Re: [PATCH v6 4/7] tpm: modify tpm_pcr_read() definition to pass a TPM hash algorithm
On Thu, Dec 06, 2018 at 01:44:58PM +0530, Nayna Jain wrote: > > On 12/05/2018 05:10 AM, Jarkko Sakkinen wrote: > > On Tue, Dec 04, 2018 at 09:21:35AM +0100, Roberto Sassu wrote: > > > Currently the TPM driver allows other kernel subsystems to read only the > > > SHA1 PCR bank. This patch modifies the parameters of tpm_pcr_read() and > > > tpm2_pcr_read() to pass a tpm_digest structure, which contains the desired > > > hash algorithm. Also, since commit 125a22105410 ("tpm: React correctly to > > > RC_TESTING from TPM 2.0 self tests") removed the call to tpm2_pcr_read(), > > > the new parameter is expected to be always not NULL. > > > > > > Due to the API change, IMA functions have been modified. > > > > > > Signed-off-by: Roberto Sassu > > > Acked-by: Mimi Zohar > > Reviewed-by: Jarkko Sakkinen > > > > Mimi, Nayna, can you help with testing this (because of the IMA change)? > > Sure, I will try to do by end of my day tomorrow, Awesome, thank you. /Jarkko
Re: [PATCH v6 4/7] tpm: modify tpm_pcr_read() definition to pass a TPM hash algorithm
On 12/9/2018 9:32 PM, Mimi Zohar wrote: On Fri, 2018-12-07 at 15:51 +0100, Roberto Sassu wrote: On 12/6/2018 8:49 PM, Mimi Zohar wrote: PCRs for sha1 and sha256 algorithms are being updated and the measurement list verifies against the SHA1 PCR-10. Roberto, have you added support in ima-evm-utils to validate the other banks? I modified IMA LTP. I'm not finding it. Was the test for the current code, where the same value is being padded for different algorithms, or for walking the proposed hash agile format? I did not send the patch yet. Roberto Mimi -- HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063 Managing Director: Bo PENG, Jian LI, Yanli SHI
Re: [PATCH v6 4/7] tpm: modify tpm_pcr_read() definition to pass a TPM hash algorithm
On Fri, 2018-12-07 at 15:51 +0100, Roberto Sassu wrote: > On 12/6/2018 8:49 PM, Mimi Zohar wrote: > > PCRs for sha1 and sha256 algorithms are being updated and the > > measurement list verifies against the SHA1 PCR-10. > > > > Roberto, have you added support in ima-evm-utils to validate the other > > banks? > > I modified IMA LTP. I'm not finding it. Was the test for the current code, where the same value is being padded for different algorithms, or for walking the proposed hash agile format? Mimi
Re: [PATCH v6 4/7] tpm: modify tpm_pcr_read() definition to pass a TPM hash algorithm
On 12/05/2018 05:10 AM, Jarkko Sakkinen wrote: On Tue, Dec 04, 2018 at 09:21:35AM +0100, Roberto Sassu wrote: Currently the TPM driver allows other kernel subsystems to read only the SHA1 PCR bank. This patch modifies the parameters of tpm_pcr_read() and tpm2_pcr_read() to pass a tpm_digest structure, which contains the desired hash algorithm. Also, since commit 125a22105410 ("tpm: React correctly to RC_TESTING from TPM 2.0 self tests") removed the call to tpm2_pcr_read(), the new parameter is expected to be always not NULL. Due to the API change, IMA functions have been modified. Signed-off-by: Roberto Sassu Acked-by: Mimi Zohar Reviewed-by: Jarkko Sakkinen Mimi, Nayna, can you help with testing this (because of the IMA change)? Tested-by: Nayna Jain Thanks & Regards, - Nayna /Jarkko
Re: [PATCH v6 4/7] tpm: modify tpm_pcr_read() definition to pass a TPM hash algorithm
