state,
- print an error if the bank associated with ima_hash is among those
- and warn about discontinued banks.
With that, any unsupported bank will leave a trace at least once in a
kernel log somewhere in the kexec chain (assuming all the kernels
are implementing this logic, of
ss kernels in a
kexec chain, so each booted kernel would re-invalidate the unsupported
banks again. As said above, taking care of this as well will be handled
in a separate patch.
[1] https://github.com/linux-integrity/ima-evm-utils.git
Signed-off-by: Nicolai Stange
---
security/integrity/im
: Nicolai Stange
---
security/integrity/ima/ima.h| 1 +
security/integrity/ima/ima_crypto.c | 2 +-
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index 67b78f5512f1..9bfe045ac9d5 100644
--- a/security/integrity/ima
s, make ima_init_digest() to
likewise provision the digests[] elements corresponding to unsupported
banks with 0xfes.
[1] https://github.com/linux-integrity/ima-evm-utils
Signed-off-by: Nicolai Stange
---
security/integrity/ima/Kconfig | 14 ++
security/integrity/ima/ima_
initialize.
Signed-off-by: Nicolai Stange
---
security/integrity/ima/ima_crypto.c | 59 +
1 file changed, 27 insertions(+), 32 deletions(-)
diff --git a/security/integrity/ima/ima_crypto.c
b/security/integrity/ima/ima_crypto.c
index a43080fb8edc..4ac4138d98de 100644
xtension of any bank having its
corresponding bit set there.
Signed-off-by: Nicolai Stange
---
drivers/char/tpm/tpm-interface.c | 29 +++--
drivers/char/tpm/tpm.h | 3 ++-
drivers/char/tpm/tpm2-cmd.c | 29 +++--
include/linux/tpm
Signed-off-by: Nicolai Stange
---
security/integrity/ima/ima_fs.c | 6 ++
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c
index a8df2fe5f4cb..f030ff7f56da 100644
--- a/security/integrity/ima/ima_fs.c
+++ b/securit
Make the INVALID_PCR() #define available to other compilation units
by moving it from ima_policy.c to ima.h and renaming it to
IMA_INVALID_PCR() in the course.
Signed-off-by: Nicolai Stange
---
security/integrity/ima/ima.h| 4
security/integrity/ima/ima_policy.c | 5 +
2 files
"ma: make ima_free_tfm()'s linkage extern"): new,
likewise a prerequisite for [13/13].
[1] https://lore.kernel.org/r/20250313173339.3815589-1-nsta...@suse.de
[2]
https://lore.kernel.org/r/4e760360258bda56fbcb8f67e865a7a4574c305a.ca...@linux.ibm.com
Nicolai Stange (13):
ima: don't expose run
usable PCR bank.
So, in order to make sure that IMA has access to at least one usable bank
on platforms featuring a TPM 2.0 device, make it depend on CRYPTO_SHA256.
Keep the dependency on CRYPTO_SHA1 for the TPM 1 case.
Signed-off-by: Nicolai Stange
---
security/integrity/ima/Kconfig | 1 +
1
startup() -> tpm2_auto_startup()
-> tpm2_sessions_init(),
so there won't be any issues with that.
Signed-off-by: Nicolai Stange
---
drivers/char/tpm/tpm2-cmd.c | 46 +
1 file changed, 42 insertions(+), 4 deletions(-)
diff --git a/drivers/char/tpm/tpm2-cmd.c b/drive
Mimi Zohar writes:
> On Tue, 2025-03-18 at 16:55 +0100, Nicolai Stange wrote:
>> Mimi Zohar writes:
>> > FYI, because the IMA Kconfig selects SHA1, we're guaranteed that SHA1
>> > exists in
>> > the kernel and the subsequent kexec'ed kernel. For th
an
interposer could potentially trick IMA to skip a needed PCR bank
invalidation from a kexeced kernel even with CONFIG_TCG_TPM2_HMAC=y.
Signed-off-by: Nicolai Stange
---
security/integrity/ima/ima.h| 1 +
security/integrity/ima/ima_crypto.c | 125
2 files cha
Mimi Zohar writes:
> On Tue, 2025-03-18 at 11:26 +0100, Nicolai Stange wrote:
>> Mimi Zohar writes:
>>
>> > On Thu, 2025-03-13 at 18:33 +0100, Nicolai Stange wrote:
>> > > Normally IMA would extend a template hash of each bank's associated
>> >
Roberto Sassu writes:
> On Thu, 2025-03-13 at 18:33 +0100, Nicolai Stange wrote:
>> Hi all,
>>
>> if no SHA-1 implementation was available to the kernel, IMA init would
>> currently fail, rendering the whole subsystem unusable.
>>
>> This patch series i
Mimi Zohar writes:
> On Thu, 2025-03-13 at 18:33 +0100, Nicolai Stange wrote:
>> Normally IMA would extend a template hash of each bank's associated
>> algorithm into a PCR. However, if a bank's hash algorithm is unavailable
>> to the kernel at IMA init time,
urements_sha1 as well as the "runtime_measurements" will
remain there, even though the code has provisions already to skip their
creation as well in case SHA-1 was unavailable.
