On 3/8/2017 5:29 PM, Mimi Zohar wrote:
> The reason for extending multiple TPM banks is to prevent user space
> from being able to extend unused TPM banks with whatever they want and
> then quote those banks, based on a bogus list. I wouldn't say that
> padding/truncating the unused TPM banks is a standard, but something
> that is needed.

The problem is that by doing this for each measurement, the boot time
will increase significantly due to the higher number of extend
operations.

Preventing use of unused banks can be achieved by extending all PCR
banks with a known value only once during IMA initialization and
reporting this in the event log.

Example:

0 0000... ima-header sha1:20|sha256:32
10 sha1:ffff...|sha256:<digest> ima-ng sha1:<digest> boot_aggregate

> By extending multiple TPM banks, the IMA measurement list can then be
> validated against any bank, assuming that it is padded/truncated
> appropriately.

Another benefit of the proposal above is that verifiers do not need to
know how digests are padded/truncated, as the event log will report the
digest for each bank.

Roberto

_______________________________________________
tpmdd-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/tpmdd-devel
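
The two approaches compared in this message, as an added example that is not part of the original message and is not kernel or IMA code. It simulates a TPM with a SHA-1 and a SHA-256 bank, counts extend operations for each approach, and replays each log the way a verifier would. The log layout (Python dicts), the 0xff known value and the file names are constructed assumptions.

```python
import hashlib

BANKS = {"sha1": hashlib.sha1, "sha256": hashlib.sha256}
SIZE = {alg: h().digest_size for alg, h in BANKS.items()}
FILES = [b"boot_aggregate", b"/sbin/init", b"/bin/sh", b"/etc/passwd"]  # constructed

class SimTPM:
    """Toy TPM: one PCR per bank, counting extend operations."""
    def __init__(self):
        self.pcr = {alg: bytes(SIZE[alg]) for alg in BANKS}
        self.extends = 0

    def extend(self, alg, digest):
        if len(digest) != SIZE[alg]:
            raise ValueError("digest does not match bank size")
        self.pcr[alg] = BANKS[alg](self.pcr[alg] + digest).digest()
        self.extends += 1

def fit(alg, digest):
    """Zero-pad or truncate a digest to the bank's digest size."""
    return digest[:SIZE[alg]].ljust(SIZE[alg], b"\0")

def measure_pad_every_entry(tpm, files):
    """Quoted approach: each SHA-1 measurement is extended into every bank."""
    log = []
    for data in files:
        sha1 = hashlib.sha1(data).digest()
        for alg in BANKS:
            tpm.extend(alg, fit(alg, sha1))
        log.append({"sha1": sha1})  # the log carries the SHA-1 digest only
    return log

def measure_cap_once(tpm, files):
    """Reply's approach: one logged known-value extend per bank, then SHA-1 only."""
    header = {alg: b"\xff" * SIZE[alg] for alg in BANKS}  # constructed known value
    for alg, digest in header.items():
        tpm.extend(alg, digest)
    log = [header]
    for data in files:
        sha1 = hashlib.sha1(data).digest()
        tpm.extend("sha1", sha1)
        log.append({"sha1": sha1})
    return log

def replay(log, alg, pad_from=None):
    """Verifier: recompute a bank from logged digests, padding only if told to."""
    pcr = bytes(SIZE[alg])
    for entry in log:
        digest = entry.get(alg) or (pad_from and fit(alg, entry[pad_from]))
        if digest:
            pcr = BANKS[alg](pcr + digest).digest()
    return pcr
```

With N measurements and B banks the first approach costs N*B extends and the second N+B; in the second, `replay` matches every bank without `pad_from`, because the log states the digest extended into each bank.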
