Hi Mimi,

Yes, you are right. Now I got both.
I think the first time IMA wasn't really enabled properly. So I only saw tpm0 and no ima directory under /sys/kernel/security/.
Now I see both.

Thanks for the help.

David


On Friday, August 5, 2011, Mimi Zohar <zohar@linux.vnet.ibm.com> wrote:
> On Thu, 2011-08-04 at 17:56 -0700, David Li wrote:
>>
>> Hi Mimi,
>>
>> I used your latest test code and added ima_tcb and ima=on to the
>> kernel cmds.  I still got the same error. Any suggestions? -
>> Thanks.
>>
>>
>> -bash-4.1# ./ima_measure /sys/kernel/security/tpm0/binary_bios_measurements --verbose
>> ### PCR HASH                                  TEMPLATE-NAME
>>   0 000  08 00 00 00 29 8D F1 25 B2 60 EF 64 20 1B DF 08 15 C0 03
>> 87248900926 ERROR: event name too long!
>>
>>
>> -bash-4.1# cat /proc/cmdline
>> initrd=initramfs-2.6.32-131.6.1.el6.cs.x86_64.img mem=8G root=xyz rw
>> ima_tcb ima=on BOOT_IMAGE=vmlinuz-2.6.32-131.6.1.el6.cs.x86_64
>>
>> Regards,
>>
>>
>> David
>
> Sorry, it's a bit confusing. There are two similarly named
> files /sys/kernel/security/tpm0/binary_bios_measurements
> and /sys/kernel/security/ima/binary_runtime_measurements.  The input to
> ima_boot_aggregate is the first; the input to ima_measure is the latter.
>
> thanks,
>
> Mimi
>
>

--
Regards,

David
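
Added example (not part of the thread and not the ima_measure source): a minimal Python parser for the original "ima" template layout of binary_runtime_measurements, showing why a TCG BIOS event log fed to it fails the name-length check. The BIOS log carries an extra event-type field after the PCR index, so every later field is read four bytes off. Assumptions: little-endian host, SHA-1 digests, and constructed sample bytes in place of real measurements.

```python
import hashlib
import struct

SHA1_LEN = 20
NAME_LEN_MAX = 255  # IMA_EVENT_NAME_LEN_MAX in the kernel's IMA code

def parse_ima_runtime(buf):
    """Parse original "ima"-template entries (binary_runtime_measurements layout)."""
    entries, off = [], 0

    def take(n, what):
        nonlocal off
        if off + n > len(buf):
            raise ValueError(f"entry {len(entries)}: truncated {what}")
        chunk = buf[off:off + n]
        off += n
        return chunk

    def take_len(what):
        (n,) = struct.unpack("<I", take(4, what))  # little-endian host assumed
        if n > NAME_LEN_MAX:
            raise ValueError(f"entry {len(entries)}: {what} {n} too long; "
                             "input is probably not an IMA measurement list")
        return n

    while off < len(buf):
        (pcr,) = struct.unpack("<I", take(4, "PCR index"))
        template_hash = take(SHA1_LEN, "template hash")
        template = take(take_len("template name length"), "template name").decode("ascii", "replace")
        file_hash = take(SHA1_LEN, "file hash")
        path = take(take_len("file name length"), "file name").decode("utf-8", "replace")
        entries.append({"pcr": pcr, "template_hash": template_hash.hex(),
                        "template": template, "file_hash": file_hash.hex(), "path": path})
    return entries

def _ima_entry(path):  # constructed sample entry; hashes are stand-ins, not real measurements
    h = hashlib.sha1(path).digest()
    return (struct.pack("<I", 10) + h + struct.pack("<I", 3) + b"ima"
            + h + struct.pack("<I", len(path)) + path)

SAMPLE_IMA = _ima_entry(b"boot_aggregate") + _ima_entry(b"/sbin/init")

# Constructed TCG BIOS event: PCR index, event type, SHA-1 digest, event size, event data.
SAMPLE_BIOS = (struct.pack("<II", 0, 8) + bytes(range(0x29, 0x3D))
               + struct.pack("<I", 4) + b"\x01\x02\x03\x04")

if __name__ == "__main__":
    for e in parse_ima_runtime(SAMPLE_IMA):
        print(e["pcr"], e["template_hash"], e["template"], e["path"])
    try:
        parse_ima_runtime(SAMPLE_BIOS)
    except ValueError as err:
        print("BIOS log rejected:", err)
```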