LKML Archive on lore.kernel.org
From: Joe Richey <joerichey@google.com>
To: Matthew Garrett <matthewgarrett@google.com>
Cc: linux-integrity@vger.kernel.org, peterhuewe@gmx.de,
	jarkko.sakkinen@linux.intel.com, jgg@ziepe.ca,
	roberto.sassu@huawei.com, linux-efi@vger.kernel.org,
	linux-security-module@vger.kernel.org,
	linux-kernel@vger.kernel.org,
	"Thiébaud Weksteen" <tweek@google.com>,
	bsz@semihalf.com
Subject: Re: [PATCH V7 0/4] Add support for crypto agile logs
Date: Fri, 31 May 2019 11:07:37 -0700
Message-ID: <CAKpBdu1_U37u88rJQUJoh5bJ4pA6Qhek0jR4p8sV3dsz49+rJw@mail.gmail.com>
In-Reply-To: <20190520205501.177637-1-matthewgarrett@google.com>

On Mon, May 20, 2019 at 1:56 PM Matthew Garrett
<matthewgarrett@google.com> wrote:
>
> Identical to previous version except without the KSAN workaround - Ard
> has a better solution for that.

I just tested this on x86_64 with the systemd-boot (previously gummiboot)
bootloader. For context, this bootloader is essentially just an EFI
chainloader. This bootloader measures the kernel cmdline into PCR 8.
However, it calls GetEventLog before calling HashLogExtendEvent, intending
to have the log entry written to the "EFI TCG 2.0 final events table". See:
    https://github.com/systemd/systemd/blob/75e40119a471454516ad0acc96f6f4094e7fb652/src/boot/efi/measure.c#L212-L227

With the current patchset, this log entry appears _twice_ in the sysfs file.
This is caused by the fact that the sysfs event log unconditionally appends
the entire final event log to the output of GetEventLog. However, the correct
behavior would be to append only the _new_ entries that appear in the final
event log to the output of GetEventLog.

This could be done by first calculating the length of the final events log
table, then recalculating the length of the final events log after the
kernel calls ExitBootServices. This would let us know for sure that we are
only appending new log entries.
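Added example (not code from the patch series, from systemd-boot, or from Joe's mail): a user-space model of the merge step the mail describes. It walks TCG_PCR_EVENT2 (crypto agile) entries, computes the byte length of an EFI_TCG2_FINAL_EVENTS_TABLE, and merges the table into a GetEventLog snapshot two ways: appending the whole table (the duplicate the mail reports) and appending only the bytes past the length recorded when the snapshot was taken (the fix the mail proposes). Assumptions: only SHA1 and SHA256 digests are understood, the snapshot has no SHA1-format Spec ID header, the host is little-endian like the x86_64 test machine, and every event, digest byte and string below is constructed for illustration.

```c
/*
 * Model of merging the TCG2 final events table into an event log snapshot.
 * Constructed example; not kernel or systemd-boot code.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TPM_ALG_SHA1    0x0004
#define TPM_ALG_SHA256  0x000B
#define FINAL_TABLE_HDR 16      /* u64 version + u64 nr_events */

/* Digest length for the algorithms this model understands; 0 = unknown. */
static size_t digest_len(uint16_t alg)
{
	switch (alg) {
	case TPM_ALG_SHA1:   return 20;
	case TPM_ALG_SHA256: return 32;
	default:             return 0;
	}
}

/*
 * Size of one TCG_PCR_EVENT2: u32 pcr, u32 type, u32 digest_count,
 * {u16 alg, digest[len(alg)]}*count, u32 event_size, event[event_size].
 * Returns 0 if the event is truncated or names an unknown algorithm.
 */
static size_t tcg2_event_size(const uint8_t *ev, size_t avail)
{
	size_t off = 12;
	uint32_t count, event_size, i;

	if (avail < off)
		return 0;
	memcpy(&count, ev + 8, 4);
	for (i = 0; i < count; i++) {
		uint16_t alg;
		size_t dlen;

		if (avail - off < 2)
			return 0;
		memcpy(&alg, ev + off, 2);
		dlen = digest_len(alg);
		if (dlen == 0 || avail - off < 2 + dlen)
			return 0;
		off += 2 + dlen;
	}
	if (avail - off < 4)
		return 0;
	memcpy(&event_size, ev + off, 4);
	off += 4;
	if (event_size > avail - off)
		return 0;
	return off + event_size;
}

/* Byte length of the final events table (header + nr_events entries), 0 on error. */
static size_t final_table_len(const uint8_t *tbl, size_t cap)
{
	uint64_t nr, i;
	size_t off = FINAL_TABLE_HDR;

	if (cap < off)
		return 0;
	memcpy(&nr, tbl + 8, 8);
	for (i = 0; i < nr; i++) {
		size_t sz = tcg2_event_size(tbl + off, cap - off);
		if (!sz)
			return 0;
		off += sz;
	}
	return off;
}

/*
 * Append the table bytes from offset 'skip' to its current end onto the log
 * snapshot.  skip == FINAL_TABLE_HDR is the unconditional append (duplicates);
 * skip == length recorded at GetEventLog time appends only new entries.
 * Returns the new log length, or 0 on error / insufficient space.
 */
static size_t merge_final_events(uint8_t *log, size_t log_len, size_t log_cap,
				 const uint8_t *tbl, size_t tbl_cap, size_t skip)
{
	size_t end = final_table_len(tbl, tbl_cap);

	if (!end || skip < FINAL_TABLE_HDR || skip > end || log_cap - log_len < end - skip)
		return 0;
	memcpy(log + log_len, tbl + skip, end - skip);
	return log_len + (end - skip);
}

/* Number of TCG_PCR_EVENT2 entries in a log, 0 if any entry is malformed. */
static size_t count_events(const uint8_t *log, size_t len)
{
	size_t off = 0, n = 0;

	while (off < len) {
		size_t sz = tcg2_event_size(log + off, len - off);
		if (!sz)
			return 0;
		off += sz;
		n++;
	}
	return n;
}

/* Write a constructed single-SHA256 event (digest is a fill byte); returns bytes written. */
static size_t put_event(uint8_t *out, uint32_t pcr, uint32_t type, uint8_t fill, const char *data)
{
	uint32_t one = 1, dlen = (uint32_t)strlen(data);
	uint16_t alg = TPM_ALG_SHA256;
	size_t off = 0;

	memcpy(out + off, &pcr, 4);    off += 4;
	memcpy(out + off, &type, 4);   off += 4;
	memcpy(out + off, &one, 4);    off += 4;
	memcpy(out + off, &alg, 2);    off += 2;
	memset(out + off, fill, 32);   off += 32;
	memcpy(out + off, &dlen, 4);   off += 4;
	memcpy(out + off, data, dlen); off += dlen;
	return off;
}

/*
 * The boot sequence from the mail: (1) systemd-boot calls GetEventLog then
 * measures the cmdline into PCR 8, so firmware records it in the log and in
 * the final table; (2) the kernel stub takes its GetEventLog snapshot;
 * (3) a later event lands in the final table but not in the snapshot;
 * (4) after ExitBootServices the kernel merges.  Returns merged event count.
 */
static size_t simulate_boot(int remember_table_len)
{
	uint8_t table[256], log[512];
	size_t tbl_len = FINAL_TABLE_HDR, log_len = 0, skip;
	uint64_t version = 1, nr;

	memcpy(table, &version, 8);
	log_len += put_event(log, 8, 0x0000000D /* EV_IPL */, 0xAA, "root=/dev/sda1");
	tbl_len += put_event(table + tbl_len, 8, 0x0000000D, 0xAA, "root=/dev/sda1");
	nr = 1; memcpy(table + 8, &nr, 8);

	skip = remember_table_len ? final_table_len(table, sizeof table) : FINAL_TABLE_HDR;

	tbl_len += put_event(table + tbl_len, 5, 0x80000007 /* EV_EFI_ACTION */, 0xBB,
			     "Exit Boot Services Invocation");
	nr = 2; memcpy(table + 8, &nr, 8);

	return count_events(log, merge_final_events(log, log_len, sizeof log,
						     table, sizeof table, skip));
}

int main(void)
{
	printf("append whole table: %zu events (cmdline entry duplicated)\n", simulate_boot(0));
	printf("append past recorded length: %zu events\n", simulate_boot(1));
	return 0;
}
```

The unconditional merge yields three entries with the PCR 8 cmdline measurement present twice, while recording `final_table_len()` at snapshot time and appending only the bytes past it yields the two distinct events. Parsing every entry rather than trusting `nr_events` blindly also means a truncated or unknown-algorithm entry stops the merge instead of spilling garbage into the sysfs log.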
