[PATCH] tpm add default function definitions

[PATCH] tpm add default function definitions

[Mimi Zohar]

Add default tpm_pcr_read/extend function definitions required
by IMA/Kconfig changes.

Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
Cc: Stable Kernel <stable@kernel.org>
---
 include/linux/tpm.h |    7 +++++++
 1 files changed, 7 insertions(+), 0 deletions(-)

diff --git a/include/linux/tpm.h b/include/linux/tpm.h
index 3338b3f..8eaa8f8 100644
--- a/include/linux/tpm.h
+++ b/include/linux/tpm.h
@@ -31,5 +31,12 @@
 
 extern int tpm_pcr_read(u32 chip_num, int pcr_idx, u8 *res_buf);
 extern int tpm_pcr_extend(u32 chip_num, int pcr_idx, const u8 *hash);
+#else
+static inline int tpm_pcr_read(u32 chip_num, int pcr_idx, u8 *res_buf) {
+	return -ENODEV;
+}
+static inline int tpm_pcr_extend(u32 chip_num, int pcr_idx, const u8 *hash) {
+	return -ENODEV;
+}
 #endif
 #endif
-- 
1.6.0.6

[PATCH] ima: remove ACPI dependency

[Mimi Zohar]

Remove ACPI dependency on systems without a TPM enabled.

Reported-by: Jean-Christophe Dubois <jcd@tribudubois.net>
Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
Acked-by: Jean-Christophe Dubois <jcd@tribudubois.net>
Cc: Stable Kernel <stable@kernel.org>
---
 security/integrity/ima/Kconfig |   17 +++++++----------
 1 files changed, 7 insertions(+), 10 deletions(-)

diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
index 3d7846d..3ca39e7 100644
--- a/security/integrity/ima/Kconfig
+++ b/security/integrity/ima/Kconfig
@@ -2,15 +2,12 @@
 #
 config IMA
 	bool "Integrity Measurement Architecture(IMA)"
-	depends on ACPI
-	depends on SECURITY
 	select SECURITYFS
 	select CRYPTO
 	select CRYPTO_HMAC
 	select CRYPTO_MD5
 	select CRYPTO_SHA1
-	select TCG_TPM
-	select TCG_TIS
+	select ACPI if TCG_TPM
 	help
 	  The Trusted Computing Group(TCG) runtime Integrity
 	  Measurement Architecture(IMA) maintains a list of hash
@@ -19,12 +16,12 @@ config IMA
 	  to change the contents of an important system file
 	  being measured, we can tell.
 
-	  If your system has a TPM chip, then IMA also maintains
-	  an aggregate integrity value over this list inside the
-	  TPM hardware, so that the TPM can prove to a third party
-	  whether or not critical system files have been modified.
-	  Read <http://www.usenix.org/events/sec04/tech/sailer.html>
-	  to learn more about IMA.
+	  If your system has a TPM chip, and it is enabled, then
+	  IMA also maintains an aggregate integrity value over
+	  this list inside the TPM hardware, so that the TPM can
+	  prove to a third party whether or not critical system
+	  files have been modified. To learn more about IMA, read
+	  <http://www.usenix.org/events/sec04/tech/sailer.html>
 	  If unsure, say N.
 
 config IMA_MEASURE_PCR_IDX
-- 
1.6.0.6

Re: [PATCH] ima: remove ACPI dependency

[Eric Paris]

On Mon, Oct 26, 2009 at 9:26 AM, Mimi Zohar <zohar@linux.vnet.ibm.com> wrote:
> Remove ACPI dependency on systems without a TPM enabled.

I'm confused why you need ACPI at all.  The TPM code doesn't require
ACPI (I wish it did but Alan Cox Nak'd that patch).  I don't see acpi
anywhere in the ima code.  What's the problem we are solving?  Why
does IMA care about ACPI at all?  And aren't you really just dropping
the build requirement on TCG_TPM?  Is that a great idea?

