From: "Nasim, Kam"
Subject: IMA running as a Kernel module against TPM 2.0 driver
Date: Mon, 11 Sep 2017 21:29:39 +0000
To: tpmdd-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org
List-Id: tpmdd-devel@lists.sourceforge.net

Hi folks,

I'm stumped with some issues with getting IMA to talk to the TPM interface driver, and was hoping you guys could help me out.

I am building IMA as an out-of-tree Kernel module. We are based off CentOS v7.3 which is still sitting at the Linux v3.10 baseline (sad I know!). Everything seems to be fine but when I load the IMA module, it cannot seem to do a PCR read from the TPM driver:

2017-09-11T19:06:47.438 controller-1 kernel: info [  228.152893] ima: No TPM chip found, activating TPM-bypass! (rc=-19)

We also had to build TPM as an out-of-tree Kernel module, since we had to use the in-Kernel TPM resource manager which was unavailable till Jan 2017. TPM driver is loaded and operational:

2017-09-11T19:03:07.818 controller-1 kernel: info [    5.929071] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0x1A, rev-id 16)

controller-1:~$ sudo lsmod | grep ima
ima                    47169  0
integrity               6430  1 ima

controller-1:~$ sudo lsmod | grep tpm
tpm_crb                 6458  0
tpm_tis                 5950  0
tpm_tis_core           10054  1 tpm_tis
tpm                    48093  3 tpm_crb,tpm_tis,tpm_tis_core

I've tracked down the failure to the tpm_pcr_read() in tpm-interface.c, this was added as an interface to integrity:

commit 659aaf2bb5496a425ba14036b5b5900f593e4484
Author: Rajiv Andrade <srajiv-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>
Date:   Mon Feb 2 15:23:44 2009 -0200

    TPM: integrity interface

    This patch adds internal kernel support for:
     - reading/extending a pcr value
     - looking up the tpm_chip for a given chip number

    Signed-off-by: Rajiv Andrade <srajiv@linux.vnet.ibm.com>
    Signed-off-by: Mimi Zohar <zohar-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
    Signed-off-by: James Morris jmorris-gx6/JNMH7DfYtjvyW6yDsg@public.gmane.org

The comment above the function implies that it cannot be executed if TPM is built as a Kernel module?

"The TPM driver should be built-in, but for whatever reason it
 * isn't, protect against the chip disappearing, by incrementing
 * the module usage count."

Is this understanding correct? If so then how do I get the IMA Kernel module to do a Kernel PCR read?

Any help you guys can offer me would be greatly appreciated.

Thanks,
Kam

P.S: I don't see a /sys/devices/pnp0/<pnp#>/pcrs file on my system although TSS2 commands seem to indicate that the PCR list is active
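As an added example (not part of this mail or the kernel tree): a small Python diagnostic over the two kernel log lines quoted above, which decodes the rc value into its errno name and checks whether the TPM chip registered before IMA fell back to bypass mode. The log lines are constructed from the post; the defender-relevant point is that bypass mode leaves the measurement list unanchored to PCR 10.

```python
import errno
import re

# Constructed sample: the two kernel log lines quoted in the post, with the
# quoted-printable "=3D" already decoded to "=" (not a live dmesg capture).
SAMPLE_LOG = """\
2017-09-11T19:03:07.818 controller-1 kernel: info [    5.929071] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0x1A, rev-id 16)
2017-09-11T19:06:47.438 controller-1 kernel: info [  228.152893] ima: No TPM chip found, activating TPM-bypass! (rc=-19)
"""

KMSG_RE = re.compile(r"\[\s*(?P<uptime>\d+\.\d+)\]\s+(?P<msg>.*)$")
TPM_RE = re.compile(r"^(?P<drv>tpm_\w+)\s+\S+:\s+(?P<ver>\d\.\d) TPM\b")
BYPASS_RE = re.compile(r"^ima: No TPM chip found, activating TPM-bypass! \(rc=(?P<rc>-?\d+)\)")


def parse_kmsg(text):
    """Yield (uptime_seconds, message) for each line carrying a [uptime] stamp."""
    for line in text.splitlines():
        m = KMSG_RE.search(line)
        if m:
            yield float(m.group("uptime")), m.group("msg")


def diagnose(text):
    """Summarise TPM registration and IMA PCR state from a kernel log."""
    tpm_ready_at = tpm_version = bypass_at = rc = None
    for uptime, msg in parse_kmsg(text):
        m = TPM_RE.match(msg)
        if m:
            tpm_ready_at, tpm_version = uptime, m.group("ver")
            continue
        m = BYPASS_RE.match(msg)
        if m:
            bypass_at, rc = uptime, int(m.group("rc"))
    return {
        "tpm_version": tpm_version,
        "tpm_ready_at": tpm_ready_at,
        "rc": rc,
        # tpm_pcr_read() returns a negative errno; -19 is ENODEV ("no chip").
        "errno": errno.errorcode.get(-rc) if rc is not None else None,
        "ima_bypass": bypass_at is not None,
        # In bypass mode IMA still appends to its measurement list but never
        # extends PCR 10, so the list can no longer be verified by attestation.
        "pcr_extend_active": bypass_at is None and tpm_ready_at is not None,
        # If the chip registered before IMA gave up, load ordering is not the cause.
        "tpm_before_ima": (tpm_ready_at is not None and bypass_at is not None
                           and tpm_ready_at < bypass_at),
    }
```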
