Received: by 10.213.65.68 with SMTP id h4csp82165imn; Thu, 15 Mar 2018 10:10:29 -0700 (PDT) X-Google-Smtp-Source: AG47ELuHJoi+Gt48uWVrEPf+1x6kQJDzy2qL0rN+V3lq5x15n0xc7ljzjS5N0o5eqcqkzke0M1I9 X-Received: by 10.167.130.208 with SMTP id f16mr6437151pfn.164.1521133829755; Thu, 15 Mar 2018 10:10:29 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1521133829; cv=none; d=google.com; s=arc-20160816; b=CQNZZ8spY+ujCMQ1wMwjDvoYQhNJGvu15+x8HKuwR2rLP/Nmd4NYzZrhRX+pGATLE8 dYaG/tuHSMdLOFthzXPWlBHhYgvg36xSQa7eUF3t5ksrP/LB0P0dhOSeE7TMMhQOl9cE SHEIdolyMt53aS7jEbe5W67FxWponqO54hBZNc2Z0TJ4RuqiOVo3Dil9u0ORbgPIu/Tw 9P0rvr1NGdO+cDdTj1aipKjR5elY1XEVnftP2ENXfk56YHk9DBG2Dv3kbI+odXaT/uCd Ly6GlnqBNBPDnM3A7k+SwTh9+Cape1frBI/9cAuOX3FRj2+Z1jvpfzGaq7ESmhe5wTfX wnnQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:date:cc:to:from:subject:message-id :dkim-signature:arc-authentication-results; bh=y1l5mPfXApdZPPE7uWNRTX/qaNzg3QPcqcunEbpcQwM=; b=eSbIGl/ofziMrSsFCU9l0ckxovJZpxTRcbm5il3Z4hhJn1qhg4MfhmkyXAfXs66pb2 nmURI7U6M9F6NuOnhtCuTzJKg/hg+6aCPo/DMNefJIdvs3f6vXhDE/71bhYUYSqjgxVo /KeCbS3vw57SZ1x6BWBns5Fop0sDpXcwMz2h70LHW8n9Pq2kawzeiWljamezNerglG1U Te/pNgr1KzRjQw0BRaGIlJafJvMY4z0JCuSgZ2wkaFtQnJ+fTLv0mD/lHciKJNFTSasv kygxukByfadgCmHEb1Y/ltGvt0ZxQrFpygCSU1JgaPClzEUP2YB9PJI3Nzy8D8JpQe3Y bcUQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@hansenpartnership.com header.s=20151216 header.b=EkpAEd1E; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=hansenpartnership.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 89si4128002pfo.111.2018.03.15.10.10.14; Thu, 15 Mar 2018 10:10:29 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@hansenpartnership.com header.s=20151216 header.b=EkpAEd1E; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=hansenpartnership.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752485AbeCORIx (ORCPT + 99 others); Thu, 15 Mar 2018 13:08:53 -0400 Received: from bedivere.hansenpartnership.com ([66.63.167.143]:38544 "EHLO bedivere.hansenpartnership.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751466AbeCORIu (ORCPT ); Thu, 15 Mar 2018 13:08:50 -0400 Received: from localhost (localhost [127.0.0.1]) by bedivere.hansenpartnership.com (Postfix) with ESMTP id 226CB8EE139; Thu, 15 Mar 2018 10:08:50 -0700 (PDT) Received: from bedivere.hansenpartnership.com ([127.0.0.1]) by localhost (bedivere.hansenpartnership.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IZcPNeMZV-1O; Thu, 15 Mar 2018 10:08:49 -0700 (PDT) Received: from [153.66.254.194] (unknown [50.35.65.221]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by bedivere.hansenpartnership.com (Postfix) with ESMTPSA id 792E38EE0C7; Thu, 15 Mar 2018 10:08:49 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=hansenpartnership.com; s=20151216; t=1521133729; bh=zdGrj+V01oI4NQFCnI9LN9PlzG49dd5v3slRtdiXv0g=; h=Subject:From:To:Cc:Date:In-Reply-To:References:From; b=EkpAEd1Ed/6SUkjEjRP405FcTk0KM/Ls/TKRqjLx8hS+DZukjaLvPuQ1TqMomz3Z4 oLV0GQha6tRkybyeXotyD9OC42MuQcK+JOq2B/PFl9AJGPVIlNPJva9aI4pJcOmTOX xUJ5ePqfL2Gfwu4voBwj25064rQ+1O8g0pO6/3mg= Message-ID: <1521133728.5348.51.camel@HansenPartnership.com> Subject: Re: [PATCH] security: Fix IMA Kconfig for dependencies on ARM64 From: James Bottomley To: Mimi Zohar , "Safford, David (GE Global Research, US)" , Jiandi An , Jason Gunthorpe Cc: "dmitry.kasatkin@gmail.com" , "jmorris@namei.org" , "serge@hallyn.com" , "linux-integrity@vger.kernel.org" , "linux-security-module@vger.kernel.org" , "linux-kernel@vger.kernel.org" Date: