[{"id":1771607,"web_url":"http://patchwork.ozlabs.org/comment/1771607/","msgid":"<87zi9plwo9.fsf@linux.vnet.ibm.com>","list_archive_url":null,"date":"2017-09-20T06:19:02","subject":"Re: [Skiboot] [PATCH 2/3] libstb/stb.c: measure the IMA_CATALOG\n\tpartition","submitter":{"id":48041,"url":"http://patchwork.ozlabs.org/api/people/48041/","name":"Stewart Smith","email":"stewart@linux.vnet.ibm.com"},"content":"Claudio Carvalho <cclaudio@linux.vnet.ibm.com> writes:\n> This maps a PCR number for the IMA_CATALOG partition so that it can be\n> measured (extended to the mapped PCR).\n>\n> Signed-off-by: Claudio Carvalho <cclaudio@linux.vnet.ibm.com>\n> ---\n>  libstb/stb.c | 1 +\n>  1 file changed, 1 insertion(+)\n>\n> diff --git a/libstb/stb.c b/libstb/stb.c\n> index eab04eb..15aa682 100644\n> --- a/libstb/stb.c\n> +++ b/libstb/stb.c\n> 
@@ -58,6 +58,7 @@ static struct {\n>  \tenum resource_id id;\n>  \tTPM_Pcr pcr;\n>  } resources[] = {\n> +\t{ RESOURCE_ID_IMA_CATALOG, PCR_4 },\n>  \t{ RESOURCE_ID_KERNEL, PCR_4 },\n>  \t{ RESOURCE_ID_CAPP,   PCR_2 },\n>  };\n\nOur current async resource loading *currently* does so serially,\nalthough there's no real requirement that this would be the\ncase in the future. Thus, we probably want something here to enforce\norder if we're extending the same PCR?\n\nOtherwise I foresee accepting an amazing patch that subtly makes the\norder non-deterministic and we only find out ages later when somebody is\nlooking at PCR values and wondering why they're only consistent 99/100\nboots.","headers":{"Return-Path":"<skiboot-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org>","X-Original-To":["incoming@patchwork.ozlabs.org","skiboot@lists.ozlabs.org"],"Delivered-To":["patchwork-incoming@bilbo.ozlabs.org","skiboot@lists.ozlabs.org"],"Received":["from lists.ozlabs.org (lists.ozlabs.org [103.22.144.68])\n\t(using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby ozlabs.org (Postfix) with ESMTPS id 3xxqMV6dPDz9s7h\n\tfor <incoming@patchwork.ozlabs.org>;\n\tWed, 20 Sep 2017 16:19:18 +1000 (AEST)","from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3])\n\tby lists.ozlabs.org (Postfix) with ESMTP id 3xxqMV5n55zDqXj\n\tfor <incoming@patchwork.ozlabs.org>;\n\tWed, 20 Sep 2017 16:19:18 +1000 (AEST)","from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com\n\t[148.163.156.1])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256\n\tbits)) (No client certificate requested)\n\tby lists.ozlabs.org (Postfix) with ESMTPS id 3xxqMP5yLGzDqBd\n\tfor <skiboot@lists.ozlabs.org>; Wed, 20 Sep 2017 16:19:13 +1000 (AEST)","from pps.filterd (m0098396.ppops.net [127.0.0.1])\n\tby mx0a-001b2d01.pphosted.com (8.16.0.21/8.16.0.21) with SMTP id\n\tv8K6Cp10108676\n\tfor <skiboot@lists.ozlabs.org>; Wed, 20 Sep 2017 02:19:10 
-0400","from e34.co.us.ibm.com (e34.co.us.ibm.com [32.97.110.152])\n\tby mx0a-001b2d01.pphosted.com with ESMTP id 2d3cnp4sgu-1\n\t(version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT)\n\tfor <skiboot@lists.ozlabs.org>; Wed, 20 Sep 2017 02:19:10 -0400","from localhost\n\tby e34.co.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use\n\tOnly! Violators will be prosecuted\n\tfor <skiboot@lists.ozlabs.org> from <stewart@linux.vnet.ibm.com>;\n\tWed, 20 Sep 2017 00:19:10 -0600","from b03cxnp07028.gho.boulder.ibm.com (9.17.130.15)\n\tby e34.co.us.ibm.com (192.168.1.134) with IBM ESMTP SMTP Gateway:\n\tAuthorized Use Only! Violators will be prosecuted; \n\tWed, 20 Sep 2017 00:19:07 -0600","from b03ledav006.gho.boulder.ibm.com\n\t(b03ledav006.gho.boulder.ibm.com [9.17.130.237])\n\tby b03cxnp07028.