From: Mark D. B. <md...@ju...> - 2017-03-15 18:41:44
Micka <mic...@gm...> writes:

> Do you know where I can find documentation about other PCRs? Which
> project/binary uses those PCRs?

A Trusted Computing Group Conformant TPM 1.x TPM must provide a minimum of
24 PCR registers. They are numbered PCR0 through PCR23. PCRs 0-15 are
static while 16-23 are resettable via pcrReset semantics. Generally, unless
you really understand what you are doing, only use PCRs 8-15 outside of
the BIOS.

See linux/Documentation/ABI/stable/sysfs-class-tpm

In a Measured Boot system, the PCR usage is typically going to be laid out
something like this:

PCR 0-7   Measured by BIOS
  Sometimes (depends on your Measured Boot enabled BIOS):
  0   BIOS
  1   BIOS configuration
  2   Option ROMs
  3   Option ROM configuration
  4   Master Boot Record
  5   Master Boot Record configuration
  6   State transition and wake events
  7   Platform manufacturer specific measurements

PCR 8-15  Measured by the operating system
  Sometimes (depending on use of the GRUB2 or ONIE boot loader):
  8   First sector of TrustedGRUB2 kernel (diskboot.img)
  9   TrustedGRUB2 kernel (core.img)
  10  IMA
  11  Various command-line arguments
  13  Other modules loaded from disk
  14  Suggested as the base for virtual TPMs
  15  Typically left for 3rd party application measurements

PCR 16    Debug (resettable)
PCR 23    Application support (resettable)

See also
  https://trustedcomputinggroup.org/wp-content/uploads/TCG_PCClientTPMInterfaceSpecification_TIS__1-3_27_03212013.pdf
  https://trustedcomputinggroup.org/wp-content/uploads/PC-Client-Specific-Platform-TPM-Profile-for-TPM-2-0-v43-150126.pdf
  https://lwn.net/Articles/699551/
  http://trousers.sourceforge.net/grub.html
  https://github.com/Rohde-Schwarz-Cybersecurity/TrustedGRUB2

> Also, why can't I edit this file: "/sys/kernel/security/ima/policy"?

That is the running configuration. You may be able to add to it
(IMA_WRITE_POLICY) or read it (IMA_READ_POLICY), but you may not edit it.

> I'm using the root user, but I can't access it. How can I change the
> policy of the IMA?

Please read Documentation/ABI/testing/ima_policy. Read integrity/ima/Kconfig.
Look at IMA_WRITE_POLICY and IMA_READ_POLICY.

Configure CONFIG_IMA_READ_POLICY if you want users to be able to read the
current policy that has been installed.

Configure IMA_WRITE_POLICY if you want users to be able to extend the
current policy that has been installed.

You may set IMA_MEASURE_PCR_IDX between the ranges of 8 through 14, with
the default being 10.

Your initrd or initramfs is the place to load the ima/policy file you want
to use.

-- 
Mark
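The check a practitioner usually wants after reading the reply above is whether the IMA measurement list in securityfs actually agrees with the PCR the kernel extended (PCR 10 by default, per IMA_MEASURE_PCR_IDX). The script below is an added example, not code from this thread or from the IMA project: it replays the SHA-1 extend operation over the template hashes in ascii_runtime_measurements and compares the result with the PCR-10 line from the TPM 1.2 sysfs file /sys/class/tpm/tpm0/pcrs. It assumes the line formats documented in sysfs-class-tpm (PCR-NN: followed by space-separated hex bytes) and in the IMA ABI doc (PCR, template hash, template name, template data), and it assumes the kernel's handling of violation entries, which are logged with an all-zero template hash but extended into the PCR as 0xff repeated. All file contents embedded in the block are constructed sample data, not a real measurement log.

```python
"""Replay an IMA measurement list and check it against the TPM PCR value.

Added example, not code from the mailing-list thread or the IMA project.
Inputs mirror two files mentioned in the reply:
  /sys/kernel/security/ima/ascii_runtime_measurements   (the IMA log)
  /sys/class/tpm/tpm0/pcrs                              (TPM 1.2 PCR values)
The sample contents below are constructed for illustration.
"""
import hashlib
import sys

SHA1_LEN = 20

# Constructed sample of ascii_runtime_measurements. Fields: PCR index,
# template hash, template name, template data. The all-zero template hash
# on the third line is how a "violation" (e.g. an open-writers conflict)
# appears in the log; the kernel extends 0xff..ff into the PCR for it.
SAMPLE_LOG = (
    "10 f6b0f7d38b4b4b2b0a7f2e4b6c9d1e3f5a7b9c0d ima-ng "
    "sha1:0a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d boot_aggregate\n"
    "10 3c4d5e6f708192a3b4c5d6e7f8091a2b3c4d5e6f ima-ng "
    "sha1:7f8e9d0c1b2a39485766574839201a2b3c4d5e6f /init\n"
    "10 0000000000000000000000000000000000000000 ima-ng "
    "sha1:0000000000000000000000000000000000000000 /var/log/wtmp\n"
)


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM 1.2 PCR extend semantics: new = SHA-1(old || digest)."""
    return hashlib.sha1(pcr + digest).digest()


def replay_ima_log(text: str, pcr_index: int = 10) -> bytes:
    """Recompute the PCR value implied by the IMA measurement list."""
    pcr = b"\x00" * SHA1_LEN  # static PCRs start at all zeros after reset
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or int(fields[0]) != pcr_index:
            continue  # blank line or an entry destined for another PCR
        template_hash = bytes.fromhex(fields[1])
        if template_hash == b"\x00" * SHA1_LEN:
            # Violation entry: the log records zeros, but the kernel
            # invalidates the PCR by extending 0xff repeated instead.
            template_hash = b"\xff" * SHA1_LEN
        pcr = extend(pcr, template_hash)
    return pcr


def parse_pcrs(text: str) -> dict:
    """Parse /sys/class/tpm/tpm0/pcrs lines such as 'PCR-10: 3A B2 ...'."""
    values = {}
    for line in text.splitlines():
        if not line.startswith("PCR-"):
            continue
        name, _, hexbytes = line.partition(":")
        values[int(name[4:])] = bytes.fromhex(hexbytes.replace(" ", ""))
    return values


def format_pcr_line(index: int, value: bytes) -> str:
    """Render one PCR in the same layout the sysfs file uses."""
    return "PCR-%02d: %s" % (index, " ".join("%02X" % b for b in value))


def verify(log_text: str, pcrs_text: str, pcr_index: int = 10) -> bool:
    """True only if the replayed log matches the PCR the TPM reports."""
    expected = replay_ima_log(log_text, pcr_index)
    actual = parse_pcrs(pcrs_text).get(pcr_index)
    return actual == expected


def main(argv):
    if len(argv) == 3:
        # Real use: python3 ima_replay.py <ascii_runtime_measurements> <pcrs>
        log_text = open(argv[1]).read()
        pcrs_text = open(argv[2]).read()
    else:
        # Offline demonstration on the constructed sample: synthesise the
        # sysfs line from the replay, then show a truncated log failing.
        log_text = SAMPLE_LOG
        pcrs_text = format_pcr_line(10, replay_ima_log(SAMPLE_LOG)) + "\n"
    print("PCR-10 from log :", replay_ima_log(log_text).hex())
    print("PCR-10 from TPM :", parse_pcrs(pcrs_text).get(10, b"").hex())
    print("match           :", verify(log_text, pcrs_text))
    truncated = "\n".join(log_text.splitlines()[:-1])
    print("truncated match :", verify(truncated, pcrs_text))
    return 0 if verify(log_text, pcrs_text) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with the two real file paths on a TPM 1.2 box with IMA enabled; a mismatch means the log was edited or the policy was loaded after some files were already measured, which is why the reply points at the initramfs as the place to install the policy. If IMA_MEASURE_PCR_IDX was changed, pass the matching index to verify().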