From: Mimi Zohar <zohar@linux.ibm.com>
To: Stefan Berger <stefanb@linux.ibm.com>,
Tushar Sugandhi <tusharsu@linux.microsoft.com>,
noodles@fb.com, bauermann@kolabnow.com, ebiederm@xmission.com,
bhe@redhat.com, vgoyal@redhat.com, dyoung@redhat.com,
peterhuewe@gmx.de, jarkko@kernel.org, jgg@ziepe.ca,
kexec@lists.infradead.org, linux-integrity@vger.kernel.org
Cc: code@tyhicks.com, nramas@linux.microsoft.com, paul@paul-moore.com
Subject: Re: [PATCH 0/6] Measuring TPM update counter in IMA
Date: Thu, 03 Aug 2023 18:36:53 -0400
Message-ID: <d51cd6959472885a59fc13b863b71f2157fc8f65.camel@linux.ibm.com>
In-Reply-To: <a4a5e40b-abc1-27fa-3984-cee18fb4522c@linux.ibm.com>
On Thu, 2023-08-03 at 18:09 -0400, Stefan Berger wrote:
> > I can remove the kexec example if it is causing confusion.
> > Please let me know.
>
> I am not convinced we need this series ... :-( Your kexec series prevents
> further logging and especially PCR extensions after the frozen measurement log
> has been created and in ima_add_template_entry(), if we hit an oom condition,
> then we luckily do not extend the PCR either. If either the log was to have one
> more entry than number PCR extensions occurred or vice versa, then the remote
> attestation service will see this mismatch no matter what and all the PCR update
> counter won't help (and is generally not a good indicator for this purpose imo)
> for it to recover from this. It's better to declare the system as un-trusted/
> corrupted in this case then.
As previously mentioned, there is a patch set that doesn't carry any
records across kexec, if the measurement list is too large, and
another proposal to trim the measurement list.
In both of these cases including a new IMA measurement record, at least
after the boot_aggregate, would help simplify detecting whether the
measurement list has been trimmed/truncated.
--
thanks,
Mimi
_______________________________________________
kexec mailing list
kexec@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/kexec
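The thread argues about two ways a verifier can notice that an IMA measurement list no longer matches what was extended into the TPM: replaying the log against the quoted PCR, and (the point of the series) checking a record that carries the TPM's PCR update counter. The following is an added illustration, not code from the series, the kernel or any participant in the thread. It models one SHA-256 PCR, treats the template hash as SHA-256 over constructed template data, and uses a counter that is incremented only by this log's extends (a real TPM2 pcrUpdateCounter advances on every PCR update, so a real verifier needs a baseline); the record name `tpm_update_counter`, the function names and all sample entries are constructed for the example.

```python
"""Added example: replaying a toy IMA log against a simulated PCR, plus a
constructed counter record, to show how a truncated or trimmed log is detected.
Simplifications (assumptions): one PCR, one SHA-256 bank, template hash is
SHA-256 over the raw template data, and the simulated update counter counts
only this log's extends."""
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple

DIGEST_LEN = hashlib.sha256().digest_size
COUNTER_RECORD = "tpm_update_counter"  # hypothetical record name, not IMA's


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class SimTPM:
    """One PCR plus a counter incremented on every extend (simplified model)."""

    def __init__(self) -> None:
        self.pcr = b"\x00" * DIGEST_LEN
        self.update_counter = 0

    def extend(self, digest: bytes) -> None:
        assert len(digest) == DIGEST_LEN
        self.pcr = sha256(self.pcr + digest)
        self.update_counter += 1


@dataclass
class Entry:
    name: str
    template_data: bytes

    @property
    def template_hash(self) -> bytes:
        return sha256(self.template_data)


def measure(tpm: SimTPM, log: List[Entry], name: str, data: bytes) -> None:
    """Kernel side: append a log record and extend the PCR with its template hash."""
    entry = Entry(name, data)
    tpm.extend(entry.template_hash)
    log.append(entry)


def measure_counter(tpm: SimTPM, log: List[Entry]) -> None:
    """Kernel side: record the counter value the TPM reports before this extend."""
    counter = tpm.update_counter
    measure(tpm, log, COUNTER_RECORD, counter.to_bytes(8, "little"))


def replay_pcr(log: List[Entry]) -> bytes:
    """Verifier side: recompute the PCR from the log alone."""
    pcr = b"\x00" * DIGEST_LEN
    for entry in log:
        pcr = sha256(pcr + entry.template_hash)
    return pcr


def pcr_matches(log: List[Entry], quoted_pcr: bytes) -> bool:
    """Verifier side: the classic check; any dropped or added entry breaks it."""
    return replay_pcr(log) == quoted_pcr


def missing_before_counter_record(log: List[Entry]) -> Optional[int]:
    """Verifier side: in this model a counter record must sit at index == value.
    Returns how many entries are missing before the first inconsistent counter
    record, or None if every counter record is consistent with its position."""
    for idx, entry in enumerate(log):
        if entry.name == COUNTER_RECORD:
            recorded = int.from_bytes(entry.template_data, "little")
            if recorded != idx:
                return recorded - idx
    return None


def build_log() -> Tuple[SimTPM, List[Entry]]:
    """Constructed sample: boot_aggregate, a counter record, two files, a second
    counter record (standing in for the one taken at kexec load)."""
    tpm = SimTPM()
    log: List[Entry] = []
    measure(tpm, log, "boot_aggregate", b"boot_aggregate:constructed")
    measure_counter(tpm, log)
    measure(tpm, log, "/init", b"init:constructed")
    measure(tpm, log, "/usr/bin/foo", b"foo:constructed")
    measure_counter(tpm, log)
    return tpm, log


if __name__ == "__main__":
    tpm, log = build_log()
    truncated = log[:-1]            # tail dropped after the last counter record
    trimmed = log[:2] + log[3:]     # "/init" removed from the middle
    for label, candidate in (("full", log), ("truncated", truncated), ("trimmed", trimmed)):
        print(label, "replay ok:", pcr_matches(candidate, tpm.pcr),
              "missing before counter record:", missing_before_counter_record(candidate))
```

Running the block shows the two checks are not equivalent: PCR replay fails for both the truncated and the trimmed log, while the counter-record check only reports a gap when entries were dropped before a counter record (the trimmed case, where it also says how many are missing) and is silent when the tail after the last counter record is cut. That is the division of labour the thread is discussing: replay tells the verifier that something is wrong, the counter record helps locate where entries went missing.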
Thread overview: 30+ messages
2023-08-01 18:19 [PATCH 0/6] Measuring TPM update counter in IMA Tushar Sugandhi
2023-08-01 18:19 ` [PATCH 1/6] tpm: implement TPM2 function to get update counter Tushar Sugandhi
2023-08-01 19:02 ` Jarkko Sakkinen
2023-08-01 21:01 ` Tushar Sugandhi
2023-08-02 3:58 ` Jarkko Sakkinen
2023-08-02 21:04 ` Tushar Sugandhi
2023-08-03 8:43 ` Jarkko Sakkinen
2023-08-03 19:30 ` Tushar Sugandhi
2023-08-03 1:22 ` Mimi Zohar
2023-08-03 8:57 ` Jarkko Sakkinen
2023-08-03 19:33 ` Tushar Sugandhi
2023-08-03 19:31 ` Tushar Sugandhi
2023-08-01 18:19 ` [PATCH 2/6] tpm: provide functionality " Tushar Sugandhi
2023-08-01 18:19 ` [PATCH 3/6] ima: get TPM " Tushar Sugandhi
2023-08-01 18:19 ` [PATCH 4/6] ima: implement functionality to measure " Tushar Sugandhi
2023-08-03 21:42 ` Mimi Zohar
2023-08-03 23:01 ` Tushar Sugandhi
2023-08-04 1:22 ` Mimi Zohar
2023-08-04 17:13 ` Tushar Sugandhi
2023-08-01 18:19 ` [PATCH 5/6] ima: measure TPM update counter at ima_init Tushar Sugandhi
2023-08-03 22:15 ` Mimi Zohar
2023-08-03 23:34 ` Tushar Sugandhi
2023-08-04 1:18 ` Mimi Zohar
2023-08-04 17:11 ` Tushar Sugandhi
2023-08-01 18:19 ` [PATCH 6/6] kexec: measure TPM update counter in ima log at kexec load Tushar Sugandhi
2023-08-03 13:37 ` [PATCH 0/6] Measuring TPM update counter in IMA Stefan Berger
2023-08-03 21:45 ` Tushar Sugandhi
[not found] ` <cb2029b8-d585-1c06-a0ac-15624cf70e28@linux.microsoft.com>
2023-08-03 22:09 ` Stefan Berger
2023-08-03 22:36 ` Mimi Zohar [this message]
2023-08-03 22:55 ` Stefan Berger