On Thu, 2022-12-15 at 11:54 +0100, Michaël Musset wrote: > Hi, > > I've enabled IMA , policy that are enabled, checked only binary file and module. > > The problem is that the booting of systemd is not predictable, so > after each boot the PCR 10 is different. Hi Michael yes, this is one of the problems of doing file measurements with parallel execution. It is a property of the TPM PCR extension, to bind the current measurement to the previous ones. It is for security reasons, to avoid an attacker to go back to when there were only good measurements. > Then I'm unable to use tpm_unsealdata at PCR 10 . Yes, with the current measurement approach it is not feasible. > I would like to have your opinion on that. What is the point of PCR 10 > if it's not the same at a certain moment on the linux boot. PCR 10 was intended to protect the integrity of measurements, to be sent to remote verifiers. Those verifiers, by seeing the measurements, can conclude if the properties they are interested in are successfully verified or not. > I wanted to use PCR 10 to protect a key based on the hash of each > binary in my linux SD. I have developed a solution that does what you want. It is called DIGLIM: https://lore.kernel.org/linux-integrity/20210914163401.864635-1-roberto.sassu@xxxxxxxxxx/ At boot time, before init, it extends a PCR with a list of digests of files from your disk (or better, from your Linux distribution, signed by the vendor). IMA then searches the digest of the files being accessed at run-time in that preloaded list. If it finds it, it does not further extend the PCR. Otherwise, it extends the PCR. With this scheme, the PCR is again predictable and you can seal keys with it. After an unknown file was accessed, the key becomes unusable (due to the PCR extend). I actually implemented a library: https://github.com/openeuler-mirror/attest-tools to generate keys and certificates to be used for a TLS connection. The key is bound to the list of file digests (and to the other components involved in the boot process). It requires openssl_tpm2_engine from James Bottomley. > looks like this is not the correct way, > > I've an idea to fix it : > > sort -k 5 /sys/kernel/security/ima/ascii_runtime_measurements > somefile.txt > sha1sum somefile.txt > with this somefile.txt contain a hash that is always the same after each boot Yes, this is more or less what DIGLIM was at the beginning. Roberto
