From: Shaz <sha...@gm...> - 2009-06-13 04:51:58
On Sat, Jun 13, 2009 at 9:36 AM, Shahbaz Khan <sha...@gm...> wrote:
>
> On Fri, 2009-06-12 at 20:44 +0600, Shahbaz Khan wrote:
> > On Fri, Jun 12, 2009 at 8:33 PM, Shahbaz Khan<sha...@gm...> wrote:
> > > On Fri, Jun 12, 2009 at 11:59 AM, Shahbaz Khan<sha...@gm...> wrote:
> > >> Hi,
> > >>
> > >> I am using Intel Q45 Express chipset with TPM version 1.2 specs of
> > >> TCG. The kernel version is 2.6.30. Problem is that the TPM drivers
> > >> cannot provide functionality to the TCG TSS giving error message:
> > >>
> > >> "TCSD TDDL ERROR: Could not find a device to open!"
> > >>
> > >> The device node in /dev is also not being created which should be
> > >> "/dev/tpm". If created manually then still it does not work.
>
> Someone mentioned that there are problems with the Intel chip, but
> you're better off searching the tpmdd-devel list. Perhaps this applies:
> hhttp://sourceforge.net/mailarchive/forum.php?thread_name=200811280943427180885%40gmail.com&forum_name=tpmdd-devel
>
> > > The same is true for the IMA service. I checked the kernel security
> > > configuration for IMA test mode like in conventional IMA but could not
> > > find any IMA test mode. Can we somehow run this new integrity module
> > > without IMA?
> >
> > Sorry, i meant without TPM. Can IMA service run without TPM?
>
> Thanks for clarifying. Yes, it goes into Bypass mode if it doesn't find
> a TPM. The first entry containing the boot-aggregate
> in /sys/kernel/security/ima/ascii_runtime_measurements will be 0.
>
> > >
> > > I get "TPM Device not found: TPM Bypass" and no directories are
> > > created in /sys/kernel/security for IMA. Similar issues are also being
> > > faced in 2.6.26-rc8.
>
> Is securityfs mounted? In addition, you'll want to mount the filesystem
> with i_version support.

Thanks Mimi. Got IMA working without TPM. I have no idea what this
i_version is and how to enable it? Can someone please indicate some
information on this?

> > >>
> > >> What should be done?
> > >>
> > >> Thanks.
> > >>
> > >> --
> > >> Shaz
>
> I've added IMA testcases to LTP.

I am interested in measuring SELinux policies, especially the loadable
policy modules. I was not able to comprehend LTP scripts clearly.

/sys/kernel/security/ima/policy vanishes if I try to open it for
writing into it! This was my comprehension of the LTP script
load_policy.sh :(

Please some help needed here to understand. Some indication to good
literature will be appreciated. I am well read on conventional IMA
(LSM based) and SELinux so what else should be read to understand how
LIM based IMA works.

>
> Mimi

Apologies for the messy email. Had to do this for record.

--
Shaz
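The three conditions raised in the quoted replies above (securityfs mounted, an i_version option on the measured filesystem, a zero boot-aggregate when IMA runs in TPM-bypass mode), as an added shell example that is not from either poster. The function names and sample data are constructed here; the code assumes the `ascii_runtime_measurements` layout `PCR template-hash template-name file-hash path` and accepts either `iversion` or `i_version` as the option spelling.

```shell
#!/bin/sh
# Each function reads text on stdin, so it can be fed a live file or a sample.

# securityfs must be mounted on /sys/kernel/security for ima/ to appear there.
securityfs_mounted() {
    awk '$2 == "/sys/kernel/security" && $3 == "securityfs" { found = 1 }
         END { exit !found }'
}

# Succeeds if the mount at mountpoint $1 lists an i_version option.
has_iversion() {
    awk -v mp="$1" '
        $2 == mp {
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++)
                if (opt[i] == "iversion" || opt[i] == "i_version") found = 1
        }
        END { exit !found }'
}

# Prints "bypass" if the first entry is boot_aggregate with an all-zero
# digest, "tpm" if the digest is non-zero, "unknown" for anything else.
boot_aggregate_state() {
    awk 'NR == 1 {
            digest = $4
            sub(/^[a-z0-9]+:/, "", digest)   # drop an optional "algo:" prefix
            if ($NF != "boot_aggregate") state = "unknown"
            else if (digest ~ /^0+$/)    state = "bypass"
            else                         state = "tpm"
         }
         END { print (state == "" ? "unknown" : state) }'
}

# Constructed sample in /proc/mounts format (not captured from a real system).
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,i_version 0 0
securityfs /sys/kernel/security securityfs rw 0 0
/dev/sda2 /home ext4 rw,noatime 0 0'

# Constructed measurement list as it would look in TPM-bypass mode.
SAMPLE_LOG='10 1234567890abcdef1234567890abcdef12345678 ima 0000000000000000000000000000000000000000 boot_aggregate
10 abcdef1234567890abcdef1234567890abcdef12 ima 89abcdef0123456789abcdef0123456789abcdef /init'

# Live use: securityfs_mounted < /proc/mounts
#           boot_aggregate_state < /sys/kernel/security/ima/ascii_runtime_measurements
echo "sample log: $(printf '%s\n' "$SAMPLE_LOG" | boot_aggregate_state)"
```
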
From: Mimi Z. <zo...@li...> - 2009-06-17 20:59:46
On Sat, 2009-06-13 at 10:51 +0600, Shaz wrote:
> On Sat, Jun 13, 2009 at 9:36 AM, Shahbaz Khan <sha...@gm...> wrote:

< snip >

> > Is securityfs mounted? In addition, you'll want to mount the filesystem
> > with i_version support.
>
> Thanks Mimi. Got IMA working without TPM. I have no idea what this
> i_version is and how to enable it? Can someone please indicate some
> information on this?

Please take a look at the updated linux-ima web page
http://linux-ima.sourceforge.net/. Hopefully this will help get you
started using the in kernel IMA.

Mimi
From: Shaz <sha...@gm...> - 2009-06-19 03:14:36
On Thu, Jun 18, 2009 at 2:59 AM, Mimi Zohar <zo...@li...> wrote:
> On Sat, 2009-06-13 at 10:51 +0600, Shaz wrote:
> > On Sat, Jun 13, 2009 at 9:36 AM, Shahbaz Khan <sha...@gm...> wrote:
> < snip >
> > > Is securityfs mounted? In addition, you'll want to mount the filesystem
> > > with i_version support.
> >
> > Thanks Mimi. Got IMA working without TPM. I have no idea what this
> > i_version is and how to enable it? Can someone please indicate some
> > information on this?
>
> Please take a look at the updated linux-ima web page
> http://linux-ima.sourceforge.net/. Hopefully this will help get you
> started using the in kernel IMA.

It has a good description, especially pointing to the documentation of
ima_policy in Documentation. :) Thanks.

>
> Mimi

--
Shaz
From: Shaz <sha...@gm...> - 2009-06-13 07:43:35
On Sat, Jun 13, 2009 at 10:51 AM, Shaz<sha...@gm...> wrote:
> On Sat, Jun 13, 2009 at 9:36 AM, Shahbaz Khan <sha...@gm...> wrote:
>>
>> On Fri, 2009-06-12 at 20:44 +0600, Shahbaz Khan wrote:
>> > On Fri, Jun 12, 2009 at 8:33 PM, Shahbaz Khan<sha...@gm...> wrote:
>> > > On Fri, Jun 12, 2009 at 11:59 AM, Shahbaz Khan<sha...@gm...> wrote:
>> > >> Hi,
>> > >>
>> > >> I am using Intel Q45 Express chipset with TPM version 1.2 specs of
>> > >> TCG. The kernel version is 2.6.30. Problem is that the TPM drivers
>> > >> cannot provide functionality to the TCG TSS giving error message:
>> > >>
>> > >> "TCSD TDDL ERROR: Could not find a device to open!"
>> > >>
>> > >> The device node in /dev is also not being created which should be
>> > >> "/dev/tpm". If created manually then still it does not work.
>>
>> Someone mentioned that there are problems with the Intel chip, but
>> you're better off searching the tpmdd-devel list. Perhaps this applies:
>> hhttp://sourceforge.net/mailarchive/forum.php?thread_name=200811280943427180885%40gmail.com&forum_name=tpmdd-devel
>>
>> > > The same is true for the IMA service. I checked the kernel security
>> > > configuration for IMA test mode like in conventional IMA but could not
>> > > find any IMA test mode. Can we somehow run this new integrity module
>> > > without IMA?
>> >
>> > Sorry, i meant without TPM. Can IMA service run without TPM?
>>
>> Thanks for clarifying. Yes, it goes into Bypass mode if it doesn't find
>> a TPM. The first entry containing the boot-aggregate
>> in /sys/kernel/security/ima/ascii_runtime_measurements will be 0.
>>
>> > >
>> > > I get "TPM Device not found: TPM Bypass" and no directories are
>> > > created in /sys/kernel/security for IMA. Similar issues are also being
>> > > faced in 2.6.26-rc8.
>>
>> Is securityfs mounted? In addition, you'll want to mount the filesystem
>> with i_version support.
>
> Thanks Mimi. Got IMA working without TPM. I have no idea what this
> i_version is and how to enable it? Can someone please indicate some
> information on this?
>
>>
>> > >>
>> > >> What should be done?
>> > >>
>> > >> Thanks.
>> > >>
>> > >> --
>> > >> Shaz
>>
>> I've added IMA testcases to LTP.
>
> I am interested in measuring SELinux policies, especially the loadable
> policy modules. I was not able to comprehend LTP scripts clearly.

I am confusing something but got the selinux policy and LPM
measurements as I needed it. So my issues are solved but would
appreciate help in my confusions regarding "i_version" and LTP.
Thanks.

>
> /sys/kernel/security/ima/policy vanishes if I try to open it for
> writing into it! This was my comprehension of the LTP script
> load_policy.sh :(
>
> Please some help needed here to understand. Some indication to good
> literature will be appreciated. I am well read on conventional IMA
> (LSM based) and SELinux so what else should be read to understand how
> LIM based IMA works.
>
>>
>> Mimi
>
> Apologies for the messy email. Had to do this for record.
>
> --
> Shaz
>

--
Shaz