From: Ken Goldman <kgold@linux.ibm.com>
To: William Roberts <bill.c.roberts@gmail.com>,
linux-integrity@vger.kernel.org
Subject: Re: Question on permissions of runtime and bios measurements files
Date: Thu, 19 May 2022 17:01:48 -0400 [thread overview]
Message-ID: <05559904-7fa9-bcaa-c5fe-b511b1d42d36@linux.ibm.com> (raw)
In-Reply-To: <CAFftDdrGYV=VwNPjypoOs1SmpNeZMTfrAFhht=zVOgC0hDrHSA@mail.gmail.com>
On 5/5/2022 9:59 AM, William Roberts wrote:
> Currently the tss command line tools can't access the system
> measurement logs for users even if they are in the group tss:
>
> crw-rw---- 1 tss root 10, 224 Mai 3 17:22 /dev/tpm0
> -r--r----- 1 root root 0 Mai 3 17:22
> /sys/kernel/security/ima/binary_runtime_measurements
> -r--r----- 1 root root 0 Mai 3 17:22
> /sys/kernel/security/tpm0/binary_bios_measurements
>
> So with tss2_quote, a quote can be computed but not the pcrLog for the
> system PCRs.
> The problem could be solved if the log files would be owned by tss.
> But that could create privacy issues because the pcrLog would e.g.
> contain executables in user home directories.
> Do you have any suggestions how the problem could be addressed?
If it were me, I'd change the group to tss.
The privacy issue doesn't bother me because
- the attestation program has to get the log in some way.
- typically, only root executed files are measured.
- it contains the hashes, not the executables.
keylime opens the file as root, keeps it open forever, and
then drops its privilege.
prev parent reply other threads:[~2022-05-19 21:01 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-05-05 13:59 Question on permissions of runtime and bios measurements files William Roberts
2022-05-19 21:01 ` Ken Goldman [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=05559904-7fa9-bcaa-c5fe-b511b1d42d36@linux.ibm.com \
--to=kgold@linux.ibm.com \
--cc=bill.c.roberts@gmail.com \
--cc=linux-integrity@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.