On Mon, 2020-02-10 at 11:00 +0100, Roberto Sassu wrote:
My initial patch attempted to use any common TPM and kernel hash algorithm to calculate the boot_aggregate. The discussion with James was pretty clear, which you even stated in the Changelog. Either we use the IMA default hash algorithm, SHA256 for TPM 2.0 or SHA1 for TPM 1.2 for the boot-aggregate.
Ok, I didn't understand fully. I thought we should use the default IMA algorithm and select SHA256 as fallback choice for TPM 2.0 if there is no PCR bank for default algorithm.
Yes, preference is given to the IMA default algorithm, but it should fall back to using SHA256 or SHA1, based on the TPM.
I additionally implemented the logic to select the first PCR bank if the SHA256 PCR bank is not available but I can remove it.
SHA256 should be the minimum requirement for boot aggregate. The advantage of using the default IMA algorithm is that it will be possible to select stronger algorithms when they are supported by the TPM. We might introduce a new option to specify only the algorithm for boot aggregate, like James suggested to support embedded systems. Let me know which option you prefer.
I don't remember James saying that, but if the community really wants that support, then it should be upstreamed independently, as a separate patch. Let's first get the basics working.
thanks,
Mimi