Message-ID: <50e5cfff-94f8-4a45-a32d-9cce4f48d5b4@linux.ibm.com>
Date: Fri, 11 Oct 2024 11:40:30 -0400
From: Stefan Berger <stefanb@...ux.ibm.com>
To: linux-integrity@...r.kernel.org, linux-security-module@...r.kernel.org
Cc: linux-kernel@...r.kernel.org, zohar@...ux.ibm.com,
        roberto.sassu@...wei.com,
        Tushar Sugandhi <tusharsu@...ux.microsoft.com>
Subject: Re: [PATCH] ima: Suspend PCR extends and log appends when rebooting



On 10/11/24 11:05 AM, Stefan Berger wrote:
> To avoid the following types of error messages from the TPM driver, suspend
> PCR extends once the reboot notifier has been called. This avoids trying to
> use the TPM after the TPM subsystem has been shut down.
> 
> [111707.685315][    T1] ima: Error Communicating to TPM chip, result: -19
> [111707.685960][    T1] ima: Error Communicating to TPM chip, result: -19
> 
> This error could be observed on a ppc64 machine running SuSE Linux.
> 
> Signed-off-by: Tushar Sugandhi <tusharsu@...ux.microsoft.com>

Some of the code is taken from Tushar's series: 
https://lore.kernel.org/linux-integrity/20240214153827.1087657-1-tusharsu@linux.microsoft.com/T/#m2d5f23959510ea2ada534febe03beff4a3f97ac7

See patch 6/8.

Tushar's series is still needed for carrying the log across kexec 
properly since without it it can still happen that the state of the PCR 
10 does not match with the IMA log if a new measurement is taken after 
the freezing of the log (currently at 'kexec load') and before the 
'kexec exec'.
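
The mismatch described in the message above, shown from a verifier's side as an added example (not part of the original message or of the patch): it replays a measurement list into a simulated PCR 10 and compares the result when the log copy is frozen before the last measurement. The SHA-256 bank, the event names and the helper names are constructed assumptions.

```python
import hashlib

BANK = "sha256"  # assumption: the verifier checks the SHA-256 bank of PCR 10
SIZE = hashlib.new(BANK).digest_size

def extend(pcr, digest):
    """TPM extend: new PCR = H(old PCR || digest)."""
    return hashlib.new(BANK, pcr + digest).digest()

def replay(log):
    """Recompute PCR 10 from the template digests in a measurement list."""
    pcr = bytes(SIZE)
    for digest in log:
        # IMA logs a violation as an all-zero digest but extends all-0xFF.
        pcr = extend(pcr, b"\xff" * SIZE if digest == bytes(SIZE) else digest)
    return pcr

def measure(name):
    """Constructed stand-in for an IMA template digest."""
    return hashlib.new(BANK, name.encode()).digest()

def kexec_handover(events, frozen_at):
    """Return (PCR 10 in the TPM, log the next kernel receives).

    The log copy is frozen after `frozen_at` entries ('kexec load'), while
    the TPM keeps being extended until 'kexec exec'.
    """
    full_log = [measure(e) for e in events]
    return replay(full_log), full_log[:frozen_at]

def log_matches_pcr(events, frozen_at):
    """True if replaying the carried-over log reproduces PCR 10."""
    pcr10, carried = kexec_handover(events, frozen_at)
    return replay(carried) == pcr10

# Constructed sample: the last file is measured between load and exec.
EVENTS = ["boot_aggregate", "/usr/bin/kexec", "/boot/vmlinuz-new",
          "/usr/sbin/late-helper"]

if __name__ == "__main__":
    print("frozen after last measurement:", log_matches_pcr(EVENTS, 4))
    print("measurement after the freeze: ", log_matches_pcr(EVENTS, 3))
```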

