From: Mimi Z. <zo...@li...> - 2013-09-25 15:41:55
On Wed, 2013-09-25 at 17:10 +0200, Nicolae Paladi wrote:
> On 25 September 2013 16:52, Mimi Zohar <zo...@li...> wrote:
>
> > On Wed, 2013-09-25 at 14:33 +0200, Nicolae Paladi wrote:
> > > Hi,
> > >
> > > I'm using a CentOS 6.4 platform with the 2.6.32 kernel;
> > >
> > > I boot with the following arguments:
> > >
> > > ro root=/dev/mapper/myhost-root rd_NO_LUKS rd_LVM_LV=myhost/root
> > > LANG=en_US.UTF-8 KEYBOARDTYPE=pc KEYTABLE=sv-latin1 rd_NO_MD
> > SYSFONT=lata
> > > rcyrheb-sun16 ima_tcb ima=on crashkernel=129M@0M rd_NO_DM rhgb quiet
> > >
> > > tpm_version show the following:
> > > TPM 1.2 Version Info:
> > > Chip Version: 1.2.8.28
> > > Spec Level: 2
> > > Errata Revision: 3
> > > TPM Vendor ID: STM
> > > TPM Version: 01010000
> > >
> > >
> > > However, there is no output in the /sys/kernel/security/ directory;
> > > The BIOS settings are correct since there WAS an expected output when
> > > I was running on a Ubuntu platform.
> > >
> > > Am I badly missing something here? Or is this a bug?
> > >
> > > Thank you,
> > > /Nico
> >
> > Make sure the TPM is builtin, not as a module, and IMA,EVM are enabled.
> >
>
> IMA is enabled, as far as I see:
>
> cat /usr/src/kernels/2.6.32-358.118.1.openstack.el6.x86_64/.config | grep
> CONFIG_IMA
> CONFIG_IMA=y
> CONFIG_IMA_MEASURE_PCR_IDX=10
> CONFIG_IMA_AUDIT=y
> CONFIG_IMA_LSM_RULES=y
>
> How can I see that the TPM is 'builtin'? The machine was shipped with the
> TPM, it's a dell rack server;

Check that 'CONFIG_TCG_TPM=y' is enabled. Even without the TPM enabled,
there should be a measurement list. 'ima_tcb' is the only boot command
line parameter needed. (Try removing ima=on.)

thanks,

Mimi
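
The checks suggested in the reply above, collected into one script as an added example; it is not part of the original message or of the IMA project. The function names and the sample config are constructed for illustration, and the `CONFIG_TCG_TPM=m` line in the sample is an assumption chosen to show the failing case.

```shell
#!/bin/sh
# Added example: distinguish builtin (=y) from module (=m) kernel options and
# apply the boot-parameter advice from the reply.

# kconfig_state FILE OPTION -> prints builtin | module | off
kconfig_state() {
    # Match "OPTION=" exactly, so CONFIG_IMA does not match CONFIG_IMA_AUDIT.
    val=$(sed -n "s/^$2=\(.*\)/\1/p" "$1" | tail -n 1)
    case "$val" in
        y) echo builtin ;;
        m) echo module ;;
        *) echo off ;;      # absent, or "# OPTION is not set"
    esac
}

# has_param "CMDLINE" NAME -> succeeds if NAME is a whole word on the command line
has_param() {
    for p in $1; do
        [ "$p" = "$2" ] && return 0
    done
    return 1
}

# ima_boot_check FILE "CMDLINE" -> one finding per line; returns 1 on any problem
ima_boot_check() {
    rc=0
    [ "$(kconfig_state "$1" CONFIG_IMA)" = builtin ] ||
        { echo "CONFIG_IMA is not =y"; rc=1; }
    tpm=$(kconfig_state "$1" CONFIG_TCG_TPM)
    [ "$tpm" = builtin ] ||
        { echo "CONFIG_TCG_TPM is $tpm, expected builtin (=y)"; rc=1; }
    has_param "$2" ima_tcb ||
        { echo "ima_tcb missing from boot command line"; rc=1; }
    # Advisory only: the reply says ima_tcb is the only parameter needed.
    has_param "$2" ima=on && echo "ima=on present; the reply suggests removing it"
    return $rc
}

# Constructed sample input (not the poster's real config).
sample=$(mktemp)
printf '%s\n' CONFIG_IMA=y CONFIG_IMA_AUDIT=y CONFIG_TCG_TPM=m > "$sample"
ima_boot_check "$sample" "ro ima_tcb ima=on rhgb quiet" || true
rm -f "$sample"
```

On a live system the same function can be pointed at the running kernel's config file and the contents of `/proc/cmdline`.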