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with\n\tESMTP id v8K6J6lo4194734; Tue, 19 Sep 2017 23:19:06 -0700","from b03ledav006.gho.boulder.ibm.com (unknown [127.0.0.1])\n\tby IMSVA (Postfix) with ESMTP id C652BC603C;\n\tWed, 20 Sep 2017 00:19:06 -0600 (MDT)","from birb.localdomain (unknown [9.185.16.148])\n\tby b03ledav006.gho.boulder.ibm.com (Postfix) with ESMTP id 5A4B1C603E;\n\tWed, 20 Sep 2017 00:19:06 -0600 (MDT)","by birb.localdomain (Postfix, from userid 1000)\n\tid 9E8074F0F8F; Wed, 20 Sep 2017 16:19:02 +1000 (AEST)"],"Authentication-Results":"ozlabs.org;\n\tspf=none (mailfrom) smtp.mailfrom=linux.vnet.ibm.com\n\t(client-ip=148.163.156.1; helo=mx0a-001b2d01.pphosted.com;\n\tenvelope-from=stewart@linux.vnet.ibm.com; receiver=<UNKNOWN>)","From":"Stewart Smith <stewart@linux.vnet.ibm.com>","To":"Claudio Carvalho <cclaudio@linux.vnet.ibm.com>, skiboot@lists.ozlabs.org","In-Reply-To":"<1504166040-16531-3-git-send-email-cclaudio@linux.vnet.ibm.com>","References":"<1504166040-16531-1-git-send-email-cclaudio@linux.vnet.ibm.com>\n\t<1504166040-16531-3-git-send-email-cclaudio@linux.vnet.ibm.com>","Date":"Wed, 20 Sep 2017 16:19:02 
+1000","MIME-Version":"1.0","X-TM-AS-GCONF":"00","x-cbid":"17092006-0016-0000-0000-0000078AD251","X-IBM-SpamModules-Scores":"","X-IBM-SpamModules-Versions":"BY=3.00007766; HX=3.00000241; KW=3.00000007;\n\tPH=3.00000004; SC=3.00000230; SDB=6.00919621; UDB=6.00462025;\n\tIPR=6.00699847; \n\tBA=6.00005598; NDR=6.00000001; ZLA=6.00000005; ZF=6.00000009;\n\tZB=6.00000000; \n\tZP=6.00000000; ZH=6.00000000; ZU=6.00000002; MB=3.00017218;\n\tXFM=3.00000015; UTC=2017-09-20 06:19:08","X-IBM-AV-DETECTION":"SAVI=unused REMOTE=unused XFE=unused","x-cbparentid":"17092006-0017-0000-0000-00003B8A8F41","Message-Id":"<87zi9plwo9.fsf@linux.vnet.ibm.com>","X-Proofpoint-Virus-Version":"vendor=fsecure engine=2.50.10432:, ,\n\tdefinitions=2017-09-20_01:, , signatures=0","X-Proofpoint-Spam-Details":"rule=outbound_notspam policy=outbound score=0\n\tspamscore=0 suspectscore=1\n\tmalwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam\n\tadjust=0 reason=mlx scancount=1 engine=8.0.1-1707230000\n\tdefinitions=main-1709200085","Subject":"Re: [Skiboot] [PATCH 2/3] libstb/stb.c: measure the IMA_CATALOG\n\tpartition","X-BeenThere":"skiboot@lists.ozlabs.org","X-Mailman-Version":"2.1.24","Precedence":"list","List-Id":"Mailing list for skiboot development <skiboot.lists.ozlabs.org>","List-Unsubscribe":"<https://lists.ozlabs.org/options/skiboot>,\n\t<mailto:skiboot-request@lists.ozlabs.org?subject=unsubscribe>","List-Archive":"<http://lists.ozlabs.org/pipermail/skiboot/>","List-Post":"<mailto:skiboot@lists.ozlabs.org>","List-Help":"<mailto:skiboot-request@lists.ozlabs.org?subject=help>","List-Subscribe":"<https://lists.ozlabs.org/listinfo/skiboot>,\n\t<mailto:skiboot-request@lists.ozlabs.org?subject=subscribe>","Content-Type":"text/plain; 
charset=\"utf-8\"","Content-Transfer-Encoding":"base64","Errors-To":"skiboot-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org","Sender":"\"Skiboot\"\n\t<skiboot-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org>"}},{"id":1771608,"web_url":"http://patchwork.ozlabs.org/comment/1771608/","msgid":"<87vakdlwma.fsf@linux.vnet.ibm.com>","list_archive_url":null,"date":"2017-09-20T06:20:13","subject":"Re: [Skiboot] [PATCH 2/3] libstb/stb.c: measure the IMA_CATALOG\n\tpartition","submitter":{"id":48041,"url":"http://patchwork.ozlabs.org/api/people/48041/","name":"Stewart Smith","email":"stewart@linux.vnet.ibm.com"},"content":"Claudio Carvalho <cclaudio@linux.vnet.ibm.com> writes:\n> This maps a PCR number for the IMA_CATALOG partition so that it can be\n> measured (extended to the mapped PCR).\n>\n> Signed-off-by: Claudio Carvalho <cclaudio@linux.vnet.ibm.com>\n> ---\n>  libstb/stb.c | 1 +\n>  1 file changed, 1 insertion(+)\n>\n> diff --git a/libstb/stb.c b/libstb/stb.c\n> index eab04eb..15aa682 100644\n> --- a/libstb/stb.c\n> +++ b/libstb/stb.c\n> 