-Eric

Re: [PATCH] ima: remove ACPI dependency

[David Safford]

On Tue, 2009-10-27 at 09:58 -0400, Eric Paris wrote:
> On Mon, Oct 26, 2009 at 9:26 AM, Mimi Zohar <zohar@linux.vnet.ibm.com> wrote:
> > Remove ACPI dependency on systems without a TPM enabled.
> 
> I'm confused why you need ACPI at all.  The TPM code doesn't require
> ACPI (I wish it did but Alan Cox Nak'd that patch).  I don't see acpi
> anywhere in the ima code.  What's the problem we are solving?  Why
> does IMA care about ACPI at all?  And aren't you really just dropping
> the build requirement on TCG_TPM?  Is that a great idea?
> 
> -Eric

This is discussed in the LSM thread:
http://marc.info/?l=linux-security-module&m=125322062401677&w=2

Basically, if running on a system with a TPM, IMA wants the TPM
boot measurement log, which the TPM driver can only get through
ACPI. If the platform does not have a TPM, then IMA does not 
need ACPI. 

dave

Re: [PATCH] ima: remove ACPI dependency

[Eric Paris]

On Tue, 2009-10-27 at 11:59 -0400, David Safford wrote:
> On Tue, 2009-10-27 at 09:58 -0400, Eric Paris wrote:
> > On Mon, Oct 26, 2009 at 9:26 AM, Mimi Zohar <zohar@linux.vnet.ibm.com> wrote:
> > > Remove ACPI dependency on systems without a TPM enabled.
> > 
> > I'm confused why you need ACPI at all.  The TPM code doesn't require
> > ACPI (I wish it did but Alan Cox Nak'd that patch).  I don't see acpi
> > anywhere in the ima code.  What's the problem we are solving?  Why
> > does IMA care about ACPI at all?  And aren't you really just dropping
> > the build requirement on TCG_TPM?  Is that a great idea?
> > 
> > -Eric
> 
> This is discussed in the LSM thread:
> http://marc.info/?l=linux-security-module&m=125322062401677&w=2
> 
> Basically, if running on a system with a TPM, IMA wants the TPM
> boot measurement log, which the TPM driver can only get through
> ACPI. If the platform does not have a TPM, then IMA does not 
> need ACPI.

I'm afraid I'm not seeing the connection.  Where does IMA gets the boot
measurement log?  I see that the TPM exports that log in securityfs as 2
files (ascii and binary) in tpm_bios.c but I don't see how IMA ever
makes use of that log either internally to the kernel or through the
securityfs files.

If I'm missing it, and IMA is getting and making use of the bios boot
log I think we need to instead make the TPM code send a reasonable
failure code without ACPI and IMA should be changed to handle it.  I
really don't like the obscure ACPI requirement.

-Eric

Re: [PATCH] ima: remove ACPI dependency

[David Safford]

On Tue, 2009-10-27 at 12:36 -0400, Eric Paris wrote:
> On Tue, 2009-10-27 at 11:59 -0400, David Safford wrote:
> > Basically, if running on a system with a TPM, IMA wants the TPM
> > boot measurement log, which the TPM driver can only get through
> > ACPI. If the platform does not have a TPM, then IMA does not 
> > need ACPI.
> 
> I'm afraid I'm not seeing the connection.  Where does IMA gets the boot
> measurement log?  I see that the TPM exports that log in securityfs as 2
> files (ascii and binary) in tpm_bios.c but I don't see how IMA ever
> makes use of that log either internally to the kernel or through the
> securityfs files.
> 
sorry - bad explanation. IMA reads PCR 0-7, and combines them into
a single "boot_aggregate" as the first entry in the IMA list. For full
attestation, a user level program needs access to both IMA's
boot aggregate, and to the detailed TPM event log upon which
the aggregate is based. So IMA does not itself access the logs,
but the boot aggregate is less useful without them.

As a separate issue, IMA requires the TPM driver to be compiled in
(not loaded as a module) so it is available at IMA initialization, and
the driver apparently requires ACPI in this case. I believe Rajiv
will comment more on this.

dave

> If I'm missing it, and IMA is getting and making use of the bios boot
> log I think we need to instead make the TPM code send a reasonable
> failure code without ACPI and IMA should be changed to handle it.  I
> really don't like the obscure ACPI requirement.

