I'm using xen-3.2.0 with IMA patched in; my kernel version is CentOS 5.2.

I can see that IMA works well after I make tpm a kernel module in Dom0.

The patch (ibm_ima_v7.2_2.6.18.3.patch) seems to change module_init to fs_initcall in tpm_tis and other vendors' drivers. However, the front-end tpm driver inside the DomU is different. There are only tpm_xen and tpm_vtpm, and the entry point is located in the former, so I tried to manually change the init type from module_init to fs_initcall in tpm_xen.c, intending to initialize the tpm driver before IMA. But it didn't work, as shown below:

Started domain fc8
Linux version (root@localhost.localdomain) (gcc version 4.1.2 20071124 (Red Hat 4.1.2-42)) #4 SMP Mon Jul 28 21:20:05 CST 2008
BIOS-provided physical RAM map:
 Xen: 0000000000000000 - 0000000020800000 (usable)
0MB HIGHMEM available.
520MB LOWMEM available.
NX (Execute Disable) protection: active
Allocating PCI resources starting at 30000000 (gap: 20800000:df800000)
Detected 2992.736 MHz processor.
Built 1 zonelists.  Total pages: 133120
Kernel command line: root=LABEL=/ ima=1 selinux=0
Enabling fast FPU save and restore... done.
Enabling unmasked SIMD FPU exception support... done.
Initializing CPU#0
PID hash table entries: 4096 (order: 12, 16384 bytes)
Xen reported: 2992.500 MHz processor.
Console: colour dummy device 80x25
Dentry cache hash table entries: 131072 (order: 7, 524288 bytes)
Inode-cache hash table entries: 65536 (order: 6, 262144 bytes)
Software IO TLB disabled
vmalloc area: e1000000-f53fe000, maxmem 2d7fe000
Memory: 510096k/532480k available (1955k kernel code, 14104k reserved, 519k data, 148k init, 0k highmem)
Checking if this processor honours the WP bit even in supervisor mode... Ok.
Calibrating delay using timer specific routine.. 5990.76 BogoMIPS (lpj=29953849)
Security Framework v1.0.0 initialized
Mount-cache hash table entries: 512
CPU: Trace cache: 12K uops, L1 D cache: 16K
CPU: L2 cache: 2048K
Checking 'hlt' instruction... OK.
SMP alternatives: switching to UP code
Brought up 1 CPUs
checking if image is initramfs... it is
Freeing initrd memory: 4596k freed
NET: Registered protocol family 16
SMP alternatives: switching to SMP code
Initializing CPU#1
CPU: Trace cache: 12K uops, L1 D cache: 16K
CPU: L2 cache: 2048K
Brought up 2 CPUs
suspend: event channel 9
xen_mem: Initialising balloon driver.
xen_tpm_fr: Initialising the vTPM driver.
NET: Registered protocol family 2
IP route cache hash table entries: 32768 (order: 5, 131072 bytes)
TCP established hash table entries: 131072 (order: 8, 1048576 bytes)
TCP bind hash table entries: 65536 (order: 7, 524288 bytes)
TCP: Hash tables configured (established 131072 bind 65536)
TCP reno registered
Initializing Cryptographic API
IBM Integrity Measurement Architecture (IBM IMA v7.2 11/22/2006).
Kernel panic - not syncing: IMA: TPM/no support and IMA not in test mode!

I got a kernel panic, but the line "xen_tpm_fr: Initialising the vTPM driver" is just before the IMA line. I tried to catch the rc value from tpm_pcr_read: it is 10, and then after be32_to_cpu it is 31 in the end; I should get a 0 to pass through ima_measure_init. Why is that? IMA can't connect to the tpm as it did in Dom0? I think the architecture is different.

I have no idea about using IMA in DomU. Is there a special patch in xen3.2? Do I need to make more changes in the tpm-front driver? Can IMA work in DomU at present?