On Wed, 2017-03-08 at 10:58 +0100, Roberto Sassu wrote:
> On 3/7/2017 10:12 PM, Mimi Zohar wrote:
> > With the "header" and boot-aggregate records for each kexec, the
> > attestation server can determine which hash algorithm was used for
> > extending the different TPM banks. The attestation server can then
> > pad/truncate the hash as needed, when verifying the TPM quote.
>
> According to the TCG specs, there should be just one header
> at the beginning of the list. Its purpose is to provide the length
> for each hash algorithm supported by the TPM. The subset of algorithms
> used is defined per measurement entry.
>
> Regarding modifying the digest before it is passed to the extend
> function, can truncating/padding with zeros be considered
> a standard? If not, verifiers have to look at the software
> implementation, in order to find how the digest was modified.
> I add in CC [email protected] also here.

The reason for extending multiple TPM banks is to prevent user space from being able to extend unused TPM banks with whatever they want and then quote those banks, based on a bogus list. I wouldn't say that padding/truncating the unused TPM banks is a standard, but something that is needed.

By extending multiple TPM banks, the IMA measurement list can then be validated against any bank, assuming that it is padded/truncated appropriately.

At some point, we should probably add support for calculating multiple hashes and including them in the IMA measurement list.

Mimi

_______________________________________________
tpmdd-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/tpmdd-devel
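
Added example (not part of the thread and not the kernel's or any attestation server's code): a verifier-side replay of a measurement list against one TPM bank, zero-padding or truncating each template digest to the bank's digest size as discussed above. The function names, the constructed sample digests and the all-zero starting PCR value are assumptions made for the illustration.

```python
import hashlib
import hmac


def fit_digest(digest: bytes, bank: str) -> bytes:
    """Zero-pad or truncate a template digest to the bank's digest size."""
    size = hashlib.new(bank).digest_size
    return digest[:size].ljust(size, b"\x00")


def replay(template_digests, bank: str) -> bytes:
    """Recompute the PCR: PCR = H_bank(PCR || fitted digest) for each entry."""
    pcr = bytes(hashlib.new(bank).digest_size)  # assumption: PCR starts as zeros
    for digest in template_digests:
        pcr = hashlib.new(bank, pcr + fit_digest(digest, bank)).digest()
    return pcr


def verify_against_bank(template_digests, bank: str, quoted_pcr: bytes) -> bool:
    """True when the list replays to the PCR value reported for this bank."""
    return hmac.compare_digest(replay(template_digests, bank), quoted_pcr)


# Constructed sample list: SHA-1 template digests, as if the list used SHA-1.
MEASUREMENTS = [hashlib.sha1(name).digest()
                for name in (b"boot_aggregate", b"/sbin/init", b"/bin/sh")]

if __name__ == "__main__":
    # Stand-in for quoted PCR values: every entry was extended into both banks.
    quoted = {bank: replay(MEASUREMENTS, bank) for bank in ("sha1", "sha256")}

    # The same list validates against either bank once digests are fitted.
    for bank, pcr in quoted.items():
        print(bank, "list matches:", verify_against_bank(MEASUREMENTS, bank, pcr))

    # A list that differs in one entry fails against every extended bank.
    altered = MEASUREMENTS[:2] + [hashlib.sha1(b"/bin/other").digest()]
    for bank, pcr in quoted.items():
        print(bank, "altered list matches:", verify_against_bank(altered, bank, pcr))
```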