Signed-off-by: Nicolai Stange
---
security/integrity/ima/ima_fs.c | 35 +
1 f
sk value after kexecs yet, that will be the subject of
later patches.
Signed-off-by: Nicolai Stange
---
security/integrity/ima/ima.h | 8 ++--
security/integrity/ima/ima_queue.c | 17 +
2 files changed, 19 insertions(+), 6 deletions(-)
diff --git a/security/integrity/ima/i
Mimi Zohar writes:
> On Sun, 2025-03-23 at 15:09 +0100, Nicolai Stange wrote:
>
>> diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c
>> index dfdcbd009720..23ded8ea47dc 100644
>> --- a/drivers/char/tpm/tpm2-cmd.c
>> +++ b/drivers/char/tpm/tp
Jarkko Sakkinen writes:
> On Sun, Mar 23, 2025 at 03:09:05PM +0100, Nicolai Stange wrote:
>> The existing tpm_pcr_extend() extends all of a PCR's allocated banks with
>> the corresponding digest from the provided digests[] argument.
>
> Why not "just" tpm_pcr_
Mimi Zohar writes:
> On Wed, 2025-03-26 at 09:21 +0100, Nicolai Stange wrote:
>> Mimi Zohar writes:
>>
>> > On Sun, 2025-03-23 at 15:09 +0100, Nicolai Stange wrote:
>> > "ima_hash" is the default file hash algorithm. Re-using it as the default
>
Mimi Zohar writes:
> On Wed, 2025-03-26 at 10:01 +0100, Nicolai Stange wrote:
>> Mimi Zohar writes:
>>
>> > > diff --git a/security/integrity/ima/ima_crypto.c
>> > > b/security/integrity/ima/ima_crypto.c
>> > > index 6f5696d999d0..a430
Mimi Zohar writes:
> On Sun, 2025-03-23 at 15:08 +0100, Nicolai Stange wrote:
>> IMA creates one runtime_measurements_ sysfs file for every TPM
>> bank + for SHA1 if not covered by any such. These differ only in that the
>> template hash value for each record is of
Mimi Zohar writes:
> On Sun, 2025-03-23 at 15:09 +0100, Nicolai Stange wrote:
>> runtime_measurements_ sysfs files are getting created for
>> each PCR bank + for SHA-1.
>>
>> Now that runtime_measurements_ sysfs file creation is being
>> skipped for unsupporte
James Bottomley writes:
> On Sun, 2025-03-23 at 15:09 +0100, Nicolai Stange wrote:
>> PCR reads aren't currently authenticated even with
>> CONFIG_TCG_TPM2_HMAC=y yet.
>
> The reason being TPM2_PCR_Read can only support an audit session, so it
> has even more overhea
James Bottomley writes:
> On Mon, 2025-03-24 at 21:03 -0400, Mimi Zohar wrote:
>> On Sun, 2025-03-23 at 17:18 -0400, James Bottomley wrote:
> [...]
>> > Instead of any of that, why not do what the TCG tells us to do for
>> > unsupported banks and simply cap them with 0x record
>> > EV_SEP
Mimi Zohar writes:
>> diff --git a/security/integrity/ima/ima_crypto.c
>> b/security/integrity/ima/ima_crypto.c
>> index 6f5696d999d0..a43080fb8edc 100644
>> --- a/security/integrity/ima/ima_crypto.c
>> +++ b/security/integrity/ima/ima_crypto.c
>> @@ -625,26 +625,43 @@ int ima_calc_field_array_h
Mimi Zohar writes:
> On Sun, 2025-03-23 at 15:09 +0100, Nicolai Stange wrote:
>> Right now, PCR banks with unsupported hash algorithms are getting
>> invalidated over and over again for each new measurement list entry
>> recorded.
>>
>> A subsequent patch will
-- for the time being
I only ran a couple of brief smoke tests in a VM w/o a TPM (w/ and w/o
SHA-1 disabled of course).
Many thanks!
Nicolai
[1]
https://www.nist.gov/news-events/news/2022/12/nist-retires-sha-1-cryptographic-algorithm
[2] https://github.com/linux-integrity/ima-evm-utils.git
Ni
i.e.
to set the currently extended PCR's corresponding bit.
Make ima_restore_measurement_list() to restore the ima_extended_pcrs_mask
from the measurement list in order to maintain it across kexecs.
Signed-off-by: Nicolai Stange
---
security/integrity/ima/ima.h | 8 ++--
se
ks_mask with one bit set for each bank with
an unavailable hash algorithm at init.
[1] https://github.com/linux-integrity/ima-evm-utils
Signed-off-by: Nicolai Stange
---
security/integrity/ima/Kconfig | 14 ++
security/integrity/ima/ima.h| 1 +
security/integrity/ima/
initialize.
Signed-off-by: Nicolai Stange
---
security/integrity/ima/ima_crypto.c | 60 ++---
1 file changed, 28 insertions(+), 32 deletions(-)
diff --git a/security/integrity/ima/ima_crypto.c
b/security/integrity/ima/ima_crypto.c
index 118ea15d737b..f68435f2679f 100644