Received: by 10.213.65.68 with SMTP id h4csp1129934imn; Wed, 14 Mar 2018 10:26:30 -0700 (PDT) X-Google-Smtp-Source: AG47ELscoRrjzBbZi2ZIFMuofT/d3UH7PqP1y0QouRl7hFTI1JjaeSQdrtFOUCBTnsYnaLQ9Ev9P X-Received: by 10.99.185.77 with SMTP id v13mr4454203pgo.112.1521048390893; Wed, 14 Mar 2018 10:26:30 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1521048390; cv=none; d=google.com; s=arc-20160816; b=Hc6pEmYSykTT15h92bmCHqdmfPjTvzkPMXE86bDAgxHEVUrgpqTozoP8SIsceHlz4C OtPA+9pkA56M5vBOCbO3BQ7XiUy6sv/KXreYDg+JfiZkz+jOfCKVuNk3sIbWuSMkFCyD XtvZdMQJd/A8/g2XGvLGylggYQjAWlOVkKim3bvdO3STj0w4g8MzZpXi0C7TB9XJ1nLW 9ZJ3wrwq0d7MSXVIQhSa3FC6Ie7A99aVgq4jYWZgLpCq6chM2IL/VJlKnGOPbognfVa+ EhbFq/UGkrHweDE+afK0uk7TsOTi2/t4HfTWPezz2xhnvGl9f+PGQ4W33WFXKEWcu3T3 OBEw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:date:cc:to:from:subject:message-id :dkim-signature:arc-authentication-results; bh=yg8ItEtbhoo79wYBZdQjCUR2547WfN+B488OHm1bSXk=; b=VMZoMP3AttNHZZySkqOuxwA16yOY5n/sGZPk0epYK3NK4UX3oHkbIDOzUQCYc896YC PT0T4BcEz6zynKD9az1+BYQRV5Bt/P1mYs5548Lc0DMaSdva4CvIcNaNmZJtOKEFmexF GfU4+a3KXvjC8sLpzQuEGTrqo5kpybpQM4AAhbNhxdTYuRPhTgjn3GzMfEExPo6R6S6A bPje9fZd9KJf2XLKdFhYitjo6ajfJp1JLBR6cQA3mGnrhn2Pfwjzba/IxZQJf6T6FkHI 38rFrRrBK4zRJITwdkTfllFPSW1OKy/64uk5yMDrKbir1ybn/oYJjXvlpp6f1c140EWy Pauw== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@hansenpartnership.com header.s=20151216 header.b=L84mjWyz; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=hansenpartnership.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id c1si2122239pge.767.2018.03.14.10.26.16; Wed, 14 Mar 2018 10:26:30 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@hansenpartnership.com header.s=20151216 header.b=L84mjWyz; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=hansenpartnership.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751597AbeCNRZL (ORCPT + 99 others); Wed, 14 Mar 2018 13:25:11 -0400 Received: from bedivere.hansenpartnership.com ([66.63.167.143]:54512 "EHLO bedivere.hansenpartnership.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751279AbeCNRZI (ORCPT ); Wed, 14 Mar 2018 13:25:08 -0400 Received: from localhost (localhost [127.0.0.1]) by bedivere.hansenpartnership.com (Postfix) with ESMTP id 4C3F08EE139; Wed, 14 Mar 2018 10:25:08 -0700 (PDT) Received: from bedivere.hansenpartnership.com ([127.0.0.1]) by localhost (bedivere.hansenpartnership.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id itlnu4fKuWTo; Wed, 14 Mar 2018 10:25:08 -0700 (PDT) Received: from [153.66.254.194] (unknown [50.35.65.221]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by bedivere.hansenpartnership.com (Postfix) with ESMTPSA id 767AE8EE0CF; Wed, 14 Mar 2018 10:25:07 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=hansenpartnership.com; s=20151216; t=1521048307; bh=EcUWjgMbYtsa0JZTtv0jr84qFWw81JtGl1ebvocr5kg=; h=Subject:From:To:Cc:Date:In-Reply-To:References:From; b=L84mjWyzDd5MxcICurJCbK6JWueCySdkPg4gu9Q+JDby5Y6F7FVXRAvbsDM5YScxA aT8xW7vqG/Rpgf4YwDxGaCqrzeph4GLhmlQoXdSMvSzM0C81JDcnDCcBv/p2RZjy45 5N23Mrh4jpUcpekd418zpcLT6AwhdL2GeE2jWCrM= Message-ID: <1521048306.4508.56.camel@HansenPartnership.com> Subject: Re: [PATCH] security: Fix IMA Kconfig for dependencies on ARM64 From: James Bottomley To: Mimi Zohar , "Safford, David (GE Global Research, US)" , Jiandi An , Jason Gunthorpe Cc: "dmitry.kasatkin@gmail.com" , "jmorris@namei.org" , "serge@hallyn.com" , "linux-integrity@vger.kernel.org" , "linux-ima-devel@lists.sourceforge.net" , "linux-ima-user@lists.sourceforge.net" , "linux-security-module@vger.kernel.org" , "linux-kernel@vger.kernel.org" Date: Wed, 14 Mar 2018 10:25:06 -0700 In-Reply-To: <1521047286.3547.470.camel@linux.vnet.ibm.com> References: <1520400386-17674-1-git-send-email-anjiandi@codeaurora.org> <20180307185132.GA30102@ziepe.ca> <1520448953.10396.565.camel@linux.vnet.ibm.com> <1520449719.5558.28.camel@HansenPartnership.com> <1520450495.10396.587.camel@linux.vnet.ibm.com> <1520451662.24314.5.camel@HansenPartnership.com> <1520461156.10396.654.camel@linux.vnet.ibm.com> <191cfd49-0c66-a5ef-3d2b-b6c4132aa294@codeaurora.org> <1520615461.12216.6.camel@HansenPartnership.com> <1520891598.3547.190.camel@linux.vnet.ibm.com> <1520893847.4522.62.camel@HansenPartnership.com> <1520897400.3547.253.camel@linux.vnet.ibm.com> <1520899605.4522.67.camel@HansenPartnership.com> <1521038471.4508.25.camel@HansenPartnership.com> <1521047286.3547.470.camel@linux.vnet.ibm.com> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.20.5 Mime-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, 2018-03-14 at 13:08 -0400, Mimi Zohar wrote: > On Wed, 2018-03-14 at 07:41 -0700, James Bottomley wrote: [...] > > What about a compromise: we > > already get the boot loader to do measurements and PCR extensions > > using the BIOS TPM driver, there's no reason why we can't do the > > same in the early kernel until a real TPM driver is found. > > Your proposal requires changes to the existing boot loaders, not all > of which are X86 based. I don't believe it does, see below. >  Grub, to the best of my knowledge, is not interested in having > anything to do with TPM based measurements.  Many attempts have been > made to upstream trusted boot patches, but none have been accepted. Just for the sake of accuracy, even though it has nothing to do with the current proposal, grub does actually measure the booting components.  It does this via a shim protocol trick, so when grub passes the kernel to shim to verify the signature, shim also stores its measurement in the TPM boot log. >  Any support would need to piggyback on the callback hooks introduced > for secure boot and then be carried by the distros. Right, that's how it does actually work today. This is more or less what made me think of the compromise: the way shim does measurements is using the EFI TPM protocol.  Although this is technically a boot time UEFI driver, we can make it serve us until we're ready to load the real TPM driver, so we could write measurements to a PCR without any kernel drivers loaded. > As for Linux based boot loaders, the driver needs to be builtin for > these measurements.  So this wouldn't help you. > > > > > That way IMA would have no dependency on any built in TPM driver > > ... is that an acceptable compromise to everyone? > > Adding additional support for post IMA-initialization for TPM's built > as kernel modules is clearly not optimal for all of the reasons > provided to now and will be confusing, but could be supported.  This > delayed loading of the TPM needs to be clearly indicated in both the > audit log and in IMA's measurement list. Why if the measurement chain isn't broken?  The way I'm thinking of implementing it, IMA wouldn't even know.  What would happen is that a NULL tpm chip in tpm_pcr_read/tpm_pcr_extend would trigger the usual search for the first TPM but if none were found and we'd booted on an EFI system, we'd just use the EFI driver to do perform the operation. There's probably a bit of additional subtlety making the kernel and EFI agree which TPM they're using in a multi-TPM situation. The EFI driver isn't full featured: it only does measurement and logging, but it looks like that's all IMA needs. James > In terms of attestation, if a measurement policy is enabled before > the TPM is loaded, any records up to the delayed TPM entry in the IMA > measurement list would need to be ignored. > > In addition, your changes should not in any way change the existing > IMA-measurement initialization. > > Mimi >