-----Original Message-----
From: linux-integrity-owner@vger.kernel.org [mailto:linux-integrity-
owner@vger.kernel.org] On Behalf Of Mimi Zohar
Sent: Wednesday, March 18, 2020 10:55 PM
To: Roberto Sassu <roberto.sassu@huawei.com>;
James.Bottomley@HansenPartnership.com;
jarkko.sakkinen@linux.intel.com
Cc: linux-integrity@vger.kernel.org; linux-security-module@vger.kernel.org;
linux-kernel@vger.kernel.org; Silviu Vlasceanu
[off-list ref]
Subject: Re: [PATCH v3 7/8] ima: Calculate and extend PCR with digests in
ima_template_entry

On Wed, 2020-03-18 at 12:42 +0000, Roberto Sassu wrote:

quoted

quoted

-----Original Message-----
From: owner-linux-security-module@vger.kernel.org [mailto:owner-

linux-

quoted

quoted

security-module@vger.kernel.org] On Behalf Of Mimi Zohar
Sent: Tuesday, March 3, 2020 5:04 AM
To: Roberto Sassu <roberto.sassu@huawei.com>;
James.Bottomley@HansenPartnership.com;
jarkko.sakkinen@linux.intel.com
Cc: linux-integrity@vger.kernel.org; linux-security-

module@vger.kernel.org;

quoted

quoted

linux-kernel@vger.kernel.org; Silviu Vlasceanu
[off-list ref]
Subject: Re: [PATCH v3 7/8] ima: Calculate and extend PCR with digests

in

quoted

quoted

ima_template_entry

On Mon, 2020-02-10 at 11:04 +0100, Roberto Sassu wrote:

quoted

@@ -219,6 +214,8 @@ int ima_restore_measurement_entry(struct

ima_template_entry *entry)

quoted

 int __init ima_init_digests(void)
 {
+	u16 digest_size;
+	u16 crypto_id;
 	int i;

 	if (!ima_tpm_chip)

@@ -229,8 +226,17 @@ int __init ima_init_digests(void)
 	if (!digests)
 		return -ENOMEM;

-	for (i = 0; i < ima_tpm_chip->nr_allocated_banks; i++)
+	for (i = 0; i < ima_tpm_chip->nr_allocated_banks; i++) {
 		digests[i].alg_id = ima_tpm_chip->allocated_banks[i].alg_id;
+		digest_size = ima_tpm_chip->allocated_banks[i].digest_size;
+		crypto_id = ima_tpm_chip->allocated_banks[i].crypto_id;
+
+		/* for unmapped TPM algorithms digest is still a padded

SHA1 */

quoted

+		if (crypto_id == HASH_ALGO__LAST)
+			digest_size = SHA1_DIGEST_SIZE;
+
+		memset(digests[i].digest, 0xff, digest_size);

Shouldn't the memset here be of the actual digest size even for
unmapped TPM algorithms.

This is consistent with ima_calc_field_array_hash(), so that a verifier
will always pad the SHA1 digest with zeros to obtain the final PCR value.

I can set all bytes if you prefer.

My concern is with violations.  The measurement list will be padded
with 0's, but the value being extended into the TPM will only
partially be 0xFF's.  When verifying the measurement list, replacing
all 0x00's with all 0xFF's is simpler.

If the TPM algorithm is unknown, the starting point is the SHA1 digest.
If there is a violation, this should be the one to be modified. Then, after
that, padding is done for all entries in the same way, regardless of
whether the entry is a violation or not.

Roberto

HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Li Peng, Li Jian, Shi Yanli