On Thu, Mar 13, 2025 at 10:13 AM Sumit Garg wrote:
>
> + Jens
>
> Hi Stefano,
>
> On Tue, Mar 11, 2025 at 11:01:29AM +0100, Stefano Garzarella wrote:
> > This driver does not support interrupts, and receiving the response is
> > synchronous with sending the command.
> >
> > It used an internal buf
Hi all,
if no SHA-1 implementation was available to the kernel, IMA init would
currently fail, rendering the whole subsystem unusable.
This patch series is an attempt to make SHA-1 availability non-mandatory
for IMA. The main motivation is that NIST announced to sunset SHA-1 by
2030 ([1]), whereb
IMA creates one runtime_measurements_ sysfs file for every TPM
bank + for SHA1 if not covered by any such. These differ only in that the
template hash value for each record is of the file's associated algorithm
each.
The kernel does not necessarily support each hash algorithm associated
with some
runtime_measurements_ sysfs files are getting created for
each PCR bank + for SHA-1.
Now that runtime_measurements_ sysfs file creation is being
skipped for unsupported hash algorithms, it will become possible that no
such file would be provided at all once SHA-1 is made optional in a
later patch.
Make the INVALID_PCR() #define available to other compilation units
by moving it from ima_policy.c to ima.h and renaming it to
IMA_INVALID_PCR() in the course.
Signed-off-by: Nicolai Stange
---
security/integrity/ima/ima.h| 4
security/integrity/ima/ima_policy.c | 5 +
2 files c
The existing tpm_pcr_extend() extends all of a PCR's allocated banks with
the corresponding digest from the provided digests[] argument.
An upcoming code change to IMA will introduce the need to skip over those
banks it does not have a hash algorithm implementation available for.
Introduce tpm_pc
A subsequent patch will make IMA invalidate PCR banks associated with
unsupported hash algorithms once at a PCR's first use. To prepare for
that, make it track the set of PCRs ever extended.
Maintain the set of touched PCRs in an unsigned long bitmask,
'ima_extended_pcrs_mask'.
Amend the IMA_I
Normally IMA would extend a template hash of each bank's associated
algorithm into a PCR. However, if a bank's hash algorithm is unavailable
to the kernel at IMA init time, it would fall back to extending padded
SHA1 hashes instead.
That is, if e.g. SHA-256 was missing at IMA init, it would extend
For CONFIG_IMA_COMPAT_FALLBACK_TPM_EXTEND=n, SHA-1 is not a hard
requirement anymore. Make ima_init_crypto() continue on SHA-1
instantiation errors.
Note that the configured ima_hash must still be available. If that
happened to be set to SHA-1 and SHA-1 was missing, then IMA would
still fail to ini
+ Jens
Hi Stefano,
On Tue, Mar 11, 2025 at 11:01:29AM +0100, Stefano Garzarella wrote:
> This driver does not support interrupts, and receiving the response is
> synchronous with sending the command.
>
> It used an internal buffer to cache the response when .send() is called,
> and then return i
The `state` member in `struct ftpm_tee_private` is in the documentation,
but it has never been in the implementation since the commit 09e574831b27
("tpm/tpm_ftpm_tee: A driver for firmware TPM running inside TEE") that
introduced it.
Remove it to have a match between documentation and implementati
Add documentation providing details of how the CRB driver interacts
with FF-A.
Reviewed-by: Jarkko Sakkinen
Signed-off-by: Stuart Yoder
---
Documentation/security/tpm/index.rst | 1 +
Documentation/security/tpm/tpm_ffa_crb.rst | 65 ++
2 files changed, 66 insertions(+