On Tue, 2021-02-09 at 07:21 -0500, Stefan Berger wrote:
> When a system is very busy with IMA taking measurements into more than
> one bank, then we often do not get the PCR 10 values of the sha1 bank
> that represents the same log entry as the reading of the PCR value of
> the sha256 bank. In other words, the reading of the PCR 10 value from
> the sha1 bank may represent the PCR 10 state at the time of the
> n-th entry in the log while the reading of the PCR 10 value from the
> sha256 bank may represent the state at the time of a later-than-n entry.
> The result currently is that the PCR measurements do not match and
> on a busy system the tool may not easily report a successful match.
>
> This patch fixes this issue by separating the TPM bank comparison for
> each one of the banks being looked at and using a bit mask for checking
> which banks have already been matched. Once the mask has become 0
> all PCR banks have been successfully matched.
>
> A run on a busy system may result in the output as follows indicating
> PCR bank matches at the n-th entry for the sha1 bank and at a later
> entry, possibly n + 1 or n + 2 or so, for the sha256 bank. The
> output is interleaved with a match of the sha1 bank against 'padded
> matching'.
>
> $ evmctl ima_measurement --ignore-violations /sys/kernel/security/ima/binary_runtime_measurements -v
> sha1: PCRAgg 10: 381cc6139e2fbda76037ec0946089aeccaaa5374
> sha1: TPM PCR-10: 381cc6139e2fbda76037ec0946089aeccaaa5374
> sha1 PCR-10: succeed at entry 4918
> sha1: PCRAgg 10: 381cc6139e2fbda76037ec0946089aeccaaa5374
> sha1: TPM PCR-10: 381cc6139e2fbda76037ec0946089aeccaaa5374
> sha1 PCR-10: succeed at entry 4918
> [...]
> sha256: PCRAgg 10: c21dcb7098b3d7627f7aaeddf8aff68a65209027274d82af52be2fd302193eb7
> sha256: TPM PCR-10: c21dcb7098b3d7627f7aaeddf8aff68a65209027274d82af52be2fd302193eb7
> sha256 PCR-10: succeed at entry 4922
> Matched per TPM bank calculated digest(s).
>
> Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxxxxx>
> ---
> v1->v2:
>   - Reporting entry number that resulted in a match when in verbose mode

Thanks, Stefan.  This and your other two patches are now queued in next-testing.

Mimi
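The following Python is an added illustration of the per-bank matching strategy described in the patch above; it is not code from the thread or from ima-evm-utils. It models PCR 10 in two banks, simulates the situation the patch addresses (the sha1 bank read after entry n, the sha256 bank read a couple of entries later), and then walks the log once, recomputing each bank's aggregate and clearing that bank's bit in a mask as soon as its aggregate equals the TPM reading; a bank that never matches is reported at the end. All entry contents are constructed, and the entry model is simplified: each entry carries one template-data digest per bank, with no handling of violation entries (0xff-extended) or of 'padded' sha1 digests, both of which the real tool deals with.

```python
import hashlib

BANKS = ("sha1", "sha256")


def pcr_extend(pcr, digest, algo):
    """TPM extend semantics for one bank: new = H_algo(old || digest)."""
    return hashlib.new(algo, pcr + digest).digest()


def make_entries(count, banks=BANKS):
    """Constructed stand-in for IMA log entries (assumption: one digest per
    bank over the same template data; the real binary log has more fields)."""
    entries = []
    for i in range(count):
        template_data = b"constructed IMA template data for entry %d" % i
        entries.append({b: hashlib.new(b, template_data).digest() for b in banks})
    return entries


def simulate_tpm_reads(entries, extended_upto):
    """What PCR 10 would read in each bank after the first k entries, with k
    chosen per bank. Different k per bank models reading the banks at
    different moments on a busy system."""
    pcrs = {}
    for bank, k in extended_upto.items():
        pcr = bytes(hashlib.new(bank).digest_size)  # PCR 10 resets to zero
        for entry in entries[:k]:
            pcr = pcr_extend(pcr, entry[bank], bank)
        pcrs[bank] = pcr
    return pcrs


def match_banks(entries, tpm_pcrs):
    """Compare each bank independently, tracking unmatched banks in a bit mask.

    Returns (matched, unmatched): matched maps bank -> 1-based entry index at
    which the recomputed aggregate equalled the TPM reading; unmatched lists
    banks whose bit was still set after the whole log was walked.
    """
    banks = list(tpm_pcrs)
    bank_bit = {bank: 1 << i for i, bank in enumerate(banks)}
    pending = (1 << len(banks)) - 1  # one bit per bank still to be matched
    agg = {bank: bytes(hashlib.new(bank).digest_size) for bank in banks}
    matched = {}

    for idx, entry in enumerate(entries, start=1):
        for bank in banks:
            if not pending & bank_bit[bank]:
                continue  # this bank already matched at an earlier entry
            agg[bank] = pcr_extend(agg[bank], entry[bank], bank)
            if agg[bank] == tpm_pcrs[bank]:
                matched[bank] = idx
                pending &= ~bank_bit[bank]
        if pending == 0:
            break  # all banks matched; no need to read further entries

    unmatched = [bank for bank in banks if pending & bank_bit[bank]]
    return matched, unmatched


if __name__ == "__main__":
    log = make_entries(6)
    # sha1 bank read after entry 4, sha256 bank read after entry 6 (constructed).
    readings = simulate_tpm_reads(log, {"sha1": 4, "sha256": 6})
    matched, unmatched = match_banks(log, readings)
    for bank, idx in matched.items():
        print("%s PCR-10: succeed at entry %d" % (bank, idx))
    for bank in unmatched:
        print("%s PCR-10: no match after %d entries" % (bank, len(log)))
```

Note that stopping once the mask is zero is what lets the tool accept a match for the sha1 bank at entry n and for the sha256 bank at a later entry within the same pass; a single combined comparison of both banks at each entry would never succeed on such readings. A bank that stays pending after the last entry is the failure case a verifier should surface rather than silently ignore.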