On 12/6/2018 8:49 PM, Mimi Zohar wrote: On Wed, 2018-12-05 at 15:31 -0500, Mimi Zohar wrote: On Tue, 2018-12-04 at 15:40 -0800, Jarkko Sakkinen wrote: On Tue, Dec 04, 2018 at 09:21:35AM +0100, Roberto Sassu wrote: Currently the TPM driver allows other kernel subsystems to read only the SHA1 PCR bank. This patch modifies the parameters of tpm_pcr_read() and tpm2_pcr_read() to pass a tpm_digest structure, which contains the desired hash algorithm. Also, since commit 125a22105410 ("tpm: React correctly to RC_TESTING from TPM 2.0 self tests") removed the call to tpm2_pcr_read(), the new parameter is expected to be always not NULL. Due to the API change, IMA functions have been modified. Signed-off-by: Roberto Sassu Acked-by: Mimi Zohar Reviewed-by: Jarkko Sakkinen Mimi, Nayna, can you help with testing this (because of the IMA change)? It's up & running and the measurement list verifies against the TPM PCR. Although this system has two algorithms enabled, all of the PCRs are allocated for one algorithm and none for the other. I'm still looking around for another system with PCR 10 enabled for multiple algorithms. PCRs for sha1 and sha256 algorithms are being updated and the measurement list verifies against the SHA1 PCR-10. Roberto, have you added support in ima-evm-utils to validate the other banks? I modified IMA LTP. Roberto Mimi -- HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063 Managing Director: Bo PENG, Jian LI, Yanli SHI
Re: [PATCH v6 4/7] tpm: modify tpm_pcr_read() definition to pass a TPM hash algorithm
On 12/6/2018 8:49 PM, Mimi Zohar wrote: On Wed, 2018-12-05 at 15:31 -0500, Mimi Zohar wrote: On Tue, 2018-12-04 at 15:40 -0800, Jarkko Sakkinen wrote: On Tue, Dec 04, 2018 at 09:21:35AM +0100, Roberto Sassu wrote: Currently the TPM driver allows other kernel subsystems to read only the SHA1 PCR bank. This patch modifies the parameters of tpm_pcr_read() and tpm2_pcr_read() to pass a tpm_digest structure, which contains the desired hash algorithm. Also, since commit 125a22105410 ("tpm: React correctly to RC_TESTING from TPM 2.0 self tests") removed the call to tpm2_pcr_read(), the new parameter is expected to be always not NULL. Due to the API change, IMA functions have been modified. Signed-off-by: Roberto Sassu Acked-by: Mimi Zohar Reviewed-by: Jarkko Sakkinen Mimi, Nayna, can you help with testing this (because of the IMA change)? It's up & running and the measurement list verifies against the TPM PCR. Although this system has two algorithms enabled, all of the PCRs are allocated for one algorithm and none for the other. I'm still looking around for another system with PCR 10 enabled for multiple algorithms. PCRs for sha1 and sha256 algorithms are being updated and the measurement list verifies against the SHA1 PCR-10. Roberto, have you added support in ima-evm-utils to validate the other banks? I modified IMA LTP. Roberto Mimi -- HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063 Managing Director: Bo PENG, Jian LI, Yanli SHI
Re: [PATCH v6 4/7] tpm: modify tpm_pcr_read() definition to pass a TPM hash algorithm
On Wed, 2018-12-05 at 15:31 -0500, Mimi Zohar wrote: > On Tue, 2018-12-04 at 15:40 -0800, Jarkko Sakkinen wrote: > > On Tue, Dec 04, 2018 at 09:21:35AM +0100, Roberto Sassu wrote: > > > Currently the TPM driver allows other kernel subsystems to read only the > > > SHA1 PCR bank. This patch modifies the parameters of tpm_pcr_read() and > > > tpm2_pcr_read() to pass a tpm_digest structure, which contains the desired > > > hash algorithm. Also, since commit 125a22105410 ("tpm: React correctly to > > > RC_TESTING from TPM 2.0 self tests") removed the call to tpm2_pcr_read(), > > > the new parameter is expected to be always not NULL. > > > > > > Due to the API change, IMA functions have been modified. > > > > > > Signed-off-by: Roberto Sassu > > > Acked-by: Mimi Zohar > > > > Reviewed-by: Jarkko Sakkinen > > > > Mimi, Nayna, can you help with testing this (because of the IMA change)? > > It's up & running and the measurement list verifies against the TPM > PCR. Although this system has two algorithms enabled, all of the PCRs > are allocated for one algorithm and none for the other. I'm still > looking around for another system with PCR 10 enabled for multiple > algorithms. PCRs for sha1 and sha256 algorithms are being updated and the measurement list verifies against the SHA1 PCR-10. Roberto, have you added support in ima-evm-utils to validate the other banks? Mimi
