From: Mimi Z. <zo...@li...> - 2014-08-01 17:22:15
On Fri, 2014-08-01 at 04:36 -0700, TEH JIA YEW wrote:
> Good day. I had successfully extended (using TPM_Extend) two entities
> in the following forms:
>
> a) memory address in the form of hex i.e. 0x08049d49 and,
> b) contents of WORD at a memory address above i.e. 0xffffffff ,
>
> into PCR-16 and 15.
>
>
> I discovered that by running "$ cat /sys/class/misc/tpm0/device/pcrs
> " with both a) & b) as input, the PCR contents changes as expected,
> (based on how TPM_Extend works) , even if both a) and b) changes
> NOT .

Before extending the TPM or adding the measurement to the measurement
list, IMA calls ima_lookup_digest_entry() to prevent duplicate
measurement values from being added.

> What I need is for the PCR-16 and 15 contents NOT to change if a) and
> b) remains constant when extended to PCR-16 and 15.

Either maintain a hash table of previous values (or just the current
value). Check that the new value (or current value) doesn't already
exist before extending the PCR.

Mimi

> An example of what I require is similar to the contents of PCR 0-7,
> whereby the contents are fixed for a fixed system configuration, i.e.
> as per below.
>
>
> PCR-00: 20 57 44 36 7B C6 06 BE D4 F4 69 1A DE F7 0F D9 C7 21 B0 0D
> PCR-01: A8 9F B8 F8 8C AA 95 90 E6 12 9B 63 3B 14 4A 68 51 44 90 D5
> PCR-02: A8 9F B8 F8 8C AA 95 90 E6 12 9B 63 3B 14 4A 68 51 44 90 D5
> PCR-03: A8 9F B8 F8 8C AA 95 90 E6 12 9B 63 3B 14 4A 68 51 44 90 D5
> PCR-04: AF 83 CE A3 2B 1F 7F FB F7 FA BD FC 27 68 72 45 69 1F 31 CB
> PCR-05: 0C 4C A3 E3 3A 8B 34 A2 39 9B AF 0C 96 69 56 39 80 80 02 1F
> PCR-06: A8 9F B8 F8 8C AA 95 90 E6 12 9B 63 3B 14 4A 68 51 44 90 D5
> PCR-07: A8 9F B8 F8 8C AA 95 90 E6 12 9B 63 3B 14 4A 68 51 44 90 D5
>
>
> I had read the paper : "Design & Implementation of TCG based IMA" and
> "http://sourceforge.net/p/linux-ima/wiki/Home/" and have looked into
> vanilla kernel sources under 'ima' but have no idea how to implement
> what I seek or where to start off.
>
>
> Appreciate if someone could point out where I can start or point out
> the code segment for implementing a fixed PCR 0-7 contents? Thanks in
> advance.
>
>
> Rgds
> jyteh
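
The suggestion in the reply above, as an added example that is not part of the original message or of the IMA code: a software model of a SHA-1 PCR (no TPM is touched) showing that re-extending an unchanged value still changes the PCR, while checking a table of previously seen digests first keeps it constant. `SimulatedPcr`, `DedupExtender` and `replay` are hypothetical names, and the 4-byte little-endian encoding of the address and WORD is an assumption.

```python
import hashlib
import struct

PCR_SIZE = 20  # a TPM 1.2 PCR holds one SHA-1 digest


class SimulatedPcr:
    """Software model of one TPM 1.2 PCR, starting from the all-zero value."""

    def __init__(self):
        self.value = bytes(PCR_SIZE)

    def extend(self, digest):
        # TPM_Extend semantics: PCR_new = SHA1(PCR_old || digest)
        if len(digest) != PCR_SIZE:
            raise ValueError("TPM 1.2 extend takes a 20-byte digest")
        self.value = hashlib.sha1(self.value + digest).digest()
        return self.value


class DedupExtender:
    """Extend only digests not seen before (hypothetical helper)."""

    def __init__(self, pcr):
        self.pcr = pcr
        self.seen = set()  # stands in for the hash table of previous values
        self.log = []      # measurement list, in extend order

    def measure(self, data):
        digest = hashlib.sha1(data).digest()
        if digest in self.seen:
            return False   # unchanged value: PCR and log are left alone
        self.seen.add(digest)
        self.log.append(digest)
        self.pcr.extend(digest)
        return True


def replay(log):
    """Recompute the expected PCR value from a measurement list."""
    pcr = SimulatedPcr()
    for digest in log:
        pcr.extend(digest)
    return pcr.value


# Constructed sample inputs: the address and WORD contents from the question.
ADDRESS = struct.pack("<I", 0x08049D49)
WORD = struct.pack("<I", 0xFFFFFFFF)
```

A verifier can only reproduce the PCR value by replaying the measurement list in order, which is why the log is appended in the same step as the extend.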