On Tue, 2020-07-21 at 08:30 -0400, Mimi Zohar wrote:
> Hi James,
>
> On Mon, 2020-07-20 at 08:00 -0700, James Bottomley wrote:
> > use macro magic to create sysfs per hash groups with 24 PCR files
> > in them one for each possible agile hash of the TPM. The files are
> > plugged in to a read function which is TPM version agnostic, so
> > this works also for TPM 1.2 although the hash is only sha1 in that
> > case. For every hash the TPM supports, a group named pcr-<hash> is
> > created and each of the PCR read files placed under it.
> >
> > Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
>
> Nice! Being able to read the TPM 2.0 PCRs, without requiring a TSS,
> will really simplify regression testing - re-calculating the IMA
> "boot_aggregate" and verifying the IMA measurement list.
>
> With the following code snippet all of the PCRs for all the exported
> TPM banks are displayed, but unfortunately the digests are not
> ordered or prefixed with the PCR.
>
> banks=$(echo -n $(ls -d /sys/class/tpm/tpm0/pcr-*))
>
> for bank in ${banks[@]}; do
>     echo "$bank:"
>     find "${bank}/" -type f -exec cat {} \;
>     echo " "
> done
>
> Either this code snippet needs to be fixed or, perhaps, instead of
> returning just the digest, the digest could be prefixed with the PCR
> number (eg. PCR-00:<digest>).

I think the sysfs output should be a pure hash to save having to
massage it. However, if you want the 1.2 format, this is the script I
use:

a=0; while [ $a -lt 24 ]; do printf "PCR-%02d: " $a; cat /sys/class/tpm/tpm0/pcr-sha1/$a; a=$[$a+1]; done

> FYI, with this patch on a system with TPM 1.2, IMA goes into
> TPM-bypass mode.

Hm, got to say I ran this in a virtual environment with the emulator
and I don't have a TPM 1.2. I'm sure I have a physical system with TPM
1.2 somewhere I can dig out.

> From dmesg (with some extra debugging):
> tpm_chip_register: tpm_add_legacy_sysfs failed
> tpm_tis: probe of 00:05 failed with error -2

Oh, it's assuming chip->groups[0] is the unnamed group. I can put that
back. I only added the pcr groups first so they could be counted to
make sure a warning triggered if we had too many.

James
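The following is an added example, not code from either message above or from the kernel patch under discussion. It generalises James's one-bank loop to every exported bank and walks the PCR indices explicitly instead of relying on `find` order, so the output is numerically ordered and prefixed with the PCR number, which is what Mimi's snippet was missing. It assumes only the sysfs layout the patch describes (`/sys/class/tpm/tpm0/pcr-<hash>/<n>`, one file per PCR holding the digest as a hex string). The `make_fake_tpm` helper builds a constructed stand-in for that layout so the script can be exercised offline without a TPM; its digests are padded counters, not real PCR values.

```shell
#!/bin/sh
# dump_pcrs [tpm sysfs dir]
# Print "PCR-NN: <digest>" for every PCR of every pcr-<hash> bank, in
# numeric PCR order. Defaults to /sys/class/tpm/tpm0 (the layout the
# patch creates; assumption for this example).
dump_pcrs() {
    tpmdir=${1:-/sys/class/tpm/tpm0}
    for bank in "$tpmdir"/pcr-*; do
        [ -d "$bank" ] || continue
        echo "${bank##*/}:"
        # Walk 0..23 explicitly so order is by PCR index, not directory
        # enumeration order; skip indices the bank does not expose.
        n=0
        while [ "$n" -lt 24 ]; do
            if [ -r "$bank/$n" ]; then
                printf 'PCR-%02d: %s\n' "$n" "$(cat "$bank/$n")"
            fi
            n=$((n + 1))
        done
    done
}

# make_fake_tpm <dir>
# Constructed stand-in for the sysfs tree, used only for offline testing.
# Each "digest" is the PCR index zero-padded to the bank's hex width
# (40 chars for sha1, 64 for sha256); these are not real measurements.
make_fake_tpm() {
    d=$1
    mkdir -p "$d/pcr-sha1" "$d/pcr-sha256"
    n=0
    while [ "$n" -lt 24 ]; do
        printf '%040d\n' "$n" > "$d/pcr-sha1/$n"
        printf '%064d\n' "$n" > "$d/pcr-sha256/$n"
        n=$((n + 1))
    done
}

# Usage on a real system: dump_pcrs            (or dump_pcrs /sys/class/tpm/tpm0)
# Offline: t=$(mktemp -d); make_fake_tpm "$t"; dump_pcrs "$t"
```

Because the loop reads `$bank/$n` by index rather than globbing, it works the same for a TPM 1.2 that exports only `pcr-sha1` and for a TPM 2.0 with several banks, and the output lines are stable enough to diff against a stored snapshot in a regression test.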