This list is closed, nobody may subscribe to it.
From: Sohail K. <soh...@gm...> - 2011-04-09 03:45:58

Thanks for the prompt reply. I am going for the newer kernel now and will
update on the problem (if it persists) soon.

Regards,
-- sohail

On Fri, Apr 8, 2011 at 7:56 PM, Mimi Zohar <zo...@li...> wrote:
> On Fri, 2011-04-08 at 11:27 +0800, Sohail Khan wrote:
> > Hi,
> >
> > The measurement list shows numbers in the filename-hint. Some
> > measurements are given below. Can anyone specify what these
> > numbers are and what I should do if I don't want to measure whatever the
> > numbers represent?
> >
> > I've commented out the BPRM_CHECK & the FILE_CHECK but am again getting
> > these numbers. The Kernel version is 2.6.30.
> >
> > ---------------------------------------------------------
> > 10 1508a15636cdbce65789204533e16308d7318b9f ima 10b3c3c4461920e3823e0190168f5a6134c78acc libswt-gnome-gtk-3659.so
> > 10 d8283931375705ce28a09e2e300b033c2de46eae ima 5188431849b4613152fd7bdba6a3ff0a4fd6424b 6450
> > 10 a51b159cce6296eddcc40c5046f513829a87de96 ima 5188431849b4613152fd7bdba6a3ff0a4fd6424b 6468
> > 10 cdc372dce5550ce20dceffd46c809e0b5ac612b5 ima 5188431849b4613152fd7bdba6a3ff0a4fd6424b 6485
> > 10 fdc01dac5eaedf77599667109078e2409bc9670e ima 5188431849b4613152fd7bdba6a3ff0a4fd6424b 6502
> > 10 bf2bb4bb74175a793cda379617371fc8a6b6adca ima ceb7eb4c7d34ebcbaa0837e70bf6b7d5603ecc5a firefox
> > 10 23088bdc778e63ac862c9d218f246941bd84d0e5 ima ad918da9521707e09f2188696e8412e420ad974a libsqlite3.so
> > ---------------------------------------------------------
> >
> > Thanks.
>
> Identifying records in the measurement list is a known issue, which will
> be addressed by 'templates'. Two new templates are being defined,
> ima-ng and ima-nglong, containing additional 'hint' information. For
> more details on templates, refer to
> http://sourceforge.net/mailarchive/message.php?msg_id=25460938.
>
> Controlling which files to measure, or not, is specified in the IMA
> measurement policy. Refer to Documentation/ABI/testing/ima_policy of
> the specific kernel. (Changes are backwards compatible, but not forward
> compatible. FILE_CHECK, for example, was previously called PATH_CHECK.)
>
> As IMA was first enabled in 2.6.30 and has gone through numerous changes
> since, how about upgrading to something a bit newer?
>
> thanks,
>
> Mimi

From: Mimi Z. <zo...@li...> - 2011-04-08 11:57:05

On Fri, 2011-04-08 at 11:27 +0800, Sohail Khan wrote:
> Hi,
>
> The measurement list shows numbers in the filename-hint. Some
> measurements are given below. Can anyone specify what these
> numbers are and what I should do if I don't want to measure whatever the
> numbers represent?
>
> I've commented out the BPRM_CHECK & the FILE_CHECK but am again getting
> these numbers. The Kernel version is 2.6.30.
>
> ---------------------------------------------------------
> 10 1508a15636cdbce65789204533e16308d7318b9f ima 10b3c3c4461920e3823e0190168f5a6134c78acc libswt-gnome-gtk-3659.so
> 10 d8283931375705ce28a09e2e300b033c2de46eae ima 5188431849b4613152fd7bdba6a3ff0a4fd6424b 6450
> 10 a51b159cce6296eddcc40c5046f513829a87de96 ima 5188431849b4613152fd7bdba6a3ff0a4fd6424b 6468
> 10 cdc372dce5550ce20dceffd46c809e0b5ac612b5 ima 5188431849b4613152fd7bdba6a3ff0a4fd6424b 6485
> 10 fdc01dac5eaedf77599667109078e2409bc9670e ima 5188431849b4613152fd7bdba6a3ff0a4fd6424b 6502
> 10 bf2bb4bb74175a793cda379617371fc8a6b6adca ima ceb7eb4c7d34ebcbaa0837e70bf6b7d5603ecc5a firefox
> 10 23088bdc778e63ac862c9d218f246941bd84d0e5 ima ad918da9521707e09f2188696e8412e420ad974a libsqlite3.so
> ---------------------------------------------------------
>
> Thanks.

Identifying records in the measurement list is a known issue, which will
be addressed by 'templates'. Two new templates are being defined,
ima-ng and ima-nglong, containing additional 'hint' information. For
more details on templates, refer to
http://sourceforge.net/mailarchive/message.php?msg_id=25460938.

Controlling which files to measure, or not, is specified in the IMA
measurement policy. Refer to Documentation/ABI/testing/ima_policy of
the specific kernel. (Changes are backwards compatible, but not forward
compatible. FILE_CHECK, for example, was previously called PATH_CHECK.)

As IMA was first enabled in 2.6.30 and has gone through numerous changes
since, how about upgrading to something a bit newer?

thanks,

Mimi

From: Sohail K. <soh...@gm...> - 2011-04-08 03:27:54

Hi,

The measurement list shows numbers in the filename-hint. Some
measurements are given below. Can anyone specify what these
numbers are and what I should do if I don't want to measure whatever the
numbers represent?

I've commented out the BPRM_CHECK & the FILE_CHECK but am again getting
these numbers. The Kernel version is 2.6.30.

---------------------------------------------------------
10 1508a15636cdbce65789204533e16308d7318b9f ima 10b3c3c4461920e3823e0190168f5a6134c78acc libswt-gnome-gtk-3659.so
10 d8283931375705ce28a09e2e300b033c2de46eae ima 5188431849b4613152fd7bdba6a3ff0a4fd6424b 6450
10 a51b159cce6296eddcc40c5046f513829a87de96 ima 5188431849b4613152fd7bdba6a3ff0a4fd6424b 6468
10 cdc372dce5550ce20dceffd46c809e0b5ac612b5 ima 5188431849b4613152fd7bdba6a3ff0a4fd6424b 6485
10 fdc01dac5eaedf77599667109078e2409bc9670e ima 5188431849b4613152fd7bdba6a3ff0a4fd6424b 6502
10 bf2bb4bb74175a793cda379617371fc8a6b6adca ima ceb7eb4c7d34ebcbaa0837e70bf6b7d5603ecc5a firefox
10 23088bdc778e63ac862c9d218f246941bd84d0e5 ima ad918da9521707e09f2188696e8412e420ad974a libsqlite3.so
---------------------------------------------------------

Thanks.

-- sohail

From: waqar a. <afr...@gm...> - 2011-04-01 11:49:52

On Fri, Apr 1, 2011 at 4:13 PM, Stefan Berger <st...@li...> wrote:
> On 04/01/2011 06:51 AM, waqar afridi wrote:
>> Hello Dear List
>>
>> I have Fedora 14 and I didn't find Ascii Measurement in
>> /sys/kernel/security/
>>
>> So I compiled a new kernel with IMA enabled. I have also set the boot
>> parameter ima_tcb=1 but am still not getting anything in /sys/kernel/security/
>
> Did you mount this directory as securityfs?
>
> cd /sys/kernel
> mount -t securityfs ./security ./security

Ohh man, totally forgot :) Thanx

> That should then show the directories 'tpm0' and 'ima'.
>
> Stefan

--
Waqar Afridi

From: Stefan B. <st...@li...> - 2011-04-01 11:13:30

On 04/01/2011 06:51 AM, waqar afridi wrote:
> Hello Dear List
>
> I have Fedora 14 and I didnt found Ascii Measurement in
> /sys/kernel/security/
>
> So I compiled a new kernel with IMA Enabled, I have also set the Boot
> parameter ima_tcb=1 but still not getting anything in
> /sys/kernel/security/
Did you mount this directory as securityfs?
cd /sys/kernel
mount -t securityfs ./security ./security
That should then show the directories 'tpm0' and 'ima'.
Stefan
From: waqar a. <afr...@gm...> - 2011-04-01 10:51:36

Hello Dear List

I have Fedora 14 and I didn't find Ascii Measurement in
/sys/kernel/security/

So I compiled a new kernel with IMA enabled. I have also set the boot
parameter ima_tcb=1 but am still not getting anything in /sys/kernel/security/

My kernel version: linux-2.6.35.6

Thanx in advance

--
Waqar Afridi

From: Andreas C. <fli...@gm...> - 2011-03-31 22:21:19

And you're using the patch from? I've tried disabling TPM and it boots ok,
something's wrong with the TPM I guess...

What TPM chip do your computers have?

Thanks!

2011/4/1 Seiji Munetoh <sei...@gm...>:
> 2011/3/31 Andreas Calvo Gómez <an...@an...>:
>> It does boot grub, but when requesting "tpm test" it complains about
>> checksums (although it should be fine).
>> However, it never boots the OS.
>
> something wrong...
>
>> My goal is to build grub with IMA for x86_64 under CentOS (and then
>> the kernel, which is a different league...).
>
> Currently, I'm using both Fedora15 and RHEL6 on Lenovo Thinkpad X200
> with transitive trust through CRTM to Linux (IMA) kernel.
> They are x86_64 images.
>
> regards,
> --
> Seiji
>
> ------------------------------------------------------------------------------
> Create and publish websites with WebMatrix
> Use the most popular FREE web apps or write code yourself;
> WebMatrix provides all the features you need to develop and
> publish your website. http://p.sf.net/sfu/ms-webmatrix-sf
> _______________________________________________
> Linux-ima-user mailing list
> Lin...@li...
> https://lists.sourceforge.net/lists/listinfo/linux-ima-user

From: Seiji M. <sei...@gm...> - 2011-03-31 22:16:43

2011/3/31 Andreas Calvo Gómez <an...@an...>:
> It does boot grub, but when requesting "tpm test" it complains about
> checksums (although it should be fine).
> However, it never boots the OS.

something wrong...

> My goal is to build grub with IMA for x86_64 under CentOS (and then
> the kernel, which is a different league...).

Currently, I'm using both Fedora15 and RHEL6 on Lenovo Thinkpad X200
with transitive trust through CRTM to Linux (IMA) kernel.
They are x86_64 images.

regards,
--
Seiji

From: Andreas C. G. <an...@an...> - 2011-03-31 10:19:45

Hi,

Thanks for your link.
It does boot grub, but when requesting "tpm test" it complains about
checksums (although it should be fine).
However, it never boots the OS.

My goal is to build grub with IMA for x86_64 under CentOS (and then
the kernel, which is a different league...).

Regards,

2011/3/31 Seiji Munetoh <sei...@gm...>:
> 2011/3/31 Andreas Calvo Gómez <an...@an...>:
>> It's an HP Compaq 8000.
>> Should it be a problem?
>
> Sorry, I don't know much about this PC.
> If this PC supports BitLocker, the TCG BIOS could be fine.
> I think you already use the latest BIOS.
>
> I used this LiveCD to investigate the Trusted-Boot capability.
> http://unit.aist.go.jp/itri/knoppix/http-fuse/HTTP-FUSE-Knoppix-TC-Geeks-101.iso
>
> regards,
> --
> Seiji

From: Andreas C. G. <an...@an...> - 2011-03-31 10:00:51

Hi Seiji,

Thanks for your response.
It's an HP Compaq 8000.
Should it be a problem?

Regards,

On Thu, Mar 31, 2011 at 5:27 AM, Seiji Munetoh <sei...@gm...> wrote:
> On Thu, Mar 31, 2011 at 2:20 AM, Andreas Calvo <fli...@gm...> wrote:
>> Sorry if it's not the right place to ask for that, but I haven't found
>> a specific forum for GRUB-IMA related questions.
>>
>> I've built a grub version which should be IMA ready, but after
>> installing it does not boot, just hangs with a black screen and the
>> message GRUB.
>> However, if I do install it in a computer without TPM, it does boot.
>
> What is your hardware?
>
> If the BIOS does not support TCG int calls properly, the system will hang.
>
> regards,
> --
> Seiji

From: Seiji M. <sei...@gm...> - 2011-03-31 08:04:53

2011/3/31 Andreas Calvo Gómez <an...@an...>:
> It's an HP Compaq 8000.
> Should it be a problem?

Sorry, I don't know much about this PC.
If this PC supports BitLocker, the TCG BIOS could be fine.
I think you already use the latest BIOS.

I used this LiveCD to investigate the Trusted-Boot capability.
http://unit.aist.go.jp/itri/knoppix/http-fuse/HTTP-FUSE-Knoppix-TC-Geeks-101.iso

regards,
--
Seiji

From: Seiji M. <sei...@gm...> - 2011-03-31 03:27:25

On Thu, Mar 31, 2011 at 2:20 AM, Andreas Calvo <fli...@gm...> wrote:
> Sorry if it's not the right place to ask for that, but I haven't found
> a specific forum for GRUB-IMA related questions.
>
> I've built a grub version which should be IMA ready, but after
> installing it does not boot, just hangs with a black screen and the
> message GRUB.
> However, if I do install it in a computer without TPM, it does boot.

What is your hardware?

If the BIOS does not support TCG int calls properly, the system will hang.

regards,
--
Seiji

From: Andreas C. <fli...@gm...> - 2011-03-30 17:21:02

Sorry if it's not the right place to ask for that, but I haven't found
a specific forum for GRUB-IMA related questions.

I've built a grub version which should be IMA ready, but after
installing it does not boot, just hangs with a black screen and the
message GRUB.
However, if I do install it in a computer without TPM, it does boot.

Am I missing something?
Does anyone have an RPM for x86_64? (The latest SRPM for RHEL5/CentOS5
seems to have a bug.)

Thanks

From: Andreas C. <fli...@gm...> - 2011-03-30 17:16:54

Is there any source to download an IMA-ready kernel for CentOS 5.5?

From: Mimi Z. <zo...@li...> - 2011-03-30 11:40:37

On Wed, 2011-03-30 at 10:47 +0800, Yu Xi wrote:
> Thank you very much, Mimi. Following the "ima_measure.c" program in
> LTP, I have succeeded in finishing the remote attestation demo
> program. However, I notice one minor problem of ima. When validating
> the composite hash (the hash calculated from struct<file content hash,
> file name>), one has to set up the size of the char array, which is
> used for storing file name, to be as exact as 256 and fill the rest
> space of the array to be "0" to get things work. This is not quite
> friendly for programmers. Why not calculate the composite hash from the
> valid bytes in the struct (not including the whole filename char array,
> but only the valid filename bytes), but not from the whole struct? I
> think that might make more sense.

Hi Xu Yi,

Agreed. Support for different types of template data was discussed
last spring, resulting in the following patches:

ima: add template length to binary_runtime_measurements log
ima: add support for additional template hash algorithms
ima: define ima-nglong template
ima: add LSM labels to the ima-nglong template

The LSS 2010 EVM slides have examples of the different templates:
http://userweb.kernel.org/~jmorris/lss2010_slides/EVM-security-summit.odp

thanks,

Mimi

From: Yu Xi <ge...@gm...> - 2011-03-30 02:47:54

Thank you very much, Mimi. Following the "ima_measure.c" program in LTP, I
have succeeded in finishing the remote attestation demo program. However, I
notice one minor problem of ima. When validating the composite hash (the
hash calculated from struct<file content hash, file name>), one has to set up
the size of the char array, which is used for storing file name, to be as
exact as 256 and fill the rest space of the array to be "0" to get things
work. This is not quite friendly for programmers. Why not calculate the
composite hash from the valid bytes in the struct (not including the whole
filename char array, but only the valid filename bytes), but not from the
whole struct? I think that might make more sense.

On Mon, Mar 28, 2011 at 10:05 PM, Mimi Zohar <zo...@li...> wrote:
> On Mon, 2011-03-28 at 21:34 +0800, Yu Xi wrote:
> > Dear all,
>
> >
> > I'm writing a testing program to recalculate the pcr value from IMA
> > measurement list following the procedure below:
> >
> >
> >
> >
> > {
> > uchar PCR_tmp[20] = {0...0} // the initial value of pcr assigned
> > to zero
> >
> > for (i=0; i<MList.len; i++)
> > PCR_tmp = SHA1(PCR_tmp || MList[i]) // where || means
> > concatenation
> >
> > if (PCR == PCR_tmp)
> > return OK
> > else
> > return INVALID
> > }
> >
> >
> > However the newly calculated value doesn't match the real PCR.
> > I found that some measurement entry in the list is
> > "0000000000000000000000", is this the reason for the problem? Could
> > anybody help me to solve the problem? Thank you very much.
> > --
> > Regards
> > Xi Yu (禹熹)
>
> Yes, the zero hashes are an indication of an invalidation of the PCR,
> either a Time-of-Measure/Time-of-Use(ToMToU) or open-writers error.
> Unlike with executables, where the fs prevents executables from being
> modified when used, or from being executed when being modified, there
> are no such protections when reading a file.
>
> To validate a measurement list that was invalidated, replace the 0x00
> hash values with 0xFF's. Refer to ima_tpm.sh: test02 (IMA LTP testsuite)
> for an example.
>
> Mimi
>
>
>
--
Regards
Xi Yu (禹熹)
From: Mimi Z. <zo...@li...> - 2011-03-28 14:05:18

On Mon, 2011-03-28 at 21:34 +0800, Yu Xi wrote:
> Dear all,
>
> I'm writing a testing program to recalculate the pcr value from IMA
> measurement list following the procedure below:
>
>
>
>
> {
> uchar PCR_tmp[20] = {0...0} // the initial value of pcr assigned
> to zero
>
> for (i=0; i<MList.len; i++)
> PCR_tmp = SHA1(PCR_tmp || MList[i]) // where || means
> concatenation
>
> if (PCR == PCR_tmp)
> return OK
> else
> return INVALID
> }
>
>
> However the newly calculated value doesn't match the real PCR.
> I found that some measurement entry in the list is
> "0000000000000000000000", is this the reason for the problem? Could
> anybody help me to solve the problem? Thank you very much.
> --
> Regards
> Xi Yu (禹熹)
Yes, the zero hashes are an indication of an invalidation of the PCR,
either a Time-of-Measure/Time-of-Use(ToMToU) or open-writers error.
Unlike with executables, where the fs prevents executables from being
modified when used, or from being executed when being modified, there
are no such protections when reading a file.
To validate a measurement list that was invalidated, replace the 0x00
hash values with 0xFF's. Refer to ima_tpm.sh: test02 (IMA LTP testsuite)
for an example.
Mimi
From: Yu Xi <ge...@gm...> - 2011-03-28 13:34:17

Dear all,

I'm writing a testing program to recalculate the pcr value from IMA
measurement list following the procedure below:

{
    uchar PCR_tmp[20] = {0...0} // the initial value of pcr assigned to zero
    for (i=0; i<MList.len; i++)
        PCR_tmp = SHA1(PCR_tmp || MList[i]) // where || means concatenation
    if (PCR == PCR_tmp)
        return OK
    else
        return INVALID
}

However the newly calculated value doesn't match the real PCR.
I found that some measurement entry in the list is "0000000000000000000000",
is this the reason for the problem? Could anybody help me to solve the
problem? Thank you very much.

--
Regards
Xi Yu (禹熹)

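The two questions Yu Xi raises in this thread, why the replayed PCR does not match when the list contains all-zero records (answered by Mimi above: substitute 0xFF for the zero hashes) and, in the message of 2011-03-30 further up, why the composite hash only verifies when the file name is padded to a 256-byte array, come from the same two facts about the original "ima" template. The script below is an added example written for this page; it is not code from the kernel, from LTP's ima_measure.c or from any poster. It assumes the 2.6.3x-era "ima" template, where each line of ascii_runtime_measurements is `<pcr> <template-hash> ima <filedata-hash> <filename-hint>` and the template hash is SHA1 over struct ima_template_data (20-byte digest followed by the NUL-padded 256-byte file_name array), a TPM 1.2 SHA1 extend, and PCR-10 starting at all zeros. The measurement list it checks is constructed inside the script, with file digests taken over made-up contents, so it runs offline; with a real system you would feed it the sysfs file and the PCR-10 value from a TPM quote instead.

```python
"""Replay an IMA measurement list (original "ima" template) into PCR-10.

Added example for this thread; not code from the kernel, LTP or the posters.
Assumes the 2.6.3x-era "ima" template, in which each line of
/sys/kernel/security/ima/ascii_runtime_measurements reads
    <pcr> <template-hash> ima <filedata-hash> <filename-hint>
and the template ("composite") hash is SHA1 over struct ima_template_data:
the 20-byte file digest followed by the 256-byte, NUL-padded file_name array.
"""
import hashlib

SHA1_LEN = 20
IMA_EVENT_NAME_LEN_MAX = 255             # security/integrity/ima/ima.h
NAME_FIELD_LEN = IMA_EVENT_NAME_LEN_MAX + 1
VIOLATION_DIGEST = bytes(SHA1_LEN)       # what the list shows for a violation
VIOLATION_EXTENDED = b"\xff" * SHA1_LEN  # what the kernel really extended


def template_data(filedata_hash, filename):
    """Serialize struct ima_template_data exactly as the kernel hashes it:
    the whole struct, including the unused NUL bytes of file_name[256]."""
    name = filename.encode()
    if len(filedata_hash) != SHA1_LEN or len(name) > IMA_EVENT_NAME_LEN_MAX:
        raise ValueError("bad digest length or filename-hint too long")
    return filedata_hash + name.ljust(NAME_FIELD_LEN, b"\0")


def ima_template_hash(filedata_hash, filename):
    """The composite hash recorded in column 2 of the ascii list."""
    return hashlib.sha1(template_data(filedata_hash, filename)).digest()


def pcr_extend(pcr, digest):
    """TPM 1.2 extend: PCR_new = SHA1(PCR_old || digest)."""
    return hashlib.sha1(pcr + digest).digest()


def parse_ascii_measurements(text):
    """Parse ascii_runtime_measurements lines into tuples."""
    entries = []
    for line in text.splitlines():
        if line.strip():
            pcr, thash, tname, fhash, fname = line.split(" ", 4)
            entries.append((int(pcr), bytes.fromhex(thash), tname,
                            bytes.fromhex(fhash), fname))
    return entries


def recompute_pcr(entries, pcr_index=10, substitute_violations=True):
    """Replay the extends; returns (pcr_value, mismatches, violations).

    A record whose template hash is all zeros is a ToMToU / open-writers
    violation: the kernel logged zeros but extended the PCR with 0xFF bytes,
    so the replay must substitute 0xFF (LTP's ima_tpm.sh test02 does the
    same).  For every other record the composite hash is recomputed from the
    file digest and filename-hint and must equal the logged value.
    """
    pcr = bytes(SHA1_LEN)   # PCR-10 is all zeros after a TPM reset
    mismatches, violations = [], []
    for num, thash, tname, fhash, fname in entries:
        if num != pcr_index:
            continue
        if thash == VIOLATION_DIGEST:
            violations.append(fname)
            digest = VIOLATION_EXTENDED if substitute_violations else thash
        else:
            if tname != "ima" or thash != ima_template_hash(fhash, fname):
                mismatches.append(fname)
            digest = thash
        pcr = pcr_extend(pcr, digest)
    return pcr, mismatches, violations


def verify_measurement_list(text, quoted_pcr10, substitute_violations=True):
    """(ok, mismatches, violations): ok only if the replay reproduces the
    quoted PCR-10 and every composite hash checks out."""
    pcr, mismatches, violations = recompute_pcr(
        parse_ascii_measurements(text), substitute_violations=substitute_violations)
    return pcr == quoted_pcr10 and not mismatches, mismatches, violations


def build_sample_list():
    """Constructed sample data: mimics the kernel side for a few records,
    including one violation, and returns (ascii_text, true_pcr10_value).
    File digests are SHA1 of made-up contents, not of real files."""
    records = [  # (filename-hint, filedata-hash, is_violation)
        ("boot_aggregate", hashlib.sha1(bytes(8 * SHA1_LEN)).digest(), False),
        ("init", hashlib.sha1(b"constructed init contents").digest(), False),
        ("libc.so.6", hashlib.sha1(b"constructed libc contents").digest(), False),
        ("syslog", VIOLATION_DIGEST, True),   # read while open for writing
        ("bash", hashlib.sha1(b"constructed bash contents").digest(), False),
    ]
    pcr, lines = bytes(SHA1_LEN), []
    for name, fhash, violation in records:
        thash = VIOLATION_DIGEST if violation else ima_template_hash(fhash, name)
        lines.append(f"10 {thash.hex()} ima {fhash.hex()} {name}")
        pcr = pcr_extend(pcr, VIOLATION_EXTENDED if violation else thash)
    return "\n".join(lines) + "\n", pcr


if __name__ == "__main__":
    text, pcr10 = build_sample_list()
    print(text)
    ok, mismatches, violations = verify_measurement_list(text, pcr10)
    print("PCR-10 reproduced:", ok, "| violations:", violations)
    print("naive replay (zeros kept):",
          verify_measurement_list(text, pcr10, substitute_violations=False)[0])
```

Two points worth noticing when adapting this. A violation record still counts as a valid extend, so the replay succeeds, but the verifier reports which files were read while writable; whether that is acceptable is a policy decision for the attestation server, not something the hash arithmetic can settle. And because the composite hash covers the padded struct, a check that hashes only the used bytes of the name (the shortcut Yu Xi asks about) never matches on this template; the ima-ng templates Mimi mentions carry explicit field lengths precisely so that such a verifier can hash the fields as logged.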
From: Yu Xi <ge...@gm...> - 2011-03-25 03:14:51

Dear all,

I found that ima in linux kernel 2.6.30 would measure all the files loaded;
however, the kernel versions afterwards only provide one measurement record,
named "boot_aggregate", as I could see from "ascii_ima_measurement" in sysfs.
I have searched the internet to get into the problem, and found that I might
need to set a certain policy for IMA as said in the kernel documentation
"ima_policy". Could anybody please kindly provide me some instructions or
materials so that I could let ima measure other files besides the only
"boot_aggregate"? I don't quite understand how to set the policy for it.

Thanks a lot.

--
Regards
Xi Yu (禹熹)

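Both this question and Mimi's reply to Sohail further up (2011-04-08, "which files to measure, or not, is specified in the IMA measurement policy") come down to the same rule set, so here is the policy that Documentation/ABI/testing/ima_policy of kernels of this generation gives as the default selected by booting with ima_tcb. It is reproduced here as an added illustration, not as text from the thread; check the copy shipped with the kernel you actually run, since, as Mimi notes, rule names changed between releases (PATH_CHECK became FILE_CHECK) and a policy written for a newer kernel will not load on an older one.

```text
# PROC_SUPER_MAGIC
dont_measure fsmagic=0x9fa0
# SYSFS_MAGIC
dont_measure fsmagic=0x62656572
# DEBUGFS_MAGIC
dont_measure fsmagic=0x64626720
# TMPFS_MAGIC
dont_measure fsmagic=0x01021994
# SECURITYFS_MAGIC
dont_measure fsmagic=0x73636673
measure func=BPRM_CHECK
measure func=FILE_MMAP mask=MAY_EXEC
measure func=FILE_CHECK mask=MAY_READ uid=0
```

Reading it top to bottom: the dont_measure rules exclude pseudo-filesystems whose contents change constantly, then every executed program (BPRM_CHECK), every file mapped executable such as a shared library (FILE_MMAP with MAY_EXEC), and every file opened for reading by root (FILE_CHECK) is measured. Without ima_tcb on the command line and without a loaded policy, no measure rule is active and boot_aggregate is the only record, which is what Yu Xi sees. A custom policy is loaded once, by writing the rules file to /sys/kernel/security/ima/policy on a mounted securityfs; the new rules replace the defaults, and the policy file is removed after a successful load so that the rules cannot be changed again without a reboot.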
From: Mimi Z. <zo...@li...> - 2011-03-17 16:57:39

On Fri, 2011-03-18 at 00:26 +0800, Qingping Hou wrote:
> Hi everybody,
>
> I want to write some program to interact with IMA to see how far I can
> go with this Architecture.
>
> So my question is: are there any user APIs for IMA? If the answer is
> yes, then where can I get related documents?
>
> Or are users just supposed to play with the files lying in
> /sys/kernel/security/ima directory? At least this is what I learn from
> the test programs provided by LTP. ;-)
>
> Thanks,
>
> Hou Qingping

Yes, the IMA LTP testsuite is the correct place to look for examples.

Early last year there was some discussion on this mailing list on
extending the template data and adding additional hash algorithms. For
more information look at the archive. (The work was temporarily put on
hold in order to complete the EVM/IMA-appraisal work.)

thanks,

Mimi

From: Qingping H. <dav...@gm...> - 2011-03-17 16:27:03

Hi everybody,

I want to write some program to interact with IMA to see how far I can
go with this Architecture.

So my question is: are there any user APIs for IMA? If the answer is
yes, then where can I get related documents?

Or are users just supposed to play with the files lying in
/sys/kernel/security/ima directory? At least this is what I learn from
the test programs provided by LTP. ;-)

Thanks,

Hou Qingping

From: Stefan B. <st...@li...> - 2011-03-17 15:08:55

On 03/17/2011 09:49 AM, Qingping Hou wrote:
> To Stefan & Rajiv,
>
> Thanks for your help. I can now confirm that it is caused by
> tpm-emulator. Because it just virtually create a file called tpm in
> /dev directory and relies on its daemon tpmd to watch the commands
> sent to /dev/tpm. So there is no wonder that IMA cannot make use of
> it. So as Stefan said, I need to hack it if I want to use it.
>
> I tried IMA with the real tpm in my notebook, every things work out of box. :-)
>
> BTW, do you have any other tpm-emulator for recommendation?
I have recently posted patches on the Qemu mailing list that will
integrate a TPM emulator into Qemu and thus make a TPM available to a
Virtual Machine that will then access it via the TPM TIS driver in Linux
and provide /dev/tpm0 and will make IMA work as well. However, this will
take a while until it will be commonly available and the emulator we are
using cannot be easily put into the kernel so that it could be made
available via /dev/tpm0. In short, I cannot recommend another TPM emulator.
Stefan
>
>
> 2011/3/17 Stefan Berger <st...@li...>:
>> On 03/17/2011 12:43 AM, Qingping Hou wrote:
>>> 2011/3/17 Stefan Berger <st...@li...>:
>>>> Unless the TPM emulator was running inside the kernel and hooked itself
>>>> into
>>>> the main tpm.c driver of Linux and thus could make a /dev/tpm0 available
>>>> to
>>>> userspace, you won't be able to use that emulator as a replacement for a
>>>> real hardware TPM device. So, yes, that's likely the cause.
>>> You mean I need to hack the kernel? On the tpm-emulator's official
>>> website I cannot find any instruction for compile it into the kernel.
>>>
>>> Having compiled it as a module, I can get access to /dev/tpm device.
>>> But I just cannot find tpm0 in sys/kernel/security/ directory as the
>>> document for ima describes.
>> IMA makes use of the main tpm.c driver's API. If the tpm-emulator does not
>> even hook itself into tpm.c (like all the other TPM drivers do), you will
>> not be able to use it as a hardware TPM replacement. Hacking that tpm
>> emulator seems to be the only choice then.
>>
>> Stefan
>>
>>
From: Rajiv A. <sr...@li...> - 2011-03-16 18:55:16

Hi Hou,

Do you have the tpm modules loaded?

modprobe tpm_tis

Thanks,
Rajiv Andrade
Security Development
IBM Linux Technology Center

On 03/16/2011 02:20 PM, Qingping Hou wrote:
> Hi all,
>
> I am currently learning how to make use of ima. After compiling the
> kernel according to the official document, I can now get the measured
> hash value from ascii_runtime_measurements file.
>
> However, I cannot find tpm0 file in /sys/kernel/security/ directory.
> Actually I am using tpm-emulator, not a real tpm device. Could that be
> the cause?
>
> Best regards,
>
> Hou Qingping

From: Stefan B. <st...@li...> - 2011-03-16 18:32:44

On 03/16/2011 02:29 PM, Mimi Zohar wrote:
> On Thu, 2011-03-17 at 01:20 +0800, Qingping Hou wrote:
>> Hi all,
>>
>> I am currently learning how to make use of ima. After compile the
>> kernel according to the official document, I can now get the measured
>> hash value from ascii_runtime_measurements file.
> IMA was upstreamed in 2.6.30. At this point, depending on the Linux
> distro, you might not need to recompile the kernel. From the boot
> command line, specifying ima_tcb should enable IMA.
>
>> However, I cannot find tpm0 file in /sys/kernel/security/ directory.
>> Actually I am using tpm-emulator, not a real tpm device. Could that be
>> the cause?
Unless the TPM emulator was running inside the kernel and hooked itself
into the main tpm.c driver of Linux and thus could make a /dev/tpm0
available to userspace, you won't be able to use that emulator as a
replacement for a real hardware TPM device. So, yes, that's likely the
cause.
Stefan
>> Best regards,
>>
>> Hou Qingping
> Yes, it depends on the TPM emulator. Which emulator are you using?
> Others on this mailing list should be able to help you.
>
> thanks,
>
> Mimi
>
From: Mimi Z. <zo...@li...> - 2011-03-16 18:29:36

On Thu, 2011-03-17 at 01:20 +0800, Qingping Hou wrote:
> Hi all,
>
> I am currently learning how to make use of ima. After compiling the
> kernel according to the official document, I can now get the measured
> hash value from ascii_runtime_measurements file.

IMA was upstreamed in 2.6.30. At this point, depending on the Linux
distro, you might not need to recompile the kernel. From the boot
command line, specifying ima_tcb should enable IMA.

> However, I cannot find tpm0 file in /sys/kernel/security/ directory.
> Actually I am using tpm-emulator, not a real tpm device. Could that be
> the cause?
>
> Best regards,
>
> Hou Qingping

Yes, it depends on the TPM emulator. Which emulator are you using?
Others on this mailing list should be able to help you.

thanks,

Mimi