Message ID | 20200618181007.148765-1-pvorel@suse.cz (mailing list archive)
---|---
State | New, archived
Series | [ima-evm-utils] cmd_ima_bootaggr: Fix for systems without TPM 2.0
Hi Petr, On Thu, 2020-06-18 at 20:10 +0200, Petr Vorel wrote: > For both kernel with and without CONFIG_IMA=y. > > NOTE: ima_boot_aggregate was added in dc00c92, without TPM 2.0 > it just reported: > EVP_DigestInit() failed > (null): > > Fixes: 917317a ("ima_evm_utils: emit the per TPM PCR bank > "boot_aggregate" values") > > Signed-off-by: Petr Vorel <pvorel@suse.cz> I don't have a problem with accepting this solution, but I think the real problem is that hash_info.h is not included in the kernel- headers package on the system. One solution would be to include a default hash_info.h file in ima-evm-utils and fall back to using it. Mimi > --- > src/evmctl.c | 10 ++++++++-- > 1 file changed, 8 insertions(+), 2 deletions(-) > > diff --git a/src/evmctl.c b/src/evmctl.c > index 1d065ce..94ec56b 100644 > --- a/src/evmctl.c > +++ b/src/evmctl.c > @@ -1998,11 +1998,17 @@ static int cmd_ima_bootaggr(struct command *cmd) > * Format: <hash algorithm name>:<boot_aggregate digest>\n ... > */ > for (i = 0; i < num_banks; i++) { > - if (!tpm_banks[i].supported) > + if (!tpm_banks[i].supported || !tpm_banks[i].algo_name) > continue; > bootaggr_len += strlen(tpm_banks[i].algo_name) + 1; > bootaggr_len += (tpm_banks[i].digest_size * 2) + 1; > } > + > + if (!bootaggr_len) { > + log_info("No TPM 2.0 PCR bank algorithm found (no TPM 2.0?)\n"); > + return -1; > + } > + > bootaggr = malloc(bootaggr_len); > > /* > @@ -2012,7 +2018,7 @@ static int cmd_ima_bootaggr(struct command *cmd) > * strings. > */ > for (i = 0; i < num_banks; i++) { > - if (!tpm_banks[i].supported) > + if (!tpm_banks[i].supported || !tpm_banks[i].algo_name) > continue; > calc_bootaggr(&tpm_banks[i]); > offset += append_bootaggr(bootaggr + offset, tpm_banks + i);
Hi Mimi,

NOTE: this is for systems with TPM 1.2 (not for systems without any TPM).

> On Thu, 2020-06-18 at 20:10 +0200, Petr Vorel wrote:
> > For both kernels with and without CONFIG_IMA=y.
> > NOTE: ima_boot_aggregate was added in dc00c92, without TPM 2.0
> > it just reported:
> > EVP_DigestInit() failed
> > (null):
> > Fixes: 917317a ("ima_evm_utils: emit the per TPM PCR bank
> > "boot_aggregate" values")
> > Signed-off-by: Petr Vorel <pvorel@suse.cz>
> I don't have a problem with accepting this solution, but I think the
> real problem is that hash_info.h is not included in the kernel-headers
> package on the system. One solution would be to include a
> default hash_info.h file in ima-evm-utils and fall back to using it.

Thanks for the quick answer. I'm not sure if this is the best approach. But I have /usr/include/linux/hash_info.h on all systems I tested (4.15 from openSUSE and 5.6.13 on Debian).

Kind regards,
Petr
diff --git a/src/evmctl.c b/src/evmctl.c index 1d065ce..94ec56b 100644 --- a/src/evmctl.c +++ b/src/evmctl.c @@ -1998,11 +1998,17 @@ static int cmd_ima_bootaggr(struct command *cmd) * Format: <hash algorithm name>:<boot_aggregate digest>\n ... */ for (i = 0; i < num_banks; i++) { - if (!tpm_banks[i].supported) + if (!tpm_banks[i].supported || !tpm_banks[i].algo_name) continue; bootaggr_len += strlen(tpm_banks[i].algo_name) + 1; bootaggr_len += (tpm_banks[i].digest_size * 2) + 1; } + + if (!bootaggr_len) { + log_info("No TPM 2.0 PCR bank algorithm found (no TPM 2.0?)\n"); + return -1; + } + bootaggr = malloc(bootaggr_len); /* @@ -2012,7 +2018,7 @@ static int cmd_ima_bootaggr(struct command *cmd) * strings. */ for (i = 0; i < num_banks; i++) { - if (!tpm_banks[i].supported) + if (!tpm_banks[i].supported || !tpm_banks[i].algo_name) continue; calc_bootaggr(&tpm_banks[i]); offset += append_bootaggr(bootaggr + offset, tpm_banks + i);
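Review bot: the new log text in the first hunk, "No TPM 2.0 PCR bank algorithm found (no TPM 2.0?)", names a cause that the thread itself disputes: the follow-up replies say the affected systems do have a TPM 1.2 and that `algo_name` is NULL because the algorithm name could not be resolved, so a neutral message such as "no supported PCR bank with a known algorithm name" would be more accurate. The context line `bootaggr = malloc(bootaggr_len);` directly after the new early return is still not checked for NULL before the second loop writes through `bootaggr`; consider adding that check in the same change.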
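Review bot: the second hunk repeats the `!tpm_banks[i].supported || !tpm_banks[i].algo_name` condition from the first loop by hand; if the two conditions ever drift apart, the length computed in the first loop no longer matches what `append_bootaggr()` writes into `bootaggr`, which is a heap overflow rather than a cosmetic mismatch. Factor the predicate into one small static helper used by both loops, and consider logging banks that are skipped for a missing `algo_name`, since the emitted boot_aggregate list is otherwise silently incomplete.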
For both kernels with and without CONFIG_IMA=y.

NOTE: ima_boot_aggregate was added in dc00c92, without TPM 2.0 it just reported:
EVP_DigestInit() failed
(null):

Fixes: 917317a ("ima_evm_utils: emit the per TPM PCR bank "boot_aggregate" values")
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
 src/evmctl.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
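The defect discussed in this thread is a buffer-sizing loop that assumes every supported PCR bank has an algorithm name, so a NULL `algo_name` on a TPM 1.2 system (or when the name table is unavailable) ends in an empty "(null):" line. The following is an added, self-contained example, not code from ima-evm-utils: it models the same two-pass "size, then fill" pattern with a single shared `bank_usable()` predicate, fails cleanly when no bank is usable, and checks the allocation. The `struct pcr_bank` layout, the function names and the digest values are constructed for illustration and do not mirror `evmctl.c`.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of one TPM PCR bank (assumed layout, not evmctl.c's).
 * algo_name may be NULL when the hash algorithm name could not be resolved. */
struct pcr_bank {
    int supported;
    const char *algo_name;
    size_t digest_size;            /* digest length in bytes */
    unsigned char digest[64];      /* per-bank boot_aggregate digest */
};

/* Single predicate shared by the sizing and the filling pass, so the two
 * loops cannot disagree about which banks contribute a line. */
static int bank_usable(const struct pcr_bank *b)
{
    return b->supported && b->algo_name != NULL;
}

/* Bytes needed for "<algo_name>:<hex digest>\n" per usable bank plus the
 * terminating NUL. Returns 0 when no bank is usable so the caller can fail
 * early instead of calling malloc(0) and emitting an empty line. */
size_t bootaggr_buffer_len(const struct pcr_bank *banks, size_t n)
{
    size_t len = 0, usable = 0;

    for (size_t i = 0; i < n; i++) {
        if (!bank_usable(&banks[i]))
            continue;
        len += strlen(banks[i].algo_name) + 1;   /* name and ':' */
        len += banks[i].digest_size * 2 + 1;     /* hex digest and '\n' */
        usable++;
    }
    return usable ? len + 1 : 0;
}

/* Append one bank's line at dst; returns bytes written (NUL not counted). */
static size_t append_bank(char *dst, const struct pcr_bank *b)
{
    size_t off = 0;

    off += (size_t)sprintf(dst + off, "%s:", b->algo_name);
    for (size_t j = 0; j < b->digest_size; j++)
        off += (size_t)sprintf(dst + off, "%02x", b->digest[j]);
    dst[off++] = '\n';
    dst[off] = '\0';
    return off;
}

/* Build the whole report. Returns a malloc'd string, or NULL when no usable
 * bank exists or allocation fails; the caller frees the result. */
char *format_bootaggr(const struct pcr_bank *banks, size_t n)
{
    size_t len = bootaggr_buffer_len(banks, n);
    size_t off = 0;
    char *out;

    if (len == 0) {
        fprintf(stderr, "no supported PCR bank with a known algorithm name\n");
        return NULL;
    }
    out = malloc(len);
    if (!out)
        return NULL;
    out[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        if (!bank_usable(&banks[i]))
            continue;
        off += append_bank(out + off, &banks[i]);
    }
    return out;
}

/* Constructed sample: an unsupported bank, a bank with a NULL name (the case
 * the patch guards against) and one usable sha1 bank with digest 00..13. */
char *demo_mixed_banks(void)
{
    struct pcr_bank banks[3] = {
        { 0, "sha256", 32, {0} },
        { 1, NULL,     32, {0} },
        { 1, "sha1",   20, {0} },
    };
    for (unsigned char j = 0; j < 20; j++)
        banks[2].digest[j] = j;
    return format_bootaggr(banks, 3);
}

/* Constructed sample: nothing usable, as on a box where no bank resolved to
 * an algorithm name; must return NULL rather than print a bogus line. */
char *demo_no_usable_banks(void)
{
    struct pcr_bank banks[2] = {
        { 0, "sha256", 32, {0} },
        { 1, NULL,     20, {0} },
    };
    return format_bootaggr(banks, 2);
}

int main(void)
{
    char *s = demo_mixed_banks();
    if (s) {
        fputs(s, stdout);
        free(s);
    }
    return demo_no_usable_banks() == NULL ? 0 : 1;
}
```

The sizing pass counts usable banks separately from the byte total so that an all-zero length is reported as "nothing to print" rather than handed to `malloc`; keeping `bank_usable()` as the only place the skip rule lives is what prevents the length and the fill passes from drifting apart.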