> -Eric

Re: [PATCH] ima: remove ACPI dependency

[Eric Paris]

On Tue, 2009-10-27 at 16:42 -0400, David Safford wrote:
> On Tue, 2009-10-27 at 12:36 -0400, Eric Paris wrote:
> > On Tue, 2009-10-27 at 11:59 -0400, David Safford wrote:
> > > Basically, if running on a system with a TPM, IMA wants the TPM
> > > boot measurement log, which the TPM driver can only get through
> > > ACPI. If the platform does not have a TPM, then IMA does not 
> > > need ACPI.
> > 
> > I'm afraid I'm not seeing the connection.  Where does IMA gets the boot
> > measurement log?  I see that the TPM exports that log in securityfs as 2
> > files (ascii and binary) in tpm_bios.c but I don't see how IMA ever
> > makes use of that log either internally to the kernel or through the
> > securityfs files.
> > 
> sorry - bad explanation. IMA reads PCR 0-7, and combines them into
> a single "boot_aggregate" as the first entry in the IMA list. For full
> attestation, a user level program needs access to both IMA's
> boot aggregate, and to the detailed TPM event log upon which
> the aggregate is based. So IMA does not itself access the logs,
> but the boot aggregate is less useful without them.

So users of IMA in userspace may want TPM.  Shouldn't the kernel really
have this as a depends/select in the TPM code?  This isn't IMA specific,
it's TPM specific.  Obviously I'm not a fan of the spurious ACPI
requirement in the IMA code.  How about a 'CONFIG_TPM_BIOS_LOG' or
something which selects ACPI?  We'll see what Rajiv thinks.

> As a separate issue, IMA requires the TPM driver to be compiled in
> (not loaded as a module) so it is available at IMA initialization, and
> the driver apparently requires ACPI in this case. I believe Rajiv
> will comment more on this.

I know it's required to be built in.  Didn't know that required ACPI,
but if so, that's a good reason to push this to the TPM code and get it
out of the IMA code....

Re: [PATCH] ima: remove ACPI dependency

[Rajiv Andrade]

Eric Paris wrote:
> On Tue, 2009-10-27 at 16:42 -0400, David Safford wrote:
>   
>> On Tue, 2009-10-27 at 12:36 -0400, Eric Paris wrote:
>>     
>>> On Tue, 2009-10-27 at 11:59 -0400, David Safford wrote:
>>>       
>>>> Basically, if running on a system with a TPM, IMA wants the TPM
>>>> boot measurement log, which the TPM driver can only get through
>>>> ACPI. If the platform does not have a TPM, then IMA does not 
>>>> need ACPI.
>>>>         
>>> I'm afraid I'm not seeing the connection.  Where does IMA gets the boot
>>> measurement log?  I see that the TPM exports that log in securityfs as 2
>>> files (ascii and binary) in tpm_bios.c but I don't see how IMA ever
>>> makes use of that log either internally to the kernel or through the
>>> securityfs files.
>>>
>>>       
>> sorry - bad explanation. IMA reads PCR 0-7, and combines them into
>> a single "boot_aggregate" as the first entry in the IMA list. For full
>> attestation, a user level program needs access to both IMA's
>> boot aggregate, and to the detailed TPM event log upon which
>> the aggregate is based. So IMA does not itself access the logs,
>> but the boot aggregate is less useful without them.
>>     
>
> So users of IMA in userspace may want TPM.  Shouldn't the kernel really
> have this as a depends/select in the TPM code?  This isn't IMA specific,
> it's TPM specific.  Obviously I'm not a fan of the spurious ACPI
> requirement in the IMA code.  How about a 'CONFIG_TPM_BIOS_LOG' or
> something which selects ACPI?  We'll see what Rajiv thinks.
>
>   
I like it, makes no sense to make IMA depend on ACPI just because a
lower layer does instead of making depend on this layer itself (the
TCG_TPM).
>> As a separate issue, IMA requires the TPM driver to be compiled in
>> (not loaded as a module) so it is available at IMA initialization, and
>> the driver apparently requires ACPI in this case. I believe Rajiv
>> will comment more on this.
>>     
>
> I know it's required to be built in.  Didn't know that required ACPI,
> but if so, that's a good reason to push this to the TPM code and get it
> out of the IMA code....
>
>   
The tpm.c code doesn't depend on ACPI actually, tpm_bios.c functions
called there have their proper dummy stubs in tpm.h in case ACPI isn't
selected.