@@ -58,6 +58,7 @@ static struct {\n>  \tenum resource_id id;\n>  \tTPM_Pcr pcr;\n>  } resources[] = {\n> +\t{ RESOURCE_ID_IMA_CATALOG, PCR_4 },\n>  \t{ RESOURCE_ID_KERNEL, PCR_4 },\n>  \t{ RESOURCE_ID_CAPP,   PCR_2 },\n\nAny reason why PCR4 rather than PCR2?\n\nThe IMA_CATALOG seems more like CAPP than KERNEL, as in, bits of\ndata/microcode rather than other firmware component.","headers":{"Return-Path":"<skiboot-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org>","X-Original-To":["incoming@patchwork.ozlabs.org","skiboot@lists.ozlabs.org"],"Delivered-To":["patchwork-incoming@bilbo.ozlabs.org","skiboot@lists.ozlabs.org"],"Received":["from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3])\n\t(using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby ozlabs.org (Postfix) with ESMTPS id 3xxqNn3xf4z9sNw\n\tfor <incoming@patchwork.ozlabs.org>;\n\tWed, 20 Sep 2017 16:20:25 +1000 (AEST)","from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3])\n\tby lists.ozlabs.org (Postfix) with ESMTP id 3xxqNn353qzDqXj\n\tfor <incoming@patchwork.ozlabs.org>;\n\tWed, 20 Sep 2017 16:20:25 +1000 (AEST)","from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com\n\t[148.163.156.1])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256\n\tbits)) (No client certificate requested)\n\tby lists.ozlabs.org (Postfix) with ESMTPS id 3xxqNh443YzDqBd\n\tfor <skiboot@lists.ozlabs.org>; Wed, 20 Sep 2017 16:20:20 +1000 (AEST)","from pps.filterd (m0098393.ppops.net [127.0.0.1])\n\tby mx0a-001b2d01.pphosted.com (8.16.0.21/8.16.0.21) with SMTP id\n\tv8K6Jqsb053342\n\tfor <skiboot@lists.ozlabs.org>; Wed, 20 Sep 2017 02:20:18 -0400","from e19.ny.us.ibm.com (e19.ny.us.ibm.com [129.33.205.209])\n\tby mx0a-001b2d01.pphosted.com with ESMTP id 2d3cmv4mwa-1\n\t(version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT)\n\tfor <skiboot@lists.ozlabs.org>; Wed, 20 Sep 2017 02:20:18 -0400","from localhost\n\tby e19.ny.us.ibm.com with 
IBM ESMTP SMTP Gateway: Authorized Use\n\tOnly! Violators will be prosecuted\n\tfor <skiboot@lists.ozlabs.org> from <stewart@linux.vnet.ibm.com>;\n\tWed, 20 Sep 2017 02:20:17 -0400","from b01cxnp22034.gho.pok.ibm.com (9.57.198.24)\n\tby e19.ny.us.ibm.com (146.89.104.206) with IBM ESMTP SMTP Gateway:\n\tAuthorized Use Only! Violators will be prosecuted; \n\tWed, 20 Sep 2017 02:20:15 -0400","from b01ledav003.gho.pok.ibm.com (b01ledav003.gho.pok.ibm.com\n\t[9.57.199.108])\n\tby b01cxnp22034.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP\n\tid v8K6KFRp53477386; Wed, 20 Sep 2017 06:20:15 GMT","from b01ledav003.gho.pok.ibm.com (unknown [127.0.0.1])\n\tby IMSVA (Postfix) with ESMTP id 2AB6AB204D;\n\tWed, 20 Sep 2017 02:17:36 -0400 (EDT)","from birb.localdomain (unknown [9.185.16.148])\n\tby b01ledav003.gho.pok.ibm.com (Postfix) with ESMTP id 9F2C9B204E;\n\tWed, 20 Sep 2017 02:17:35 -0400 (EDT)","by birb.localdomain (Postfix, from userid 1000)\n\tid 580564F0F8F; Wed, 20 Sep 2017 16:20:13 +1000 (AEST)"],"Authentication-Results":"ozlabs.org;\n\tspf=none (mailfrom) smtp.mailfrom=linux.vnet.ibm.com\n\t(client-ip=148.163.156.1; helo=mx0a-001b2d01.pphosted.com;\n\tenvelope-from=stewart@linux.vnet.ibm.com; receiver=<UNKNOWN>)","From":"Stewart Smith <stewart@linux.vnet.ibm.com>","To":"Claudio Carvalho <cclaudio@linux.vnet.ibm.com>, skiboot@lists.ozlabs.org","In-Reply-To":"<1504166040-16531-3-git-send-email-cclaudio@linux.vnet.ibm.com>","References":"<1504166040-16531-1-git-send-email-cclaudio@linux.vnet.ibm.com>\n\t<1504166040-16531-3-git-send-email-cclaudio@linux.vnet.ibm.com>","Date":"Wed, 20 Sep 2017 16:20:13 +1000","MIME-Version":"1.0","X-TM-AS-GCONF":"00","x-cbid":"17092006-0056-0000-0000-000003CBF8CC","X-IBM-SpamModules-Scores":"","X-IBM-SpamModules-Versions":"BY=3.00007766; HX=3.00000241; KW=3.00000007;\n\tPH=3.00000004; SC=3.00000230; SDB=6.00919621; UDB=6.00462025;\n\tIPR=6.00699847; \n\tBA=6.00005598; NDR=6.00000001; ZLA=6.00000005; ZF=6.00000009;\n\tZB=6.00000000; 
\n\tZP=6.00000000; ZH=6.00000000; ZU=6.00000002; MB=3.00017218;\n\tXFM=3.00000015; UTC=2017-09-20 06:20:16","X-IBM-AV-DETECTION":"SAVI=unused REMOTE=unused XFE=unused","x-cbparentid":"17092006-0057-0000-0000-00000802FC92","Message-Id":"<87vakdlwma.fsf@linux.vnet.ibm.com>","X-Proofpoint-Virus-Version":"vendor=fsecure engine=2.50.10432:, ,\n\tdefinitions=2017-09-20_01:, , signatures=0","X-Proofpoint-Spam-Details":"rule=outbound_notspam policy=outbound score=0\n\tspamscore=0 suspectscore=1\n\tmalwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam\n\tadjust=0 reason=mlx scancount=1 engine=8.0.1-1707230000\n\tdefinitions=main-1709200086","Subject":"Re: [Skiboot] [PATCH 2/3] libstb/stb.c: measure the IMA_CATALOG\n\tpartition","X-BeenThere":"skiboot@lists.ozlabs.org","X-Mailman-Version":"2.1.24","Precedence":"list","List-Id":"Mailing list for skiboot development <skiboot.lists.ozlabs.org>","List-Unsubscribe":"<https://lists.ozlabs.org/options/skiboot>,\n\t<mailto:skiboot-request@lists.ozlabs.org?subject=unsubscribe>","List-Archive":"<http://lists.ozlabs.org/pipermail/skiboot/>","List-Post":"<mailto:skiboot@lists.ozlabs.org>","List-Help":"<mailto:skiboot-request@lists.ozlabs.org?subject=help>","List-Subscribe":"<https://lists.ozlabs.org/listinfo/skiboot>,\n\t<mailto:skiboot-request@lists.ozlabs.org?subject=subscribe>","Content-Type":"text/plain; charset=\"utf-8\"","Content-Transfer-Encoding":"base64","Errors-To":"skiboot-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org","Sender":"\"Skiboot\"\n\t<skiboot-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org>"}},{"id":1776656,"web_url":"http://patchwork.ozlabs.org/comment/1776656/","msgid":"<7f0ca093-672e-c0e0-3338-2f8665e8b396@linux.vnet.ibm.com>","list_archive_url":null,"date":"2017-09-27T22:21:30","subject":"Re: [Skiboot] [PATCH 2/3] libstb/stb.c: measure the IMA_CATALOG\n\tpartition","submitter":{"id":69305,"url":"http://patchwork.ozlabs.org/api/people/69305/","name":"Claudio 
Carvalho","email":"cclaudio@linux.vnet.ibm.com"},"content":"On 20/09/2017 03:19, Stewart Smith wrote:\n> Claudio Carvalho <cclaudio@linux.vnet.ibm.com> writes:\n>> This maps a PCR number for the IMA_CATALOG partition so that it can be\n>> measured (extended to the mapped PCR).\n>>\n>> Signed-off-by: Claudio Carvalho <cclaudio@linux.vnet.ibm.com>\n>> ---\n>>   libstb/stb.c | 1 +\n>>   1 file changed, 1 insertion(+)\n>>\n>> diff --git a/libstb/stb.c b/libstb/stb.c\n>> index eab04eb..15aa682 100644\n>> --- a/libstb/stb.c\n>> +++ b/libstb/stb.c\n>> 
