On 8/17/2023 2:13 AM, GUO Zihua wrote:
> TPM2 chips support algorithms other than SHA1. However, the original
> IMA design hardcodes template hash to be SHA1.
>
> This patch added CONFIG_IMA_TEMPLATE_HASH as well as ima_tpm_hash=
> cmdline argument for configuring template hash. The usage is similar
> to CONFIG_IMA_DEFAULT_HASH and ima_hash=. The configured hash is checked
> against the TPM to make sure that the hash algorithm is supported by
> ima_tpm_chip.
>
> To accommodate the change, we must put a digest length into binary
> measurement list items. The binary measurement list item format is
> changed to this:
>
> 16bit-le=pcr#
> 16bit-le=template digest size
> char[n]=template digest
> 32bit-le=template name size
> char[n]=template name
> [eventdata length]
> eventdata[n]=template specific data
>
> The first element is now a 16bit pcr number and a 16bit template digest
> size, instead of the original 32bit pcr number.
>
> The format of ascii_measurement_list is also changed. For sha1 template
> hash, the format is the same as before. For other hash algorithms, a
> hash name is prepended as such:
> "sha256:30ee3e25620478759600be00e06fda7b4fe23bbf575621d480400d536cf54f5b"

I would not change the PCR handle to 16 bits. The TPM supports NVRAM
based PCRs, and their handles would be 0x01xxxxxx. In the future, there
may be other 'first byte' values.

A template digest size does not describe the digest algorithm. E.g.,
SM3 and SHA-256 are both 32 bytes.

If one wants to describe the digest algorithm in 2 bytes, a reasonable
choice would be the values in the TCG Algorithm registry. See TPM Spec
Part 2 Table 9 — Definition of (UINT16) TPM_ALG_ID Constants <IN/OUT, S>
E.g., SHA-256 is 000b and SM3 is 0012.
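
The two points raised in the reply, as an added C illustration (not code from the patch or from either author): a 32-byte digest size matches more than one algorithm while a TPM_ALG_ID matches exactly one, and a 0x01xxxxxx handle does not fit the 16-bit pcr# field read by the proposed header. The function names, the SHA-1 table row (0x0004 in the TCG registry) and the sample handle 0x01000010 are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TPM_ALG_ID values (TCG Algorithm Registry) with their digest lengths. */
struct alg { uint16_t id; uint16_t len; const char *name; };
static const struct alg algs[] = {
    { 0x0004, 20, "sha1" }, { 0x000B, 32, "sha256" }, { 0x0012, 32, "sm3" },
};
#define N_ALGS (sizeof(algs) / sizeof(algs[0]))

/* Number of known algorithms with this digest length (>1 means ambiguous). */
size_t algs_matching_len(uint16_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < N_ALGS; i++)
        n += (algs[i].len == len);
    return n;
}

/* A TPM_ALG_ID names exactly one algorithm; NULL if not in the table. */
const char *alg_name_by_id(uint16_t id)
{
    for (size_t i = 0; i < N_ALGS; i++)
        if (algs[i].id == id)
            return algs[i].name;
    return NULL;
}

/* Patch's header: 16-bit LE pcr#, 16-bit LE digest size. -1 if truncated. */
int parse_patch_header(const uint8_t *b, size_t n, uint16_t *pcr, uint16_t *dlen)
{
    if (n < 4)
        return -1;
    *pcr  = (uint16_t)(b[0] | (b[1] << 8));
    *dlen = (uint16_t)(b[2] | (b[3] << 8));
    return (*dlen <= n - 4) ? 0 : -1;
}

/* Does a 32-bit TPM handle fit in a 16-bit pcr# field without truncation? */
int handle_fits_16(uint32_t handle) { return handle <= 0xFFFFu; }

int main(void)
{
    printf("32-byte digest: %zu candidates; 0x0012 is %s\n",
           algs_matching_len(32), alg_name_by_id(0x0012));
    printf("0x01000010 fits: %d\n", handle_fits_16(0x01000010u)); /* constructed */
    return 0;
}
```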