IMA running as a Kernel module against TPM 2.0 driver

From: "Nasim, Kam" <Kam.Nasim-CWA4WttNNZF54TAoqtyWWQ@public.gmane.org>
To: "tpmdd-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org"
	<tpmdd-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org>
Subject: IMA running as a Kernel module against TPM 2.0 driver
Date: Mon, 11 Sep 2017 21:29:39 +0000	[thread overview]
Message-ID: <CA352AD04C14CE4985F6AEB6AB8C130E3EDB8737@ALA-MBC.corp.ad.wrs.com> (raw)

[-- Attachment #1.1: Type: text/plain, Size: 2703 bytes --]

Hi folks,

Im stumped with some issues with getting IMA to talk to the TPM interface driver, and was hoping you guys could help me out.

I am building IMA as an out-of-tree Kernel module. We are based off CentOS v7.3 which is still sitting at the Linux v3.10 baseline (sad I know!). Everything seems to be fine but when I load the IMA module, it cannot seem to do a PCR read from the TPM driver:

2017-09-11T19:06:47.438 controller-1 kernel: info [  228.152893] ima: No TPM chip found, activating TPM-bypass! (rc=-19)

We also had to build TPM as an out-of-tree Kernel module, since we had to use the in-Kernel TPM resource manager which was unavailable till Jan 2017. TPM driver is loaded and operational:

2017-09-11T19:03:07.818 controller-1 kernel: info [    5.929071] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0x1A, rev-id 16)

controller-1:~$ sudo lsmod | grep ima
ima                    47169  0
integrity               6430  1 ima

controller-1:~$ sudo lsmod | grep tpm
tpm_crb                 6458  0
tpm_tis                 5950  0
tpm_tis_core           10054  1 tpm_tis
tpm                    48093  3 tpm_crb,tpm_tis,tpm_tis_core

I've tracked down the failure to the tpm_pcr_read() in tpm-interface.c, this was added as an interface to integrity:

commit 659aaf2bb5496a425ba14036b5b5900f593e4484
Author: Rajiv Andrade <srajiv-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org<mailto:srajiv-23VcF4HTsmI+71yUvRxsjw@public.gmane.orgbm.com>>
Date:   Mon Feb 2 15:23:44 2009 -0200

    TPM: integrity interface

    This patch adds internal kernel support for:
     - reading/extending a pcr value
     - looking up the tpm_chip for a given chip number

    Signed-off-by: Rajiv Andrade <srajiv-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org<mailto:srajiv@linux.vnet.ibm.com>>
    Signed-off-by: Mimi Zohar <zohar-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org<mailto:zohar-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>>
    Signed-off-by: James Morris jmorris-gx6/JNMH7DfYtjvyW6yDsg@public.gmane.org<mailto:jmorris-gx6/JNMH7DfYtjvyW6yDsg@public.gmane.org>

The comment above the function implies that it cannot be executed if TPM is built as a Kernel module?

"The TPM driver should be built-in, but for whatever reason it
* isn't, protect against the chip disappearing, by incrementing
* the module usage count."

Is this understanding correct? If so then how do I get the IMA Kernel module to do a Kernel PCR read?

Any help you guys can offer me would be greatly appreciated.

Thanks,
Kam

P.S: I don't see a /sys/devices/pnp0/<pnp#>/pcrs file on my system although TSS2 commands seem to indicate that the PCR list is active

[-- Attachment #1.2: Type: text/html, Size: 8888 bytes --]

[-- Attachment #2: Type: text/plain, Size: 202 bytes --]

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot

[-- Attachment #3: Type: text/plain, Size: 192 bytes --]

_______________________________________________
tpmdd-devel mailing list
tpmdd-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org
https://lists.sourceforge.net/lists/listinfo/tpmdd-devel