@@ -58,6 +58,7 @@ static struct {\n>>   \tenum resource_id id;\n>>   \tTPM_Pcr pcr;\n>>   } resources[] = {\n>> +\t{ RESOURCE_ID_IMA_CATALOG, PCR_4 },\n>>   \t{ RESOURCE_ID_KERNEL, PCR_4 },\n>>   \t{ RESOURCE_ID_CAPP,   PCR_2 },\n>>   };\n> Our current async resource loading *currently* does so serially,\n> although there's no real requirement that this would be the\n> case in the future. Thus, we probably want something here to enforce\n> order if we're extending the same PCR?\n\nGood catch. Ideally, we should measure the resource just before it is \nconsumed.\nPerhaps we could verify and measure the resource in the \nflash_resource_loaded() function. If so, we may need to find the \nsub-partition from there, in case the request is for a sub-partition. \nWhat do you think?\n\n> Otherwise I foresee accepting an amazing patch that subtly makes the\n> order non-deterministic and we only find out ages later when somebody is\n> looking at PCR values and wondering why they're only consistent 99/100\n> boots.\n>","headers":{"Return-Path":"<skiboot-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org>","X-Original-To":["incoming@patchwork.ozlabs.org","skiboot@lists.ozlabs.org"],"Delivered-To":["patchwork-incoming@bilbo.ozlabs.org","skiboot@lists.ozlabs.org"],"Received":["from lists.ozlabs.org (lists.ozlabs.org [103.22.144.68])\n\t(using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby ozlabs.org (Postfix) with ESMTPS id 3y2XNn49sTz9t6C\n\tfor <incoming@patchwork.ozlabs.org>;\n\tThu, 28 Sep 2017 08:21:45 +1000 (AEST)","from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3])\n\tby lists.ozlabs.org (Postfix) with ESMTP id 3y2XNn3MVGzDsPd\n\tfor <incoming@patchwork.ozlabs.org>;\n\tThu, 28 Sep 2017 08:21:45 +1000 (AEST)","from mx0a-001b2d01.pphosted.com (mx0b-001b2d01.pphosted.com\n\t[148.163.158.5])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256\n\tbits)) (No client certificate requested)\n\tby 
lists.ozlabs.org (Postfix) with ESMTPS id 3y2XNh0XGFzDsPT\n\tfor <skiboot@lists.ozlabs.org>; Thu, 28 Sep 2017 08:21:38 +1000 (AEST)","from pps.filterd (m0098419.ppops.net [127.0.0.1])\n\tby mx0b-001b2d01.pphosted.com (8.16.0.21/8.16.0.21) with SMTP id\n\tv8RMJHeC042995\n\tfor <skiboot@lists.ozlabs.org>; Wed, 27 Sep 2017 18:21:35 -0400","from e34.co.us.ibm.com (e34.co.us.ibm.com [32.97.110.152])\n\tby mx0b-001b2d01.pphosted.com with ESMTP id 2d8kkvu8nb-1\n\t(version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT)\n\tfor <skiboot@lists.ozlabs.org>; Wed, 27 Sep 2017 18:21:35 -0400","from localhost\n\tby e34.co.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use\n\tOnly! Violators will be prosecuted\n\tfor <skiboot@lists.ozlabs.org> from <cclaudio@linux.vnet.ibm.com>;\n\tWed, 27 Sep 2017 16:21:35 -0600","from b03cxnp08025.gho.boulder.ibm.com (9.17.130.17)\n\tby e34.co.us.ibm.com (192.168.1.134) with IBM ESMTP SMTP Gateway:\n\tAuthorized Use Only! Violators will be prosecuted; \n\tWed, 27 Sep 2017 16:21:33 -0600","from b03ledav006.gho.boulder.ibm.com\n\t(b03ledav006.gho.boulder.ibm.com [9.17.130.237])\n\tby b03cxnp08025.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with\n\tESMTP id v8RMLWBZ1573188; Wed, 27 Sep 2017 15:21:32 -0700","from b03ledav006.gho.boulder.ibm.com (unknown [127.0.0.1])\n\tby IMSVA (Postfix) with ESMTP id CAF78C603E;\n\tWed, 27 Sep 2017 16:21:32 -0600 (MDT)","from [9.85.192.5] (unknown [9.85.192.5])\n\tby b03ledav006.gho.boulder.ibm.com (Postfix) with ESMTP id 10595C603C;\n\tWed, 27 Sep 2017 16:21:31 -0600 (MDT)"],"Authentication-Results":"ozlabs.org;\n\tspf=none (mailfrom) smtp.mailfrom=linux.vnet.ibm.com\n\t(client-ip=148.163.158.5; helo=mx0a-001b2d01.pphosted.com;\n\tenvelope-from=cclaudio@linux.vnet.ibm.com; receiver=<UNKNOWN>)","To":"Stewart Smith <stewart@linux.vnet.ibm.com>, 
