On Fri, 2021-02-05 at 13:07 -0500, Stefan Berger wrote:
> When a system is very busy with IMA taking measurements into more than
> one bank, then we often do not get the PCR 10 values of the sha1 bank
> that represents the same log entry as the reading of the PCR value of
> the sha256 bank. In other words, the reading of the PCR 10 value from
> the sha1 bank may represent the PCR 10 state at the time of the
> n-th entry in the log while the reading of the PCR 10 value from the
> sha256 bank may represent the state at the time of the (n+1)-th entry.
> The result currently is that the PCR measurements do not match and
> on a busy system the tool may not easily report a successful match.
>
> This patch fixes this issue by separating the TPM bank comparison for
> each one of the banks being looked at and using a bit mask for checking
> which banks have already been matched. Once the mask has become 0
> all PCR banks have been successfully matched.
>
> A run on a busy system may result in the output as follows, indicating
> PCR bank matches at the n-th entry for the sha1 bank and at a later
> entry, possibly n + 1 or n + 2 or so, for the sha256 bank. The
> output is interleaved with a match of the sha1 bank against 'padded
> matching'.
>
> $ evmctl ima_measurement --ignore-violations /sys/kernel/security/ima/binary_runtime_measurements
> Matched bank number 1.
> Matched padded bank number 1.
> Matched bank number 2.
> Matched per TPM bank calculated digest(s).
>
> An idle system may report this here, indicating matches at the n-th
> entry.
>
> $ evmctl ima_measurement --ignore-violations /sys/kernel/security/ima/binary_runtime_measurements
> Matched bank number 1.
> Matched bank number 2.
> Matched per TPM bank calculated digest(s).
>
> Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxxxxx>

Thanks, Stefan. The patch itself looks good. However, the "Matched bank
number" debugging info should not be displayed at verbose level 0. The
output, below, is verbose level 1 (-v).

Instead of outputting the bank matched, including the per bank matched
measurement list entry number would be more interesting.

10 ffdf6aaba2d153397467d9b536f957315cba9f22 ima-sig sha256:264bc09abacd3d68041f0e1ca767f89cf9543c749684568b7dc747756ea2dc67 /usr/local/bin/evmctl
sha1: PCRAgg 10: 276b70c3b600f94e6f442e8f77e65bbf0586fd8c
sha1: TPM PCR-10: 276b70c3b600f94e6f442e8f77e65bbf0586fd8c
sha1 PCR-10: succeed                    <=== include measurement entry number
sha256: PCRAgg 10: 4694ebe62c7df34e212894b175d24e1bfb3c2c16d9d5000852c3cc7492367acb
sha256: TPM PCR-10: 4694ebe62c7df34e212894b175d24e1bfb3c2c16d9d5000852c3cc7492367acb
sha256 PCR-10: succeed                  <=== and here
Matched per TPM bank calculated digest(s).

thanks,

Mimi
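The following is an added example illustrating the per-bank matching scheme described in the commit message (one comparison per bank, a bit mask of banks still pending, success once the mask is 0) together with the entry-number reporting Mimi asks for. It is not code from ima-evm-utils or from either participant; it is written in Python rather than C so it runs without a TPM or libssl. The log layout (a list of dicts mapping bank name to that bank's template digest), the constructed template data, and the "read after entry n" TPM values are assumptions made up for the demonstration; 'padded' matching of zero-extended sha1 digests is not modelled.

```python
"""Per-bank PCR 10 matching with a pending-bank bit mask.

Added example, not ima-evm-utils code. Assumptions (not from the thread):
the measurement list is a list of dicts {bank name: template digest for
that bank}, only PCR 10 is tracked, and 'padded' matching is not modelled.
"""
import hashlib
from typing import Dict, List, Tuple

BANKS = ["sha1", "sha256"]          # bank index i is tracked by bit (1 << i)
PCR = 10


def extend(pcr: bytes, digest: bytes, algo: str) -> bytes:
    """TPM PCR extend: new_value = H(old_value || digest)."""
    return hashlib.new(algo, pcr + digest).digest()


def build_log(template_data: List[bytes]) -> List[Dict[str, bytes]]:
    """Constructed IMA-style measurement list: each entry's template data is
    hashed once per active bank, mirroring the kernel's per-bank digests."""
    return [{algo: hashlib.new(algo, blob).digest() for algo in BANKS}
            for blob in template_data]


def aggregate_after(log: List[Dict[str, bytes]], n: int, algo: str) -> bytes:
    """One bank's PCR 10 value as it stands after the n-th log entry.
    Used here only to fabricate the TPM readings for the scenarios below."""
    pcr = bytes(hashlib.new(algo).digest_size)   # PCR 10 starts all-zero
    for entry in log[:n]:
        pcr = extend(pcr, entry[algo], algo)
    return pcr


def match_lockstep(log: List[Dict[str, bytes]], tpm_pcr: Dict[str, bytes]) -> bool:
    """Pre-patch behaviour: all banks must agree with their TPM readings at
    the same entry. Fails when the banks were read at different positions."""
    pcr = {algo: bytes(hashlib.new(algo).digest_size) for algo in BANKS}
    for entry in log:
        for algo in BANKS:
            pcr[algo] = extend(pcr[algo], entry[algo], algo)
        if all(pcr[algo] == tpm_pcr[algo] for algo in BANKS):
            return True
    return False


def match_banks(log: List[Dict[str, bytes]],
                tpm_pcr: Dict[str, bytes]) -> Tuple[Dict[str, int], List[str]]:
    """Post-patch behaviour: each bank is compared on its own; a bank's bit
    is cleared from `pending` at the first entry where its recomputed
    aggregate equals the TPM reading. Returns ({bank: matched entry number},
    [banks still pending]); the entry number is the detail Mimi asked for."""
    pending = (1 << len(BANKS)) - 1
    pcr = {algo: bytes(hashlib.new(algo).digest_size) for algo in BANKS}
    matched: Dict[str, int] = {}
    for num, entry in enumerate(log, start=1):
        for i, algo in enumerate(BANKS):
            pcr[algo] = extend(pcr[algo], entry[algo], algo)
            if pending & (1 << i) and pcr[algo] == tpm_pcr[algo]:
                matched[algo] = num
                pending &= ~(1 << i)
        if pending == 0:                  # mask empty: every bank matched
            break
    unmatched = [algo for i, algo in enumerate(BANKS) if pending & (1 << i)]
    return matched, unmatched


def report(matched: Dict[str, int], unmatched: List[str]) -> List[str]:
    """Verbose-style result lines that carry the matched entry number."""
    lines = [f"{algo} PCR-{PCR}: succeed (entry {num})"
             for algo, num in matched.items()]
    lines += [f"{algo} PCR-{PCR}: failed" for algo in unmatched]
    if not unmatched:
        lines.append("Matched per TPM bank calculated digest(s).")
    return lines


# Constructed four-entry log; the blobs merely stand in for template data.
LOG = build_log([b"boot_aggregate", b"/usr/bin/ls",
                 b"/usr/local/bin/evmctl", b"/etc/passwd"])
# Busy system: sha1 bank read after entry 3, sha256 bank after entry 4.
BUSY_TPM = {"sha1": aggregate_after(LOG, 3, "sha1"),
            "sha256": aggregate_after(LOG, 4, "sha256")}
# Idle system: both banks read after entry 3.
IDLE_TPM = {algo: aggregate_after(LOG, 3, algo) for algo in BANKS}

if __name__ == "__main__":
    print("lockstep, busy :", match_lockstep(LOG, BUSY_TPM))
    print("per-bank, busy :", report(*match_banks(LOG, BUSY_TPM)))
    print("per-bank, idle :", report(*match_banks(LOG, IDLE_TPM)))
```

Run stand-alone, the lockstep comparison reports no match for the busy readings while the per-bank walk matches sha1 at entry 3 and sha256 at entry 4; the idle readings match both banks at entry 3. A bank whose reading never agrees with any aggregate keeps its bit set and is listed as failed instead of silently masking the mismatch.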