From: Lavina J. <lav...@gm...> - 2008-05-11 10:31:34
Thanks Reiner, I will look into these options.

- Lavina

On Sat, May 10, 2008 at 9:34 AM, Reiner Sailer <sa...@us...> wrote:
> Hi Lavina,
>
> IMA does simply require that there is a device interface such as a hardware
> TPM offers. This can either be implemented by a kernel driver based on a
> real Hardware TPM or by a kernel driver based on a 'virtual TPM' (software
> TPM). Hence, IMA runs within a virtual machine, but to leverage it for
> attestation, the VM must have configured either a hardware or a virtual
> TPM. IMA runs the same way inside a VM as it runs inside a normal Linux
> Kernel.
>
> Trust model:
> There have been multiple approaches. Here is what we have been thinking
> about:
> http://www.usenix.org/events/sec06/tech/full_papers/berger/berger.pdf
>
> Xen Implementation of vTPM (there is a xen-user mailing list if you have
> deeper questions about the Xen-vTPM):
> http://www.cl.cam.ac.uk/research/srg/netos/xen/readmes/user/user.html#SECTION03240000000000000000
>
> Reiner
> __________________________________________________________
> Reiner Sailer, RSM and Manager Security Services (GSAL) Team
> IBM T J Watson Research Ctr, 19 Skyline Drive, Hawthorne NY 10532
> Phone: 914 784 6280 (t/l 863) Fax: 914 784 6205, sa...@us...
> http://www.research.ibm.com/people/s/sailer/
>
> From: "Lavina Jain" <lav...@gm...>
> To: Reiner Sailer/Watson/IBM@IBMUS
> Cc: lin...@li...
> Date: 05/10/2008 03:50 AM
> Subject: Re: [Linux-ima-user] no TPM chip found
>
> Hi Reiner,
>
> Many thanks. Compiling TPM into the kernel worked.
> I was earlier loading it as a module.
> Another question: Does IMA work in a virtual machine? Or for that matter is
> there any way to talk to TPM (using trousers or tpm-tools) from a virtual
> machine. I guess this depends on the virtualization tool being used. I have
> not been able to figure out a way to access the underlying TPM chip
> directly from a virtual machine.
>
> Another approach could be to write an application which talks to TPM in
> host OS and then let an application in guest OS call this application in
> host OS. Can you please give me some pointers in this direction?
>
> Kind Regards,
> Lavina
>
> On Fri, May 9, 2008 at 10:09 PM, Reiner Sailer <sa...@us...> wrote:
> Hi Lavina,
>
> did you compile the TPM into the kernel or is it loaded as a module? It
> must be compiled into the kernel.
>
> IMA requires the TPM to be available early at boot time before modules can
> be loaded.
>
> Reiner
>
> From: "Lavina Jain" <lav...@gm...>
> To: lin...@li...
> Date: 05/09/2008 06:49 AM
> Subject: [Linux-ima-user] no TPM chip found
>
> Hi,
>
> I compiled new kernel with ima support by applying
> ibm-ima-patch-2.6.22.9.patch and following the instructions in the INSTALL
> file. I am able to boot the new kernel, but it cannot find the TPM chip on
> my laptop.
> The output of "dmesg | grep IMA" is as follows:
>
> [ 5.360000] IBM Integrity Measurement Architecture (IBM IMA v8.3 10/09/2007).
> [ 5.360000] IMA (test mode)
> [ 5.360000] IMA (TPM/BYPASS - no TPM chip found)
>
> I am using Lenovo X61 laptop that has Atmel TPM chip. I am able to talk to
> TPM using trousers and tpm-tools. Commands like tpm_version are working.
> Modules tpm_bios, tpm and tpm_tis are loaded. Any ideas why IMA cannot find
> the TPM chip?
>
> Kind Regards,
> Lavina
>
> --
> "Unravelling life's mysteries and discovering life's secrets may take the
> courage and determination found only in a self-motivated pursuit."
> - Peter McWilliams
> _______________________________________________
> Linux-ima-user mailing list
> Lin...@li...
> https://lists.sourceforge.net/lists/listinfo/linux-ima-user
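
The diagnosis in this thread (TPM driver loaded as a module, so IMA starts in TPM/BYPASS) can be checked mechanically. The script below is an added example, not part of the original messages or of the IMA patch; the function names are hypothetical, the sample files are constructed, and `CONFIG_TCG_TPM` / `CONFIG_TCG_TIS` are assumed to be the relevant symbols because the thread names the `tpm` and `tpm_tis` modules.

```shell
#!/bin/sh
# Added example: was the TPM driver built in (=y) or as a module (=m),
# and did IMA log the TPM/BYPASS line quoted in the thread?

# config_state CONFIG_FILE SYMBOL -> prints builtin | module | absent
config_state() {
    line=$(grep -E "^$2=" "$1" 2>/dev/null || true)
    case "$line" in
        *=y) echo builtin ;;
        *=m) echo module ;;
        *)   echo absent ;;
    esac
}

# ima_bypassed LOG_FILE -> exit status 0 if IMA logged the bypass message
ima_bypassed() {
    grep -qF 'IMA (TPM/BYPASS' "$1"
}

# check_ima_tpm CONFIG_FILE LOG_FILE -> 0 only if drivers are built in and no bypass
check_ima_tpm() {
    rc=0
    # Assumed symbols: TPM core and the tpm_tis driver named in the thread.
    for sym in CONFIG_TCG_TPM CONFIG_TCG_TIS; do
        state=$(config_state "$1" "$sym")
        echo "$sym: $state"
        [ "$state" = builtin ] || rc=1
    done
    if ima_bypassed "$2"; then
        echo "IMA: TPM/BYPASS reported"
        rc=1
    fi
    return "$rc"
}

# Constructed sample inputs (not from a real system).
write_samples() {   # write_samples DIR
    printf 'CONFIG_TCG_TPM=m\nCONFIG_TCG_TIS=m\n' > "$1/config.module"
    printf 'CONFIG_TCG_TPM=y\nCONFIG_TCG_TIS=y\n' > "$1/config.builtin"
    printf '%s\n' '[    5.360000] IMA (test mode)' \
        '[    5.360000] IMA (TPM/BYPASS - no TPM chip found)' > "$1/dmesg.bypass"
    printf '%s\n' '[    5.360000] IMA (test mode)' > "$1/dmesg.clean"
}

tmp=$(mktemp -d)
write_samples "$tmp"
check_ima_tpm "$tmp/config.module" "$tmp/dmesg.bypass" || echo "=> rebuild with TPM built in"
check_ima_tpm "$tmp/config.builtin" "$tmp/dmesg.clean" && echo "=> ok"
rm -rf "$tmp"
```

On a real system, pass the running kernel's config file and a saved copy of the `dmesg` output in place of the samples.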