Sorry, I have now updated the report adding the diff of tpm2_pcrread

** Description changed:

  In my understanding (not an expert on this) the linux integrity measure
  hash should not change unless there is a real change to kernel/modules
  or the aggregate boot measure.
  
  We are trying to use IMA for trusted boot and attestation. However, on
  6.5.0-35-generic (ubuntu 22.04), the IMA hash keeps changing on every
  reboot without any software updates.
  
  I may be wrong about the root cause, but it may be related to the order
  of evaluation of the kernel module files ?
  
  Diff of /sys/kernel/security/ima/ascii_runtime_measurements between 2
  reboots:
  
  --- ascii_runtime_measurements22      2024-06-06 14:00:23.440000000 +0000
  +++ ascii_runtime_measurements21      2024-06-06 13:58:33.229038384 +0000
  @@ -2,14 +2,14 @@
-  10 b1d60291291154dcef902e2a8c23772d48798148 ima-ng 
sha1:b952f8331430d08db2931db38713342a45dcb9e1 
/usr/lib/modules/6.5.0-35-generic/kernel/drivers/usb/host/xhci-pci-renesas.ko
-  10 6489a4f054c3d0c4df0f645a74f8f730dec9af7f ima-ng 
sha1:01f17ddccffb8cbc8651b46f91916b21258ba82b 
/usr/lib/modules/6.5.0-35-generic/kernel/drivers/char/hw_random/virtio-rng.ko
-  10 dc9529d9c1a17ea7d7ada8218068c975bad1153f ima-ng 
sha1:e84dbae74b7f246b964d3b073b9a8847dd8e408f 
/usr/lib/modules/6.5.0-35-generic/kernel/drivers/usb/host/xhci-pci.ko
+  10 b1d60291291154dcef902e2a8c23772d48798148 ima-ng 
sha1:b952f8331430d08db2931db38713342a45dcb9e1 
/usr/lib/modules/6.5.0-35-generic/kernel/drivers/usb/host/xhci-pci-renesas.ko
+  10 6489a4f054c3d0c4df0f645a74f8f730dec9af7f ima-ng 
sha1:01f17ddccffb8cbc8651b46f91916b21258ba82b 
/usr/lib/modules/6.5.0-35-generic/kernel/drivers/char/hw_random/virtio-rng.ko
+  10 dc9529d9c1a17ea7d7ada8218068c975bad1153f ima-ng 
sha1:e84dbae74b7f246b964d3b073b9a8847dd8e408f 
/usr/lib/modules/6.5.0-35-generic/kernel/drivers/usb/host/xhci-pci.ko
  -10 3f5e368749dbff84d3a7410a1b4c4a7fab66b559 ima-ng 
sha1:0bc18fb894d2f5b04331b239e0e6073b51354211 
/usr/lib/modules/6.5.0-35-generic/kernel/drivers/gpu/drm/drm.ko
-  10 17cccb8cb394efb7efbee1aca74c79c1d2f8a38e ima-ng 
sha1:2f902f7314e44bba2d3056e6340d587c376f641a 
/usr/lib/modules/6.5.0-35-generic/kernel/drivers/i2c/i2c-smbus.ko
+  10 17cccb8cb394efb7efbee1aca74c79c1d2f8a38e ima-ng 
sha1:2f902f7314e44bba2d3056e6340d587c376f641a 
/usr/lib/modules/6.5.0-35-generic/kernel/drivers/i2c/i2c-smbus.ko
  -10 d19437485bf5540a30de2cca2de936fd73580369 ima-ng 
sha1:99e31489a8d3a958411ffd6e99c8ea0d0d01c210 
/usr/lib/modules/6.5.0-35-generic/kernel/drivers/ata/libahci.ko
  -10 591a35a9de40e752cfc9f85194a31ef97d0b1623 ima-ng 
sha1:a0919355cf28b07a7ec1a1f641cf1a4ed4219691 
/usr/lib/modules/6.5.0-35-generic/kernel/drivers/i2c/busses/i2c-i801.ko
  +10 3f5e368749dbff84d3a7410a1b4c4a7fab66b559 ima-ng 
sha1:0bc18fb894d2f5b04331b239e0e6073b51354211 
/usr/lib/modules/6.5.0-35-generic/kernel/drivers/gpu/drm/drm.ko
-  10 4d2af98b6a28806abe7e47ac7e830f81fa43878f ima-ng 
sha1:4190f2cc17a89dac6afae4575910487409a47b29 
/usr/lib/modules/6.5.0-35-generic/kernel/drivers/mfd/lpc_ich.ko
+  10 4d2af98b6a28806abe7e47ac7e830f81fa43878f ima-ng 
sha1:4190f2cc17a89dac6afae4575910487409a47b29 
/usr/lib/modules/6.5.0-35-generic/kernel/drivers/mfd/lpc_ich.ko
  +10 d19437485bf5540a30de2cca2de936fd73580369 ima-ng 
sha1:99e31489a8d3a958411ffd6e99c8ea0d0d01c210 
/usr/lib/modules/6.5.0-35-generic/kernel/drivers/ata/libahci.ko
-  10 2a4b0265d5807763cd7784617d61ab8dd97d4844 ima-ng 
sha1:32a600680fd22682c12fb34d2e16ceb4c6415fd6 
/usr/lib/modules/6.5.0-35-generic/kernel/drivers/input/mouse/psmouse.ko
+  10 2a4b0265d5807763cd7784617d61ab8dd97d4844 ima-ng 
sha1:32a600680fd22682c12fb34d2e16ceb4c6415fd6 
/usr/lib/modules/6.5.0-35-generic/kernel/drivers/input/mouse/psmouse.ko
  -10 6239ce08348df615bc4056538fc98543c4ccb33b ima-ng 
sha1:4b0216c96c99bfbab72daa30df057e378029123b 
/usr/lib/modules/6.5.0-35-generic/kernel/crypto/cryptd.ko
-  10 41b5ef647a337225aff73c125320db0101f87825 ima-ng 
sha1:27856f6182f8e76688055184db94e1756d77da59 
/usr/lib/modules/6.5.0-35-generic/kernel/drivers/ata/ahci.ko
+  10 41b5ef647a337225aff73c125320db0101f87825 ima-ng 
sha1:27856f6182f8e76688055184db94e1756d77da59 
/usr/lib/modules/6.5.0-35-generic/kernel/drivers/ata/ahci.ko
  +10 591a35a9de40e752cfc9f85194a31ef97d0b1623 ima-ng 
sha1:a0919355cf28b07a7ec1a1f641cf1a4ed4219691 
/usr/lib/modules/6.5.0-35-generic/kernel/drivers/i2c/busses/i2c-i801.ko
  +10 6239ce08348df615bc4056538fc98543c4ccb33b ima-ng 
sha1:4b0216c96c99bfbab72daa30df057e378029123b 
/usr/lib/modules/6.5.0-35-generic/kernel/crypto/cryptd.ko
-  10 1d2d52cc82f2ff0943dc00008c43bf6a78722247 ima-ng 
sha1:f0c245e28ca906a8b3ced94eaaf872175095c24e 
/usr/lib/modules/6.5.0-35-generic/kernel/crypto/crypto_simd.ko
-  10 9d233b196dac726c5e188f18b6efb38d24066917 ima-ng 
sha1:0b4ba623e888760dee0d1227d820058ff7e3e9d2 
/usr/lib/modules/6.5.0-35-generic/kernel/drivers/gpu/drm/drm_kms_helper.ko
-  10 8283f095fbd71a3fd6ea8ee96299a8697386b6fa ima-ng 
sha1:c4c9542d63c603275d08468045e56d45a3f06dee 
/usr/lib/modules/6.5.0-35-generic/kernel/arch/x86/crypto/aesni-intel.ko
+  10 1d2d52cc82f2ff0943dc00008c43bf6a78722247 ima-ng 
sha1:f0c245e28ca906a8b3ced94eaaf872175095c24e 
/usr/lib/modules/6.5.0-35-generic/kernel/crypto/crypto_simd.ko
+  10 9d233b196dac726c5e188f18b6efb38d24066917 ima-ng 
sha1:0b4ba623e888760dee0d1227d820058ff7e3e9d2 
/usr/lib/modules/6.5.0-35-generic/kernel/drivers/gpu/drm/drm_kms_helper.ko
+  10 8283f095fbd71a3fd6ea8ee96299a8697386b6fa ima-ng 
sha1:c4c9542d63c603275d08468045e56d45a3f06dee 
/usr/lib/modules/6.5.0-35-generic/kernel/arch/x86/crypto/aesni-intel.ko
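Review bot: no measurement in the visible lines has a changed hash, only a changed position. Each entry removed from ascii_runtime_measurements22 (drm.ko, libahci.ko, i2c-i801.ko, cryptd.ko) is added back in ascii_runtime_measurements21 with the same template hash and the same sha1 file hash, a few lines away. Since the diff is cut at the snip marker, diffing the two files after sorting each one would confirm whether the full logs differ by order alone.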
  --snipped-----
+ 
+ 
+ Diff of tpm2_pcrread:
+ --- pcr22     2024-06-06 14:00:20.196000000 +0000
+ +++ pcr21     2024-06-06 13:58:27.795767357 +0000
+ @@ -10,7 +10,7 @@
+      7 : 0x9A4E36070648A8DF6FCE7CA435446C541729BF6D93E4C41915655C77D152CEBB
+      8 : 0xC3BFD21B69B10AD69421BBF0B5DD649A99B8C45BB4025A096FDCD300C71193C5
+      9 : 0x32D3F1ABC6F853A521F985CD516AB2ED5FE12D8E3F3E40CD60E6D613A70B53EC
+ -    10: 0xE1781081A5D620A58482C5F81B71B22198D535B66B6F490DF5CFC5D4D2009522
+ +    10: 0xA35CF31BFAC4A1E547CAFE9CFE5BFCFC6D5E0E9EA8E6C520D93156A8C743CA1E
+      11: 0x0000000000000000000000000000000000000000000000000000000000000000
+      12: 0x0000000000000000000000000000000000000000000000000000000000000000
+      13: 0x0000000000000000000000000000000000000000000000000000000000000000
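Review bot: PCR 10 is the only register that differs in this hunk; 7 to 9 and 11 to 13 are unchanged context, and 10 is the index in the first column of every line in the measurement diff. The values here are 32 bytes long while the measurement log lists sha1 template hashes, so the report should state which PCR bank this tpm2_pcrread output comes from.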

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2068627

Title:
  IMA Hashes keep changing on every reboot (PCR10)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2068627/+subscriptions
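
Added example, not part of the bug report or of any kernel or Ubuntu code: a replay of three entries copied from the ascii_runtime_measurements diff above, showing that the same measurements extended in a different order give a different PCR 10 value, while comparing the entries as a set against a baseline still separates reordering from a changed file. It simulates a SHA-1 bank (the log carries SHA-1 template hashes), so it does not reproduce the SHA-256 values shown by tpm2_pcrread; `CHANGED` is a constructed entry and the helper names are this example's own.

```python
import hashlib

# Three entries copied from the ascii_runtime_measurements diff above.
MOD = "/usr/lib/modules/6.5.0-35-generic/kernel/drivers/"
DRM = "10 3f5e368749dbff84d3a7410a1b4c4a7fab66b559 ima-ng sha1:0bc18fb894d2f5b04331b239e0e6073b51354211 " + MOD + "gpu/drm/drm.ko"
SMBUS = "10 17cccb8cb394efb7efbee1aca74c79c1d2f8a38e ima-ng sha1:2f902f7314e44bba2d3056e6340d587c376f641a " + MOD + "i2c/i2c-smbus.ko"
LIBAHCI = "10 d19437485bf5540a30de2cca2de936fd73580369 ima-ng sha1:99e31489a8d3a958411ffd6e99c8ea0d0d01c210 " + MOD + "ata/libahci.ko"

# Relative order of those entries in each file of the diff.
BOOT_22 = [DRM, SMBUS, LIBAHCI]
BOOT_21 = [SMBUS, DRM, LIBAHCI]
# Constructed entry (not from the page): known path, different file hash.
CHANGED = "10 " + "aa" * 20 + " ima-ng sha1:" + "bb" * 20 + " " + MOD + "ata/libahci.ko"


def parse(line):
    """Split one ima-ng log line into its five fields."""
    pcr, template_hash, template, file_hash, path = line.split(maxsplit=4)
    return int(pcr), bytes.fromhex(template_hash), template, file_hash, path


def replay(lines, pcr_index=10):
    """Fold the log into a simulated SHA-1 PCR: new = SHA1(old || template_hash)."""
    pcr = bytes(20)  # the simulated PCR starts as all zeros
    for line in lines:
        index, template_hash, *_ = parse(line)
        if index == pcr_index:
            pcr = hashlib.sha1(pcr + template_hash).digest()
    return pcr.hex()


def unexpected(lines, baseline):
    """Return paths whose (file hash, path) pair is absent from the baseline."""
    known = {parse(b)[3:] for b in baseline}
    return [parse(l)[4] for l in lines if parse(l)[3:] not in known]


if __name__ == "__main__":
    print("PCR 10, boot 22 order:", replay(BOOT_22))
    print("PCR 10, boot 21 order:", replay(BOOT_21))
    print("entries outside baseline:", unexpected(BOOT_21, BOOT_22))
    print("with constructed change: ", unexpected(BOOT_21[:2] + [CHANGED], BOOT_22))
```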

