
ima_evm_utils: extended calc_bootaggr to PCRs 8 - 9

Message ID 20200616120228.16068-1-maurizio.drocco@ibm.com (mailing list archive)
State New, archived

Commit Message

Maurizio Drocco June 16, 2020, 12:02 p.m. UTC
From: Maurizio <maurizio.drocco@ibm.com>

If PCRs 8 - 9 are set (i.e. not all-zeros), calc_bootaggr should include
them into the digest.

Signed-off-by: Maurizio Drocco <maurizio.drocco@ibm.com>
---
 src/evmctl.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
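The rule the commit message describes, worked through in Python as an added example that is not ima-evm-utils code: one function mirrors the patched per-bank calculation (PCRs 0 - 7 always, PCR 8 and PCR 9 each folded in only when that PCR is not all-zeros), a second hashes a fixed prefix of PCRs so the pre-patch "PCRs 0 - 7" value can be compared against it, and a small verifier checks a measurement-list record against both candidates. The PCR contents and the record line are constructed here for the example; the record parser assumes the ima-ng template layout (`10 <template-hash> ima-ng <algo>:<digest> boot_aggregate`). Function names are the example's own.

```python
import hashlib


def make_sample_bank(algo, pcr8_zero=True):
    """Constructed PCR bank (not values read from a TPM): ten digests derived
    deterministically so the example runs offline.  By default PCR 8 is left
    all-zeros (never extended) while PCR 9 carries a value, which is the
    mixed case the per-PCR skip rule has to handle."""
    size = hashlib.new(algo).digest_size
    pcrs = [hashlib.new(algo, b"sample-pcr-%d" % i).digest() for i in range(10)]
    if pcr8_zero:
        pcrs[8] = bytes(size)
    return pcrs


def calc_bootaggr(pcrs, algo):
    """Mirror of the patched calc_bootaggr() for one bank: hash PCRs 0-7
    unconditionally, then PCR 8 and PCR 9 only when that individual PCR is
    not all-zeros (the memcmp() against a zero buffer of digest_size bytes)."""
    size = hashlib.new(algo).digest_size
    zero = bytes(size)
    h = hashlib.new(algo)
    for i in range(0, 8):
        h.update(pcrs[i])
    for i in range(8, 10):
        if pcrs[i] != zero:
            h.update(pcrs[i])
    return h.hexdigest()


def calc_bootaggr_fixed(pcrs, algo, count):
    """Hash the first `count` PCRs unconditionally.  count=8 is the pre-patch
    rule (PCRs 0-7 only); count=10 is the value a kernel that always extends
    over PCRs 0-9 would produce."""
    h = hashlib.new(algo)
    for i in range(count):
        h.update(pcrs[i])
    return h.hexdigest()


def parse_boot_aggregate_record(line):
    """Return (algo, digest_hex) from an ima-ng boot_aggregate record line of
    the form '10 <template-hash> ima-ng sha256:<digest> boot_aggregate'."""
    fields = line.split()
    if len(fields) < 5 or fields[2] != "ima-ng" or fields[4] != "boot_aggregate":
        raise ValueError("not an ima-ng boot_aggregate record")
    algo, _, digest = fields[3].partition(":")
    if not algo or not digest:
        raise ValueError("malformed algo:digest field")
    return algo, digest


def verify_boot_aggregate(line, banks):
    """Compare the recorded boot_aggregate with each candidate we can compute
    for the matching bank and return the name of the rule that matched, or
    None when nothing matches (which is what a mismatched skip rule between
    kernel and userspace looks like)."""
    algo, recorded = parse_boot_aggregate_record(line)
    pcrs = banks[algo]
    candidates = {
        "pcrs 0-9, all-zero PCRs 8-9 skipped": calc_bootaggr(pcrs, algo),
        "pcrs 0-7 only": calc_bootaggr_fixed(pcrs, algo, 8),
    }
    for rule, digest in candidates.items():
        if digest == recorded:
            return rule
    return None


if __name__ == "__main__":
    banks = {a: make_sample_bank(a) for a in ("sha1", "sha256")}
    # Constructed record: the template hash is a placeholder of the right length.
    record = ("10 " + "0" * 40 + " ima-ng sha256:"
              + calc_bootaggr(banks["sha256"], "sha256") + " boot_aggregate")
    print(verify_boot_aggregate(record, banks))
```

Note what the mixed case does: with PCR 8 all-zeros and PCR 9 set, `calc_bootaggr()` hashes PCRs 0 - 7 followed by PCR 9 alone, which equals neither the eight-PCR nor the ten-PCR fixed prefix. Whether that is the digest the kernel recorded is exactly what `verify_boot_aggregate()` returning None would tell you on a real system.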

Comments

Mimi Zohar June 16, 2020, 5:19 p.m. UTC | #1
Hi Maurizio,

On Tue, 2020-06-16 at 08:02 -0400, Maurizio Drocco wrote:
> From: Maurizio <maurizio.drocco@ibm.com>
> 
> If PCRs 8 - 9 are set (i.e. not all-zeros), calc_bootaggr should include
> them into the digest.
> 
> Signed-off-by: Maurizio Drocco <maurizio.drocco@ibm.com>

Thank you, this patch seems to be working properly.  As a separate
patch, could you fix the tests/boot_aggregate.test comments "PCRs 0
-7" and other things, like displaying just PCRs 0 - 7?

thanks,

Mimi

Patch

diff --git a/src/evmctl.c b/src/evmctl.c
index 1d065ce..701d643 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -1930,6 +1930,16 @@  static void calc_bootaggr(struct tpm_bank_info *bank)
 		}
 	}
 
+	for (i = 8; i < 10; i++) {
+		if (memcmp(bank->pcr[i], zero, bank->digest_size) != 0) {
+			err = EVP_DigestUpdate(pctx, bank->pcr[i], bank->digest_size);
+			if (!err) {
+				log_err("EVP_DigestUpdate() failed\n");
+				return;
+			}
+		}
+	}
+
 	err = EVP_DigestFinal(pctx, bank->digest, &mdlen);
 	if (!err) {
 		log_err("EVP_DigestFinal() failed\n");
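Review bot: the all-zeros check in the new loop is applied to PCR 8 and PCR 9 independently, so a bank with PCR 8 untouched and PCR 9 extended folds in PCR 9 alone, which is neither the "PCRs 0 - 7" aggregate nor the "PCRs 0 - 9" aggregate; unless the kernel's boot_aggregate calculation skips individual zero PCRs in exactly the same way, that digest can never match the measurement list record, so please state the intended rule (skip each zero PCR, or skip both only when both are zero) and make sure it is the one the kernel implements. Two smaller points on the same lines: `zero` and `i` come from outside the hunk, and `zero` must be at least `bank->digest_size` bytes for the largest bank because `memcmp()` reads that many; and if the PCR read path still fills only `bank->pcr[0..7]`, PCRs 8 and 9 stay all-zero and are silently dropped here instead of the missing read being reported.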
@@ -1973,7 +1983,8 @@  static int append_bootaggr(char *bootaggr, struct tpm_bank_info *tpm_banks)
  * The IMA measurement list boot_aggregate is the link between the preboot
  * event log and the IMA measurement list.  Read and calculate all the
  * possible per TPM bank boot_aggregate digests based on the existing
- * PCRs 0 - 7 to validate against the IMA boot_aggregate record.
+ * PCRs 0 - 9 to validate against the IMA boot_aggregate record. If PCRs
+ * 8 - 9 are not set (i.e. all-zeros), only PCRs 0 - 7 are considered.
  */
 static int cmd_ima_bootaggr(struct command *cmd)
 {
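Review bot: the added comment "If PCRs 8 - 9 are not set (i.e. all-zeros), only PCRs 0 - 7 are considered" describes a both-or-none rule, but the loop added to calc_bootaggr() tests PCR 8 and PCR 9 separately, so with only one of them zero the other is still hashed. Either reword the comment to what the code does ("any of PCRs 8 - 9 that is all-zeros is skipped") or change the loop to require both PCRs to be non-zero, so the documented contract and the computed digest agree.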