Re: [RFC PATCH -next] ima: Make tpm hash configurable

Hi Scott,

This patch changes the TPM PCR hash algorithm and value in the IMA
measurement list.  The Subject line doesn't convey that.

On Thu, 2023-08-17 at 14:13 +0800, GUO Zihua wrote:
> TPM2 chips support algorithms other than SHA1. However, the original
> IMA design hardcodes the template hash to be SHA1.

True, IMA initially calculated and extended a SHA1 hash into the TPM,
but Roberto addressed that years ago.  Refer to commit 1ea973df6e21
("ima: Calculate and extend PCR with digests in ima_template_entry").

IMA now calculates and extends each of the enabled TPM banks with the
appropriate hash value.  The PCR value in the IMA measurement list
remains SHA1.  Attestation servers can first verify the SHA1 template
hash as stored in the measurement list.  Then they can walk the IMA
measurement list calculating the template data hash based on the per
TPM bank algorithm to verify the TPM bank PCR value. 

> 
> This patch added CONFIG_IMA_TEMPLATE_HASH as well as ima_tpm_hash=
> cmdline argument for configuring the template hash. The usage is similar
> to CONFIG_IMA_DEFAULT_HASH and ima_hash=. The configured hash is checked
> against the TPM to make sure that the hash algorithm is supported by
> ima_tpm_chip.
> 
> To accommodate the change, we must put a digest length into binary
> measurement list items. The binary measurement list item format is
> changed to this:
> 	16bit-le=pcr#
> 	16bit-le=template digest size
> 	char[n]=template digest
> 	32bit-le=template name size
> 	char[n]=template name
> 	[eventdata length]
> 	eventdata[n]=template specific data
> The first element is now a 16bit pcr number and a 16bit template digest
> size, instead of the original 32bit pcr number.
> 
> The format of ascii_measurement_list is also changed. For sha1 template
> hash, the format is the same as before. For other hash algorithms, a
> hash name is prepended as such:
> "sha256:30ee3e25620478759600be00e06fda7b4fe23bbf575621d480400d536cf54f5b"
> Signed-off-by: GUO Zihua <guozihua@xxxxxxxxxx>

Other proposals have changed the hard coded hash algorithm and PCR
value from SHA1 to SHA256.  Both that proposal and this will break
existing userspace applications.

Before we can introduce this sort of change, we would need to introduce
an IMA measurement list version.  Perhaps it's time to define an IMA
security critical-data record, which would include this and other
information.  The measurement list itself would need to include a
version number.

-- 
thanks,

Mimi
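
The verification flow described in the reply above (check the SHA1 template hash stored in the list, then walk the list recomputing the template data hash with a TPM bank's algorithm), as an added example that is not part of the original message or of the kernel's code. It assumes the existing little-endian binary layout with a 32-bit PCR number and a fixed 20-byte SHA1 digest, ima-ng style entries that carry a template data length, and hypothetical helper names; the sample list is constructed.

```python
import hashlib
import struct

def ima_ng_data(file_digest, path):
    """Constructed ima-ng template data: d-ng and n-ng, each length-prefixed."""
    fields = (b"sha256:\0" + file_digest, path + b"\0")
    return b"".join(struct.pack("<I", len(f)) + f for f in fields)

def build_entry(pcr, data, violation=False, name=b"ima-ng"):
    """Existing layout: 32-bit PCR, fixed 20-byte SHA1 template digest."""
    digest = bytes(20) if violation else hashlib.sha1(data).digest()
    return (struct.pack("<I", pcr) + digest + struct.pack("<I", len(name))
            + name + struct.pack("<I", len(data)) + data)

def parse_entries(blob):
    """Yield (pcr, sha1_template_digest, template_name, template_data)."""
    off = 0
    while off < len(blob):
        pcr, digest, nlen = struct.unpack_from("<I20sI", blob, off)
        name = blob[off + 28:off + 28 + nlen]
        (dlen,) = struct.unpack_from("<I", blob, off + 28 + nlen)
        start = off + 32 + nlen
        off = start + dlen
        if off > len(blob):
            raise ValueError("truncated measurement list")
        yield pcr, digest, name, blob[start:off]

def replay(blob, bank, pcr_index=10):
    """Check each SHA1 template hash, then replay the list into one PCR bank."""
    size = hashlib.new(bank).digest_size
    value = bytes(size)  # PCR starts as all zeros
    for pcr, listed, _name, data in parse_entries(blob):
        violation = listed == bytes(20)  # violations are listed as zeros
        if not violation and hashlib.sha1(data).digest() != listed:
            raise ValueError("template hash mismatch")
        if pcr != pcr_index:
            continue
        # Violations extend 0xff bytes; other entries extend the bank-algorithm
        # hash of the template data.
        ext = b"\xff" * size if violation else hashlib.new(bank, data).digest()
        value = hashlib.new(bank, value + ext).digest()
    return value

# Constructed sample list (not real measurements): two files and one violation.
SAMPLE = b"".join([
    build_entry(10, ima_ng_data(hashlib.sha256(b"a").digest(), b"boot_aggregate")),
    build_entry(10, ima_ng_data(bytes(32), b"/var/log/messages"), violation=True),
    build_entry(10, ima_ng_data(hashlib.sha256(b"b").digest(), b"/sbin/init")),
])
```

The value returned by `replay(SAMPLE, "sha256")` is what an attestation server would compare against the quoted SHA256 bank value; a parser written this way has no field to read a digest size from, which is why the layout change in the patch breaks it.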