Received: by 2002:a05:6902:102b:0:0:0:0 with SMTP id x11csp689136ybt; Wed, 8 Jul 2020 09:15:36 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzLo+YTNU+BtO32Y6XZ8PXSPq0PlxIBQbL4wkUe2d75jHwyeZjZQQeLiTAydBOP/qE02FLd X-Received: by 2002:a17:906:1747:: with SMTP id d7mr44368215eje.39.1594224936026; Wed, 08 Jul 2020 09:15:36 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1594224936; cv=none; d=google.com; s=arc-20160816; b=C6qvKzL0T0jULHBiUPCS4BIGmQafd67a0PJEygqfI7lKfs+SA5eiznPWR6QFsrFWq8 HHBKE4uCM5XumtSzOGCrWRfWT+q7uyxwHTZg4/tA5Zu5aAq8l1ApxGb2MzxfF9RMdVGI N3d9l/zFclCKGvPeLOxMulZNJ0og4kYkcaRDOn6WD5mouLLgh/SUSu9je0MM+M7LMB6V SciIPnYlnzc2zWoCJgv4+N/EPOuTRDxumnFjHudst7UNTLS0GvWOx8T7cR+tW6Lka3y3 drIRbWvHh5LOuRmWJU+pVk6yPKS7DIr4xo+mGzoFdug6cW84FHLPW7fQntvPV81caCz+ Dkzw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:date:cc:to:from:subject:message-id; bh=eu6bLw7rtH4Voj17pfml5TsEQTK6RS7zwwEsEF6Jp5s=; b=o5mr2vKv6mff12kkmeeucIORlgtllX8VQhouhuOt4U60og37ePHVYhHAZQjVhhgYrW moT6XZk82aysMcjOkHFGbwUnmbReHmvYe5ydN27KCuDcNSLI1qB1KBFqpu9Vc0WdjEBE aXAPc0LivHkwuToKYqZ6egn46fHiPr5R57kAaHX1NsViqkh/C0voUuEqTRjPmVPRepfl U5Xo02N8fHhtk6Snw9X0yZzetQt4IPdSLXdU+9/wDXUxG00d6lod6PskDGZBJTGDH0sN uODA8Av3u8lt8nEo5N4xrtHl9cilmeuaemGxJ3nvXcxHjyR77tubFOHZ+8UHHy/Ux/4b HZbA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id h1si143282ejj.575.2020.07.08.09.15.12; Wed, 08 Jul 2020 09:15:36 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730405AbgGHQNW (ORCPT + 99 others); Wed, 8 Jul 2020 12:13:22 -0400 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:43820 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1728148AbgGHQNV (ORCPT ); Wed, 8 Jul 2020 12:13:21 -0400 Received: from pps.filterd (m0098416.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id 068G1smT029292; Wed, 8 Jul 2020 12:13:19 -0400 Received: from pps.reinject (localhost [127.0.0.1]) by mx0b-001b2d01.pphosted.com with ESMTP id 325h8kggm4-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 08 Jul 2020 12:13:19 -0400 Received: from m0098416.ppops.net (m0098416.ppops.net [127.0.0.1]) by pps.reinject (8.16.0.36/8.16.0.36) with SMTP id 068G2P7X032157; Wed, 8 Jul 2020 12:13:18 -0400 Received: from ppma04ams.nl.ibm.com (63.31.33a9.ip4.static.sl-reverse.com [169.51.49.99]) by mx0b-001b2d01.pphosted.com with ESMTP id 325h8kggka-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 08 Jul 2020 12:13:18 -0400 Received: from pps.filterd (ppma04ams.nl.ibm.com [127.0.0.1]) by ppma04ams.nl.ibm.com (8.16.0.42/8.16.0.42) with SMTP id 068GAtpv010405; Wed, 8 Jul 2020 16:13:17 GMT Received: from b06cxnps4075.portsmouth.uk.ibm.com (d06relay12.portsmouth.uk.ibm.com [9.149.109.197]) by ppma04ams.nl.ibm.com with ESMTP id 322hd7vrdn-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 08 Jul 2020 16:13:17 +0000 Received: from d06av26.portsmouth.uk.ibm.com (d06av26.portsmouth.uk.ibm.com [9.149.105.62]) by b06cxnps4075.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 068GDEqx196934 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 8 Jul 2020 16:13:15 GMT Received: from d06av26.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id CC23DAE05A; Wed, 8 Jul 2020 16:13:14 +0000 (GMT) Received: from d06av26.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id E1589AE058; Wed, 8 Jul 2020 16:13:13 +0000 (GMT) Received: from localhost.localdomain (unknown [9.80.202.84]) by d06av26.portsmouth.uk.ibm.com (Postfix) with ESMTP; Wed, 8 Jul 2020 16:13:13 +0000 (GMT) Message-ID: <1594224793.23056.251.camel@linux.ibm.com> Subject: Re: [PATCH AUTOSEL 5.7 03/30] ima: extend boot_aggregate with kernel measurements From: Mimi Zohar To: Sasha Levin , linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Maurizio Drocco , Bruno Meneguele , linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org Date: Wed, 08 Jul 2020 12:13:13 -0400 In-Reply-To: <20200708154116.3199728-3-sashal@kernel.org> References: <20200708154116.3199728-1-sashal@kernel.org> <20200708154116.3199728-3-sashal@kernel.org> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.20.5 (3.20.5-1.fc24) Mime-Version: 1.0 Content-Transfer-Encoding: 8bit X-TM-AS-GCONF: 00 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.235,18.0.687 definitions=2020-07-08_13:2020-07-08,2020-07-08 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 suspectscore=0 clxscore=1031 cotscore=-2147483648 bulkscore=0 adultscore=0 lowpriorityscore=0 impostorscore=0 phishscore=0 mlxlogscore=999 spamscore=0 mlxscore=0 malwarescore=0 priorityscore=1501 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2004280000 definitions=main-2007080106 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi Sasha, On Wed, 2020-07-08 at 11:40 -0400, Sasha Levin wrote: > From: Maurizio Drocco > > [ Upstream commit 20c59ce010f84300f6c655d32db2610d3433f85c ] > > Registers 8-9 are used to store measurements of the kernel and its > command line (e.g., grub2 bootloader with tpm module enabled). IMA > should include them in the boot aggregate. Registers 8-9 should be > only included in non-SHA1 digests to avoid ambiguity. Prior to Linux 5.8, the SHA1 template data hashes were padded before being extended into the TPM.  Support for calculating and extending the per TPM bank template data digests is only being upstreamed in Linux 5.8. How will attestation servers know whether to include PCRs 8 & 9 in the the boot_aggregate calculation?  Now, there is a direct relationship between the template data SHA1 padded digest not including PCRs 8 & 9, and the new per TPM bank template data digest including them. Mimi