From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com [148.163.156.1]) by mx.groups.io with SMTP id smtpd.web11.7982.1634908415282495662 for ; Fri, 22 Oct 2021 06:13:35 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="body hash did not verify" header.i=@ibm.com header.s=pp1 header.b=Q90FFhVh; spf=pass (domain: linux.ibm.com, ip: 148.163.156.1, mailfrom: stefanb@linux.ibm.com) Received: from pps.filterd (m0098393.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.1.2/8.16.1.2) with SMTP id 19MCVOnr016165; Fri, 22 Oct 2021 09:13:33 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=subject : to : cc : references : from : message-id : date : mime-version : in-reply-to : content-type : content-transfer-encoding; s=pp1; bh=moJqAmC6Z5NBd0LGcYyiLYLmPARZx3CldNENw2zRqD4=; b=Q90FFhVhLPqCPLu1oEMtW5bIQgA4nlRdm5D0iroUR0kzj1KMzpSKLhA/NMYYK4n4H0UY 9bSgro3mM/QiIPssEdsItCpMxXibWl1Lqy6H7saFmbctES9b06x/GeUeZT8Qw6AAcLF/ xJHCLWsbG8Fo4X7cihpVDbQNjDYixiioIFxFNFSe2HohDCuVfyq2Wg+hWTYpkCBVhNvB GCoYqBvSZs0bldPTc/xHT3oeLYs8v+gNh5H7dBGtx5x3pQRpVimrECvbw6OAl1cXh0Rd 4l4ZPfQDd6CaTjp5lNi2c79W/KYsWtQiMMtw/9iDHNwK/gbBfQrhm5fJ0ab+aQ/CkwwV /w== Received: from pps.reinject (localhost [127.0.0.1]) by mx0a-001b2d01.pphosted.com with ESMTP id 3bukh544qd-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 22 Oct 2021 09:13:32 -0400 Received: from m0098393.ppops.net (m0098393.ppops.net [127.0.0.1]) by pps.reinject (8.16.0.43/8.16.0.43) with SMTP id 19MB7tjk022494; Fri, 22 Oct 2021 09:13:32 -0400 Received: from ppma02wdc.us.ibm.com (aa.5b.37a9.ip4.static.sl-reverse.com [169.55.91.170]) by mx0a-001b2d01.pphosted.com with ESMTP id 3bukh544pv-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 22 Oct 2021 09:13:32 -0400 Received: from pps.filterd (ppma02wdc.us.ibm.com [127.0.0.1]) by ppma02wdc.us.ibm.com (8.16.1.2/8.16.1.2) with SMTP id 19MDC49t017406; Fri, 22 Oct 2021 13:13:31 GMT Received: from b01cxnp22033.gho.pok.ibm.com (b01cxnp22033.gho.pok.ibm.com [9.57.198.23]) by ppma02wdc.us.ibm.com with ESMTP id 3bqpcd3jnp-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 22 Oct 2021 13:13:31 +0000 Received: from b01ledav004.gho.pok.ibm.com (b01ledav004.gho.pok.ibm.com [9.57.199.109]) by b01cxnp22033.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 19MDDUdW21234136 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Fri, 22 Oct 2021 13:13:30 GMT Received: from b01ledav004.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 10291112061; Fri, 22 Oct 2021 13:13:30 +0000 (GMT) Received: from b01ledav004.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id F0F91112065; Fri, 22 Oct 2021 13:13:29 +0000 (GMT) Received: from [9.47.158.152] (unknown [9.47.158.152]) by b01ledav004.gho.pok.ibm.com (Postfix) with ESMTP; Fri, 22 Oct 2021 13:13:29 +0000 (GMT) Subject: Re: [PATCH 4/4] OvmfPkg: add TPM2_SHA1_ENABLE build option To: jejb@linux.ibm.com, Gerd Hoffmann Cc: devel@edk2.groups.io, Min Xu , Jordan Justen , Erdem Aktas , Ard Biesheuvel , =?UTF-8?Q?Marc-Andr=c3=a9_Lureau?= , Jiewen Yao , Tom Lendacky , Brijesh Singh References: <20211021122003.2008499-1-kraxel@redhat.com> <20211021122003.2008499-5-kraxel@redhat.com> <03a75199-000f-5575-8898-6d9b113f2bee@linux.ibm.com> <20211022063948.mratwrzgponwiulg@sirius.home.kraxel.org> <46963c6b6e0eea2bf0b3629031f6f04232ea7528.camel@linux.ibm.com> <84d94886-bc85-9b98-6c7e-59207e6ea741@linux.ibm.com> From: "Stefan Berger" Message-ID: Date: Fri, 22 Oct 2021 09:13:29 -0400 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.11.0 MIME-Version: 1.0 In-Reply-To: X-TM-AS-GCONF: 00 X-Proofpoint-GUID: JURIi6HBmDQkn8IzaWPtHs9JuZjok0u6 X-Proofpoint-ORIG-GUID: onJGjoaHJs3iqywJqAOe4lOR0IBu-eRR