From: Yu Xi <ge...@gm...> - 2011-03-30 02:47:54
Thank you very much, Mimi. Following the "ima_measure.c" program in LTP, I have succeeded in finishing the remote attestation demo program. However, I notice one minor problem of IMA. When validating the composite hash (the hash calculated from struct<file content hash, file name>), one has to set the size of the char array used for storing the file name to exactly 256 and fill the rest of the array with "0" to get things to work. This is not quite friendly for programmers. Why not calculate the composite hash from the valid bytes in the struct (not the whole filename char array, only the valid filename bytes), rather than from the whole struct? I think that might make more sense.

On Mon, Mar 28, 2011 at 10:05 PM, Mimi Zohar <zo...@li...> wrote:
> On Mon, 2011-03-28 at 21:34 +0800, Yu Xi wrote:
> > Dear all,
> >
> > I'm writing a testing program to recalculate the PCR value from the IMA
> > measurement list following the procedure below:
> >
> > {
> >     uchar PCR_tmp[20] = {0...0}   // the initial value of the PCR, assigned to zero
> >
> >     for (i = 0; i < MList.len; i++)
> >         PCR_tmp = SHA1(PCR_tmp || MList[i])   // where || means concatenation
> >
> >     if (PCR == PCR_tmp)
> >         return OK
> >     else
> >         return INVALID
> > }
> >
> > However the newly calculated value doesn't match the real PCR.
> > I found that some measurement entry in the list is
> > "0000000000000000000000", is this the reason for the problem? Could
> > anybody help me to solve the problem? Thank you very much.
> > --
> > Regards
> > Xi Yu (禹熹)
>
> Yes, the zero hashes are an indication of an invalidation of the PCR,
> either a Time-of-Measure/Time-of-Use (ToMToU) or open-writers error.
> Unlike with executables, where the fs prevents executables from being
> modified when used, or from being executed when being modified, there
> are no such protections when reading a file.
>
> To validate a measurement list that was invalidated, replace the 0x00
> hash values with 0xFF's. Refer to ima_tpm.sh: test02 (IMA LTP testsuite)
> for an example.
>
> Mimi

--
Regards
Xi Yu (禹熹)
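The replay Mimi describes and the padded composite hash Yu Xi complains about, as an added Python example that is not part of this thread or of the IMA or LTP code: it hashes the 'ima' template over the NUL-padded 256-byte file-name field, extends a software PCR with 0xFF in place of each all-zero violation entry, and keeps the naive replay from the question behind a flag so the mismatch can be seen. The sample list and function names are constructed; the 255-byte name truncation is an assumption.

```python
import hashlib

PCR_LEN = 20
IMA_NAME_LEN = 256  # fixed file-name field of the original 'ima' template
ZERO_DIGEST = b"\x00" * PCR_LEN  # how an invalidated entry appears in the list
VIOLATION_DIGEST = b"\xff" * PCR_LEN  # what the kernel extended the TPM with instead

def ima_template_hash(file_hash: bytes, filename: str) -> bytes:
    """SHA1 over the whole 'ima' template struct {u8 digest[20]; char filename[256]},
    so the file name is NUL-padded to 256 bytes before hashing (Yu Xi's complaint)."""
    name = filename.encode()[:IMA_NAME_LEN - 1]  # assumed: 255 bytes max, room for a NUL
    return hashlib.sha1(file_hash + name.ljust(IMA_NAME_LEN, b"\x00")).digest()

def recompute_pcr(template_hashes, replace_violations=True) -> bytes:
    """Replay the list: PCR = SHA1(PCR || template_hash), starting from 20 zero bytes.
    replace_violations=False is the naive replay from the question; it cannot match
    the TPM once a ToMToU/open-writers violation (all-zero entry) has been recorded."""
    pcr = ZERO_DIGEST
    for h in template_hashes:
        if replace_violations and h == ZERO_DIGEST:
            h = VIOLATION_DIGEST
        pcr = hashlib.sha1(pcr + h).digest()
    return pcr

def check_entry(template_hash: bytes, file_hash: bytes, filename: str) -> bool:
    """An entry is consistent if it is the violation marker or its template hash
    matches the one recomputed from (file hash, padded file name)."""
    return template_hash == ZERO_DIGEST or template_hash == ima_template_hash(file_hash, filename)

def verify_list(entries, pcr_quote: bytes) -> bool:
    """entries: (template_hash, file_hash, filename) tuples in list order."""
    entries = list(entries)
    if not all(check_entry(*e) for e in entries):
        return False  # some entry was altered after it was measured
    return recompute_pcr(e[0] for e in entries) == pcr_quote

def make_entry(content: bytes, filename: str):
    """Build a list entry for constructed file content (sample data only)."""
    file_hash = hashlib.sha1(content).digest()
    return (ima_template_hash(file_hash, filename), file_hash, filename)

# Constructed sample list: two measured files and one invalidated entry.
SAMPLE_LIST = [
    make_entry(b"#!/bin/sh\necho hello\n", "/usr/local/bin/hello.sh"),
    (ZERO_DIGEST, hashlib.sha1(b"log data").digest(), "/var/log/messages"),
    make_entry(b"key=value\n", "/etc/demo.conf"),
]
# The PCR value a TPM would report for this list (simulated here, not a real quote).
SAMPLE_QUOTE = recompute_pcr(e[0] for e in SAMPLE_LIST)
```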