From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: Jiandi An <anjiandi@codeaurora.org>,
	James Bottomley <James.Bottomley@HansenPartnership.com>,
	Jason Gunthorpe <jgg@ziepe.ca>
Cc: dmitry.kasatkin@gmail.com, jmorris@namei.org, serge@hallyn.com,
	linux-integrity@vger.kernel.org,
	linux-ima-devel@lists.sourceforge.net,
	linux-ima-user@lists.sourceforge.net,
	linux-security-module@vger.kernel.org,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH] security: Fix IMA Kconfig for dependencies on ARM64
Date: Thu, 08 Mar 2018 15:06:01 -0500
Message-ID: <1520539561.3605.92.camel@linux.vnet.ibm.com>
In-Reply-To: <191cfd49-0c66-a5ef-3d2b-b6c4132aa294@codeaurora.org>

On Thu, 2018-03-08 at 12:42 -0600, Jiandi An wrote:

> So from the discussion, I hear James suggests to overhaul the current
> IMA driver to not do measurement (calling tpm_pcr_read(), etc) until
> after initrd phase so TPM drivers can be built as modules.
> 
> I hear Mimi insists TPM drivers should be built-in when IMA driver is
> enabled and set to Y in Kconfig.
> 
> Do we have a consensus on which way we should go?
> 
> I'm no expert on IMA and its driver.  James, will you be kind enough
> to look into overhauling the IMA driver to not measure until after 
> initrd phase if that's the consensus on resolving this?

IMA selecting the TPM forces the TPM to be builtin.  There's nothing
keeping you from directly configuring the TPM driver as builtin.

For remote attestation to validate the IMA measurement list against
the PCRs, the existing "ima_tcb" and "ima_policy=tcb" builtin policies
require the TPM to be builtin.

Not building the TPM into the kernel will also affect EVM.

I don't have a problem accepting your patch now; and if/when there is
a real use case for building the TPM driver as a kernel module for use
with IMA-measurement, accepting those changes then.

Mimi
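What "validating the IMA measurement list against the PCRs" means in practice, and why it breaks when the TPM driver is not bound at the time of the earliest measurements, is easiest to see with a replay. The following is an added example, not code from this thread or from the kernel: a verifier-side replay of an `ascii_runtime_measurements`-style list into a software model of PCR 10, with the list entries, the "quoted" PCR value and the boot model all constructed here. It assumes the SHA-1 PCR bank, the `PCR template-hash template data...` line layout, and the kernel's convention of recording a violation as an all-zero template hash while extending 0xff into the PCR; `measure_boot` and its `tpm_ready_after` parameter are hypothetical names used to model a TPM driver that becomes available only part-way through boot.

```python
"""Replay an IMA measurement list against a PCR value (added example).

Assumptions (illustrative, not taken from the thread or the kernel source):
- lines look like `PCR template-hash template data...` with SHA-1 hashes;
- the chip is modelled by SoftwareTpm rather than read via tpm_pcr_read();
- a violation is listed with an all-zero hash but extends 0xff bytes;
- every sample entry below is constructed, not a real measurement.
"""
import hashlib
from dataclasses import dataclass

PCR_LEN = 20  # SHA-1 bank

# Constructed sample list: boot_aggregate, an early file, a violation, a later file.
SAMPLE_LIST = """\
10 1111111111111111111111111111111111111111 ima-ng sha1:2222222222222222222222222222222222222222 boot_aggregate
10 3333333333333333333333333333333333333333 ima-ng sha256:4444444444444444444444444444444444444444444444444444444444444444 /init
10 0000000000000000000000000000000000000000 ima-ng sha1:0000000000000000000000000000000000000000 /tmp/open-writers
10 5555555555555555555555555555555555555555 ima-ng sha256:6666666666666666666666666666666666666666666666666666666666666666 /usr/bin/bash
""".splitlines()


@dataclass
class Entry:
    pcr: int
    template_hash: bytes  # SHA-1 over the template data, as listed
    template: str         # e.g. "ima-ng"
    data: str             # remaining fields, kept only for display


def parse_line(line: str) -> Entry:
    """Parse one measurement-list line into its fields."""
    pcr, thash, template, *rest = line.split(maxsplit=3)
    return Entry(int(pcr), bytes.fromhex(thash), template, rest[0] if rest else "")


def extend(pcr: bytes, digest: bytes) -> bytes:
    """SHA-1 PCR extend: PCR' = SHA1(PCR || digest)."""
    return hashlib.sha1(pcr + digest).digest()


def digest_to_extend(entry: Entry) -> bytes:
    """A violation is listed as all zeros but invalidates the PCR with 0xff."""
    if entry.template_hash == bytes(PCR_LEN):
        return b"\xff" * PCR_LEN
    return entry.template_hash


def replay(entries, pcr_index: int = 10) -> bytes:
    """Verifier side: recompute the PCR from the list alone, starting at zero."""
    pcr = bytes(PCR_LEN)
    for e in entries:
        if e.pcr == pcr_index:
            pcr = extend(pcr, digest_to_extend(e))
    return pcr


class SoftwareTpm:
    """Stand-in for the chip: holds PCR 10 and extends it on demand."""

    def __init__(self):
        self.pcr10 = bytes(PCR_LEN)

    def extend(self, digest: bytes) -> None:
        self.pcr10 = extend(self.pcr10, digest)


def measure_boot(entries, tpm_ready_after: int) -> bytes:
    """Hypothetical boot model (assumption, not kernel code).

    Every entry is appended to the list, but only entries measured once the
    TPM driver is bound (index >= tpm_ready_after) reach the chip; earlier
    ones are recorded with no extend.  tpm_ready_after=0 models a builtin
    driver present from the first measurement.
    """
    tpm = SoftwareTpm()
    for i, e in enumerate(entries):
        if i >= tpm_ready_after:
            tpm.extend(digest_to_extend(e))
    return tpm.pcr10


def verify(entries, quoted_pcr10: bytes) -> bool:
    """Remote-attestation check: does the replayed list match the quoted PCR?"""
    return replay(entries) == quoted_pcr10


if __name__ == "__main__":
    entries = [parse_line(line) for line in SAMPLE_LIST]
    print("TPM builtin      :", verify(entries, measure_boot(entries, 0)))
    print("TPM bound late   :", verify(entries, measure_boot(entries, 2)))
```

With the driver present from the first measurement the replayed value equals the quoted one; if the first entries were recorded before the driver was bound, the list is still complete but nothing on the chip vouches for those entries, so the replay never matches and the attestation fails.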

Thread overview: 30+ messages
2018-03-07  5:26 [PATCH] security: Fix IMA Kconfig for dependencies on ARM64 Jiandi An
2018-03-07 18:51 ` Jason Gunthorpe
2018-03-07 18:55   ` Mimi Zohar
2018-03-07 19:08     ` James Bottomley
2018-03-07 19:21       ` Mimi Zohar
2018-03-07 19:41         ` James Bottomley
2018-03-07 21:12           ` Jiandi An
2018-03-07 21:16             ` James Bottomley
2018-03-07 22:19           ` Mimi Zohar
2018-03-08 18:42             ` Jiandi An
2018-03-08 20:06               ` Mimi Zohar [this message]
2018-03-09 17:11               ` James Bottomley
2018-03-12 21:53                 ` Mimi Zohar
2018-03-12 21:59                   ` Jason Gunthorpe
2018-03-12 22:58                     ` Mimi Zohar
2018-03-12 23:05                       ` Jason Gunthorpe
2018-03-12 23:19                         ` Mimi Zohar
2018-03-12 22:30                   ` James Bottomley
2018-03-12 23:30                     ` Mimi Zohar
2018-03-13  0:06                       ` James Bottomley
2018-03-13 12:57                         ` Safford, David (GE Global Research, US)
2018-03-14 14:41                           ` James Bottomley
2018-03-14 17:08                             ` Mimi Zohar
2018-03-14 17:25                               ` James Bottomley
2018-03-15 16:19                                 ` Mimi Zohar
2018-03-15 17:08                                   ` James Bottomley
2018-03-15 17:14                                     ` Mimi Zohar
2018-03-15 17:29                                       ` James Bottomley
2018-03-16 16:51                                         ` Mimi Zohar
2018-03-11 22:06 ` Mimi Zohar
