From: Reiner S. <sa...@us...> - 2008-05-10 17:18:52
Hi Lavina,

IMA does simply require that there is a device interface such as a hardware TPM offers. This can either be implemented by a kernel driver based on a real hardware TPM or by a kernel driver based on a 'virtual TPM' (software TPM). Hence, IMA runs within a virtual machine, but to leverage it for attestation, the VM must have configured either a hardware or a virtual TPM. IMA runs the same way inside a VM as it runs inside a normal Linux kernel.

Trust model: There have been multiple approaches. Here is what we have been thinking about:
http://www.usenix.org/events/sec06/tech/full_papers/berger/berger.pdf

Xen implementation of vTPM (there is a xen-user mailing list if you have deeper questions about the Xen-vTPM):
http://www.cl.cam.ac.uk/research/srg/netos/xen/readmes/user/user.html#SECTION03240000000000000000

Reiner
__________________________________________________________
Reiner Sailer, RSM and Manager Security Services (GSAL) Team
IBM T J Watson Research Ctr, 19 Skyline Drive, Hawthorne NY 10532
Phone: 914 784 6280 (t/l 863) Fax: 914 784 6205, sa...@us...
http://www.research.ibm.com/people/s/sailer/


From: "Lavina Jain" <lav...@gm...>
To: Reiner Sailer/Watson/IBM@IBMUS
Cc: lin...@li...
Date: 05/10/2008 03:50 AM
Subject: Re: [Linux-ima-user] no TPM chip found

Hi Reiner,

Many thanks. Compiling TPM into the kernel worked. I was earlier loading it as a module.

Another question: Does IMA work in a virtual machine? Or, for that matter, is there any way to talk to the TPM (using trousers or tpm-tools) from a virtual machine? I guess this depends on the virtualization tool being used. I have not been able to figure out a way to access the underlying TPM chip directly from a virtual machine. Another approach could be to write an application which talks to the TPM in the host OS and then let an application in the guest OS call this application in the host OS. Can you please give me some pointers in this direction?

Kind Regards,
Lavina

On Fri, May 9, 2008 at 10:09 PM, Reiner Sailer <sa...@us...> wrote:

Hi Lavina,

did you compile the TPM into the kernel or is it loaded as a module? It must be compiled into the kernel. IMA requires the TPM to be available early at boot time before modules can be loaded.

Reiner
__________________________________________________________
Reiner Sailer, RSM and Manager Security Services (GSAL) Team
IBM T J Watson Research Ctr, 19 Skyline Drive, Hawthorne NY 10532
Phone: 914 784 6280 (t/l 863) Fax: 914 784 6205, sa...@us...
http://www.research.ibm.com/people/s/sailer/

From: "Lavina Jain" <lav...@gm...>
To: lin...@li...
Date: 05/09/2008 06:49 AM
Subject: [Linux-ima-user] no TPM chip found

Hi,

I compiled a new kernel with IMA support by applying ibm-ima-patch-2.6.22.9.patch and following the instructions in the INSTALL file. I am able to boot the new kernel, but it cannot find the TPM chip on my laptop. The output of "dmesg | grep IMA" is as follows:

    [ 5.360000] IBM Integrity Measurement Architecture (IBM IMA v8.3 10/09/2007).
    [ 5.360000] IMA (test mode)
    [ 5.360000] IMA (TPM/BYPASS - no TPM chip found)

I am using a Lenovo X61 laptop that has an Atmel TPM chip. I am able to talk to the TPM using trousers and tpm-tools. Commands like tpm_version are working. Modules tpm_bios, tpm and tpm_tis are loaded. Any ideas why IMA cannot find the TPM chip?

Kind Regards,
Lavina
--
"Unravelling life's mysteries and discovering life's secrets may take the courage and determination found only in a self-motivated pursuit." - Peter McWilliams

_______________________________________________
Linux-ima-user mailing list
Lin...@li...
https://lists.sourceforge.net/lists/listinfo/linux-ima-user
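The two facts this thread turns on (the TPM driver must be built into the kernel rather than loaded as a module, and the IMA boot banner reports "TPM/BYPASS - no TPM chip found" when it is not) can be checked after boot. The script below is an added example and not code from the thread or from the IMA project; it assumes the real kernel symbols CONFIG_TCG_TPM (TPM core) and CONFIG_TCG_TIS (tpm_tis driver), and the sample config and dmesg lines it feeds itself are constructed from the report in the original post.

```shell
#!/bin/sh
# Added example: post-boot check for the IMA/TPM condition discussed in the thread.
# IMA needs the TPM before modules can be loaded, so the driver must be =y, not =m.
# CONFIG_TCG_TPM / CONFIG_TCG_TIS are real kernel symbols; samples below are constructed.

# tpm_build_mode CONFIG_FILE OPTION -> builtin | module | absent
tpm_build_mode() {
    case "$(grep "^$2=" "$1" 2>/dev/null | head -n 1)" in
        "$2=y") echo builtin ;;
        "$2=m") echo module ;;
        *)      echo absent ;;
    esac
}

# ima_tpm_status DMESG_FILE -> bypass | active | unknown
# Only the BYPASS string is known from the thread; "active" means the IMA
# banner appeared without it.
ima_tpm_status() {
    if grep -q 'IMA (TPM/BYPASS' "$1"; then echo bypass
    elif grep -q 'Integrity Measurement Architecture' "$1"; then echo active
    else echo unknown
    fi
}

# ima_diagnose CONFIG_FILE DMESG_FILE -> one-line verdict
ima_diagnose() {
    core=$(tpm_build_mode "$1" CONFIG_TCG_TPM)
    tis=$(tpm_build_mode "$1" CONFIG_TCG_TIS)
    ima=$(ima_tpm_status "$2")
    if [ "$ima" = bypass ] && { [ "$core" != builtin ] || [ "$tis" != builtin ]; }; then
        echo "BYPASS: TPM core=$core tis=$tis; build the TPM driver into the kernel (=y)"
    elif [ "$ima" = bypass ]; then
        echo "BYPASS: TPM driver is built in, so the module build is not the cause"
    else
        echo "IMA status $ima, TPM core=$core tis=$tis"
    fi
}

# Constructed samples: a module-built TPM driver and the dmesg lines from the post.
cfg=$(mktemp); dm=$(mktemp)
printf 'CONFIG_TCG_TPM=m\nCONFIG_TCG_TIS=m\n' > "$cfg"
printf '%s\n' \
    '[ 5.360000] IBM Integrity Measurement Architecture (IBM IMA v8.3 10/09/2007).' \
    '[ 5.360000] IMA (test mode)' \
    '[ 5.360000] IMA (TPM/BYPASS - no TPM chip found)' > "$dm"
ima_diagnose "$cfg" "$dm"
# Live system (bash): ima_diagnose /boot/config-"$(uname -r)" <(dmesg)
```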