Support additional binary measurement lists#44
604a3d9 to 994ef16
mimizohar left a comment
ima_show() is used for displaying the original "ima" template. Changing the template_entry structure unfortunately affects ima_show().
- Update the Subject line to "evmctl: support additional binary measurement lists".
For each enabled TPM bank, the Linux kernel creates an associated securityfs ascii and binary measurement list. "evmctl ima_measurement" calculates and verifies each enabled TPM PCR value, based on the SHA1 binary measurement list. Extend "evmctl ima_measurement" support to calculate and verify the TPM PCR value based on the specific hash algorithm binary measurement list.
- Please use checkpatch.pl
WARNING: 'accomodating' may be misspelled - perhaps 'accommodating'?
- checkpatch.pl
WARNING: break is not useful after a return
107: FILE: src/evmctl.c:2362:
return EVP_get_digestbyname(default_algos[i]);
break;
6c7bcfa to ffd9432
strlcpy is not available in older distros ...
ffd9432 to 3de7c4a
Instead of removing strlcpy from checkpatch.pl, add STRLCPY to the checkpatch --ignore list.
3de7c4a to ff52c88
Using snprintf now. Dropped the checklist modification.
The subject line must describe both what the patch changes, as well as why the patch is necessary. Update the subject line to "Extend "evmctl ima_measurement" to support sha256 binary measurement logs".
The patch description is a bit off as well. Please prefix the patch description with:
For each enabled TPM bank, the Linux kernel creates an associated securityfs ascii and binary measurement list in "<securityfs>/integrity/ima". In addition, even if the TPM sha1 bank is not configured, the Linux kernel for the time being creates sha1 securityfs ascii and binary measurement lists.
"evmctl ima_measurement" currently only supports the sha1 binary measurement log as input. Therefore, extend the support for ima_measurement to also support sha256 and other binary measurement logs as input.
Both the binary measurement list and the TPM PCRs may be saved and provided as options to "evmctl ima_measurement". Derive the hash algorithm to use for calculations based on the binary measurement log name [...]
That's not true, they are different and that's the reason why this patch series is needed.
ff52c88 to e946f61
The binary_runtime_measurement logs are created based on the TPM enabled PCR banks. There's no difference between adding sha256 and other binary_runtime_measurement logs. (The last patch updates the default_algos[] and algorithm_map[].) Updated: true, this patch adds the additional sha384 and sha512 TPM banks.
e946f61 to 6a19a1b
6a19a1b to 5cbc335
This PR extends "evmctl ima_measurement" to also allow reading of the sha256, sha384, and sha512 binary logs. So far only the sha1 log was supported.
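The review comments above describe what the per-bank binary measurement lists are and what "evmctl ima_measurement" does with them: derive the bank's hash algorithm from the log name, walk the records, check each record's template digest against its template data, and replay the TPM extend operation to reproduce the PCR value. The following is an added example in Python, not ima-evm-utils code, that does that for a constructed two-record sha256 log. It assumes the record layout the kernel writes to the securityfs binary files (u32 pcr, template digest of the bank's digest size, u32 name length, template name, u32 data length, template data), that the template digest of a length-prefixed template such as ima-ng is the bank hash over the template data bytes, and that a violation record carries an all-zero digest while the PCR was extended with all-0xff bytes. The original "ima" template has no data length field (the point raised about ima_show() above) and is rejected rather than parsed. All sample data is constructed inline.

```python
"""Replay an IMA binary measurement list for one TPM bank (added example, not evmctl code).

Assumed record layout of <securityfs>/integrity/ima/binary_runtime_measurements*:
  u32 pcr | template digest (bank digest size) | u32 name_len | name | u32 data_len | data
The original "ima" template omits data_len and is rejected here.
"""
import hashlib
import re
import struct


def algo_from_log_name(path):
    """Unsuffixed file is the sha1 log; binary_runtime_measurements_<algo> is the <algo> bank log."""
    name = path.rsplit("/", 1)[-1]
    m = re.fullmatch(r"binary_runtime_measurements(?:_([a-z0-9]+))?", name)
    if not m:
        raise ValueError(f"not a binary measurement list name: {name!r}")
    algo = m.group(1) or "sha1"
    try:
        hashlib.new(algo)
    except ValueError:
        raise ValueError(f"hash algorithm not available: {algo}") from None
    return algo


def digest_size(algo):
    return hashlib.new(algo).digest_size


def parse_log(data, algo):
    """Split the binary log into (pcr, template_digest, template_name, template_data) tuples."""
    dsize, entries, off = digest_size(algo), [], 0
    try:
        while off < len(data):
            (pcr,) = struct.unpack_from("<I", data, off); off += 4
            digest = data[off:off + dsize]; off += dsize
            (nlen,) = struct.unpack_from("<I", data, off); off += 4
            name = data[off:off + nlen].decode("ascii"); off += nlen
            if name == "ima":
                raise ValueError("original 'ima' template has no data length field; not handled")
            (dlen,) = struct.unpack_from("<I", data, off); off += 4
            tdata = data[off:off + dlen]; off += dlen
            if len(digest) != dsize or len(name) != nlen or len(tdata) != dlen:
                raise ValueError("truncated measurement list")
            entries.append((pcr, digest, name, tdata))
    except struct.error:
        raise ValueError("truncated measurement list") from None
    return entries


def pcr_extend(old, value, algo):
    """TPM extend: new = H(old || value)."""
    return hashlib.new(algo, old + value).digest()


def template_digest(tdata, algo):
    """Per-bank template digest is the bank hash over the template data bytes (assumption, see lead-in)."""
    return hashlib.new(algo, tdata).digest()


def replay_pcrs(entries, algo):
    """Recompute every PCR touched by the log, starting from all-zero PCRs."""
    zero, ones, pcrs = bytes(digest_size(algo)), b"\xff" * digest_size(algo), {}
    for pcr, digest, name, tdata in entries:
        if digest == zero:
            ext = ones  # violation: logged as zero digest, PCR was extended with 0xff..ff
        elif digest == template_digest(tdata, algo):
            ext = digest
        else:
            raise ValueError(f"template digest mismatch in PCR {pcr} '{name}' record")
        pcrs[pcr] = pcr_extend(pcrs.get(pcr, zero), ext, algo)
    return pcrs


def verify_pcr(pcrs, index, tpm_value):
    """Compare the replayed PCR with the value read from the TPM bank."""
    return pcrs.get(index) == tpm_value


def build_record(pcr, name, fields, algo, violation=False):
    """Constructed record in the layout above; fields are length-prefixed like ima-ng."""
    tdata = b"".join(struct.pack("<I", len(f)) + f for f in fields)
    digest = bytes(digest_size(algo)) if violation else template_digest(tdata, algo)
    return (struct.pack("<I", pcr) + digest + struct.pack("<I", len(name)) + name.encode("ascii")
            + struct.pack("<I", len(tdata)) + tdata)


SAMPLE_ALGO = "sha256"


def sample_log():
    """Constructed sha256-bank log: one ima-ng measurement of PCR 10 and one violation record."""
    file_digest = hashlib.sha256(b"constructed contents of /usr/bin/ls").digest()
    return (build_record(10, "ima-ng", [b"sha256:\0" + file_digest, b"/usr/bin/ls\0"], SAMPLE_ALGO)
            + build_record(10, "ima-ng", [b"sha256:\0" + bytes(32), b"open_writers\0"], SAMPLE_ALGO, violation=True))


if __name__ == "__main__":
    algo = algo_from_log_name("binary_runtime_measurements_sha256")
    pcrs = replay_pcrs(parse_log(sample_log(), algo), algo)
    print(f"replayed PCR 10 ({algo}): {pcrs[10].hex()}")
```

Parsing a log with the wrong bank's algorithm misreads the digest field width, which is exactly why the algorithm has to be derived from the log name (or passed explicitly) before the first record is read.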