skiboot@lists.ozlabs.org","References":"<1504166040-16531-1-git-send-email-cclaudio@linux.vnet.ibm.com>\n\t<1504166040-16531-3-git-send-email-cclaudio@linux.vnet.ibm.com>\n\t<87zi9plwo9.fsf@linux.vnet.ibm.com>","From":"Claudio Carvalho <cclaudio@linux.vnet.ibm.com>","Date":"Wed, 27 Sep 2017 19:21:30 -0300","User-Agent":"Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101\n\tThunderbird/52.3.0","MIME-Version":"1.0","In-Reply-To":"<87zi9plwo9.fsf@linux.vnet.ibm.com>","Content-Language":"en-US","X-TM-AS-GCONF":"00","x-cbid":"17092722-0016-0000-0000-0000079418B7","X-IBM-SpamModules-Scores":"","X-IBM-SpamModules-Versions":"BY=3.00007801; HX=3.00000241; KW=3.00000007;\n\tPH=3.00000004; SC=3.00000232; SDB=6.00923294; UDB=6.00464148;\n\tIPR=6.00703436; \n\tBA=6.00005609; NDR=6.00000001; ZLA=6.00000005; ZF=6.00000009;\n\tZB=6.00000000; \n\tZP=6.00000000; ZH=6.00000000; ZU=6.00000002; MB=3.00017295;\n\tXFM=3.00000015; UTC=2017-09-27 22:21:34","X-IBM-AV-DETECTION":"SAVI=unused REMOTE=unused XFE=unused","x-cbparentid":"17092722-0017-0000-0000-00003BA40FC2","Message-Id":"<7f0ca093-672e-c0e0-3338-2f8665e8b396@linux.vnet.ibm.com>","X-Proofpoint-Virus-Version":"vendor=fsecure engine=2.50.10432:, ,\n\tdefinitions=2017-09-27_08:, , signatures=0","X-Proofpoint-Spam-Details":"rule=outbound_notspam policy=outbound score=0\n\tspamscore=0 suspectscore=0\n\tmalwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam\n\tadjust=0 reason=mlx scancount=1 engine=8.0.1-1707230000\n\tdefinitions=main-1709270312","Subject":"Re: [Skiboot] [PATCH 2/3] libstb/stb.c: measure the IMA_CATALOG\n\tpartition","X-BeenThere":"skiboot@lists.ozlabs.org","X-Mailman-Version":"2.1.24","Precedence":"list","List-Id":"Mailing list for skiboot development 
<skiboot.lists.ozlabs.org>","List-Unsubscribe":"<https://lists.ozlabs.org/options/skiboot>,\n\t<mailto:skiboot-request@lists.ozlabs.org?subject=unsubscribe>","List-Archive":"<http://lists.ozlabs.org/pipermail/skiboot/>","List-Post":"<mailto:skiboot@lists.ozlabs.org>","List-Help":"<mailto:skiboot-request@lists.ozlabs.org?subject=help>","List-Subscribe":"<https://lists.ozlabs.org/listinfo/skiboot>,\n\t<mailto:skiboot-request@lists.ozlabs.org?subject=subscribe>","Content-Transfer-Encoding":"base64","Content-Type":"text/plain; charset=\"utf-8\"; Format=\"flowed\"","Errors-To":"skiboot-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org","Sender":"\"Skiboot\"\n\t<skiboot-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org>"}},{"id":1776676,"web_url":"http://patchwork.ozlabs.org/comment/1776676/","msgid":"<ba24a08e-731d-2b8b-f0d2-eda45a3cb57c@linux.vnet.ibm.com>","list_archive_url":null,"date":"2017-09-27T22:58:14","subject":"Re: [Skiboot] [PATCH 2/3] libstb/stb.c: measure the IMA_CATALOG\n\tpartition","submitter":{"id":69305,"url":"http://patchwork.ozlabs.org/api/people/69305/","name":"Claudio Carvalho","email":"cclaudio@linux.vnet.ibm.com"},"content":"On 20/09/2017 03:20, Stewart Smith wrote:\n> Claudio Carvalho <cclaudio@linux.vnet.ibm.com> writes:\n>> This maps a PCR number for the IMA_CATALOG partition so that it can be\n>> measured (extended to the mapped PCR).\n>>\n>> Signed-off-by: Claudio Carvalho <cclaudio@linux.vnet.ibm.com>\n>> ---\n>>   libstb/stb.c | 1 +\n>>   1 file changed, 1 insertion(+)\n>>\n>> diff --git a/libstb/stb.c b/libstb/stb.c\n>> index eab04eb..15aa682 100644\n>> --- a/libstb/stb.c\n>> +++ b/libstb/stb.c\n>> 
