From: Matt Anderson
Subject: Auditing the TPM
Date: Thu, 03 Jan 2008 14:22:45 -0500
Message-ID: <477D3605.5080406@hp.com>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

I have been experimenting with the TPM and the TrouSerS package some and have so far come up with this list of possible events that could be interesting from an OS auditing perspective:

* Taking Ownership of the TPM
* Clearing Ownership
* Dis/Enabling the TPM
* Dis/Activating the TPM
* Recording PCR values
* Adjustments to PCR values
* Remote attestation connections/commands and their results
* Requests of the Public Endorsement Key (EK)
* Adjustments to the access controls on the EK
* Creating/Destroying the EK
* Changes to the TPM locked status (set/reset)

For some of these events it makes sense that the auditing would happen in the TPM kernel driver; other events will need to be audited up in user space to accurately capture all the important information.

Has anyone in this community begun looking at what TPM events are interesting from an audit perspective?

thanks
-matt
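As an added illustration of the user-space side of what the post proposes (this is example code written for this page, not code from the post, from TrouSerS or from the kernel driver), the following classifies raw TPM 1.2 command and response frames, as a user-space daemon would see them on the way to /dev/tpm0, into the event classes listed above and pairs each with its result code. The header layout (tag, paramSize, ordinal/returnCode, big-endian) and the TPM_Extend body layout follow the TPM 1.2 Main Specification Part 2; the ordinal values in the map are quoted from memory of that specification and should be checked against it before being relied on. The sample frames are constructed for the example.

```python
import struct
from typing import Optional

# TPM 1.2 request/response tags (TPM Main Spec Part 2).
TPM_TAG_RQU_COMMAND = 0x00C1        # no authorization session
TPM_TAG_RQU_AUTH1_COMMAND = 0x00C2  # one authorization session
TPM_TAG_RQU_AUTH2_COMMAND = 0x00C3  # two authorization sessions
REQUEST_TAGS = {TPM_TAG_RQU_COMMAND, TPM_TAG_RQU_AUTH1_COMMAND, TPM_TAG_RQU_AUTH2_COMMAND}
RESPONSE_TAGS = {0x00C4, 0x00C5, 0x00C6}

# Ordinal -> (command name, audit event class from the list in the post).
# Assumption: values recalled from the TPM 1.2 Part 2 ordinal table; verify
# them against the specification before using this map for real auditing.
AUDITED_ORDINALS = {
    0x0D: ("TPM_TakeOwnership", "ownership-take"),
    0x5B: ("TPM_OwnerClear", "ownership-clear"),
    0x5D: ("TPM_ForceClear", "ownership-clear"),
    0x6F: ("TPM_PhysicalEnable", "enable-disable"),
    0x70: ("TPM_PhysicalDisable", "enable-disable"),
    0x72: ("TPM_PhysicalSetDeactivated", "activate-deactivate"),
    0x14: ("TPM_Extend", "pcr-adjust"),
    0x15: ("TPM_PcrRead", "pcr-read"),
    0x16: ("TPM_Quote", "attestation"),
    0x7C: ("TPM_ReadPubek", "ek-read"),
    0x7E: ("TPM_DisablePubekRead", "ek-access-control"),
    0x78: ("TPM_CreateEndorsementKeyPair", "ek-create"),
}

# Every TPM 1.2 frame starts with tag (UINT16), paramSize (UINT32) and then the
# ordinal (request) or returnCode (response), all big-endian: 10 bytes total.
HEADER = struct.Struct(">HII")
TPM_EXTEND = 0x14


def parse_request(frame: bytes) -> dict:
    """Classify one request frame into an audit record; reject malformed frames."""
    if len(frame) < HEADER.size:
        raise ValueError("frame shorter than the 10-byte TPM header")
    tag, size, ordinal = HEADER.unpack_from(frame)
    if tag not in REQUEST_TAGS:
        raise ValueError(f"not a request tag: {tag:#06x}")
    if size != len(frame):
        # A paramSize that disagrees with the frame is itself worth logging;
        # this example simply refuses to classify such a frame.
        raise ValueError(f"paramSize {size} does not match frame length {len(frame)}")
    name, event = AUDITED_ORDINALS.get(ordinal, (f"ordinal_{ordinal:#x}", None))
    record = {"ordinal": ordinal, "name": name, "event": event,
              "auth_sessions": tag - TPM_TAG_RQU_COMMAND}
    if ordinal == TPM_EXTEND and size >= HEADER.size + 4 + 20:
        # TPM_Extend body: pcrNum (UINT32) followed by the 20-byte SHA-1 inDigest.
        record["pcr"] = struct.unpack_from(">I", frame, HEADER.size)[0]
        record["digest"] = frame[HEADER.size + 4:HEADER.size + 24].hex()
    return record


def parse_response(frame: bytes) -> dict:
    """Extract the result of a command so the audit record can carry it."""
    if len(frame) < HEADER.size:
        raise ValueError("frame shorter than the 10-byte TPM header")
    tag, size, rc = HEADER.unpack_from(frame)
    if tag not in RESPONSE_TAGS or size != len(frame):
        raise ValueError("malformed response frame")
    return {"return_code": rc, "success": rc == 0}  # TPM_SUCCESS is 0


def audit_record(request: bytes, response: bytes) -> Optional[dict]:
    """Pair a request with its response; None for commands not on the audit list."""
    rec = parse_request(request)
    if rec["event"] is None:
        return None
    rec.update(parse_response(response))
    return rec


def format_audit_line(rec: dict) -> str:
    """Render key=value pairs in the style of an audit log line."""
    return "type=TPM " + " ".join(f"{k}={v}" for k, v in rec.items())


def build_request(tag: int, ordinal: int, body: bytes = b"") -> bytes:
    """Helper used only to construct the sample frames for this example."""
    return HEADER.pack(tag, HEADER.size + len(body), ordinal) + body


# Constructed samples: an extend of PCR 10 with a dummy digest, and a success
# response with an empty body.
SAMPLE_EXTEND = build_request(TPM_TAG_RQU_COMMAND, TPM_EXTEND,
                              struct.pack(">I", 10) + bytes(range(20)))
SAMPLE_OK = HEADER.pack(0x00C4, HEADER.size, 0)

if __name__ == "__main__":
    print(format_audit_line(audit_record(SAMPLE_EXTEND, SAMPLE_OK)))
```

The split between `parse_request` and `parse_response` mirrors the point in the post about capturing "commands and their results": the ordinal alone tells you what was attempted, but only the paired return code tells you whether, say, an ownership change or a quote actually succeeded, so the audit record is emitted only once both halves are in hand.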