Re: [RFC PATCH v2 03/13] ima: invalidate unsupported PCR banks
From: Nicolai Stange
Date: Wed Mar 26 2025 - 10:31:49 EST
Mimi Zohar <zohar@xxxxxxxxxxxxx> writes:
> On Wed, 2025-03-26 at 10:01 +0100, Nicolai Stange wrote:
>> Mimi Zohar <zohar@xxxxxxxxxxxxx> writes:
>>
>> > > diff --git a/security/integrity/ima/ima_crypto.c b/security/integrity/ima/ima_crypto.c
>> > > index 6f5696d999d0..a43080fb8edc 100644
>> > > --- a/security/integrity/ima/ima_crypto.c
>> > > +++ b/security/integrity/ima/ima_crypto.c
>> > > @@ -625,26 +625,43 @@ int ima_calc_field_array_hash(struct ima_field_data *field_data,
>> > > u16 alg_id;
>> > > int rc, i;
>> > >
>> > > +#if IS_ENABLED(CONFIG_IMA_COMPAT_FALLBACK_TPM_EXTEND)
>> > > rc = ima_calc_field_array_hash_tfm(field_data, entry, ima_sha1_idx);
>> > > if (rc)
>> > > return rc;
>> > >
>> > > entry->digests[ima_sha1_idx].alg_id = TPM_ALG_SHA1;
>> > > +#endif
>> > >
>> > > for (i = 0; i < NR_BANKS(ima_tpm_chip) + ima_extra_slots; i++) {
>> > > +#if IS_ENABLED(CONFIG_IMA_COMPAT_FALLBACK_TPM_EXTEND)
>> > > if (i == ima_sha1_idx)
>> > > continue;
>> > > +#endif
>> > >
>> > > if (i < NR_BANKS(ima_tpm_chip)) {
>> > > alg_id = ima_tpm_chip->allocated_banks[i].alg_id;
>> > > entry->digests[i].alg_id = alg_id;
>> > > }
>> > >
>> > > - /* for unmapped TPM algorithms digest is still a padded SHA1 */
>> > > + /*
>> > > + * For unmapped TPM algorithms, the digest is still a
>> > > + * padded SHA1 if backwards-compatibility fallback PCR
>> > > + * extension is enabled. Otherwise fill with
>> > > + * 0xfes. This is the value to invalidate unsupported
>> > > + * PCR banks with. Also, a non-all-zeroes value serves
>> > > + * as an indicator to kexec measurement restoration
>> > > + * that the entry is not a violation and all its
>> > > + * template digests need to get recomputed.
>> > > + */
>> > > if (!ima_algo_array[i].tfm) {
>> > > +#if IS_ENABLED(CONFIG_IMA_COMPAT_FALLBACK_TPM_EXTEND)
>> > > memcpy(entry->digests[i].digest,
>> > > entry->digests[ima_sha1_idx].digest,
>> > > TPM_DIGEST_SIZE);
>>
>> ^
>> That's been here before, just for the record for the below.
>
> And it is correct.
>
>>
>> > > +#else
>> > > + memset(entry->digests[i].digest, 0xfe, TPM_DIGEST_SIZE);
>> > > +#endif
>> >
>> > Using TPM_DIGEST_SIZE will result in a padded 0xfe value.
>>
>> Yes, but as the sysfs files for unsupported algos are gone, this will be
>> used only for extending the PCR banks. tpm[12]_pcr_extend()
>> (necessarily) truncate the digests to the correct size before sending
>> them to the TPM.
>>
>> But if you prefer I can absolutely replace TPM_DIGEST_SIZE by
>> hash_digest_size[ima_algo_array[i].algo].
>
> Unlike violations, which are the full digest size, a padded sha1 is extended
> into the unsupported algos TPM banks. I assume you'd want it to be the full
> digest size like violations.
You are so right, thanks for spotting! What I wanted is
TPM_MAX_DIGEST_SIZE, not TPM_DIGEST_SIZE (== 20).
Thanks,
Nicolai
--
SUSE Software Solutions Germany GmbH, Frankenstraße 146, 90461 Nürnberg, Germany
GF: Ivo Totev, Andrew McDonald, Werner Knoblich
(HRB 36809, AG Nürnberg)