From: Stefan B. <st...@li...> - 2011-03-17 15:08:55
On 03/17/2011 09:49 AM, Qingping Hou wrote:
> To Stefan& Rajiv,
>
> Thanks for your help. I can now confirm that it is caused by
> tpm-emulator. It just virtually creates a file called tpm in the
> /dev directory and relies on its daemon tpmd to watch the commands
> sent to /dev/tpm. So it is no wonder that IMA cannot make use of
> it. So, as Stefan said, I need to hack it if I want to use it.
>
> I tried IMA with the real TPM in my notebook; everything works out of the box. :-)
>
> BTW, do you have any other tpm-emulator for recommendation?
I have recently posted patches on the Qemu mailing list that will
integrate a TPM emulator into Qemu and thus make a TPM available to a
virtual machine. The VM then accesses it via the TPM TIS driver in Linux,
which provides /dev/tpm0 and will make IMA work as well. However, it will
take a while until this is commonly available, and the emulator we are
using cannot easily be put into the kernel so that it could be made
available via /dev/tpm0. In short, I cannot recommend another TPM emulator.
Stefan
>
>
> 2011/3/17 Stefan Berger<st...@li...>:
>> On 03/17/2011 12:43 AM, Qingping Hou wrote:
>>> 2011/3/17 Stefan Berger<st...@li...>:
>>>> Unless the TPM emulator was running inside the kernel and hooked itself
>>>> into the main tpm.c driver of Linux and thus could make a /dev/tpm0
>>>> available to userspace, you won't be able to use that emulator as a
>>>> replacement for a real hardware TPM device. So, yes, that's likely the cause.
>>> You mean I need to hack the kernel? On the tpm-emulator's official
>>> website I cannot find any instructions for compiling it into the kernel.
>>>
>>> Having compiled it as a module, I can get access to the /dev/tpm device.
>>> But I just cannot find tpm0 in the sys/kernel/security/ directory as the
>>> IMA documentation describes.
>> IMA makes use of the main tpm.c driver's API. If the tpm-emulator does not
>> even hook itself into tpm.c (like all the other TPM drivers do), you will
>> not be able to use it as a hardware TPM replacement. Hacking that tpm
>> emulator seems to be the only choice then.
>>
>> Stefan
>>
>>
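The distinction the thread draws (a device node created by a userspace daemon such as tpmd versus a TPM registered with the kernel's tpm.c driver, which is what IMA needs) can be checked from a shell. The script below is an added example, not part of the original thread; it assumes, from general Linux knowledge rather than from the thread itself, that the kernel driver registers the device under /sys/class/tpm/tpm0 and that IMA's securityfs entries live under /sys/kernel/security/ima. The optional root argument lets it run against a test tree instead of the live system.

```shell
#!/bin/sh
# tpm_ima_check [ROOT]
# Classify how (or whether) a TPM is exposed to the kernel and to IMA.
# ROOT is prepended to every path so the check can run against a
# constructed directory tree; default is the live filesystem.
tpm_ima_check() {
    root="${1:-}"
    node_tpm0="$root/dev/tpm0"          # created by the kernel tpm driver
    node_tpm="$root/dev/tpm"            # node tpm-emulator's tpmd creates itself
    sysfs_tpm="$root/sys/class/tpm/tpm0" # present only when tpm.c registered a chip (assumed path)
    secfs_ima="$root/sys/kernel/security/ima" # present only when IMA is active (assumed path)

    if [ -e "$sysfs_tpm" ] && [ -d "$secfs_ima" ]; then
        # Kernel driver registered a TPM and IMA found it: the working case.
        echo "kernel-tpm-ima"
    elif [ -e "$sysfs_tpm" ]; then
        # Driver is registered but IMA securityfs is missing (IMA disabled
        # or not configured), so measurements are not being recorded.
        echo "kernel-tpm-no-ima"
    elif [ -e "$node_tpm0" ] || [ -e "$node_tpm" ]; then
        # A device node exists without a registered chip: the situation in
        # the thread, where a userspace emulator fakes /dev/tpm and IMA
        # cannot use it because nothing is hooked into tpm.c.
        echo "userspace-only-device-node"
    else
        echo "no-tpm"
    fi
    return 0
}

tpm_ima_check
```

A result of userspace-only-device-node means IMA will silently fall back to recording measurements without extending any PCR, so the measurement list cannot be attested.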