Subject: Re: [PATCH] security: Fix IMA Kconfig for dependencies on ARM64
From: Mimi Zohar
To: James Bottomley, "Safford, David (GE Global Research, US)", Jiandi An, Jason Gunthorpe
Cc: dmitry.kasatkin@gmail.com, jmorris@namei.org, serge@hallyn.com, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org
Date: Thu, 15 Mar 2018 12:19:09 -0400
In-Reply-To: <1521048306.4508.56.camel@HansenPartnership.com>
Message-Id: <1521130749.3547.608.camel@linux.vnet.ibm.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, 2018-03-14 at 10:25 -0700, James Bottomley wrote:
> On Wed, 2018-03-14 at 13:08 -0400, Mimi Zohar wrote:
[..]
> > Adding additional support for post IMA-initialization for TPMs built
> > as kernel modules is clearly not optimal for all of the reasons
> > provided up to now and will be confusing, but could be supported.  This
> > delayed loading of the TPM needs to be clearly indicated in both the
> > audit log and in IMA's measurement list.
>
> Why if the measurement chain isn't broken?  The way I'm thinking of
> implementing it, IMA wouldn't even know.

I'm not sure this is good news.

> What would happen is that a
> NULL tpm chip in tpm_pcr_read/tpm_pcr_extend would trigger the usual
> search for the first TPM but if none were found and we'd booted on an
> EFI system, we'd just use the EFI driver to perform the operation.

If EFI is extending the TPM, will the events be added to the TPM event
log or to the IMA measurement list?  Up to now the IMA boot aggregate
record includes PCRs from 0 - 7.
With these PCRs, the boot aggregate wouldn't change when booting the
same kernel.  Would you change the boot aggregate to include these other
PCRs?

> There's probably a bit of additional subtlety making the kernel and EFI
> agree which TPM they're using in a multi-TPM situation.

Agreed

> The EFI driver isn't full featured: it only does measurement and
> logging, but it looks like that's all IMA needs.

What happens for non-EFI systems, when you can't extend the TPM?

Mimi
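An added illustration, not part of the thread or of the kernel's code, of the boot-aggregate point raised above: IMA's boot_aggregate is a SHA-1 over the values of PCRs 0-7 (as in the kernel's ima_calc_boot_aggregate), so later runtime extends into IMA's own PCR leave it unchanged, while a different firmware/bootloader measurement chain produces a different aggregate. The PCR bank, the firmware events and the PCR indices used here are constructed sample values.

```python
# Added example (not from the original mail or the kernel tree).
# Models a SHA-1 PCR bank and IMA's boot_aggregate = SHA1(PCR0 || ... || PCR7).
import hashlib

PCR_LEN = 20   # SHA-1 bank: 20-byte PCR values
NUM_PCRS = 24  # constructed: a typical PC-client TPM has 24 PCRs
IMA_PCR = 10   # IMA's default runtime measurement PCR


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend operation: new_pcr = SHA1(old_pcr || digest)."""
    return hashlib.sha1(pcr + digest).digest()


def boot_aggregate(pcrs: list) -> bytes:
    """IMA boot_aggregate: SHA-1 over the concatenated values of PCRs 0-7."""
    return hashlib.sha1(b"".join(pcrs[0:8])).digest()


def build_bank(firmware_events: list) -> list:
    """Fresh zeroed bank, then PCRs 0-7 extended with (pcr_index, event) pairs
    standing in for firmware, bootloader and Secure Boot policy measurements."""
    pcrs = [bytes(PCR_LEN)] * NUM_PCRS
    for idx, event in firmware_events:
        pcrs[idx] = pcr_extend(pcrs[idx], hashlib.sha1(event).digest())
    return pcrs


# Constructed sample firmware measurement chain (not real event log data).
FIRMWARE_EVENTS = [
    (0, b"constructed: platform firmware code"),
    (4, b"constructed: bootloader image"),
    (7, b"constructed: secure boot policy"),
]


def aggregate_after_runtime(runtime_measurements: list,
                            firmware_events: list = FIRMWARE_EVENTS) -> bytes:
    """Boot aggregate after IMA has extended its runtime measurements into
    PCR 10: extends outside PCRs 0-7 must not alter the aggregate."""
    pcrs = build_bank(firmware_events)
    for m in runtime_measurements:
        pcrs[IMA_PCR] = pcr_extend(pcrs[IMA_PCR], hashlib.sha1(m).digest())
    return boot_aggregate(pcrs)


if __name__ == "__main__":
    base = aggregate_after_runtime([])
    later = aggregate_after_runtime([b"/sbin/init", b"/lib/libc.so"])
    print("unchanged by PCR 10 extends:", base == later)
```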