Message ID | 20200929165021.11731-1-pvorel@suse.cz
---|---
Series | TPM 2.0 fixes in IMA tests
Hi Mimi, Lakshmi,

sorry for the late version. FYI Cyril is planning to release LTP tomorrow evening, thus to get it into this release requires review and testing till tomorrow lunch or something. Thus I understand if you don't have time for it.

NOTE: crazy support for old versions was important to get support for older SLES versions.

Kind regards,
Petr

> Hi,
>
> few more fixes, mostly touching older kernels or evmctl versions.
> Changes in 3rd and 4th commit.
>
> Kind regards,
> Petr
>
> Petr Vorel (4):
>   IMA: Move get_algorithm_digest(), set_digest_index() to ima_setup.sh
>   IMA: Rewrite ima_boot_aggregate.c to new API
>   ima_tpm.sh: Fix calculating boot aggregate
>   ima_tpm.sh: Fix calculating PCR aggregate
>
>  .../integrity/ima/src/ima_boot_aggregate.c    | 113 ++++----
>  .../integrity/ima/tests/ima_measurements.sh   |  62 +---
>  .../security/integrity/ima/tests/ima_setup.sh |  70 +++++
>  .../security/integrity/ima/tests/ima_tpm.sh   | 265 ++++++++++++++----
>  4 files changed, 341 insertions(+), 169 deletions(-)
Hi Petr,

On Tue, 2020-09-29 at 18:53 +0200, Petr Vorel wrote:
> Hi Mimi, Lakshmi,
>
> sorry for the late version. FYI Cyril is planning to release LTP tomorrow evening,
> thus to get it into this release requires review and testing till tomorrow lunch
> or something.
> Thus I understand if you don't have time for it.
>
> NOTE: crazy support for old versions was important to get support for older SLES
> versions.

Thank you so much for updating the ima_tpm.sh test.

Of all the comments, it would be nice to re-verify the measurement list with "--ignore-violations" to provide more context. Anyone running with just the ima_policy=tcb would have violations. You should be able to test that yourself with the logs, PCRs, and directions I sent you.

In terms of supporting the "ima" template, I think it would only be for old, existing systems, but then I doubt they would be running ltp.

The "boot_aggregate" to "sha1" change works on a system with TPM 1.2.

Mimi
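The two checks this series touches (the PCR 10 replay of the measurement list and the boot_aggregate computation) and the `--ignore-violations` point above, written out as an added Python example. This is not code from LTP's ima_tpm.sh, from ima-evm-utils or from this thread. It assumes the sha1 PCR bank, the classic TPM 1.2-style definition boot_aggregate = sha1(PCR0 || ... || PCR7), and that the kernel records a violation with an all-zero template hash in the ascii measurement list while extending PCR 10 with all-0xff bytes (which is the gap `--ignore-violations` compensates for). Every measurement line and PCR value below is constructed.

```python
"""Replay an IMA ascii_runtime_measurements list against PCR values (sha1 bank).

Added example, not part of LTP or ima-evm-utils. Assumptions (see lead-in):
  - boot_aggregate = sha1(PCR0 || ... || PCR7)   (classic TPM 1.2 / sha1 form)
  - a violation entry carries an all-zero template hash in the ascii list,
    but the kernel extended PCR 10 with all-0xff bytes for it.
"""
import hashlib

SHA1_LEN = 20
ZERO_DIGEST = b"\x00" * SHA1_LEN
VIOLATION_DIGEST = b"\xff" * SHA1_LEN  # assumed value the kernel extends with on a violation

# Constructed PCR values standing in for /sys/class/tpm/tpm0/pcr-sha1/<n>.
SAMPLE_PCRS = {i: bytes([i]) * SHA1_LEN for i in range(24)}


def extend(pcr_value: bytes, digest: bytes) -> bytes:
    """TPM PCR extend for the sha1 bank: new = sha1(old || digest)."""
    return hashlib.sha1(pcr_value + digest).digest()


def boot_aggregate(pcr_values: dict, pcrs=range(8)) -> bytes:
    """sha1 over the concatenated values of PCR 0..7 (assumed definition)."""
    h = hashlib.sha1()
    for i in pcrs:
        h.update(pcr_values[i])
    return h.digest()


def build_sample_list(pcr_values: dict) -> str:
    """Constructed ascii list: '<pcr> <template-hash> <template> <template-data>'."""
    ba = boot_aggregate(pcr_values).hex()
    lines = [
        # boot_aggregate entry; its template hash is an opaque constructed value
        f"10 {'11' * SHA1_LEN} ima-ng sha1:{ba} boot_aggregate",
        # a ToMToU-style violation: all-zero template hash and file hash
        f"10 {'00' * SHA1_LEN} ima-ng sha1:{'00' * SHA1_LEN} /tmp/open_writers",
        f"10 {'22' * SHA1_LEN} ima-ng sha1:{'33' * SHA1_LEN} /usr/bin/ls",
    ]
    return "\n".join(lines) + "\n"


def parse_measurements(text: str) -> list:
    """Split each line into pcr, template digest, template name and data."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pcr, template_hash, template, data = line.split(maxsplit=3)
        digest = bytes.fromhex(template_hash)
        entries.append({"pcr": int(pcr), "digest": digest, "template": template,
                        "data": data, "violation": digest == ZERO_DIGEST})
    return entries


def pcr_aggregate(entries: list, pcr: int = 10, ignore_violations: bool = False) -> bytes:
    """Replay the list into a PCR value; with ignore_violations, substitute 0xff.. for violations."""
    value = ZERO_DIGEST
    for e in entries:
        if e["pcr"] != pcr:
            continue
        digest = VIOLATION_DIGEST if (e["violation"] and ignore_violations) else e["digest"]
        value = extend(value, digest)
    return value


def simulate_tpm_pcr10(entries: list) -> bytes:
    """Stand-in for reading PCR 10 from the TPM: what the kernel's extends produced."""
    value = ZERO_DIGEST
    for e in entries:
        if e["pcr"] == 10:
            value = extend(value, VIOLATION_DIGEST if e["violation"] else e["digest"])
    return value


def verify_pcr10(text: str, tpm_pcr10: bytes, ignore_violations: bool = False) -> tuple:
    """Return (aggregate matches the TPM, number of violation entries seen)."""
    entries = parse_measurements(text)
    ok = pcr_aggregate(entries, 10, ignore_violations) == tpm_pcr10
    return ok, sum(e["violation"] for e in entries)


def verify_boot_aggregate(text: str, pcr_values: dict) -> bool:
    """Check the first entry's 'sha1:<hex> boot_aggregate' against PCR 0..7."""
    first = parse_measurements(text)[0]
    if not first["data"].endswith(" boot_aggregate"):
        return False
    algo, _, hexdigest = first["data"].split()[0].partition(":")
    return algo == "sha1" and bytes.fromhex(hexdigest) == boot_aggregate(pcr_values)


if __name__ == "__main__":
    text = build_sample_list(SAMPLE_PCRS)
    tpm = simulate_tpm_pcr10(parse_measurements(text))
    print("boot_aggregate ok:", verify_boot_aggregate(text, SAMPLE_PCRS))
    print("PCR10 strict:", verify_pcr10(text, tpm))
    print("PCR10 with --ignore-violations:", verify_pcr10(text, tpm, ignore_violations=True))
```

With the sample list, the strict replay fails because the violation entry is extended as zeros while the TPM holds the 0xff extension; replaying with `ignore_violations=True` reproduces PCR 10. The boot_aggregate check also shows why only PCR 0..7 matter for this definition: altering PCR 8 leaves it valid, altering PCR 7 breaks it.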
On Tue, Sep 29, 2020 at 06:50:17PM +0200, Petr Vorel wrote:
> Hi,
>
> few more fixes, mostly touching older kernels or evmctl versions.
> Changes in 3rd and 4th commit.
>
> Kind regards,
> Petr
>
> Petr Vorel (4):
>   IMA: Move get_algorithm_digest(), set_digest_index() to ima_setup.sh
>   IMA: Rewrite ima_boot_aggregate.c to new API
>   ima_tpm.sh: Fix calculating boot aggregate
>   ima_tpm.sh: Fix calculating PCR aggregate
>
>  .../integrity/ima/src/ima_boot_aggregate.c    | 113 ++++----
>  .../integrity/ima/tests/ima_measurements.sh   |  62 +---
>  .../security/integrity/ima/tests/ima_setup.sh |  70 +++++
>  .../security/integrity/ima/tests/ima_tpm.sh   | 265 ++++++++++++++----
>  4 files changed, 341 insertions(+), 169 deletions(-)
>
> --
> 2.28.0
>

Hi, is there something specific I should look at in this patch set?

/Jarkko
Hi Jarkko,

> Hi, is there something specific I should look at in this patch set?

I'm sorry to bother you with LTP specific code. Can you have a quick look if I didn't overlook anything obvious in reading PCR files (read_pcr_tpm*())?

I'm surprised that it's working on my TPM 2.0 which does not export /sys/kernel/security/tpm0/binary_bios_measurements (using evmctl).

> /Jarkko

Kind regards,
Petr
On Wed, Sep 30, 2020 at 07:53:14AM +0200, Petr Vorel wrote:
> Hi Jarkko,
>
> > Hi, is there something specific I should look at in this patch set?
>
> I'm sorry to bother you with LTP specific code. Can you have a quick look if I
> didn't overlook anything obvious in reading PCR files (read_pcr_tpm*())?
>
> I'm surprised that it's working on my TPM 2.0 which does not export
> /sys/kernel/security/tpm0/binary_bios_measurements (using evmctl).

Thank you, this was actually really important remark and reminder.

OK so I think James' patch is stuck because of me, i.e.

https://lore.kernel.org/linux-integrity/20200911114820.GB6877@linux.intel.com/

I'm sorry about this. The final final conclusion is that the way it exports PCRs is just fine.

Can you test this version?

https://patchwork.kernel.org/patch/11759729/

I can then add reviewed-by and apply it and you don't have to do any sort of stupid hacks.

/Jarkko
Hi Jarkko,

> On Wed, Sep 30, 2020 at 07:53:14AM +0200, Petr Vorel wrote:
> > Hi Jarkko,
> >
> > > Hi, is there something specific I should look at in this patch set?
> >
> > I'm sorry to bother you with LTP specific code. Can you have a quick look if I
> > didn't overlook anything obvious in reading PCR files (read_pcr_tpm*())?
> >
> > I'm surprised that it's working on my TPM 2.0 which does not export
> > /sys/kernel/security/tpm0/binary_bios_measurements (using evmctl).
>
> Thank you, this was actually really important remark and reminder.
>
> OK so I think James' patch is stuck because of me, i.e.
>
> https://lore.kernel.org/linux-integrity/20200911114820.GB6877@linux.intel.com/
>
> I'm sorry about this. The final final conclusion is that the way it
> exports PCRs is just fine.

That's great, thank you for going to upstream James' patch. James, thanks for implementing it!

> Can you test this version?

Sure, I'll test it next week.

> https://patchwork.kernel.org/patch/11759729/
>
> I can then add reviewed-by and apply it and you don't have to do any sort
> of stupid hacks.

I'll need to keep these hacks for older kernels, but it's great that there is a better solution.

Other thing: do you know if anybody practically uses more TPM devices in a single machine? I'm asking because I work with tpm0 in ima_tpm.sh, but maybe I should allow the user to redefine it to choose a different device (or even run tests for all available devices).

Kind regards,
Petr

> /Jarkko
On Thu, Oct 01, 2020 at 02:01:25PM +0200, Petr Vorel wrote:
> I'll need to keep these hacks for older kernels, but it's great that there is a
> better solution.
>
> Other thing: do you know if anybody practically uses more TPM devices in a single
> machine? I'm asking because I work with tpm0 in ima_tpm.sh, but maybe I should
> allow the user to redefine it to choose a different device (or even run tests for all
> available devices).

You can create a proxy TPM device for a TPM emulator or a software TPM (e.g. could be an SGX enclave) by using the ioctl interface /dev/vtpmx, provided by the tpm_vtpm_proxy driver. QEMU provides a passthrough interface from TPM devices to the VM, which can be utilized for this. This one I know at least.

> Kind regards,
> Petr

/Jarkko