However, by default, TPM_TIS depends on PNP to register the device,
which depends on ISA || ACPI. What's wrong there is that the device can
also be registered as a platform device providing the force module
option, therefore not requiring any of the PNP functions and structs,
and still needs PNP to be built due the Kconfig 'depends on PNP' entry.

On the attempt to push ACPI/PNP dependency into TPM code, I'm willing to
make the force option's default value and the PNP related code depend on
CONFIG_PNP and remove the PNP dependency in Kconfig.

Thanks,
Rajiv

Re: [PATCH] tpm add default function definitions

[Rajiv Andrade]

Acked-by: Rajiv Andrade <srajiv@linux.vnet.ibm.com>

Mimi Zohar wrote:
> Add default tpm_pcr_read/extend function definitions required
> by IMA/Kconfig changes.
>
> Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
> Cc: Stable Kernel <stable@kernel.org>
> ---
>  include/linux/tpm.h |    7 +++++++
>  1 files changed, 7 insertions(+), 0 deletions(-)
>
> diff --git a/include/linux/tpm.h b/include/linux/tpm.h
> index 3338b3f..8eaa8f8 100644
> --- a/include/linux/tpm.h
> +++ b/include/linux/tpm.h
> @@ -31,5 +31,12 @@
>
>  extern int tpm_pcr_read(u32 chip_num, int pcr_idx, u8 *res_buf);
>  extern int tpm_pcr_extend(u32 chip_num, int pcr_idx, const u8 *hash);
> +#else
> +static inline int tpm_pcr_read(u32 chip_num, int pcr_idx, u8 *res_buf) {
> +	return -ENODEV;
> +}
> +static inline int tpm_pcr_extend(u32 chip_num, int pcr_idx, const u8 *hash) {
> +	return -ENODEV;
> +}
>  #endif
>  #endif
>   

Re: [PATCH] tpm add default function definitions

[Eric Paris]

On Mon, Oct 26, 2009 at 10:06 AM, Rajiv Andrade
<srajiv@linux.vnet.ibm.com> wrote:
> Acked-by: Rajiv Andrade <srajiv@linux.vnet.ibm.com>

I don't see this as stable material, but it looks good for -next.

Acked-by: Eric Paris <eparis@redhat.com>

>
> Mimi Zohar wrote:
>> Add default tpm_pcr_read/extend function definitions required
>> by IMA/Kconfig changes.
>>
>> Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
>> Cc: Stable Kernel <stable@kernel.org>
>> ---
>>  include/linux/tpm.h |    7 +++++++
>>  1 files changed, 7 insertions(+), 0 deletions(-)
>>
>> diff --git a/include/linux/tpm.h b/include/linux/tpm.h
>> index 3338b3f..8eaa8f8 100644
>> --- a/include/linux/tpm.h
>> +++ b/include/linux/tpm.h
>> @@ -31,5 +31,12 @@
>>
>>  extern int tpm_pcr_read(u32 chip_num, int pcr_idx, u8 *res_buf);
>>  extern int tpm_pcr_extend(u32 chip_num, int pcr_idx, const u8 *hash);
>> +#else
>> +static inline int tpm_pcr_read(u32 chip_num, int pcr_idx, u8 *res_buf) {
>> +     return -ENODEV;
>> +}
>> +static inline int tpm_pcr_extend(u32 chip_num, int pcr_idx, const u8 *hash) {
>> +     return -ENODEV;
>> +}
>>  #endif
>>  #endif
>>
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/
>