Re: [RFC PATCH v2 0/4] tsm: Runtime measurement registers ABI

From: Xing, Cedric
Date: Thu Feb 15 2024 - 21:05:24 EST

On 2/14/2024 10:14 PM, Dan Williams wrote:
Xing, Cedric wrote:
On 2/13/2024 8:05 AM, James Bottomley wrote:
The TCG crypto agile log format is

index (32 bit),
event tag (32 bit),
digests array,
sized event entry (up to 4GB)

So an IMA log entry can definitely be transformed into this format
(providing someone agrees to the tag or set of tags). The slight
problem would be that none of the current IMA tools would understand
it, but that could be solved over time (the kernel could use the TCG
format internally but transform to the IMA format for the current
securityfs IMA log).

Hi James,

Another problem of CEL is that NOT every byte of an event is
hashed/extended. CEL spec has defined for each "content_type" the subset
of bytes to hash, so a verifier must understand ALL content types to be
able to verify the integrity of a log. In other words, the integrity of
a "systemd" log can never be verified by a CEL conformant verifier.

Wait, James said, "crypto agile log format", not CEL. Crypto agile log
format looks more generic, no "recnum" for example.

If I'm not mistaken, "crypto agile log" refers to the same format as "TCG2 log". It's "crypto agile" because it allows a plurality of hash algorithms/digests (specified in the "digests" array) to be extended to one PCR - each algorithm supported is called a "bank" of the PCR.

CEL is also "crypto agile". I'm not familiar with its history but it seems emerged after the TCG2 log format, as CEL's information model is a superset of TCG2's. Specifically, CEL's information model covers 3 applications - "CEL management" (owned by TCG/CEL), "PC Client STD" (owned by TCG PC Client WG and equivalent to TCG2 log), and IMA. Supporting any new applications would require expanding CEL's information model - i.e., by changing the CEL spec.

IMHO, we don't have to follow TCG2 format..

That is funny :-D

I can't agree more, so "no log" I think is always an option.

So to me, "no log" means that instead of going from 14 standards going
to 15, the kernel is saying "whee, infinite userspace log formats!", an
abdication of its role to support a stable application ABI.

If we look at how CEL is defined, it separates information model from encoding. Information models have to be contextualized within specific applications, but encodings don't. The reason for 14 standards is because there are 14 different applications. The 15th may be able to combine the existing 14 into a single one, but probably cannot accommodate the 16th.

So I think the only practical approach is to abandon the information model and focus on the encoding only. For example, JSON is just a set of encoding rules without an information model, hence can serialize data for all applications.

Coming back to the TSM log, the real question is: Can we just specify the encoding without an information model? The answer is yes and no. The kernel does need to know something, such as what to log, what to hash, and extend to which MR, but does NOT need to understand anything else about the event. So a potential ABI definition could be:
- Take the MR index and an *encoded* log entry as parameters from user mode.
- Hash the whole entry as-is using the same algorithm as used in MR extension, and extend the resulted digest to the specified MR.
- Append the whole entry as-is to the log file.

The key difference between the aforementioned and CEL is that the former takes the *encoded* log entry as a single input to alleviate the kernel from the necessity of comprehending the logger's information model.

The job here to define a kernel de-facto standard for the tags that this
configs implementation of a cryto agile log emits, right? As James says:

"(providing someone agrees to the tag or set of tags)"

I don't think we should define any tags because that can only be done for existing applications but can never address the needs of future applications.

We don't have to maintain a log. The existing TPM module doesn't maintain a log either. systemd on the other hand is an example of keeping measurement logs in user mode.

But if we agree that a log is indeed necessary, I'd recommend the aforementioned approach. We can then focus discussions on the options for encoding log entries.