From: James Bottomley <James.Bottomley@HansenPartnership.com>
To: Lakshmi Ramasubramanian <email@example.com>, Mimi Zohar <firstname.lastname@example.org>, email@example.com
Subject: Re: ima_tpm_chip is queried and saved only at IMA init, but never later
Date: Tue, 24 Sep 2019 18:37:04 -0400
Message-ID: <1569364624.5364.23.camel@HansenPartnership.com>
In-Reply-To: <firstname.lastname@example.org>

On Tue, 2019-09-24 at 15:31 -0700, Lakshmi Ramasubramanian wrote:
[...]
> In one configuration I am testing, I see the TPM appear post IMA
> Init. Likely this is rare, but I was wondering if there was a reason
> why TPM information is only queried during IMA init, but never
> updated at a later point.

IMA involves a chain of custody attested through the TPM. If the TPM
isn't present on IMA init then that custody chain is broken and the
measurements can't be relied upon. For this reason to use the TPM, it
must be present when IMA is initialized ... so the drivers all need
building in to the kernel.

There has been some discussion that we could, for UEFI systems, use the
UEFI runtime drivers for the TPM until the actual driver is inserted but
no-one's looked into doing that.

James
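Added example, not part of the thread and not kernel code: a small Python simulation of the chain of custody James describes. Each measurement is appended to a measurement list and extended into a PCR; a verifier replays the list and checks that it reproduces the PCR. The simulation is deliberately simplified (one sha256 PCR, raw file digests rather than IMA's template hashes, constructed file contents and names) and adds a hypothetical "late attach" of the TPM, which IMA does not do, purely to show why measurements taken before the TPM was available cannot be anchored afterwards.

```python
import hashlib

# Constructed simulation of IMA's chain of custody through the TPM.
# Not kernel code: one PCR, one bank, raw file digests instead of IMA
# template hashes. File names and contents are made up.

DIGEST_LEN = 32                   # sha256 bank
PCR_INITIAL = bytes(DIGEST_LEN)   # PCRs reset to all zeros at power-on


class SimTpm:
    """Minimal TPM: a single PCR supporting the standard extend operation."""

    def __init__(self):
        self.pcr = PCR_INITIAL

    def extend(self, digest):
        # PCR_new = H(PCR_old || digest): order-dependent, not reversible
        self.pcr = hashlib.sha256(self.pcr + digest).digest()


class SimIma:
    """IMA as the thread describes it: the TPM handle is looked up once, at init."""

    def __init__(self, tpm):
        self.tpm = tpm    # None if no TPM driver had probed when IMA initialised
        self.log = []     # measurement list entries: (filename, file digest)

    def measure(self, filename, content):
        digest = hashlib.sha256(content).digest()
        self.log.append((filename, digest))
        if self.tpm is not None:
            self.tpm.extend(digest)
        # else: the entry exists only in the software log; nothing in
        # hardware vouches for it, and extending it later would change
        # the order and so never reproduce the value a replay expects.


def replay(log):
    """Verifier side: recompute the expected PCR from the measurement list alone."""
    pcr = PCR_INITIAL
    for _, digest in log:
        pcr = hashlib.sha256(pcr + digest).digest()
    return pcr


def run(tpm_present_at_init):
    """Return True if the verifier's replay of the log matches the PCR."""
    tpm = SimTpm()
    ima = SimIma(tpm if tpm_present_at_init else None)
    ima.measure("/sbin/init", b"init binary (constructed)")
    ima.measure("/lib/libc.so", b"libc (constructed)")
    if ima.tpm is None:
        # Hypothetical late attach (the TPM "appearing post IMA init").
        # Real IMA never does this; it is here to show it would not help.
        ima.tpm = tpm
    ima.measure("/usr/bin/sshd", b"sshd (constructed)")
    return replay(ima.log) == tpm.pcr


def detects_tampering():
    """With the TPM present from init, editing the log is caught by replay."""
    tpm = SimTpm()
    ima = SimIma(tpm)
    ima.measure("/sbin/init", b"init binary (constructed)")
    ima.measure("/usr/bin/sshd", b"sshd (constructed)")
    name, _ = ima.log[0]
    ima.log[0] = (name, hashlib.sha256(b"altered after the fact").digest())
    return replay(ima.log) != tpm.pcr


if __name__ == "__main__":
    print("TPM at init, replay matches PCR:", run(True))
    print("TPM late,    replay matches PCR:", run(False))
    print("Log edit detected when chain intact:", detects_tampering())
```

The first run reproduces the PCR and the verifier accepts the log; the second never can, because the two early measurements were recorded without being extended, which is the broken custody chain James refers to. The third shows what the intact chain buys: any change to a logged entry makes the replay diverge from the hardware value.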