Received: by 2002:a05:6a10:f347:0:0:0:0 with SMTP id d7csp1461246pxu; Sat, 12 Dec 2020 13:44:09 -0800 (PST) X-Google-Smtp-Source: ABdhPJybbrjKrGZzgbDjYtar1smxOMDsc2nUbl88Z4SLc6jQJqFV42IsneLrJqFo/ptPHIbcRjob X-Received: by 2002:a05:6402:4d2:: with SMTP id n18mr18035609edw.169.1607809448995; Sat, 12 Dec 2020 13:44:08 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1607809448; cv=none; d=google.com; s=arc-20160816; b=P/5SWO6kKXkm3kIMiq1H+tZBg1qE7GPPMyRZJvhlqvOM4n3TKuHe2Cu+QZA4LmCGty bB4oi1JT3bsCI6IiFFzvidswFn8kuF9fovlFTwUthb3cKBoD8yV9SBC4OaBmegUhyHSx 1iI0Sh6sbiMKChWqZkoO3WrrYXrzNTVddhT4bcnRCYwnQ1Ht8v5PExd8VuV94dkTAE1f /gEmGA/ck9/ewXYkQJLdGQs7k6bywduOAhh2KRw1UKi2z1URKgI8NB7Bpk9R54tLQ1sp KnIpjgl11j425saztaW3Ugv6Billnah35u4fOwz4kxf1Vnl9MoCxEGYCY4OR4BWi9jmD 4+tQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:date:cc:to:from:subject :message-id:dkim-signature:dkim-signature; bh=vfcIvV6G2oov8e0polEK/CZyGP3A/8mo6sh6kYhtN3k=; b=RUp5a7r35FVkzForYGHv+n7gSu+eEvpyMki5huAP5f1YmeM1Emm+unY+Gm+UZ5LXWs nkRlFnGl/Oc+wwkLS0wLZt7DorHRM7BxP8YaunlGpv4+7yGjPSf7bEoXxzae8fsUlb7H M4zk6i3T42TB7AMMKV+0YA36h5q/dAmWUPd6hqKxzijkj7D1YTCvi0s0THhvX7jJrmkY SVY48IHVIOEW+S72e+vUpXkLs/WzUEMxPuo9U3gcXKsYHplRNmjKBStl8nm+g2Y3DkAx N3SLeL1CW6XZdnEXLS+wB4pvZ8CfA7UNggyXpBCr+W5vw5G1AheJCEMgXqDtJRUsY9q2 NCjw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@hansenpartnership.com header.s=20151216 header.b=aSCTaU08; dkim=pass header.i=@hansenpartnership.com header.s=20151216 header.b=aSCTaU08; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=hansenpartnership.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id e9si7816019ejq.721.2020.12.12.13.43.46; Sat, 12 Dec 2020 13:44:08 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@hansenpartnership.com header.s=20151216 header.b=aSCTaU08; dkim=pass header.i=@hansenpartnership.com header.s=20151216 header.b=aSCTaU08; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=hansenpartnership.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2405682AbgLKRrz (ORCPT + 99 others); Fri, 11 Dec 2020 12:47:55 -0500 Received: from bedivere.hansenpartnership.com ([96.44.175.130]:59906 "EHLO bedivere.hansenpartnership.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2405633AbgLKRrS (ORCPT ); Fri, 11 Dec 2020 12:47:18 -0500 Received: from localhost (localhost [127.0.0.1]) by bedivere.hansenpartnership.com (Postfix) with ESMTP id A4A201280195; Fri, 11 Dec 2020 09:46:36 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=hansenpartnership.com; s=20151216; t=1607708796; bh=eES7dkAWAETGlrB/U5ZcYdxiZYF5ERyWxz5zpk5XS54=; h=Message-ID:Subject:From:To:Date:In-Reply-To:References:From; b=aSCTaU08AIo2KulFz0YKW5uDbOoeqsKWNO8rT5OQkooKfvQgZoFprGW9Hij4XfqTn U6PBJKECnnVooKjlRbbwv/O+OMIQxkgFYOrYx4KGngF+2bMuaHYc7bQbSrXlhucPGg 1E0wiTJzYVG7ZyXVanYziUzjN9e8C++KrjAVm4iI= Received: from bedivere.hansenpartnership.com ([127.0.0.1]) by localhost (bedivere.hansenpartnership.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wC4SYAMM1k4E; Fri, 11 Dec 2020 09:46:36 -0800 (PST) Received: from jarvis.int.hansenpartnership.com (unknown [IPv6:2601:600:8280:66d1::527]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by bedivere.hansenpartnership.com (Postfix) with ESMTPSA id 114BA1280193; Fri, 11 Dec 2020 09:46:36 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=hansenpartnership.com; s=20151216; t=1607708796; bh=eES7dkAWAETGlrB/U5ZcYdxiZYF5ERyWxz5zpk5XS54=; h=Message-ID:Subject:From:To:Date:In-Reply-To:References:From; b=aSCTaU08AIo2KulFz0YKW5uDbOoeqsKWNO8rT5OQkooKfvQgZoFprGW9Hij4XfqTn U6PBJKECnnVooKjlRbbwv/O+OMIQxkgFYOrYx4KGngF+2bMuaHYc7bQbSrXlhucPGg 1E0wiTJzYVG7ZyXVanYziUzjN9e8C++KrjAVm4iI= Message-ID: <76710d8ec58c440ed7a7b446696b8659f694d0db.camel@HansenPartnership.com> Subject: Re: [PATCH AUTOSEL 5.7 03/30] ima: extend boot_aggregate with kernel measurements From: James Bottomley To: Mimi Zohar , Tyler Hicks Cc: Sasha Levin , linux-kernel@vger.kernel.org, stable@vger.kernel.org, Maurizio Drocco , Bruno Meneguele , linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org Date: Fri, 11 Dec 2020 09:46:35 -0800 In-Reply-To: <659c09673affe9637a5d1391c12af3aa710ba78a.camel@linux.ibm.com> References: <20200708154116.3199728-1-sashal@kernel.org> <20200708154116.3199728-3-sashal@kernel.org> <1594224793.23056.251.camel@linux.ibm.com> <20200709012735.GX2722994@sasha-vm> <5b8dcdaf66fbe2a39631833b03772a11613fbbbf.camel@linux.ibm.com> <20201211031008.GN489768@sequoia> <659c09673affe9637a5d1391c12af3aa710ba78a.camel@linux.ibm.com> Content-Type: text/plain; charset="UTF-8" User-Agent: Evolution 3.34.4 MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, 2020-12-11 at 06:01 -0500, Mimi Zohar wrote: > On Thu, 2020-12-10 at 21:10 -0600, Tyler Hicks wrote: > > On 2020-11-29 08:17:38, Mimi Zohar wrote: > > > Hi Sasha, > > > > > > On Wed, 2020-07-08 at 21:27 -0400, Sasha Levin wrote: > > > > On Wed, Jul 08, 2020 at 12:13:13PM -0400, Mimi Zohar wrote: > > > > > Hi Sasha, > > > > > > > > > > On Wed, 2020-07-08 at 11:40 -0400, Sasha Levin wrote: > > > > > > From: Maurizio Drocco > > > > > > > > > > > > [ Upstream commit 20c59ce010f84300f6c655d32db2610d3433f85c > > > > > > ] > > > > > > > > > > > > Registers 8-9 are used to store measurements of the kernel > > > > > > and its command line (e.g., grub2 bootloader with tpm > > > > > > module enabled). IMA should include them in the boot > > > > > > aggregate. Registers 8-9 should be only included in non- > > > > > > SHA1 digests to avoid ambiguity. > > > > > > > > > > Prior to Linux 5.8, the SHA1 template data hashes were padded > > > > > before being extended into the TPM. Support for calculating > > > > > and extending the per TPM bank template data digests is only > > > > > being upstreamed in Linux 5.8. > > > > > > > > > > How will attestation servers know whether to include PCRs 8 & > > > > > 9 in the the boot_aggregate calculation? Now, there is a > > > > > direct relationship between the template data SHA1 padded > > > > > digest not including PCRs 8 & 9, and the new per TPM bank > > > > > template data digest including them. > > > > > > > > Got it, I'll drop it then, thank you! > > > > > > After re-thinking this over, I realized that the attestation > > > server can verify the "boot_aggregate" based on the quoted PCRs > > > without knowing whether padded SHA1 hashes or per TPM bank hash > > > values were extended into the TPM[1], but non-SHA1 boot aggregate > > > values [2] should always include PCRs 8 & 9. > > > > I'm still not clear on how an attestation server would know to > > include PCRs 8 and 9 after this change came through a stable kernel > > update. It doesn't seem like something appropriate for stable since > > it requires code changes to attestation servers to handle the > > change. > > > > I know this has already been released in some stable releases, so > > I'm too late, but perhaps I'm missing something. > > The point of adding PCRs 8 & 9 only to non-SHA1 boot_aggregate values > was to avoid affecting existing attestation servers. The intention > was when attestation servers added support for the non-sha1 > boot_aggregate values, they'd also include PCRs 8 & 9. The existing > SHA1 boot_aggregate value remains PCRs 0 - 7. > > To prevent this or something similar from happening again, what > should have been the proper way of including PCRs 8 & 9? Just to be pragmatic: this is going to happen again. Shim is already measuring the Mok variables through PCR 14, so if we want an accurate boot aggregate, we're going to have to include PCR 14 as well (or persuade shim to measure through a PCR we're already including, which isn't impossible since I think shim should be measuring the Mok variables using the EV_EFI_VARIABLE_DRIVER_CONFIG event and, since it affects secure boot policy, that does argue it should be measured through PCR 7). James