Thu, 15 Mar 2018 10:08:48 -0700 In-Reply-To: <1521130749.3547.608.camel@linux.vnet.ibm.com> References: <1520400386-17674-1-git-send-email-anjiandi@codeaurora.org> <20180307185132.GA30102@ziepe.ca> <1520448953.10396.565.camel@linux.vnet.ibm.com> <1520449719.5558.28.camel@HansenPartnership.com> <1520450495.10396.587.camel@linux.vnet.ibm.com> <1520451662.24314.5.camel@HansenPartnership.com> <1520461156.10396.654.camel@linux.vnet.ibm.com> <191cfd49-0c66-a5ef-3d2b-b6c4132aa294@codeaurora.org> <1520615461.12216.6.camel@HansenPartnership.com> <1520891598.3547.190.camel@linux.vnet.ibm.com> <1520893847.4522.62.camel@HansenPartnership.com> <1520897400.3547.253.camel@linux.vnet.ibm.com> <1520899605.4522.67.camel@HansenPartnership.com> <1521038471.4508.25.camel@HansenPartnership.com> <1521047286.3547.470.camel@linux.vnet.ibm.com> <1521048306.4508.56.camel@HansenPartnership.com> <1521130749.3547.608.camel@linux.vnet.ibm.com> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.20.5 Mime-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, 2018-03-15 at 12:19 -0400, Mimi Zohar wrote: > On Wed, 2018-03-14 at 10:25 -0700, James Bottomley wrote: > > > > On Wed, 2018-03-14 at 13:08 -0400, Mimi Zohar wrote: > [..] > > > > > > > > Adding additional support for post IMA-initialization for TPM's > > > built as kernel modules is clearly not optimal for all of the > > > reasons provided to now and will be confusing, but could be > > > supported.  This delayed loading of the TPM needs to be clearly > > > indicated in both the audit log and in IMA's measurement list. > > > > Why if the measurement chain isn't broken?  The way I'm thinking of > > implementing it, IMA wouldn't even know. > > I'm not sure this is good news. > > > What would happen is that a NULL tpm chip in > > tpm_pcr_read/tpm_pcr_extend would trigger the usual > > search for the first TPM but if none were found and we'd booted on > > an EFI system, we'd just use the EFI driver to do perform the > > operation. > > If EFI is extending the TPM, will the events be added to the TPM > event log or to the IMA measurement list? I'm not proposing any changes to the tpm_pcr_extend API.  At the moment it does an extend without logging, so that's what it will do in the EFI driver case as well.  That means logging is still the responsibility of the caller. >   Up to now the IMA boot aggregate record includes PCRs from 0 - 7. >  With these PCRs, the boot aggregate wouldn't change when booting the > same kernel.  Would you change the boot-aggregate to include these > other PCRs? This is all IMA internal stuff that's up to you.  All I would do is make the tpm_pcr API work with an EFI driver.  That has no impact on what the PCRs return (well, unless we start using it to log early components of the kernel boot, which is a possibility). > > There's probably a bit of additional subtlety making the kernel and > > EFI agree which TPM they're using in a multi-TPM situation. > > Agreed > > > > > The EFI driver isn't full featured: it only does measurement and > > logging, but it looks like that's all IMA needs. > > What happens for non EFI systems, when you can't extend the TPM? The same as happens today if there's no TPM available: you'd get an error return.  Since older bios is essentially legacy, I wouldn't propose fixing this, but the TCG does define a non-EFI BIOS interface which could theoretically be used in the same way as the BIOS one if someone with a legacy box were interested in implementing it. James