Date: Tue, 27 Oct 2009 16:56:50 -0400
From: Eric Paris <eparis@...hat.com>
To: David Safford <safford@...son.ibm.com>
Cc: Eric Paris <eparis@...isplace.org>, Mimi Zohar <zohar@...ux.vnet.ibm.com>, linux-kernel@...r.kernel.org, James Morris <jmorris@...ei.org>, Rajiv Andrade <srajiv@...ux.vnet.ibm.com>, Jean-Christophe Dubois <jcd@...budubois.net>, Mimi Zohar <zohar@...ibm.com>, Stable Kernel <stable@...nel.org>
Subject: Re: [PATCH] ima: remove ACPI dependency

On Tue, 2009-10-27 at 16:42 -0400, David Safford wrote:
> On Tue, 2009-10-27 at 12:36 -0400, Eric Paris wrote:
> > On Tue, 2009-10-27 at 11:59 -0400, David Safford wrote:
> > > Basically, if running on a system with a TPM, IMA wants the TPM
> > > boot measurement log, which the TPM driver can only get through
> > > ACPI. If the platform does not have a TPM, then IMA does not
> > > need ACPI.
> >
> > I'm afraid I'm not seeing the connection. Where does IMA get the boot
> > measurement log? I see that the TPM exports that log in securityfs as 2
> > files (ascii and binary) in tpm_bios.c but I don't see how IMA ever
> > makes use of that log either internally to the kernel or through the
> > securityfs files.
>
> sorry - bad explanation. IMA reads PCR 0-7, and combines them into
> a single "boot_aggregate" as the first entry in the IMA list. For full
> attestation, a user level program needs access to both IMA's
> boot aggregate, and to the detailed TPM event log upon which
> the aggregate is based. So IMA does not itself access the logs,
> but the boot aggregate is less useful without them.

So users of IMA in userspace may want TPM. Shouldn't the kernel really
have this as a depends/select in the TPM code? This isn't IMA specific,
it's TPM specific. Obviously I'm not a fan of the spurious ACPI
requirement in the IMA code. How about a 'CONFIG_TPM_BIOS_LOG' or
something which selects ACPI? We'll see what Rajiv thinks.

> As a separate issue, IMA requires the TPM driver to be compiled in
> (not loaded as a module) so it is available at IMA initialization, and
> the driver apparently requires ACPI in this case. I believe Rajiv
> will comment more on this.

I know it's required to be built in. Didn't know that required ACPI,
but if so, that's a good reason to push this to the TPM code and get it
out of the IMA code....
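The exchange above explains why a userspace attestation checker needs both IMA's boot_aggregate and the TPM event log: the aggregate is a single digest over PCR 0-7, and only the event log lets a verifier reconstruct those PCRs and confirm the digest. The following is an added example illustrating that check; it is not code from this thread, from the kernel's IMA code, or from the TPM driver. It assumes boot_aggregate is SHA-1 over the raw 20-byte values of PCR 0 through 7 concatenated in order, assumes the original "ima" template entry is SHA-1 over the 20-byte digest followed by the event name NUL-padded to 256 bytes, and uses a constructed event log of (PCR index, digest) pairs in place of a real TCG log.

```python
"""Replay a TPM 1.2-style event log to rebuild PCR 0-7 and check IMA's
boot_aggregate against it (added example; constructed data)."""
import hashlib

PCR_LEN = 20                 # SHA-1 PCR size on a TPM 1.2
BOOT_PCRS = tuple(range(8))  # PCR 0-7 feed the boot_aggregate


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM 1.2 PCR extend: new = SHA1(old || digest)."""
    return hashlib.sha1(pcr + digest).digest()


def replay_event_log(events):
    """Rebuild PCR 0-7 from an event log given as (pcr_index, digest)
    pairs in boot order.  Events for other PCRs (e.g. PCR 10, where IMA
    extends its runtime measurements) are not part of the boot aggregate
    and are skipped.  All PCRs start at zero, as on a reset TPM 1.2."""
    pcrs = {i: bytes(PCR_LEN) for i in BOOT_PCRS}
    for idx, digest in events:
        if idx not in pcrs:
            continue
        if len(digest) != PCR_LEN:
            raise ValueError(f"event for PCR {idx} has a {len(digest)}-byte digest")
        pcrs[idx] = extend(pcrs[idx], digest)
    return pcrs


def boot_aggregate(pcrs) -> str:
    """Assumed boot_aggregate definition: SHA1 over the raw values of
    PCR 0..7 concatenated in index order, returned as hex."""
    h = hashlib.sha1()
    for i in BOOT_PCRS:
        h.update(pcrs[i])
    return h.hexdigest()


def ima_template_hash(digest_hex: str, name: str) -> str:
    """Assumed layout of the original 'ima' template: the 20-byte digest
    followed by the event name NUL-padded to 256 bytes, hashed with SHA1.
    This is the value IMA extends into its own PCR for each list entry,
    including the first one, named "boot_aggregate"."""
    name_bytes = name.encode()[:255]
    return hashlib.sha1(bytes.fromhex(digest_hex)
                        + name_bytes.ljust(256, b"\0")).hexdigest()


def verify_boot_aggregate(events, reported_hex: str) -> bool:
    """True when replaying the event log reproduces the boot_aggregate
    that IMA reported as the first entry of its measurement list."""
    return boot_aggregate(replay_event_log(events)) == reported_hex.lower()


def sample_digest(label: str) -> bytes:
    """Deterministic stand-in for a measured component's digest (constructed)."""
    return hashlib.sha1(b"constructed: " + label.encode()).digest()


# Constructed sample event log.  A real TCG log also carries the event type
# and raw event data; only the digests matter for replaying the PCRs.
SAMPLE_EVENTS = [
    (0, sample_digest("BIOS code")),
    (0, sample_digest("option ROM")),
    (1, sample_digest("BIOS configuration")),
    (4, sample_digest("boot loader")),
    (5, sample_digest("partition table")),
    (7, sample_digest("platform manufacturer")),
    (10, sample_digest("IMA runtime entry")),   # PCR 10: not in the aggregate
]


if __name__ == "__main__":
    agg = boot_aggregate(replay_event_log(SAMPLE_EVENTS))
    print("boot_aggregate:      ", agg)
    print("IMA list entry hash: ", ima_template_hash(agg, "boot_aggregate"))
    print("log matches aggregate:", verify_boot_aggregate(SAMPLE_EVENTS, agg))
    tampered = [(0, sample_digest("replaced BIOS code"))] + SAMPLE_EVENTS[1:]
    print("tampered log matches: ", verify_boot_aggregate(tampered, agg))
```

The point the replay makes concrete is the one David Safford raises: the aggregate alone only tells a verifier that the PCRs had some value; with the event log the verifier can recompute each PCR from the individual measurements, decide whether every component in the chain is acceptable, and then confirm that IMA's first list entry is consistent with that chain.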