From: James Bottomley <James.Bottomley@HansenPartnership.com>
To: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>,
	Mimi Zohar <zohar@linux.ibm.com>,
	linux-integrity@vger.kernel.org
Subject: Re: ima_tpm_chip is queried and saved only at IMA init, but never later
Date: Thu, 03 Oct 2019 08:58:39 -0700
Message-ID: <1570118319.17805.9.camel@HansenPartnership.com>
In-Reply-To: <d5aef823-9428-65d4-c045-c23d3466033e@linux.microsoft.com>

On Thu, 2019-10-03 at 08:40 -0700, Lakshmi Ramasubramanian wrote:
> On 9/24/19 3:37 PM, James Bottomley wrote:
> > On Tue, 2019-09-24 at 15:31 -0700, Lakshmi Ramasubramanian wrote:
> > 
> > There has been some discussion that we could, for UEFI systems, use the
> > UEFI runtime drivers for the TPM until the actual driver is inserted
> > but no-one's looked into doing that.
> > 
> > James
> 
> Can IMA take a dependency on TPM and postpone IMA initialization
> until a TPM device shows up?

I don't believe we can postpone IMA initialization because it has to
start before any user space execution so it logs everything correctly
and the measurement chain is unbroken.

There are potentially two ways of fixing the IMA-before-TPM-is-ready
problem: one is to use the TPM BIOS device ... or really the UEFI
device, since getting non-UEFI to measure external things is very
non-standard. And the other is to cache all the measurements and then
replay them through the TPM when it shows up.

> Has anyone looked into this?

I don't believe anyone has, no.

James
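The second option James sketches (cache every measurement taken before the TPM driver binds, then replay the cache into the TPM once the chip appears) can be modelled in userspace. The block below is an added illustration written for this archive page; it is not code from the thread, from IMA, or from the kernel. It assumes TPM 2.0 SHA-256 PCR semantics (new = SHA-256(old || digest)) and IMA's default of PCR 10; the class names, the "template hash" stand-in and the three measured paths are constructed for the example. It runs the same boot sequence twice, once with measurements silently dropped while no TPM is present (the behaviour the thread complains about) and once with the cache-and-replay fix, and checks whether a verifier replaying the measurement list would match PCR 10.

```python
"""Model of IMA measuring before the TPM is available.

Added example, not kernel code. PCR extend follows TPM 2.0 SHA-256 bank
semantics; everything else (SimTpm, ImaModel, the sample paths) is a
constructed stand-in for illustration.
"""
import hashlib
from dataclasses import dataclass, field

PCR_BYTES = 32
IMA_PCR = 10           # IMA extends PCR 10 by default (CONFIG_IMA_MEASURE_PCR_IDX)
NUM_PCRS = 24


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend for a SHA-256 bank: new_pcr = H(old_pcr || digest)."""
    return hashlib.sha256(pcr + digest).digest()


@dataclass
class SimTpm:
    """Stand-in for a TPM chip: one SHA-256 PCR bank, all PCRs start at zero."""
    pcrs: list = field(default_factory=lambda: [bytes(PCR_BYTES)] * NUM_PCRS)

    def extend(self, idx: int, digest: bytes) -> None:
        self.pcrs[idx] = pcr_extend(self.pcrs[idx], digest)

    def read(self, idx: int) -> bytes:
        return self.pcrs[idx]


@dataclass
class Measurement:
    pcr: int
    template_hash: bytes   # stands in for the ima-ng template digest
    path: str


class ImaModel:
    """Measurement list plus an optional TPM; cache_when_absent selects the fix."""

    def __init__(self, cache_when_absent: bool):
        self.tpm = None
        self.cache_when_absent = cache_when_absent
        self.log = []      # what securityfs would expose as the runtime measurement list
        self.pending = []  # measurements taken while no TPM was bound

    def measure(self, path: str, file_hash: bytes) -> None:
        # Constructed template digest: hash of file digest plus path, in the
        # spirit of ima-ng (d-ng|n-ng); not the real template encoding.
        template_hash = hashlib.sha256(file_hash + path.encode()).digest()
        m = Measurement(IMA_PCR, template_hash, path)
        self.log.append(m)
        if self.tpm is not None:
            self.tpm.extend(m.pcr, m.template_hash)
        elif self.cache_when_absent:
            self.pending.append(m)
        # else: logged but never extended, so the list and PCR 10 diverge

    def tpm_arrived(self, tpm: SimTpm) -> None:
        """Driver has bound: replay cached entries in log order, then go live."""
        self.tpm = tpm
        for m in self.pending:
            tpm.extend(m.pcr, m.template_hash)
        self.pending.clear()


def expected_pcr(log) -> bytes:
    """What a remote verifier computes from the measurement list alone."""
    pcr = bytes(PCR_BYTES)
    for m in log:
        if m.pcr == IMA_PCR:
            pcr = pcr_extend(pcr, m.template_hash)
    return pcr


def run_scenario(cache_when_absent: bool):
    """Returns (verifier_matches_pcr10, number_of_log_entries)."""
    ima = ImaModel(cache_when_absent)
    # Constructed boot sequence: two measurements land before the TPM driver binds.
    ima.measure("/init", hashlib.sha256(b"init-contents").digest())
    ima.measure("/lib/modules/tpm_tis.ko", hashlib.sha256(b"module-contents").digest())
    ima.tpm_arrived(SimTpm())
    ima.measure("/usr/bin/bash", hashlib.sha256(b"bash-contents").digest())
    return ima.tpm.read(IMA_PCR) == expected_pcr(ima.log), len(ima.log)


if __name__ == "__main__":
    print("drop early measurements:", run_scenario(False))   # (False, 3)
    print("cache and replay:       ", run_scenario(True))    # (True, 3)
```

Without the cache the list still has three entries but PCR 10 only saw the last one, so a quote over PCR 10 can never be reconciled with the log; with the cache the replay preserves ordering and the verifier's recomputation matches. The model says nothing about the first option (driving the TPM through UEFI runtime services before the kernel driver loads), which would keep the PCR live from the start and need no replay.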


Thread overview (6+ messages):
2019-09-24 22:31 ima_tpm_chip is queried and saved only at IMA init, but never later Lakshmi Ramasubramanian
2019-09-24 22:37 ` James Bottomley
2019-10-03 15:40   ` Lakshmi Ramasubramanian
2019-10-03 15:49     ` Mimi Zohar
2019-10-04  0:39       ` Lakshmi Ramasubramanian
2019-10-03 15:58     ` James Bottomley [this message]
