Bug 1977422

Summary: Missing backport of IMA boot aggregate calculation in rhel 8.4 kernel
Product: Red Hat Enterprise Linux 8
Reporter: g-almasi <gheorghe>
Component: kernel
Assignee: Bruno Meneguele <brdeoliv>
kernel sub component: IMA
QA Contact: Linqing Lu <lilu>
Status: CLOSED ERRATA
Docs Contact:
Severity: medium
Priority: unspecified
CC: brdeoliv, dhoward, lilu, maurizio.drocco, vmarsik
Version: 8.4
Keywords: OtherQA, Triaged, ZStream
Target Milestone: beta
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: kernel-4.18.0-333.el8
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Clones: 1997766
Environment:
Last Closed: 2021-11-09 19:22:59 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1997766

Description g-almasi 2021-06-29 17:32:20 UTC
Description of problem:
========================

Missing backport of IMA boot aggregate calculation for RHEL 8.4 kernel. Please backport the following fix from upstream:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b13f40bc69a16e465d21e23ca5adf4bf26365815


Version-Release number of selected component (if applicable):
==============================================================

<4.18.0-305.el8.x86_64>

* Applies equally to most preceding kernels, including all versions of RHEL 8.3

How reproducible:
=================

Always.

Steps to Reproduce:
===================

1. Boot RHEL 8.4 with kernel 305 on a TPM2-enabled system.
1A. Optionally secureboot (but not required)
2. Ensure that the tpm2-tools package is installed.
3. Ensure that IMA policy is not supplied (IMA is not on)
4. Read back the PCR10 value using `tpm2_pcrread`
5. Read back the IMA boot aggregate by consulting /sys/kernel/security/ima/ascii_runtime_measurements

Actual results:
================

The boot aggregate published by IMA disagrees with the PCR10 value read back from the TPM.

Expected results:
=================

The values should be the same. IMA remote attestation relies on the match -- any system supplying disagreeing values fails attestation.

Additional info:
================

The likely cause of this problem is that recent updates in grub now update PCRs 8, 9 and 10 with kernel and initrd measurements during measured boot.

The correct IMA behavior in this situation is to update the boot aggregate with values from PCRs 8 and 9 (if those are nonzero). 

This patch: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b13f40bc69a16e465d21e23ca5adf4bf26365815 fixes the problem.

The patch was pushed to upstream in late 2020. We are asking for RH to backport this fix to their RHEL 8 kernel.
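An added example (not the reporter's gist and not kernel code) that automates the comparison in the Steps to Reproduce above, applying the bank rule Bruno describes in comment 1: boot_aggregate covers PCRs 0-7 for a SHA1 bank and PCRs 0-9 for any other bank, as in upstream commit b13f40bc. It assumes the `alg:` / `idx : 0x..` text layout of `tpm2_pcrread` and the `PCR template-hash template alg:digest filename` layout of ascii_runtime_measurements; the sample PCR values are constructed, not real TPM data.

```python
import hashlib
import re

def compute_boot_aggregate(alg, pcrs, patched=True):
    """Fold one bank's raw PCR digests, in index order, into boot_aggregate.
    Upstream b13f40bc hashes PCRs 0-9 for non-SHA1 banks and 0-7 for SHA1;
    patched=False reproduces the older kernel, which stopped at PCR 7 for every bank."""
    last = 10 if (patched and alg != "sha1") else 8
    h = hashlib.new(alg)
    for i in range(last):
        h.update(pcrs[i])
    return h.hexdigest()

def parse_pcrread(text):
    """Parse the 'alg:' / '  idx : 0x..' layout printed by tpm2_pcrread into {bank: {idx: bytes}}."""
    banks, bank = {}, None
    for line in text.splitlines():
        m_bank = re.match(r"^\s*([A-Za-z0-9_]+):\s*$", line)
        m_pcr = re.match(r"^\s*(\d+)\s*:\s*0x([0-9A-Fa-f]+)\s*$", line)
        if m_bank:
            bank = m_bank.group(1).lower()
            banks[bank] = {}
        elif m_pcr and bank is not None:
            banks[bank][int(m_pcr.group(1))] = bytes.fromhex(m_pcr.group(2))
    return banks

def ima_boot_aggregate(measurements):
    """Return (bank, hexdigest) from the boot_aggregate line of ascii_runtime_measurements:
    'PCR template-hash template alg:digest filename' (the legacy 'ima' template omits alg)."""
    for line in measurements.splitlines():
        f = line.split()
        if len(f) >= 5 and f[4] == "boot_aggregate":
            alg, sep, digest = f[3].partition(":")
            return (alg, digest) if sep else ("sha1", alg)
    return None

def check(pcrread_text, measurements):
    """True when IMA's boot_aggregate equals the value recomputed from the TPM's PCRs, None if absent."""
    entry = ima_boot_aggregate(measurements)
    if entry is None:
        return None
    alg, reported = entry
    return compute_boot_aggregate(alg, parse_pcrread(pcrread_text)[alg]) == reported

# Constructed sample (not real TPM data): a sha256 bank with PCRs 0-10 and a measurement
# line whose digest was produced the pre-patch way (PCRs 0-7 only), so check() returns False.
SAMPLE_PCRS = {i: bytes([i]) * 32 for i in range(11)}
SAMPLE_PCRREAD = "sha256:\n" + "".join(f"  {i} : 0x{d.hex().upper()}\n" for i, d in SAMPLE_PCRS.items())
SAMPLE_MEASUREMENTS = "10 " + "0" * 40 + " ima-ng sha256:" + compute_boot_aggregate("sha256", SAMPLE_PCRS, patched=False) + " boot_aggregate\n"
```

On a real system, feed `check()` the output of `tpm2_pcrread` and the contents of /sys/kernel/security/ima/ascii_runtime_measurements; a False result is the disagreement this bug describes.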

Comment 1 Bruno Meneguele 2021-07-02 21:48:29 UTC
Hi Gheorghe,

The PCRs 8 and 9 are only considered for the boot_aggregate in upstream when a TPM 2.0 using a non-SHA1 bank/algorithm is found, otherwise only PCRs 0-7 are taken into account.
In RHEL, this support for TPM with non-SHA1 banks [1] was added/backported in 8.3 only, which is now EOL.
With that, this backport would indeed make sense for 8.4 though. I'm going to make some further checking before agreeing with the zstream backport. 
I should be back with some feedback pretty soon.

[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6f1a1d103b48b1533a9c804e7a069e2c8e937ce7

Comment 4 g-almasi 2021-07-06 12:41:05 UTC
Maurizio said "Bruno will know what to do". I guess he's right. Apparently you helped him upstream the original patch at the time.

The backstory is that IBM cloud is trying to put IMA into production on TPM2.0 enabled machines. We would be extremely happy to see it in 8.4, but best from our pov to have the backport "institutionalized" looking forward to RHEL 9 as well. 

-- George

Comment 5 Maurizio Drocco 2021-07-06 15:07:00 UTC
Hi Bruno,

thanks for remarking the "SHA1 vs non-SHA1" issue, that I forgot to mention in our internal discussions at IBM about this. However, as you said, I think backporting the support for non-SHA1 would make sense for anything > 8.3. Let us know if we can help with testing or whatever.

Maurizio

Comment 6 Bruno Meneguele 2021-07-07 22:39:13 UTC
Hi George and Maurizio,

(In reply to g-almasi from comment #4)
> Maurizio said "Bruno will know what to do". I guess he's right. Apparently
> you helped him upstream the original patch at the time.
> 
> The backstory is that IBM cloud is trying to put IMA into production on
> TPM2.0 enabled machines. We would be extremely happy to see it in 8.4, but
> best from our pov to have the backport "institutionalized" looking forward
> to RHEL 9 as well. 
> 

Got it. Thanks for the context! :)

(In reply to Maurizio Drocco from comment #5)
> Hi Bruno,
> 
> thanks for remarking the "SHA1 vs non-SHA1" issue, that I forgot to mention
> in our internal discussions at IBM about this. However, as you said, I think
> backporting the support for non-SHA1 would make sense for anything > 8.3.
> Let us know if we can help with testing or whatever.
> 
> Maurizio

I've added the patch to our current 8.5 development release, could you guys give it a try in the infra you're building?
A generic test should be enough, but if you guys already have some machines and environment ready for testing it, I would really appreciate the verification :)

From the BZ description, it seems you were testing it using the x86_64 arch, but I also prepared a ppc64le just in case..
x86_64:
https://people.redhat.com/~brdeoliv/.test/kbuilds/4.18.0-320.el8.1.ima_boot_aggr.x86_64/
ppc64le:
https://people.redhat.com/~brdeoliv/.test/kbuilds/4.18.0-320.el8.1.ima_boot_aggr.ppc64le/

Comment 7 g-almasi 2021-07-08 13:22:45 UTC
Thank you Bruno. Much appreciated. We will attempt to have this tested within a week or so - in this particular case I guess we don't need an IBM cloud image built, just take a normal VM and boot it with this kernel. 

-- George

Comment 8 Bruno Meneguele 2021-07-08 13:55:16 UTC
(In reply to g-almasi from comment #7)
> Thank you Bruno. Much appreciated. We will attempt to have this tested
> within a week or so - in this particular case I guess we don't need an IBM
> cloud image built, just take a normal VM and boot it with this kernel. 
> 
> -- George

Got it. Many thanks George!

Comment 11 Vilém Maršík 2021-07-13 00:53:08 UTC
Hi,
I am not familiar with IMA, but regarding TPM2-enabled machines, those I know of are described at https://wiki.test.redhat.com/Kernel/HardwareEnablement/TPM_testing_status#ListofknownBeakermachineswithTPM20 .

Comment 12 g-almasi 2021-07-13 02:40:05 UTC
Hi Bruno, 

I *finally* got to the point where I built a reference RHEL 8.4 virtual machine, then tried to download the files from your directory.
That is how I noticed that a bunch of these files have zero length. 

Specifically https://people.redhat.com/~brdeoliv/.test/kbuilds/4.18.0-320.el8.1.ima_boot_aggr.x86_64/kernel-modules-4.18.0-320.el8.1.ima_boot_aggr.x86_64.rpm has zero length, and of course is not a valid RPM package to install.

Can you please fix? ... I have the reference system ready, all I need to do is change the kernel version, reboot then check that the boot aggregate generated by IMA matches the PCR10 value :) 

Many thanks!

-- George

Comment 13 Bruno Meneguele 2021-08-02 14:40:17 UTC
(In reply to g-almasi from comment #12)
> Hi Bruno, 
> 
> I *finally* got to the point where I built a reference RHEL 8.4 virtual
> machine, then tried to download the files from your directory.
> That is how I noticed that a bunch of these files have zero length. 
> 
> Specifically
> https://people.redhat.com/~brdeoliv/.test/kbuilds/4.18.0-320.el8.1.
> ima_boot_aggr.x86_64/kernel-modules-4.18.0-320.el8.1.ima_boot_aggr.x86_64.
> rpm has zero length, and of course is not a valid RPM package to install.
> 
> Can you please fix? ... I have the reference system ready, all I need to do
> is change the kernel version, reboot then check that the boot aggregate
> generated by IMA matches the PCR10 value :) 
> 
> Many thanks!
> 
> -- George

Hi George,

sorry for the late reply.. I was on PTO for the past 3 weeks and wasn't able to check your reply.

I'll get back to you with new build files. Not sure how I missed these zero-length packages!

Will be back soon :)

Comment 15 Bruno Meneguele 2021-08-02 18:43:45 UTC
George,

I uploaded only the necessary packages (instead of the whole set of lateral, not necessary for testing, packages) in:
https://people.redhat.com/~brdeoliv/.test/kbuilds/4.18.0-327.el8.1.ima_bootaggr.x86_64/

These are the x86_64 related ones. If you think ppc64le would be also interesting, please let me know.

Comment 31 Bruno Meneguele 2021-08-12 22:28:58 UTC
(In reply to Bruno Meneguele from comment #15)
> George,
> 
> I uploaded only the necessary packages (instead of the whole set of lateral,
> not necessary for testing, packages) in:
> https://people.redhat.com/~brdeoliv/.test/kbuilds/4.18.0-327.el8.1.
> ima_bootaggr.x86_64/
> 
> These are the x86_64 related ones. If you think ppc64le would be also
> interesting, please let me know.

Hi George,

any feedback from your side?

Comment 49 Bruno Meneguele 2021-08-20 13:25:45 UTC
This BZ should be backported to 8.4.z too: the userspace package is the same version as in 8.5.0 and observes both PCR 8 and 9, meaning the kernel bug is also there.

Comment 54 g-almasi 2021-08-26 14:53:28 UTC
Apologies for taking so long to test it.

The kernel passes the test -- if ima is set to sha256 mode, the boot aggregate is now generated using PCRs 0 to 9.

Comment 55 g-almasi 2021-08-26 14:58:54 UTC
I don't know how to attach code here, but I have created a public gist with the python code that I used to perform the testing.

https://gist.github.com/galmasi/2806d06f16ff3ef3f122c9654cf5bee5

^^^^ requires python3 and tpm2-tools to be installed. For the test I added the kernel cmdline ima_hash=sha256, since that's the case we are interested in.

Comment 56 Linqing Lu 2021-08-26 15:26:04 UTC
(In reply to g-almasi from comment #55)
> I don't know how to attach code here, but I have created a public gist with
> the python code that I used to perform the testing.
> 
> https://gist.github.com/galmasi/2806d06f16ff3ef3f122c9654cf5bee5
> 
> ^^^^ requires python3 and tpm2-tools to be installed. For the test I added
> the kernel cmdline ima_hash=sha256, since that's the case we are interested
> in.

Thanks for the update with testing details!

Comment 58 errata-xmlrpc 2021-11-09 19:22:59 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: kernel security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:4356