On Mon, 2020-02-24 at 15:04 -0800, patrick@xxxxxxxxxxxxxx wrote:
> From: Patrick Uiterwijk <patrick@xxxxxxxxxxxxxx>
>
> This patch makes it possible to use the Intel TSS2 for getting
> PCR values from the SHA1/SHA256 banks on a TPM2.
> It is somewhat naive as it doesn't use the multi-PCR selection
> that TSS2 is capable of; that is for a future patch.
>
> Signed-off-by: Patrick Uiterwijk <patrick@xxxxxxxxxxxxxx>

Thanks, Patrick. There was a missing include in pcr_tsspcrread.c, which I've included. This patch is now in the ima-evm-utils next-testing branch. I'd appreciate some Review/Test tags for at least the pcr_tss.c aspect.

IMA support for extending the TPM 2.0 banks with the appropriate hash algorithm will, hopefully, be upstreamed in Linux 5.8.

The new "boot_aggregate" test calculates a per TPM bank "boot_aggregate" value, one of which should match the "boot_aggregate" value in the IMA measurement list. Please note that the new "boot_aggregate" test[1] can be run as root, which accesses the exported TPM securityfs event log, or as a user, which uses the sample TPM 2.0 event log and associated IMA measurement list. Calculating the "boot_aggregate" based on the sample TPM 2.0 event log requires starting a software TPM and initializing it based on the TPM event log. The code currently initializes the TPM using tsseventextend[2].

Testing ima-evm-utils support for multiple crypto and TSS packages requires building a matrix. As I'm new to travis, the travis code is in the next-testing-travis branch, but will not be upstreamed at this point. To prevent running the "boot_aggregate" test when using the tpm2-tss, the software TPM is not installed.

Mimi

[1] VERBOSE=1 make check TESTS=boot_aggregate.test
[2] tsseventextend -tpm -if "${BINARY_BIOS_MEASUREMENTS}" -v
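As an added example (not part of this thread or of ima-evm-utils), the replay-and-compare step the test performs, written in Python: constructed event data is extended into zeroed SHA1 and SHA256 PCR banks the way a software TPM initialised from the event log would be, a per-bank "boot_aggregate" is computed, and the bank whose aggregate matches a measurement-list value is identified. It assumes IMA's definition of boot_aggregate as the bank's hash over PCRs 0-7; the event data, PCR indices and the per-bank hashing of raw event data are constructed simplifications of a real crypto-agile log.

```python
import hashlib

BANKS = ("sha1", "sha256")   # the two banks the patch reads via TSS2
NUM_PCRS = 24

# Constructed sample event log: (PCR index, event data). A real TPM 2.0
# crypto-agile log already carries one digest per active bank; here the
# digest is derived from the data so the example stays self-contained.
SAMPLE_EVENTS = [
    (0, b"EV_S_CRTM_VERSION: constructed firmware version string"),
    (0, b"EV_POST_CODE: constructed POST code blob"),
    (4, b"EV_EFI_BOOT_SERVICES_APPLICATION: constructed bootloader"),
    (7, b"EV_EFI_VARIABLE_DRIVER_CONFIG: constructed SecureBoot var"),
]


def replay_event_log(events, banks=BANKS):
    """Replay extend operations into zero-initialised PCR banks.

    Mirrors what initialising a software TPM from the event log does:
    for each event, PCR_new = H(PCR_old || digest) in every bank."""
    pcrs = {bank: [bytes(hashlib.new(bank).digest_size)] * NUM_PCRS
            for bank in banks}
    for pcr_index, event_data in events:
        for bank in banks:
            digest = hashlib.new(bank, event_data).digest()
            pcrs[bank][pcr_index] = hashlib.new(
                bank, pcrs[bank][pcr_index] + digest).digest()
    return pcrs


def boot_aggregate(bank_pcrs, bank, pcr_range=range(0, 8)):
    """IMA boot_aggregate for one bank: hash over the concatenated PCRs
    (assumed here: PCRs 0-7, the long-standing IMA definition)."""
    h = hashlib.new(bank)
    for i in pcr_range:
        h.update(bank_pcrs[i])
    return h.hexdigest()


def matching_bank(measured_aggregate, pcrs):
    """Return the bank whose boot_aggregate equals the value recorded in
    the IMA measurement list, or None if no bank matches."""
    for bank, values in pcrs.items():
        if boot_aggregate(values, bank) == measured_aggregate:
            return bank
    return None


if __name__ == "__main__":
    replayed = replay_event_log(SAMPLE_EVENTS)
    for bank in BANKS:
        print(bank, boot_aggregate(replayed[bank], bank))
```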