Re: [RFC PATCH -next] ima: Make tpm hash configurable

On 2023/8/29 5:05, Ken Goldman wrote:
> I'd like to present three possible cases, expanding on Mimi's
> observation that the template hash is currently the hash of the
> template data.
> 
> My vote is #2, but all have merits.
> 
> ----------
> 
> 1. Leave the SHA-1 template hash.
> 
> A. This does not break existing applications.
> 
> B. The template data is protected by the TPM quote, which does not
> have to be SHA-1.
> 
> C. The SHA-1 digest provides some debug usefulness against a
> non-malicious alteration of the template data. The application can
> report which event record is incorrect.

What the verifier can't do as of now is to tell which file has been
corrupted, given the attacker managed to achieve a SHA-1 collision while
keeping the measurement items reasonable.

Even worse, as the TPM quote contains only an accumulated digest, there
remains a chance for the attacker to "fix" the TPM digest by generating
additional measurement items. Without the ability to verify each and
every individual measurement item, the verifier could produce a false
negative result.
> 
> ----------
> 
> 2. Include template hashes for all PCR banks.
> 
> A. This breaks existing applications on the attestor side, but could
> be made backward compatible / deprecated at the verifier side.
> 
> B. The redundant data is an attack surface, in that the verifier must
> remember to check the hashes against the quote AND against the
> template data.
> 
> C. The digest provides debug usefulness against malicious attacks on
> the template data.
> 
> D. This permits the use case where the template hash is NOT a hash of
> the template data. In the UEFI event log (using IMA terms), the
> template hash can be a digest of some other data and the template data
> is a hint as to where and what that data is.
> 
> E.g., the UEFI event EV_CPU_MICROCODE template data field has a patch
> descriptor, while the template hash is a digest of the patch itself.

As of now, IMA stores the template hash with its measurement item in
memory, and storing digest values from all banks would make the digest
list N times bigger, where N would be an increasing number of
algorithms supported by the TPM.
> 
> ----------
> 
> 3. Include a template hash for the strongest hash algorithm.
> 
> A. It's not always clear what the strongest algorithm is.
> 
> Otherwise, this is the same as #2.

A "strongest" algorithm does not exist. I think it would be better to find
an extensible solution allowing for future upgrades.
> 
> On 8/18/2023 7:17 PM, Mimi Zohar wrote:
>> On Fri, 2023-08-18 at 09:25 +0800, Guozihua (Scott) wrote:
>>> On 2023/8/17 22:19, Mimi Zohar wrote:
>>>> On Thu, 2023-08-17 at 14:13 +0800, GUO Zihua wrote:
>>
>> True, SHA1 is being phased out due to hash collisions.  Verifying the
>> template data hash against the template data isn't necessary for the
>> attestation server to verify a TPM quote against any of the enabled TPM
>> banks.  The attestation server walks the measurement list calculating
>> the bank specific template data hash.  Breaking existing applications
>> is unreasonable.
> 
> 

-- 
Best
GUO Zihua
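
The measurement-list walk Mimi describes and the per-entry check from case 1.C, sketched as an added example (not code from this thread or from the kernel). The record layout, field names and sample entries are constructed; template data is treated as an opaque byte string and violation entries are not handled.

```python
import hashlib

def replay_pcr(entries, algo):
    """Walk the list, hash each entry's template data with the bank's
    algorithm and fold it into a simulated PCR: PCR = H(PCR || digest)."""
    pcr = bytes(hashlib.new(algo).digest_size)      # PCR starts as all zeros
    for entry in entries:
        digest = hashlib.new(algo, entry["data"]).digest()
        pcr = hashlib.new(algo, pcr + digest).digest()
    return pcr

def mismatched_entries(entries):
    """Indices whose stored SHA-1 template hash does not match the data."""
    return [i for i, e in enumerate(entries)
            if hashlib.sha1(e["data"]).digest() != e["sha1"]]

def verify(entries, quoted_pcr, algo="sha256"):
    """Bank-level result from the replay, plus the per-entry SHA-1 check
    that says which record is wrong when the data was altered by accident."""
    return {"quote_ok": replay_pcr(entries, algo) == quoted_pcr,
            "bad_entries": mismatched_entries(entries)}

def make_log(blobs):
    """Build constructed records: template data plus its SHA-1 template hash."""
    return [{"data": b, "sha1": hashlib.sha1(b).digest()} for b in blobs]

def altered_copy(entries, index, new_data):
    """Copy of the log with one record's template data changed in transit."""
    out = [dict(e) for e in entries]
    out[index]["data"] = new_data
    return out

# Constructed sample log; the byte strings are placeholders, not real
# ima-ng template data.
SAMPLE = make_log([b"ima-ng sha256:<digest-1> /usr/bin/init",
                   b"ima-ng sha256:<digest-2> /usr/lib/libexample.so",
                   b"ima-ng sha256:<digest-3> /etc/example.conf"])
# Stands in for the SHA-256 bank PCR value taken from a verified TPM quote.
QUOTED_PCR = replay_pcr(SAMPLE, "sha256")

if __name__ == "__main__":
    print(verify(SAMPLE, QUOTED_PCR))
    damaged = altered_copy(SAMPLE, 1,
                           b"ima-ng sha256:<digest-2> /usr/lib/libexampl3.so")
    print(verify(damaged, QUOTED_PCR))
```

The replay alone only reports that the SHA-256 bank does not match; the stored SHA-1 hash is what points at record 1, and only for alterations that are not SHA-1 collisions.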



