agent: add warning that on kernels <5.10 IMA only works with SHA1

This is the case because kernels <5.10 did not extend PCRs by rehashing the data with the fitting algorithm, instead the SHA1 value was padded with 0s to fit. We do not support validation for that. Signed-off-by: Thore Sommer <mail@thson.de>
keylime · Dec 7, 2021 · e1b45e4 · e1b45e4
1 parent 60b75b9
commit e1b45e4
Showing 1 changed file with 9 additions and 0 deletions.
diff --git a/keylime/keylime_agent.py b/keylime/keylime_agent.py
@@ -7,6 +7,7 @@
 
 import asyncio
 import http.server
+import platform
 from http.server import HTTPServer, BaseHTTPRequestHandler
 from socketserver import ThreadingMixIn
 import threading
@@ -38,6 +39,7 @@
 from keylime import registrar_client
 from keylime import secure_mount
 from keylime import api_version as keylime_api_version
+from keylime.common import algorithms
 from keylime.tpm.tpm_main import tpm
 from keylime.tpm.tpm_abstract import TPM_Utilities
 from keylime.tpm.tpm2_objects import pubkey_from_tpm2b_public
@@ -515,6 +517,13 @@ def main():
         'cloud_agent', 'tpm_ownerpassword'))  # this tells initialize not to self activate the AIK
     virtual_agent = instance_tpm.is_vtpm()
 
+    # Warn if kernel version is <5.10 and another algorithm than SHA1 is used,
+    # because otherwise IMA will not work
+    kernel_version = tuple(platform.release().split("-")[0].split("."))
+    if kernel_version < ("5", "10", "0") and instance_tpm.defaults["hash"] != algorithms.Hash.SHA1:
+        logger.warning("IMA attestation only works on kernel versions <5.10 with SHA1 as tpm_hash_alg. "
+                       "Current algorithm is: %s", instance_tpm.defaults["hash"])
+
     if ekcert is None:
         if virtual_agent:
             ekcert = 'virtual'