Re: [Linux-ima-user] boot aggregate measure

[Nayna <na...@li...>]

On 06/12/2017 06:46 PM, Micka wrote:
> I found out why I don't have TPM folder in the security folder :
>
> #if defined
> <http://elixir.free-electrons.com/linux/v4.8.17/ident/defined>(CONFIG_TCG_IBMVTPM)
> || defined
> <http://elixir.free-electrons.com/linux/v4.8.17/ident/defined>(CONFIG_TCG_IBMVTPM_MODULE)
> || \
> defined
> <http://elixir.free-electrons.com/linux/v4.8.17/ident/defined>(CONFIG_ACPI)
> extern  struct  dentry  **tpm_bios_log_setup
> <http://elixir.free-electrons.com/linux/v4.8.17/ident/tpm_bios_log_setup>(const  char  *);
> extern  void  tpm_bios_log_teardown
> <http://elixir.free-electrons.com/linux/v4.8.17/ident/tpm_bios_log_teardown>(struct  dentry  **);
> #else
> static  inline  struct  dentry  **tpm_bios_log_setup
> <http://elixir.free-electrons.com/linux/v4.8.17/ident/tpm_bios_log_setup>(const  char  *name)
> {
> 	return  NULL;
> }
> static  inline  void  tpm_bios_log_teardown
> <http://elixir.free-electrons.com/linux/v4.8.17/ident/tpm_bios_log_teardown>(struct  dentry  **dir <http://elixir.free-electrons.com/linux/v4.8.17/ident/dir>)
> {
> }
> #endif
>
> I wonder why other TPM can't use this feature ?
>
>

What version of TPM are you using ? TPM 1.2 or TPM 2.0 ?

Thanks & Regards,
       - Nayna

>
> Le lun. 12 juin 2017 à 09:36, Micka <mic...@gm...
> <mailto:mic...@gm...>> a écrit :
>
>     I just compiled the tools, but I don't have this folder :
>
>     /sys/kernel/security/tpm0
>
>
>     I have the folder:
>
>     /sys/class/tpm/tpm0/
>
>     I'm working with the kernel 4.4 .
>
>     I tried also :
>
>     ./ima_boot_aggregate
>     /sys/kernel/security/ima/binary_runtime_measurements
>     010 dc3bd4ee300406cd93181c5a2187b59b06000000
>     Error event too longPCR-00: 0000000000000000000000000000000000000000
>     PCR-01: 0000000000000000000000000000000000000000
>     PCR-02: 0000000000000000000000000000000000000000
>     PCR-03: 0000000000000000000000000000000000000000
>     PCR-04: 0000000000000000000000000000000000000000
>     PCR-05: 0000000000000000000000000000000000000000
>     PCR-06: 0000000000000000000000000000000000000000
>     PCR-07: 0000000000000000000000000000000000000000
>     boot_aggregate:9797edf8d0eed36b1cf92547816051c8af4e45ee
>
>
>     Le lun. 12 juin 2017 à 08:06, Nayna <na...@li...
>     <mailto:na...@li...>> a écrit :
>
>
>
>         On 06/10/2017 03:39 PM, Micka wrote:
>          > Thx, but my PCRS 0-7 are set to zero for the moment. I don't
>         have yet a
>          > secure boot. Is it the secure boot that provide the PCRS 0-7?
>          >
>
>         Trusted boot will provide PCRS 0-7.
>         Did you try to execute the ima-tests which I shared and verified ?
>
>         Thanks & Regards,
>                 - Nayna
>
>          >
>          > Micka,
>          >
>          > Le ven. 9 juin 2017 à 15:43, Nayna <na...@li...
>         <mailto:na...@li...>
>          > <mailto:na...@li...
>         <mailto:na...@li...>>> a écrit :
>          >
>          >
>          >
>          >     On 06/08/2017 02:25 PM, Micka wrote:
>          >      > Hi,
>          >      >
>          >      > I would like to know what boot aggregate measure means ?
>          >
>          >     It is an aggregated hash of PCRS 0-7.
>          >
>          >      >
>          >      > I have a problem, my PCR 10 is changing every time I
>         reboot my
>          >     device:
>          >      >
>          >      > 10 ddee6404dc3bd4ee300406cd93181c5a2187b59b ima-ng
>          >      > sha1:9797edf8d9eed36b1cf92547816a51c8af4e45ee
>         boot_aggregate
>          >      >
>          >
>          >     You can verify your boot_aggregate by using the test
>         scripts from
>          >     package ltp-ima-standalone-v2.tar.gz as available on:
>          > https://sourceforge.net/projects/linux-ima/
>          >
>          >     Steps to use it are specified in below link:
>          > http://linux-ima.sourceforge.net/linux-ima-measurements.html
>          >
>          >     Thanks & Regards,
>          >           - Nayna
>          >
>          >      > I have only activated: ima_audit=1
>          >      >
>          >      > Michael Musset,
>          >      >
>          >      >
>          >      >
>          >
>           ------------------------------------------------------------------------------
>          >      > Check out the vibrant tech community on one of the
>         world's most
>          >      > engaging tech sites, Slashdot.org!
>         http://sdm.link/slashdot
>          >      >
>          >      >
>          >      >
>          >      > _______________________________________________
>          >      > Linux-ima-user mailing list
>          >      > Lin...@li...
>         <mailto:Lin...@li...>
>          >     <mailto:Lin...@li...
>         <mailto:Lin...@li...>>
>          >      >
>         https://lists.sourceforge.net/lists/listinfo/linux-ima-user
>          >      >
>          >
>