From: Tushar Sugandhi <tusharsu@linux.microsoft.com>
To: zohar@linux.ibm.com, noodles@fb.com, bauermann@kolabnow.com,
ebiederm@xmission.com, bhe@redhat.com, vgoyal@redhat.com,
dyoung@redhat.com, peterhuewe@gmx.de, jarkko@kernel.org,
jgg@ziepe.ca, kexec@lists.infradead.org,
linux-integrity@vger.kernel.org
Cc: code@tyhicks.com, nramas@linux.microsoft.com, paul@paul-moore.com
Subject: [PATCH 3/6] ima: get TPM update counter
Date: Tue, 1 Aug 2023 11:19:14 -0700 [thread overview]
Message-ID: <20230801181917.8535-4-tusharsu@linux.microsoft.com> (raw)
In-Reply-To: <20230801181917.8535-1-tusharsu@linux.microsoft.com>
Measuring the TPM PCR update counter will help the remote attestation
service to validate if there are any missing entries in the IMA log, when
the system goes through certain important state changes (e.g. kexec soft
boot, IMA log snapshotting etc.). Detecting such missing entries would
help the remote attestation service functionality to be more robust.
It should also help the system administrators with manual investigations
when TPM PCR quotes go out of sync with IMA measurements.
Implement a new function, 'ima_tpm_get_update_counter()', which uses
the 'tpm_pcr_get_update_counter()' function from the TPM driver interface
to retrieve the PCR update counter of the TPM chip in use.
Signed-off-by: Tushar Sugandhi <tusharsu@linux.microsoft.com>
---
security/integrity/ima/ima.h | 1 +
security/integrity/ima/ima_queue.c | 16 ++++++++++++++++
2 files changed, 17 insertions(+)
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index c29db699c996..4acd0e5a830f 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -167,6 +167,7 @@ void ima_init_template_list(void);
int __init ima_init_digests(void);
int ima_lsm_policy_change(struct notifier_block *nb, unsigned long event,
void *lsm_data);
+int ima_tpm_get_update_counter(u32 *cpu_update_counter);
/*
* used to protect h_table and sha_table
diff --git a/security/integrity/ima/ima_queue.c b/security/integrity/ima/ima_queue.c
index 532da87ce519..38f5c35b23b2 100644
--- a/security/integrity/ima/ima_queue.c
+++ b/security/integrity/ima/ima_queue.c
@@ -135,6 +135,22 @@ unsigned long ima_get_binary_runtime_size(void)
return binary_runtime_size + sizeof(struct ima_kexec_hdr);
}
+int ima_tpm_get_update_counter(u32 *update_counter)
+{
+ int result;
+
+ if (!update_counter)
+ return -EINVAL;
+
+ result = tpm_pcr_get_update_counter(ima_tpm_chip,
+ CONFIG_IMA_MEASURE_PCR_IDX, TPM_ALG_SHA1, update_counter);
+
+ if (result != 0)
+ pr_err("Failed to get TPM PCR update counter, result: %d\n", result);
+
+ return result;
+}
+
static int ima_pcr_extend(struct tpm_digest *digests_arg, int pcr)
{
int result = 0;
--
2.25.1
_______________________________________________
kexec mailing list
kexec@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/kexec
next prev parent reply other threads:[~2023-08-01 18:19 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-08-01 18:19 [PATCH 0/6] Measuring TPM update counter in IMA Tushar Sugandhi
2023-08-01 18:19 ` [PATCH 1/6] tpm: implement TPM2 function to get update counter Tushar Sugandhi
2023-08-01 19:02 ` Jarkko Sakkinen
2023-08-01 21:01 ` Tushar Sugandhi
2023-08-02 3:58 ` Jarkko Sakkinen
2023-08-02 21:04 ` Tushar Sugandhi
2023-08-03 8:43 ` Jarkko Sakkinen
2023-08-03 19:30 ` Tushar Sugandhi
2023-08-03 1:22 ` Mimi Zohar
2023-08-03 8:57 ` Jarkko Sakkinen
2023-08-03 19:33 ` Tushar Sugandhi
2023-08-03 19:31 ` Tushar Sugandhi
2023-08-01 18:19 ` [PATCH 2/6] tpm: provide functionality " Tushar Sugandhi
2023-08-01 18:19 ` Tushar Sugandhi [this message]
2023-08-01 18:19 ` [PATCH 4/6] ima: implement functionality to measure TPM " Tushar Sugandhi
2023-08-03 21:42 ` Mimi Zohar
2023-08-03 23:01 ` Tushar Sugandhi
2023-08-04 1:22 ` Mimi Zohar
2023-08-04 17:13 ` Tushar Sugandhi
2023-08-01 18:19 ` [PATCH 5/6] ima: measure TPM update counter at ima_init Tushar Sugandhi
2023-08-03 22:15 ` Mimi Zohar
2023-08-03 23:34 ` Tushar Sugandhi
2023-08-04 1:18 ` Mimi Zohar
2023-08-04 17:11 ` Tushar Sugandhi
2023-08-01 18:19 ` [PATCH 6/6] kexec: measure TPM update counter in ima log at kexec load Tushar Sugandhi
2023-08-03 13:37 ` [PATCH 0/6] Measuring TPM update counter in IMA Stefan Berger
2023-08-03 21:45 ` Tushar Sugandhi
[not found] ` <cb2029b8-d585-1c06-a0ac-15624cf70e28@linux.microsoft.com>
2023-08-03 22:09 ` Stefan Berger
2023-08-03 22:36 ` Mimi Zohar
2023-08-03 22:55 ` Stefan Berger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230801181917.8535-4-tusharsu@linux.microsoft.com \
--to=tusharsu@linux.microsoft.com \
--cc=bauermann@kolabnow.com \
--cc=bhe@redhat.com \
--cc=code@tyhicks.com \
--cc=dyoung@redhat.com \
--cc=ebiederm@xmission.com \
--cc=jarkko@kernel.org \
--cc=jgg@ziepe.ca \
--cc=kexec@lists.infradead.org \
--cc=linux-integrity@vger.kernel.org \
--cc=noodles@fb.com \
--cc=nramas@linux.microsoft.com \
--cc=paul@paul-moore.com \
--cc=peterhuewe@gmx.de \
--cc=vgoyal@redhat.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox