[PATCH 4/6] ima: implement functionality to measure TPM update counter
Mimi Zohar
zohar at linux.ibm.com
Thu Aug 3 18:22:35 PDT 2023
On Thu, 2023-08-03 at 16:01 -0700, Tushar Sugandhi wrote:
> >> + scnprintf(buf, IMA_TPM_UPDATE_CTR_BUF_SIZE, "update_counter=%u;",
> >> + update_counter);
> >> +
> >> + buf_len = strlen(buf);
> >> +
> >> + result = ima_measure_critical_data("tpm_pcr_update_counter", event_name,
> >> + buf, buf_len, false, NULL, 0);
> >>
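Review bot: scnprintf() already returns the number of characters written to buf (excluding the terminating NUL), so the separate `buf_len = strlen(buf);` re-scans the buffer for a value that is already known; assigning the scnprintf() return value directly, e.g. `buf_len = scnprintf(buf, IMA_TPM_UPDATE_CTR_BUF_SIZE, "update_counter=%u;", update_counter);`, is simpler and keeps the length tied to what was actually formatted.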
> > The new record should contain everything needed to verify the
> > pcrCounter. For example, each IMA measurement record updates the
> > pcrCounter for each TPM bank enabled. So the number of enabled TPM
> > banks and number of IMA measurements should also be included in this
> > record.
> Agreed. That should be valuable information.
> How does the format below look for the buf above?
>
> version=<N>.<N>.<N>;num_enabled_pcr_banks=<N>;pcrUpdateCounter=<N>;num_ima_measurements=<N>;
Refer to comment in 5/6.
> > Perhaps include a version number as well, so that if we ever want to
> > include other information, we could.
> By version number, do you mean kernel_version, or a new version
> number specific to this record? Or something else?
This is a record version type number. The record format shouldn't
change, but we should be prepared for it changing. A single number
should be fine.
--
thanks,
Mimi
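The record format proposed above, as an added example that is not part of the thread or the patch series: a parser that validates each field and applies the relation Mimi describes (every IMA measurement extends the PCR in every enabled bank). The field names come from the proposal; treating banks * measurements as a lower bound rather than an equality is an assumption, since other PCR extends also advance the TPM counter.

```python
import re

# Field names exactly as in the proposed record format from the thread.
REQUIRED_FIELDS = ("version", "num_enabled_pcr_banks", "pcrUpdateCounter",
                   "num_ima_measurements")


def parse_tpm_update_counter_record(buf: str) -> dict:
    """Parse 'key=value;...;' into a dict; numeric fields become ints and
    version becomes a (major, minor, patch) tuple. Raises ValueError on
    malformed input so a verifier never works from a partial record."""
    if not buf.endswith(";"):
        raise ValueError("record must be ';'-terminated")
    fields = {}
    for item in buf[:-1].split(";"):
        key, sep, value = item.partition("=")
        if not sep or not key or key in fields:
            raise ValueError(f"malformed or duplicate field: {item!r}")
        fields[key] = value
    missing = [k for k in REQUIRED_FIELDS if k not in fields]
    if missing:
        raise ValueError(f"missing fields: {missing}")
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", fields["version"])
    if not m:
        raise ValueError("version must be <N>.<N>.<N>")
    rec = {"version": tuple(int(x) for x in m.groups())}
    for k in REQUIRED_FIELDS[1:]:
        if not fields[k].isdigit():
            raise ValueError(f"{k} must be an unsigned integer")
        rec[k] = int(fields[k])
    return rec


def min_expected_counter(rec: dict) -> int:
    """Floor on pcrUpdateCounter implied by the thread: every IMA
    measurement extends the PCR in every enabled bank. Assumption: other
    PCR extends (firmware, boot loader) also advance the counter, so a
    verifier can only check a lower bound, not equality."""
    return rec["num_enabled_pcr_banks"] * rec["num_ima_measurements"]


def counter_is_plausible(rec: dict) -> bool:
    return rec["pcrUpdateCounter"] >= min_expected_counter(rec)


def is_valid_record(buf: str) -> bool:
    try:
        parse_tpm_update_counter_record(buf)
    except ValueError:
        return False
    return True
```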
More information about the kexec mailing list