Thanks Reiner, I will look into these options.
- Lavina

On Sat, May 10, 2008 at 9:34 AM, Reiner Sailer <sailer@us.ibm.com> wrote:
Hi Lavina,

IMA does simply require that there is a device interface such as a hardware
TPM offers. This can either be implemented by a kernel driver based on a
real hardware TPM or by a kernel driver based on a 'virtual TPM' (software
TPM). Hence, IMA runs within a virtual machine, but to leverage it for
attestation, the VM must have configured either a hardware or a virtual
TPM. IMA runs the same way inside a VM as it runs inside a normal Linux
kernel.

Trust model:
There have been multiple approaches. Here is what we have been thinking about:
http://www.usenix.org/events/sec06/tech/full_papers/berger/berger.pdf

Xen Implementation of vTPM (there is a xen-user mailing list if you have
deeper questions about the Xen-vTPM):
http://www.cl.cam.ac.uk/research/srg/netos/xen/readmes/user/user.html#SECTION03240000000000000000

Reiner
__________________________________________________________
Reiner Sailer, RSM and Manager Security Services (GSAL) Team
IBM T J Watson Research Ctr, 19 Skyline Drive, Hawthorne NY 10532
Phone: 914 784 6280  (t/l 863)  Fax: 914 784 6205, sailer@us.ibm.com
http://www.research.ibm.com/people/s/sailer/


  From:       "Lavina Jain" <lavina.jain@gmail.com>

  To:         Reiner Sailer/Watson/IBM@IBMUS

  Cc:         linux-ima-user@lists.sourceforge.net

  Date:       05/10/2008 03:50 AM

  Subject:    Re: [Linux-ima-user] no TPM chip found


Hi Reiner,

Many thanks. Compiling TPM into the kernel worked. I was earlier loading it
as a module.
Another question: Does IMA work in a virtual machine? Or for that matter is
there any way to talk to TPM (using trousers or tpm-tools) from a virtual
machine. I guess this depends on the virtualization tool being used. I have
not been able to figure out a way to access the underlying TPM chip
directly from a virtual machine.

Another approach could be to write an application which talks to TPM in
host OS and then let an application in guest OS call this application in
host OS. Can you please give me some pointers in this direction?

Kind Regards,
Lavina

On Fri, May 9, 2008 at 10:09 PM, Reiner Sailer <sailer@us.ibm.com> wrote:
 Hi Lavina,

 did you compile the TPM into the kernel or is it loaded as a module? It
 must be compiled into the kernel.

 IMA requires the TPM to be available early at boot time before modules
 can be loaded.

 Reiner
 __________________________________________________________
 Reiner Sailer, RSM and Manager Security Services (GSAL) Team
 IBM T J Watson Research Ctr, 19 Skyline Drive, Hawthorne NY 10532
 Phone: 914 784 6280  (t/l 863)  Fax: 914 784 6205, sailer@us.ibm.com
 http://www.research.ibm.com/people/s/sailer/
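The following is an added example and not code from the thread or from the IMA project. It turns the two diagnostics the thread hinges on into a repeatable check: Reiner's point above that the TPM driver must be built into the kernel (not loaded as a module, because IMA needs the TPM before any module can load), and the "TPM/BYPASS - no TPM chip found" symptom from Lavina's dmesg output. The same check applies inside a VM, where Reiner's later reply notes the kernel must see either a hardware or a virtual TPM. CONFIG_TCG_TPM and CONFIG_TCG_TIS are the real Kconfig symbols for the TPM core and the tpm_tis driver; the builtin/module/absent and bypass/active/absent labels, the function names and the sample files are this script's own constructions.

```sh
#!/bin/sh
# Added example, not code from the thread or from the IMA project.
# Checks (1) whether the TPM core and tpm_tis driver are built into the
# kernel (CONFIG_TCG_TPM / CONFIG_TCG_TIS = y) rather than built as
# modules, and (2) whether IMA announced a TPM at boot or fell back to
# "TPM/BYPASS". Status labels and sample files below are this script's own.

# config_status SYMBOL FILE
#   Prints builtin / module / absent for CONFIG_<SYMBOL> in a kernel config
#   file (e.g. /boot/config-$(uname -r) or the .config of the IMA build).
config_status() {
    sym="CONFIG_$1"; cfg="$2"
    if grep -q "^${sym}=y\$" "$cfg"; then
        echo builtin
    elif grep -q "^${sym}=m\$" "$cfg"; then
        echo module
    else
        echo absent
    fi
}

# ima_tpm_mode FILE
#   Reads saved dmesg output. Prints bypass if IMA logged the
#   "TPM/BYPASS - no TPM chip found" line quoted in the thread, active if
#   the IMA banner is present without it, absent if there is no banner.
ima_tpm_mode() {
    log="$1"
    if grep -q 'IMA (TPM/BYPASS' "$log"; then
        echo bypass
    elif grep -q 'Integrity Measurement Architecture' "$log"; then
        echo active
    else
        echo absent
    fi
}

# check_ima_ready CONFIG DMESG
#   Returns 0 only when both TPM symbols are built in and IMA is not in
#   bypass mode; otherwise prints what to fix and returns 1.
check_ima_ready() {
    rc=0
    for sym in TCG_TPM TCG_TIS; do
        st=$(config_status "$sym" "$1")
        if [ "$st" != builtin ]; then
            echo "CONFIG_$sym is $st: set it to y and rebuild; modules load too late for IMA"
            rc=1
        fi
    done
    if [ "$(ima_tpm_mode "$2")" = bypass ]; then
        echo "IMA is in TPM/BYPASS mode: measurements are not being extended into the TPM"
        rc=1
    fi
    return $rc
}

# Constructed sample inputs (not real files from the thread's machine).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/config-module" <<'EOF'
CONFIG_TCG_TPM=m
CONFIG_TCG_TIS=m
CONFIG_TCG_ATMEL=m
EOF
cat > "$SAMPLE_DIR/config-builtin" <<'EOF'
CONFIG_TCG_TPM=y
CONFIG_TCG_TIS=y
# CONFIG_TCG_ATMEL is not set
EOF
# The dmesg lines Lavina quoted (TPM as modules, IMA fell back to bypass).
cat > "$SAMPLE_DIR/dmesg-bypass" <<'EOF'
[    5.360000] IBM Integrity Measurement Architecture (IBM IMA v8.3 10/09/2007).
[    5.360000]     IMA (test mode)
[    5.360000]     IMA (TPM/BYPASS - no TPM chip found)
EOF
# Constructed success case: the thread does not show the line IMA prints
# when it finds the TPM, so this sample simply lacks the BYPASS line.
cat > "$SAMPLE_DIR/dmesg-ok" <<'EOF'
[    5.360000] IBM Integrity Measurement Architecture (IBM IMA v8.3 10/09/2007).
[    5.360000]     IMA (test mode)
EOF

# On a real system: check_ima_ready /boot/config-$(uname -r) /var/log/dmesg
# Below: the failing setup from the thread, then the fixed one.
for combo in "config-module dmesg-bypass" "config-builtin dmesg-ok"; do
    set -- $combo
    if check_ima_ready "$SAMPLE_DIR/$1" "$SAMPLE_DIR/$2"; then
        echo "$1 + $2: IMA ready"
    else
        echo "$1 + $2: not ready"
    fi
done
```

Note that an IMA build that fell back to TPM/BYPASS still produces a measurement list, but nothing is extended into a PCR, so a remote verifier cannot tie that list to the TPM; the "bypass" result is therefore the one to treat as a hard failure when the goal is attestation.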



  From:       "Lavina Jain" <lavina.jain@gmail.com>

  To:         linux-ima-user@lists.sourceforge.net

  Date:       05/09/2008 06:49 AM

  Subject:    [Linux-ima-user] no TPM chip found






 Hi,

 I compiled a new kernel with IMA support by applying
 ibm-ima-patch-2.6.22.9.patch and following the instructions in the INSTALL
 file. I am able to boot the new kernel, but it cannot find the TPM chip on
 my laptop.
 The output of "dmesg | grep IMA" is as follows:

 [    5.360000] IBM Integrity Measurement Architecture (IBM IMA v8.3 10/09/2007).
 [    5.360000]     IMA (test mode)
 [    5.360000]     IMA (TPM/BYPASS - no TPM chip found)

 I am using a Lenovo X61 laptop that has an Atmel TPM chip. I am able to talk
 to the TPM using trousers and tpm-tools. Commands like tpm_version are working.
 Modules tpm_bios, tpm and tpm_tis are loaded. Any ideas why IMA cannot find
 the TPM chip?

 Kind Regards,
 Lavina

 --
 "Unravelling life's mysteries and discovering life's secrets may take the
 courage and determination found only in a self-motivated pursuit."
 - Peter McWilliams





