[PATCH 4/6] ima: implement functionality to measure TPM update counter
Tushar Sugandhi
tusharsu at linux.microsoft.com
Fri Aug 4 10:13:26 PDT 2023
On 8/3/23 18:22, Mimi Zohar wrote:
> On Thu, 2023-08-03 at 16:01 -0700, Tushar Sugandhi wrote:
>>>> + scnprintf(buf, IMA_TPM_UPDATE_CTR_BUF_SIZE, "update_counter=%u;",
>>>> + update_counter);
>>>> +
>>>> + buf_len = strlen(buf);
>>>> +
>>>> + result = ima_measure_critical_data("tpm_pcr_update_counter", event_name,
>>>> + buf, buf_len, false, NULL, 0);
>>>>
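Review bot: `buf_len = strlen(buf);` recomputes a length that `scnprintf()` has already returned; `scnprintf()` returns the number of characters actually written (excluding the terminating NUL, and never more than the buffer size minus one), so `buf_len = scnprintf(buf, IMA_TPM_UPDATE_CTR_BUF_SIZE, "update_counter=%u;", update_counter);` is simpler and drops the second pass over the buffer. The `ima_measure_critical_data()` call would also benefit from a comment that `false, NULL, 0` means the formatted string itself, not a digest of it, lands in the measurement list, since that is exactly what a remote verifier will have to parse.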
>>> The new record should contain everything needed to verify the
>>> pcrCounter. For example, each IMA measurement record updates the
>>> pcrCounter for each TPM bank enabled. So the number of enabled TPM
>>> banks and number of IMA measurements should also be included in this
>>> record.
>> Agreed. That should be valuable information.
>> How does the format below look for the buf above?
>>
>> version=<N>.<N>.<N>;num_enabled_pcr_banks=<N>;pcrUpdateCounter=<N>;num_ima_measurements=<N>;
> Refer to comment in 5/6.
Responded.
>>> Perhaps include a version number as well, so that if we ever want to
>>> include other information, we could.
>> By version number, do you mean kernel_version, or a new version
>> number specific to this record? Or something else?
> This is a record version type number. The record format shouldn't
> change, but we should be prepared for it changing. A single number
> should be fine.
>
Sounds good.
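A user-space consumer of the record format proposed above would have to parse the `key=value;` fields and check the counter against the bank and measurement counts. The following is an added example written for this page, not kernel code and not part of this patch series. The relation it checks, one counter increment per enabled PCR bank per IMA measurement, is the one stated in the thread and is taken here as an assumption; the field names are the ones from the proposed format, and the sample records are constructed.

```python
"""Parser and consistency check for the proposed TPM update-counter
record format (added example; not kernel code from the patch series)."""
import re

# Fields of the proposed format, in the order given in the thread.
RECORD_FIELDS = (
    "version",
    "num_enabled_pcr_banks",
    "pcrUpdateCounter",
    "num_ima_measurements",
)

# version=<N>.<N>.<N>
VERSION_RE = re.compile(r"^\d+\.\d+\.\d+$")


class RecordError(ValueError):
    """Raised when a record is malformed or self-inconsistent."""


def parse_tpm_counter_record(buf: str) -> dict:
    """Parse 'key=value;key=value;...' into a dict of typed fields.

    Every field in RECORD_FIELDS must appear exactly once. Unknown keys
    are rejected so the verifier never silently accepts a layout it does
    not understand; the version field is what would signal a new layout.
    """
    if not buf.endswith(";"):
        raise RecordError("record must be ';'-terminated")
    fields = {}
    for item in buf[:-1].split(";"):
        key, sep, value = item.partition("=")
        if not sep or not key or not value:
            raise RecordError(f"malformed field: {item!r}")
        if key in fields:
            raise RecordError(f"duplicate field: {key}")
        if key not in RECORD_FIELDS:
            raise RecordError(f"unknown field: {key}")
        fields[key] = value
    missing = [k for k in RECORD_FIELDS if k not in fields]
    if missing:
        raise RecordError(f"missing fields: {missing}")
    if not VERSION_RE.match(fields["version"]):
        raise RecordError(f"bad version: {fields['version']!r}")
    parsed = {"version": fields["version"]}
    for key in RECORD_FIELDS[1:]:
        if not fields[key].isdigit():
            raise RecordError(f"{key} is not an unsigned integer")
        parsed[key] = int(fields[key])
    return parsed


def ima_counter_contribution(record: dict) -> int:
    """pcrUpdateCounter increments attributable to IMA.

    Assumption taken from the thread: each IMA measurement extends every
    enabled PCR bank, so each measurement costs one increment per bank.
    """
    return record["num_ima_measurements"] * record["num_enabled_pcr_banks"]


def check_record(buf: str) -> dict:
    """Parse the record and require pcrUpdateCounter to cover the IMA
    contribution; firmware and bootloader extends only make it larger."""
    record = parse_tpm_counter_record(buf)
    expected = ima_counter_contribution(record)
    if record["pcrUpdateCounter"] < expected:
        raise RecordError(
            f"pcrUpdateCounter {record['pcrUpdateCounter']} below IMA "
            f"contribution {expected}"
        )
    # Increments that came from something other than IMA (constructed
    # derived value, useful when comparing against the firmware event log).
    record["non_ima_increments"] = record["pcrUpdateCounter"] - expected
    return record


# Constructed sample records, not output from a real system.
GOOD_RECORD = ("version=1.0.0;num_enabled_pcr_banks=2;"
               "pcrUpdateCounter=57;num_ima_measurements=20;")
BAD_RECORD = ("version=1.0.0;num_enabled_pcr_banks=2;"
              "pcrUpdateCounter=30;num_ima_measurements=20;")

if __name__ == "__main__":
    print(check_record(GOOD_RECORD))
    try:
        check_record(BAD_RECORD)
    except RecordError as err:
        print("rejected:", err)
```

The strict rejection of unknown keys is deliberate: a verifier written against version 1.x of the record knows exactly which fields to expect, and a later kernel that adds a field would bump the version rather than rely on consumers ignoring what they do not recognise.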
More information about the kexec mailing list