Hi Maurizo, On Thu, 2020-06-11 at 15:54 -0400, Maurizio Drocco wrote: > IMA is not considering TPM registers 8-9 when calculating the boot > aggregate. When registers 8-9 are used to store measurements of the > kernel and its command line (e.g., grub2 bootloader with tpm module > enabled), IMA should include them in the boot aggregate. > > Signed-off-by: Maurizio Drocco <maurizio.drocco@xxxxxxx> Looks good. Just a minor comment below. Could you be a bit more specific as to what is being measured into which PCR. Perhaps include a reference to some doc or spec. In order to test, ima-evm-utils needs to be updated as well. Could you post the corresponding evmctl change? Please post the patch against the ima-evm-utils next-testing branch. > --- > security/integrity/ima/ima.h | 2 +- > security/integrity/ima/ima_crypto.c | 11 ++++++++++- > 2 files changed, 11 insertions(+), 2 deletions(-) > > diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h > index df93ac258e01..9d94080bdad8 100644 > --- a/security/integrity/ima/ima.h > +++ b/security/integrity/ima/ima.h > @@ -30,7 +30,7 @@ > > enum ima_show_type { IMA_SHOW_BINARY, IMA_SHOW_BINARY_NO_FIELD_LEN, > IMA_SHOW_BINARY_OLD_STRING_FMT, IMA_SHOW_ASCII }; > -enum tpm_pcrs { TPM_PCR0 = 0, TPM_PCR8 = 8 }; > +enum tpm_pcrs { TPM_PCR0 = 0, TPM_PCR8 = 8, TPM_PCR10 = 10 }; > > /* digest size for IMA, fits SHA1 or MD5 */ > #define IMA_DIGEST_SIZE SHA1_DIGEST_SIZE > diff --git a/security/integrity/ima/ima_crypto.c b/security/integrity/ima/ima_crypto.c > index 220b14920c37..6f0137bdaf61 100644 > --- a/security/integrity/ima/ima_crypto.c > +++ b/security/integrity/ima/ima_crypto.c > @@ -809,7 +809,7 @@ static void ima_pcrread(u32 idx, struct tpm_digest *d) > static int ima_calc_boot_aggregate_tfm(char *digest, u16 alg_id, > struct crypto_shash *tfm) > { > - struct tpm_digest d = { .alg_id = alg_id, .digest = {0} }; > + struct tpm_digest d = { .alg_id = alg_id, .digest = {0} }, d0 = d; > int rc; > u32 i; > SHASH_DESC_ON_STACK(shash, tfm); > @@ -830,6 +830,15 @@ static int ima_calc_boot_aggregate_tfm(char *digest, u16 alg_id, > rc = crypto_shash_update(shash, d.digest, > crypto_shash_digestsize(tfm)); > } > + /* extend cumulative sha1 over tpm registers 8-9 */ > + for (i = TPM_PCR8; i < TPM_PCR10; i++) { > + ima_pcrread(i, &d); > + /* if not zero, accumulate with current aggregate */ > + if (memcmp(d.digest, d0.digest, > + crypto_shash_digestsize(tfm) != 0)) The formatting here is a bit off. thanks, Mimi > + rc = crypto_shash_update(shash, d.digest, > + crypto_shash_digestsize(tfm)); > + } > if (!rc) > crypto_shash_final(shash, digest); > return rc;