On 2023/8/29 4:35, Ken Goldman wrote:
> On 8/17/2023 2:13 AM, GUO Zihua wrote:
>> TPM2 chips support algorithms other than SHA1. However, the original
>> IMA design hardcodes the template hash to be SHA1.
>>
>> This patch adds CONFIG_IMA_TEMPLATE_HASH as well as the ima_tpm_hash=
>> cmdline argument for configuring the template hash. The usage is similar
>> to CONFIG_IMA_DEFAULT_HASH and ima_hash=. The configured hash is checked
>> against the TPM to make sure that the hash algorithm is supported by
>> ima_tpm_chip.
>>
>> To accommodate the change, we must put a digest length into binary
>> measurement list items. The binary measurement list item format is
>> changed to this:
>>   16bit-le=pcr#
>>   16bit-le=template digest size
>>   char[n]=template digest
>>   32bit-le=template name size
>>   char[n]=template name
>>   [eventdata length]
>>   eventdata[n]=template specific data
>> The first element is now a 16bit pcr number and a 16bit template digest
>> size, instead of the original 32bit pcr number.
>>
>> The format of ascii_measurement_list is also changed. For sha1 template
>> hash, the format is the same as before. For other hash algorithms, a
>> hash name is prepended as such:
>> "sha256:30ee3e25620478759600be00e06fda7b4fe23bbf575621d480400d536cf54f5b"
>
> I would not change the PCR handle to 16 bits. The TPM supports NVRAM
> based PCRs, and their handles would be 0x01xxxxxx. In the future, there
> may be other 'first byte' values.
>
> A template digest size does not describe the digest algorithm. E.g.,
> SM3 and SHA-256 are both 32 bytes.

Oops, that's a miss. We would need a brand new format for this, I guess.

>
> If one wants to describe the digest algorithm in 2 bytes, a reasonable
> choice would be the values in the TCG Algorithm registry. See TPM Spec
> Part 2 Table 9 — Definition of (UINT16) TPM_ALG_ID Constants <IN/OUT, S>
>
> E.g., SHA-256 is 000b and SM3 is 0012.
>

--
Best
GUO Zihua
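The following is an added example, not code from the patch or from the kernel's IMA implementation. It is a verifier-side (userspace) parser for the binary measurement-list item layout proposed in the quoted patch description, with a bounds check on every variable-length field, plus a small table of TCG TPM_ALG_ID values to make Ken Goldman's objection concrete: the digest size alone does not identify the algorithm (SHA-256 and SM3 both yield 32 bytes), whereas the 2-byte TPM_ALG_ID does. Assumptions: the `[eventdata length]` field is treated as always present as a 32-bit LE value; the struct, function and table names (`ima_bin_item`, `ima_parse_item`, `ima_algs`) are this example's own; the sample digest and event data are constructed, not real measurements.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* One item of the binary measurement list in the layout proposed in the
 * patch description: pcr and digest size as 16-bit LE, template name size
 * and eventdata length as 32-bit LE. Assumption: eventdata length is
 * always present. Pointers reference the caller's buffer (no copies). */
struct ima_bin_item {
	uint16_t pcr;
	uint16_t digest_len;
	const uint8_t *digest;
	uint32_t name_len;
	const char *name;
	uint32_t data_len;
	const uint8_t *data;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
	return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
	       ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
static void wr32(uint8_t *p, uint32_t v)
{
	p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = v >> 24;
}

/* Serialise one item in the proposed layout; returns bytes written, or 0 if
 * the output buffer is too small. */
size_t ima_build_item(uint8_t *buf, size_t cap, uint16_t pcr,
		      const uint8_t *digest, uint16_t digest_len,
		      const char *name, const uint8_t *data, uint32_t data_len)
{
	uint32_t name_len = (uint32_t)strlen(name);
	size_t need = 4 + digest_len + 4 + name_len + 4 + data_len;
	if (cap < need)
		return 0;
	wr16(buf, pcr); wr16(buf + 2, digest_len);
	memcpy(buf + 4, digest, digest_len);
	wr32(buf + 4 + digest_len, name_len);
	memcpy(buf + 8 + digest_len, name, name_len);
	wr32(buf + 8 + digest_len + name_len, data_len);
	memcpy(buf + 12 + digest_len + name_len, data, data_len);
	return need;
}

/* Parse one item, checking that each length field fits the remaining input.
 * Returns bytes consumed, or 0 if the input is truncated or malformed. */
size_t ima_parse_item(const uint8_t *buf, size_t len, struct ima_bin_item *it)
{
	size_t off = 0;
	if (len < 4) return 0;
	it->pcr = rd16(buf); it->digest_len = rd16(buf + 2); off = 4;
	if (it->digest_len == 0 || len - off < it->digest_len) return 0;
	it->digest = buf + off; off += it->digest_len;
	if (len - off < 4) return 0;
	it->name_len = rd32(buf + off); off += 4;
	if (it->name_len == 0 || len - off < it->name_len) return 0;
	it->name = (const char *)(buf + off); off += it->name_len;
	if (len - off < 4) return 0;
	it->data_len = rd32(buf + off); off += 4;
	if (len - off < it->data_len) return 0;
	it->data = buf + off; off += it->data_len;
	return off;
}

/* Subset of the TCG Algorithm Registry (TPM_ALG_ID) with digest sizes. */
static const struct { uint16_t id; const char *name; uint16_t size; } ima_algs[] = {
	{ 0x0004, "sha1",    20 },
	{ 0x000b, "sha256",  32 },
	{ 0x0012, "sm3_256", 32 },
	{ 0x000c, "sha384",  48 },
	{ 0x000d, "sha512",  64 },
};

/* Number of table entries sharing a digest size; more than one means the
 * size field alone cannot tell a verifier which algorithm to recompute. */
int ima_algs_with_size(uint16_t size)
{
	int n = 0;
	for (size_t i = 0; i < sizeof ima_algs / sizeof ima_algs[0]; i++)
		if (ima_algs[i].size == size) n++;
	return n;
}

/* Map a TPM_ALG_ID to its name, or NULL if unknown to the table. */
const char *ima_alg_name(uint16_t id)
{
	for (size_t i = 0; i < sizeof ima_algs / sizeof ima_algs[0]; i++)
		if (ima_algs[i].id == id) return ima_algs[i].name;
	return NULL;
}

/* Round-trip a constructed item and reject a truncated copy of it.
 * Returns 1 on success, 0 on any mismatch. */
int ima_selftest(void)
{
	uint8_t digest[32], buf[128];
	struct ima_bin_item it;
	for (int i = 0; i < 32; i++) digest[i] = (uint8_t)i;  /* constructed digest */
	size_t n = ima_build_item(buf, sizeof buf, 10, digest, 32, "ima-ng",
				  (const uint8_t *)"constructed", 11);
	if (n != 61 || ima_parse_item(buf, n, &it) != n) return 0;
	if (it.pcr != 10 || it.digest_len != 32 || it.name_len != 6 ||
	    memcmp(it.name, "ima-ng", 6) != 0 || it.data_len != 11) return 0;
	if (ima_parse_item(buf, n - 1, &it) != 0) return 0;  /* truncated must fail */
	return 1;
}
```

`ima_selftest()` exercises the serialiser and parser on a constructed 32-byte digest; `ima_algs_with_size(32)` returns 2, which is exactly the ambiguity raised in the reply, while `ima_alg_name(0x000b)` and `ima_alg_name(0x0012)` resolve unambiguously to sha256 and sm3_256.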