[PATCH v9 06/19] x86: Add early SHA-1 support for Secure Launch early measurements
ross.philipson at oracle.com
ross.philipson at oracle.com
Fri May 31 09:18:13 PDT 2024
On 5/30/24 7:16 PM, Eric Biggers wrote:
> On Thu, May 30, 2024 at 06:03:18PM -0700, Ross Philipson wrote:
>> From: "Daniel P. Smith" <dpsmith at apertussolutions.com>
>>
>> For better or worse, Secure Launch needs SHA-1 and SHA-256. The
>> choice of hashes used lie with the platform firmware, not with
>> software, and is often outside of the users control.
>>
>> Even if we'd prefer to use SHA-256-only, if firmware elected to start us
>> with the SHA-1 and SHA-256 backs active, we still need SHA-1 to parse
>> the TPM event log thus far, and deliberately cap the SHA-1 PCRs in order
>> to safely use SHA-256 for everything else.
>>
>> The SHA-1 code here has its origins in the code from the main kernel:
>>
>> commit c4d5b9ffa31f ("crypto: sha1 - implement base layer for SHA-1")
>>
>> A modified version of this code was introduced to the lib/crypto/sha1.c
>> to bring it in line with the SHA-256 code and allow it to be pulled into the
>> setup kernel in the same manner as SHA-256 is.
>>
>> Signed-off-by: Daniel P. Smith <dpsmith at apertussolutions.com>
>> Signed-off-by: Ross Philipson <ross.philipson at oracle.com>
>
> Thanks. This explanation doesn't seem to have made it into the actual code or
> documentation. Can you please get it into a more permanent location?
>
> Also, can you point to where the "deliberately cap the SHA-1 PCRs" thing happens
> in the code?
>
> That paragraph is also phrased as a hypothetical, "Even if we'd prefer to use
> SHA-256-only". That implies that you do not, in fact, prefer SHA-256 only. Is
> that the case? Sure, maybe there are situations where you *have* to use SHA-1,
> but why would you not at least *prefer* SHA-256?
Yes those are fair points. We will address them and indicate we prefer
SHA-256 or better.
>
>> /*
>> * An implementation of SHA-1's compression function. Don't use in new code!
>> * You shouldn't be using SHA-1, and even if you *have* to use SHA-1, this isn't
>> * the correct way to hash something with SHA-1 (use crypto_shash instead).
>> */
>> #define SHA1_DIGEST_WORDS (SHA1_DIGEST_SIZE / 4)
>> #define SHA1_WORKSPACE_WORDS 16
>> void sha1_init(__u32 *buf);
>> void sha1_transform(__u32 *digest, const char *data, __u32 *W);
>> +void sha1(const u8 *data, unsigned int len, u8 *out);
> > Also, the comment above needs to be updated.
Ack, will address.
Thank you
>
> - Eric
More information about the kexec
mailing list