@@ -58,6 +58,7 @@ static struct {\n>>   \tenum resource_id id;\n>>   \tTPM_Pcr pcr;\n>>   } resources[] = {\n>> +\t{ RESOURCE_ID_IMA_CATALOG, PCR_4 },\n>>   \t{ RESOURCE_ID_KERNEL, PCR_4 },\n>>   \t{ RESOURCE_ID_CAPP,   PCR_2 },\n> Any reason why PCR4 rather than PCR2?\n\nThe TCG PC Client spec for TPM 2.0 defines the PCR usage (Table 1):\nPCR2 : UEFI driver and application code\nPCR4 : UEFI Boot Manager Code (usually the MBR) and Boot Attempts\n\nAs you can see even PCR 2 and 4 are not a perfect match for CAPP and \nBOOTKERNEL. We have actively discussed PCR usage and event types \nthese days and the current proposal we are discussing is to start to \nmeasure all skiboot events in PCR 4 because the only event types that \ncould be used with PCR 2 are EV_EFI_BOOT_SERVICES_APPLICATION, \nEV_EFI_BOOT_SERVICES_DRIVER and EV_EFI_RUNTIME_SERVICES_DRIVER. However, \nall of them refer to UEFI and the event field MUST contain a \nUEFI_IMAGE_LOAD_EVENT structure.\n\nIf we measure all skiboot events in PCR 4 we can use the EV_COMPACT_HASH \nevent type, which says that the content of the event field is specified \nby the caller. 
In other words we could continue to put a string in the \nevent field that describes the event, for example:\n\n---------- EVENT 14 ----------\npcr_index            4\nevent_type           12 (EV_COMPACT_HASH)\ndigests.count        2\nalgorithm_id         11 (SHA1)\ndigest\n83 3c 20 b9 f4 fc 0c 18 33 4f\n88 0a 94 2f 02 a1 47 77 df 1f\na1 3f 66 3d f5 72 61 18 73 0c\n6f c3\nalgorithm_id         4 (SHA256)\ndigest\n83 3c 20 b9 f4 fc 0c 18 33 4f\n88 0a 94 2f 02 a1 47 77 df 1f\nevent_size           4\nevent                'CAPP'\n\n> The IMA_CATALOG seems more like CAPP than KERNEL, as in, bits of\n> data/microcode rather than other firmware component.\n>","headers":{"Return-Path":"<skiboot-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org>","X-Original-To":["incoming@patchwork.ozlabs.org","skiboot@lists.ozlabs.org"],"Delivered-To":["patchwork-incoming@bilbo.ozlabs.org","skiboot@lists.ozlabs.org"],"Received":["from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3])\n\t(using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby ozlabs.org (Postfix) with ESMTPS id 3y2YC73sjYz9t5l\n\tfor <incoming@patchwork.ozlabs.org>;\n\tThu, 28 Sep 2017 08:58:27 +1000 (AEST)","from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3])\n\tby lists.ozlabs.org (Postfix) with ESMTP id 3y2YC72S31zDsPd\n\tfor <incoming@patchwork.ozlabs.org>;\n\tThu, 28 Sep 2017 08:58:27 +1000 (AEST)","from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com\n\t[148.163.156.1])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256\n\tbits)) (No client certificate requested)\n\tby lists.ozlabs.org (Postfix) with ESMTPS id 3y2YC267bMzDsPT\n\tfor <skiboot@lists.ozlabs.org>; Thu, 28 Sep 2017 08:58:21 +1000 (AEST)","from pps.filterd (m0098393.ppops.net [127.0.0.1])\n\tby mx0a-001b2d01.pphosted.com (8.16.0.21/8.16.0.21) with SMTP id\n\tv8RMvckL126798\n\tfor <skiboot@lists.ozlabs.org>; Wed, 27 Sep 2017 18:58:19 -0400","from 
