Date: Mon, 30 Nov 2020 19:21:57 -0500
From: Sasha Levin
To: Mimi Zohar
Cc: linux-kernel@vger.kernel.org, stable@vger.kernel.org, Maurizio Drocco, Bruno Meneguele, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: Re: [PATCH AUTOSEL 5.7 03/30] ima: extend boot_aggregate with kernel measurements
Message-ID: <20201201002157.GT643756@sasha-vm>

On Sun, Nov 29, 2020 at 08:17:38AM -0500, Mimi Zohar wrote:
>Hi Sasha,
>
>On Wed, 2020-07-08 at 21:27 -0400, Sasha Levin wrote:
>> On Wed, Jul 08, 2020 at 12:13:13PM -0400, Mimi Zohar wrote:
>> >Hi Sasha,
>> >
>> >On Wed, 2020-07-08 at 11:40 -0400, Sasha Levin wrote:
>> >> From: Maurizio Drocco
>> >>
>> >> [ Upstream commit 20c59ce010f84300f6c655d32db2610d3433f85c ]
>> >>
>> >> Registers 8-9 are used to store measurements of the kernel and its
>> >> command line (e.g., grub2 bootloader with tpm module enabled). IMA
>> >> should include them in the boot aggregate. Registers 8-9 should be
>> >> only included in non-SHA1 digests to avoid ambiguity.
>> >
>> >Prior to Linux 5.8, the SHA1 template data hashes were padded before
>> >being extended into the TPM. Support for calculating and extending
>> >the per TPM bank template data digests is only being upstreamed in
>> >Linux 5.8.
>> >
>> >How will attestation servers know whether to include PCRs 8 & 9 in
>> >the boot_aggregate calculation? Now, there is a direct relationship
>> >between the template data SHA1 padded digest not including PCRs 8 & 9,
>> >and the new per TPM bank template data digest including them.
>>
>> Got it, I'll drop it then, thank you!
>
>After re-thinking this over, I realized that the attestation server can
>verify the "boot_aggregate" based on the quoted PCRs without knowing
>whether padded SHA1 hashes or per TPM bank hash values were extended
>into the TPM[1], but non-SHA1 boot aggregate values [2] should always
>include PCRs 8 & 9.
>
>Any place commit 6f1a1d103b48 was backported [2], this commit
>20c59ce010f8 ("ima: extend boot_aggregate with kernel measurements")
>should be backported as well.

Which kernels should it apply to? 5.7 is EOL now, so I looked at 5.4 but
it doesn't apply cleanly there.

--
Thanks,
Sasha
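
Added example (not part of the original message and not kernel code): a verifier-side check, in Python, of the rule discussed in this thread, reporting whether a reported boot_aggregate digest covers PCRs 0-9 or only PCRs 0-7. It assumes the boot aggregate is the hash of the concatenated PCR values in index order; the function names and the sample PCR values are constructed for illustration.

```python
import hashlib
import hmac


def boot_aggregate(pcrs, alg, include_kernel_pcrs):
    """Hash the concatenated values of PCRs 0-7, plus 8-9 when requested."""
    last = 9 if include_kernel_pcrs else 7
    h = hashlib.new(alg)
    for index in range(last + 1):
        value = pcrs[index]
        # A PCR value from the wrong bank would silently give a bogus digest.
        if len(value) != h.digest_size:
            raise ValueError(f"PCR {index}: wrong length for {alg} bank")
        h.update(value)
    return h.digest()


def classify_boot_aggregate(pcrs, alg, reported):
    """Return which rule reproduces the reported digest.

    "pcr0-9"   -> digest covers PCRs 0-9 (expected for non-SHA1 digests)
    "pcr0-7"   -> digest covers PCRs 0-7 only
    "mismatch" -> neither rule reproduces it from the quoted PCRs
    """
    candidates = [("pcr0-7", False)]
    if alg != "sha1":
        # Non-SHA1 digests should include PCRs 8-9, so try that rule first.
        candidates.insert(0, ("pcr0-9", True))
    for label, with_kernel in candidates:
        expected = boot_aggregate(pcrs, alg, with_kernel)
        if hmac.compare_digest(expected, reported):
            return label
    return "mismatch"


def constructed_bank(alg):
    """Constructed sample PCR values for one bank (not from a real TPM quote)."""
    return {i: hashlib.new(alg, b"constructed pcr %d" % i).digest()
            for i in range(24)}


if __name__ == "__main__":
    bank = constructed_bank("sha256")
    for with_kernel in (True, False):
        digest = boot_aggregate(bank, "sha256", with_kernel)
        print(digest.hex(), classify_boot_aggregate(bank, "sha256", digest))
```

A "pcr0-7" result for a non-SHA1 bank is the case this thread is about: a per-bank boot aggregate computed without PCRs 8 & 9.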