* Auditing the TPM
@ 2008-01-03 19:22 Matt Anderson
2008-01-03 21:39 ` Steve Grubb
0 siblings, 1 reply; 3+ messages in thread
From: Matt Anderson @ 2008-01-03 19:22 UTC (permalink / raw)
To: linux-audit
I have been experimenting with the TPM and the TrouSerS package some and
have so far come up with this list of possible events that could be
interesting from a OS auditing perspective:
* Taking Ownership of the TPM
* Clearing Ownership
* Dis/Enabling the TPM
* Dis/Activating the TPM
* Recording PCR values
* Adjustments to PCR values
* Remote attestation connections/commands and their results
* Requests of the Public Endorsement Key (EK)
* Adjustments to the access controls on the EK
* Creating/Destroying the EK
* Changes to the TPM locked status (set/reset)
For some of these events it makes sense that the auditing would happen
in the TPM kernel driver, other events will need to be audited up in
user space to accurately capture all the important information. Has
anyone in this community begun looking at what TPM events are
interesting from an audit perspective?
thanks
-matt
^ permalink raw reply [flat|nested] 3+ messages in thread* Re: Auditing the TPM
2008-01-03 19:22 Auditing the TPM Matt Anderson
@ 2008-01-03 21:39 ` Steve Grubb
2008-01-03 23:22 ` Matt Anderson
0 siblings, 1 reply; 3+ messages in thread
From: Steve Grubb @ 2008-01-03 21:39 UTC (permalink / raw)
To: linux-audit
On Thursday 03 January 2008 14:22:45 Matt Anderson wrote:
> Has anyone in this community begun looking at what TPM events are
> interesting from an audit perspective?
Not that I know of. No one has contacted me for event types. Are there any
standards that define what is supposed to be audited?
-Steve
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: Auditing the TPM
2008-01-03 21:39 ` Steve Grubb
@ 2008-01-03 23:22 ` Matt Anderson
0 siblings, 0 replies; 3+ messages in thread
From: Matt Anderson @ 2008-01-03 23:22 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit
Steve Grubb wrote:
> On Thursday 03 January 2008 14:22:45 Matt Anderson wrote:
>> Has anyone in this community begun looking at what TPM events are
>> interesting from an audit perspective?
>
> Not that I know of. No one has contacted me for event types. Are there any
> standards that define what is supposed to be audited?
The Trusted Computing Group spec 1.2 allow for auditing events that the
TPM processes, but it only says that the owner should be able to set
which events get audited and which shouldn't, suggesting "There will be
a very limited number of audited commands, most likely those commands
that provide identities and control of the TPM. Commands such as unseal
would not be audited, they would use the logging functions of a
transport session."
Other than that spec I am unaware of other standards that might be
applicable. I will investigate that further, but if anyone can think of
any please let me know.
-matt
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2008-01-03 23:22 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2008-01-03 19:22 Auditing the TPM Matt Anderson
2008-01-03 21:39 ` Steve Grubb
2008-01-03 23:22 ` Matt Anderson
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox