Hi Mimi,

A few more questions. Maybe this is because I am not familiar with the TPM specs.

 1. For boot measurements, I don't quite understand the contents in tpm0/ascii_bios_measurements:
------------------------
-bash-4.1# cat ascii_bios_measurements
 0 298df125b260ef64201bdf0815c003873eedd50e 08 [S-CRTM Version]
 0 601c176e940570ac499814b48464e40e3ace1e24 80000008 []
 0 530983fd9caddb20e6f0da59e05f1c66b4d170c8 80000008 []
 2 753287ecae33ed00090081a45280a2b81777b7a5 80000004 []
 2 94c047a4256e04cccc99e43fdc6bb4c1cdef1ec3 80000004 []
 2 b3b175a24d63c62c2c64bfd66a4a0de41bef105b 80000004 []
 2 6b5a2268e60f5bdaa80f164f9e5d8bf88cb130c2 80000005 []
 2 6b5a2268e60f5bdaa80f164f9e5d8bf88cb130c2 80000005 []
 2 6b5a2268e60f5bdaa80f164f9e5d8bf88cb130c2 80000005 []
 2 6b5a2268e60f5bdaa80f164f9e5d8bf88cb130c2 80000005 []
<snip>

The 1st col is the PCR#.

Is the 2nd col the hash value corresponding to some BIOS executable or file?  Why do some of them have the same hash value for the same PCR?

What's the 3rd col? 

Are all BIOS boot measurements stored in PCR0-7?

Which PCR stores the boot_aggregate hash value?

2. For run time measurements in /sys/kernel/security/ima/ascii_runtime_measurements:
----------------------------------------------------------------
10 69d8e44453545591bedff7503598be62f0182cc6 ima ee3b9bfb435482e64a5fca0ea60f2d3de0698dd9 boot_aggregate
10 9ac8605fbbfa5d8ba909b635c7b7ad4a654a8eb5 ima 78cdc547d4a9930ad6e7880f18a496785538e13e /init
10 d0ac68b0927683a741efc10b886a76cb4c99926a ima b30285be1079de1138b669180955a3ba54e1ee84 /init
10 5c1abd04e37ae96ab0eea44ca8edb628c3053ae4 ima 06309cd5fae6e9bddc73cd2fe8f3e6167106c227 ld-2.12.so
10 516910c25617785536dd83ee8b621ce4a8097a0a ima d0960a31ea00318947d0e2d7b866dbda69d1dc88 ld.so.cache

Why do we need both template and filedata hash values? It seems ima_measure only uses the template hash value.

My calculated PCRAggr (re-calculated): DE C7 CC ED 07 06 22 F0 C8 2D 95 2E A4 DE D5 AC F7 24 2B 99
doesn't match
-bash-4.1# cat /sys/devices/pnp0/00:09/pcrs | grep PCR-10
PCR-10: B0 C0 81 C2 93 A7 42 09 60 01 99 68 80 69 C2 E1 25 04 38 0C

I noticed that in http://linux-ima.sourceforge.net/, it's /sys/devices/pnp0/00.0a/pcrs but in my case, "pcrs" is in /sys/devices/pnp0/00.09/. Does this make a difference?
Or maybe this is because the real-time measurement is continuously changing and being updated but the values in "pcrs" don't. Is this true?

Thanks and Regards,

David
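Editor's added example, not code from this thread or from the linux-ima test tools, showing how the two hashes in the runtime list relate and how a verifier replays PCR-10 from it. With the old "ima" template the filedata hash is the SHA1 of the file contents, and the template hash is the SHA1 over that 20-byte digest followed by the file name NUL-padded to 256 bytes (IMA_EVENT_NAME_LEN_MAX + 1). The template hash is the value the kernel extended into PCR-10, so a verifier recomputes it from the other two fields, extends a zeroed PCR with it entry by entry (an all-zero template hash marks a violation entry, which the kernel extended as twenty 0xff bytes instead), and compares the result with the TPM's reading in the format the `pcrs` sysfs file uses. boot_aggregate is the SHA1 of PCR 0 through 7 concatenated. All sample values below are constructed (fake PCR 0-7 values, fake file digests) and the `pcrs` text is synthesized to match them; the template layout and violation rule are stated for the 2.6.32-era "ima" template only, and the function names are my own.

```python
"""Replay an IMA measurement list (old 'ima' template, SHA1/TPM 1.2) and
check it against the TPM's 'pcrs' sysfs file.  All sample data is constructed."""
import hashlib

SHA1_LEN = 20
# Old 'ima' template data: 20-byte file digest followed by the file name
# NUL-padded to IMA_EVENT_NAME_LEN_MAX + 1 = 256 bytes (assumed layout, see lead-in).
NAME_FIELD_LEN = 256
ZERO_DIGEST = bytes(SHA1_LEN)
VIOLATION_DIGEST = b"\xff" * SHA1_LEN


def ima_template_hash(filedata_hash, filename):
    """Template hash = SHA1(filedata_hash || filename NUL-padded to 256 bytes)."""
    name = filename.encode()[:NAME_FIELD_LEN]
    return hashlib.sha1(filedata_hash + name.ljust(NAME_FIELD_LEN, b"\0")).digest()


def pcr_extend(pcr, digest):
    """TPM 1.2 extend: new PCR = SHA1(old PCR || digest)."""
    return hashlib.sha1(pcr + digest).digest()


def parse_ascii_runtime_measurements(text):
    """Parse 'PCR template-hash ima filedata-hash filename' lines.
    The name is the last field and may contain spaces; only 'ima' is handled."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pcr, thash, tname, fhash, fname = line.split(None, 4)
        if tname != "ima":
            raise ValueError("unsupported template %r" % tname)
        entries.append((int(pcr), bytes.fromhex(thash), bytes.fromhex(fhash), fname))
    return entries


def replay_pcr(entries, pcr_index=10):
    """Replay the list into a zeroed PCR.  An all-zero template hash is a
    violation entry (extended as 0xff..ff); every other entry's template hash
    is recomputed from the file hash and name before it is extended."""
    pcr = ZERO_DIGEST
    for idx, thash, fhash, fname in entries:
        if idx != pcr_index:
            continue
        if thash == ZERO_DIGEST:
            pcr = pcr_extend(pcr, VIOLATION_DIGEST)
        elif ima_template_hash(fhash, fname) != thash:
            raise ValueError("template hash mismatch for %s" % fname)
        else:
            pcr = pcr_extend(pcr, thash)
    return pcr


def parse_pcrs(text):
    """Parse the TPM driver's sysfs format: 'PCR-10: B0 C0 81 ...'."""
    pcrs = {}
    for line in text.splitlines():
        if line.startswith("PCR-"):
            label, hexbytes = line.split(":", 1)
            pcrs[int(label[4:])] = bytes.fromhex(hexbytes.replace(" ", ""))
    return pcrs


def boot_aggregate(pcrs):
    """boot_aggregate = SHA1(PCR0 || PCR1 || ... || PCR7)."""
    h = hashlib.sha1()
    for i in range(8):
        h.update(pcrs[i])
    return h.digest()


def verify_measurement_list(ascii_text, pcrs_text):
    """True if the first entry is a boot_aggregate matching PCR0-7 and the
    replayed list equals the TPM's PCR; False on any mismatch or parse error."""
    try:
        entries = parse_ascii_runtime_measurements(ascii_text)
        pcrs = parse_pcrs(pcrs_text)
        first_pcr, _thash, fhash, fname = entries[0]
        if fname != "boot_aggregate" or fhash != boot_aggregate(pcrs):
            return False
        return replay_pcr(entries, first_pcr) == pcrs[first_pcr]
    except (ValueError, KeyError, IndexError):
        return False


def make_sample_list():
    """Constructed sample, not real measurements: fake PCR0-7 values, a
    boot_aggregate entry, two files, one violation, and matching pcrs text."""
    pcrs = {i: hashlib.sha1(b"constructed PCR %d" % i).digest() for i in range(8)}
    files = [(boot_aggregate(pcrs), "boot_aggregate"),
             (hashlib.sha1(b"constructed /init").digest(), "/init"),
             (ZERO_DIGEST, "/tmp/open-writers"),  # violation entry: zero digests
             (hashlib.sha1(b"constructed ld.so").digest(), "ld-2.12.so")]
    lines = []
    for digest, name in files:
        thash = ZERO_DIGEST if digest == ZERO_DIGEST else ima_template_hash(digest, name)
        lines.append("10 %s ima %s %s" % (thash.hex(), digest.hex(), name))
    ascii_text = "\n".join(lines) + "\n"
    pcrs[10] = replay_pcr(parse_ascii_runtime_measurements(ascii_text))
    pcrs_text = "".join("PCR-%02d: %s\n" % (i, " ".join("%02X" % b for b in v))
                        for i, v in sorted(pcrs.items()))
    return ascii_text, pcrs_text
```

Usage: `verify_measurement_list(open(".../ima/ascii_runtime_measurements").read(), open(".../pcrs").read())`. The comparison is only meaningful for a matched pair of reads: the runtime list grows every time a new file is measured, and each such measurement also extends PCR-10, so a measurement that lands between reading the list and reading `pcrs` makes the replay of the list copy you hold fall short of the PCR value by exactly those entries.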



On Fri, Aug 5, 2011 at 8:23 AM, David Li <w.david.li@gmail.com> wrote:
Hi Mimi,

Yes, you are right. Now I got both.
I think the first time IMA wasn't really enabled properly. So I only saw tpm0 and no ima directory under /sys/kernel/security/.
Now I see both.

Thanks for the help.

David



On Friday, August 5, 2011, Mimi Zohar <zohar@linux.vnet.ibm.com> wrote:
> On Thu, 2011-08-04 at 17:56 -0700, David Li wrote:
>>
>> Hi Mimi,
>>
>> I used your latest test code and added ima_tcb and ima=on to the
>> kernel cmds.  I still got the same error. Any suggestions? -
>> Thanks.
>>
>>
>> -bash-4.1# ./ima_measure /sys/kernel/security/tpm0/binary_bios_measurements --verbose
>> ### PCR HASH                                  TEMPLATE-NAME
>>   0 000  08 00 00 00 29 8D F1 25 B2 60 EF 64 20 1B DF 08 15 C0 03
>> 87248900926 ERROR: event name too long!
>>
>>
>> -bash-4.1# cat /proc/cmdline
>> initrd=initramfs-2.6.32-131.6.1.el6.cs.x86_64.img mem=8G root=xyz rw
>> ima_tcb ima=on BOOT_IMAGE=vmlinuz-2.6.32-131.6.1.el6.cs.x86_64
>>
>> Regards,
>>
>>
>> David
>
> Sorry, it's a bit confusing. There are two similarly named
> files /sys/kernel/security/tpm0/binary_bios_measurements
> and /sys/kernel/security/ima/binary_runtime_measurements.  The input to
> ima_boot_aggregate is the first; the input to ima_measure is the latter.
>
> thanks,
>
> Mimi
>
>

--
Regards,

David