e36.co.us.ibm.com (e36.co.us.ibm.com [32.97.110.154])\n\tby mx0a-001b2d01.pphosted.com with ESMTP id 2d8n2wreer-1\n\t(version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT)\n\tfor <skiboot@lists.ozlabs.org>; Wed, 27 Sep 2017 18:58:18 -0400","from localhost\n\tby e36.co.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use\n\tOnly! Violators will be prosecuted\n\tfor <skiboot@lists.ozlabs.org> from <cclaudio@linux.vnet.ibm.com>;\n\tWed, 27 Sep 2017 16:58:18 -0600","from b03cxnp08027.gho.boulder.ibm.com (9.17.130.19)\n\tby e36.co.us.ibm.com (192.168.1.136) with IBM ESMTP SMTP Gateway:\n\tAuthorized Use Only! Violators will be prosecuted; \n\tWed, 27 Sep 2017 16:58:16 -0600","from b03ledav006.gho.boulder.ibm.com\n\t(b03ledav006.gho.boulder.ibm.com [9.17.130.237])\n\tby b03cxnp08027.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with\n\tESMTP id v8RMwGUk62455868; Wed, 27 Sep 2017 15:58:16 -0700","from b03ledav006.gho.boulder.ibm.com (unknown [127.0.0.1])\n\tby IMSVA (Postfix) with ESMTP id 36456C6047;\n\tWed, 27 Sep 2017 16:58:16 -0600 (MDT)","from [9.85.192.5] (unknown [9.85.192.5])\n\tby b03ledav006.gho.boulder.ibm.com (Postfix) with ESMTP id 73E49C603C;\n\tWed, 27 Sep 2017 16:58:15 -0600 (MDT)"],"Authentication-Results":"ozlabs.org;\n\tspf=none (mailfrom) smtp.mailfrom=linux.vnet.ibm.com\n\t(client-ip=148.163.156.1; helo=mx0a-001b2d01.pphosted.com;\n\tenvelope-from=cclaudio@linux.vnet.ibm.com; receiver=<UNKNOWN>)","To":"Stewart Smith <stewart@linux.vnet.ibm.com>, skiboot@lists.ozlabs.org","References":"<1504166040-16531-1-git-send-email-cclaudio@linux.vnet.ibm.com>\n\t<1504166040-16531-3-git-send-email-cclaudio@linux.vnet.ibm.com>\n\t<87vakdlwma.fsf@linux.vnet.ibm.com>","From":"Claudio Carvalho <cclaudio@linux.vnet.ibm.com>","Date":"Wed, 27 Sep 2017 19:58:14 -0300","User-Agent":"Mozilla/5.0 (X11; Linux x86_64; rv:52.0) 
Gecko/20100101\n\tThunderbird/52.3.0","MIME-Version":"1.0","In-Reply-To":"<87vakdlwma.fsf@linux.vnet.ibm.com>","Content-Language":"en-US","X-TM-AS-GCONF":"00","x-cbid":"17092722-0020-0000-0000-00000CC587D8","X-IBM-SpamModules-Scores":"","X-IBM-SpamModules-Versions":"BY=3.00007801; HX=3.00000241; KW=3.00000007;\n\tPH=3.00000004; SC=3.00000232; SDB=6.00923306; UDB=6.00464155;\n\tIPR=6.00703447; \n\tBA=6.00005609; NDR=6.00000001; ZLA=6.00000005; ZF=6.00000009;\n\tZB=6.00000000; \n\tZP=6.00000000; ZH=6.00000000; ZU=6.00000002; MB=3.00017296;\n\tXFM=3.00000015; UTC=2017-09-27 22:58:17","X-IBM-AV-DETECTION":"SAVI=unused REMOTE=unused XFE=unused","x-cbparentid":"17092722-0021-0000-0000-00005E4D09DF","Message-Id":"<ba24a08e-731d-2b8b-f0d2-eda45a3cb57c@linux.vnet.ibm.com>","X-Proofpoint-Virus-Version":"vendor=fsecure engine=2.50.10432:, ,\n\tdefinitions=2017-09-27_08:, , signatures=0","X-Proofpoint-Spam-Details":"rule=outbound_notspam policy=outbound score=0\n\tspamscore=0 suspectscore=0\n\tmalwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam\n\tadjust=0 reason=mlx scancount=1 engine=8.0.1-1707230000\n\tdefinitions=main-1709270321","Subject":"Re: [Skiboot] [PATCH 2/3] libstb/stb.c: measure the IMA_CATALOG\n\tpartition","X-BeenThere":"skiboot@lists.ozlabs.org","X-Mailman-Version":"2.1.24","Precedence":"list","List-Id":"Mailing list for skiboot development <skiboot.lists.ozlabs.org>","List-Unsubscribe":"<https://lists.ozlabs.org/options/skiboot>,\n\t<mailto:skiboot-request@lists.ozlabs.org?subject=unsubscribe>","List-Archive":"<http://lists.ozlabs.org/pipermail/skiboot/>","List-Post":"<mailto:skiboot@lists.ozlabs.org>","List-Help":"<mailto:skiboot-request@lists.ozlabs.org?subject=help>","List-Subscribe":"<https://lists.ozlabs.org/listinfo/skiboot>,\n\t<mailto:skiboot-request@lists.ozlabs.org?subject=subscribe>","Content-Transfer-Encoding":"base64","Content-Type":"text/plain; charset=\"utf-8\"; 
Format=\"flowed\"","Errors-To":"skiboot-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org","Sender":"\"Skiboot\"\n\t<skiboot-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org>"}}]