 100644 tests/test_binary_bios_measurements

-- 
2.7.5
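The check described in the cover letter (replay the event log into PCRs, calculate the "boot_aggregate", compare it with the measurement-list record), as an added Python sketch that is not part of the patch set or of ima-evm-utils. Assumptions: the aggregate is the hash over PCRs 0-7 of the selected bank (the kernel's convention, not stated in the message, so it is a parameter here), the ASCII record uses the "ima" or "ima-ng" template layout, and the events and function names are constructed for illustration.

```python
import hashlib

# Constructed sample events: (pcr_index, {algo: digest}); not a real firmware log.
SAMPLE_EVENTS = [
    (pcr, {a: hashlib.new(a, data).digest() for a in ("sha1", "sha256")})
    for pcr, data in [(0, b"firmware"), (4, b"bootloader"),
                      (7, b"secure-boot-policy"), (4, b"kernel")]
]

def replay_pcrs(events, algo, num_pcrs=24):
    """Replay the event log into one PCR bank, as a TPM extend would."""
    size = hashlib.new(algo).digest_size
    pcrs = [bytes(size)] * num_pcrs          # PCRs 0-7 start as all zeros
    for index, digests in events:
        # extend: PCR_new = H(PCR_old || event_digest)
        pcrs[index] = hashlib.new(algo, pcrs[index] + digests[algo]).digest()
    return pcrs

def boot_aggregate(pcrs, algo, pcr_range=range(0, 8)):
    """Hash the concatenated PCR values (range is an assumption, see lead-in)."""
    h = hashlib.new(algo)
    for i in pcr_range:
        h.update(pcrs[i])
    return h.hexdigest()

def last_boot_aggregate(ascii_log):
    """Return (algo, hexdigest) of the last boot_aggregate record, or None."""
    found = None
    for line in ascii_log.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[4] == "boot_aggregate":
            # "ima-ng" records carry "algo:digest"; the older "ima" template is bare SHA1
            algo, _, digest = fields[3].rpartition(":")
            found = (algo or "sha1", digest.lower())
    return found

def verify(events, ascii_log):
    """True if the replayed PCRs reproduce the recorded boot_aggregate."""
    record = last_boot_aggregate(ascii_log)
    if record is None or record[0] not in ("sha1", "sha256"):
        return False
    algo, expected = record
    return boot_aggregate(replay_pcrs(events, algo), algo) == expected

if __name__ == "__main__":
    agg = boot_aggregate(replay_pcrs(SAMPLE_EVENTS, "sha256"), "sha256")
    log = f"10 {'0' * 40} ima-ng sha256:{agg} boot_aggregate\n"  # constructed record
    print(agg, verify(SAMPLE_EVENTS, log))
```

Because extend is order-dependent, replaying the same events in a different order yields a different aggregate, which is why the log has to be walked in sequence.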