* IMA running as a Kernel module against TPM 2.0 driver
@ 2017-09-11 21:29 Nasim, Kam
From: Nasim, Kam @ 2017-09-11 21:29 UTC (permalink / raw)
I'm stumped with some issues with getting IMA to talk to the TPM interface driver, and was hoping you guys could help me out.
I am building IMA as an out-of-tree Kernel module. We are based off CentOS v7.3, which is still sitting at the Linux v3.10 baseline (sad, I know!). Everything seems to be fine, but when I load the IMA module it cannot seem to do a PCR read from the TPM driver:
2017-09-11T19:06:47.438 controller-1 kernel: info [ 228.152893] ima: No TPM chip found, activating TPM-bypass! (rc=-19)
We also had to build TPM as an out-of-tree Kernel module, since we had to use the in-Kernel TPM resource manager, which was unavailable till Jan 2017. The TPM driver is loaded and operational:
2017-09-11T19:03:07.818 controller-1 kernel: info [ 5.929071] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0x1A, rev-id 16)
controller-1:~$ sudo lsmod | grep ima
ima 47169 0
integrity 6430 1 ima
controller-1:~$ sudo lsmod | grep tpm
tpm_crb 6458 0
tpm_tis 5950 0
tpm_tis_core 10054 1 tpm_tis
tpm 48093 3 tpm_crb,tpm_tis,tpm_tis_core
I've tracked down the failure to tpm_pcr_read() in tpm-interface.c, which was added as an interface for integrity:
Author: Rajiv Andrade <srajiv-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>
Date: Mon Feb 2 15:23:44 2009 -0200
TPM: integrity interface
This patch adds internal kernel support for:
- reading/extending a pcr value
- looking up the tpm_chip for a given chip number
Signed-off-by: Rajiv Andrade <srajiv-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>
Signed-off-by: Mimi Zohar <zohar-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
Signed-off-by: James Morris <jmorris-gx6/JNMH7DfYtjvyW6yDsg@public.gmane.org>
The comment above the function implies that it cannot be executed if TPM is built as a Kernel module?
"The TPM driver should be built-in, but for whatever reason it isn't, protect against the chip disappearing, by incrementing the module usage count."
Is this understanding correct? If so then how do I get the IMA Kernel module to do a Kernel PCR read?
Any help you guys can offer me would be greatly appreciated.
P.S.: I don't see a /sys/devices/pnp0/<pnp#>/pcrs file on my system, although TSS2 commands seem to indicate that the PCR list is active.
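The practical consequence of the "TPM-bypass" message above is that IMA keeps appending entries to its measurement list, but PCR 10 is never extended, so the list can no longer be bound to a TPM quote. The check a verifier runs to catch that is to replay the log into the PCR value it should have produced and compare it with what the TPM actually holds. Below is an added example of that replay (not code from this post or from the IMA/TPM subsystems). It assumes the layout of /sys/kernel/security/ima/ascii_runtime_measurements, one entry per line as "<pcr> <template-hash> <template-name> <template fields...>", a SHA-1 PCR bank (what IMA extends on a v3.10-era kernel), and the kernel's rule that an all-zero template hash marks a violation entry for which the PCR is extended with 0xff bytes instead. The sample log and its hashes are constructed; the TPM-side value is something you would fetch separately, for example with `tpm2_pcrread sha1:10` from recent tpm2-tools.

```python
"""Replay an IMA measurement log to the PCR value it should have produced.

Added example (not code from the original post or from the IMA/TPM subsystems).
Assumed log layout: one entry per line,
    <pcr> <template-hash> <template-name> <template fields...>
with a SHA-1 template hash, plus the kernel's extend rule that a zero template
hash marks a violation entry, which extends the PCR with 0xff bytes instead.
"""
import hashlib

PCR_LEN = 20          # SHA-1 digest size
IMA_PCR = 10          # PCR IMA extends by default
VIOLATION = b"\xff" * PCR_LEN


def sha1_extend(pcr, digest):
    """TPM extend for a SHA-1 bank: new = SHA1(old || digest)."""
    return hashlib.sha1(pcr + digest).digest()


def parse_measurements(text):
    """Parse ascii_runtime_measurements into (pcr, template_hash, template, fields)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(None, 3)
        if len(parts) < 3:
            raise ValueError(f"malformed measurement entry: {line!r}")
        pcr = int(parts[0])
        digest = bytes.fromhex(parts[1])
        if len(digest) != PCR_LEN:
            raise ValueError(f"template hash is not SHA-1 sized: {parts[1]}")
        fields = parts[3] if len(parts) == 4 else ""
        entries.append((pcr, digest, parts[2], fields))
    return entries


def replay_pcr(entries, pcr_index=IMA_PCR):
    """Recompute the PCR from the log, starting from the all-zero reset value."""
    pcr = bytes(PCR_LEN)
    for pcr_idx, digest, _template, _fields in entries:
        if pcr_idx != pcr_index:
            continue  # entries for other PCRs do not touch this register
        if digest == bytes(PCR_LEN):
            digest = VIOLATION  # violation entry: kernel invalidates the PCR
        pcr = sha1_extend(pcr, digest)
    return pcr


def verify_log_against_pcr(entries, tpm_pcr_hex, pcr_index=IMA_PCR):
    """True iff the log replays to the value the TPM currently holds."""
    return replay_pcr(entries, pcr_index) == bytes.fromhex(tpm_pcr_hex)


# Constructed sample log in the ima-ng template layout; all hashes are made up.
SAMPLE_LOG = """\
10 9f4c6a1d3b2e5f708192a3b4c5d6e7f801122334 ima-ng sha1:2a7b3c4d5e6f708192a3b4c5d6e7f80112233445 boot_aggregate
10 1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e ima-ng sha1:3c4d5e6f708192a3b4c5d6e7f8091a2b3c4d5e6f /usr/lib/systemd/systemd
10 0000000000000000000000000000000000000000 ima-ng sha1:0000000000000000000000000000000000000000 /tmp/open-writers
"""

# What a TPM reports for PCR 10 when IMA ran in "TPM-bypass" mode: nothing was
# ever extended, so the register still holds its reset value.
BYPASS_PCR10_HEX = "00" * PCR_LEN


if __name__ == "__main__":
    entries = parse_measurements(SAMPLE_LOG)
    expected = replay_pcr(entries)
    print("expected PCR-10 from log:", expected.hex())
    # Replace BYPASS_PCR10_HEX with the live value, e.g. from `tpm2_pcrread sha1:10`.
    ok = verify_log_against_pcr(entries, BYPASS_PCR10_HEX)
    print("log matches TPM PCR-10:", ok)  # False on a bypass system
```

The replay uses only the template-hash column, which is exactly what the kernel extends; it does not recompute each template hash from the file hash and path fields, which a full verifier (for instance `evmctl ima_measurement` from ima-evm-utils) does as a second step. On a system that logged "activating TPM-bypass!", the first step already fails: the log replays to a non-zero value while PCR 10 is still all zeros, so nothing in the list can be attested.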
tpmdd-devel mailing list