On Fri, 2020-07-24 at 15:12 -0400, Mimi Zohar wrote:
> On Fri, 2020-07-24 at 10:52 -0400, Stephen Smalley wrote:
> > Extend the ima_measurement --pcrs option to support per-bank pcr files.
> > The extended syntax is "--pcrs algorithm,pathname". If no algorithm
> > is specified, it defaults to sha1 as before. Multiple --pcrs options
> > are now supported, one per bank of PCRs. The file format remains
> > unchanged. If --pcrs is specified, only try to read PCRs from the
> > specified file(s); do not fall back to trying to read from sysfs
> > or the TPM itself in this case since the user requested use of
> > the files.
> >
> > Create per-bank pcr files, depends on "tpm: add sysfs exports for all
> > banks of PCR registers" kernel patch:
> > $ cat tpm2pcrread.sh
> > #!/bin/sh
> > # Dump all 24 PCRs of each bank into a file named pcr-<alg>,
> > # one "PCR-NN: <hex>" line per register.
> > for alg in sha1 sha256
> > do
> > rm -f pcr-$alg
> > pcr=0;
> > while [ $pcr -lt 24 ];
> > do
> > printf "PCR-%02d: " $pcr >> pcr-$alg;
> > cat /sys/class/tpm/tpm0/pcr-$alg/$pcr >> pcr-$alg;
> > pcr=$((pcr+1));   # POSIX arithmetic; $[...] is a bashism that fails under /bin/sh (dash)
> > done
> > done
> > $ sh ./tpm2pcrread.sh
> >
> > Pass only the sha1 PCRs to evmctl defaulting to sha1:
> > $ sudo evmctl ima_measurement --pcrs pcr-sha1 /sys/kernel/security/integrity/ima/binary_runtime_measurements
> >
> > Pass only the sha1 PCRs to evmctl with explicit selection of sha1:
> > $ sudo evmctl ima_measurement --pcrs sha1,pcr-sha1 /sys/kernel/security/integrity/ima/binary_runtime_measurements
> >
> > Pass both sha1 and sha256 PCRs to evmctl:
> > $ sudo evmctl ima_measurement --pcrs sha1,pcr-sha1 --pcrs sha256,pcr-sha256 /sys/kernel/security/integrity/ima/binary_runtime_measurements
> >
> > Signed-off-by: Stephen Smalley <stephen.smalley.work@xxxxxxxxx>
>
> I reviewed the patch and everything looks good, other than a few
> comments below. Weirdly the order in which the TPM bank files
> containing the PCRs are supplied on the command line is affecting
> being able to verify the measurement list - sha1, sha256 versus
> sha256, sha1. Perhaps during the time it takes to read the different
> banks, the PCRs have changed? Not quite sure what is happening.

Never mind, problem solved.

Mimi
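The following is an added illustration, not code from evmctl or this patch: it parses `--pcrs algorithm,pathname` values (bare pathname defaulting to sha1), reads the `PCR-NN: <hex>` files produced by the quoted tpm2pcrread.sh, and replays a measurement list into PCR 10 for each bank to check that verification does not depend on the order the banks are given. The event digests and PCR files are constructed inline, and the simplifying assumption is that each bank is extended with a digest computed in that bank's own algorithm.

```python
import hashlib

def parse_pcrs_option(value):
    # "--pcrs algorithm,pathname"; a bare pathname means sha1, as in the patch.
    if "," in value:
        alg, path = value.split(",", 1)
    else:
        alg, path = "sha1", value
    return alg.lower(), path

def parse_pcr_file(text):
    # Parse "PCR-NN: <hex>" lines (tpm2pcrread.sh output) into {index: bytes}.
    pcrs = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        label, sep, hexval = line.strip().partition(":")
        if not sep or not label.startswith("PCR-"):
            raise ValueError(f"malformed PCR line: {line!r}")
        pcrs[int(label[4:])] = bytes.fromhex(hexval.strip())
    return pcrs

def replay_pcr(alg, template_digests):
    # Start from an all-zero PCR and extend: pcr = H(pcr || digest) per event.
    pcr = b"\x00" * hashlib.new(alg).digest_size
    for d in template_digests:
        pcr = hashlib.new(alg, pcr + d).digest()
    return pcr

def verify_banks(pcr_options, measurement_digests, file_contents, pcr_index=10):
    # One --pcrs option per bank; result is {alg: replayed PCR == PCR from file}.
    results = {}
    for opt in pcr_options:
        alg, path = parse_pcrs_option(opt)
        pcrs = parse_pcr_file(file_contents[path])
        results[alg] = replay_pcr(alg, measurement_digests[alg]) == pcrs[pcr_index]
    return results

# Constructed sample data (not real measurements): per-bank digests of three events.
SAMPLE_EVENTS = [b"boot_aggregate", b"/usr/bin/ls", b"/usr/bin/cat"]
SAMPLE_DIGESTS = {alg: [hashlib.new(alg, e).digest() for e in SAMPLE_EVENTS]
                  for alg in ("sha1", "sha256")}

def make_pcr_file(alg, pcr10):
    # Build a pcr-<alg> file in tpm2pcrread.sh format; every PCR but 10 is zero.
    zero = b"\x00" * hashlib.new(alg).digest_size
    return "".join(f"PCR-{i:02d}: {(pcr10 if i == 10 else zero).hex()}\n" for i in range(24))

SAMPLE_FILES = {f"pcr-{alg}": make_pcr_file(alg, replay_pcr(alg, SAMPLE_DIGESTS[alg]))
                for alg in ("sha1", "sha256")}

if __name__ == "__main__":
    print(verify_banks(["sha256,pcr-sha256", "pcr-sha1"], SAMPLE_DIGESTS, SAMPLE_FILES))
```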