X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.182.1,Aquarius:18.0.790,Hydra:6.0.425,FMLib:17.0.607.475 definitions=2021-10-22_04,2021-10-22_01,2020-04-07_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 mlxscore=0 bulkscore=0 adultscore=0 impostorscore=0 malwarescore=0 lowpriorityscore=0 mlxlogscore=999 spamscore=0 phishscore=0 suspectscore=0 clxscore=1015 priorityscore=1501 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2109230001 definitions=main-2110220074 X-MIME-Autoconverted: from 8bit to quoted-printable by mx0a-001b2d01.pphosted.com id 19MCVOnr016165 Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: quoted-printable On 10/22/21 8:40 AM, James Bottomley wrote: > On Fri, 2021-10-22 at 07:57 -0400, Stefan Berger wrote: >> On 10/22/21 7:49 AM, James Bottomley wrote: >>> On Fri, 2021-10-22 at 06:50 -0400, Stefan Berger wrote: >>> [...] >>>> I see this also but when I get into Linux and run tpm2_pcrread I >>>> see the SHA1 bank active but not having received any PCR >>>> extensions from the firmware, which is not supposed to happen. >>> That's not entirely correct: the TCG firmware profile just requires >>> us to log through at least one bank; it doesn't require that all >>> active banks be logged. I've got several physical systems with >>> three active banks but only one or two measured through. >> =20 >> The problem with this is that you can then fake measured boot on >> that system using it's unused SHA1 bank and extend into it whatever >> you want and create a fake log along with it and the quote is going >> to look alright. > I don't think you can. The measured boot PCRs in unused banks should > always be their default values and the measurement software should > check for this. So on a system that only uses the sha256 bank, the > sha1 bank PCR0-7 should be all zeros ... if they aren't this should be > a measurement failure. > > That means that if you try to replace the sha256 agile log with one > containing fake sha1 entries, the attestation still fails because the > sha256 bank doesn't have default entries. You can still pretend that your system only has an active SHA1 bank and=20 serve the fake log. Which part would raise suspicion about that on the=20 side that looks at that trusted boot log, SHA1 PCR 0-7 state, and quote=20 then? >>>> So I think you should drop this patch and I'll change the set >>>> of active PCR banks on the swtpm_setup level. >>> =20 >>> Even if the firmware deactivated the sha1 bank, the kernel >>> expectation problem is still going to exist. >> Is that older Linux kernels or which part still requires sha1? A >> pointer would be good. I would have to revert the change to not >> activat ethe SHA1 bank from swtpm_setup if that's going to create >> headaches. I thought some hardware TPM 2's today are only providing a >> SHA256 bank and so it shouldn't be a problem. > The problem is IMA: it's hash is a kernel config parameter which > defaults to sha1. It then tries to calculate the boot aggregate over > the configured hash bank and doesn't check if it's unused. > > What IMA should probably be doing is working out which bank the bios is > logging through and using that as the hash instead of having it as a > Kconfig parameter. I think IMA is doing the right thing and extending into SHA1 and SHA256=20 PCRs if the banks are active and with the boot aggregate puts a lid on=20 top of the PCRs 0-7(,8-9). IMA may help raise the suspicion about abuse=20 of an unused PCR bank by the firmware but looking at the measured boot=20 log etc. alone I think is not enough. At least a test with a recent kernel seems to work out alright when only=20 the SHA256 bank is active. =C2=A0=C2=A0 Stefan