lists.openwall.net - Open Source and information security mailing list archives
Date:   Mon, 12 Mar 2018 15:59:57 -0600
From:   Jason Gunthorpe <jgg@...pe.ca>
To:     Mimi Zohar <zohar@...ux.vnet.ibm.com>
Cc:     James Bottomley <James.Bottomley@...senPartnership.com>,
        Jiandi An <anjiandi@...eaurora.org>, dmitry.kasatkin@...il.com,
        jmorris@...ei.org, serge@...lyn.com,
        linux-integrity@...r.kernel.org,
        linux-ima-devel@...ts.sourceforge.net,
        linux-ima-user@...ts.sourceforge.net,
        linux-security-module@...r.kernel.org,
        linux-kernel@...r.kernel.org, David Safford <david.safford@...com>
Subject: Re: [PATCH] security: Fix IMA Kconfig for dependencies on ARM64

On Mon, Mar 12, 2018 at 05:53:18PM -0400, Mimi Zohar wrote:

> Using Kconfig to force the TPM to be builtin is not required, but
> helpful.  Users interested in IMA-measurement could configure the TPM
> as builtin themselves.  Without the TPM builtin, IMA goes into TPM-
> bypass mode.

The issue, broadly speaking, is that we have lots of TPM drivers;
selecting only some to actually support IMA shows we have some kind of
problem here.

e.g. a distro on ARM should not have some TPM hardware work with IMA and
some fail just because of this kconfig.

IMHO if we want to do this, then IMA should completely disable modular
TPM drivers across the board.

Or, IMA folks need to figure out how to safely load TPM modules under
their constraints.

But this current kconfig approach is pretty weird..

Jason
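The mismatch Jason describes (IMA builtin, TPM core or some TPM drivers built as modules, so some hardware silently lands in TPM-bypass mode) is easy to catch before a kernel ships by inspecting the .config. The script below is an added example, not code from this thread or from the kernel tree: it parses .config syntax and classifies the IMA/TPM combination. The rule it applies (TPM support must be =y for IMA measurements to reach the TPM at init; any TCG driver left at =m means that hardware is unavailable to IMA) follows the explanation quoted above; the verdict names, the CONFIG_TCG_* prefix match, and the sample configs are assumptions constructed for illustration.

```python
"""Classify a kernel .config for the IMA-vs-modular-TPM problem.

Rule (from the thread): IMA extends measurements into the TPM at early
boot, so the TPM must be builtin (=y). A TPM driver built as a module
(=m) is not available when IMA initialises, and IMA falls back to
TPM-bypass mode on that hardware.
"""
import re

# "CONFIG_FOO=y" / "=m" / "=10" lines and "# CONFIG_FOO is not set" lines.
_SET = re.compile(r"^(CONFIG_[A-Z0-9_]+)=(\S+)$")
_NOT_SET = re.compile(r"^# (CONFIG_[A-Z0-9_]+) is not set$")


def parse_config(text):
    """Return {option: value} from .config text; unset options map to 'n'."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = _SET.match(line)
        if m:
            opts[m.group(1)] = m.group(2)
            continue
        m = _NOT_SET.match(line)
        if m:
            opts[m.group(1)] = "n"
    return opts


def check_ima_tpm(opts):
    """Return (verdict, modular_tcg_options).

    verdict is one of:
      'ima-disabled'  CONFIG_IMA is not builtin, nothing to check
      'tpm-bypass'    IMA builtin but TPM core (CONFIG_TCG_TPM) is not =y
      'partial'       TPM core builtin, but some CONFIG_TCG_* drivers are =m,
                      so IMA works on some hardware and bypasses on other
      'ok'            IMA and every enabled TCG option are builtin
    """
    if opts.get("CONFIG_IMA", "n") != "y":
        return "ima-disabled", []
    if opts.get("CONFIG_TCG_TPM", "n") != "y":
        return "tpm-bypass", []
    # Assumption: every CONFIG_TCG_* option is TPM core or a TPM driver.
    modular = sorted(k for k, v in opts.items()
                     if k.startswith("CONFIG_TCG_") and v == "m")
    if modular:
        return "partial", modular
    return "ok", []


# Constructed sample configs (not real distro configs).
SAMPLE_MIXED = """\
CONFIG_IMA=y
CONFIG_IMA_MEASURE_PCR_IDX=10
CONFIG_TCG_TPM=y
CONFIG_TCG_TIS_CORE=y
CONFIG_TCG_TIS=y
CONFIG_TCG_CRB=m
# CONFIG_TCG_VTPM_PROXY is not set
"""

SAMPLE_MODULAR = """\
CONFIG_IMA=y
CONFIG_TCG_TPM=m
CONFIG_TCG_TIS=m
"""


def report(name, text):
    verdict, modular = check_ima_tpm(parse_config(text))
    print(f"{name}: {verdict}" + (f" (modular: {', '.join(modular)})" if modular else ""))
    return verdict


if __name__ == "__main__":
    report("mixed", SAMPLE_MIXED)      # partial (CONFIG_TCG_CRB is =m)
    report("modular", SAMPLE_MODULAR)  # tpm-bypass
```

Running it against a real distro .config is a one-line change (read the file instead of the constructed strings); a 'partial' verdict is exactly the "some TPM hardware works with IMA and some fails" situation the message warns about.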
