Re: [PATCH] security: Fix IMA Kconfig for dependencies on ARM64

[James Bottomley <James.Bottomley@HansenPartnership.com>]

On Wed, 2018-03-14 at 13:08 -0400, Mimi Zohar wrote:
> On Wed, 2018-03-14 at 07:41 -0700, James Bottomley wrote:
[...]
> > What about a compromise: we
> > already get the boot loader to do measurements and PCR extensions
> > using the BIOS TPM driver, there's no reason why we can't do the
> > same in the early kernel until a real TPM driver is found.
> 
> Your proposal requires changes to the existing boot loaders, not all
> of which are X86 based.

I don't believe it does, see below.

>   Grub, to the best of my knowledge, is not interested in having
> anything to do with TPM based measurements.  Many attempts have been
> made to upstream trusted boot patches, but none have been accepted. 

Just for the sake of accuracy, even though it has nothing to do with
the current proposal, grub does actually measure the booting
components.  It does this via a shim protocol trick, so when grub
passes the kernel to shim to verify the signature, shim also stores its
measurement in the TPM boot log.

>  Any support would need to piggyback on the callback hooks introduced
> for secure boot and then be carried by the distros.

Right, that's how it does actually work today.

This is more or less what made me think of the compromise: the way shim
does measurements is using the EFI TPM protocol.  Although this is
technically a boot time UEFI driver, we can make it serve us until
we're ready to load the real TPM driver, so we could write measurements
to a PCR without any kernel drivers loaded.

> As for Linux based boot loaders, the driver needs to be builtin for
> these measurements.  So this wouldn't help you.
> 
> > 
> > That way IMA would have no dependency on any built in TPM driver
> > ... is that an acceptable compromise to everyone?
> 
> Adding additional support for post IMA-initialization for TPM's built
> as kernel modules is clearly not optimal for all of the reasons
> provided to now and will be confusing, but could be supported.  This
> delayed loading of the TPM needs to be clearly indicated in both the
> audit log and in IMA's measurement list.

Why if the measurement chain isn't broken?  The way I'm thinking of
implementing it, IMA wouldn't even know.  What would happen is that a
NULL tpm chip in tpm_pcr_read/tpm_pcr_extend would trigger the usual
search for the first TPM but if none were found and we'd booted on an
EFI system, we'd just use the EFI driver to do perform the operation.

There's probably a bit of additional subtlety making the kernel and EFI
agree which TPM they're using in a multi-TPM situation.

The EFI driver isn't full featured: it only does measurement and
logging, but it looks like that's all IMA needs.

James

> In terms of attestation, if a measurement policy is enabled before
> the TPM is loaded, any records up to the delayed TPM entry in the IMA
> measurement list would need to be ignored.
> 
> In addition, your changes should not in any way change the existing
> IMA-measurement initialization.
> 
> Mimi
>