RE: [PATCH v3 7/8] ima: Calculate and extend PCR with digests in ima_template_entry
From: Roberto Sassu <roberto.sassu@huawei.com>
Date: 2020-03-18 12:42:45
Also in:
linux-integrity, lkml
-----Original Message-----
From: owner-linux-security-module@vger.kernel.org [mailto:owner-linux-security-module@vger.kernel.org] On Behalf Of Mimi Zohar
Sent: Tuesday, March 3, 2020 5:04 AM
To: Roberto Sassu <roberto.sassu@huawei.com>; James.Bottomley@HansenPartnership.com; jarkko.sakkinen@linux.intel.com
Cc: linux-integrity@vger.kernel.org; linux-security-module@vger.kernel.org; linux-kernel@vger.kernel.org; Silviu Vlasceanu [off-list ref]
Subject: Re: [PATCH v3 7/8] ima: Calculate and extend PCR with digests in ima_template_entry

On Mon, 2020-02-10 at 11:04 +0100, Roberto Sassu wrote:
@@ -219,6 +214,8 @@ int ima_restore_measurement_entry(structima_template_entry *entry)quoted
int __init ima_init_digests(void) { + u16 digest_size; + u16 crypto_id; int i; if (!ima_tpm_chip)@@ -229,8 +226,17 @@ int __init ima_init_digests(void) if (!digests) return -ENOMEM; - for (i = 0; i < ima_tpm_chip->nr_allocated_banks; i++) + for (i = 0; i < ima_tpm_chip->nr_allocated_banks; i++) { digests[i].alg_id = ima_tpm_chip->allocated_banks[i].alg_id; + digest_size = ima_tpm_chip->allocated_banks[i].digest_size; + crypto_id = ima_tpm_chip->allocated_banks[i].crypto_id; + + /* for unmapped TPM algorithms digest is still a paddedSHA1 */quoted
+ if (crypto_id == HASH_ALGO__LAST) + digest_size = SHA1_DIGEST_SIZE; + + memset(digests[i].digest, 0xff, digest_size);

Shouldn't the memset here be of the actual digest size even for unmapped TPM algorithms?
This is consistent with ima_calc_field_array_hash(), so that a verifier will always pad the SHA1 digest with zeros to obtain the final PCR value. I can set all bytes if you prefer.

Thanks

Roberto

HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Li Peng, Li Jian, Shi Yanli
+ } return 0; }
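Review bot: the comment "for unmapped TPM algorithms digest is still a padded SHA1" promises zero padding, but the memset that follows only writes SHA1_DIGEST_SIZE bytes of 0xff and says nothing about the tail of digests[i].digest; whether those bytes are zero depends on how `digests` was allocated, which is not visible in this hunk. Overwriting `digest_size` with SHA1_DIGEST_SIZE also throws away the bank's real width, so the length of the tail is no longer at hand. Suggest keeping the bank's digest_size in its own variable and either zeroing the tail explicitly, e.g. `memset(digests[i].digest + SHA1_DIGEST_SIZE, 0, digest_size - SHA1_DIGEST_SIZE);` after the 0xff memset, or extending the comment to state that the buffer is assumed zero-initialised, so the padding rule a verifier relies on is recorded in the code rather than implied by the allocator.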
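Roberto's reply rests on the verifier padding the SHA1 digest with zeros before extending the bank's PCR, and on a violation being represented by 0xff over the SHA1 width with the same zero tail. The following Python is an added example, not code from the kernel or from either poster: it simulates that verifier-side replay into a PCR bank. The bank table, the function names (`padded_sha1`, `violation_digest`, `pcr_extend`, `replay`, `sample_replay`) and the sample measurement entries are all constructed for the example.

```python
"""Verifier-side replay of IMA measurements into a TPM PCR bank (added
example, not kernel code).  For a bank the kernel has no crypto mapping
for, the PCR is extended with the SHA1 digest zero-padded to the bank
width; a violation extends the PCR with SHA1_DIGEST_SIZE bytes of 0xff
followed by the same zero padding."""
import hashlib

SHA1_DIGEST_SIZE = 20

# Assumed bank table (constructed): TPM bank name -> digest size in bytes.
BANK_DIGEST_SIZE = {"sha1": 20, "sha256": 32, "sha384": 48}


def padded_sha1(sha1_digest: bytes, bank: str) -> bytes:
    """Zero-pad a raw SHA1 digest to the width of `bank`."""
    if len(sha1_digest) != SHA1_DIGEST_SIZE:
        raise ValueError("expected a raw SHA1 digest")
    return sha1_digest + b"\x00" * (BANK_DIGEST_SIZE[bank] - SHA1_DIGEST_SIZE)


def violation_digest(bank: str) -> bytes:
    """Value extended for a violation: 0xff over the SHA1 width, zero in the
    tail (mirrors the memset in the hunk plus an assumed zeroed buffer)."""
    return padded_sha1(b"\xff" * SHA1_DIGEST_SIZE, bank)


def pcr_extend(pcr: bytes, digest: bytes, bank: str) -> bytes:
    """PCR extend for one bank: new_pcr = H_bank(old_pcr || digest)."""
    size = BANK_DIGEST_SIZE[bank]
    if len(pcr) != size or len(digest) != size:
        raise ValueError("pcr and digest must both be the bank width")
    return hashlib.new(bank, pcr + digest).digest()


def replay(entries, bank: str) -> bytes:
    """Replay measurement-list entries into a fresh (all-zero) PCR.
    Each entry is (sha1_template_digest, is_violation); for a violation the
    recorded digest is disregarded and the 0xff pattern is used instead
    (assumption of this example)."""
    pcr = b"\x00" * BANK_DIGEST_SIZE[bank]
    for sha1_digest, is_violation in entries:
        digest = violation_digest(bank) if is_violation else padded_sha1(sha1_digest, bank)
        pcr = pcr_extend(pcr, digest, bank)
    return pcr


# Constructed sample list: two ordinary entries followed by one violation.
SAMPLE_ENTRIES = [
    (hashlib.sha1(b"constructed entry 1").digest(), False),
    (hashlib.sha1(b"constructed entry 2").digest(), False),
    (b"\x00" * SHA1_DIGEST_SIZE, True),
]


def sample_replay(bank: str) -> bytes:
    """Replay SAMPLE_ENTRIES into the given bank and return the final PCR."""
    return replay(SAMPLE_ENTRIES, bank)


if __name__ == "__main__":
    for bank in BANK_DIGEST_SIZE:
        print(bank, sample_replay(bank).hex())
```

A verifier that compared its replayed value against a quoted PCR would detect either a missing zero tail or a non-0xff violation pattern as a mismatch, which is why the reply stresses that the kernel and the verifier must agree on the same padding rule.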