From patchwork Thu Nov 5 15:04:36 2020
X-Patchwork-Submitter: Petr Vorel
X-Patchwork-Id: 11884619
From: Petr Vorel
To: linux-integrity@vger.kernel.org
Cc: Petr Vorel, Mimi Zohar, Maurizio Drocco, Bruno Meneguele
Subject: [PATCH 1/1] ima: Update doc for TPM 2.0 for calculating boot_aggregate
Date: Thu, 5 Nov 2020 16:04:36 +0100
Message-Id: <20201105150436.30785-1-pvorel@suse.cz>
X-Mailer: git-send-email 2.29.1
List-ID: <linux-integrity.vger.kernel.org>
X-Mailing-List: linux-integrity@vger.kernel.org

20c59ce010f8 ("ima: extend boot_aggregate with kernel measurements")
added registers 8-9 for TPM 2.0. Documented it in the code, but it
should be mentioned in the docs above the function.

Signed-off-by: Petr Vorel
---
Hi,

feel free to further change docs (if I wasn't correct).
I omit the fact that reg. 8-9 are only for ! sha1

Kind regards,
Petr

 security/integrity/ima/ima_crypto.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/security/integrity/ima/ima_crypto.c b/security/integrity/ima/ima_crypto.c index 21989fa0c107..56b587fd4f9d 100644 --- a/security/integrity/ima/ima_crypto.c +++ b/security/integrity/ima/ima_crypto.c @@ -796,10 +796,10 @@ static void ima_pcrread(u32 idx, struct tpm_digest *d) } /* - * The boot_aggregate is a cumulative hash over TPM registers 0 - 7. With - * TPM 1.2 the boot_aggregate was based on reading the SHA1 PCRs, but with - * TPM 2.0 hash agility, TPM chips could support multiple TPM PCR banks, - * allowing firmware to configure and enable different banks. + * The boot_aggregate is a cumulative hash over TPM registers 0-7 (TPM 1.2) + * or 0-9 (TPM 2.0). With TPM 1.2 the boot_aggregate was based on reading the + * SHA1 PCRs, but with TPM 2.0 hash agility, TPM chips could support multiple + * TPM PCR banks, allowing firmware to configure and enable different banks. * * Knowing which TPM bank is read to calculate the boot_aggregate digest * needs to be conveyed to a verifier. For this reason, use the same
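Review bot: the new wording "0-7 (TPM 1.2) or 0-9 (TPM 2.0)" makes the register range depend only on the TPM version, but the cover note below "---" says registers 8-9 are only included when the bank is not SHA1; a verifier recomputing boot_aggregate from this comment alone for a TPM 2.0 SHA1 bank would fold in PCRs 8-9 and get a mismatch. Suggest stating the condition in the comment rather than omitting it, for example "TPM registers 0-7, extended with registers 8-9 for non-SHA1 banks on TPM 2.0", which also fits the unchanged context below about conveying which bank was read to the verifier.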