Re: [PATCH v6 4/7] tpm: modify tpm_pcr_read() definition to pass a TPM hash algorithm
On Wed, 2018-12-05 at 15:31 -0500, Mimi Zohar wrote: > On Tue, 2018-12-04 at 15:40 -0800, Jarkko Sakkinen wrote: > > On Tue, Dec 04, 2018 at 09:21:35AM +0100, Roberto Sassu wrote: > > > Currently the TPM driver allows other kernel subsystems to read only the > > > SHA1 PCR bank. This patch modifies the parameters of tpm_pcr_read() and > > > tpm2_pcr_read() to pass a tpm_digest structure, which contains the desired > > > hash algorithm. Also, since commit 125a22105410 ("tpm: React correctly to > > > RC_TESTING from TPM 2.0 self tests") removed the call to tpm2_pcr_read(), > > > the new parameter is expected to be always not NULL. > > > > > > Due to the API change, IMA functions have been modified. > > > > > > Signed-off-by: Roberto Sassu > > > Acked-by: Mimi Zohar > > > > Reviewed-by: Jarkko Sakkinen > > > > Mimi, Nayna, can you help with testing this (because of the IMA change)? > > It's up & running and the measurement list verifies against the TPM > PCR. Although this system has two algorithms enabled, all of the PCRs > are allocated for one algorithm and none for the other. I'm still > looking around for another system with PCR 10 enabled for multiple > algorithms. PCRs for sha1 and sha256 algorithms are being updated and the measurement list verifies against the SHA1 PCR-10. Roberto, have you added support in ima-evm-utils to validate the other banks? Mimi
Re: [PATCH v6 4/7] tpm: modify tpm_pcr_read() definition to pass a TPM hash algorithm
On 12/05/2018 05:10 AM, Jarkko Sakkinen wrote: On Tue, Dec 04, 2018 at 09:21:35AM +0100, Roberto Sassu wrote: Currently the TPM driver allows other kernel subsystems to read only the SHA1 PCR bank. This patch modifies the parameters of tpm_pcr_read() and tpm2_pcr_read() to pass a tpm_digest structure, which contains the desired hash algorithm. Also, since commit 125a22105410 ("tpm: React correctly to RC_TESTING from TPM 2.0 self tests") removed the call to tpm2_pcr_read(), the new parameter is expected to be always not NULL. Due to the API change, IMA functions have been modified. Signed-off-by: Roberto Sassu Acked-by: Mimi Zohar Reviewed-by: Jarkko Sakkinen Mimi, Nayna, can you help with testing this (because of the IMA change)? Sure, I will try to do by end of my day tomorrow, Thanks & Regards, - Nayna /Jarkko
Re: [PATCH v6 4/7] tpm: modify tpm_pcr_read() definition to pass a TPM hash algorithm
On 12/05/2018 05:10 AM, Jarkko Sakkinen wrote: On Tue, Dec 04, 2018 at 09:21:35AM +0100, Roberto Sassu wrote: Currently the TPM driver allows other kernel subsystems to read only the SHA1 PCR bank. This patch modifies the parameters of tpm_pcr_read() and tpm2_pcr_read() to pass a tpm_digest structure, which contains the desired hash algorithm. Also, since commit 125a22105410 ("tpm: React correctly to RC_TESTING from TPM 2.0 self tests") removed the call to tpm2_pcr_read(), the new parameter is expected to be always not NULL. Due to the API change, IMA functions have been modified. Signed-off-by: Roberto Sassu Acked-by: Mimi Zohar Reviewed-by: Jarkko Sakkinen Mimi, Nayna, can you help with testing this (because of the IMA change)? Sure, I will try to do by end of my day tomorrow, Thanks & Regards, - Nayna /Jarkko
Re: [PATCH v6 4/7] tpm: modify tpm_pcr_read() definition to pass a TPM hash algorithm
