[PATCH 5/6] ima: measure TPM update counter at ima_init
Mimi Zohar
zohar at linux.ibm.com
Thu Aug 3 15:15:55 PDT 2023
On Tue, 2023-08-01 at 11:19 -0700, Tushar Sugandhi wrote:
> IMA log entries can be lost due to a variety of causes, such as code bugs
> or error conditions, leading to a mismatch between TPM PCRs and
> the IMA log. Measuring TPM PCR update counter during ima_init would
> provide a baseline counter for the number of times the TPM PCRs are
> updated. The remote attestation service can compare this baseline
> counter with a subsequent measured one (e.g., post-kexec soft-boot) to
> identify if there are any lost IMA log events.
>
> Measure the TPM update counter at ima init.
No need for separate patches for one line changes like this. Either
merge patches 5/6 and 6/6 or all three 4/6, 5/6, 6/6 together.
>
> Signed-off-by: Tushar Sugandhi <tusharsu at linux.microsoft.com>
> ---
> security/integrity/ima/ima_init.c | 3 +++
> security/integrity/ima/ima_main.c | 1 +
> 2 files changed, 4 insertions(+)
>
> diff --git a/security/integrity/ima/ima_init.c b/security/integrity/ima/ima_init.c
> index 63979aefc95f..9bb18d6c2fd6 100644
> --- a/security/integrity/ima/ima_init.c
> +++ b/security/integrity/ima/ima_init.c
> @@ -154,5 +154,8 @@ int __init ima_init(void)
> UTS_RELEASE, strlen(UTS_RELEASE), false,
> NULL, 0);
>
> + /* Measures TPM update counter at ima_init */
> + ima_measure_update_counter("ima_init_tpm_update_counter");
> +
With "ima_policy=critical_data" on the boot command line, the IMA
measurement list record looks like:
6e190cc643ff0b718485966a0300473baedface735 ima_init_tpm_update_counter 7570646174655f636f756e7465723d3330383b
Please change the "ima_init_tpm_update_counter" to something shorter
and the hex encoded ascii string and pcr counter to something readable.
Perhaps name this critical-data "tpm" and "tpm-info", similar to the
SELinux "selinux" and "selinux-state". Then again, if this is TPM
critical-data we should rethink what other info should be included.
> return rc;
> }
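Review bot: the new ima_measure_update_counter() call is dropped in right before `return rc;`, so whatever status it reports (if any) is discarded and rc still carries the result of the preceding UTS_RELEASE measurement; a failure to record the baseline counter would therefore be silent, which defeats the point of a baseline a verifier relies on, so propagate its result into rc or at least log it. The comment `/* Measures TPM update counter at ima_init */` only restates the call; say what the record is for (the baseline a remote verifier compares against a later counter to detect lost log entries), as the commit message already does.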
> diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
> index 1bcd45cc5a6a..93357c245e82 100644
> --- a/security/integrity/ima/ima_main.c
> +++ b/security/integrity/ima/ima_main.c
> @@ -1035,6 +1035,7 @@ void ima_kexec_cmdline(int kernel_fd, const void *buf, int size)
> buf, size, "kexec-cmdline", KEXEC_CMDLINE, 0,
> NULL, false, NULL, 0);
> fdput(f);
> +
> }
>
> /**
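Review bot: the only change in this hunk is a blank line inserted between `fdput(f);` and the closing brace of ima_kexec_cmdline(); it is whitespace-only, unrelated to measuring the update counter, and checkpatch reports a blank line before a closing brace as a style issue, so drop it from the series.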
Unnecessary change.
--
thanks,
Mimi
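The record Mimi quotes carries the counter as a hex-encoded ASCII buffer, and the commit message describes a verifier comparing a baseline counter with a later one. The following is an added example of that verifier-side check in Python; it is not code from the thread or from the kernel. It assumes a constructed log where each line ends with the hex buffer and the second field is the event name (real ascii_runtime_measurements lines carry more columns), a hypothetical later record named kexec_tpm_update_counter, that each IMA entry produces exactly one TPM PCR extend, and that the counter is read before the record's own extend.

```python
"""Cross-check IMA log entries against TPM PCR update-counter records."""
import re

# Constructed sample: the record quoted in the review, three ordinary entries,
# and a hypothetical later record reading "update_counter=314;".
SAMPLE_LOG = """\
6e190cc643ff0b718485966a0300473baedface735 ima_init_tpm_update_counter 7570646174655f636f756e7465723d3330383b
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa boot_aggregate 00
bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb /usr/bin/example 00
cccccccccccccccccccccccccccccccccccccccc /usr/lib/example.so 00
6e190cc643ff0b718485966a0300473baedface735 kexec_tpm_update_counter 7570646174655f636f756e7465723d3331343b
"""

COUNTER_RE = re.compile(r"update_counter=(\d+);")


def decode_buf(hex_field: str) -> str:
    """Decode the hex-encoded ASCII buffer of a critical-data record."""
    return bytes.fromhex(hex_field).decode("ascii")


def parse_counter_records(log_text: str):
    """Return [(line_index, counter)] for every *tpm_update_counter record.

    Assumes the event name is the second field and the hex buffer the last.
    """
    records = []
    for idx, line in enumerate(log_text.splitlines()):
        fields = line.split()
        if len(fields) < 3:
            continue
        name, hex_buf = fields[1], fields[-1]
        if not name.endswith("tpm_update_counter"):
            continue
        match = COUNTER_RE.search(decode_buf(hex_buf))
        if match:
            records.append((idx, int(match.group(1))))
    return records


def unaccounted_extends(log_text: str) -> int:
    """Extends the TPM saw between the two counter records that the log lacks.

    The baseline counter is read before its own entry is extended, so the
    entries from the baseline record up to (excluding) the later record should
    each account for one increment. A positive result means the TPM counted
    more extends than the log shows: lost IMA entries, or non-IMA PCR use.
    """
    recs = parse_counter_records(log_text)
    if len(recs) < 2:
        raise ValueError("need a baseline and a later counter record")
    (first_idx, first_ctr), (last_idx, last_ctr) = recs[0], recs[-1]
    logged = last_idx - first_idx
    return (last_ctr - first_ctr) - logged


if __name__ == "__main__":
    for idx, ctr in parse_counter_records(SAMPLE_LOG):
        print(f"line {idx}: update counter {ctr}")
    print("extends not in log:", unaccounted_extends(SAMPLE_LOG))
```

A non-zero result is a signal to investigate, not proof of a lost IMA entry: anything else that extends a PCR (firmware, other TPM users) also bumps the update counter, so the verifier should treat the gap as "extends unaccounted for by the log" and correlate it with the rest of the attestation evidence.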