Hi Petr, On Thu, 2020-06-18 at 20:10 +0200, Petr Vorel wrote: > For both kernel with and without CONFIG_IMA=y. > > NOTE: ima_boot_aggregate was added in dc00c92, without TPM 2.0 > it just reported: > EVP_DigestInit() failed > (null): > > Fixes: 917317a ("ima_evm_utils: emit the per TPM PCR bank > "boot_aggregate" values") > > Signed-off-by: Petr Vorel <pvorel@xxxxxxx> I don't have a problem with accepting this solution, but I think the real problem is that hash_info.h is not included in the kernel-headers package on the system. One solution would be to include a default hash_info.h file in ima-evm-utils and fall back to using it. Mimi > --- > src/evmctl.c | 10 ++++++++-- > 1 file changed, 8 insertions(+), 2 deletions(-) > > diff --git a/src/evmctl.c b/src/evmctl.c > index 1d065ce..94ec56b 100644 > --- a/src/evmctl.c > +++ b/src/evmctl.c > @@ -1998,11 +1998,17 @@ static int cmd_ima_bootaggr(struct command *cmd) > * Format: <hash algorithm name>:<boot_aggregate digest>\n ... > */ > for (i = 0; i < num_banks; i++) { > - if (!tpm_banks[i].supported) > + if (!tpm_banks[i].supported || !tpm_banks[i].algo_name) > continue; > bootaggr_len += strlen(tpm_banks[i].algo_name) + 1; > bootaggr_len += (tpm_banks[i].digest_size * 2) + 1; > } > + > + if (!bootaggr_len) { > + log_info("No TPM 2.0 PCR bank algorithm found (no TPM 2.0?)\n"); > + return -1; > + } > + > bootaggr = malloc(bootaggr_len); > > /* > @@ -2012,7 +2018,7 @@ static int cmd_ima_bootaggr(struct command *cmd) > * strings. > */ > for (i = 0; i < num_banks; i++) { > - if (!tpm_banks[i].supported) > + if (!tpm_banks[i].supported || !tpm_banks[i].algo_name) > continue; > calc_bootaggr(&tpm_banks[i]); > offset += append_bootaggr(bootaggr + offset, tpm_banks + i);
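Review bot: In the first hunk (@@ -1998), the new `if (!bootaggr_len)` block returns -1 but reports the condition through log_info, so a failing run can exit non-zero without printing anything at the default verbosity. The message also guesses "no TPM 2.0?", while the loop above now reaches a zero length in two different ways: no bank is marked `supported`, or a supported bank has a NULL `algo_name`. Consider logging at error level and wording the message so it separates those two cases. A short comment on the added `!tpm_banks[i].algo_name` test saying when the name can be NULL would help the next reader.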
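Review bot: In the second hunk (@@ -2012), the skip condition `!tpm_banks[i].supported || !tpm_banks[i].algo_name` is now written out twice, once in the loop that sizes `bootaggr` and once in this loop that writes into it. The two copies have to stay identical, because any later change to only one of them makes `append_bootaggr(bootaggr + offset, ...)` write a different number of bytes than `bootaggr_len` accounted for. Consider moving the test into one small helper, or clearing `supported` for a bank whose `algo_name` is NULL before the first loop, so the sizing pass and the fill pass cannot drift apart.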