On Tue, 2018-12-04 at 15:40 -0800, Jarkko Sakkinen wrote: > On Tue, Dec 04, 2018 at 09:21:35AM +0100, Roberto Sassu wrote: > > Currently the TPM driver allows other kernel subsystems to read only the > > SHA1 PCR bank. This patch modifies the parameters of tpm_pcr_read() and > > tpm2_pcr_read() to pass a tpm_digest structure, which contains the desired > > hash algorithm. Also, since commit 125a22105410 ("tpm: React correctly to > > RC_TESTING from TPM 2.0 self tests") removed the call to tpm2_pcr_read(), > > the new parameter is expected to be always not NULL. > > > > Due to the API change, IMA functions have been modified. > > > > Signed-off-by: Roberto Sassu > > Acked-by: Mimi Zohar > > Reviewed-by: Jarkko Sakkinen > > Mimi, Nayna, can you help with testing this (because of the IMA change)? It's up & running and the measurement list verifies against the TPM PCR. Although this system has two algorithms enabled, all of the PCRs are allocated for one algorithm and none for the other. I'm still looking around for another system with PCR 10 enabled for multiple algorithms. Mimi
Re: [PATCH v6 4/7] tpm: modify tpm_pcr_read() definition to pass a TPM hash algorithm
On Tue, 2018-12-04 at 15:40 -0800, Jarkko Sakkinen wrote: > On Tue, Dec 04, 2018 at 09:21:35AM +0100, Roberto Sassu wrote: > > Currently the TPM driver allows other kernel subsystems to read only the > > SHA1 PCR bank. This patch modifies the parameters of tpm_pcr_read() and > > tpm2_pcr_read() to pass a tpm_digest structure, which contains the desired > > hash algorithm. Also, since commit 125a22105410 ("tpm: React correctly to > > RC_TESTING from TPM 2.0 self tests") removed the call to tpm2_pcr_read(), > > the new parameter is expected to be always not NULL. > > > > Due to the API change, IMA functions have been modified. > > > > Signed-off-by: Roberto Sassu > > Acked-by: Mimi Zohar > > Reviewed-by: Jarkko Sakkinen > > Mimi, Nayna, can you help with testing this (because of the IMA change)? It's up & running and the measurement list verifies against the TPM PCR. Although this system has two algorithms enabled, all of the PCRs are allocated for one algorithm and none for the other. I'm still looking around for another system with PCR 10 enabled for multiple algorithms. Mimi
Re: [PATCH v6 4/7] tpm: modify tpm_pcr_read() definition to pass a TPM hash algorithm
On Tue, Dec 04, 2018 at 09:21:35AM +0100, Roberto Sassu wrote: > Currently the TPM driver allows other kernel subsystems to read only the > SHA1 PCR bank. This patch modifies the parameters of tpm_pcr_read() and > tpm2_pcr_read() to pass a tpm_digest structure, which contains the desired > hash algorithm. Also, since commit 125a22105410 ("tpm: React correctly to > RC_TESTING from TPM 2.0 self tests") removed the call to tpm2_pcr_read(), > the new parameter is expected to be always not NULL. > > Due to the API change, IMA functions have been modified. > > Signed-off-by: Roberto Sassu > Acked-by: Mimi Zohar Reviewed-by: Jarkko Sakkinen Mimi, Nayna, can you help with testing this (because of the IMA change)? /Jarkko
Re: [PATCH v6 4/7] tpm: modify tpm_pcr_read() definition to pass a TPM hash algorithm
On Tue, Dec 04, 2018 at 09:21:35AM +0100, Roberto Sassu wrote: > Currently the TPM driver allows other kernel subsystems to read only the > SHA1 PCR bank. This patch modifies the parameters of tpm_pcr_read() and > tpm2_pcr_read() to pass a tpm_digest structure, which contains the desired > hash algorithm. Also, since commit 125a22105410 ("tpm: React correctly to > RC_TESTING from TPM 2.0 self tests") removed the call to tpm2_pcr_read(), > the new parameter is expected to be always not NULL. > > Due to the API change, IMA functions have been modified. > > Signed-off-by: Roberto Sassu > Acked-by: Mimi Zohar Reviewed-by: Jarkko Sakkinen Mimi, Nayna, can you help with testing this (because of the IMA change)? /Jarkko