Subject: Re: [PATCH] security: Fix IMA Kconfig for dependencies on ARM64
From: Mimi Zohar
To: Jiandi An, James Bottomley, Jason Gunthorpe
Cc: dmitry.kasatkin@gmail.com, jmorris@namei.org, serge@hallyn.com, linux-integrity@vger.kernel.org, linux-ima-devel@lists.sourceforge.net, linux-ima-user@lists.sourceforge.net, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org
Date: Thu, 08 Mar 2018 15:06:01 -0500
In-Reply-To: <191cfd49-0c66-a5ef-3d2b-b6c4132aa294@codeaurora.org>
References: <1520400386-17674-1-git-send-email-anjiandi@codeaurora.org> <20180307185132.GA30102@ziepe.ca> <1520448953.10396.565.camel@linux.vnet.ibm.com> <1520449719.5558.28.camel@HansenPartnership.com> <1520450495.10396.587.camel@linux.vnet.ibm.com> <1520451662.24314.5.camel@HansenPartnership.com> <1520461156.10396.654.camel@linux.vnet.ibm.com> <191cfd49-0c66-a5ef-3d2b-b6c4132aa294@codeaurora.org>
Message-Id: <1520539561.3605.92.camel@linux.vnet.ibm.com>
On Thu, 2018-03-08 at 12:42 -0600, Jiandi An wrote:
> So from the discussion, I hear James suggests to overhaul the current
> IMA driver to not do measurement (calling tpm_pcr_read(), etc) until
> after initrd phase so TPM drivers can be built as modules.
>
> I hear Mimi insists TPM drivers should be built-in when IMA driver is
> enabled and set to Y in Kconfig.
>
> Do we have a consensus on which way we should go?
>
> I'm no expert on IMA and its driver. James, will you be kind enough
> to look into overhauling the IMA driver to not measure until after
> initrd phase if that's the consensus on resolving this?

IMA selecting the TPM forces the TPM to be builtin. There's nothing
keeping you from directly configuring the TPM driver as builtin.

For remote attestation to validate the IMA measurement list against the
PCRs, the existing "ima_tcb" and "ima_policy=tcb" builtin policies require
the TPM to be builtin. Not building the TPM into the kernel will also
affect EVM.

I don't have a problem accepting your patch now; and if/when there is a
real use case for building the TPM driver as a kernel module for use with
IMA-measurement, accepting those changes then.

Mimi
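An added example, not part of the thread or of the kernel tree: a POSIX shell check that enforces the configuration invariant Mimi describes, namely that a kernel with IMA or EVM builtin must also have the TPM driver builtin (CONFIG_TCG_TPM=y, not =m), since the boot-time measurement list cannot otherwise be validated against the PCRs. The sample .config fragments are constructed for the demonstration; the function name is this example's own.

```shell
#!/bin/sh
# check_ima_tpm_config FILE
# Returns 0 when FILE is consistent, 1 when IMA or EVM is builtin (=y)
# but the TPM core driver is not (=m or unset). Only the three symbols
# the thread talks about are inspected; this is not a full Kconfig solver.
check_ima_tpm_config() {
    cfg="$1"
    ima=$(sed -n 's/^CONFIG_IMA=//p' "$cfg")
    evm=$(sed -n 's/^CONFIG_EVM=//p' "$cfg")
    tpm=$(sed -n 's/^CONFIG_TCG_TPM=//p' "$cfg")

    # Nothing to enforce when neither IMA nor EVM is builtin.
    if [ "$ima" != "y" ] && [ "$evm" != "y" ]; then
        return 0
    fi
    # Builtin TPM satisfies the invariant.
    if [ "$tpm" = "y" ]; then
        return 0
    fi
    echo "$cfg: CONFIG_TCG_TPM='${tpm:-unset}' with CONFIG_IMA='${ima:-unset}'" \
         "CONFIG_EVM='${evm:-unset}': TPM driver must be builtin (=y)" >&2
    return 1
}

# Constructed sample configs (not output of a real build).
good_cfg=$(mktemp)
cat > "$good_cfg" <<'EOF'
CONFIG_IMA=y
CONFIG_EVM=y
CONFIG_TCG_TPM=y
CONFIG_TCG_TIS=y
EOF

bad_cfg=$(mktemp)
cat > "$bad_cfg" <<'EOF'
CONFIG_IMA=y
CONFIG_TCG_TPM=m
EOF

# Config with no IMA/EVM: a modular TPM is acceptable here.
noima_cfg=$(mktemp)
cat > "$noima_cfg" <<'EOF'
CONFIG_TCG_TPM=m
EOF

check_ima_tpm_config "$good_cfg" && echo "good config: consistent"
check_ima_tpm_config "$bad_cfg" || echo "bad config: rejected as expected"
```

Run it against a real /proc/config.gz (after `zcat` to a file) or a build tree's .config to confirm the invariant before trusting the measurement list for attestation.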