Message ID | 20180314155731.5943-4-pvorel@suse.cz |
---|---|
State | Changes Requested |
Delegated to: | Petr Vorel |
Series | Rewrite tests into new API + fixes |
[Cc'ing George Wilson]

On Wed, 2018-03-14 at 16:57 +0100, Petr Vorel wrote:
> This is needed as according IMA developers there are BIOS events larger
> than 4k [1]. Actual size for TPM 1.2 is undefined, TPM 2.0 specifies:
> "For software parsing the event log, the parser can choose an arbitrary
> maximum size, but this specification recommends a maximum value for the
> TCG_PCR_EVENT2.eventSize field of 1MB." [2].
>
> So hope 8k is enough.

Is there a way of making this value system dependent? On my laptop this is fine, but for PowerVM w/TPM 1.2 I've been told this is too small.

> [1] http://lists.linux.it/pipermail/ltp/2018-January/006970.html
> [2] http://lists.linux.it/pipermail/ltp/2018-January/007002.html
>
> Signed-off-by: Petr Vorel <pvorel@suse.cz>

Acked-by: Mimi Zohar <zohar@linux.vnet.ibm.com>

> --- > testcases/kernel/security/integrity/ima/src/ima_boot_aggregate.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/testcases/kernel/security/integrity/ima/src/ima_boot_aggregate.c b/testcases/kernel/security/integrity/ima/src/ima_boot_aggregate.c > index f7ae77cb1..c52cea4c9 100644 > --- a/testcases/kernel/security/integrity/ima/src/ima_boot_aggregate.c > +++ b/testcases/kernel/security/integrity/ima/src/ima_boot_aggregate.c > @@ -30,7 +30,7 @@ char *TCID = "ima_boot_aggregate"; > #if HAVE_LIBCRYPTO > #include <openssl/sha.h> > > -#define MAX_EVENT_SIZE 500 > +#define MAX_EVENT_SIZE 8192 > #define EVENT_HEADER_SIZE 32 > #define MAX_EVENT_DATA_SIZE (MAX_EVENT_SIZE - EVENT_HEADER_SIZE) > #define NUM_PCRS 8 /* PCR registers 0-7 in boot aggregate */
Mimi Zohar <zohar@linux.vnet.ibm.com> wrote on 03/27/2018 02:44:15 PM:

> From: Mimi Zohar <zohar@linux.vnet.ibm.com>
> To: Petr Vorel <pvorel@suse.cz>, ltp@lists.linux.it
> Cc: linux-integrity@vger.kernel.org, George Wilson/Austin/IBM@IBMUS
> Date: 03/27/2018 02:44 PM
> Subject: Re: [RFC PATCH v2 3/4] ima/ima_boot_aggregate: Increase MAX_EVENT_SIZE to 8k
>
> [Cc'ing George Wilson]
>
> On Wed, 2018-03-14 at 16:57 +0100, Petr Vorel wrote:
> > This is needed as according IMA developers there are BIOS events larger
> > than 4k [1]. Actual size for TPM 1.2 is undefined, TPM 2.0 specifies:
> > "For software parsing the event log, the parser can choose an arbitrary
> > maximum size, but this specification recommends a maximum value for the
> > TCG_PCR_EVENT2.eventSize field of 1MB." [2].
> >
> > So hope 8k is enough.
>
> Is there a way of making this value system dependent? On my
> laptop this is fine, but for PowerVM w/TPM 1.2 I've been told this is
> too small.

Why not follow the spec? PowerVM has enormous events because they
were allowed by the 1.2 spec. The 2.0 spec recommends 1M so I think
they should be at least 1M. Because they're large, they should really
be dynamically allocated.

> > [1] http://lists.linux.it/pipermail/ltp/2018-January/006970.html
> > [2] http://lists.linux.it/pipermail/ltp/2018-January/007002.html
> >
> > Signed-off-by: Petr Vorel <pvorel@suse.cz>
>
> Acked-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
>
> > --- > > testcases/kernel/security/integrity/ima/src/ima_boot_aggregate.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/testcases/kernel/security/integrity/ima/src/ima_boot_aggregate.c b/testcases/kernel/security/integrity/ > ima/src/ima_boot_aggregate.c > > index f7ae77cb1..c52cea4c9 100644 > > --- a/testcases/kernel/security/integrity/ima/src/ima_boot_aggregate.c > > +++ b/testcases/kernel/security/integrity/ima/src/ima_boot_aggregate.c
> > @@ -30,7 +30,7 @@ char *TCID = "ima_boot_aggregate"; > > #if HAVE_LIBCRYPTO > > #include <openssl/sha.h> > > > > -#define MAX_EVENT_SIZE 500 > > +#define MAX_EVENT_SIZE 8192 > > #define EVENT_HEADER_SIZE 32 > > #define MAX_EVENT_DATA_SIZE (MAX_EVENT_SIZE - EVENT_HEADER_SIZE) > > #define NUM_PCRS 8 /* PCR registers 0-7 in boot aggregate */
Hi George,

> > Is there a way of making this value system dependent? On my
> > laptop this is fine, but for PowerVM w/TPM 1.2 I've been told this is
> > too small.

> Why not follow the spec? PowerVM has enormous events because they
> were allowed by the 1.2 spec. The 2.0 spec recommends 1M so I think
> they should be at least 1M. Because they're large, they should really
> be dynamically allocated.

Makes sense. Let's try 1M.
Thanks a lot for your input.

Kind regards,
Petr
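The approach suggested in the thread (size each event buffer from its own header, bounded by 1MB), as an added example that is not LTP code and was not posted by anyone in the thread. `walk_event_log`, `walk_sample` and `EVENT_DATA_CAP` are hypothetical names; the 32-byte header layout (PCR index, event type, 20-byte SHA-1 digest, size), the host byte order of the size field and the sample log are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define EVENT_HEADER_SIZE 32            /* pcr(4) + type(4) + SHA-1 digest(20) + size(4) */
#define EVENT_DATA_CAP (1024u * 1024u)  /* 1MB, the TPM 2.0 figure quoted in the thread */

/* Returns the event count, -1 for a truncated entry, -2 for a size above the
 * cap, -3 if allocation fails. *largest gets the biggest data size seen. */
long walk_event_log(const uint8_t *log, size_t len, uint32_t *largest)
{
	size_t pos = 0;
	long count = 0;

	for (*largest = 0; pos < len; count++) {
		uint32_t size;
		uint8_t *data;

		if (len - pos < EVENT_HEADER_SIZE)
			return -1;
		memcpy(&size, log + pos + 28, sizeof(size)); /* host byte order (assumption) */
		pos += EVENT_HEADER_SIZE;
		if (size > EVENT_DATA_CAP)
			return -2;              /* reject before allocating or reading */
		if (size > len - pos)
			return -1;              /* header promises more than the log holds */
		data = malloc(size ? size : 1); /* sized by the header, not by a macro */
		if (!data)
			return -3;
		memcpy(data, log + pos, size);  /* a caller would hash this event data */
		free(data);
		pos += size;
		if (size > *largest)
			*largest = size;
	}
	return count;
}

/* Constructed sample: a log holding 9000 and 16 zero data bytes whose two
 * size fields are set to a and b, so bad values can be tried. */
long walk_sample(uint32_t a, uint32_t b, uint32_t *largest)
{
	static uint8_t log[2 * EVENT_HEADER_SIZE + 9000 + 16];

	memcpy(log + 28, &a, sizeof(a));
	memcpy(log + EVENT_HEADER_SIZE + 9000 + 28, &b, sizeof(b));
	return walk_event_log(log, sizeof(log), largest);
}
```

The 9000-byte event in the sample is larger than the 8160 data bytes an 8192-byte `MAX_EVENT_SIZE` leaves after the header, yet it is read without a fixed buffer; only a size above the cap or beyond the end of the log is refused.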
diff --git a/testcases/kernel/security/integrity/ima/src/ima_boot_aggregate.c b/testcases/kernel/security/integrity/ima/src/ima_boot_aggregate.c index f7ae77cb1..c52cea4c9 100644 --- a/testcases/kernel/security/integrity/ima/src/ima_boot_aggregate.c +++ b/testcases/kernel/security/integrity/ima/src/ima_boot_aggregate.c @@ -30,7 +30,7 @@ char *TCID = "ima_boot_aggregate"; #if HAVE_LIBCRYPTO #include <openssl/sha.h> -#define MAX_EVENT_SIZE 500 +#define MAX_EVENT_SIZE 8192 #define EVENT_HEADER_SIZE 32 #define MAX_EVENT_DATA_SIZE (MAX_EVENT_SIZE - EVENT_HEADER_SIZE) #define NUM_PCRS 8 /* PCR registers 0-7 in boot aggregate */
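Review bot: `+#define MAX_EVENT_SIZE 8192` swaps one fixed guess for another: with `EVENT_HEADER_SIZE 32` it leaves `MAX_EVENT_DATA_SIZE` at 8160 bytes, while the commit message quotes a recommended maximum of 1MB for TCG_PCR_EVENT2.eventSize and says the TPM 1.2 size is undefined, so a log with a larger event still will not fit. The hunk does not show how an event length above MAX_EVENT_DATA_SIZE is handled; please make sure the length read from each event header is checked against that limit before the data is read, and that the test reports such an event instead of reading past the buffer or silently truncating. Raising the cap to 1MB, as discussed in the thread, argues for allocating the event data per event rather than growing a fixed-size buffer, and the macro deserves a comment saying where the number comes from.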
This is needed as according IMA developers there are BIOS events larger
than 4k [1]. Actual size for TPM 1.2 is undefined, TPM 2.0 specifies:
"For software parsing the event log, the parser can choose an arbitrary
maximum size, but this specification recommends a maximum value for the
TCG_PCR_EVENT2.eventSize field of 1MB." [2].

So hope 8k is enough.

[1] http://lists.linux.it/pipermail/ltp/2018-January/006970.html
[2] http://lists.linux.it/pipermail/ltp/2018-January/007002.html

Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
testcases/kernel/security/integrity/ima/src/ima_boot_aggregate.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)